O’Reilly’s video training website is http://www.infiniteskills.com/. One day while I was browsing I found out that their online player can be spoofed with our own content. For example I was able to watch my favorite music videos 😉
After reporting I was given to choose any 2 courses for free. Thanks for the reward 🙂
(more…)
I was able to bypass their XSS filter. After responsibly disclosing the vulnerability I got acknowledged.
https://docs.wso2.com/display/Security/Acknowledgments
Reported SQLi and 2 XSS.
As usual responsible disclosure 🙂
avira cert
[tweet https://twitter.com/Avira/status/760418158956118020]
In the world of Windows you can execute shellcode using the VirtualAlloc and VirtualProtect Windows APIs. There are also few more APIs we can use to do the same task but different techniques involved.
This is how MSDN explains this:
Changes the protection on a region of committed pages in the virtual address space of the calling process.
[code language=”c”]
BOOL WINAPI VirtualProtect(
_In_ LPVOID lpAddress,
_In_ SIZE_T dwSize,
_In_ DWORD flNewProtect,
_Out_ PDWORD lpflOldProtect
);
[/code]
https://msdn.microsoft.com/en-us/library/windows/desktop/aa366898(v=vs.85).aspx
Basically we can make our shellcode memory region executable and invoke it using this API. We use the PAGE_EXECUTE_READWRITE as the memory protection constant for the flNewProtect parameter to make our page RWX.
Here’s an example using C which I have implemented.
(more…)
IE and Edge both uses a default XSS filter which is not powerful like the XSSAuditor(Webkit/Blink).
This is how the XSS filter is implemented.
https://msdnshared.blob.core.windows.net/media/TNBlogsFS/BlogFileStorage/blogs_technet/swi/WindowsLiveWriter/IE8XSSFilterArchitectureImplementation_7E69/pic1_thumb.png
(source: https://blogs.technet.microsoft.com/srd/2008/08/19/ie-8-xss-filter-architecture-implementation/)
(more…)
I made some interesting SQLi challenges based on some real world experiences 🙂 Give it a shot to test your SQLi skills 😉
Thank you very much for more than 100 likes !
[tweet https://twitter.com/hasherezade/status/756122086112915456]
I haven’t done any malware analysis before and this would be my first post related to malware. I’m really interested but still quite a lot of things to learn 🙂 so I thought of starting off somewhere and this is the analysis of the ransomware named “Satana” by me. Obviously I hope you know who is Satan 👿
Samples:
As soon as you run this the main executable will be deleted and a new sample will be created inside the %temp% folder.
The following is the disassembly corresponding to this event.
It’s possible to store a EXE file inside a MySQL database. You can try this out. For demonstration purposes I’m running MySQL in my localhost. I will be creating a simple database and a table big enough to store the exe file. Since we convert the exe to a hex file the content would be larger than the original exe file. I will be using ‘putty.exe’ as the binary.
[code language=”sql”]
CREATE DATABASE testupload;
USE testupload
CREATE TABLE uploads (
id INT(3) NOT NULL AUTO_INCREMENT,
name VARCHAR(1000000) NOT NULL,
PRIMARY KEY (id)
);
[/code]
(more…)
In MySQL and MariaDB the official methods of commenting would be
|
1 2 3 |
-- # /* comment */ |
The ‘#’ is also known as a “fragment identifier” and is typically used to identify a portion of an HTML document that sits within a fully qualified URL.
When passing ‘#’ inside a URL to the back-end database we can use ‘%23’.
(more…)
