Tuesday, 27. September 2011
Mysql.com Hacked
How the Injection Works


Step 1: http://www.mysql.com

Causes the visiting browser to load the following:


Step 2: http://mysql.com/common/js/s_code_remote.js?ver=20091011 (don't visit now)

This is the injection point. You can find the entire content of the .js file here.


The Infection Section
http://4.bp.blogspot.com/-WSOXkhEDLQU/ToCO-q6jLkI/AAAAAAAACfU/abyQ5I7fqus/s1600/mysql%2Bhacked%2Bserving%2Bmalware%2B2.png



Step 3: http://falosfax.in/info/in.cgi?5&ab_iframe=1&ab_badtraffic=1&antibot_hash=1255098964&ur=1&HTTP_REFERER=http://mysql.com/

Returns a 302 redirect to Step 4.

Step 4: http://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php

This domain hosts the BlackHole exploit pack. It exploits the visitor's browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, ...), and upon successful exploitation, permanently installs a piece of malware into the visitor's machine, without the visitor's knowledge. The visitor doesn't need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection.
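For defenders, the chain above can be recovered from web proxy logs. The following is an added example, not code from the original post or from Armorize: it flags requests referred by a trusted site that go off-site and are then bounced by a 3xx to a third site. The log records, the record layout and the helper names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed proxy records (not real logs): (url, referer, status, location).
# Hostnames are the ones quoted in the post; the in.cgi query is shortened.
SAMPLE_LOG = [
    ("http://www.mysql.com/", "", 200, ""),
    ("http://mysql.com/common/js/s_code_remote.js?ver=20091011",
     "http://www.mysql.com/", 200, ""),
    ("http://cdn.example.net/lib.js", "http://www.mysql.com/", 200, ""),  # benign
    ("http://falosfax.in/info/in.cgi?5&ab_iframe=1",
     "http://www.mysql.com/", 302,
     "http://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php"),
    ("http://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php",
     "http://falosfax.in/info/in.cgi?5&ab_iframe=1", 200, ""),
]


def site(url):
    """Naive site key: last two hostname labels (assumption: no public-suffix list)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def redirect_chains(records, trusted):
    """Find loads triggered by a page on `trusted` that go off-site and are then
    bounced by a 3xx to yet another site (Steps 3 and 4 in the post)."""
    by_url = {r[0]: r for r in records}
    chains = []
    for url, referer, status, location in records:
        if site(referer) != trusted or site(url) == trusted:
            continue  # keep only off-site requests referred by the trusted site
        chain, seen = [referer, url], {url}
        while 300 <= status < 400 and location and location not in seen:
            chain.append(location)
            seen.add(location)  # guards against redirect loops
            _, _, status, location = by_url.get(location, (location, "", 0, ""))
        if len({site(u) for u in chain}) >= 3:
            chains.append(chain)
    return chains


if __name__ == "__main__":
    for chain in redirect_chains(SAMPLE_LOG, "mysql.com"):
        print(" -> ".join(chain))
```

The same-site script load from Step 2 and the plain off-site CDN request are not reported; only the off-site request that redirects onward to a third site is.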

Source
http://blog.armorize.com/2011/09/mysqlcom-hacked-infecting-visitors-with.html



Monday, 26. September 2011
Findmyhash - Python
Cracking services supported

Schwett.com
Netmd5crack.com
MD5-Cracker.tk
tools.BenRamsey.com
md5.Gromweb.com
md5.HashCracking.com
victorov.su
md5.thekaine.de
tmto.org
md5-db.de
md5.my-addr.com
md5pass.info
md5decryption.com
md5crack.com
md5online.net
md5-decrypter.com
authsecu.com
hashcrack.com
objectif-securite.ch
c0llision.net
md5.rednoize.com
cmd5.org
cacin.net
ibeast.com
password-decrypt.com
bigtrapeze.com
hashchecker.com
md5hashcracker.appspot.com
passcracking.com
askcheck.com
cracker.fox21.at
crackfoo.nicenamecrew.com
joomlaaa.com
md5-lookup.com
sha1-lookup.com
sha-256.sha1-lookup.com
ripemd-lookup.com
md5.com.cn
md5.digitalsun.pl
md5.drasen.net
md5.myinfosec.net
md5.net
md5.noisette.ch
md5hood.com
stringfunction.com
xanadrel.99k.org
isc.sans.edu
bokehman.com

Download
http://code.google.com/p/findmyhash/downloads/list



Sunday, 25. September 2011
Most Read Top 5
1 209 20.07.11 winAUTOPWN v2.7
2 120 15.09.11 Backtrack 5 Wireless Penetration Testing
3 115 28.08.11 Killapache - DDOS tool - Perl
4 114 24.07.11 Ani Shell - PHP
5 97 20.07.11 BackTrack 5 Release 1



Friday, 23. September 2011
PenTBox
PenTBox is a Security Suite that packs security and stability testing oriented tools for networks and systems.
Programmed in Ruby and oriented to GNU/Linux systems, but compatible with Windows, MacOS and every system where Ruby works.

Download
http://www.pentbox.net/download-pentbox/



Clickjacking For Shells



Bypassing Internet Explorer's XSS Filter
By default Internet Explorer 9 has a security system to help prevent Reflective XSS attacks. There are well-known shortfalls of this system, most notably that it does not attempt to address DOM-based XSS or Stored XSS. This security system is built on an arbitrary philosophy which only accounts for the most straightforward of reflective XSS attacks[1]. This paper covers three attack patterns that undermine Internet Explorer’s ability to prevent Reflective XSS. These are general attack patterns that are independent of Web Application platform.


Download PDF
https://sitewat.ch/files/Bypassing%20Internet%20Explorer%27s%20XSS%20Filter.pdf



BruCON Agnitio workshop
Required for the Agnitio hands on demos:

A 32-bit Windows Operating System (XP or 7 preferably – VM will be fine)
.NET framework 3.5 installed
Agnitio v2.0 installed
http://sourceforge.net/projects/agnitiotool/
Download the Pandemobium Android and iOS source code
https://github.com/denimgroup/Pandemobium
Download the selected vulnerable open source application
https://github.com/denimgroup/Pandemobium

by David Rook (Security Ninja)



Script to audit web applications - Perl
Features and changes made in lilith

got rid of many many false positives (that’s good)
when SQL error is found, it now goes onto next var
improved (i hope) scanning engine
(anti) coldfusion support
better cookie handling and cookie tampering
omitted perl HTML::Form limitation
better verbose output
extensive logging
detects directory indexing
recursive URL dissection
cleaned up this pasta code

Download
http://michaelhendrickx.com/wp-content/uploads/2008/11/lilith-06atar.gz



Android vulnerabilities
The first vulnerability is known as a “Permission escalation vulnerability”, and allows attackers to install additional “arbitrary applications with arbitrary permissions”, without first asking the user if they want to permit such actions. This would allow attackers to access call records, texts, web browsing history and media stored on the device.
The second bug only affects the Samsung Nexus S smartphone. It lets attackers gain root access on the device, providing them with full control over the handset. Google has yet to address the security issues.



Tuesday, 20. September 2011
Avira Internet Security 2012 License Key - Free
Avira is looking to capture the market with this new kind of promotion. Avira has declared that they are going to add one month subscription for every 10,000 new fans. In other words, if Avira receives 120,000 fans during the promo campaign then 12 months subscription (1 year) will be added to the license key. The promo campaign will end on October 17, 2011.

Visit the promo page on Facebook (http://www.facebook.com/avira?sk=app_28134323652) and click on the “Like” button.
Click on the “Enter Sweepstakes” button, and then allow the sweepstakes application to access your profile information.
Fill in the “Entry Form” and click on the “Submit” button.
You have successfully applied for this promo. Just to make sure, check your email. You should receive an email from notifications@wildfireapp.com about your successful entry.



TSRC - Application level attack
Session Race Conditions and Session Puzzling

A few months ago Shay Chen, Senior Manager at Hacktics Advanced Security Center (HASC), published a paper about Session Puzzling, a new application level attack vector of critical severity and numerous uses, but for some bizarre reason, most of the responses I got were that the attack was too complicated to comprehend all at once.

The project home page (presentation, whitepaper, training kit)
http://code.google.com/p/puzzlemall/

The following movies demonstrate a few simple TSRC attacks:

Exploiting Temporal Session Race Conditions via Connection Pool Consumption:
http://www.youtube.com/watch?v=woWECWwrsSk

Exploiting Temporal Session Race Conditions via RegEx DoS:
http://www.youtube.com/watch?v=3k_eJ1bcCro



NetworkMiner
NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and regenerate/reassemble transmitted files and certificates from PCAP files. NetworkMiner collects data (such as forensic evidence) about hosts on the network rather than data regarding the traffic on the network. The main user interface view is host centric (information grouped per host) rather than packet centric (information shown as a list of packets/frames).

Download
http://sourceforge.net/projects/networkminer/files/networkminer/
