tag:blogger.com,1999:blog-61283849738295180292024-03-24T14:19:21.736+01:00From Dummy to DummiesAN APPROACH TO COMPUTERS, THE DUMB WAYAudi-1 aka (Dhakkan)http://www.blogger.com/profile/00500429737089621486noreply@blogger.comBlogger24125tag:blogger.com,1999:blog-6128384973829518029.post-87900046814939507362013-11-18T22:33:00.000+01:002013-11-18T22:38:30.676+01:00Copying SAM and SYSTEM hives (Or locked files) from a running system by directly dumping sectors.<div dir="ltr" style="text-align: left;" trbidi="on">
My Kali installation did not have a copy of fgdump.exe, so while googling to download the fgdump utility for a friend who is currently doing PWB from Offensive Security, I stumbled upon a post which mentioned dumping the sectors occupied by a file in order to copy a locked file from the file system.<br />
<br />
Thanks to my fat fingers.<br />
<br />
<a href="http://www.codeproject.com/Articles/32169/FDump-Dumping-File-Sectors-Directly-from-Disk-usin">http://www.codeproject.com/Articles/32169/FDump-Dumping-File-Sectors-Directly-from-Disk-usin</a><br />
<br />
One needs administrative privileges on the system to do this, but with them the local SAM and SYSTEM hives can be copied from a running system without having to reboot into a Linux bootable CD to free the file locks.<br />
<br />
The author, Armen Hakobyan, explains the implementation nicely with all the source code listed. The download also includes a precompiled 32-bit demo binary which works on Windows 7; a 64-bit version can be compiled from the sources.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS7W327wfvtrNDEgR6Y_aMy-PZcfbG90gqkPJbaIssLmdsXlsvddaBhvijBfOHSzmBPpjen2ZJv-nnQDSElL7CsXt08yg_8zyHKbGXRmb7o9CWlmxQsTY2LUanT-44Pbw3Wl6p32n-PdY/s1600/Screenshot+2013-11-18+22.22.12.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS7W327wfvtrNDEgR6Y_aMy-PZcfbG90gqkPJbaIssLmdsXlsvddaBhvijBfOHSzmBPpjen2ZJv-nnQDSElL7CsXt08yg_8zyHKbGXRmb7o9CWlmxQsTY2LUanT-44Pbw3Wl6p32n-PdY/s640/Screenshot+2013-11-18+22.22.12.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Fdump-demo.exe binary in action.</td></tr>
</tbody></table>
<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmpc1WX8k5b9W7LkzugH8moN8oAFnHUfIZVMin9DV61Fk8Gq39kr8Z-vfd9oe_3y2JEMCxd4bhqLEP-NvXlDTS7xY9mS_v9HKnouQ5jC8KoZTGRaRcixGNwJKL-JD9RtQ8uzgjoVeWrRY/s1600/Screenshot+2013-11-18+22.24.55.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="419" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmpc1WX8k5b9W7LkzugH8moN8oAFnHUfIZVMin9DV61Fk8Gq39kr8Z-vfd9oe_3y2JEMCxd4bhqLEP-NvXlDTS7xY9mS_v9HKnouQ5jC8KoZTGRaRcixGNwJKL-JD9RtQ8uzgjoVeWrRY/s640/Screenshot+2013-11-18+22.24.55.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">FDUMP in Action.</td></tr>
</tbody></table>
<br />
<br />
<br />
<br /></div>
Audi-1 aka (Dhakkan)http://www.blogger.com/profile/00500429737089621486noreply@blogger.com0tag:blogger.com,1999:blog-6128384973829518029.post-70108499883812496832013-03-17T00:19:00.000+01:002013-03-17T00:19:47.884+01:00Installing Teamviewer 8 on Kali 64bit (Debian)<div dir="ltr" style="text-align: left;" trbidi="on">
<u>Installing Teamviewer 64bit on Kali OS.</u><br />
<br />
While I was trying to install Teamviewer on my 64 bit Kali OS install, I ran into some missing dependencies. One of them was an i386 package, which cannot be installed on 64 bit unless multi-architecture support is enabled in your install.<br />
For this we first allow i386 packages to be installed by adding i386 as a multiarch architecture.<br />
<br />
<b>root@kali:/home/dhakkan/Downloads# dpkg --add-architecture i386</b><br />
<br />
Now we need to update our repositories.<br />
<br />
<br />
<b>root@kali:/home/dhakkan/Downloads# apt-get update</b><br />
<div>
<br /></div>
<div>
Now we can deploy i386 packages on 64 bit as multiarch.</div>
<div>
<br /></div>
<div>
Now time to install the package.</div>
<div>
<br /></div>
<div>
<b>dhakkan@kali:~/Downloads$ sudo dpkg -i teamviewer_linux_x64.deb</b></div>
<div>
<br /></div>
<div>
You will get errors for unmet dependencies, which can be installed using the following command:</div>
<div>
<br /></div>
<div>
<b>dhakkan@kali:~/Downloads$ sudo apt-get install -f</b></div>
<div>
<br /></div>
<div>
and it should be good to go.</div>
<div>
<br /></div>
</div>
Audi-1 aka (Dhakkan)http://www.blogger.com/profile/00500429737089621486noreply@blogger.com6tag:blogger.com,1999:blog-6128384973829518029.post-22295469681783054012013-02-28T10:45:00.000+01:002013-02-28T10:48:40.305+01:00Double Query Injections: Writeup<div dir="ltr" style="text-align: left;" trbidi="on">
<b>DOUBLE QUERY SQL INJECTIONS OR SUBQUERY SQL INJECTIONS</b><br />
<br />
Continuing from my last writeup, which discussed the basics of SQL injections, their classifications, and how to approach them during a pen test, in this article I have tried to cover the concepts of double query injections: what they are and how they work behind the scenes for the MySQL database.<br />
<br />
You can read the article on the Infosec Institute site at the following link: <a href="http://resources.infosecinstitute.com/double-query-injections-demystified/">http://resources.infosecinstitute.com/double-query-injections-demystified/</a><br />
<br />
Less-5 and Less-6 are discussed in this writeup.<br />
<br />
The first part of the series can be accessed at <a href="http://resources.infosecinstitute.com/sql-injections-introduction/">http://resources.infosecinstitute.com/sql-injections-introduction/</a><br />
<br />
More writeups to follow...</div>
Audi-1 aka (Dhakkan)http://www.blogger.com/profile/00500429737089621486noreply@blogger.com3tag:blogger.com,1999:blog-6128384973829518029.post-16895871662567591362013-01-07T21:39:00.000+01:002013-01-07T21:40:46.595+01:00Error Based injections: Writeup<div dir="ltr" style="text-align: left;" trbidi="on">
<h3 style="text-align: left;">
<b>SQL INJECTIONS: AN INTRODUCTION</b></h3>
<br />
Each one of us has a different way to learn and understand technical concepts. Therefore I thought of<br />
adding text writeups for my SQLi LABS series to go along with the videos.<br />
<br />
You can read the article on the Infosec Institute site at the following link: <a href="http://resources.infosecinstitute.com/sql-injections-introduction/">http://resources.infosecinstitute.com/sql-injections-introduction/</a><br />
<br />
This covers the theory of SQL injections, the different types, and the basics of error based SQL injections. Less-1, Less-2, Less-3 and Less-4 are discussed in the writeup.<br />
<br />
More writeups to follow.<br />
<br /></div>
Audi-1 aka (Dhakkan)http://www.blogger.com/profile/00500429737089621486noreply@blogger.com0tag:blogger.com,1999:blog-6128384973829518029.post-8098937894307108012012-12-04T19:41:00.002+01:002012-12-04T19:53:46.171+01:00SQLI-LABS SERIES PART-17<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="color: cyan; font-size: large;"><b><u>SECOND ORDER INJECTIONS</u></b></span><br />
<br />
Second order injections are not widely discussed. They cannot be detected by tools; one needs to understand the application logic and flow to find them, and a code review is the better way to understand the injection.
In general, injections happen when the developer trusts the input, or fails to sanitize it, while building the query used in the application.<br />
<br />
What are second order injections?<br />
Second order injections can be considered similar to stored XSS. The injection does not directly yield a result, but the injected value is later used insecurely somewhere else, causing the injection to trigger and yield results.<br />
As an example, imagine an application which allows a user to create an account in the system. A malicious user can try to inject SQL keywords in the user creation form, which is nicely escaping dangerous characters using mysql_real_escape_string() and is therefore safe for that form. Because mysql_real_escape_string() escapes the dangerous characters, if the attacker tries to inject admin' OR 1=1-- in the username field, the quote is escaped and the input becomes admin\' OR 1=1--. If the other form values are valid, the user account is created with the name <span style="color: lime;"><b>admin' OR 1=1-- </b></span>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKQ-qRZvChVFGLkfbJ4gO5VNqGTp0r9BiydolbRtNJc2_oo_5epLtXYdSiniBjXu5WFPE1je1JgpWy2p930K-PfhvohiXUVqpy_FS55bJazzd-L_nm3x9iGXld-U1PFgUvUSIcfvQTZco/s1600/Less-24-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="416" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKQ-qRZvChVFGLkfbJ4gO5VNqGTp0r9BiydolbRtNJc2_oo_5epLtXYdSiniBjXu5WFPE1je1JgpWy2p930K-PfhvohiXUVqpy_FS55bJazzd-L_nm3x9iGXld-U1PFgUvUSIcfvQTZco/s640/Less-24-1.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<br />
Now with the user created, he can log in with the newly created account and go to the password reset page. This page checks the old password and builds a query behind the scenes something like<br />
<b><span style="color: lime;">UPDATE users SET passwd="</span><span style="color: yellow;">New_Pass</span><span style="color: lime;">" WHERE username="</span><span style="color: yellow;">Username</span><span style="color: lime;">" and passwd="</span><span style="color: yellow;">oldpassword</span><span style="color: lime;">"</span></b><br />
<br />
Now, as the username is taken from the database, the developer treats it as trusted information, being confident that there is no SQL injection on the earlier pages. Because of this blind trust, the data from the database is used without any escaping, so the stored username triggers the SQL injection.<br />
<br />
The query becomes<span style="color: lime;"> <b>UPDATE users SET passwd="New_Pass" WHERE username =' </b></span><b> <span style="color: yellow;">admin' --</span> <span style="color: lime;"> ' </span><span style="color: #b45f06;">AND password=' old password '.</span></b><br />
Effectively the SQLi works and changes the password of the admin user, commenting out the rest of the query (marked in brown).<br />
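As an added example (not the lab's own PHP code), the flow just described rebuilt in Python against an in-memory SQLite database: registration stores the crafted name verbatim, the vulnerable password reset concatenates the database-sourced username into the UPDATE, and a hardened version binds it as a parameter. The table and column names and the sample passwords are assumptions.<br />

```python
import sqlite3


def setup_db():
    """Constructed test data (assumed schema): one pre-existing admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, passwd TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'admin-secret')")
    return conn


def register(conn, username, passwd):
    # The registration form is "safe": a parameterised INSERT (the equivalent of the
    # escaped INSERT in the post) stores the quote and comment in the name verbatim.
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, passwd))


def reset_password_vulnerable(conn, session_user, old_pw, new_pw):
    # session_user was read back from the database, so the developer treats it as
    # trusted and concatenates it straight into the UPDATE: the second-order bug.
    sql = "UPDATE users SET passwd='%s' WHERE username='%s' AND passwd='%s'" % (
        new_pw, session_user, old_pw)
    return conn.execute(sql).rowcount


def reset_password_fixed(conn, session_user, old_pw, new_pw):
    # Hardened version: every value, whether it came from the user or from the
    # database, is bound as a parameter, so the stored quote and "--" are inert.
    sql = "UPDATE users SET passwd=? WHERE username=? AND passwd=?"
    return conn.execute(sql, (new_pw, session_user, old_pw)).rowcount


def password_of(conn, username):
    row = conn.execute("SELECT passwd FROM users WHERE username=?",
                       (username,)).fetchone()
    return row[0] if row else None


def run_scenario(use_fixed):
    """Register the crafted account, reset *its own* password, then report
    (rows updated, admin's password, attacker's password)."""
    conn = setup_db()
    attacker_name = "admin' -- "  # the stored username shown in the second figure
    register(conn, attacker_name, "x")
    reset = reset_password_fixed if use_fixed else reset_password_vulnerable
    changed = reset(conn, attacker_name, "x", "New_Pass")
    return changed, password_of(conn, "admin"), password_of(conn, attacker_name)


if __name__ == "__main__":
    # Vulnerable: the WHERE clause collapses to username='admin' and admin is reset.
    print("vulnerable:", run_scenario(False))
    # Fixed: only the attacker's own row changes; admin's password is untouched.
    print("fixed:     ", run_scenario(True))
```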
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiR57BGtrEHB7888MgrbkSTzD_QH54LJ1ajDCDBwDoT3TQF2pEJ519vYuVMEm2_O3wtDinqnrXAvgOtHYgudpcVsxwJRnX9FvU2afs-U5n4lzYotdOQn0LiQH8YRzgH670BUcRlipiT4Y8/s1600/Less-24-3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="430" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiR57BGtrEHB7888MgrbkSTzD_QH54LJ1ajDCDBwDoT3TQF2pEJ519vYuVMEm2_O3wtDinqnrXAvgOtHYgudpcVsxwJRnX9FvU2afs-U5n4lzYotdOQn0LiQH8YRzgH670BUcRlipiT4Y8/s640/Less-24-3.png" width="640" /></a></div>
<br />
A video demonstration of the same can be found below.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/e9pbC5BxiAE?feature=player_embedded' frameborder='0'></iframe></div>
<br /></div>
Audi-1 aka (Dhakkan)http://www.blogger.com/profile/00500429737089621486noreply@blogger.com0tag:blogger.com,1999:blog-6128384973829518029.post-67919078016658106702012-11-13T17:12:00.001+01:002012-11-13T17:14:21.354+01:00HAPPY DIWALI<div dir="ltr" style="text-align: left;" trbidi="on">
HAPPY DIWALI TO EVERYONE<br />
<br />
<div style="text-align: justify;">
<h2>
<span style="color: red;">May </span><span style="color: orange;">This</span> <span style="color: lime;">festival</span> <span style="color: cyan;">of </span><span style="color: magenta;">lights</span> <span style="color: #f6b26b;">bring</span> <span style="color: #b6d7a8;">all</span><span style="color: #e06666;"> the</span><span style="color: #38761d;"> happiness</span> <span style="color: orange;">and </span><span style="color: red;">joy </span><span style="color: lime;">to</span> <span style="color: magenta;">you </span><span style="color: #cc0000;">and </span><span style="color: yellow;">your</span> <span style="color: red;">loved</span> <span style="color: cyan;">ones.</span></h2>
</div>
</div>
Audi-1 aka (Dhakkan)http://www.blogger.com/profile/00500429737089621486noreply@blogger.com0tag:blogger.com,1999:blog-6128384973829518029.post-57822953546280183752012-09-30T14:03:00.000+02:002012-09-30T14:12:17.496+02:00SQLI-LABS SERIES PART-16<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<br />
<div style="text-align: center;">
<b><u><span style="color: lime; font-size: large;">SQL Injection via COOKIES</span></u></b></div>
<br />
<br />
<i><span style="color: red;">CAUTION: This is for educational purposes only; please do not use the skills you gain from following the video lessons or blog to harm or test sites on the internet for which you do not have permission. Doing so is illegal. I do not support these sorts of activities and would advise you all to stay away from the same... If you do so you are solely responsible for your actions; you have been warned.</span></i><br />
<br />
<br />
<div style="text-align: justify;">
As discussed in the earlier posts, enumeration is the first and most essential part of every penetration test. Knowing the workflow of the application is key to testing it: the more one knows about the application, the better and more effective the testing becomes.</div>
<div style="text-align: justify;">
Secondly, all input parameters should be tested. These include not just the form fields but also the other inputs such as the Referer, User-Agent and cookies. Developers these days take care to sanitize the form inputs but forget to pay the same attention to the other inputs.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
We discussed injection in the update query and injection in the headers in our previous lessons. In this lesson we discuss injection via cookies.</div>
<div style="text-align: justify;">
Technically speaking, it is essential to understand how cookies are generated by the application and how they are used within it. Understanding the cookie generation logic is key to successful testing.</div>
<div style="text-align: justify;">
In Less-20 we introduce the basics, using clear text cookie generation logic to explain. There is no difference in how the injection is performed via a cookie or via any other form parameter. In Less-20 and 21 we deal with error based injections.</div>
<div style="text-align: justify;">
Less-21 uses an encoded cookie value: the application logic encodes and decodes the data and uses the result in the queries later on.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Because both are error based injections and the database output is reflected in the web page, we can use UNION statements to dump the database, or we can use double query injections to do so.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
For enumerating the application, we first observe the workflow of the application by providing a legitimate input.</div>
<div style="text-align: justify;">
<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEWa0JdYopohd8tcJPV39OraWJBCTxnjv4rlWgiSJokPp1W5ny8fdWawJJc7Yw_3dbXufrkh2Yq_MYUJN7LkprKssrGDgHLLiQrw04d0b89Os0K7hNOVXRyvf0zgSYxmg9ixo_xPh1eyM/s1600/Less-20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="278" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEWa0JdYopohd8tcJPV39OraWJBCTxnjv4rlWgiSJokPp1W5ny8fdWawJJc7Yw_3dbXufrkh2Yq_MYUJN7LkprKssrGDgHLLiQrw04d0b89Os0K7hNOVXRyvf0zgSYxmg9ixo_xPh1eyM/s640/Less-20.png" width="640" /></a></div>
<div style="text-align: justify;">
<br />
<br />
<br />
<br /></div>
<div style="text-align: justify;">
This successful login places a cookie in the user's browser as a key ==> value pair: the cookie name is uname and its value is the username.</div>
<div style="text-align: justify;">
This cookie value is then used to retrieve some information from the database, creating the vulnerable injection point.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4ipA4J9HKgOcWZ9-gaoxdaqyd_IJ2BwG3WO-NgIszkBa_SkU_HoEa5pYQlRGtfuIe1iDX_UgoZa6llDGqTKPqA9t8mDtCKFVXmbnRpZoqHbELYsUMnNRGGcyKyBL0xBVDp7RfyGrgMbU/s1600/Less-20-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="310" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4ipA4J9HKgOcWZ9-gaoxdaqyd_IJ2BwG3WO-NgIszkBa_SkU_HoEa5pYQlRGtfuIe1iDX_UgoZa6llDGqTKPqA9t8mDtCKFVXmbnRpZoqHbELYsUMnNRGGcyKyBL0xBVDp7RfyGrgMbU/s640/Less-20-1.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br />
<br />
<br />
<br /></div>
<div style="text-align: justify;">
Using Firebug, Tamper Data or any intercepting proxy such as Burp Suite, ZAP (Zed Attack Proxy), WebScarab or similar, we can modify the cookies and inject our payloads. Fuzzing the cookies, we observe that the SQL query breaks and a MySQL error is displayed on the screen.</div>
<div style="text-align: justify;">
<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgE5E6DW3Xb9w-upHIkGIbQkuPLJa08kw36W0ZNqCjsVCiJTsvd112A6Ck3gekyouqjx-tpRrVCbA7eTz-yhYBoPi2s37qbxpEcf6Su_uamKPlIYqMW1N1SOJ7yuTNV4b9zUv6uMkeKEVY/s1600/Screenshot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="290" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgE5E6DW3Xb9w-upHIkGIbQkuPLJa08kw36W0ZNqCjsVCiJTsvd112A6Ck3gekyouqjx-tpRrVCbA7eTz-yhYBoPi2s37qbxpEcf6Su_uamKPlIYqMW1N1SOJ7yuTNV4b9zUv6uMkeKEVY/s640/Screenshot.png" width="640" /></a></div>
<div style="text-align: justify;">
<br />
<br />
<br /></div>
<div style="text-align: justify;">
Once we achieve this error, it can be treated like an error based injection and we proceed accordingly to dump the database.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
For Less-21 we observe that the system uses a Base64 encoding scheme to send an encoded cookie to the browser. Henceforth we need to Base64-encode our injections so that they are consumed correctly by the web application.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
You can watch the video demonstration on YouTube.<br />
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/-A3vVqfP8pA?feature=player_embedded' frameborder='0'></iframe></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
</div>
Audi-1 aka (Dhakkan)http://www.blogger.com/profile/00500429737089621486noreply@blogger.com1tag:blogger.com,1999:blog-6128384973829518029.post-14228523361342228642012-08-27T11:27:00.002+02:002012-09-30T14:10:29.587+02:00SQLI-LABS SERIES PART-15<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: center;">
<b><u><span style="color: cyan;">INJECTION IN THE INSERT QUERY</span></u></b></div>
<div style="text-align: center;">
<b><u><span style="color: cyan;">INJECTION IN HEADERS</span></u></b></div>
<br />
In the earlier parts of the series we looked at the GET and POST based injections and went into detail on error based SQL injections (string type, integer type), error based double query injections, blind injections (Boolean based and time based), and using outfile/dumpfile to dump the info into text files. In this part we look at injections in the INSERT query. For this we would look at the Less-17.<br />
A general insert query looks like<br />
<br />
<span style="color: lime;"><b>INSERT INTO table (col1,col2, col3) values (val1,val2, val3);</b></span><br />
<br />
For the purpose of the lab, we use Less-18 and Less-19. These are different lessons, as the injection is in the INSERT query and, moreover, in the header fields. Less-18 covers injection in the "User-Agent" field and Less-19 covers injection in the "Referer" field.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSiymKZfqsx1Q9kaFOcJmrF_oHW1MjfsR8P4AB65Y2BsVf-dwxNUHTpj4cC1YZy0v4NVPWSHWm0sK19j4OebDJxEsnDa9WlOgobA70CQq6ewenggBq7EZ7HAzbhXfz0nXnn7wVs2zgtnc/s1600/Less-18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="342" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSiymKZfqsx1Q9kaFOcJmrF_oHW1MjfsR8P4AB65Y2BsVf-dwxNUHTpj4cC1YZy0v4NVPWSHWm0sK19j4OebDJxEsnDa9WlOgobA70CQq6ewenggBq7EZ7HAzbhXfz0nXnn7wVs2zgtnc/s640/Less-18.png" width="640" /></a></div>
<br />
<div style="text-align: center;">
<b><i><span style="color: red;"><u>"Less-18 - INJECTION IN THE USERAGENT FIELD"</u></span></i></b></div>
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi05PG-ZOrl0qJ7f31C5RhbDr9KdvwQ5xZhpnxlN8u2sQCz95QcHedgK1WBc2IlFAibaFvjbwq5FMaEytbsyzHIX5JC1mnLfh-b8kZrq79DN3zCD5MbTCFuZeiLY2mGFUkZZH6qA_Om-mQ/s1600/Less-19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi05PG-ZOrl0qJ7f31C5RhbDr9KdvwQ5xZhpnxlN8u2sQCz95QcHedgK1WBc2IlFAibaFvjbwq5FMaEytbsyzHIX5JC1mnLfh-b8kZrq79DN3zCD5MbTCFuZeiLY2mGFUkZZH6qA_Om-mQ/s640/Less-19.png" width="640" /></a></div>
<br />
<div style="text-align: center;">
<b><i><span style="color: red;"><u>"Less-19 - INJECTION IN THE REFER FIELD."</u></span></i></b></div>
<br />
For the purpose of fuzzing these input points we need to write a script or use intercepting proxies such as Tamper Data (a Firefox add-on), Burp Suite, Fiddler, ZAP, or any other tool which allows you to modify the headers on the fly.<br />
<br />
In these sorts of injections, where the header fields are inserted into the database, our focus is to check whether the data can be extracted in some way. Blind injection is always an option and we can use Boolean or time based injections; the process works but is overall slow.<br />
<br />
In cases where MySQL errors are displayed by the application, these can be used to dump the values efficiently and with far fewer queries than blind injection. The logic of double query injections is used to dump the info.<br />
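As an added example that is not part of the series' own code, a small Python triage script for the non-form inputs covered in this post and in the cookie post above: it walks constructed request records, Base64-decodes the uname cookie the way the Less-21 application would, and flags cookie, User-Agent or Referer values carrying SQL metacharacters, as well as cookies that do not decode at all. The record layout, the field names and the sample values are assumptions.<br />

```python
import base64
import re

# Coarse triage pattern: quote characters, comment openers and a few keywords that
# have no business in a username cookie, a User-Agent or a Referer. Tune for your traffic.
SUSPICIOUS = re.compile(r"""['"]|--|#|/\*|\b(?:union|select|sleep|benchmark)\b""",
                        re.IGNORECASE)

REASON_META = "sql metacharacter or keyword"
REASON_BAD_B64 = "undecodable base64 cookie"

# Constructed request records (not real traffic), in the shape an application log
# might keep per hit: the three header fields the Less-18/19/20/21 apps consume.
SAMPLE_REQUESTS = [
    {"Cookie": "uname=" + base64.b64encode(b"Dumb").decode("ascii"),
     "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
     "Referer": "http://example.test/index.php"},
    {"Cookie": "uname=" + base64.b64encode(b"Dumb'").decode("ascii"),  # fuzzed cookie
     "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
     "Referer": "http://example.test/index.php"},
    {"Cookie": "uname=" + base64.b64encode(b"Dumb").decode("ascii"),
     "User-Agent": "Mozilla/5.0'",                                    # fuzzed User-Agent
     "Referer": "http://example.test/index.php"},
    {"Cookie": "uname=not%base64!",                                    # malformed cookie
     "User-Agent": "curl/7.88.1",
     "Referer": "-"},
]


def parse_cookie_header(header):
    """Split a raw Cookie header into a name -> value dict (first '=' separates them,
    so Base64 padding '=' inside the value survives)."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def decode_uname(cookie_header):
    """Decode the uname cookie the way the Less-21 app does. Returns (value, error)."""
    raw = parse_cookie_header(cookie_header).get("uname")
    if raw is None:
        return None, "no uname cookie"
    try:
        # validate=True rejects non-alphabet characters instead of silently dropping them.
        return base64.b64decode(raw, validate=True).decode("utf-8"), None
    except ValueError as exc:  # binascii.Error and UnicodeDecodeError both derive from it
        return None, "%s: %s" % (REASON_BAD_B64, exc)


def audit_request(req):
    """Return a list of (field, value, reason) findings for one request record."""
    findings = []
    decoded, error = decode_uname(req.get("Cookie", ""))
    if error and error.startswith(REASON_BAD_B64):
        findings.append(("Cookie:uname", req.get("Cookie"), error))
    elif decoded is not None and SUSPICIOUS.search(decoded):
        # Encoding is not a control: the decoded value is what reaches the query.
        findings.append(("Cookie:uname", decoded, REASON_META))
    # The Less-18/19 apps store these headers verbatim, so they are checked raw.
    for field in ("User-Agent", "Referer"):
        value = req.get(field, "")
        if SUSPICIOUS.search(value):
            findings.append((field, value, REASON_META))
    return findings


def audit_requests(records):
    """Audit a batch of records; returns [(index, field, value, reason), ...]."""
    report = []
    for index, req in enumerate(records):
        for field, value, reason in audit_request(req):
            report.append((index, field, value, reason))
    return report


if __name__ == "__main__":
    for hit in audit_requests(SAMPLE_REQUESTS):
        print("request %d  %-12s %-30r %s" % hit)
```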
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/ZJiPsWxXYZs?feature=player_embedded' frameborder='0'></iframe></div>
<br />
For more details and the basics of double query injections, watch the other parts of the series.<br />
The complete list can be viewed here <a href="http://www.securitytube.net/user/Audi">http://www.securitytube.net/user/Audi</a> or watched directly on YouTube at <a href="http://www.youtube.com/channel/UCiOdrhE67CR8lM0z2-_fe-A/videos">http://www.youtube.com/channel/UCiOdrhE67CR8lM0z2-_fe-A/videos</a><br />
<br />
<br />
<br />
<div style="text-align: center;">
<br /></div>
<br /></div>
Audi-1 aka (Dhakkan)http://www.blogger.com/profile/00500429737089621486noreply@blogger.com0tag:blogger.com,1999:blog-6128384973829518029.post-3136875141989861872012-07-18T20:37:00.003+02:002012-07-18T21:07:44.855+02:00SQLI-LABS SERIES PART 13<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: center;">
<u><b><span style="color: cyan; font-size: large;">INJECTION IN UPDATE QUERY</span></b></u></div>
<br />
<div style="text-align: justify;">
In the earlier parts of the series we looked at the GET and POST based injections and went into detail on error based SQL injections (string type, integer type), error based double query injections, blind injections (Boolean based and time based), and using outfile/dumpfile to dump the info into text files. In this part we look at injections in the UPDATE query. For this we would look at the Less-17.</div>
<div style="text-align: justify;">
A general update query looks like</div>
<br />
<b><span style="color: lime;">UPDATE TABLE SET PARAMETER-1=</span><span style="color: yellow;">"some value"</span><span style="color: lime;"> WHERE PARAMETER-2=</span><span style="color: yellow;">"some value";</span></b><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLC9-xUN-FhJmCb4T5NIGGEzh_uKPxkIrANrAYHKzDUZVMeGZ-4TjQQflpB6pJoe86bLLpYq55SXNtlWgWCEbsNjp8geVMNkRTJDFrin9UZsX5qGPoHDRREwUHcvpX6Q9FXVZYEZ-Ez1U/s1600/Screenshot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLC9-xUN-FhJmCb4T5NIGGEzh_uKPxkIrANrAYHKzDUZVMeGZ-4TjQQflpB6pJoe86bLLpYq55SXNtlWgWCEbsNjp8geVMNkRTJDFrin9UZsX5qGPoHDRREwUHcvpX6Q9FXVZYEZ-Ez1U/s640/Screenshot.png" width="640" /></a></div>
<span style="background-color: white;"><br /></span><br />
<span style="background-color: white;"><br /></span><br />
<div style="text-align: justify;">
In the general case, a front end for a password update or profile update has this query working in the backend. During a pentest, be extra careful while handling these queries, because one wrong test can update the complete production database with wrong values.</div>
<div style="text-align: justify;">
<span style="background-color: white;"><br /></span></div>
<div style="text-align: justify;">
<i><span style="color: red;">CAUTION: This is for educational purposes only; please do not use the skills you gain from following the video lessons or blog to harm or test sites on the internet for which you do not have permission. Doing so is illegal. I do not support these sorts of activities and would advise you all to stay away from the same... If you do so you are solely responsible for your actions; you have been warned.</span></i></div>
<br />
<br />
In the update statement injection, our objective is to extract info and not to update the database, therefore we can use the basics of<br />
<br />
<ul style="text-align: left;">
<li>Double query injection</li>
<li>Blind injection</li>
<li>Dumpfile/outfile to extract the information.</li>
</ul>
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="background-color: white;"><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/2FgLcPuU7Vw?feature=player_embedded' frameborder='0'></iframe></span></div>
<br />
Basic query injections:<br />
<b><span style="color: orange;">Less-17</span></b> Line number 97<br />
<span style="color: lime;"><b>$update="UPDATE users SET password = '$passwd' WHERE username='$row1'";</b></span><br />
<br />
<br /></div>Audi-1 aka (Dhakkan)http://www.blogger.com/profile/00500429737089621486noreply@blogger.com0tag:blogger.com,1999:blog-6128384973829518029.post-17007715304802234892012-06-30T23:13:00.000+02:002012-06-30T23:16:07.697+02:00CONFIDENCE BOOSTER DOZE<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
Thanks a ton to everyone who is watching/following the video series closely and also appreciating it. Another link on Facebook posted by Vivek Ramachandran; I am really, really touched by the wonderful words from the Guru himself..... thanks a ton.<br />
<br />
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgN022lzKH5k2ySV0DW3eRC3RdWTJmcN2UVWfYwIhWLFBPnVOxh770WKNw0zCyYJqijOBtOjDL6lg6Rj2zc6kVNb23nqdURR_KNUlw9JCoZt5AfYPVLn87sHh6lVB39p0-fcyjsN9BXjeM/s1600/Screenshot-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgN022lzKH5k2ySV0DW3eRC3RdWTJmcN2UVWfYwIhWLFBPnVOxh770WKNw0zCyYJqijOBtOjDL6lg6Rj2zc6kVNb23nqdURR_KNUlw9JCoZt5AfYPVLn87sHh6lVB39p0-fcyjsN9BXjeM/s640/Screenshot-1.png" width="568" /></a></div>
<br />
<br /></div>Audi-1 aka (Dhakkan)http://www.blogger.com/profile/00500429737089621486noreply@blogger.com0tag:blogger.com,1999:blog-6128384973829518029.post-21282487512162614392012-06-30T22:49:00.002+02:002012-06-30T23:13:58.912+02:00SQLI-LABS SERIES PART 12<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
In the last part we started to explore error based SQL injections in the POST parameters, and were able to use UNION statements to dump the database of the test bed. In a situation where the database output does not otherwise reach the web page, and the only way the database displays anything on the page is through MySQL errors, the fastest way to extract the info is through type cast errors involving subqueries, also referred to as double queries. MySQL, however, is very flexible and returns empty rows rather than throwing an error, so infosec gurus figured out some combinations of functions which together make SQL queries that pass the compile time check but throw run-time errors, and those errors dump the useful info which is needed.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: center;">
<span style="color: cyan; font-size: large;"><b><u>DOUBLE QUERY INJECTIONS</u></b></span></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<span style="color: red;"><i>CAUTION: This is for educational purposes only; please do not use the skills you gain from following the video lessons or blog to harm or test sites on the internet for which you do not have permission. Doing so is illegal. I do not support these sorts of activities and would advise you all to stay away from the same... If you do so you are solely responsible for your actions; you have been warned.</i></span></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
As these involve subquery injections, the focus is to use the inner query to pull the info we want and wrap it in an outer query which is syntactically correct, so that it passes the compile time checks but produces an error at run time, and in the process spits out the result of the inner query as part of the error message.</div>
<div style="text-align: justify;">
In MySQL this is achieved by using a combination of count() and the group by clause. In my personal understanding the issue happens when the aggregate functions produce dynamic entries, the group by clause clubs them, and the next round of the aggregate function finds the values changed, causing duplicate entry issues. We discussed the same during part 6. There the injection point was in a GET parameter, and here we use the POST parameter.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiZWu4RPicAvFo-H2yjQ0zJSsKaOhGmC74M97_UvlHFlbKBxC-BOp-v1Vor-WTWDv-JPTAfAaTih_XRVc10azuOun6lLZbNv74LdpnwnAMNZii7HoCBZWyjm8EgNMTRzX89FbJP9PfXSw/s1600/Screenshot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiZWu4RPicAvFo-H2yjQ0zJSsKaOhGmC74M97_UvlHFlbKBxC-BOp-v1Vor-WTWDv-JPTAfAaTih_XRVc10azuOun6lLZbNv74LdpnwnAMNZii7HoCBZWyjm8EgNMTRzX89FbJP9PfXSw/s640/Screenshot.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
For detailed instructions, you can follow the video.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/tjFXWQY4LuA?feature=player_embedded' frameborder='0'></iframe></div>
<div style="text-align: justify;">
<br />
Basic queries to cause injections:</div>
<div style="text-align: justify;">
<br />
<b><span style="color: orange;">Less-13</span></b> line number 57<br />
<b><span style="color: lime;">@$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";</span></b><br />
<b>') or ('1')=('1 Will work nicely if injected in username and password field. <span style="color: lime;"> username = ('</span> <span style="color: yellow;">') or ('1')=('1</span><span style="color: lime;"> ') AND password = ('</span> <span style="color: yellow;">') or ('1')=('1</span> <span style="color: lime;">')</span></b><br />
<b>') or 1=1 --+ Will also work only in one field. <span style="color: lime;">username = ('</span> <span style="color: yellow;">') or 1=1 --+</span> <span style="color: magenta;">' commented out</span></b><br />
<b>') or 1=1 # will also work only in one field. <span style="color: lime;">username = ('</span> <span style="color: yellow;">') or 1=1 #</span> <span style="color: magenta;">' commented out</span></b><br />
<br />
<br />
<b><span style="color: orange;">Less-14</span></b> Line 57,58,59<br />
<b><span style="color: lime;">$uname='"'.$uname.'"';</span></b><br />
<b><span style="color: lime;">$passwd='"'.$passwd.'"'; </span></b><br />
<b><span style="color: lime;">@$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";</span></b><br />
<br />
<b>" or "1"="1 Will work nicely. <span style="color: lime;"> username = "</span> <span style="color: yellow;">" or "1"="1</span> <span style="color: lime;">" AND password = "</span> <span style="color: yellow;">" or "1"= "1</span> <span style="color: lime;">" </span></b><br />
<b>" or 1=1 --+ Will also work. <span style="color: lime;">username = "</span> <span style="color: yellow;">" or 1=1 --+</span> <span style="color: magenta;">" commented out</span></b><br />
<b>" or 1=1 # will also work. <span style="color: lime;">username = "</span> <span style="color: yellow;">" or 1=1 # </span> <span style="color: magenta;">" commented out</span></b><br />
<div>
<br /></div>
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
</div>Audi-1 aka (Dhakkan)http://www.blogger.com/profile/00500429737089621486noreply@blogger.com0tag:blogger.com,1999:blog-6128384973829518029.post-31935282724143546102012-06-28T00:06:00.002+02:002012-06-29T13:58:46.978+02:00SQLI-LABS SERIES PART-11<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
Thank you all for your feedback and responses. I am highly motivated to complete this series and start with a new one soon after.</div>
<div style="text-align: justify;">
Today we will discuss injections in forms. In the last 11 lessons of the series we discussed injections via the GET request. When I started to learn this topic, I realized that a lot of material was available on the internet for GET based injections, but POST injections were rarely discussed. That increased my curiosity, and this was the point when I started this lab. The forms, lessons 11 to 20, are different implementations similar to the GET method. We will cover:</div>
<div style="text-align: justify;">
<ul>
<li>Error based injections</li>
<li>Double Query injections</li>
<li>Boolean based Blind injections</li>
<li>Time based Blind Injections</li>
<li>Injections in update query</li>
<li>Injections in the Headers</li>
<li>Injections in cookies</li>
</ul>
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<span style="color: red;"><i>CAUTION: This is for educational purposes only. Please do not use the skills you gain from following the video lessons or the blog to harm or test sites on the internet for which you do not have permission. Doing so is illegal. I do not support this sort of activity and would advise you all to stay away from the same... If you do so you are solely responsible for your actions, you have been warned.</i></span></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: center;">
<span style="color: cyan; font-size: large;"><b><u>POST BASED INJECTIONS</u></b></span></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In general, nothing changes with the change in injection point: the logic for the injection remains the same and the process remains the same. As a general scenario we take up Less-11 and 12. Since the page displays a login form, we can build our first pseudo query, which would be running behind the scenes, as<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_yNtUdhsgUgH2iqWEMBP05EyuK2BBvAjANgwMhz_sXdLTsaXGUSiwMdYPJn4yaTpm53cWKrLCoeldqFPkAz-QjX2-JKP1yMWTp45aGerxt3fFAVALYcm2_rPDP79wBw6y-beVdNuaxAY/s1600/Screenshot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="278" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_yNtUdhsgUgH2iqWEMBP05EyuK2BBvAjANgwMhz_sXdLTsaXGUSiwMdYPJn4yaTpm53cWKrLCoeldqFPkAz-QjX2-JKP1yMWTp45aGerxt3fFAVALYcm2_rPDP79wBw6y-beVdNuaxAY/s640/Screenshot.png" width="640" /></a></div>
<br /></div>
<div style="text-align: justify;">
<span style="color: lime;">SELECT * FROM table WHERE username="</span><span style="color: yellow;">$uname</span><span style="color: lime;">" and password="</span><span style="color: yellow;">$password</span><span style="color: lime;">".</span></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The basic steps involved in the testing to exploitation are:</div>
<div style="text-align: justify;">
<b>1.</b> Fuzzing: try to give random inputs at all points where input is accepted; be creative and send values the developer failed to anticipate. The objective is to break the underlying query and gain more insight into how the query is formulated by reviewing the error.</div>
<div style="text-align: justify;">
<b>2. </b>Then try to fix the query, either by providing extra characters to balance off what we injected to break it, or by commenting out the rest of the query so that it becomes valid again.</div>
<div style="text-align: justify;">
<b>3.</b> Once we have achieved the above, we effectively know the left side and the right side of the injection point, and the SQL statement we inject in between gets executed on the backend.</div>
<div style="text-align: justify;">
As discussed in the previous post on error based injections, we used UNION SELECT to dump the DB because the database layer was interacting with the web page and columns from the table were visible on screen. In the same way we can see that a successful login here leads to the display of the username and password.</div>
<div style="text-align: justify;">
This can then be used to dump the database.</div>
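<div style="text-align: justify;">
The Less-11 query above, as an added Python example that is not the lab's own code: the concatenated query next to its parameterised form, run against an in-memory SQLite table (constructed data; SQLite stands in for MySQL) so the difference the post is driving at can be observed offline.</div>

```python
"""Added example (not the lab's own code): the Less-11 login query built by
string concatenation, next to the parameterised form that closes the hole.
SQLite's in-memory engine stands in for MySQL; the table contents are
constructed for the demo and are not the lab's user list."""
import sqlite3
from typing import Optional, Tuple

Row = Optional[Tuple[str, str]]


def make_db() -> sqlite3.Connection:
    """Constructed users table with the same two columns the lab query selects."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_concat(conn: sqlite3.Connection, uname: str, passwd: str) -> Row:
    """Mirror of the lab's line 57:
        @$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
    The input is pasted into the SQL text, so a quote in the input ends the
    string literal early and the rest of the input becomes SQL syntax."""
    sql = ("SELECT username, password FROM users "
           f"WHERE username='{uname}' and password='{passwd}' LIMIT 0,1")
    return conn.execute(sql).fetchone()


def login_param(conn: sqlite3.Connection, uname: str, passwd: str) -> Row:
    """Same query with bound parameters: the values travel separately from
    the SQL text, so a quote is just a character to compare against."""
    sql = ("SELECT username, password FROM users "
           "WHERE username=? and password=? LIMIT 0,1")
    return conn.execute(sql, (uname, passwd)).fetchone()


def demo() -> dict:
    """Run both forms with valid credentials and with the post's first
    Less-11 payload (' or '1'='1) supplied in both fields."""
    conn = make_db()
    tautology = "' or '1'='1"
    return {
        "legit_concat": login_concat(conn, "alice", "s3cret"),
        "legit_param": login_param(conn, "alice", "s3cret"),
        # WHERE username='' or '1'='1' and password='' or '1'='1' is always true:
        # the first row comes back without knowing any credentials.
        "payload_concat": login_concat(conn, tautology, tautology),
        # The same text compared literally matches no user, so no row.
        "payload_param": login_param(conn, tautology, tautology),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:16} -> {row}")
```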
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/6sQ23tqiTXY?feature=player_embedded' frameborder='0'></iframe></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b><span style="color: orange;">Less-11</span></b> line number 57<br />
<span style="color: lime;"><b>@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";</b></span><br />
<b>' or '1'='1 Will work nicely if injected in username and password field. <span style="color: lime;">username = '</span> <span style="color: yellow;">' or '1'='1</span> <span style="color: lime;">' AND password = ' </span></b><b><span style="color: yellow;">' or '1'='1</span></b><b><span style="color: lime;"> '</span></b><br />
<b>' or 1=1 --+ Will also work only in one field. <span style="color: lime;">username = '</span> <span style="color: yellow;">' or 1=1 --+ </span><span style="color: magenta;"> ' commented out</span></b><br />
<b>' or 1=1 # will also work only in one field. <span style="color: lime;">username = '</span> <span style="color: yellow;">' or 1=1 #</span> <span style="color: magenta;">' commented out</span></b><br />
<b><span style="color: magenta;"><br /></span></b><br />
<b><span style="color: orange;">Less-12</span></b> Line 57,58,59<br />
<span style="color: lime;"><b>$uname='"'.$uname.'"';</b></span><br />
<span style="color: lime;"><b>$passwd='"'.$passwd.'"'; </b></span><br />
<span style="color: lime;"><b>@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";</b></span><br />
<b></b><br />
<b>") or ("1")=("1 Will work nicely. <span style="color: lime;"> username = (" </span><span style="color: yellow;">")or ("1")=("1</span><span style="color: lime;"> ") AND password = (" </span><span style="color: yellow;">")or ("1")=("1</span><span style="color: lime;"> ") </span></b><br />
<b>") or 1=1 --+ Will also work. <span style="color: lime;"> username = (" </span><span style="color: yellow;">")or 1=1 --+</span><span style="color: lime;"> </span><span style="color: magenta;">") commented out</span></b><br />
<b>") or 1=1 # will also work. <span style="color: lime;"> username = ("</span><span style="color: yellow;"> ") or 1=1 # </span><span style="color: lime;"> </span><span style="color: magenta;">") commented out</span></b><br />
<br /></div>
</div>Audi-1 aka (Dhakkan)http://www.blogger.com/profile/00500429737089621486noreply@blogger.com0tag:blogger.com,1999:blog-6128384973829518029.post-53933358825716195122012-06-26T22:29:00.000+02:002012-09-30T14:13:38.335+02:00EXCITED AND FIRING ALL GUNS<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
Thanks a ton to everyone who is watching the series and also to those who commented. A special thanks to Vivek Ramachandran for sharing the link on Facebook and writing nice comments about it. Thanks a ton Vivek, it means a lot to me. I am motivated and excited to fire all guns. Never expected this kind of response.</div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3hbxAfYpgJPt_NnYrarP0lsJyvJd10wvs5Kgygv6QVZNbkU82W6UnPjJTa5gLZykowLvtMlDYwVySSf3MVneRXzdXAJhkD7-k1hkxh3rMubi_Z603hZUunVK3Z3sZiRPfcfSmJCecSlw/s1600/sqli-labs+part+6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3hbxAfYpgJPt_NnYrarP0lsJyvJd10wvs5Kgygv6QVZNbkU82W6UnPjJTa5gLZykowLvtMlDYwVySSf3MVneRXzdXAJhkD7-k1hkxh3rMubi_Z603hZUunVK3Z3sZiRPfcfSmJCecSlw/s640/sqli-labs+part+6.png" width="406" /></a></div>
<br /></div>
Audi-1 aka (Dhakkan)http://www.blogger.com/profile/00500429737089621486noreply@blogger.com0tag:blogger.com,1999:blog-6128384973829518029.post-84704748816039034072012-06-25T19:41:00.000+02:002012-06-25T20:57:41.224+02:00SQLI-LABS SERIES PART-10<div dir="ltr" style="text-align: left;" trbidi="on">
In the last posts we discussed different types of SQL injections:<i><span style="font-size: x-small;"> (Click the links to follow)</span></i><br />
<ul style="text-align: left;">
<li><a href="http://dummy2dummies.blogspot.nl/2012/06/sqli-lab-series-part2.html" target="_blank">Error based SQL Injections</a></li>
<li><a href="http://dummy2dummies.blogspot.nl/2012/06/sqli-lab-series-part-6.html" target="_blank">Double Query SQL Injections</a></li>
<li><a href="http://dummy2dummies.blogspot.nl/2012/06/sqli-labs-series-part-8.html" target="_blank">Boolean based Blind SQL Injections</a></li>
<li><a href="http://dummy2dummies.blogspot.nl/2012/06/sqli-labs-series-part-9.html" target="_blank">Time based Blind SQL Injections</a></li>
</ul>
Today we will take it further and discuss the use of outfile and dumpfile (the INTO OUTFILE and INTO DUMPFILE clauses).<br />
<br />
<span style="color: red;"><i>CAUTION: This is for educational purposes only. Please do not use the skills you gain from following the video lessons or the blog to harm or test sites on the internet for which you do not have permission. Doing so is illegal. I do not support this sort of activity and would advise you all to stay away from the same... If you do so you are solely responsible for your actions, you have been warned.</i></span><br />
<br />
<div style="text-align: center;">
<b><u><span style="color: cyan; font-size: large;">USING THE OUTFILE/DUMPFILE</span></u></b></div>
<br />
<div style="text-align: justify;">
Well, if the database user configured to run the application's queries against the back-end DB has the privilege to write to the file system (the web root of the server or any other folder under it), then we can build queries that use the built-in outfile or dumpfile facility.</div>
<div style="text-align: justify;">
example query: select * from table into outfile "path-to-file/filename"</div>
<div style="text-align: justify;">
There are two options which can be used in this case, outfile and dumpfile. dumpfile writes only one row, without any formatting details; this is especially important if you are playing with binary data. outfile preserves the formatting, carriage returns, etc., and dumps multiple rows.</div>
<div style="text-align: justify;">
To practice this you can follow the Less-7 from the labs.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/ADW844OA6io?feature=player_embedded' frameborder='0'></iframe></div>
<br />
<div style="text-align: justify;">
In the same way we can use MySQL to read files from the file system, using the function load_file(). By default we cannot execute system commands through MySQL, but if MySQL is misconfigured this can lead to uploading User Defined Functions, which can lead to a complete compromise of the server.</div>
<div style="text-align: justify;">
example injection may look like:</div>
<div style="text-align: justify;">
<span style="color: lime;"><b>' union select 1,load_file("/etc/passwd"),3 into dumpfile "/var/www/test.txt"</b></span></div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBdkFZKH2Zci_fCGDkbr21c095dJ1hPKdypFIuy2V9x2M5ngO2kMwyQNUjyBjl9b_8McXZHO_3C4iA5vsPhwrervtok7bYvFBAKxxYN9f6mR9lT8EhS0dtDSuoZNKa-d1mHuPA5DD9FB4/s1600/sql-7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBdkFZKH2Zci_fCGDkbr21c095dJ1hPKdypFIuy2V9x2M5ngO2kMwyQNUjyBjl9b_8McXZHO_3C4iA5vsPhwrervtok7bYvFBAKxxYN9f6mR9lT8EhS0dtDSuoZNKa-d1mHuPA5DD9FB4/s640/sql-7.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<span style="color: orange;"><b>Less -7</b></span> Line number 31</div>
<div style="text-align: justify;">
<span style="color: lime;"><b>$sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";</b></span></div>
<div style="text-align: justify;">
<b><span style="color: yellow;">1'))+or+1=1--+</span> -- Basic injection to detect sqli</b></div>
</div>Audi-1 aka (Dhakkan)http://www.blogger.com/profile/00500429737089621486noreply@blogger.com0tag:blogger.com,1999:blog-6128384973829518029.post-509204771249738732012-06-24T21:59:00.000+02:002012-06-25T12:32:12.453+02:00SQLI-LABS SERIES PART 9<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<span style="color: red;"><i>CAUTION: This is for educational purposes only. Please do not use the skills you gain from following the video lessons or the blog to harm or test sites on the internet for which you do not have permission. Doing so is illegal. I do not support this sort of activity and would advise you all to stay away from the same... If you do so you are solely responsible for your actions, you have been warned.</i></span><br />
<div>
<br /></div>
<div>
<div style="text-align: center;">
<b><u><span style="color: cyan; font-size: large;">TIME BASED INJECTIONS</span></u></b></div>
<br />
In the previous post, we discussed the basics of blind injections and started to explore Boolean based blind injections. In this post we continue with blind injections and discuss time based injections.</div>
<div>
In certain web applications which are vulnerable but do not disclose errors, where the database does not display any fields on the web pages, and where the page does not react differently to boolean yes/no queries, meaning we cannot visibly differentiate between true and false,</div>
<div>
in that case we can use time to distinguish between true and false. This is achieved with the sleep() function. It is not CPU intensive; if the condition is true the query waits for some time before returning a response, and it responds quickly if false. This time difference in page load gives us the correct characters one by one.</div>
<div>
Another way to do time based injections is with heavy queries (benchmark queries), which are CPU intensive and consume cycles if the condition is true but return quickly if it is false. It is always good to use the sleep() function.</div>
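<div style="text-align: justify;">
The same time difference the post relies on is what a defender can look for in server logs. As an added example that is not part of the original post, the script below parses constructed access log lines (the log format is assumed) and flags requests that carry a sleep()/benchmark() call in the query string, separating those where the server actually stalled against the route's baseline from those where it did not.</div>

```python
"""Added detection example (not from the original post): flag time-based
blind injection probes in web server access logs.  The log format is
assumed and the lines are constructed for this demo:
    <timestamp> <client> "<METHOD> <path>" <status> <response_ms>
Two signals are combined: a delay function (sleep / benchmark) in the
query string, and a response time far above the route's normal baseline.
The second signal is what separates a real stall from a blocked attempt."""
import re
import statistics
from typing import Dict, List, NamedTuple
from urllib.parse import unquote_plus, urlsplit

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r"(?P<status>\d{3}) (?P<ms>\d+)$"
)
DELAY_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)

# Constructed sample: two normal hits, the post's Less-9 sleep(10) probe,
# its if(1=0, ...) false branch, and a Less-10 double-quote variant.
SAMPLE_LOG = [
    '2012-06-24T21:59:01 10.0.0.5 "GET /Less-9/?id=1" 200 14',
    '2012-06-24T21:59:02 10.0.0.5 "GET /Less-9/?id=2" 200 12',
    '2012-06-24T21:59:03 10.0.0.7 "GET /Less-9/?id=1\'+and+sleep(10)+--+" 200 10021',
    '2012-06-24T21:59:15 10.0.0.7 "GET /Less-9/?id=1\'+and+if(1=0,+sleep(10),+null)+--+" 200 13',
    '2012-06-24T21:59:16 10.0.0.9 "GET /Less-10/?id=1%22+and+if(1=1,+sleep(10),+null)+--+" 200 10009',
    '2012-06-24T21:59:17 10.0.0.9 "GET /Less-10/?id=1" 200 11',
]


class Request(NamedTuple):
    client: str
    route: str
    query: str
    ms: int


def parse_line(line: str) -> Request:
    """Split one log line; '+' and %XX in the query are decoded so that
    the post's URL-encoded payloads are inspected in their decoded form."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    parts = urlsplit(m["path"])
    return Request(m["client"], parts.path, unquote_plus(parts.query), int(m["ms"]))


def baseline_ms(requests: List[Request]) -> Dict[str, float]:
    """Median response time per route, computed only from requests without
    a delay function, so probes cannot inflate their own baseline."""
    clean: Dict[str, List[int]] = {}
    for r in requests:
        if not DELAY_RE.search(r.query):
            clean.setdefault(r.route, []).append(r.ms)
    return {route: statistics.median(v) for route, v in clean.items()}


def find_time_probes(lines: List[str], slow_factor: float = 5.0,
                     min_extra_ms: int = 2000) -> List[dict]:
    """Return one finding per request carrying a delay function.
    'confirmed' means the server actually stalled relative to baseline,
    i.e. the injected condition evaluated true; 'attempted' means the
    delay was requested but the response time was normal."""
    reqs = [parse_line(line) for line in lines]
    base = baseline_ms(reqs)
    findings: List[dict] = []
    for r in reqs:
        if not DELAY_RE.search(r.query):
            continue
        ref = base.get(r.route, 0.0)
        stalled = r.ms >= ref * slow_factor and r.ms - ref >= min_extra_ms
        findings.append({
            "client": r.client, "route": r.route, "query": r.query,
            "ms": r.ms, "verdict": "confirmed" if stalled else "attempted",
        })
    return findings


if __name__ == "__main__":
    for f in find_time_probes(SAMPLE_LOG):
        print(f"{f['verdict']:9} {f['client']:9} {f['route']:11} {f['ms']:6} ms  {f['query']}")
```

A client that produces both a 'confirmed' and an 'attempted' finding on the same route is the if(1=1)/if(1=0) pair the post describes, which is a stronger signal than either line alone.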
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/gzU1YBu_838?feature=player_embedded' frameborder='0'></iframe></div>
<div>
<br /></div>
<div>
<span style="color: orange;"><b>Less - 9</b></span> line number 29<br />
<span style="color: lime;"><b>$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";</b></span><br />
<b><span style="color: yellow;">1'+and+sleep(10)+--+</span> -- Basic injection to detect sqli</b><br />
<b><span style="color: yellow;">1'+and+if(1=1, sleep(10), null)+--+</span> <span style="color: magenta;">-- Returns True ( page load is approx 10 sec)</span></b><br />
<b><span style="color: yellow;">1'+and+if(1=0, sleep(10), null)+--+</span> <span style="color: magenta;">-- Returns False (page load is almost instant)</span></b><br />
<span style="color: magenta;"><br /></span><br />
<b><span style="color: orange;">Less-10</span></b> line number 28,29<br />
<br />
<span style="color: lime;"><b>$id = '"'.$id.'"';</b></span><br />
<span style="color: lime;"><b>$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";</b></span><br />
<b><span style="color: yellow;">1"+and+sleep(10)+--+</span> -- Basic injection to detect sqli</b><br />
<b><span style="color: yellow;">1"+and+if(1=1, sleep(10), null)+--+</span> <span style="color: magenta;">-- Returns True ( page load is approx 10 sec)</span></b><br />
<b><span style="color: yellow;">1"+and+if(1=0, sleep(10), null)+--+</span> <span style="color: magenta;">-- Returns False (page load is almost instant)</span></b><br />
<b><span style="color: magenta;"><br /></span></b><br />
Hope this makes some sense, after all I am a <b><span style="color: orange;">dhakkan</span></b>.<br />
<div>
<br /></div>
<br /></div>
</div>Audi-1 aka (Dhakkan)http://www.blogger.com/profile/00500429737089621486noreply@blogger.com0tag:blogger.com,1999:blog-6128384973829518029.post-35023926900910566462012-06-24T19:33:00.000+02:002012-06-25T12:32:26.486+02:00SQLI-LABS SERIES PART-8<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<i><span style="color: red;">CAUTION: This is for educational purposes only. Please do not use the skills you gain from following the video lessons or the blog to harm or test sites on the internet for which you do not have permission. Doing so is illegal. I do not support this sort of activity and would advise you all to stay away from the same... If you do so you are solely responsible for your actions, you have been warned.</span></i><br />
<br />
<div style="text-align: center;">
<b><u><span style="color: cyan; font-size: large;">BLIND INJECTIONS</span></u></b></div>
<br />
Continuing the SQLI-LABS series: we have discussed error based injections, union type injections and double query injections. In today's post we discuss blind injections. Blind injections got this name because during a blind injection you do not get any help from the application: all errors are suppressed from the end user.<br />
Therefore the complete injection is based on guesswork. The tester does not see any error responses with which to tune the injections.<br />
Blind injections can be classified mainly into two categories:<br />
<br />
<ul style="text-align: left;">
<li><b>Boolean based Blind injections</b></li>
<li><b>Time based Blind injections.</b></li>
</ul>
<br />
<br />
<div style="text-align: center;">
<span style="color: cyan;"><b><u>Boolean Based</u></b></span></div>
<div style="text-align: justify;">
As per wikipedia "In computer science, the Boolean or logical data type is a data type, having two values (usually denoted true and false), intended to represent the truth values of logic and Boolean algebra. It is named after George Boole, who first defined an algebraic system of logic in the mid 19th century".</div>
<div style="text-align: justify;">
Well, in certain web applications you will find that the database does not write any fields to the web page, or union injections somehow do not work, and MySQL errors are not displayed on the page either, so technically there is no direct channel through which the database writes to the web page. In this case the only option left is to use blind injections. With blind injections we cannot dump strings or names directly but need to deduce them character by character.</div>
<div style="text-align: justify;">
In general, when we were dealing with error based injections we asked the database questions like: dump us the database name, the version, the table names, etc. In the case of blind injections we change the way we ask questions and rephrase them like: is the first letter of the database name this? The answer comes out as either yes or no, true or false. Check the video at the end of the post for a more detailed explanation.</div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b><span style="color: orange;">Less-8</span></b> line number 29<br />
<span style="color: lime;"><b>$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";</b></span><br />
<br />
basic injection example:<br />
<b><span style="color: yellow;">1' AND '1'='1</span> -- returns true</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtGDFQ_6YnURhRBw4xv_JTjyaSkJjZTvCX0-X-TcXH1ax1xZJ9JSgJ2Jyi1A8D5B4yB5Xc00ve4ZXd01chOy8u1cRG7DnTCFi2Xg0D6Pv9U1JQpKKjRtE1UoEYJyxMlu1UKTqWZPmiOb0/s1600/Less-8t.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="234" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtGDFQ_6YnURhRBw4xv_JTjyaSkJjZTvCX0-X-TcXH1ax1xZJ9JSgJ2Jyi1A8D5B4yB5Xc00ve4ZXd01chOy8u1cRG7DnTCFi2Xg0D6Pv9U1JQpKKjRtE1UoEYJyxMlu1UKTqWZPmiOb0/s640/Less-8t.png" width="640" /></a></div>
<br />
<br />
<b><span style="color: yellow;">1' AND '1'='0</span> -- returns false</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyACrz5SMg_1gRISBJ3_tCQipKqqiEq0s2TXadi1d93y02-qOuJfhfG8ffkC-MqUu9NZ7bn3wiqb0YzVxs47CZiOuB8y7o8MElvJzwJhluBFDA5hV5kH7B3dFO30O6iB43STJpBhyphenhyphenf-P8/s1600/Less-8n.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyACrz5SMg_1gRISBJ3_tCQipKqqiEq0s2TXadi1d93y02-qOuJfhfG8ffkC-MqUu9NZ7bn3wiqb0YzVxs47CZiOuB8y7o8MElvJzwJhluBFDA5hV5kH7B3dFO30O6iB43STJpBhyphenhyphenf-P8/s640/Less-8n.png" width="640" /></a></div>
<br /></div>
<div style="text-align: justify;">
Therefore by evaluating the strings character by character we can dump the complete database.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/u7Z7AIR6cMI?feature=player_embedded' frameborder='0'></iframe></div>
<br /></div>
<br />
<div>
<br /></div>
<br />
<br /></div>Audi-1 aka (Dhakkan)http://www.blogger.com/profile/00500429737089621486noreply@blogger.com0tag:blogger.com,1999:blog-6128384973829518029.post-52264816911752547222012-06-24T15:27:00.000+02:002012-06-25T12:32:36.308+02:00SQLI-LABS SERIES PART 6,7<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<div style="text-align: justify;">
<span style="color: red;"><i>CAUTION: This is for educational purposes only. Please do not use the skills you gain from following the video lessons or the blog to harm or test sites on the internet for which you do not have permission. Doing so is illegal. I do not support this sort of activity and would advise you all to stay away from the same... If you do so you are solely responsible for your actions, you have been warned.</i></span></div>
<div>
<br /></div>
<div style="text-align: center;">
<span style="color: cyan; font-size: large;"><b><u>DOUBLE QUERY INJECTIONS OR SUBQUERY INJECTIONS.</u></b></span></div>
<div>
<br /></div>
<div>
<div style="text-align: justify;">
In the last 5 parts of the series we learnt some basics about error based injections and used UNION statements to dump the database through the web application. We could achieve this because the database was interacting with the web page and some database fields were visible on the web page. A basic injection looked like id=<span style="color: yellow;">-1 union all select 1,2,3 --+</span> and we were able to see the username and password fields displaying the values 2 and 3. For a detailed explanation watch videos 2 to 5.</div>
<div style="text-align: justify;">
In a scenario where the database does not directly display columns on the web page, the above technique cannot be used. To understand this better you can check Lesson 5 or 6 of the sqli-labs series.</div>
</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimZhU9GEIHiaOXX-_9e1SLfBJ86APIxKgMZJWTuobto576fB_pvRe3oFtB84YB_uyU3V-SB8Y5N78vwB2kuKP1Brpz2QrRZMtdKV9ZWk1IxOCBDFsBeeSdiGnwZciDidQ7rRI6iB-gUOI/s1600/Less-5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="290" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimZhU9GEIHiaOXX-_9e1SLfBJ86APIxKgMZJWTuobto576fB_pvRe3oFtB84YB_uyU3V-SB8Y5N78vwB2kuKP1Brpz2QrRZMtdKV9ZWk1IxOCBDFsBeeSdiGnwZciDidQ7rRI6iB-gUOI/s640/Less-5.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
As we can see, we just get a generic message "You are in". So in this case the database is not displaying any fields on the page, and the only way the database reveals information is through the MySQL error. <i>(note: I am using Lesson 5 and 6 interchangeably; the only difference is the way the error is produced)</i></div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmNChaIzk7OIhFXYKJXffvEzNx1EPYnPnJcBFhOUYGV_DzSLzKgsrmqhEmMeYzq4GqOSdz4xW65D7bheqQjq2MB9RkzCDysQdcYubyv2-1kxzBpEXT-zWpIYSFzsq6UAlDcMtvR8gC5Gw/s1600/Less-6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="" border="0" height="243" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmNChaIzk7OIhFXYKJXffvEzNx1EPYnPnJcBFhOUYGV_DzSLzKgsrmqhEmMeYzq4GqOSdz4xW65D7bheqQjq2MB9RkzCDysQdcYubyv2-1kxzBpEXT-zWpIYSFzsq6UAlDcMtvR8gC5Gw/s640/Less-6.png" title="Less-5" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
So the primary objective in a double query injection is to craft an injected query which is syntactically correct (valid at compile time) but produces an error at run time, thereby spitting useful information out in the error. In the case of MSSQL server, cast errors dump the info, but MySQL, being flexible, returns empty rows instead. Therefore some genius researchers found that a combination of aggregate functions, a group by clause and a random function produces errors at run time, due to the dynamic calculations involved in the random function and an aggregate function like count.</div>
<div style="text-align: justify;">
Hope this makes some sense, after all I am a <b><span style="color: orange;">dhakkan</span></b>.</div>
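<div style="text-align: justify;">
The count() / group by / random function mechanism described here, and in the "In my personal understanding" paragraph of the Part 12 post above, as an added Python teaching model that is not part of the blog or the sqli-labs code: it assumes the commonly given explanation that the grouping key is evaluated once to look a group up and once more when a new group row is inserted, and the replayed key sequence is constructed for the demo rather than MySQL's actual rand(0) output.</div>

```python
"""Added teaching model (not MySQL source and not the blog's code) of why
COUNT(*) ... GROUP BY <non-deterministic key> can fail with a duplicate
entry error.  It assumes the commonly given explanation: the engine groups
through a temporary table, computes the key once to look a group up and,
when the group is new, computes it again for the insert."""
from typing import Callable, Dict, Iterator, List


class DuplicateEntry(Exception):
    """Stands in for MySQL's 'Duplicate entry ... for key ...' error."""


def replayed_sequence(values: List[int]) -> Callable[[], int]:
    """Zero-argument key function that replays a fixed list of values.
    It stands in for a seeded random expression; the list is constructed
    for the demo and is not MySQL's actual rand(0) output."""
    it: Iterator[int] = iter(values)
    return lambda: next(it)


def group_count(rows: int, key_expr: Callable[[], int]) -> Dict[int, int]:
    """Model of GROUP BY over `rows` source rows, keyed by key_expr().

    Returns {group_key: count}.  The modelled defect: the key is evaluated
    a second time when a new group row is inserted, so the key that gets
    inserted may already exist, which the temporary table's unique index
    rejects.  With a deterministic key both evaluations agree and the
    collision cannot happen."""
    temp_table: Dict[int, int] = {}
    for _ in range(rows):
        lookup_key = key_expr()            # evaluation 1: find the group
        if lookup_key in temp_table:
            temp_table[lookup_key] += 1    # existing group, just count it
            continue
        insert_key = key_expr()            # evaluation 2: build the new row
        if insert_key in temp_table:
            raise DuplicateEntry(f"Duplicate entry '{insert_key}' for key 'group_key'")
        temp_table[insert_key] = 1
    return temp_table


def outcome(rows: int, key_values: List[int]) -> str:
    """'duplicate' if grouping `rows` rows over the replayed key sequence
    raises the error, otherwise 'ok'."""
    try:
        group_count(rows, replayed_sequence(key_values))
    except DuplicateEntry:
        return "duplicate"
    return "ok"


if __name__ == "__main__":
    # Two-valued key (0/1) over three rows: the lookup says 0 is new, the
    # re-evaluated insert key is 1, and on the third row that collides.
    print(outcome(3, [0, 1, 1, 0, 1, 1]))   # duplicate
    print(group_count(3, lambda: 1))        # {1: 3}, deterministic key is safe
```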
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/zaRlcPbfX4M?feature=player_embedded' frameborder='0'></iframe></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b><span style="color: orange;">Less-5</span></b> line number 29</div>
<div style="text-align: justify;">
<span style="color: lime;"><b>$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";</b></span><br />
<br />
<ul>
<li>' or '1'='1 Will work nicely. <b><span style="color: lime;"> id = '</span><span style="color: yellow;"> ' or '1'='1</span><span style="color: lime;"> ' LIMIT 0,1</span></b></li>
<li>' or 1=1 --+ Will also work. <b><span style="color: lime;"> id = '</span> <span style="color: yellow;">' or 1=1 --+</span> <span style="color: magenta;">' commented out</span></b></li>
<li>' or 1=1 # will also work. <b><span style="color: lime;">id = '</span> <span style="color: yellow;">' or 1=1 #</span> <span style="color: magenta;">' commented out</span></b></li>
</ul>
<div>
<span style="color: orange;"><b><br /></b></span><br />
<span style="color: orange;"><b>Less-6</b></span> line number 28,29</div>
<div>
<div>
<b><span style="color: lime;">$id = '"'.$id.'"';</span></b></div>
<div>
<b><span style="color: lime;">$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";</span></b></div>
</div>
<div>
<div>
<ul>
<li>" or "1"="1 Will work nicely. <b> <span style="color: lime;">id = "</span> <span style="color: yellow;">" or "1"="1</span> <span style="color: lime;">" LIMIT 0,1</span></b></li>
<li>" or 1=1 --+ Will also work. <b><span style="color: lime;">id = "</span> <span style="color: yellow;">" or 1=1 --+</span> <span style="color: magenta;">" commented out</span></b></li>
<li>" or 1=1 # will also work. <b><span style="color: lime;"> id = "</span> <span style="color: yellow;">" or 1=1 #</span> <span style="color: magenta;">" commented out</span></b></li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/9utdAPxmvaI?feature=player_embedded' frameborder='0'></iframe></div>
<div>
<span style="color: magenta;"><b><br /></b></span></div>
</div>
</div>
</div>
</div>
<b>SQLI-LABS SERIES PART - 2,3,4,5</b> (Audi-1 aka (Dhakkan), published 2012-06-22, updated 2012-12-19)
<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<i><span style="color: red;">CAUTION: This is for educational purposes only, please do not use the skills you gain from following the video lessons, blog to harm or test sites on the internet for whom you do not have permissions. Doing so is illegal. I do not support these sort of activities and would advise you all to stay away from the same... If you do so you are solely responsible for your actions, you have been warned. </span></i><br />
<div>
<br /></div>
<br />
<br />
In the first part of the series we downloaded the PHP code files and installed them on the BackTrack machine or under XAMPP on Windows.<br />
<div>
In today's lesson we will start with error-based SQL injections. </div>
<div>
<br /></div>
<div>
<span style="font-family: inherit;">What exactly is <b><span style="color: red;">SQL injection?</span></b></span></div>
<div style="text-align: -webkit-auto;">
<span style="font-family: inherit;"><span style="line-height: 19px;">SQL injection is a technique often used to attack databases through a website. SQL injection is a code injection technique that exploits a security vulnerability in a website's software. -- source wikipedia</span></span></div>
<div style="text-align: -webkit-auto;">
<span style="font-family: inherit;"><span style="line-height: 19px;"><br /></span></span></div>
<div style="text-align: -webkit-auto;">
<span style="line-height: 19px;">How does SQL injection happen?</span></div>
<div style="text-align: -webkit-auto;">
Let us take the example of Less-1: the web page takes an input through the parameter "ID" and passes it on to the backend database by constructing a query at run time.<br />
<br /></div>
<div style="text-align: -webkit-auto;">
<div style="text-align: center;">
<span style="color: cyan; font-size: large; line-height: 19px;"><b><u>ERROR BASED SQL INJECTION</u></b></span></div>
<div style="text-align: center;">
<span style="color: cyan; line-height: 19px;"><b><u><br /></u></b></span></div>
</div>
<div style="text-align: -webkit-auto;">
<span style="line-height: 19px;">Error based SQL injection is called so because the errors are displayed on the web page, and these errors are used to discover the underlying query.</span><br />
<span style="line-height: 19px;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<object class="BLOGGER-youtube-video" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" data-thumbnail-src="http://i.ytimg.com/vi/TA2h_kUqfhU/0.jpg" height="266" width="320"><param name="movie" value="http://www.youtube.com/v/TA2h_kUqfhU?version=3&f=user_uploads&c=google-webdrive-0&app=youtube_gdata" />
<param name="bgcolor" value="#FFFFFF" />
<param name="allowFullScreen" value="true" />
<embed width="320" height="266" src="http://www.youtube.com/v/TA2h_kUqfhU?version=3&f=user_uploads&c=google-webdrive-0&app=youtube_gdata" type="application/x-shockwave-flash" allowfullscreen="true"></embed></object></div>
<span style="line-height: 19px;"><br /></span>
<span style="color: orange; line-height: 19px;"><b>Less-1 </b></span><br />
<span style="line-height: 19px;">If you open the source of index.php under Less-1, you will see on line 29:</span><br />
<span style="color: lime; line-height: 19px;"><b>$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";</b></span><br />
<span style="line-height: 19px;">Here we see that the variable $id is wrapped in single quotes.</span><br />
<span style="line-height: 19px;">id = ' $id '. Now when a tester provides <b><span style="color: yellow;"> ' or 1=1</span></b> it becomes <b><span style="color: lime;">id = '</span> <span style="color: yellow;">' or 1=1 </span> </b><span style="color: lime;"><b>'</b> </span>, so the complete query effectively evaluates as id = empty string OR (one equals one): the input escapes the data boundary and gets executed as code. There is still a quote left on the right side, which we either need to balance or comment out together with the remaining part of the query.</span><br />
<br />
<ul style="text-align: left;">
<li><span style="line-height: 19px;">' or '1'='1 Will work nicely. <span style="color: lime;"> <b>id = '</b></span><b><span style="color: yellow;"> ' or '1'='1</span><span style="color: lime;"> ' </span></b></span><b style="color: lime; line-height: 19px;">LIMIT 0,1</b></li>
<li><span style="line-height: 19px;">' or 1=1 --+ Will also work. </span><b><span style="line-height: 19px;"><span style="color: lime;">id = ' </span><span style="color: yellow;">' or 1=1 --+</span> <span style="color: magenta;"> </span></span><span style="line-height: 19px;"><span style="color: magenta;">' commented out</span></span></b></li>
<li><span style="line-height: 19px;">' or 1=1 # will also work. </span><span style="line-height: 19px;"><b><span style="color: lime;">id = ' </span><span style="color: yellow;">' or 1=1 #</span><span style="color: lime;"> </span><span style="color: magenta;">' commented out</span></b></span></li>
</ul>
<div style="text-align: left;">
<span style="line-height: 19px;"><span style="color: orange;"><b>Less-2</b></span> line number 31,32</span></div>
<div style="text-align: left;">
<span style="line-height: 19px;"><span style="color: lime;"><b>$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";</b></span></span></div>
<div style="text-align: left;">
<ul style="text-align: left;">
<li><span style="line-height: 19px;">or 1=1 Will work nicely. </span><span style="color: lime; line-height: 19px;"><b>id = </b></span><b style="line-height: 19px;"><span style="color: yellow;"> or 1=1</span><span style="color: lime;"> </span></b><b style="color: lime; line-height: 19px;">LIMIT 0,1</b></li>
<li><span style="line-height: 19px;">or 1=1 --+ Will also work. </span><span style="color: lime; line-height: 19px;"><b>id = </b></span><b style="line-height: 19px;"><span style="color: yellow;">or 1=1 --+</span><span style="color: lime;"> </span></b></li>
<li><span style="line-height: 19px;">or 1=1 # Will also work. </span><span style="color: lime; line-height: 19px;"><b>id = </b></span><b style="line-height: 19px;"><span style="color: yellow;"> or 1=1</span><span style="color: lime;"> </span><span style="color: yellow;">#</span></b></li>
</ul>
</div>
<div style="text-align: left;">
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/N0zAChmZIZU?feature=player_embedded' frameborder='0'></iframe></div>
<span style="line-height: 19px;"><b><span style="color: orange;"><br /></span></b></span>
<span style="line-height: 19px;"><b><span style="color: orange;">Less-3</span> </b>line number 31</span></div>
<div style="text-align: left;">
<span style="line-height: 19px;"><span style="color: lime;"><b>$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";</b></span></span></div>
<div style="text-align: left;">
<ul>
<li><span style="line-height: 19px;">' ) or ('1')=('1 Will work nicely. <span style="color: lime;"> <b>id = ('</b></span><b><span style="color: yellow;"> ') or ('1')=('1</span><span style="color: lime;"> ') </span></b></span><b style="color: lime; line-height: 19px;">LIMIT 0,1</b></li>
<li><span style="line-height: 19px;">' ) or 1=1 --+ Will also work. </span><b><span style="line-height: 19px;"><span style="color: lime;">id = (' </span><span style="color: yellow;">') or 1=1 --+</span> <span style="color: magenta;"> </span></span><span style="line-height: 19px;"><span style="color: magenta;">') commented out</span></span></b></li>
<li><span style="line-height: 19px;">' ) or 1=1 # will also work. </span><span style="line-height: 19px;"><b><span style="color: lime;">id = (' </span><span style="color: yellow;">') or 1=1 #</span><span style="color: lime;"> </span><span style="color: magenta;">') commented out</span></b></span></li>
</ul>
</div>
<div style="text-align: left;">
<div class="separator" style="clear: both; text-align: center;">
<br /><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/6pVxm5mWBVU?feature=player_embedded' frameborder='0'></iframe></div>
<span style="line-height: 19px;"><b><span style="color: orange;"><br /></span></b></span>
<span style="line-height: 19px;"><b><span style="color: orange;">Less-4</span> </b>line number 28,29</span></div>
<b style="color: lime; line-height: 19px;">$id = '"' . $id . '"';</b><br />
<span style="line-height: 19px;"><span style="color: lime;"><b>$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";</b></span></span><br />
<br />
<div style="text-align: left;">
<ul>
<li><span style="line-height: 19px;">") or ("1")=("1 Will work nicely. <span style="color: lime;"> <b>id = ("</b></span><b><span style="color: yellow;"> ")or ("1")=("1</span><span style="color: lime;"> ") </span></b></span><b style="color: lime; line-height: 19px;">LIMIT 0,1</b></li>
<li><span style="line-height: 19px;">") or 1=1 --+ Will also work. </span><b><span style="line-height: 19px;"><span style="color: lime;">id = (" </span><span style="color: yellow;">")or 1=1 --+</span> <span style="color: magenta;"> ")</span></span><span style="line-height: 19px;"><span style="color: magenta;"> commented out</span></span></b></li>
<li><span style="line-height: 19px;">") or 1=1 # will also work. </span><span style="line-height: 19px;"><b><span style="color: lime;">id = (" </span><span style="color: yellow;">") or 1=1 #</span><span style="color: lime;"> </span><span style="color: magenta;"> ") commented out</span></b></span></li>
</ul>
</div>
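As an added example (not the lab's own code), the Less-1 and Less-3 query templates above (Less-5 reuses the Less-1 line) wired to an in-memory SQLite table that stands in for the lab's MySQL users table, next to the parameterized form that closes the hole. The table rows are constructed sample data, and the post's <code>--+</code> is written as <code>-- </code> because the web server decodes the <code>+</code> to a space before PHP sees it.

```python
import sqlite3

# Constructed sample rows standing in for the lab's MySQL "users" table (not the lab's data).
USERS = [(1, "alice", "s3cret"), (2, "bob", "hunter2"), (3, "carol", "letmein")]

# Query templates taken from the lab's PHP; "{id}" marks where $id is concatenated in.
TEMPLATES = {
    "Less-1": "SELECT * FROM users WHERE id='{id}' LIMIT 0,1",    # Less-5 uses the same line
    "Less-3": "SELECT * FROM users WHERE id=('{id}') LIMIT 0,1",
}


def open_db():
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def build_query(lesson, user_input):
    """Vulnerable: mirrors the PHP string concatenation, so the input becomes SQL text."""
    return TEMPLATES[lesson].format(id=user_input)


def lookup_vulnerable(conn, lesson, user_input):
    """Runs the concatenated query; returns the first matching row or None."""
    return conn.execute(build_query(lesson, user_input)).fetchone()


def lookup_parameterized(conn, user_input):
    """Hardened: the value is bound as a parameter and can never change the query's structure."""
    return conn.execute("SELECT * FROM users WHERE id=? LIMIT 0,1", (user_input,)).fetchone()


if __name__ == "__main__":
    db = open_db()
    cases = [
        ("Less-1", "2"),                  # legitimate lookup, both forms agree
        ("Less-1", "' or '1'='1"),        # closes the quote, makes WHERE always true
        ("Less-1", "' or 1=1 -- "),       # comments out the trailing quote and LIMIT
        ("Less-3", "') or ('1')=('1"),    # same idea, but the wrapper is ('...')
    ]
    for lesson, value in cases:
        print(f"{lesson} input={value!r}")
        print("  query      :", build_query(lesson, value))
        print("  concatenated:", lookup_vulnerable(db, lesson, value))
        print("  parameterized:", lookup_parameterized(db, value))
```

The concatenated lookups return the first user for every injected value, while the parameterized lookup returns a row only for a real id.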
<div style="text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/0tyerVP9R98?feature=player_embedded' frameborder='0'></iframe></div>
<br />
Hope you all like it.<br />
<span style="line-height: 19px;"><br /></span></div>
</div>
<b>SQLI-LABS SERIES PART-1</b> (Audi-1 aka (Dhakkan), published 2012-06-22, updated 2012-06-26)
<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The issue with me is that I have a very unconventional way of self-learning: unless the core concepts are clear, things fall logically into place and I have an answer to all the how and why questions in my head, I cannot accept and retain those topics.</div>
<div style="text-align: justify;">
Well, for me my good friend Alper has always been there whenever stupid ideas popped into my head and I needed someone to share and discuss with, and to show me the right path. Pranab has always supported me in the odd hours of research and learning, when we are trying to understand things....</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Shashank, another good friend of mine, pushed me to share my ideas and know-how with others.... so the revival of my blog is because of him. Not to forget my buddy Neeraj, who was with me in all the ups and downs of my life....(Miss you uncle.................)</div>
<div style="text-align: justify;">
Thanks a ton to all my friends. It is only because of them that I am what I am today.<br />
<br />
<br />
<br />
<div style="text-align: center;">
<b><span style="color: lime; font-size: large;"><u>SQLI-LABS SERIES</u></span></b></div>
<div style="text-align: center;">
<b><span style="color: lime; font-size: large;"><u><br /></u></span></b></div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrcJ-gZ7Bo23Lrj6uhPu358hAF_z-3H0hiajmSCZRkFAoReepoIhgNooE19PffgvveQ3blVsTTC9DJEP-_Ghg7quRVOs1ME4-PPyDzFMv6sa07aE1vR01IhgIcJErvFjEMK41bJdhhmw0/s1600/sqli-labs.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="352" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrcJ-gZ7Bo23Lrj6uhPu358hAF_z-3H0hiajmSCZRkFAoReepoIhgNooE19PffgvveQ3blVsTTC9DJEP-_Ghg7quRVOs1ME4-PPyDzFMv6sa07aE1vR01IhgIcJErvFjEMK41bJdhhmw0/s640/sqli-labs.png" width="640" /></a></div>
<div style="text-align: justify;">
<span style="background-color: white;"><br /></span></div>
<div style="text-align: justify;">
So here I am sharing the little I know....<br />
Plans are big. If the audience likes the stuff, I will invest more time to share and bring forward more subjects.....</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I started with SQL injections...... Why SQL injections? Well, there is a lot said about this subject on the internet, from basic to advanced stuff, but no single resource explains the logic behind the scenes for all types in one place, how it works and why it works; most are like "do this, then this, and then this", but why it needs to be done like that is not explained...........</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
SQLI-LABS is my attempt to explain the basics involved in SQL injections. I tried to be a <span style="color: yellow;">DHAKKAN</span> during my explanations.... Hope you all like them.</div>
<div style="text-align: justify;">
<span style="background-color: white;"><br /></span></div>
<div style="text-align: justify;">
<span style="color: red;">CAUTION:</span> <span style="color: red;"><i>This is for educational purposes only, please do not use the skills you gain from following the video lessons, blog to harm or test sites on the internet for whom you do not have permissions. Doing so is illegal. I do not support these sort of activities and would advise you all to stay away from the same... If you do so you are solely responsible for your actions, you have been warned. </i></span></div>
<div style="text-align: justify;">
<span style="background-color: white;"><br /></span></div>
<div style="text-align: justify;">
SQLI-LABS is a test bed of various lessons to explain and learn different types of SQL injections.</div>
<div style="text-align: justify;">
<span style="background-color: white;"><br /></span></div>
<div style="text-align: justify;">
</div>
<ol>
<li>Error Based Sql Injections - Union select type.</li>
<li>Error Based Sql Injections - Double Query type.</li>
<li>Boolean Based Blind Injections.</li>
<li>Time Based Blind Injections.</li>
<li>Dumping the DB using outfile / Dumpfile.</li>
<li>POST based Sql injections Error based type - union select.</li>
<li>POST based Sql injections - Double injection type.</li>
<li>POST based Blind injections - Boolean / Time based.</li>
<li>Injection in the UPDATE query.</li>
<li>Injection in the Headers.</li>
<li>Injection in cookies.</li>
</ol>
<div>
Download the test bed from <a href="https://github.com/Audi-1/sqli-labs">https://github.com/Audi-1/sqli-labs</a></div>
Installation video can be found at <a href="http://www.youtube.com/watch?v=NJ9AA1_t1Ic" style="text-align: left;">http://www.youtube.com/watch?v=NJ9AA1_t1Ic</a>
<br />
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<object class="BLOGGER-youtube-video" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" data-thumbnail-src="http://3.gvt0.com/vi/NJ9AA1_t1Ic/0.jpg" height="266" width="320"><param name="movie" value="http://www.youtube.com/v/NJ9AA1_t1Ic&fs=1&source=uds" />
<param name="bgcolor" value="#FFFFFF" />
<param name="allowFullScreen" value="true" />
<embed width="320" height="266" src="http://www.youtube.com/v/NJ9AA1_t1Ic&fs=1&source=uds" type="application/x-shockwave-flash" allowfullscreen="true"></embed></object></div>
<div style="text-align: justify;">
<br /></div>
</div>
<b>Rediscovering myself</b> (Audi-1 aka (Dhakkan), published 2012-06-22, updated 2012-06-26)
<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
Hi All,</div>
<div style="text-align: justify;">
Well, over the past few years, I had lost myself in the crowd.....</div>
<div style="text-align: justify;">
and had just become a machine, but thanks to my good friend, Shashank Dixit who pushed me to rediscover myself. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Rejuvenated with the newly gained energy, and backed by a lot of good friends. Special thanks to Alper Celik, Pranab Kumar, Shashank Dixit, Krishna Kumar and many more... I am back with a promise to myself that I will try to help others in the field of infosec as much as I can.....Even more than ever before...</div>
</div>
<b>Can 2 machines on the same LAN have the same IP address without a conflict?</b> (Audi-1 aka (Dhakkan), published 2011-08-07)
<div dir="ltr" style="text-align: left;" trbidi="on"><span style="color: red;"><strong>This is for informational use only. Abuse it at your own risk, you have been warned.</strong></span><br />
This is one of my favorite interview questions. Whenever you ask this question to a normal systems administrator, his answer is a big no; many in the security arena also answer the same. I think otherwise. Maybe<br />
<br />
<span style="color: #ff80ff; font-size: large;"><b><u>I am dumb………</u></b></span><br />
<span style="color: #ff80ff; font-size: large;"><b><u><br />
</u></b></span><br />
Ok, let us cook up……. it has been a long, long time since I cooked something..<br />
Let us assume the following.. (IP address is logical addressing and MAC is physical addressing) <br />
<br />
<span style="color: yellow;">We have PC1 with IP 1 and MAC address 1 <br />
We have PC2 with IP 2 and MAC address 2 </span><br />
<br />
Now let us say PC1 wants to ping PC2.............(yeah, on the same LAN it will ping..<br />
<span class="Apple-style-span" style="color: yellow;">you would be thinking "what an idiotic explanation, we know this"........ just be patient and go through the post :) </span><br />
<span class="Apple-style-span" style="color: lime;">When PC1 tries to ping PC2 it does an operation called ANDing to find out whether the destination host is on the same logical subnet; it is not concerned with the physical network, i.e. whether both are on the same switch/hub etc. <br />
It does this by applying the source subnet mask to the destination IP. As they are on the same LAN, assume them to be in the same range</span><br />
<span class="Apple-style-span" style="color: lime;">for now, keeping things simple..... <br />
Now to transfer the content (an Echo request with dummy data in it), PC1 needs to know the physical location of PC2. As the ANDing says they are on the same logical segment, PC1 sends out an ARP broadcast packet........ <br />
This packet contains the following... <br />
Source IP = IP 1 <br />
Source MAC = MAC 1 <br />
Destination IP = IP 2 <br />
Destination MAC = ??????????????? (unknown) <br />
PC 2, which is on the wire, accepts this packet, processes it, notes down the IP to MAC relationship of PC1 in its table called the ARP cache or ARP table, and sends back its MAC info to PC 1 so it can update its own table as well. <br />
</span><br />
<span class="Apple-style-span" style="color: lime;">To dump the contents of the ARP cache or table use the following: <br />
arp -a ----- in Windows <br />
arp ------- in Linux; search for the equivalent on other OSes. <br />
</span><br />
<span class="Apple-style-span" style="color: lime;">Then PC 1 sends out the data, an ICMP Echo request (ping), to PC 2 at its physical address (MAC address). <br />
This means all communication on the wire happens on physical addressing..... not on logical IPs......... To validate what this DUMB is saying, just capture the data flowing on the wire and see for yourself: an ARP request/response precedes the real data transfer, whether it be FTP, HTTP, DNS, WINS, Telnet etc etc...........</span><br />
<span class="Apple-style-span" style="color: lime;"><br />
</span><br />
<span class="Apple-style-span" style="color: magenta;"> homework done ..... basics understood .... Real fun.........</span><br />
<span class="Apple-style-span" style="color: magenta;"><br />
</span><br />
<span class="Apple-style-span" style="color: red;"> Now think from a reverse engineer's perspective.......<br />
When PC 1 has IP 1 on the wire and you try to assign the same IP to PC 2, on PC 1 there is a warning saying there is a conflict... and on PC 2 there is a warning saying the IP is already in use on the network... So somehow, somewhere in the stack there is a condition match which pops up these alerts....... <br />
Think of this as similar to the good jump and bad jump after a key compare in program cracking........</span><br />
<span class="Apple-style-span" style="color: cyan;"> Now how to overcome this ................... </span><br />
<span class="Apple-style-span" style="color: cyan;">Things getting interesting here........... <br />
</span><br />
<span class="Apple-style-span" style="color: cyan;">When you assign a PC an IP, to validate that it is not already in use on the network the machine sends out a special ARP request 3 times and waits for a response.... If there is a response, alerts are raised like "IP conflict" etc etc <br />
This is called a Gratuitous ARP, which has the following: <br />
Source IP : IP which is to be assigned <br />
Source MAC : MAC of the machine <br />
Dest IP : IP which is to be assigned (meaning the destination is itself) <br />
Dest MAC: ????????????? (unknown) <br />
So if there is a machine on the wire already using that IP, it processes the packet and raises an alert, as the MACs differ for the two, and sends a reply back with its MAC so this PC also knows there is already a machine with the IP it is going to use, and raises its own alert. <br />
</span><br />
<span class="Apple-style-span" style="color: cyan;">Smiling now .......... hmmmm </span><br />
<span class="Apple-style-span" style="color: cyan;">a good, nice way....... but how to overcome these alerts?</span><br />
<span class="Apple-style-span" style="color: cyan;"> PC 1 has IP 1 to start with and PC 2 has IP 2 <br />
now just ping PC 2 from PC 1 <br />
and dump your ARP cache to learn the MAC of PC 2 <br />
once the MAC is known <br />
open the network properties of PC 1 and, under the network card configuration, under Advanced, put in the MAC value. <br />
click OK and you are half done... Now two machines on the network have the same MAC but different IPs. <br />
Now just change the IP on PC 1 from IP 1 to IP 2; it will send out a packet as usual, but the contents would be this: <br />
Source IP = IP 2 <br />
Source MAC = MAC 2 <br />
Dest IP = IP 2 <br />
Dest MAC = ?????????? <br />
Even if PC 2 processes the packet, nothing looks strange to it, as the source MAC is the same as its own MAC, so the condition is not met, no alert is raised, and the stack initializes..... Now both machines can communicate with any other machine on the wire, and even surf the internet etc etc, but cannot communicate with each other. <br />
</span><br />
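As an added example (not from the post), a passive ARP monitor in Python that parses raw Ethernet/ARP frames and replays the two cases above with constructed addresses: the plain re-addressing that trips an IP-conflict check, and the cloned-MAC variant the post describes, which the same IP-to-MAC comparison cannot see. All MACs and IPs below are constructed test values.

```python
import struct
from dataclasses import dataclass

ETH_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa


@dataclass
class ArpPacket:
    opcode: int          # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    @property
    def is_gratuitous(self) -> bool:
        # Sender and target IP identical: the host is asking about / announcing its own address.
        return self.sender_ip == self.target_ip


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_frame(frame: bytes) -> ArpPacket:
    """Parse an Ethernet II frame carrying ARP over IPv4 (14-byte header + 28-byte ARP body)."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_ARP:
        raise ValueError(f"not an ARP frame: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    return ArpPacket(op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


def build_frame(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Builds constructed test frames; an all-zero target MAC means 'unknown' and goes to broadcast."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    tha = bytes.fromhex(target_mac.replace(":", ""))
    spa = bytes(int(o) for o in sender_ip.split("."))
    tpa = bytes(int(o) for o in target_ip.split("."))
    dst = b"\xff" * 6 if tha == b"\x00" * 6 else tha
    return dst + sha + struct.pack("!H", ETH_ARP) + struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, sha, spa, tha, tpa)


class ArpMonitor:
    """Passive IP-to-MAC learner (arpwatch style): records sender bindings and flags changes."""

    def __init__(self):
        self.bindings = {}   # ip -> mac last seen claiming it
        self.alerts = []

    def observe(self, pkt: ArpPacket) -> None:
        known = self.bindings.get(pkt.sender_ip)
        if known is not None and known != pkt.sender_mac:
            kind = "gratuitous ARP" if pkt.is_gratuitous else "ARP"
            self.alerts.append(f"{pkt.sender_ip} moved from {known} to {pkt.sender_mac} ({kind})")
        self.bindings[pkt.sender_ip] = pkt.sender_mac


def run_scenario():
    """Replays the post's sequence with constructed addresses; returns the monitor's alerts."""
    mac1, mac2 = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed, locally administered
    ip1, ip2 = "192.0.2.1", "192.0.2.2"                      # constructed, documentation range
    unknown = "00:00:00:00:00:00"
    frames = [
        build_frame(1, mac1, ip1, unknown, ip2),   # PC1 asks who has IP2 (the ping's ARP preamble)
        build_frame(2, mac2, ip2, mac1, ip1),      # PC2 replies; the monitor learns IP2 -> MAC2
        build_frame(1, mac2, ip2, unknown, ip2),   # PC1 with MAC2 cloned probes IP2: binding unchanged, silent
        build_frame(1, mac1, ip2, unknown, ip2),   # PC1 with its own MAC probes IP2: binding changes, alert
    ]
    mon = ArpMonitor()
    for f in frames:
        mon.observe(parse_frame(f))
    return mon.alerts


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

The cloned-MAC probe is indistinguishable from PC2's own announcement at this layer, which is why the post's trick raises no alert; catching it needs a different signal, such as a switch seeing the same MAC on two ports.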
<span class="Apple-style-span" style="color: cyan;">Hope you understood this </span><br />
<span class="Apple-style-span" style="color: cyan;"><br />
</span><br />
<span class="Apple-style-span" style="color: cyan;"></span><span class="Apple-style-span" style="color: red;">Normal disclaimer, this is for educational use only, please do not use it for malicious intentions..... if you do so , it is at your own risk, you have been warned............. </span><br />
<br />
<span class="Apple-style-span" style="color: cyan;">Hope this helps ........ <br />
</span><br />
<span class="Apple-style-span" style="color: cyan;">Sorry for being crappy at places, after all I am DUMB</span></div>
<b>Metasploit Autopwn with postgreSQL</b> (Audi-1 aka (Dhakkan), published 2010-06-03)
Many times in the past I wondered why my manual exploits worked with a bind shell or reverse shell but not when using autopwn. I thought of digging into it and found some articles which described using something other than SQLite3.<br />
We have seen a similar warning when we use the db_driver command.<br />
This issue has been nicely covered on the Metasploit sites, but I thought of writing this article for dummies like me who have a hard time understanding some articles………….. :)<br />
OK, to start with, we would be needing the following………<br />
1. Backtrack version 4<br />
2. A little bit of Dumbness<br />
Here we go……………….<br />
1. We need to install PostgreSQL if it is not installed on your system; if you are using BackTrack then it is installed by default. In case it is not, here is how to get it.<br />
apt-get install postgresql postgresql-client postgresql-contrib<br />
apt-get install pgadmin3<br />
2. Configuring it. If you try to run PostgreSQL using the script placed in /etc/init.d it will throw an error saying <br />
<pre>#/etc/init.d/postgresql-8.3 start (could not load server certificate file "server.crt": No such file or directory)</pre>Use nano or kate to open /etc/postgresql/8.3/main/postgresql.conf and look for the line ssl = true. Once you find it, just comment it out, then save and exit. (This turns off SSL on the local PostgreSQL listener; it is acceptable here only because msfconsole connects to it over 127.0.0.1.)<br />
#nano /etc/postgresql/8.3/main/postgresql.conf <br />
#ssl = true (requires a restart)<br />
Now start the service by typing at prompt /etc/init.d/postgresql-8.3 start<br />
#/etc/init.d/postgresql-8.3 start<br />
Now we are ready, so we can check whether the server is running by issuing the following command.<br />
# su postgres -c psql<br />
then quit by typing \q<br />
Now to assign a password to this account we can do the following <br />
# passwd postgres<br />
Now give the account a password and we are ready to go….<br />
Open msfconsole and type the following <br />
msf>db_driver postgresql<br />
db_connect postgres:password@127.0.0.1/somename<br />
ready to rock and roll.
<b>What is DHCP, its Benefits, its Lease process…. Explained the Dummy way</b> (Audi-1 aka (Dhakkan), published 2010-02-11)
<p align="justify"><font size="4">DHCP and its benefits explained.</font></p>
<p align="justify">As explained in almost all articles related to DHCP, DHCP is the Dynamic Host Configuration Protocol, a protocol used to ease administration of a network by automating the assignment of IP addresses on the network.</p>
<ol>
<li><div align="justify">It helps avoid the IP address conflicts which may arise when network administrators assign IP addresses manually.</div></li>
<li><div align="justify">If the network topology changes, an administrator only needs to make the change at one central location, and all machines update themselves at the next lease request/renewal. Without it, imagine changing the DNS server IP or the default gateway IP on a network with 1000 clients.</div></li>
<li><div align="justify">It helps with address management, as stale IP addresses can be reused without any human intervention. For example, if machines are replaced, without DHCP an administrator has to reassign the same IP as the old machine, and must handle the case where the replaced machine is plugged in somewhere on the network.</div></li>
</ol>
<p align="justify">In today’s networking world, one cannot imagine life without DHCP. It is a client-server technology and therefore has a server component and a client component. The server component is supported by almost all operating systems and by many networking devices like routers and switches.</p>
<b>What is Arp-Proxy (Proxy Arp), where it is used and why?</b> (Audi-1 aka (Dhakkan), published 2009-09-04, updated 2009-10-02)
<div style="text-align: justify;">What does the word Proxy mean?<br />
</div><div style="text-align: justify;">We all are very much familiar with this word in our life. Somewhere, someday we need to stand in for someone for their work, accompany someone as the original person is not available or assign someone to do something's on our behalf, may be mark our attendance in class when we would be late or we bunk the class.<br />
</div><div style="text-align: justify;">Similarly, in the computer world, a resource that performs a function on someone else's behalf is called a proxy. We have all heard the word "proxy" in the context of web browsing, but what does it mean here?<br />
</div><div style="text-align: justify;"></div><div style="text-align: justify;"><br />
<span style="background-color: black;"><span style="color: magenta; font-size: x-large;"><strong><em>After all I am DUMB.</em></strong></span> </span><br />
</div><div align="center" style="text-align: left;"></div><div style="text-align: justify;"></div><div></div><br />
<br />
<span style="font-size: x-small;"><span style="font-size: large;"><strong><em><span style="font-family: 'Monotype Corsiva'; font-size: large;">So Let us start</span></em></strong></span> <br />
<br />
</span><br />
<div></div><div align="justify"><strong><span style="background-color: black; color: blue; font-family: Georgia, 'Times New Roman', serif; font-size: large;"><em>Objective:</em></span></strong> What is proxy ARP (also written ARP proxy), and where and why is it used? <br />
I will walk you through some scenarios. Please be patient and follow closely. <br />
</div><span style="background-color: black; color: blue; font-family: Georgia, 'Times New Roman', serif; font-size: large;"><em><strong>Scenario:</strong></em></span> We have three machines with the following IP and MAC (Media Access Control) addresses. <br />
<ul><li>PC 1 ----------- 192.168.0.1, -------- MAC address = Mac1</li>
<li>PC 2 ----------- 192.168.0.2, -------- MAC address = Mac2</li>
<li>PC 3 ----------- 10.0.0.1, -------- MAC address = Mac3</li>
</ul><blockquote><div align="left"> <u><strong>Scenario 1:</strong></u> PCs 1, 2 and 3 are connected to the same switch. <br />
<u><strong>Scenario 2:</strong></u> PCs 1, 2 and 3 are connected to a router, each on its own interface. <br />
</div></blockquote><span style="color: blue; font-family: Georgia, 'Times New Roman', serif; font-size: large;"><strong><em>Explanation:</em></strong></span> <span style="color: blue;">What is going on behind the scenes?</span><br />
<br />
<div style="text-align: justify;">When machines communicate with each other over TCP/IP on Ethernet, they follow the same generic process regardless of the operating system installed. To explain it, let us assume PC1 pings PC2 and PC3.<br />
</div><div style="text-align: justify;"></div><div style="text-align: justify;">PC1---------Ping----------PC2<br />
</div><div style="text-align: justify;">PC1---------Ping----------PC3<br />
</div><div style="text-align: justify;">The first thing PC1 does when it starts to ping PC2 is check whether the destination IP is local or remote. It does this with a bitwise AND: it ANDs the destination IP address with its own subnet mask to obtain the destination's network ID, and compares the result with its own network ID (its own IP address ANDed with the same mask). <br />
</div><div style="text-align: justify;"></div><div style="text-align: justify;">If they match, the destination is LOCAL. If the network IDs differ, the destination is REMOTE. The system then takes a different path for each case.<br />
</div><div style="text-align: justify;"></div><div style="text-align: justify;"></div><div style="text-align: justify;"></div><div style="text-align: justify;"><br />
<br />
<strong><u><span style="color: blue; font-family: Times, 'Times New Roman', serif;"><em>WHEN Destination is LOCAL:</em></span></u></strong><br />
</div><ol><li><br />
<br />
<div style="text-align: justify;">PC1 searches its ARP table (its cache of IP-to-MAC mappings) for the MAC address belonging to the destination IP. In our case it looks for the MAC address corresponding to 192.168.0.2.<br />
</div><br />
</li>
<li><br />
<br />
<div style="text-align: justify;">If an entry is found, the frames are addressed to that MAC and sent on the wire.<br />
</div><br />
</li>
<li><br />
<br />
<div style="text-align: justify;">Otherwise PC1 broadcasts an ARP request on the network, effectively shouting "who has 192.168.0.2? Tell me your MAC address". The request also carries PC1's own IP and MAC.<br />
</div><br />
</li>
<li><br />
<br />
<div style="text-align: justify;">PC2 receives the request, sees that it is for its own address, records the mapping of PC1's IP to Mac1 in its own ARP table, and sends a unicast ARP reply back to Mac1.<br />
</div><br />
</li>
<li><br />
<br />
<div style="text-align: justify;">PC1 accepts the reply and adds PC2's entry to its ARP table. Communication then proceeds and we see ping replies on PC1's screen.<br />
</div><br />
</li>
</ol><div style="text-align: justify;"><br />
<strong><u><span style="color: blue; font-family: Times, 'Times New Roman', serif;"><em>WHEN DESTINATION IS REMOTE:</em></span></u></strong><br />
</div><ol><li style="text-align: justify;">When the destination is marked as remote, the PC1 parses its routing table to find if it has a route to the destination.</li>
<li style="text-align: justify;">The route preference is as follows: <br />
<br />
<ol><li style="text-align: justify;">Specific (host) route, i.e. a single address with a /32 mask.</li>
<li style="text-align: justify;">Network route, covering a whole subnet.</li>
<li style="text-align: justify;">Default route (0.0.0.0/0), used when nothing else matches.</li>
</ol><br />
</li>
<li style="text-align: justify;">If there is a match, processing continues; otherwise we see a Destination Host Unreachable message on our screen.</li>
<li style="text-align: justify;">When a route matches, the PC resolves the MAC address of the next hop (the gateway) using the LOCAL process above, and sends the frames to that MAC with the destination IP address left unchanged.</li>
<li style="text-align: justify;"><em>Important:</em> the destination (PC3 in our example) has to follow the same steps to return the packet, and every router along the path must know a route to both the destination and the original source.</li>
</ol><div style="text-align: justify;"><br />
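The local-or-remote decision (the ANDing described under Explanation) and the route preference list above, as an added example that is not part of the original post. The addresses follow the post's scenario; PC1's routing table, the gateway addresses 192.168.0.254 and 192.168.0.253, and the helper names are assumptions made for illustration.

```python
# Added example (not from the original post): how a host decides whether a
# destination is LOCAL or REMOTE, and which route it prefers for a REMOTE one.
# Addresses follow the post's scenario; the routing table is constructed.
import ipaddress


def network_id(ip, mask):
    """AND an IPv4 address with a dotted-decimal subnet mask; returns the network ID."""
    ip_int = int(ipaddress.IPv4Address(ip))
    mask_int = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(ip_int & mask_int))


def is_local(own_ip, own_mask, dst_ip):
    """LOCAL when the destination, ANDed with *our* mask, gives our own network ID."""
    return network_id(dst_ip, own_mask) == network_id(own_ip, own_mask)


def select_route(routes, dst_ip):
    """Longest-prefix match over (prefix, gateway) pairs.

    A specific /32 host route beats a network route, which beats the /0
    default route, exactly the preference order given in the post.
    Returns (prefix, gateway) or None when nothing matches.
    """
    dst = ipaddress.IPv4Address(dst_ip)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.IPv4Network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return (str(best[0]), best[1]) if best is not None else None


def next_hop(own_ip, own_mask, routes, dst_ip):
    """Decide which IP address has to be ARPed for in order to reach dst_ip.

    ("local", dst_ip)       -> ARP for the destination itself
    ("remote", gateway_ip)  -> ARP for the next hop and send the frame there
    ("unreachable", None)   -> no route: 'Destination host unreachable'
    """
    if is_local(own_ip, own_mask, dst_ip):
        return ("local", dst_ip)
    route = select_route(routes, dst_ip)
    if route is None:
        return ("unreachable", None)
    return ("remote", route[1])


# PC1 from the post's scenario, with a constructed routing table (assumed gateways).
PC1_IP, PC1_MASK = "192.168.0.1", "255.255.255.0"
PC1_ROUTES = [
    ("10.0.0.0/8", "192.168.0.254"),    # network route
    ("10.0.0.1/32", "192.168.0.253"),   # specific (host) route to PC3, wins over the /8
    ("0.0.0.0/0", "192.168.0.254"),     # default route
]

if __name__ == "__main__":
    for dst in ("192.168.0.2", "10.0.0.1", "10.1.2.3", "172.16.5.5"):
        print(dst, "->", next_hop(PC1_IP, PC1_MASK, PC1_ROUTES, dst))
```

With the table above, 192.168.0.2 is LOCAL and is ARPed for directly, 10.0.0.1 goes to 192.168.0.253 because the /32 beats the /8, and anything else falls through to the default gateway. Remove the default route and a destination with no matching prefix yields the "unreachable" case.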
<u><em><strong><span style="color: blue;">FOOD COOKED, BASICS UNDERSTOOD, TIME FOR THE REAL QUESTION ASKED</span></strong></em></u><br />
</div><div style="text-align: justify;"><em><u></u></em><br />
</div><div style="text-align: justify;"></div><div style="text-align: justify;"><br />
What is Proxy ARP?<br />
</div><div style="text-align: justify;"></div><div style="text-align: justify;"></div><div style="text-align: justify;"><br />
Imagine Scenario 2, where the three PCs sit behind different interfaces of the router. When PC1 pings PC3, which has a different network ID, the ping works because PC1 and PC3 both have a default route pointing at the router.<br />
</div><div style="text-align: justify;">But when we try to ping PC2 from PC1, it fails. Why?<br />
</div><div style="text-align: justify;">Did you guess why?<br />
</div><div style="text-align: justify;"><br />
Correct <br />
</div><div style="text-align: justify;"><br />
When PC1 tries to ping PC2, it sees a destination on its own subnet (LOCAL) and tries to resolve PC2's MAC with an ARP broadcast.<br />
</div><div style="text-align: justify;">Routers do not forward broadcasts, so the ARP request never reaches PC2, which sits on a different physical segment, and PC1 never gets a reply.<br />
</div><div style="text-align: justify;">To make this work, a device on PC1's segment (normally the router itself) answers the ARP request on PC2's behalf: when it sees a request for an address it can reach through another interface, it replies with its own MAC. The ARP reply is proxied, hence the name.<br />
</div><div style="text-align: justify;">PC1 asked for PC2's MAC; PC2 cannot answer, so the router with proxy ARP enabled replies with its own MAC, claiming it is PC2's.<br />
</div><div style="text-align: justify;">Dumb PC1 then sends its packets to the discovered MAC, i.e. the router, which forwards them on to PC2's segment. That is how proxy ARP works.<br />
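The exchange just described, as an added example that is not part of the original post: a small simulation of PC1's ARP request on its segment, with a router that answers on PC2's behalf when proxy ARP is enabled on the receiving interface and stays silent when it is not. The addressing is an assumption: PC1 keeps the post's 192.168.0.1, but PC2 is placed at 192.168.0.130 and the router's interfaces at 192.168.0.126 and 192.168.0.254 so that the router can split the hosts' /24 into two /25 segments; the class and function names are made up for the example.

```python
# Added example (not from the original post): proxy ARP on a router between
# two segments. Hosts, addresses and the router's routing table are constructed.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Host:
    """An ordinary end station: it answers ARP only for its own address."""
    name: str
    ip: str
    mac: str
    arp_table: dict = field(default_factory=dict)   # ip -> mac

    def on_arp_request(self, segment, sender_ip, sender_mac, target_ip):
        if target_ip != self.ip:
            return None
        self.arp_table[sender_ip] = sender_mac      # learn the requester
        return self.mac


@dataclass
class Router:
    """A router with one interface per segment and per-interface proxy ARP."""
    name: str
    ifaces: dict       # segment name -> (ip, mac) of the interface on it
    routes: list       # (prefix, egress segment name)
    proxy_arp: set = field(default_factory=set)    # segments with proxy ARP on

    def egress_for(self, target_ip):
        """Longest-prefix match; returns the egress segment or None."""
        dst = ipaddress.IPv4Address(target_ip)
        best = None
        for prefix, seg in self.routes:
            net = ipaddress.IPv4Network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, seg)
        return best[1] if best is not None else None

    def on_arp_request(self, segment, sender_ip, sender_mac, target_ip):
        ip, mac = self.ifaces[segment]
        if target_ip == ip:                          # the request is really for us
            return mac
        # Proxy ARP: answer with our own MAC when the target is reachable
        # through a *different* interface and the feature is on for this one.
        egress = self.egress_for(target_ip)
        if segment in self.proxy_arp and egress is not None and egress != segment:
            return mac
        return None


class Segment:
    """One broadcast domain (a switch). Routers do not forward broadcasts,
    so a request only reaches the nodes attached to this segment."""

    def __init__(self, name):
        self.name = name
        self.nodes = []


def arp_resolve(host, segment, target_ip):
    """Steps 1-5 of the LOCAL process: cache hit, else broadcast 'who has'."""
    if target_ip in host.arp_table:
        return host.arp_table[target_ip]
    for node in segment.nodes:
        if node is host:
            continue
        reply = node.on_arp_request(segment.name, host.ip, host.mac, target_ip)
        if reply is not None:                        # unicast reply received
            host.arp_table[target_ip] = reply
            return reply
    return None                                      # request times out


def build_topology(proxy_on=True):
    """Scenario 2 with constructed addressing: the hosts think they share
    192.168.0.0/24, but the router splits it into two /25 segments."""
    seg_a, seg_b = Segment("A"), Segment("B")
    pc1 = Host("PC1", "192.168.0.1", "Mac1")
    pc2 = Host("PC2", "192.168.0.130", "Mac2")       # assumed; the post uses .2
    router = Router(
        "R1",
        {"A": ("192.168.0.126", "MacR-A"), "B": ("192.168.0.254", "MacR-B")},
        [("192.168.0.0/25", "A"), ("192.168.0.128/25", "B")],
        {"A", "B"} if proxy_on else set(),
    )
    seg_a.nodes += [pc1, router]
    seg_b.nodes += [pc2, router]
    return pc1, pc2, router, seg_a


if __name__ == "__main__":
    for on in (True, False):
        pc1, pc2, router, seg_a = build_topology(on)
        print("proxy ARP", "on " if on else "off", "-> PC1 resolves 192.168.0.130 to",
              arp_resolve(pc1, seg_a, "192.168.0.130"))
```

The router answers only when its routing table reaches the target through an interface other than the one the request arrived on; for a target on the same segment it keeps quiet and lets the real owner reply. Note that what PC1 receives is just "192.168.0.130 is at MacR-A", with nothing marking it as a router's address, which is exactly why an attacker's spoofed ARP reply looks the same to the victim.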
</div><div style="text-align: justify;"></div><div style="text-align: justify;"><br />
<span style="font-size: medium;">Where is proxy ARP used?</span><br />
</div><div style="text-align: justify;">Historically it was used by routers and bridges that joined different physical subnets into one larger network, so that hosts did not have to be reconfigured.<br />
</div><div style="text-align: justify;">It is used by some firewalls in web-publishing scenarios, where the firewall answers ARP for a published address and so receives the traffic destined for it.<br />
</div><div style="text-align: justify;">Attackers use the same trick: a host that answers ARP requests (or sends unsolicited replies) with its own MAC for an address it does not own is doing ARP spoofing, and from the victim's side that is indistinguishable from a legitimate proxy ARP reply. This is the basis of many LAN man-in-the-middle attacks.<br />
And many more.<br />
<br />
<br />
Keywords: dummy, dummy2dummies, Arp-proxy, Proxy-ARP<br />
</div><div style="text-align: justify;"></div><div style="text-align: justify;"></div><div style="text-align: justify;"></div><div style="text-align: justify;"></div><div style="text-align: justify;"></div><div style="text-align: justify;"></div><div style="text-align: justify;"></div>Audi-1 aka (Dhakkan)http://www.blogger.com/profile/00500429737089621486noreply@blogger.com2