Comments on An Eye on Forensics: The End Game: Part 1
Post author: Grayson Lenik
Comment feed last updated 2023-06-17T08:46:11.544-06:00 (4 comments)

----------------------------------------------------------------------
H. Carvey, 2013-02-06T05:22:52.507-07:00

Grayson,

Interesting post. It's kind of fun to see SQLi still being used so prolifically, even years after I left the PCI scene.

"During the database write they sneak in an MD5 hashing routine or Base64 encoding. This encoding is trivial to reverse..."

Did you mean to include the "MD5 hashing routine" phrase in that sentence? I ask, b/c MD5 isn't something that can be reversed, per se.

Some other questions, if you don't mind...

One of the things I saw that was absolutely fascinating was how the shell was actually uploaded to the system. In some cases, SQLi was used to create and then launch an FTP script, which could often be recovered easily, either from the SQLi "logged" in the web server logs, or directly from the system itself. In some instances, I saw where the .exe file was uploaded to the database in 512 byte chunks, and then a command was run to append all of the cell entries together, in order, on the file system in order to reconstitute the .exe. There were apparently no "transporter malfunctions" because the functioning .exe made it through! ;-)

----------------------------------------------------------------------
Grayson Lenik, 2013-02-06T12:52:14.683-07:00

Harlan,

I guess I would amend that to say "they encrypt the data with the MD5 algorithm and a static key or base64 encode it before dropping it into the database". I'm certain that you know about the sites offering on-the-fly MD5 decoding of hashed password values, though it may serve the other readers to hear about them. There are also rainbow tables available for MD5 now.

The point I was trying to make is that when your encryption features a static key and the encryption algorithm/method is stored in clear text on the site, they are finding it and they are using it to decrypt data. We do it ourselves or via our reversing team as a "proof of concept".

One of my favorite hacks was a very small PHP uploader that was written to a server file system via the SQL INTO OUTFILE command. They uploaded 3 times to work out the kinks before successfully using it to upload a full webshell. After that, it was all over for the client unfortunately.

Thanks for the questions/comments/retweets Harlan!

----------------------------------------------------------------------
Anonymous, 2013-02-09T14:08:28.929-07:00

Grayson,
Congrats on your expertise journey. I'm proud to say that I bumped into you when you were just starting out. Soon, I'll be able to say I knew you before you were famous!

A prez at a con is pretty cool.

When your book comes out, I want an autographed copy. :)

Go man, go!

----------------------------------------------------------------------
Nightlionsecurity, 2013-05-22T04:11:26.293-06:00

Excellent post! Thanks for sharing. Keep up the great work.

Computer Forensics: http://www.nightlionsecurity.com/services/computer-forensics/