sqlninja Released!

Feb 04 2013

This is great news. After joining the sqlninja team and putting lots of effort in, the new version of sqlninja has finally been released. The SQL injection and take-over tool now supports data extraction, a fancy new file upload method and various other useful bits and bobs. For instance, sqlninja now lets you store your progress in a session file. Download it here, give it a try and let us know what you think!

SAP Netweaver Remote Code Execution

April 29 2012

A bug in SAP Netweaver's SAPHostControl allows remote code execution. SAP have released a patch which can be obtained from here.

The vulnerability arises from copying user input of variable size into a static buffer. The full advisory with additional information can be found here.

MS11-066: Microsoft .NET Chart Control

August 09 2011

The actual discovery of this vulnerability dates back quite some time, but Microsoft have finally released the security bulletin for it (check out: MS11-066).

The .NET Chart Control plots graphs, by default stores them as image files on the web server and then serves those files on request. A typical request would, for example, be: /ChartImg.axd?i=chart_0_3.png.

Before reading and returning the file, it performs some validation to determine whether the requested file lies within the allowed directory. However, that validation is flawed and effectively allows traversing directories and reading arbitrary files on the system. Furthermore, there's a "hidden" trace parameter (/ChartImg.axd?trace=1) that discloses somewhat interesting debug information.

Find more information here.
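As an added example (not the Chart Control's own code), this is the kind of containment check a file-serving handler like /ChartImg.axd needs: the requested name is canonicalised against a hypothetical storage directory and the result must still lie inside it before any file is read.

```csharp
using System;
using System.IO;

// Added example, not the Chart Control's code: resolve a requested chart
// image name to a file path only if it stays inside the storage directory.
static class ChartImageStore
{
    // Hypothetical directory where rendered chart images are stored.
    static readonly string AllowedDir =
        Path.GetFullPath(@"C:\inetpub\wwwroot\ChartImages");

    // Returns the full path to serve, or null if the request is rejected.
    public static string ResolveChartImage(string requested)
    {
        if (string.IsNullOrEmpty(requested))
            return null;

        // Only a bare file name is expected; path separators, drive letters
        // and the like are rejected before any path arithmetic happens.
        if (requested.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            return null;

        // Canonicalise: this collapses any ".." segments that slipped through.
        string full = Path.GetFullPath(Path.Combine(AllowedDir, requested));

        // Defence in depth: the canonical path must start with the allowed
        // directory followed by a separator, so "ChartImages2" does not match.
        string prefix = AllowedDir.TrimEnd(Path.DirectorySeparatorChar)
                        + Path.DirectorySeparatorChar;
        if (!full.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
            return null;

        // Serve only the file type the control actually produces.
        if (!string.Equals(Path.GetExtension(full), ".png",
                           StringComparison.OrdinalIgnoreCase))
            return null;

        return full;
    }
}
```

A handler that logs the rejected `requested` value alongside the client address gives a cheap detection signal for traversal attempts against this endpoint.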

ICMP Shell in sqlmap

May 06 2011

After a big refurbishment the new version of sqlmap is finally out, supporting multiple techniques to exploit SQL injection in various database management systems. A lot of new features have been added, including spawning shells over ICMP. Certainly worth checking out! Have a look here.

sqlninja coming up...

Aug 18 2010

Good news. There'll actually be some practical use for the reverse ICMP shell that I uploaded just the other day. It's now made its way into sqlninja and will be included in the next release. At the moment it's available in the SVN repository.

Reverse ICMP Shell

Jun 04 2010

Due to a recent requirement, I put this reverse ICMP shell together. It comes with a win32 slave and a *nix C or Perl master. The slave is based on Windows library functions which should be present on any system from Windows 2000 on. The advantage of using those is that, unlike raw sockets, they do not require elevated privileges to send out ICMP requests. The slave is about 22k and can even be uploaded via SQL injection in reasonable time. Have a play.

Mission Accomplished!

Aug 02 2009

... well, kind of. I happily announce the first alpha release of heyoka, to be downloaded from here. The alpha version however is somewhat limited and you might find the odd bug. For now, it has been tested on Windows 2008 only, and NULL or CNAME queries are not supported yet. Those and a lot of other features and improvements will be implemented shortly. Anyway, I'm sure you'll have a lot of fun playing with what is there. So, have a go and leave us some feedback. :)

CONFidence 2009 - Recapitulation

May 22 2009

I must say it has been a great event. The venue, the people and the talks were all brilliant at CONFidence this year. There are a few talks that I want to highlight: Rich Smith presented his work on how to automate attacks against systems running VNC. He showed how he can send key strokes to the remote VNC server and thus upload files or execute commands. The talk was well done and the demo rocked! Secondly, there was Shannon Conheady, who gave a witty and very entertaining talk about social engineering, her experiences and helpful tips and tricks. And then of course, there was Michael Kemp and his feisty talk about rootkits sold as Data Loss Prevention (DLP) tools by well-known anti-virus vendors. In the end, that very controversial talk sparked a big argument between him, his supporters and the AV vendors present. Altogether a conference worth attending. And I, for sure, will do my best to be there again in 2010...

The Heyoka slides will soon be available on either the conference site or our sourceforge pages.

Witam w Krakowie - Welcome to Krakow!

May 05 2009

This is going to be the second gig for Heyoka. After a successful first performance at the SOURCE conference in Boston we'll present our work at CONFidence in Krakow. Since Boston we have improved our DNS tunneling techniques and come up with a few new ideas to make the tunnel even stealthier. If you happen to be at CONFidence then join us on the 15th of May at 4pm. It'll be fun, it'll be worth it...

Cracking Made Simple: p|d 1.2.2 (aka. phrasen|drescher)

March 30 2009

It's been quite a while since the last release. I've extended the API, fixed some bugs in the core and plugin code and added another plugin that allows cracking the symmetric keys of encrypted files. The plugin is based on the PGP Made Simple library (GPGME) and therefore supports all ciphers that are supported by GnuPG. Have a look at the project page...

Heyoka is born!

March 24 2009

Heyoka had its first performance in public. We presented our research and showed a demo of the tool at SOURCE Boston 2009 two weeks ago. Since then, we have got some really nice and helpful feedback which left us inspired and motivated to keep on working on heyoka. If you're interested, the slides are available on the sourceforge page...

SOURCE Boston was a great conference with many high-level talks and a nice atmosphere. There's going to be SOURCE Barcelona this year in September. I recommend that you don't miss it :)

Coming up: SOURCE Boston

February 26 2009

I'll have the pleasure of talking together with Alberto Revelli a.k.a. icesurfer (sqlninja) at SOURCE Boston about a new tool that we have been developing over the past few months. Heyoka is a tuned-up DNS tunneling tool that is built for speed and throughput as well as stealth. We make use of some flexibility in the DNS protocol that is described in the related RFCs and implemented in the most common DNS servers. Additionally, we split the communication channels between slave and master to make the tunnel difficult to detect. Heyoka will not be released to the public very soon. But if you happen to be in Boston in mid-March and are interested, then don't hesitate to attend the talk and come for a beer with us afterwards...

phrasen|drescher In Third Release

June 23 2008

This is the third release of phrasen|drescher (now version 1.1.1) and it comes with a lot more features and improvements. p|d is now multi-processing and supports plugins for different purposes such as cracking RSA and DSA key passphrases, MS SQL password hashes and SSH accounts on remote hosts, as well as cracking web application accounts via HTTP-based logins. p|d offers a simple and easy-to-understand API for further plugin development. read more

Cisco Unified Call Manager SQL Injection

February 21 2008

The Cisco Unified Call Manager (versions prior to 6.1(1a) and 5.1(3a)) is prone to multiple SQL injection vulnerabilities. Exploiting them requires the attacker to have access to an account within the application. He might then be able to retrieve other users' passwords and other sensitive information. read more

phrasen|drescher First Release

January 24 2008

The first release of phrasen|drescher, a tool that cracks RSA and DSA key passphrases as they would be used by SSH, can be found in the projects section. It performs wordlist- and rule-based attacks against one or multiple keys at a time and is known to run under FreeBSD, NetBSD, OpenBSD, Mac OS X and Linux. read more

GreenSQL Advisory

October 12 2007

GreenSQL is an open source database firewall which acts as a proxy server and is used to protect databases from SQL injection attacks. There's a format string vulnerability in the application's logging facility. Exploiting this vulnerability might allow attackers to execute arbitrary code within the context of the GreenSQL proxy server. read more

Papoo CMS Advisory - Second Try

June 24 2007

The Papoo Content Management System, once again, has security flaws. These are an SQL injection (read more) and a rather interesting access restriction bypass (read more) that may allow attackers to retrieve all usernames and password hashes.

Having Fun With PostgreSQL

June 16 2007

PostgreSQL has serious security issues with its configuration. These could allow an attacker to escalate privileges, execute shell commands or upload (binary) files. The vulnerabilities mainly originate from configuration mistakes, some of which are part of the default configuration of a PostgreSQL installation. From an administrator's point of view, the risks can easily be mitigated. Please read the paper for more information about the vulnerabilities. read more