Thứ Sáu, 2 tháng 6, 2023

2020-12-13 SUNBURST SolarWinds Backdoor Samples

Reference

I am sure you all saw the news. 

Links updated: Jan 19, 2023


The Resurgence of Russian Threat Actor, NOBELIUM

 
Well, here are the Sunburst binaries. 
Here is a Sunburst malware analysis walk-through video by Colin Hardy




Hashes






SolarWinds.Orion.Core.BusinessLayer.dll


 Trojan:MSIL/Solorigate.B!dha
A Variant Of MSIL/SunBurst.A

SolarWinds.Orion.Core.BusinessLayer.dll
32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b
eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed
c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77
ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c
019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc
d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af
0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589
6e4050c6a2d2e5e49606d96dd2922da480f2e0c70082cc7e54449a7dc0d20f8d

CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp
d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600

appweblogoimagehandler.ashx.b6031896.dll
c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71

TEARDROP
b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07
1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c

RAINDROP
be9dbbec6937dfe0a652c0603d4972ba354e83c06b8397d6555fd1847da36725

This is the compromised installer file ( was still on Solarwinds update downloads  on Dec 14, 2020)

File size 419.76 MB
CoreInstaller.msi

ad2fbf4add71f61173975989d1a18395afb8538ed889012b9d2e21c19e98bbd1

2020-04-21 17:31:02
SolarWinds Orion Core Services 2020.2
{77E2D294-3D5C-4D93-ADF1-884CCEAD93B0}
File Version Information
Date signed 05:32 PM 04/21/2020
Signers
Solarwinds Worldwide, LLC
Symantec Class 3 SHA256 Code Signing CA
VeriSign
VT - 0 (Dec 14, 2020)

If you unzip, check 

SolarWinds.Orion.Core.BusinessLayer.dll under OrionCore







More information

  1. Pentest Tools Download
  2. Nsa Hacker Tools
  3. Hack Tools For Games
  4. Pentest Recon Tools
  5. Pentest Tools Github
  6. Hacking Tools 2019
  7. Hacker Tools Online
  8. Hack Tools Github
  9. Pentest Tools Free
  10. Nsa Hack Tools
  11. Hacker Tools For Windows
  12. Install Pentest Tools Ubuntu
  13. Hacking Tools For Kali Linux
  14. Pentest Tools List
  15. Hack Rom Tools
  16. Tools For Hacker
  17. Hacking Tools Windows
  18. Best Pentesting Tools 2018
  19. Pentest Tools Free
  20. World No 1 Hacker Software
  21. Pentest Tools Free
  22. Hacking Tools Kit
  23. Hacker Tools 2019
  24. Hack And Tools
  25. Hack Tools 2019
  26. Pentest Tools Url Fuzzer
  27. Hacking Tools For Mac
  28. How To Install Pentest Tools In Ubuntu
  29. Hacking Tools For Kali Linux
  30. Hacking Tools Download
  31. Pentest Tools Github
  32. Pentest Tools Alternative
  33. Hacks And Tools
  34. Pentest Tools Find Subdomains
  35. Bluetooth Hacking Tools Kali
  36. Pentest Tools Subdomain
  37. Pentest Automation Tools
  38. Pentest Tools For Android
  39. Pentest Reporting Tools
  40. Hacks And Tools
  41. Pentest Tools Find Subdomains
  42. Hacking Tools Github
  43. Pentest Tools Windows
  44. Underground Hacker Sites
  45. Bluetooth Hacking Tools Kali
  46. Hacker Techniques Tools And Incident Handling
  47. Hacker Tools 2019
  48. Pentest Tools For Android
  49. Physical Pentest Tools
  50. Android Hack Tools Github
  51. Pentest Tools For Ubuntu
  52. Hack Tools Pc
  53. Hacker Tools List
  54. Hacking Tools Hardware
  55. Pentest Tools Bluekeep
  56. Hack And Tools
  57. What Are Hacking Tools
  58. Pentest Tools For Ubuntu
  59. Hack Tool Apk No Root
  60. Hacking Tools For Pc
  61. Pentest Tools Android
  62. Pentest Tools Windows
  63. Hack Tools For Mac
  64. World No 1 Hacker Software
  65. Hacker Tools For Mac
  66. Pentest Tools For Mac
  67. Hacking Tools For Kali Linux
  68. Hacker Tools Free Download
  69. Hacking Tools Pc
  70. Hacking Tools Mac
  71. Pentest Tools For Android
  72. Hacking Tools Name
  73. Pentest Tools Free
  74. How To Make Hacking Tools
  75. Hacker Tools 2019
  76. Pentest Tools For Windows
  77. Pentest Tools Alternative
  78. Pentest Tools Url Fuzzer
  79. Usb Pentest Tools
  80. Hacker Tools Linux
  81. Hack Apps
  82. Hacker Tools For Pc
  83. Hack Tool Apk No Root
  84. Pentest Reporting Tools
  85. Hacking Tools Github
  86. Hacking Tools For Pc
  87. Hacker Tools 2019
  88. Hacker Security Tools
  89. Pentest Tools Website
  90. Hacking Tools For Pc
  91. Physical Pentest Tools
  92. Hacking Tools For Windows Free Download
  93. Hacker Tools
  94. Hack Tools 2019
  95. Best Hacking Tools 2019
  96. Hacking Tools Mac
  97. Best Hacking Tools 2020
  98. Pentest Tools Port Scanner
  99. Pentest Reporting Tools
  100. Hacking Tools For Pc
  101. Hacker Search Tools
  102. Pentest Tools Github
  103. Hacking Tools Online
  104. Pentest Tools Bluekeep
  105. How To Make Hacking Tools
  106. Free Pentest Tools For Windows
  107. Hack Tool Apk
  108. Hacking Tools For Windows Free Download
  109. Pentest Tools Free
  110. Best Hacking Tools 2020
  111. Hacker Tools For Mac
  112. Usb Pentest Tools
  113. Game Hacking
  114. Pentest Tools Download
  115. Pentest Tools For Mac
  116. Hacking Tools 2019
  117. Hack Tools Download
  118. Growth Hacker Tools
  119. Pentest Tools For Mac
  120. Hack Tools
  121. Pentest Tools Subdomain
  122. Hacker Tools Github
  123. Hacker Tools 2020
Người đăng: vào lúc Không có nhận xét nào:

