IT Security Lab The Playground for IT Security Specialists and Pentesters

12 Apr 2011

Training – Hacking and Securing Oracle Database (11g)

My company (7Safe) will be delivering this training at the upcoming Black Hat 2011 conference in Las Vegas. It is about hacking and securing Oracle Database 11g, so I highly recommend being there! I took the liberty of preparing a small promotional video about it. Take a look and well... SEE YOU IN VEGAS! :-)

When:

  • Weekend Training Session: July 30-31
  • Weekday Training Session: August 1-2

 

Registration:
http://blackhat.com/...

More details:
7Safe, together with Red-Database-Security, will be delivering this two-day hands-on course at Black Hat 2011. The course teaches the security problems of the Oracle database: flaws arising from insecure design, insecure features and packages, insecure PL/SQL code, poor patch management, weak passwords and so on. The second day focuses on securing and hardening databases using built-in Oracle features together with a number of externally available scripts and tools; implementing an auditing solution is also part of the training. Attendees will have access to an infrastructure with a number of Oracle components deployed and will be encouraged to identify, exploit and patch security vulnerabilities as they learn about them. The training gives software developers an understanding of how to write secure PL/SQL code, DBAs an understanding of how to audit the database thoroughly, and penetration testers an understanding of how to break the "unbreakable" Oracle.

14 Dec 2010

Smuggling .NET code inside batch files. Impossible? Who said that?

This will be a rather quick one. :-) Just check this out:

Create a batch (.bat) file with the following content and execute it:

/*
@echo off && cls
rem cmd.exe cannot run the "/*" line above, so it prints an error; cls wipes it from the screen.
rem For the C# compiler everything between the opening and closing comment markers is a
rem comment, so this one file is both a valid batch script and valid C# source.
set WinDirNet=%WinDir%\Microsoft.NET\Framework
rem Pick the newest csc.exe shipped with the installed .NET Framework versions.
IF EXIST "%WinDirNet%\v2.0.50727\csc.exe" set csc="%WinDirNet%\v2.0.50727\csc.exe"
IF EXIST "%WinDirNet%\v3.5\csc.exe" set csc="%WinDirNet%\v3.5\csc.exe"
IF EXIST "%WinDirNet%\v4.0.30319\csc.exe" set csc="%WinDirNet%\v4.0.30319\csc.exe"
rem Compile this very batch file (%0) into an .exe next to it, run it, then delete it.
%csc% /nologo /out:"%~0.exe" %0
"%~0.exe"
del "%~0.exe"
exit
*/

// Nothing below is ever reached by cmd.exe (the script exits above); csc compiles it into the .exe.
class HelloWorld
{
    static void Main()
    {
        System.Console.WriteLine("Greetings from IT Security Lab!");
        System.Console.WriteLine("-------------------------------");
        // Environment.Version is the version of the CLR the compiled program is running on.
        System.Console.WriteLine("RTM: " + System.Environment.Version);
        System.Console.WriteLine("User: " + System.Environment.UserName);
        System.Console.WriteLine("Machine name: " + System.Environment.MachineName);
        System.Console.WriteLine("OS version: " + System.Environment.OSVersion);
        System.Console.WriteLine("Stack trace: " + System.Environment.StackTrace);
        System.Console.ReadLine(); // keep the console window open until Enter is pressed
    }
}

I was absolutely amazed. The security implications are... well... pretty complex. You are clever boys and girls, so you already know what can be done with it, right...

Found here: http://forum.antichat.ru/
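As an added example (not code from the post or from the forum it links to), here is a detector for this construction, the kind of thing a blue team would run over a file share or a mail quarantine: a .bat is plain text, so a filter that only blocks .exe attachments lets it through, and the only binary is produced on the victim's machine by Microsoft's own signed compiler. The script looks for the three ingredients of the trick shown above; the sample inputs are a condensed copy of the post's batch file and a constructed benign maintenance script.

```python
"""Spot batch files that are also C# source (the csc.exe polyglot shown above).

Added example, not code from the original post. The three ingredients it
looks for are exactly those of the trick: a line holding only "/*" so that the
batch logic is a C# comment, a .NET compiler invoked on the script itself
(%0, %~0 or %~f0), and C# code after the line holding only "*/".
"""
import re
from pathlib import Path

RE_OPEN = re.compile(r"^\s*/\*\s*$")          # a line that is only the C# comment opener
RE_CLOSE = re.compile(r"^\s*\*/\s*$")         # a line that is only the C# comment closer
RE_COMPILER = re.compile(r"\b(csc|vbc|jsc)\.exe\b", re.IGNORECASE)  # .NET command-line compilers
RE_SELF = re.compile(r"%~?f?0\b")             # script referring to its own path (%~dp0 is not matched)
RE_CSHARP = re.compile(r"\b(class|namespace|static\s+void\s+Main)\b")


def analyse_batch(text):
    """Return the evidence found in one batch file's text plus a polyglot verdict."""
    lines = text.splitlines()
    open_idx = next((i for i, line in enumerate(lines) if RE_OPEN.match(line)), None)
    close_idx = next((i for i, line in enumerate(lines) if RE_CLOSE.match(line)), None)
    wrapped = open_idx is not None and close_idx is not None and close_idx > open_idx
    # Only the lines inside the wrapper are ever executed by cmd.exe (the script exits before "*/").
    batch_part = lines[open_idx + 1:close_idx] if wrapped else lines
    tail = lines[close_idx + 1:] if wrapped else []
    compiler = [line for line in batch_part if RE_COMPILER.search(line)]
    self_ref = [line for line in batch_part if RE_SELF.search(line)]
    csharp = [line for line in tail if RE_CSHARP.search(line)]
    return {
        "comment_wrapper": wrapped,
        "compiler_lines": compiler,
        "self_reference_lines": self_ref,
        "csharp_after_wrapper": bool(csharp),
        "polyglot": wrapped and bool(compiler) and bool(self_ref),
    }


def scan_directory(root):
    """Return the .bat/.cmd files under root that look like compile-and-run polyglots."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in (".bat", ".cmd"):
            if analyse_batch(path.read_text(errors="replace"))["polyglot"]:
                hits.append(path)
    return hits


# Sample input 1: the batch file from the post above, condensed to its essential lines.
SAMPLE_BAT = r"""/*
@echo off && cls
set WinDirNet=%WinDir%\Microsoft.NET\Framework
IF EXIST "%WinDirNet%\v4.0.30319\csc.exe" set csc="%WinDirNet%\v4.0.30319\csc.exe"
%csc% /nologo /out:"%~0.exe" %0
"%~0.exe"
del "%~0.exe"
exit
*/
class HelloWorld { static void Main() { System.Console.WriteLine("hi"); } }
"""

# Sample input 2: a constructed, ordinary maintenance script that must not be flagged.
BENIGN_BAT = r"""@echo off
cd /d "%~dp0"
echo Backing up logs...
xcopy /y logs\*.log D:\backup
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_BAT), ("benign", BENIGN_BAT)):
        print(name, analyse_batch(text))
```

A complementary detection lives in process telemetry rather than in files: cmd.exe spawning csc.exe (or vbc.exe) with a .bat or .cmd file as the source argument, which needs Sysmon or EDR process-creation logging to see.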

20 Oct 2010

Cross-site scripting explained (video)

Maybe you noticed that recently I have not been writing much here. But I have an excuse (of course I do!): in the meantime I was quite busy doing different things (e.g. relocating) and also preparing "this and that" for the corporate event which took place in London a couple of days ago. So now I may proudly present the video I made for this event, which explains what cross-site scripting is. The film is especially suited to a, well... rather less technical audience. ;-) Actually it is a live scenario of persistent XSS exploitation, so it may be quite interesting for you to watch as well.

I also had the incredible opportunity to spend a couple of days making the intro (the last time I played with 3D modelling and video editing was... oh my god, probably a couple of years ago). So it was definitely good to recall some old (but not forgotten) skills. Anyway, have fun! :-) Let me know what you think about the video and whether you have any ideas for the next ones.

More info about the event on the 7Safe's web page: http://penetration-testing.7safe.com/...

By the way, I also recommend looking through the video prepared for the same event by a colleague of mine who runs http://commonexploits.com (you've been there already, right?). It is a hacking presentation demonstrating client-side exploits and pivot attacks using Metasploit. Really cool stuff.

27 Sep 2010

Innocent comment regarding sensitive information disclosure…

I don't really know how to comment on this... This is what I recently found in my web server logs, in the "Referrers" table:

http://10.10.1.1/login?user=0045f2&password=806361&popup=false
&dst=http://hcrservermirror.ecnex.com/hccrs/fitio/clogin.php?nasIp=10.10.1.1
&nasId=fitio&loginIp=10.10.1.1:80&vlan=bridge1&macAddress=00:21:6B:15:E3:70
&ipAddress=10.10.1.95&loginPort=&urlPostLogin=http://itsecuritylab.eu/index.php/2010/09/26/pentesting-privilege-escalation-in-web-applications/

So what can I find here? Oh God... (The hotspot's login page passes the username and password in the query string of a GET request; after login it redirects the browser to the page the user originally wanted, urlPostLogin, and the browser reports that whole login URL, credentials included, in the Referer header it sends to my server.)

  • URL of the network provider's login page: http://hcrservermirror.ecnex.com/hccrs/fitio/clogin.php
  • Someone's internal IPs: 10.10.1.1, 10.10.1.95
  • Login IP and port: 10.10.1.1:80
  • MAC address: 00:21:6B:15:E3:70
  • Someone's credentials: user=0045f2, password=806361
  • NAS ID: fitio
  • VLAN name: bridge1

What else I already know (from geolocating the client address):

  • Connection from: 189.223.43.88.dsl.dyn.telnor.net
  • Country: Mexico
  • City: Tijuana

I will definitely try to mess with this VLAN the next time I am in Tijuana! One thing is clear: if next time I get something like this, I should not be surprised at all... ;-)

...http://besure.bank.com/login?user=crazyUser&password=Tijuana12345&popup=false&account=1652635-1232-12312&lastTransaction=moneyTransf&targetAccount=123123-0000-0734&success=true&vlan=bridge1...

I think you are big boys and girls already, so think twice about what sensitive information about you may leak out, and in what weird and unusual ways. Draw your own conclusions and well... beware! ;-)
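Leaks like this one are easy to catch systematically if you look for them. The following is an added example, not code from the post: it parses combined-format web server log lines, takes the Referer field apart and flags parameter names that look like credentials, values that are MAC addresses or private IP addresses, and the same things inside URL-valued parameters such as the dst= and urlPostLogin= seen above. The log lines are constructed; the first one wraps the referrer quoted in the post, the second is an ordinary search-engine referrer that must produce no findings. (On the application side the only real fix is never to accept credentials in a GET query string, because anything in the URL ends up in browser history, proxy logs and third-party Referer headers.)

```python
"""Audit web-server Referer values for sensitive data leaked in query strings.

Added example, not code from the original post. The log lines in SAMPLE_LOG
are constructed for this demonstration.
"""
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Combined log format: client ident user [time] "request" status size "referer" "agent"
RE_LOG = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Parameter names worth a second look; anchored so "urlPostLogin" is not reported as a login.
RE_SENSITIVE_KEY = re.compile(r"^(pass|pwd|secret|token|sess|user|login|account|mac|auth)", re.IGNORECASE)
RE_MAC = re.compile(r"^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.IGNORECASE)


def private_ip(value):
    """True if value is a private/loopback/link-local address, with or without a trailing :port."""
    for candidate in (value, value.rsplit(":", 1)[0]):
        try:
            return ipaddress.ip_address(candidate).is_private
        except ValueError:
            continue
    return False


def audit_url(url):
    """Return (kind, parameter, value) findings for one URL, recursing into URL-valued parameters."""
    findings = []
    parts = urlsplit(url)
    if private_ip(parts.hostname or ""):
        findings.append(("private-ip", "host", parts.hostname))
    for key, value in parse_qsl(parts.query):
        if RE_SENSITIVE_KEY.match(key):
            findings.append(("sensitive-parameter", key, value))
        if RE_MAC.match(value):
            findings.append(("mac-address", key, value))
        if private_ip(value):
            findings.append(("private-ip", key, value))
        if value.lower().startswith(("http://", "https://")):
            findings.extend(audit_url(value))  # nested URL carries its own query string
    return findings


def scan_log(lines):
    """Return one record per log line whose Referer carries something sensitive."""
    hits = []
    for line in lines:
        match = RE_LOG.match(line)
        if not match or match.group("referer") in ("", "-"):
            continue
        findings = audit_url(match.group("referer"))
        if findings:
            hits.append({"client": match.group("client"),
                         "referer": match.group("referer"),
                         "findings": findings})
    return hits


# Constructed log lines; the first Referer is the one quoted in the post.
SAMPLE_LOG = [
    '189.223.43.88 - - [27/Sep/2010:08:14:02 +0000] "GET /index.php/2010/09/26/pentesting-privilege-escalation-in-web-applications/ HTTP/1.1" 200 18342 "http://10.10.1.1/login?user=0045f2&password=806361&popup=false&dst=http://hcrservermirror.ecnex.com/hccrs/fitio/clogin.php?nasIp=10.10.1.1&nasId=fitio&loginIp=10.10.1.1:80&vlan=bridge1&macAddress=00:21:6B:15:E3:70&ipAddress=10.10.1.95&loginPort=&urlPostLogin=http://itsecuritylab.eu/index.php/2010/09/26/pentesting-privilege-escalation-in-web-applications/" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Sep/2010:08:20:45 +0000] "GET /index.php HTTP/1.1" 200 7120 "http://www.google.com/search?q=it+security+lab" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["referer"][:60] + "...")
        for kind, key, value in hit["findings"]:
            print("   %-20s %-12s %s" % (kind, key, value))
```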

26 Sep 2010

Pentesting privilege escalation in web applications

A quick tip from my pentesting practice on how to make your life easier when testing for privilege escalation in web applications.

Background of the problem

Let's imagine we have a web application to test and (at least) two sets of credentials: one for a high-privileged user and one for a low-privileged user. When we log in as the high-privileged user (e.g. admin) we obviously have access to much more (more menu items, more functionality, etc.). What we want to know is whether those items can be accessed directly by the low-privileged user. Clearly, if you just click "here and there" manually (or even copy some URLs) as the low-privileged user, you may very easily miss something important. So the question is: how can we be sure that all combinations are checked?

Proposed solution

The whole idea is quite simple:

  1. Spider the application from the perspective of the high-privileged user. You may use any tool you like (e.g. Burp Suite, DirBuster, Paros); what matters is to end up with the whole list of visited URLs in a simple text file.
  2. Log in as the low-privileged user and capture a sample GET request carrying that user's cookie (Burp, Paros or Fiddler may be used for this).
  3. Use Burp's "Intruder" module to re-issue the captured request (with the low-privileged user's cookie) while automatically replacing the URL with each one from the list.
  4. Carefully examine the results and look for discrepancies: an unexpected "200 OK" where an error or a redirection to the login page should have come back. Compare the response length as well, because some applications answer a denied request with an error page served as 200, which is not a finding, while a 200 of the same size as the admin's response almost certainly is.

Illustration

Assume you have the following application to test: http://vulnerableapp.com. This is a sample list of URLs you may get from your spidering tool when authenticated as the high-privileged user:

...
/admin/edit_my_details.asp
/admin/my_folders.asp
/admin/list_suggestions.asp
/admin/list_asset.asp
/admin/my_assets.asp
/admin/usage_category.asp
/admin/upload_file.asp
/admin/list_category.asp
/admin/bulk_copy.asp
/admin/list_users.asp
/admin/list_subcategory.asp
/admin/list_logged_in_users.asp
/admin/list_company.asp
/admin/manage_project.asp
/admin/manage_intro.asp
/admin/manage_contacts.asp
/admin/manage_event_types.asp
...

So this means you were able to navigate there as the high-privileged user. Let's check how far the low-privileged user may go. :-)

Log in to the system as the low-privileged user and send a sample GET request to Intruder.

In Intruder, mark the request path as the only payload position (the "fuzzing point"), load the saved list of URLs as the payload, and run the attack.

Now all the points the low-privileged user can reach are clearly visible in the results. The next step is to open those URLs in a web browser and check whether this user really should be able to access them: a 200 only counts if the real page came back, not an error page that happens to be served with status 200.

Oh yes, you can also repeat the same trick without any cookie at all, so you can easily check what functionality is accessible to an unauthenticated user.
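The same procedure without Burp, as an added example that is not part of the original post: it replays every spidered path once with the admin's session and once with the low-privileged (or no) session, refuses to follow redirects so that a 302 to the login page is recorded as the answer, and separates real access from error pages served as 200 by inspecting the body and comparing its size with the admin's response. The target http://vulnerableapp.com and the /admin/ paths are the post's illustration; the cookie names and values are assumed. Because the application is not reachable here, fake_app is a constructed stand-in that behaves like a typical ASP back office; for a real test pass fetch=http_fetch (the default) and a list read from the spider's output file.

```python
"""Replay a high-privilege URL list with a low-privilege (or no) session cookie.

Added example, not code from the original post. Target, paths and cookies are
the post's illustration or assumptions; fake_app is a constructed stand-in.
"""
import urllib.error
import urllib.parse
import urllib.request

# Body fragments that turn an HTTP 200 into a "soft" denial (an error page rendered with status 200).
DENIAL_MARKERS = (b"access denied", b"not authorized", b"not authorised",
                  b"please log in", b"insufficient priv")


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 302 to the login page is itself the answer we want to record."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, headers, timeout=10):
    """Real transport: (status, Location header or None, body bytes), redirects not followed."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read()
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here because redirects are refused
        return err.code, err.headers.get("Location"), err.read()


def classify(status, location, body):
    """Turn one low-privilege response into a verdict the tester can sort on."""
    if 300 <= status < 400:
        return "redirect -> %s" % location
    if status in (401, 403):
        return "denied"
    if status == 200:
        return "soft-deny" if any(m in body.lower() for m in DENIAL_MARKERS) else "ACCESSIBLE"
    return "other %d" % status


def compare_access(base, paths, high_headers, low_headers, fetch=http_fetch):
    """Fetch every path with both sessions; flag 200s that look like the admin's own page."""
    report = {}
    for path in paths:
        url = base.rstrip("/") + path
        high_status, _, high_body = fetch(url, high_headers)
        low_status, low_loc, low_body = fetch(url, low_headers)
        report[path] = {
            "high": high_status,
            "low": low_status,
            "verdict": classify(low_status, low_loc, low_body),
            # Heuristic: same status and nearly the same size as the admin's response means the
            # low-privileged user most likely received the real page, not a generic error page.
            "same_page": high_status == low_status == 200 and abs(len(high_body) - len(low_body)) < 32,
        }
    return report


def fake_app(url, headers):
    """Constructed stand-in for the target so the example runs offline (assumed cookie values)."""
    path = urllib.parse.urlsplit(url).path
    admin = headers.get("Cookie") == "ASPSESSIONID=admin"
    if path == "/admin/list_users.asp":          # properly protected: bounce to the login page
        return (200, None, b"<table>" + b"<tr>user</tr>" * 40) if admin else (302, "/login.asp", b"")
    if path == "/admin/upload_file.asp":         # "protected" by an error page served with 200
        return (200, None, b"<form>upload</form>") if admin else (200, None, b"<h1>Access denied</h1>")
    if path == "/admin/edit_my_details.asp":     # no check at all: everyone gets the admin form
        return 200, None, b"<form>details</form>"
    return 404, None, b"not found"


PATHS = ["/admin/edit_my_details.asp", "/admin/list_users.asp", "/admin/upload_file.asp"]
ADMIN = {"Cookie": "ASPSESSIONID=admin"}      # assumed session cookie of the high-privileged user
LOWPRIV = {"Cookie": "ASPSESSIONID=lowpriv"}  # assumed session cookie of the low-privileged user

if __name__ == "__main__":
    rows = compare_access("http://vulnerableapp.com", PATHS, ADMIN, LOWPRIV, fetch=fake_app)
    for path, row in rows.items():
        print("%-30s admin=%d low=%d same_page=%-5s %s"
              % (path, row["high"], row["low"], row["same_page"], row["verdict"]))
```

Passing an empty dict as low_headers gives the unauthenticated run from the last paragraph. Note that this only covers GET; POST-driven functions need the captured request body replayed the same way.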