Dailydave mailing list archives
Re: Debugging the false alarm problem.
From: "H. Daniel Regalado Arias" <dan57170 () yahoo com>
Date: Fri, 19 Oct 2007 18:16:04 -0700 (PDT)
Hi str0ke and friends!!!!, only a question... Do you have a manual in order to learn how to inject php code through GET or POST to an Application? I mean, in order to execute or upload php files. I have seen something from you like:

# Tested on vBulletin Version 3.0.1 /str0ke
# http://www.xxx.net/misc.php?do=page&template={${system(id)}}

But it does not work while testing in my app. Thanks in Advance.

H. Daniel Regalado Arias, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com

----- Original message ----
From: str0ke <str0ke () milw0rm com>
To: H. Daniel Regalado Arias <dan57170 () yahoo com>
Sent: Wednesday, 3 October 2007 13:27:11
Subject: Re: [Dailydave] Debugging the false alarm problem.

Daniel,

The only way that I know of bypassing magic quotes is if the site is using urldecode. %2527 would translate to %27.

Regards,
/str0ke

H. Daniel Regalado Arias wrote:
Hi Dave and Friends!!! Is there a way to bypass magic_quotes_gpc on a PHP app, in order to execute SQL injection on a Microsoft SQL Server?

I can't use ' (single quotes) 'cause they are converted to \', I also tried %27, ', but nothing happens.
Thanks!!!

H. Daniel Regalado Arias, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com

----- Original message ----
From: Dave Aitel <dave () immunityinc com>
To: dailydave () lists immunitysec com
Sent: Thursday, 27 September 2007 12:03:23
Subject: [Dailydave] Debugging the false alarm problem.

A couple days ago the fire alarm in my building went off at midnight. It was about four hundred decibels since they install a loudspeaker in each apartment. So I trundled over to the other bedroom, got the screaming one year old, and moved him into a room where the sound was quietest, and then closed the door and played with him for the half hour it took them to turn the noise off. Later on I called my friend who's on the board of the building, and he was like "Why didn't you come downstairs? It was everyone in their nightgowns in the lobby." The answer is that every previous fire alarm (and there have been many) has been a false positive. And I didn't realize it would be a hilarious nighttime parade, of course. This one was a false alarm as well, just a longer false alarm than usual.

Anyways, the same thing happens pretty much every time I see anyone run any VA tool, be it web, traditional network VA, or source code analysis, or whatever. They all have false positive results through the roof (which is on fire, naturally).

For web VA I'm trying to switch completely to using Immunity Debugger, and having it XML-RPC SPIKE Proxy any time certain API filters are hit, for example, CreateFile(). This lets you watch in real time if your file include attacks are working, or path traversal, or whatever. With this kind of real feedback from the remote app you can make much more educated guesses about the filters' effects on the strings you are passing in. The whole "pass a ton of stuff into a query until you think you have blind-sql-injection" game is very hit-or-miss in my experience. It's much easier to hook the database APIs and look to see if you can evade the filters directly.

Essentially I want to take all the other tools we have in our bucket, and attach a debugger to them and make them 100 times better. I want to have CANVAS building and deploying custom trojans based on static analysis of executables on the target's hard drive, for example.

A while back Mark Curphey asked on his weblog [1] what it was that made good hackers so much better than average hackers. I would posit that no good hacker works alone. The question should be "What makes good teams better than average teams?". And part of the answer is going to be Immunity Debugger.

-dave

[1] http://securitybuddha.com/2007/08/29/the-security-genome-understanding-how-people-find-security-bugs/

""" Really good people (and you know who you are) can find a far greater proportion of bugs in a far shorter time than you may extrapolate from a linear intellect curve. Do they think harder or have a natural gift for making security decisions? I think the latter, also a topic of a good dinner conversation. """
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
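The decode-after-escape ordering str0ke describes, modeled in Python as an added example (not code from this thread or from any of its posters): PHP's addslashes() and the once-decoded $_GET that magic_quotes_gpc operated on are simulated, the check shows why %27 stays escaped while %2527 does not, and the parameterized lookup is the mitigation that removes the escaping step a later decode can undo. The users table is constructed for the example.

```python
import sqlite3
from urllib.parse import unquote

def addslashes(s: str) -> str:
    """Python model of PHP addslashes(), which is what magic_quotes_gpc applied."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\x00", "\\0"))

def php_get_value(wire_value: str) -> str:
    """What $_GET held under magic_quotes_gpc: the server percent-decodes the
    query string once, then the quotes in the result are backslash-escaped."""
    return addslashes(unquote(wire_value))

def has_unescaped_quote(s: str) -> bool:
    """True if a single quote appears that is not preceded by a backslash."""
    i = 0
    while i < len(s):
        if s[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if s[i] == "'":
            return True
        i += 1
    return False

def app_decoded_value(wire_value: str) -> str:
    """Defective ordering: the application calls urldecode() on data that
    magic_quotes already escaped, so a double-encoded quote surfaces unescaped."""
    return unquote(php_get_value(wire_value))

def unsafe_query(wire_value: str) -> str:
    """String-built SQL using the value from the defective ordering."""
    return "SELECT id FROM users WHERE name = '" + app_decoded_value(wire_value) + "'"

def safe_lookup(conn: sqlite3.Connection, wire_value: str) -> list:
    """Mitigation: decode as often as the application needs, then bind the
    value as a parameter. There is no escaping step for a decode to undo."""
    name = unquote(unquote(wire_value))
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    return conn

if __name__ == "__main__":
    for wire in ("%27", "%2527"):
        v = app_decoded_value(wire)
        print(f"{wire:6} -> {v!r:6} unescaped quote: {has_unescaped_quote(v)}")
    conn = demo_db()
    print(safe_lookup(conn, "alice"), safe_lookup(conn, "%2527"))
```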
Current thread:
- Re: Debugging the false alarm problem. H. Daniel Regalado Arias (Oct 03)
- <Possible follow-ups>
- Re: Debugging the false alarm problem. H. Daniel Regalado Arias (Oct 20)