Author: Osanda Malith Jayathissa

Fun with SQLite Load_Extension

What is load_extension?

This interface loads an SQLite extension library from the named file.

[code language=”C”]
int sqlite3_load_extension(
sqlite3 *db, /* Load the extension into this database connection */
const char *zFile, /* Name of the shared library containing extension */
const char *zProc, /* Entry point. Derived from zFile if 0 */
char **pzErrMsg /* Put error message here if not 0 */
);
[/code]

More information: https://www.sqlite.org/c3ref/load_extension.html
You can use this function to load a SQLite extension. However by default sqlite3_enable_load_extension() is turned off by default to prevent this in SQL injection attacks. You can read more from here https://www.sqlite.org/c3ref/enable_load_extension.html
The syntax would be
[code language=”sql”]
select load_extension(‘path\dll’, ‘EP’);
[/code]
However this path, const char *zFile can be a SMB share too.
(more…)

Content Spoofing on Infiniteskills

O’Reilly’s video training website is http://www.infiniteskills.com/. One day while I was browsing I found out that their online player can be spoofed with our own content. For example I was able to watch my favorite music videos 😉

After reporting I was given to choose any 2 courses for free. Thanks for the reward 🙂
(more…)

Acknowledged by WSO2

I was able to bypass their XSS filter. After responsibly disclosing the vulnerability I got acknowledged.
https://docs.wso2.com/display/Security/Acknowledgments

View post on imgur.com

Making your Shellcode Undetectable using .NET

In the world of Windows you can execute shellcode using the VirtualAlloc and VirtualProtect Windows APIs. There are also few more APIs we can use to do the same task but different techniques involved.

VirtualProtect

This is how MSDN explains this:

Changes the protection on a region of committed pages in the virtual address space of the calling process.

[code language=”c”]
BOOL WINAPI VirtualProtect(
_In_ LPVOID lpAddress,
_In_ SIZE_T dwSize,
_In_ DWORD flNewProtect,
_Out_ PDWORD lpflOldProtect
);
[/code]
https://msdn.microsoft.com/en-us/library/windows/desktop/aa366898(v=vs.85).aspx

Basically we can make our shellcode memory region executable and invoke it using this API. We use the PAGE_EXECUTE_READWRITE as the memory protection constant for the flNewProtect parameter to make our page RWX.

Here’s an example using C which I have implemented.
(more…)

Bypassing IE and Edge XSS Filters with Double Encoding

IE and Edge both uses a default XSS filter which is not powerful like the XSSAuditor(Webkit/Blink).
This is how the XSS filter is implemented.

https://msdnshared.blob.core.windows.net/media/TNBlogsFS/BlogFileStorage/blogs_technet/swi/WindowsLiveWriter/IE8XSSFilterArchitectureImplementation_7E69/pic1_thumb.png
(source: https://blogs.technet.microsoft.com/srd/2008/08/19/ie-8-xss-filter-architecture-implementation/)
(more…)

Break This SQLi

logo

I made some interesting SQLi challenges based on some real world experiences 🙂 Give it a shot to test your SQLi skills 😉

http://breakthisqli.rf.gd/

Thank you very much for more than 100 likes !
[tweet https://twitter.com/hasherezade/status/756122086112915456]

Satana Malware Analysis

I haven’t done any malware analysis before and this would be my first post related to malware. I’m really interested but still quite a lot of things to learn 🙂 so I thought of starting off somewhere and this is the analysis of the ransomware named “Satana” by me. Obviously I hope you know who is Satan 👿

Samples:

Behavior Analysis

As soon as you run this the main executable will be deleted and a new sample will be created inside the %temp% folder.

View post on imgur.com

The following is the disassembly corresponding to this event.

View post on imgur.com


(more…)

Storing a EXE inside MySQL

It’s possible to store a EXE file inside a MySQL database. You can try this out. For demonstration purposes I’m running MySQL in my localhost. I will be creating a simple database and a table big enough to store the exe file. Since we convert the exe to a hex file the content would be larger than the original exe file. I will be using ‘putty.exe’ as the binary.

[code language=”sql”]
CREATE DATABASE testupload;

USE testupload

CREATE TABLE uploads (
id INT(3) NOT NULL AUTO_INCREMENT,
name VARCHAR(1000000) NOT NULL,
PRIMARY KEY (id)
);
[/code]
(more…)