Feb 04 2013
This is great news. After joining the sqlninja team and putting lots of effort in, the new version of sqlninja has finally been released. The SQL injection and take-over tool now supports data extraction, a fancy new file upload method and various other useful bits and bobs. For instance, sqlninja now lets you store your progress in a session file. Download it here, give it a try and let us know what you think!
SAP Netweaver Remote Code Execution
April 29 2012
A bug in SAP Netweaver's SAPHostControl allows remote code execution. SAP have released a patch which can be obtained from here.
The vulnerability arises from copying user input of variable size into a static buffer. The full advisory with additional information can be found here.
MS11-066: Microsoft .NET Chart Control
August 09 2011
The vulnerability itself was actually found quite some time ago. But Microsoft have finally released the security bulletin on this one (check out: MS11-066).
The .NET Chart Control plots graphs, by default stores them as image files on the web server and then serves those files on request. A typical request for example would be: /ChartImg.axd?i=chart_0_3.png.
Before reading and returning the file it does some validation to determine whether the requested file is inside the allowed directory or not. However, that validation process is flawed and effectively allows traversing directories and reading arbitrary files on the system. Furthermore, there's a "hidden" trace parameter (/ChartImg.axd?trace=1) that discloses somewhat interesting debug information.
Find more information here.
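As an added defender-side example (not code from the original post or from the Microsoft bulletin): a small scanner over constructed access log lines that flags ChartImg.axd requests whose i parameter would leave the chart image directory, and requests that use the trace parameter. The log format, the function names and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not real traffic); only the request URL matters here.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Aug/2011:10:01:00 +0000] "GET /ChartImg.axd?i=chart_0_3.png HTTP/1.1" 200 5120
10.0.0.7 - - [09/Aug/2011:10:01:05 +0000] "GET /ChartImg.axd?i=..%2F..%2Fweb.config HTTP/1.1" 200 812
10.0.0.9 - - [09/Aug/2011:10:01:09 +0000] "GET /ChartImg.axd?trace=1 HTTP/1.1" 200 2048
10.0.0.5 - - [09/Aug/2011:10:02:00 +0000] "GET /index.aspx HTTP/1.1" 200 3000
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def is_traversal(name: str) -> bool:
    """True if the requested image name could point outside a single flat directory.

    The chart control only ever serves files like chart_0_3.png, so any path
    separator, '..' segment or drive/colon syntax is suspicious. Decoding twice
    catches double URL-encoding; backslashes are folded into slashes for Windows.
    """
    decoded = unquote(unquote(name)).replace("\\", "/")
    segments = decoded.split("/")
    return len(segments) > 1 or ".." in segments or ":" in decoded


def classify_request(url: str):
    """Return a list of findings for a ChartImg.axd request, or None for other URLs."""
    parts = urlsplit(url)
    if parts.path.lower() != "/chartimg.axd":
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    if qs.get("trace", [""])[0]:          # the hidden debug switch was used
        findings.append("trace")
    for name in qs.get("i", []):          # one or more requested image names
        if is_traversal(name):
            findings.append("traversal")
    return findings


def scan_log(text: str):
    """Yield (client_ip, url, findings) for every suspicious ChartImg.axd request."""
    alerts = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = classify_request(match.group(1))
        if findings:
            alerts.append((line.split()[0], match.group(1), findings))
    return alerts


if __name__ == "__main__":
    for ip, url, findings in scan_log(SAMPLE_LOG):
        print(f"{ip} {url} -> {', '.join(findings)}")
```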
ICMP Shell in sqlmap
May 06 2011
After a big refurbishment the new version of sqlmap is finally out, supporting multiple techniques to exploit SQL injection in various database management systems. A lot of new features have been added, including spawning shells using the ICMP shell. Certainly worth checking out! Have a look here.
sqlninja coming up...
Aug 18 2010
Good news. There'll actually be some practical use for the reverse ICMP shell that I uploaded just the other day. It's now made its way into sqlninja and will be included in the next release. At the moment it's available in the SVN repository.
Reverse ICMP Shell
Jun 04 2010
Due to a recent requirement, I put this reverse ICMP shell together. It comes with a win32 slave and a *nix C or Perl master. The slave is based on Windows library functions which should be on any system from Windows 2000 on. The advantage of using those is that, as opposed to raw sockets, they do not require high privileges to send out ICMP requests. The slave is about 22k and can even be uploaded via SQL injection in reasonable time. Have a play.
Aug 02 2009
... well, kind of. I happily announce the first alpha release of heyoka to be downloaded from here. The alpha version however is somewhat limited and you might find one or the other bug. As for now, it has been tested on Windows 2008 only and NULL or CNAME queries are not supported yet. Those and a lot of other features and improvements will be implemented shortly. Anyway, I'm sure you'll have a lot of fun playing with what is there. So, have a go and leave us some feedback. :)
CONFidence 2009 - Recapitulation
May 22 2009
I must say it has been a great event. The venue, the people and the talks were all brilliant at CONFidence this year. There are a few talks that I want to highlight: Rich Smith presented his work on how to automate attacks against systems running VNC. He showed how he can send key strokes to the remote VNC server and thus upload files or execute commands. The talk was well done and the demo rocked! Secondly, there was Shannon Conheady who gave a witty and very entertaining talk about Social Engineering, her experiences and helpful tips and tricks. And then of course, there was Michael Kemp and his feisty talk about Rootkits sold as Data Loss Prevention (DLP) Tools by well-known Anti-Virus Vendors. In the end, that very controversial talk sparked a big argument between him, his supporters and the AV vendors present. Altogether a conference worth attending. And I, for sure, will do my best to be there again in 2010...
The Heyoka slides will soon be available on either the conference site or our sourceforge pages.
Witam w Krakowie - Welcome to Krakow!
May 05 2009
This is going to be the second gig for Heyoka. After a successful first performance at the SOURCE conference in Boston we'll present our work at CONFidence in Krakow. Since Boston we have improved our DNS tunneling techniques and come up with a few new ideas to make the tunnel even stealthier. If you happen to be at CONFidence then join us on the 15th of May at 4pm. It'll be fun, it'll be worth it...
Cracking Made Simple: p|d 1.2.2 (aka. phrasen|drescher)
March 30 2009
It's been quite a while since the last release. I've extended the API, fixed some bugs in the core and plugin code and added another plugin that allows cracking the symmetric keys of encrypted files. The plugin is based on the PGP Made Simple library (GPGME) and therefore supports all ciphers that are supported by GnuPG. Have a look at the project page...
Heyoka is born!
March 24 2009
Heyoka had its first performance in public. We presented our research and showed a demo of the tool at SOURCE Boston 2009 two weeks ago. Since then, we have got some really nice and helpful feedback which left us inspired and motivated to keep on working on heyoka. If you're interested, the slides are available on the sourceforge page...
SOURCE Boston was a great conference with many high-level talks and a nice atmosphere. There's going to be SOURCE Barcelona this year in September. I recommend that you don't miss it :)