Read htaccess file through Blind SQL injection

This time I would like to talk about a challenge I solved recently and found quite interesting. In this case, we had to access the private area (protected with htaccess) of a website in which we had found a blind SQL injection vulnerability (a widely known class of vulnerability; for anyone unfamiliar with it, there is plenty of information on the Internet, for example at https://www.owasp.org/index.php/Blind_SQL_Injection).

In MySQL there is the function load_file, which allows reading a file if the database user has the FILE privilege. So the first thing we have to do is check whether we have this privilege.

Before proceeding, I would like to clarify that all the queries can be run manually (or with scripts written by oneself), but sometimes it is better to use existing tools that make the task much easier and faster. For example, sqlmap (sqlmap.org) is a really good tool for exploiting SQL injection vulnerabilities.

Solution to the challenge

A few days ago we had a new challenge in which we had to find out what techniques or tricks were being used recently to install malware. To get this information, we only had a compressed file that had been captured.

When we open the file attachment.rar we see that there are three images of Roman ruins: “0.jpeg”, “1.png” and “3.jpg”.

Looking closely at these pictures, the only strange things we notice are that there are Roman numerals in the bottom right corner of two of the pictures (“II” and “IV”), and that one picture seems to be missing (number “2”), because after number “1” we only have number “3”.

New challenge: mail captured.

After some time without any challenge, we come back with a new case in which we have to put into practice some techniques that can be used to extract hidden information from apparently “normal” files…

Challenge: Where will the meeting take place? – Solution

A few days ago we published a new challenge on this blog. We had to find the exact point where the gang was going to meet, using a file that had been sent by one of the gang’s members and two SMS messages saved on the mobile phone of another gang member who had recently been arrested. In this post we are going to explain the solution :)…

Challenge: Where will the meeting take place?

After a while without proposing any challenge, we return with our research team, which believes it is really close to finding out the next meeting point of the gang it has been investigating for the last few months.

Thanks to its latest operations, our team obtained the following file: captured_file, which, despite being encoded, seems to reveal the location where the next exchange will be carried out. In addition, during the arrest of one of the members who was going to take part in the exchange, the team seized a mobile phone that had only two SMS messages in its memory.

THC-Hydra: Obtaining user credentials by brute-force

(Please note that this post was originally published on 4 February 2013 in the Spanish version of Security Art Work. See the original post: THC-Hydra: Obtener credenciales de usuario por fuerza bruta)

THC-Hydra is a tool used to crack the logins of different services such as HTTP, FTP, TELNET, IMAP, SMB, SSH, etc. in a very easy and fast way. Its latest version (7.4.2) was released on 7 January.

This tool has earned a great reputation thanks to its console mode on both Linux and Windows systems (it also offers Linux users the option of a graphical interface) and its ability to run attacks using multiple threads, letting the user choose the number of threads used to perform the attack.
