[Dailydave] Debugging the false alarm problem.
H. Daniel Regalado Arias
dan57170 at yahoo.com
Fri Oct 19 21:16:04 EDT 2007
Hi str0ke and friends!!!!, only a question...
Do you have a manual in order to learn how to inject PHP code through GET or POST to an application? I mean, in order to execute or upload PHP files.
I have seen something from you like:
# Tested on vBulletin Version 3.0.1 /str0ke
# http://www.xxx.net/misc.php?do=page&template={${system(id)}}
But it does not work while testing in my app.
Thanks in Advance.
H. Daniel Regalado Arias, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com
----- Original message ----
From: str0ke <str0ke at milw0rm.com>
To: H. Daniel Regalado Arias <dan57170 at yahoo.com>
Sent: Wednesday, 3 October 2007 13:27:11
Subject: Re: [Dailydave] Debugging the false alarm problem.
Daniel,
The only way that I know of bypassing magic quotes is if the site is
using urldecode: %2527 would translate to %27.
Regards,
/str0ke
H. Daniel Regalado Arias wrote:
> Hi Dave and Friends!!!
>
> Is there a way to bypass magic_quotes_gpc on a PHP app, in order to
> execute SQL injection on a Microsoft SQL Server?
> I can't use ' (single quotes) 'cause they are converted to \', I also tried
> %27, ', but nothing happens.
>
> Thanks!!!
>
> H. Daniel Regalado Arias, CISSP
> Chief Information Security Officer
> Macula Security Consulting Group
> www.macula-group.com
>
> ----- Original message ----
> From: Dave Aitel <dave at immunityinc.com>
> To: dailydave at lists.immunitysec.com
> Sent: Thursday, 27 September 2007 12:03:23
> Subject: [Dailydave] Debugging the false alarm problem.
>
> A couple days ago the fire alarm in my building went off at midnight.
> It was about four hundred decibels since they install a loudspeaker in
> each apartment. So I trundled over to the other bedroom, got the
> screaming one year old, and moved him into a room where the sound was
> quietest, and then closed the door and played with him for the half
> hour it took them to turn the noise off. Later on I called my friend
> who's on the board of the building, and he was like "Why didn't you
> come downstairs? It was everyone in their nightgowns in the lobby."
>
> The answer is that every previous fire alarm (and there have been
> many) has been a false positive. And I didn't realize it would be a
> hilarious nighttime parade, of course. This one was a false alarm as
> well, just a longer false alarm than usual.
>
> Anyways, the same thing happens pretty much every time I see anyone
> run any VA tool, be it web, traditional network VA, or source code
> analysis, or whatever. They all have false positive results through
> the roof (which is on fire, naturally).
>
> For web VA I'm trying to switch completely to using Immunity Debugger,
> and having it XML-RPC SPIKE Proxy any time certain API filters are
> hit, for example, CreateFile(). This lets you watch real-time if your
> file include attacks are working, or path traversal, or whatever. With
> this kind of real feedback from the remote app you can make much more
> educated guesses about the filters' effects on the strings you are
> passing in.
>
> The whole "pass a ton of stuff into a query until you think you have
> blind-sql-injection" game is very hit-or-miss in my experience. It's
> much easier to hook the database APIs and look to see if you can
> evade the filters directly.
>
> Essentially I want to take all the other tools we have in our bucket,
> and attach a debugger to them and make them 100 times better. I want
> to have CANVAS building and deploying custom trojans based on static
> analysis of executables on the target's hard drive, for example.
>
> A while back Mark Curphey asked on his weblog what it was that made
> good hackers so much better than average hackers. I would posit that
> no good hacker works alone. The question should be "What makes good
> teams better than average teams?". And part of the answer is going to
> be Immunity Debugger.
>
> -dave
>
> [1]
> http://securitybuddha.com/2007/08/29/the-security-genome-understanding-how-people-find-security-bugs/
>
> """
> Really good people (and you know who you are) can find a far greater
> proportion of bugs in a far shorter time than you may extrapolate from
> a linear intellect curve. Do they think harder or have a natural gift
> for making security decisions? I think the latter, also a topic of a
> good dinner conversation.
> """
_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave
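str0ke's answer about urldecode and %2527 is worth seeing end to end. The following is an added example, not code from this thread or from any of its authors: it models a hypothetical PHP app that calls urldecode() on a value magic_quotes_gpc has already escaped (so the escaping is undone), shows the parameterized lookup that makes the quote harmless, and flags double-encoded quotes in constructed access-log lines. The addslashes() emulation and the users table are assumptions for the demo.

```python
import re
import sqlite3
from urllib.parse import unquote

# Emulates PHP's addslashes(), which magic_quotes_gpc=On applied to every GET/POST value.
def addslashes(s: str) -> str:
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))

def legacy_build_query(query_string_value: str) -> str:
    """Vulnerable pattern (hypothetical app): the web server decodes the query
    string once, magic_quotes escapes what lands in $_GET, and then the app
    calls urldecode() *after* escaping. A %2527 survives addslashes as %27
    and only becomes a bare quote on the second decode."""
    gpc_value = unquote(query_string_value)   # what $_GET would contain
    escaped = addslashes(gpc_value)           # magic_quotes_gpc escaping
    value = unquote(escaped)                  # application's own urldecode()
    return f"SELECT name FROM users WHERE name = '{value}'"

def safe_lookup(conn: sqlite3.Connection, query_string_value: str) -> list:
    """Hardened form: finish all decoding first, then bind the value as a
    query parameter so a quote is only ever data, never SQL syntax."""
    value = unquote(unquote(query_string_value))
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (value,))
    return [r[0] for r in rows]

# Detection: a double-encoded single or double quote in a request URI is
# unusual in legitimate traffic and worth alerting on.
DOUBLE_ENCODED_QUOTE = re.compile(r"%25(27|22)", re.IGNORECASE)

def flag_double_encoding(log_lines):
    return [ln for ln in log_lines if DOUBLE_ENCODED_QUOTE.search(ln)]

# Constructed access-log lines for the demo (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /misc.php?do=page&template=news HTTP/1.1" 200',
    '10.0.0.9 - - "GET /misc.php?do=page&template=%2527 HTTP/1.1" 200',
    '10.0.0.7 - - "GET /search.php?q=o%27brien HTTP/1.1" 200',
]

def demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("o'brien",)])
    return conn

if __name__ == "__main__":
    print(legacy_build_query("%27"))     # quote stays escaped: name = '\''
    print(legacy_build_query("%2527"))   # quote breaks out: name = '''
    print(safe_lookup(demo_db(), "o%2527brien"))  # ["o'brien"], no SQL error
    print(flag_double_encoding(SAMPLE_LOG))       # only the %2527 line
```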