Archive for July, 2014

We all know that sqlmap is a really great tool which has a lot of options that you can tweak and adjust to exploit the SQLi vuln you just found (or that sqlmap found for you). On rare occasions however you might want to just have a small and simple script or you just want to learn how to do it yourself. So let’s see how you could write your own script to exploit a blind SQLi vulnerability. Just to make sure we are all on the same page, here is the blind SQLi definition from OWASP:

Blind SQL (Structured Query Language) injection is a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the applications response.

You can also roughly divide the exploiting techniques in two categories (like owasp does) namely:

  • content based
    • The page output tells you if the query was successful or not
  • time based
    • Based on a time delay you can determine if your query was successful or not

Of course you have dozens of variations on the above two techniques, I wrote about one such variation a while ago. For this script we are going to just focus on the basics of the mentioned techniques, if you are more interested in knowing how to find SQLi vulnerabilities you could read my article on Solving RogueCoder’s SQLi challenge. Since we are only focusing on automating a blind sql injection, we will not be building functionality to find SQL injections.

Before we even think about sending SQL queries to the servers, let’s first setup the vulnerable environment and try to be a bit realistic about it. Normally this means that you at least have to login, keep your session and then inject. In some cases you might even have to take into account CSRF tokens which depending on the implementation, means you have to parse some HTML before you can send the request. This will however be out of scope for this blog entry. If you want to know how you could parse HTML with python you could take a look at my credential scavenger entry.

If you just want the scripts you can find them in the example_bsqli_scripts repository on my github, since this is an entry on how you could write your own scripts all the values are hard coded in the script.

(more…)

During one of those boring afternoons I noticed that most embassy buildings seem to have more or less the same amount of visible physical protection, this made me wonder what the available options are if you’d want to protect your own house. These are just some quick notes after searching around the internet on another boring afternoon, most of the options have an additional wide variety of configuration possibilities. So if you decide to implement any of the mentioned options, please do some research yourself, since these are just some starting points and you should choose the appropriate configuration yourself.

Keep in mind that (as far as I know) most options discussed here can be bypassed. Like with all security measures you should base the choices you make on a layered approach. The sum of all the protective measures should buy you enough time to detect a break in and react before any valuables are stolen. Feel free to leave additional measures in the comments or how to bypass the measures in this article. Do keep in mind that these measures will be a lot less effective if they decide to break in while you are at home, also these security measure are not aimed at preventing social engineering attacks. As usual I’ve got no clue what the rules in your country are, so read up on them before you implement some of the following options.

Oh and if you want an example of how physical security measures can by bypassed then you’ll probably enjoy this article. It’s about one of the biggest ($100 million) diamond heists in Belgium and how the attackers bypassed ten physical security measures: The Untold Story of the World’s Biggest Diamond Heist

(more…)