CriticalSecurity - Recent Topics

Here I Am Again...Sql Injection Help

Wed, 01 Sep 2010 02:59:22 +0000

Sorry for so many posts lately requiring help. You guys just always seem to respond pretty quickly and help me out. I am having some trouble with some SQL injection and was wondering if anyone had any advice.

At this point, since I have gained access to the system by other means, I can see what queries are being passed to the server, which helps a lot. However, I can't see the PHP page source.

One injection point is where the server takes the HTTP referer and adds it to a table without any sort of character escaping. Here are the two queries:

SELECT name FROM usrlog WHERE ref = '{Injection point}' AND id=2
INSERT INTO usrlog (ref, id) VALUES ('{Injection point}',2)

As you can see, no output from this is displayed on the page, but I know injection is working from looking at the contents of the usrlog table after attempting to inject. Also, when I inject an apostrophe, I get an error on the page stating " mysql_num_rows(): Supplied argument is not a valid MySQL result resource". One thing I've noticed is that -- doesn't seem to comment out the rest of the query, like I've always been taught it would.
For example, if I inject this:
' AND 1=1--
it will give that mysql_num_rows error. But if I inject this:
' AND '1'='1--
I don't get the error because it sees it as
SELECT name FROM usrlog WHERE ref = '' AND '1'='1--' AND id=2

It seems to ignore that the -- is even there. Am I missing something? I know this is an injection point, but I can't figure out how to inject anything or really prove it's an injection point.

The other injection point query takes a number and subtracts it from a column. It looks like this:

UPDATE data SET balance=balance-{injection point} WHERE user='bob'

This query does escape characters using addslashes or magic quotes, but I can still update any column in the data table by injecting something like:
0,balance=1000000
So that the query looks like this:
UPDATE data SET balance=balance-0,balance=1000000 WHERE user='bob'

That works just fine, but is there anything else I can do with that injection point besides update columns in that table?

I'm just looking for ways to expand what I've found so far. The first one really has be stumped and the second one I just don't know if there's more I can do with it or not.

Thanks for any insight you can give.

Your Ultimate Nerdgasm?

Tue, 31 Aug 2010 19:45:29 +0000

One thing ive noticed is within my work place and the internet, peoples piece of hardware or sight of a technical nature that evokes a nerdgasm are alwasy different.
Whats yours?

Mine would be the datacenter at work.

Close to 300 dell PowerEdge R815's, approx a hundred Apple Xserve's, blue coat proxy servers, and so on. The whole shabang.

When i stepped in there, and saw the black racks lined up like aisles in a supermarket in a pristine white room, with groups of cables the size of treetrunks reaching up from the top of the cabinets into the ceiling....

Phwoarrr.
Nerdgasm was had.

So, whats yours?

edit: Also lots of hard drives. All stacked up,

C++ Division

Tue, 31 Aug 2010 19:37:53 +0000

Ok so I'm trying to divide two numbers and im trying to get back a decimal. For instance if I divide 2 by 3 I want it to give me back like .66 but I cant seem to do that, right now I get a floating point exception and If I use % it gives me like 1

#include

using namespace std;

int main(void)
{
short resistor1, resistor2,series;
double parallel;

// Displays the instroduction and instruction to the user;
cout << "\nWelcome to the Resistor Calculation Program!"
<< "\n\nEnter your two resistances:";

// asks the user to enter two resistors
cin >> resistor1 >> resistor2;

cout << "You have entered: " << resistor1
<< " ohms and " << resistor2
<< " ohms! Calculating...\n\n" ;

// Calculations
series = resistor1 + resistor2;
parallel = 1/(1/resistor1) + (1/resistor2);

cout << "If your resistors are placed in series, they'll total to " << series;

cout << "\n\nIf they are placed parallel then the resistance would be " << parallel;
return 0;
}

Information Security Conference

Tue, 31 Aug 2010 06:17:08 +0000

Hacker Halted Conference-2010

Hacker Halted USA is a complete and comprehensive information security conference, with information security experts from all around the world presenting intriguing topics and discussing global security threats, as well as world class trainers leading top notch security training classes @ Hacker Halted | Academy. This is going to be a significant event for the information security community as it will cover a wide variety of agenda that is international in nature, and addresses current critical issues.Hacker Halted aspires to be a complete and comprehensive conference cum workshop that will educate and equip its participants with the in-depth knowledge of understanding the vulnerabilities and the countermeasures to overcome the security infringements present today.

