Posts

Showing posts from January, 2012

Bit shifting blind injection : Simplified!

Image
I've recently been investigating Blind SQL injection, and have become quite fond of the practice. I stumbled upon a new technique documented by http://h.ackack.net (see here http://h.ackack.net/faster-blind-mysql-injection-using-bit-shifting.html) that used Bit shifting to guess the bits that make up the chars of the information you are trying to extract from the database.

I then came up with a modification to the method to try and make it simpler and hopefully allow the development of an even faster method (which im still working on) . My method uses the XOR bitwise operation to simplify the output and operation of the attack.

Thought relatively simple methods, they still require a comfortable understanding of the binary number system and can be frustrating to use. The method I'm about to show you can be performed with minimal understanding of the binary number system. This is because you don't need to convert in and out of binary while performing the attack.

Creativity : The only real Hacking tool

this a post from my old blog, i wanted to add it to this one because I really enjoyed writting it :)


People use hacking tools because they believe it helps them hack, but in actual fact a lot of the times all they are doing
Is helping you, convince yourself that YOU are performing a hack.

How to shoot in the dark: Improved Blind SQLi

Image
I really like this method, i feel that it should replace the method you are currently used for blind injection if you aren't using this one!


Blind SQL injection is all about knowing how to ask the right questions. The problem is you have to ask alot of questions before finding out something useful! And we also know most of the time we are trying to find out things like passwords/password hashes, usernames or emails and these things are just simply saved as a bunch of characters in a table somewhere.

The conventional Blind injection will have you probing every character of a given, guessing every possible character in the ascii table until you manage to get the right one. Worst case this will take 127 requests per character!

But there is a a faster way, which uses the way characters are represented to guess them faster.

Injecting Insert statements: MySQL error based injection

Image
One night while banging injection payloads into a random page I suddenly found myself in an insert statement! This is when I got the idea to use insert statements for MySQL error based injection vectors.
Some people might be wondering why on earth would one would want to inject an insert? Would that even work?
The answer is YES! you can use INSERT statements to leak data via Error based injection much like people already do using SELECT statements

Ordering Remote File inclusion via e-mail

I just briefly discussed Local File Inclusion in this article and more importantly to that you can use to turn an LFI into an Remote File Inclusion (or Remote Code injection)

This method, abuses the way e-mail is stored on Linux servers, (when a certain kind of Mail Delivery Agent is in use) and helps to propagate a RFI attack on a server with a LFI vulnerability, or create an RFI attack vector when one doesn't exist

The Google cache : Time travel for hackers

Image
There is something that most hackers nowadays don't pay much attention to, and thats Exploiting the host after you Exploit the host, for me this is why I'd be interested in breaking into a computer, because of the information that will be available on the host!

What I'm going to talk about is one way you can use Google's cache to extend the life of a hack,
but this is often only possible if you have already:

Stolen Cookies/logins off a host using XSS or Cross Site Request Forgery or (CSRF)Edited the page to perform HTTP parameter pollution/HTTP Response splitting via victim

The Science of Google Dorking

In this post I'm in proposing some new and improved Google dorks for hackers/pentesters and generally any one that likes finding web based targets based on the vulnerabilities they expose, the dorks I will discuss here include servers exhibiting:

Local file inclusion / Remote File inclusion vulnerabilitiesSQL injectionError based injection

Injecting javascript via MySQL error based injection

Image
I've written about this in a couple of other articles, but I needed it to be on my new blog because it makes a good attack especially when dealing with MySQL databases, because:

MySQL on *nix servers can be configured pretty well, making access to the database very difficult and therefore pwnage can be very difficult!!You have the ability to extend MySQL Error based injection into other attacks that may not be viable on the web application like:non-persistent XSSDefacement of the siteHTTP parameter pollutionDDos (more on this in another post!!) ---using this web application to make requests to other servers at the expense of the person visiting the page

LFI attacks for Predators

Image
What is an LFI vulnerability??
what? you don't know!!? lulz, an LFI or (Local file inclusion)  vulnerability ---much like other web attacks, exists when unclean user input is used to determine input to any of the  follow php functions  include : "Files are included based on the file path given or, if none is given, the include_path specified. If the file isn't found in the include_path, include() will finally check in the calling script's own directory and the current working directory before failing. The include() construct will emit a warning if it cannot find a file; this is different behavior from require(), which will emit a fatal_error."an interesting thing to note is that include will actually search for files with the specified name if an absolute path is not given the script will search for it in the include_path, this means if you can influence the environment variables that a script runs under, you may be able to fool it into including the wrong files!

I'm back!!

What happened k3170? After protesting against SOPA my gmail accounts have been suspended (Still don't know why, I suspect the javascript redirect I had running on my last post), I'd tried recovering my account but this just proved a frustration so i decided it was time for a fresh start.

 I've decided to focus as much of my blog on Hacking and Information Security news,tutorials,discussions  and ideas (I hope one day when I'm old I'll still be writing these tutorials!!). I want share with you as much of my hacking skill as possible, and share the things I pick up as I go along.

So sit back and enjoy!!
Get me on twitter!! @k3170makan