Thứ Năm, 1 tháng 6, 2023

Learning Web Pentesting With DVWA Part 3: Blind SQL Injection

In this article we are going to do the SQL Injection (Blind) challenge of DVWA.
OWASP describes Blind SQL Injection as:
"Blind SQL (Structured Query Language) injection is a type of attack that asks the database true or false questions and determines the answer based on the applications response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.
When an attacker exploits SQL injection, sometimes the web application displays error messages from the database complaining that the SQL Query's syntax is incorrect. Blind SQL injection is nearly identical to normal , the only difference being the way the data is retrieved from the database. When the database does not output data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions. This makes exploiting the SQL Injection vulnerability more difficult, but not impossible."
To follow along click on the SQL Injection (Blind) navigation link. You will be presented with a page like this:
Lets first try to enter a valid User ID to see what the response looks like. Enter 1 in the User ID field and click submit. The result should look like this:
Lets call this response as valid response for the ease of reference in the rest of the article. Now lets try to enter an invalid ID to see what the response for that would be. Enter something like 1337 the response would be like this:

We will call this invalid response. Since we know both the valid and invalid response, lets try to attack the app now. We will again start with a single quote (') and see the response. The response we got back is the one which we saw when we entered the wrong User ID. This indicates that our query is either invalid or incomplete. Lets try to add an or statement to our query like this:
' or 1=1-- -
This returns a valid response. Which means our query is complete and executes without errors. Lets try to figure out the size of the query output columns like we did with the sql injection before in Learning Web Pentesting With DVWA Part 2: SQL Injection.
Enter the following in the User ID field:
' or 1=1 order by 1-- -
Again we get a valid response lets increase the number to 2.
' or 1=1 order by 2-- -
We get a valid response again lets go for 3.
' or 1=1 order by 3-- -
We get an invalid response so that confirms the size of query columns (number of columns queried by the server SQL statement) is 2.
Lets try to get some data using the blind sql injection, starting by trying to figure out the version of dbms used by the server like this:
1' and substring(version(), 1,1) = 1-- -
Since we don't see any output we have to extract data character by character. Here we are trying to guess the first character of the string returned by version() function which in my case is 1. You'll notice the output returns a valid response when we enter the query above in the input field.
Lets examine the query a bit to further understand what we are trying to accomplish. We know 1 is the valid user id and it returns a valid response, we append it to the query. Following 1, we use a single quote to end the check string. After the single quote we start to build our own query with the and conditional statement which states that the answer is true if and only if both conditions are true. Since the user id 1 exists we know the first condition of the statement is true. In the second condition, we extract first character from the version() function using the substring() function and compare it with the value of 1 and then comment out the rest of server query. Since first condition is true, if the second condition is true as well we will get a valid response back otherwise we will get an invalid response. Since my the version of mariadb installed by the docker container starts with a 1 we will get a valid response. Lets see if we will get an invalid response if we compare the first character of the string returned by the version() function to 2 like this:
1' and substring(version(),1,1) = 2-- -
And we get the invalid response. To determine the second character of the string returned by the version() function, we will write our query like this:
1' and substring(version(),2,2) = 1-- -
We get invalid response. Changing 1 to 2 then 3 and so on we get invalid response back, then we try 0 and we get a valid response back indicating the second character in the string returned by the version() function is 0. Thus we have got so for 10 as the first two characters of the database version. We can try to get the third and fourth characters of the string but as you can guess it will be time consuming. So its time to automate the boring stuff. We can automate this process in two ways. One is to use our awesome programming skills to write a program that will automate this whole thing. Another way is not to reinvent the wheel and try sqlmap. I am going to show you how to use sqlmap but you can try the first method as well, as an exercise.
Lets use sqlmap to get data from the database. Enter 1 in the User ID field and click submit.
Then copy the URL from the URL bar which should look something like this
http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit
Now open a terminal and type this command:
sqlmap --version
this will print the version of your sqlmap installation otherwise it will give an error indicating the package is not installed on your computer. If its not installed then go ahead and install it.
Now type the following command to get the names of the databases:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id
Here replace the PHPSESSID with your session id which you can get by right clicking on the page and then clicking inspect in your browser (Firefox here). Then click on storage tab and expand cookie to get your PHPSESSID. Also your port for dvwa web app can be different so replace the URL with yours.
The command above uses -u to specify the url to be attacked, --cookie flag specifies the user authentication cookies, and -p is used to specify the parameter of the URL that we are going to attack.
We will now dump the tables of dvwa database using sqlmap like this:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id -D dvwa --tables
After getting the list of tables its time to dump the columns of users table like this:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id -D dvwa -T users --columns
And at last we will dump the passwords column of the users table like this:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id -D dvwa -T users -C password --dump
Now you can see the password hashes.
As you can see automating this blind sqli using sqlmap made it simple. It would have taken us a lot of time to do this stuff manually. That's why in pentests both manual and automated testing is necessary. But its not a good idea to rely on just one of the two rather we should leverage power of both testing types to both understand and exploit the vulnerability.
By the way we could have used something like this to dump all databases and tables using this sqlmap command:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id --dump-all
But obviously it is time and resource consuming so we only extracted what was interested to us rather than dumping all the stuff.
Also we could have used sqlmap in the simple sql injection that we did in the previous article. As an exercise redo the SQL Injection challenge using sqlmap.