The Hacker Halted series is aimed at providing the opportunity to CEOs, COOs, CIOs, CFOs, Senior IT Professionals and all other decision makers to assess the best practices in acquiring, implementing, managing and measuring information security.The event covers in-depth topics into various security issues plaguing the world. In addition to highlighting current digital security threat, renowned speakers and industry experts will also discuss the various means of protection and countermeasures in dealing with the digital threats.

EC-Council
LIVE CLASSES
So you are ready to be certified. Congratulations.
To be the best, you need to be trained by the best. EC-Council is proud to bring you Master Trainers who will listen, guide, coach and impart their knowledge to you from Oct 9 - 12, 2010 in Miami.

The three EC-Council Live Classes available for your choice are:

1. Certified Ethical Hacker (CEH)
http://www.hackerhalted.com/2010/Academy/LiveClass/CEH/tabid/253/Default.aspx

2. Computer Hacking Forensic Investigator (CHFI)
http://www.hackerhalted.com/2010/Academy/LiveClass/CHFI/tabid/254/Default.aspx

3. EC-Council Certified Security Analyst (ECSA)
http://www.hackerhalted.com/2010/Academy/LiveClass/ECSA/tabid/255/Default.aspx

CEH needs no introduction. To say it is the hottest commodity in the Information Security circle would be an understatement. As a security professional, CEH is a must in your arsenal, allowing you to entrench your application knowledge and building upon it to safeguard your network infrastructure.

Mention computer forensics, and most people would focus on the 'forensics' part. A post-mortem. A reaction. Lest we forget, knowing how something happens is important to ensure it or something similar does not happen again in the future: We learn from our mistake. The CHFI class promises to empower you with the skills and tools you need to run that trace and build a solid case for prosecution. But most important of all, CHFI gives you the ability to improve your system and stop the next intrusion/abuse from the onset.

ECSA works hand in hand with CEH by going into the analytical phase of ethical hacking. ECSA is a logical progression from CEH by giving you the skills to analyze the outcome from these tools and technologies. ECSA will assist you in conducting intensive assessments required to create a robust risk management system through groundbreaking penetration testing methods and techniques.

For more information visit this site: http://www.hackerhalted.com

Windows Server 2008

Tue, 31 Aug 2010 02:36:07 +0000

hey, I'm thinking of going from win 7 pro on my old desktop to Server 2008. Just to make sure though, all programs I use should be compatable correct?
I'm going to set up a VPN in my house so thats why I'm doing the switch.

And I think its win server 2008 enterprise.

What are the main bells and whistles to that? and what do you guys think, is it better then windows 7?

Yahoo Messenger Api

Mon, 30 Aug 2010 12:48:46 +0000

Hi, does anyone know how websites like ydetector, ... check users' online/offline/invisible status?
I'm interested in making a program that would check a list of users on a regular basis.

Thanks

Php Process

Mon, 30 Aug 2010 00:12:39 +0000

Ive been trying to find out what process actually contains the code when you run a php file by requesting it from apache. In freebsd the process is just called by the name of the php file but linux of course cant be that simple and so i have no idea what the process is. Im trying to debug it just for fun to see how the php gets translated but obviously i cant do that when i dont know what im attaching to... If anyone knows i would be grateful cuz its pissin me off

Aquiring Router Admin Password That Has A Custom Interface

Sun, 29 Aug 2010 11:36:20 +0000

While I do see a number of router administrator password cracking threads already, I believe this one is different due to the fact that my router, a 2WIRE 270GH seems to not use a login name when prompting a password.

