Dailydave mailing list archives

Re: Debugging the false alarm problem.


From: "H. Daniel Regalado Arias" <dan57170 () yahoo com>
Date: Wed, 3 Oct 2007 09:58:02 -0700 (PDT)

Hi Dave and Friends!!!

Is there a way to bypass magic_quotes_gpc on a PHP app, in order to execute SQL injection on a Microsoft SQL Server?
I can't use ' (single quotes) 'cause they are converted to \', I also tried %27, &#39;, but nothing happens.

Thanks!!!
 
H. Daniel Regalado Arias, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com
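The setup described in the question above, as an added example that is not part of the thread: a PHP query that relies on magic_quotes_gpc beside the parameterized form for SQL Server. The PDO DSN, the credentials and the `users` table are assumed.

```php
<?php
// Added example, not from the thread. Assumes a PDO sqlsrv DSN, credentials,
// and a hypothetical "users" table with "username" and "email" columns.

// Pattern 1 (vulnerable): the statement is built by string concatenation, so
// the only thing between user input and the SQL parser is whatever
// magic_quotes_gpc happened to escape. Input escaping is not a defence here.
function find_user_vulnerable(PDO $db, string $name): array
{
    $sql = "SELECT username, email FROM users WHERE username = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Pattern 2 (hardened): the statement text is fixed and the value travels to
// SQL Server as a bound parameter, so it is never parsed as SQL, whatever
// quotes or escape characters it contains.
function find_user_safe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT username, email FROM users WHERE username = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Undo magic_quotes_gpc escaping (PHP < 5.4, where the option could be on) so
// that bound values are not stored with stray backslashes. get_magic_quotes_gpc()
// was removed in PHP 8; the function_exists() guard keeps this running there.
function raw_input(string $key): string
{
    $value = isset($_GET[$key]) ? (string) $_GET[$key] : '';
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Assumed connection details; replace with the real ones.
$db = new PDO('sqlsrv:Server=dbhost;Database=appdb', 'appuser', 'secret');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

foreach (find_user_safe($db, raw_input('user')) as $row) {
    echo htmlspecialchars($row['username'] . ' <' . $row['email'] . '>'), "\n";
}
```

Only find_user_safe() should be reachable in production; find_user_vulnerable() is kept here only to show the pattern that magic_quotes_gpc was meant to paper over.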

----- Original Message ----
From: Dave Aitel <dave () immunityinc com>
To: dailydave () lists immunitysec com
Sent: Thursday, 27 September 2007 12:03:23
Subject: [Dailydave] Debugging the false alarm problem.


A couple days ago the fire alarm in my building went off at midnight.
It was about four hundred decibels since they install a loudspeaker in
each apartment. So I trundled over to the other bedroom, got the
screaming one year old, and moved him into a room where the sound was
quietest, and then closed the door and played with him for the half
hour it took them to turn the noise off. Later on I called my friend
who's on the board of the building, and he was like "Why didn't you
come downstairs? It was everyone in their nightgowns in the lobby."

The answer is that every previous fire alarm (and there have been
many) has been a false positive. And I didn't realize it would be a
hilarious nighttime parade, of course. This one was a false alarm as
well, just a longer false alarm than usual.

Anyways, the same thing happens pretty much every time I see anyone
run any VA tool, be it web, traditional network VA, or source code
analysis, or whatever. They all have false positive results through
the roof (which is on fire, naturally).

For web VA I'm trying to switch completely to using Immunity Debugger,
and having it XML-RPC SPIKE Proxy any time certain API filters are
hit, for example, CreateFile(). This lets you watch real-time if your
file include attacks are working, or path traversal, or whatever. With
this kind of real feedback from the remote app you can make much more
educated guesses about the filters' effects on the strings you are
passing in.

The whole "pass a ton of stuff into a query until you think you have
blind-sql-injection" game is very hit-or-miss in my experience. It's
much easier to hook the database APIs and look to see if you can
evade the filters directly.

Essentially I want to take all the other tools we have in our bucket,
and attach a debugger to them and make them 100 times better. I want
to have CANVAS building and deploying custom trojans based on static
analysis of executables on the target's hard drive, for example.

A while back Mark Curphey asked on his weblog [1] what it was that made
good hackers so much better than average hackers. I would posit that
no good hacker works alone. The question should be "What makes good
teams better than average teams?". And part of the answer is going to
be Immunity Debugger.

- -dave

[1]
http://securitybuddha.com/2007/08/29/the-security-genome-understanding-how-people-find-security-bugs/

"""
Really good people (and you know who you are) can find a far greater
proportion of bugs in a far shorter time than you may extrapolate from
a linear intellect curve. Do they think harder or have a natural gift
for making security decisions? I think the later, also a topic of a
good dinner conversation.
"""


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave