ritter.vg
binary protocol analysis
30 Aug 2010 20:15:34 EST

Binary protocols intrigue me. They tend to be time-suckers, taking forever to piece together, and may not ultimately reveal anything too interesting. But they intrigue me nonetheless. I've started work on a tool to help me work through quickly recognizing type-length-value based protocols; it tries fitting data into that pattern. The code is at github. I don't anticipate it being some glorious open-source tool - I'm just going to add the features I need to it to help me visualize these packets I'm seeing. It's one of the things I'm working on these days in between mourning the loss of summer.

ClickOnce MITM Attacks
21 July 2010 00:44:23 EST

I wrote a bugtraq post about the Microsoft ClickOnce Installer/Updater system, and how it's relatively easy to strip away code signing and man-in-the-middle an update and inject your malicious code. Here's the writeup.

Detecting SQL Injection in a White-box Environment
07 June 2010 10:14:23 EST

The idea is simple. You want to detect SQL Injection when you have full access to the code and a QA team. You need to audit massively complex code that spans several servers and involves validation that may be happening on any of them, or on the client in JavaScript. You want to be able to bypass the JavaScript validation entirely - but not rewrite any JavaScript or do anything complicated - because you don't want to retrain any QA people, or even have to teach them what SQL Injection is.

The idea is you put a proxy between the client and the web tier that rewrites requests so every parameter carries an injection, and then run a trace on the database to see if the injection ever makes it into a query verbatim. It doesn't work in all cases, and sometimes there are better approaches - but it's another option, and it has a few advantages. Check out the article for diagrams, code, and some enhancement ideas.
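As an added example (not code from the post or its article), here is the core of that proxy-and-trace idea in Python: the request rewrite that tags every parameter value with a canary, and the trace check that reports which parameters reached the database unescaped. The trace lines are constructed, and CANARY, rewrite_query and detect_injection are names assumed here.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Constructed canary prefix, chosen so it will not collide with real traffic.
CANARY = "zqx9"

def rewrite_query(query: str) -> str:
    """Rewrite every parameter so its value carries an injection canary.

    The suffix closes a string literal and appends a block comment naming
    the parameter, so a trace line shows which input reached the database.
    This is the request rewrite the proxy in the post performs.
    """
    rewritten = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        tag = re.sub(r"[^A-Za-z0-9_]", "_", key)
        rewritten.append((key, f"{value}'/*{CANARY}_{tag}*/"))
    return urlencode(rewritten)

# A lone quote before the comment means the literal was really closed.
# A doubled quote ('') or backslash-escaped quote means the input was
# escaped or passed as a parameter, so the lookbehind skips those.
_UNESCAPED = re.compile(r"(?<![\\'])'/\*" + CANARY + r"_([A-Za-z0-9_]+)\*/")

def detect_injection(trace_lines):
    """Return the set of parameter tags whose canary arrived unescaped.

    Assumption: the trace exposes the statement text as sent to the server.
    """
    found = set()
    for line in trace_lines:
        for match in _UNESCAPED.finditer(line):
            found.add(match.group(1))
    return found

# Constructed trace lines: one concatenated statement, one parameterized one.
SAMPLE_TRACE = [
    "SELECT * FROM users WHERE name = 'bob'/*zqx9_user*/' AND active = 1",
    "exec sp_executesql N'SELECT * FROM users WHERE email = @e', "
    "N'@e nvarchar(64)', @e=N'b@x.com''/*zqx9_email*/'",
]

if __name__ == "__main__":
    print(rewrite_query("user=bob&email=b@x.com"))
    print(detect_injection(SAMPLE_TRACE))  # {'user'}
```

Only the parameter that was concatenated into a statement is reported; the parameterized one shows up in the trace with its quote doubled and is correctly ignored.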

why event validation exists in ASP.Net
01 May 2010 10:53:23 EST

The other day I had cause to trigger an event firing in ASP.Net without actually having the user trigger the event, so I went about figuring out how that worked. It was simpler than I thought it would be, and it got me thinking about triggering events maliciously. I put together a vulnerable sample project, went to trigger it, and ran smack into ASP.Net Event Validation - which exists to thwart this exact attack. Disappointing.

But I remembered other cases where I had run into it, and I refreshed myself by reading K Scott Allen's blog posts (first result on google too!). Long story short, even though Event Validation exists, it may not always be turned on - because there are legitimate places where it makes life super annoying.

So here's how to hack it if Event Validation is turned off. And a good reminder to developers why you should think twice before disabling it on a single page (or god forbid - site-wide).

finding the columns in a user defined type in SQL Server and IISAPP in IIS 7
Apr 8 2010 16:00 EST

This took me way too long to figure out, so I'm blogging it. If you want to find the columns in the user-defined table type you just defined and forgot about, here's what you do:

create type ImGoingToForgetThis as table (
	[id] int,
	[ie] int,
	[if] int
)
--Now close your query window...
--This system procedure returns the column set of a table type by name
exec [sys].sp_table_type_columns_100_rowset 'ImGoingToForgetThis'

Likewise, if you want to run the iisapp.vbs utility in IIS 7 - it was replaced by appcmd. Instead, drop this VBScript into %systemroot%/system32:

' iisapp.vbs replacement for IIS 7: runs a command and echoes its output
sub shell(cmd)
	dim objShell
	dim oExec
	dim output
	Set objShell = WScript.CreateObject( "WScript.Shell" )
	Set oExec = objShell.Exec(cmd)

	' Read stdout in chunks until the child process closes it
	Do While Not oExec.StdOut.AtEndOfStream
		output = oExec.StdOut.Read(1000)
		WScript.Echo output
	Loop
end sub

' "list wp" lists the running worker processes, which is what iisapp.vbs did
shell "C:\Windows\system32\inetsrv\appcmd.exe list wp"