Below is a picture of the GUI upon entering the default gateway (That is not my exact router, as mine is from 2WIRE, and is a 270GH. Same GUI though:
http://img441.imageshack.us/img441/4401/mmmmem.jpg

As I said before, upon entering the default gateway I am presented with the above GUI, it is not until that I go to change the settings when it prompts for a password. It has been changed from the default password:

For those that love a story, basically my roommate pays for the internet, but, does not pay for anything else when the bills come, much to my dismay and our agreement. Quite obviously we split most of the bills, but, it has been lately that when I ask him for his half, he explodes in a fit of rage and consequently blocks my internet service if I continue to pressure. As it is under his name, and not mine, I agreed to pick up one bill by myself out of our stack, while he continued to pay the internet service. Due to this, the router sets in his room locked or under his presence at all times.

Physical solutions will unfortunately not suffice, as any sign of entering his room, or tampering physically with the device will only escalate the situation. He also has no reason to log on to the admin account at anything resembling a regular rate. I guess I could monitor the network anyway, but this unfortunately requires me to wait until a supposed next altercation, and thus if I am not prepared, or if for someone the software does not catch the data, I will be out of a connection for an unforeseeable time simply due to his childishness.

A preemptive solution I.E cracking the password thus allowing me to (hopefully discretely) re-enable my access on the network.

I Think My Graphics Card Is Dying...

Sat, 28 Aug 2010 20:20:36 +0000

Yesterday I started getting little artifacts when ever I did something GPU intensive and now its progressed to just looking at pictures I get little red pixels popping up randomly.

I'm pretty sure that this means my graphics card is dying but I'm not sure, so before I go out and buy a new one I just wanted to make sure here first. And If it is dying, how long do they usually last before it goes all the way?

The next graphics card I was planning on getting was a GTX 465. But I really don't know anything about graphics card. Would this be able to play the newest games at the highest settings and also wont need to be upgraded for a while?

Running Mysql System Commands From A Php Page

Fri, 27 Aug 2010 05:08:27 +0000

Hey guys, I was hoping to get some help again for this web app I'm pentesting. Obviously web programming isn't my strong point.

Anyway, I was wondering if there's a way to run mysql system commands from a php page. I know how to do do it from a sql command line, but can't get it to work when embedding it in a php page. Is this possible?

I've got the sql credentials and all that, and can run other queries from the PHP page just fine(dumping tables, etc), but can't run commands line "\! cat /etc/passwd" or "system cat .mysql_history". SQL is running as root, so there's not a permission issue there, I just can't get it to run from the PHP.

Tips?

Certain Computers Cant Reach Dhcp Server

Thu, 26 Aug 2010 15:47:28 +0000

Backstory:
We (I) am doing various infrastructure changes here at work, and one of them, is putting more functionality into our expensive (and severely underused) Cisco switch. At the same time, we have an old desktop server that we want to retire, so we're moving it's functions off. One of these, is DHCP server. Its a Windows Server 2003 box that has been running the DHCP forever, although Im not familiar with it's setup.

Our querky setup:
In order to help troubleshoot this, you'll have to know how things are setup here. Going over only the relevant topology, we have our Cisco switch doing the switching for our network, and it plugs into both our servers and patch panel for the workstations. Since we have more workstations than we do wall jacks, we have dummy D-Link DGS-1005D switches for most of us, which then splits the connections on average, 3 PCs per D-Link, per jack. There is one exception, where a user is plugging in directly to the wall. All workstations here are running Windows 7 with IPv6 disabled. Again, an exception, one user is on Windows XP Service Pack 3.

What I did:
Last Friday, I created a DHCP pool on our switch, and stopped the DHCP service on the old server. I tested the new DHCP doing a release/renew on my workstation and got an IP just fine. My boss (and main infrastructure guy) tested it as well and it worked. We even tested VPN by having his daughter remote in and she got an IP. The DHCP config on the switch is as follows:

ip dhcp excluded-address 192.168.3.0 192.168.3.199
ip dhcp excluded-address 192.168.3.221 192.168.3.255
!
ip dhcp pool internal
   network 192.168.3.0 255.255.255.0
   dns-server 192.168.3.10
   default-router 192.168.3.253
   domain-name blablabla

With this, the server is configured to provide addresses between 200 and 220 and the lease time is default, one day.

