This course covers lots of areas in the field of penetration testing. I like the content since it covers good theory as well. They have included new sections such as Ruby and Wi-Fi. The content is very up to date. The exam was more realistic and not CTF based. I'm not going to write a complete review, but I would recommend this course for anyone who wants to enter the field of penetration testing or those already in it. There's always something new to learn from any course 😉
Latest Blog Posts
String Length Function in NASM
In certain situations, when I want to print a string to stdout, the write syscall on Linux needs the string's length. The usual `$ - msg` idiom only works for a string defined in the data section at assembly time, so for a buffer whose length is only known at run time we need a real strlen.
We use the REPNE (REPeat while Not Equal) prefix together with SCASB (scan byte string). SCASB compares AL against the byte at ES:[EDI], sets the flags, and advances EDI by one (with the direction flag clear); REPNE repeats it while ECX != 0 and the last comparison did not match (ZF = 0). With AL = 0 the loop stops just after the NUL terminator. Because EDI is advanced even on the matching iteration, EDI minus the starting address (saved in EBX) is the length plus one, so we subtract one to get the length.
[code language=”asm”]
_strlen:                 ; in: EDI -> NUL-terminated string, out: EAX = length (EDI is clobbered)
push ebx
push ecx
cld                      ; DF = 0 so SCASB walks forward
mov ebx, edi             ; keep the start address
xor al, al               ; AL = 0, the byte we scan for
mov ecx, 0xffffffff      ; upper bound on the scan
repne scasb              ; while ecx != 0 and [es:edi] != al: edi++, ecx--
sub edi, ebx             ; edi stopped one past the NUL, so this is length + 1
lea eax, [edi - 1]       ; drop the terminator
pop ecx                  ; restore in reverse push order
pop ebx
ret
[/code]
Assault Cube Trainer
I recently wanted to explore the world of game hacking, which involves some cool reverse engineering tricks. This is a trainer written in C++.
It simply uses WriteProcessMemory to write the new values into the game's memory.
Download game: https://assault.cubers.net/download.html
Download trainer: https://github.com/OsandaMalith/GameHacking/blob/master/AssaultCube/Hack.7z
Fun with SQLite Load_Extension
What is load_extension?
This interface loads an SQLite extension library from the named file.
[code language=”C”]
int sqlite3_load_extension(
sqlite3 *db, /* Load the extension into this database connection */
const char *zFile, /* Name of the shared library containing extension */
const char *zProc, /* Entry point. Derived from zFile if 0 */
char **pzErrMsg /* Put error message here if not 0 */
);
[/code]
More information: https://www.sqlite.org/c3ref/load_extension.html
You can use this function to load an SQLite extension. However, extension loading is disabled by default, precisely so that a SQL injection cannot be escalated into loading arbitrary native code: the application has to call sqlite3_enable_load_extension() to turn it on. (Since SQLite 3.13.0 an application can also use sqlite3_db_config() with SQLITE_DBCONFIG_ENABLE_LOAD_EXTENSION, which enables only the C API while leaving the SQL load_extension() function disabled.) You can read more here: https://www.sqlite.org/c3ref/enable_load_extension.html
The syntax would be
[code language=”sql”]
select load_extension('path\dll', 'EP');
[/code]
However, this path (the const char *zFile argument) can also be a UNC path to an SMB share, so the library does not have to be on the target's disk already.
(more…)
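The default policy is easy to check from the SQL side. The following is an added example, not code from the original post: it uses Python's built-in sqlite3 module (in place of the C API the post quotes) against an in-memory database, and the extension path is a constructed, nonexistent file, which is exactly where a UNC path to an SMB share would go.

```python
"""Added example (not from the original post): what load_extension() looks
like from SQL with the default policy, and after the application enables
extension loading, using Python's sqlite3 module on an in-memory database."""
import sqlite3

# Constructed path: a library that does not exist anywhere on disk.
FAKE_EXT = "/nonexistent/evil.so"


def try_load_extension(path=FAKE_EXT):
    """Run the SQL-level load_extension() the way an injected query would.
    Returns the error text SQLite produces, or None if the call succeeded."""
    con = sqlite3.connect(":memory:")
    try:
        con.execute("SELECT load_extension(?)", (path,))
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)
    finally:
        con.close()


def loading_blocked_by_default():
    """True when SQLite refuses before even looking at the path: either the
    sqlite3_enable_load_extension() switch is off ("not authorized") or the
    library was built without the feature ("no such function")."""
    err = try_load_extension()
    return err is not None and ("not authorized" in err or "no such function" in err)


def try_with_loading_enabled(path=FAKE_EXT):
    """Same call after the application turns extension loading on.
    Returns (enabled, error). enabled is False when this Python build cannot
    enable extension loading, in which case the answer does not change."""
    con = sqlite3.connect(":memory:")
    try:
        try:
            con.enable_load_extension(True)
        except Exception:
            return False, try_load_extension(path)
        try:
            con.execute("SELECT load_extension(?)", (path,))
            return True, None
        except sqlite3.OperationalError as exc:
            return True, str(exc)   # now a loader error about the file itself
    finally:
        con.close()


if __name__ == "__main__":
    print("default policy:", try_load_extension())
    print("after enabling:", try_with_loading_enabled())
```

With the switch off the function fails with "not authorized" regardless of the path; once the application enables loading, the same injected call reaches the OS loader and the only remaining error is that the file does not exist.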
Making your Shellcode Undetectable using .NET
On Windows you can execute shellcode by allocating memory with VirtualAlloc and marking it executable with VirtualProtect. A few other APIs can do the same job, each with a slightly different technique.
VirtualProtect
This is how MSDN explains this:
Changes the protection on a region of committed pages in the virtual address space of the calling process.
[code language=”c”]
BOOL WINAPI VirtualProtect(
_In_ LPVOID lpAddress,
_In_ SIZE_T dwSize,
_In_ DWORD flNewProtect,
_Out_ PDWORD lpflOldProtect
);
[/code]
https://msdn.microsoft.com/en-us/library/windows/desktop/aa366898(v=vs.85).aspx
In short, we make the memory region holding our shellcode executable with this API and then jump to it. The post uses PAGE_EXECUTE_READWRITE as the memory protection constant for flNewProtect, which makes the page RWX. Note that a region that is simultaneously writable and executable is itself a common detection heuristic: write the bytes under PAGE_READWRITE and switch to PAGE_EXECUTE_READ only when you need to run them.
Here’s an example using C which I have implemented.
(more…)
Bypassing IE and Edge XSS Filters with Double Encoding
Both IE and Edge ship a built-in XSS filter, which is considerably less capable than the XSS Auditor in WebKit/Blink.
This is how the XSS filter is implemented.
Figure: IE 8 XSS filter architecture (image: https://msdnshared.blob.core.windows.net/media/TNBlogsFS/BlogFileStorage/blogs_technet/swi/WindowsLiveWriter/IE8XSSFilterArchitectureImplementation_7E69/pic1_thumb.png; source: https://blogs.technet.microsoft.com/srd/2008/08/19/ie-8-xss-filter-architecture-implementation/)
(more…)
Break This SQLi
I made some interesting SQLi challenges based on some real world experiences 🙂 Give it a shot to test your SQLi skills 😉
Thank you very much for more than 100 likes!
Tweet: https://twitter.com/hasherezade/status/756122086112915456
Satana Malware Analysis
I haven't done any malware analysis before, and this is my first post related to malware. I'm really interested, but there is still quite a lot to learn 🙂 so I thought I'd start somewhere, and this is my analysis of the ransomware named "Satana". Obviously, I hope you know who Satan is 👿
Samples:
- 46bfd4f1d581d7c0121d2b19a005d3df – main sample
- d236fcc8789f94f085137058311e848b – unpacked
Behavior Analysis
As soon as you run it, the main executable is deleted and a new copy of the sample is dropped inside the %temp% folder.
The following is the disassembly corresponding to this behaviour.
Storing a EXE inside MySQL
It's possible to store an EXE file inside a MySQL database. You can try this out. For demonstration purposes I'm running MySQL on localhost. I will create a simple database and a table large enough to hold the file. Since the EXE is converted to hex text first, the stored content is larger than the original file (every byte becomes two characters). I'll be using 'putty.exe' as the binary.
[code language=”sql”]
CREATE DATABASE testupload;
USE testupload;
CREATE TABLE uploads (
id INT(3) NOT NULL AUTO_INCREMENT,
-- VARCHAR(1000000) is rejected by MySQL (a row is limited to 65,535 bytes);
-- a LONGBLOB holds up to 4 GiB, enough for the hex text or the raw binary
name LONGBLOB NOT NULL,
PRIMARY KEY (id)
);
[/code]
(more…)
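Preparing the INSERT is where the size doubling bites, because the whole statement has to fit inside the server's max_allowed_packet. The following is an added example, not code from the original post: it builds the hex literal for a constructed stand-in for putty.exe (a few bytes starting with the MZ header), checks the statement against the packet limit, and decodes the literal back to the original bytes. Using a 0x... literal rather than a quoted string means MySQL stores the raw bytes in the LONGBLOB, so nothing has to be escaped.

```python
"""Added example (not from the original post): building the MySQL hex literal
for a binary, checking it against max_allowed_packet, and round-tripping it."""

# Constructed stand-in for putty.exe: a PE-style header plus padding bytes.
FAKE_EXE = b"MZ\x90\x00" + bytes(range(256)) * 4

# MySQL 5.7 defaults max_allowed_packet to 4 MiB; 8.0 raised it to 64 MiB.
DEFAULT_MAX_ALLOWED_PACKET = 4 * 1024 * 1024


def to_hex_literal(blob):
    """MySQL accepts 0x.. hex literals for binary values, so no escaping is needed."""
    return "0x" + blob.hex()


def build_insert(blob, table="uploads", column="name"):
    """The statement that stores the binary in the table created above."""
    return "INSERT INTO %s (%s) VALUES (%s);" % (table, column, to_hex_literal(blob))


def fits_in_packet(blob, max_allowed_packet=DEFAULT_MAX_ALLOWED_PACKET):
    """The server rejects any single statement larger than max_allowed_packet,
    so the hex-encoded size (2 chars per byte) is what matters, not the file size."""
    return len(build_insert(blob)) <= max_allowed_packet


def from_hex_literal(literal):
    """What the server actually stores for a 0x literal: the original bytes."""
    if not literal.startswith("0x"):
        raise ValueError("not a MySQL hex literal")
    return bytes.fromhex(literal[2:])


if __name__ == "__main__":
    stmt = build_insert(FAKE_EXE)
    print("binary bytes:", len(FAKE_EXE), "statement chars:", len(stmt))
    print("fits in default packet:", fits_in_packet(FAKE_EXE))
```

For a real executable of a few megabytes the statement approaches the 5.7 default limit, which is why a raised max_allowed_packet (or chunked inserts) is usually the first obstacle in practice.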
Unofficial Way of Commenting in MySQL and MariaDB
In MySQL and MariaDB the official methods of commenting would be
[code language=”sql”]
-- comment
# comment
/* comment */
[/code]
Note that '#' has another meaning in a URL: it introduces the fragment identifier, the part of a fully qualified URL that names a location inside an HTML document, and the browser never sends it to the server.
So when a '#' comment is injected through a URL parameter it has to be URL-encoded as '%23', or it never reaches the back-end database.
(more…)