This is another fun shellcode I’ve written to scroll your desktop horizontally.
Month: February 2017
Shellcode to Invert Colors
This is a simple shellcode I wrote for fun. It is pretty useless, but it is still fun to experiment with.
MySQL Injection in Update, Insert and Delete
Overview
The traditional in-band method for INSERT and UPDATE injections is to fix the query. For example, in INSERT statements one can simply fix the query, comment out the rest and extract the data once it is echoed out by the application. The same goes for the UPDATE statement, but we can only fix the query if it updates more than one column. What if we face a situation where the UPDATE or INSERT has a single column, or we simply don’t know the exact query to fix? What if mysql_error() is not echoed out?
Let’s look at the following scenario. For simplicity’s sake let’s not make things complex. The updated username is also echoed back to us. How can we inject in this scenario?
$query = "UPDATE users SET username = '$username' WHERE id = '$id';";
The parameters are as follows for the update query.
username=test&id=16
Recently I was researching different in-band and out-of-band techniques that can be applied in these situations.
To understand my technique, let’s look at how MySQL handles strings. Basically, a non-numeric string is equal to ‘0’ in MySQL. Let me prove it.
mysql> select 'osanda' = 0;
+--------------+
| 'osanda' = 0 |
+--------------+
|            1 |
+--------------+

mysql> select !'osanda';
+-----------+
| !'osanda' |
+-----------+
|         1 |
+-----------+
What if we add digits to a string? It would be the same as adding that value to 0.
mysql> select 'osanda'+123;
+--------------+
| 'osanda'+123 |
+--------------+
|          123 |
+--------------+
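To show the rule behind these two results in working code, here is an added Python emulation of MySQL’s implicit string-to-number conversion (written for this page, not part of the original post). It generalizes the examples above to any string with a leading numeric prefix, and adds a strict validator of the kind a defender would apply to a parameter such as `id` so the query never depends on that coercion; the regex is this example’s own model of the rule, not MySQL’s parser.

```python
import re

# MySQL coerces a string to a number by taking its longest numeric prefix
# (leading whitespace, optional sign, digits, fraction, exponent) and silently
# dropping the rest; a string with no numeric prefix becomes 0.  This regex is
# this example's model of that rule, not MySQL's own parser.
_NUMERIC_PREFIX = re.compile(r"^\s*([+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?)")


def mysql_str_to_number(s: str) -> float:
    """Number MySQL uses for string s in arithmetic or a numeric comparison."""
    m = _NUMERIC_PREFIX.match(s)
    return float(m.group(1)) if m else 0.0


def _as_number(v) -> float:
    """Strings go through the coercion rule; numbers are used as DOUBLE as-is."""
    return mysql_str_to_number(v) if isinstance(v, str) else float(v)


def mysql_eq(left, right) -> int:
    """Model '=' with a string on one side: both operands become DOUBLE first,
    so 'osanda' = 0 is 1 because every non-numeric string collapses to 0."""
    return int(_as_number(left) == _as_number(right))


def mysql_add(left, right) -> float:
    """Model '+' with a string operand: 'osanda'+123 is 0+123, i.e. 123."""
    return _as_number(left) + _as_number(right)


def mysql_not(value) -> int:
    """Model logical NOT: !'osanda' is NOT 0, which is 1."""
    return int(_as_number(value) == 0.0)


def strict_int(param: str) -> int:
    """Defender-side check for an integer parameter such as the `id` above:
    only a pure digit string is accepted, so a value like '16abc' is rejected
    instead of being silently truncated to 16 by the database."""
    if not re.fullmatch(r"[0-9]+", param):
        raise ValueError(f"not a strict integer: {param!r}")
    return int(param)


if __name__ == "__main__":
    for s in ["osanda", "123abc", " 12.5kg", "1e2x", ".5"]:
        print(f"{s!r:>10} -> {mysql_str_to_number(s)}")
    print("'osanda' = 0 ->", mysql_eq("osanda", 0))
```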
MySQL Out-of-Band Hacking
Overview
Out-of-band injections are well researched when it comes to MSSQL and Oracle, but I noticed that in MySQL this topic is not well researched. I thought of researching this topic based on my experiences with SQL injection. For this purpose we can take advantage of functions such as load_file() and select … into outfile/dumpfile. Apart from that we can also steal NetNTLM hashes and perform SMB relay attacks. All this is possible only in MySQL under Windows.
What is Out-of-Band Injection?
These attacks use alternative channels to extract data from the server. The channel might be HTTP(S) requests, DNS resolutions, the file system, e-mails, etc., depending on the functionality of the back-end technology.
Limitations in MySQL
In MySQL there is a global system variable known as ‘secure_file_priv’. This variable is used to limit the effect of data import and export operations, such as those performed by the LOAD DATA and SELECT … INTO OUTFILE statements and the LOAD_FILE() function.
- If set to the name of a directory, the server limits import and export operations to files in that directory. The directory must exist; the server will not create it.
- If the variable is empty it has no effect, which is an insecure configuration.
- If set to NULL, the server disables import and export operations. This value is permitted as of MySQL 5.5.53.
Before MySQL 5.5.53 this variable is empty by default, hence allowing us to use these functions. But in versions after 5.5.53 the value ‘NULL’ disables these functions.
To check the value of this variable you can use any of the following methods. ‘secure_file_priv’ is a global, read-only variable, which means you cannot change it at runtime.
select @@secure_file_priv;
select @@global.secure_file_priv;
show variables like "secure_file_priv";
Alternative for Information_Schema.Tables in MySQL
Overview
Starting from MySQL 5.5, the default storage engine is InnoDB. In MySQL versions 5.5 and above, if you run ‘select @@innodb_version’ you can see the version of InnoDB, which is almost the same as your MySQL version.
But in MySQL 5.6 and above I noticed two new tables created by InnoDB: ‘innodb_index_stats’ and ‘innodb_table_stats’. Both these tables contain the database and table names of all newly created databases and tables.
The MySQL documentation explains these two tables as follows.
The persistent statistics feature relies on the internally managed tables in the mysql database, named innodb_table_stats and innodb_index_stats. These tables are set up automatically in all install, upgrade, and build-from-source procedures.
For injection purposes let’s take the ‘innodb_table_stats’ table. Unfortunately these InnoDB tables don’t store column names.
If you simply run ‘show tables in mysql’ you can see these tables on your localhost.
Patching Windows Media Player
I’m writing this post at the request of @rudr4_sarkar. This is a very simple patch that lets you open multiple instances of wmplayer. Windows Media Player uses the ‘CreateMutexW’ API to create a mutex object named “Local\Microsoft_WMP_70_CheckForOtherInstanceMutex”, and checks whether that mutex already exists to detect a running instance.
The pseudo code would be something like this:
[code language="c"]
#include <windows.h>

/* The mutex name contains a backslash, which must be escaped in a C string literal. */
HANDLE hMutex = CreateMutexW(NULL, FALSE, L"Local\\Microsoft_WMP_70_CheckForOtherInstanceMutex");
if (GetLastError() == ERROR_ALREADY_EXISTS) {
    /* another instance already owns the mutex: refuse to start a second player */
}
[/code]
You just need to patch the ‘JNZ’ into a ‘JMP’ instruction, so that it always jumps to the good boy.