References:

1. Blind SQL Injection: https://owasp.org/www-community/attacks/Blind_SQL_Injection
2. sqlmap: http://sqlmap.org/
3. MySQL SUBSTRING() Function: https://www.w3schools.com/sql/func_mysql_substring.asp

More articles


  1. Hacking Tools Software
  2. Hack Tools 2019
  3. Easy Hack Tools
  4. Hack Tools For Games
  5. Hack Tools Pc
  6. Hacking Tools Pc
  7. Hacker Search Tools
  8. Hacker Tools For Windows
  9. Best Hacking Tools 2019
  10. Hack Tools For Games
  11. Pentest Tools Windows
  12. Pentest Tools Framework
  13. Hacker Tools List
  14. Pentest Tools Free
  15. Hack Tools For Pc
  16. Hack Website Online Tool
  17. Pentest Tools Bluekeep
  18. Computer Hacker
  19. Free Pentest Tools For Windows
  20. Pentest Box Tools Download
  21. Github Hacking Tools
  22. Hacker Tools Windows
  23. Hacking Tools
  24. Nsa Hacker Tools
  25. Pentest Tools Framework
  26. Pentest Tools Url Fuzzer
  27. Game Hacking
  28. Pentest Tools Tcp Port Scanner
  29. Hacking Tools Software
  30. Hacking Tools
  31. How To Make Hacking Tools
  32. Growth Hacker Tools
  33. Hacking Tools Kit
  34. New Hack Tools
  35. Ethical Hacker Tools
  36. Growth Hacker Tools
  37. Hacking Tools Usb
  38. Hacking Tools Free Download
  39. Hacking Tools Free Download
  40. Hacking Tools Github
  41. Hack Apps
  42. Usb Pentest Tools
  43. Hack Tools For Pc
  44. Black Hat Hacker Tools
  45. Hak5 Tools
  46. Github Hacking Tools
  47. Hacker Tools Linux
  48. Pentest Tools List
  49. Pentest Tools Linux
  50. Pentest Tools Subdomain
  51. Hacking Tools Free Download
  52. Hack Website Online Tool
  53. Ethical Hacker Tools
  54. Hack And Tools
  55. Hack Tools Mac
  56. Black Hat Hacker Tools
  57. Pentest Tools Nmap
  58. Hacker Tools Linux
  59. Hacks And Tools
  60. New Hack Tools
  61. Hacker Tools Hardware
  62. Hacker Tools Free Download
  63. Hacker Tools For Ios
  64. Hacking Tools 2019
  65. Ethical Hacker Tools
  66. Hacker Security Tools
  67. Hack Tools Online
  68. Hacking Tools Usb
  69. Hacker Tools Apk Download
  70. Free Pentest Tools For Windows
  71. Nsa Hacker Tools
  72. Install Pentest Tools Ubuntu
  73. Pentest Tools For Ubuntu
  74. Pentest Tools
  75. Hack Tool Apk No Root
  76. Pentest Tools Online
  77. Hack Tools Pc
  78. What Is Hacking Tools
  79. Hack Tools
  80. Hacker Tools For Windows
  81. Hack Tools
  82. Hacker Tools 2019
  83. Hacker Hardware Tools
  84. Hacking Tools Windows 10
  85. Hacker Tools Windows
  86. Hacker Tools For Windows
Người đăng: vào lúc Không có nhận xét nào:

Hackerhubb.blogspot.com

Hackerhubb.blogspot.comMore info
Người đăng: vào lúc Không có nhận xét nào:
Đăng ký: Bài đăng (Atom)