What happened:
On Wednesday morning, two users were no longer able to access the network. One of them tried troubleshooting himself before I got in. He tried rebooting his workstation, plugging in to a different port on the D-Link switch, and trying a new cable.

What I tried:
Running ipconfig /all on his machine yeilded the following:

Quote

>ipconfig /all

Windows IP Configuration

An error occured while renewing interface Local Area Connection : unable to con
tact your DHCP server. Request has timed out.
An error occured while releasing interface Loopback Pseudo-Interface 1 : The sy
stem cannot find the file specified.

Doing an ipconfig /all then shows the following relevant information:

Quote

DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Autoconfiguration IPv4 Address. . : 169.254.175.189(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0

Of curiosity, I tried pinging loopback:

Quote

>ping 127.0.0.1

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

I also tried pinging the switch:

Quote

>ping 192.168.3.3

Pinging 192.168.3.3 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.

Ping statistics for 192.168.3.3:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

What bypassed the issue:
Assigning a static IP address to the workstations.

What I tried to troubleshoot:
Given that Im about sure its not hardware, and that one coworker tried switching cables, ports on the D-Link, and reboot, I didnt re-try this. I havent tried bypassing the D-Link switch as one user who couldnt talk to the DHCP server wasnt going through a D-Link.

What I noticed today:

[font="Courier New"]Switch#show ip dhcp server statistics
Memory usage         5818
Address pools        1
Database agents      0
Automatic bindings   1
Manual bindings      0
Expired bindings     24
Malformed messages   0

Message              Received
BOOTREQUEST          0
DHCPDISCOVER         8267
DHCPREQUEST          26162
DHCPDECLINE          0
DHCPRELEASE          10
DHCPINFORM           916

Message              Sent
BOOTREPLY            0
DHCPOFFER            60
DHCPACK              996
DHCPNAK              9[/font]

What I've yet to try:
I noticed the switch's date wasnt configured. Its datetime was set to June 1993. I corrected this (NTP is the next step once/if I get approval) but I havent gotten one of the affected users to retry DHCP. Will do this later today.

So, any ideas why some workstations can communicate with the DHCP server and others cannot?

The Lowdown

Thu, 26 Aug 2010 04:55:51 +0000

Well, it's nice to say that after a year or so learning from this site I have finally established an account here. While most of my time was spent with SXing I had a habit of tampering with the technology side of hacking. I must say that I really have learned much from all of you, but one thing continues to elude me no matter where I look. If anyone would be so kind as to draw a picture in my mind concerning the workings of packets, sniffing, and handshaking for me, I would be much obliged. I am fine with technical terms, just don't lose me
Thanks guys,
Whitwix

Average Temp Of Your Laptop ( Or Dv7)

Mon, 23 Aug 2010 15:18:59 +0000

I use speed fan to monitor the temp of my dv7-3160US ( 500GB sata, 512mb ATI video dedicated, 4GB ram, dual 2.5ghz, win 7 pro) Right now I'm at a college, Air conditioned and sitting around 115-117F with firefox and word open. When playing video games I usually hit around 199-205F. Do I have a "heat" problem or is that normal for laptops of this size and this amount of power? This laptop is about 3 months old. And all vents are clean.

Ever Want To Finger A User?

Mon, 23 Aug 2010 01:26:57 +0000

Finger any user at CS.net

fire up a terminal and finger me first: finger thetan@subnet.fm

after you fingered me senseless finger pilot a little bit: finger pilot@subnet.fm

then once you get through the two of us, feel free to finger whoever else you want on CS.net whenever you want.

I'll be adding IRC statistics next and perhaps even adding online-now status as well.

edit: roflmao, killed it on accident, try again in 5 minutes
EDIT: ok back in srs bussiness

Roll Your Own Os

Sun, 22 Aug 2010 14:25:49 +0000

OMG I JUST CAME HARD!! My OS lectures haven't covered this kind of raw nitty gritty stuff at all, so I'm finding it useful to go through all this stuff