Thursday, April 4, 2013

addslashes() Versus mysql_real_escape_string()


Last month, I discussed Google's XSS Vulnerability and provided an example that demonstrates it. I was hoping to highlight why character encoding consistency is important, but apparently the addslashes() versus mysql_real_escape_string() debate continues. Demonstrating Google's XSS vulnerability is pretty easy. Demonstrating an SQL injection attack that is immune to addslashes() is a bit more involved, but still pretty straightforward.
In GBK, 0xbf27 is not a valid multi-byte character, but 0xbf5c is. Interpreted as single-byte characters, 0xbf27 is 0xbf (¿) followed by 0x27 ('), and 0xbf5c is 0xbf (¿) followed by 0x5c (\).
How does this help? If I want to attempt an SQL injection attack against a MySQL database, having single quotes escaped with a backslash is a bummer. If you're using addslashes(), however, I'm in luck. All I need to do is inject something like 0xbf27, and addslashes() modifies this to become 0xbf5c27, a valid multi-byte character followed by a single quote. In other words, I can successfully inject a single quote despite your escaping. That's because 0xbf5c is interpreted as a single character, not two. Oops, there goes the backslash.
I'm going to use MySQL 5.0 and PHP's mysqli extension for this demonstration. If you want to try this yourself, make sure you're using GBK. I just changed /etc/my.cnf, but that's because I'm testing locally:
    [client]
    default-character-set=GBK
Create a table called users:
    CREATE TABLE users (
        username VARCHAR(32) CHARACTER SET GBK,
        password VARCHAR(32) CHARACTER SET GBK,
        PRIMARY KEY (username)
    );
The following script mimics a situation where only addslashes() (or magic_quotes_gpc) is used to escape the data being used in a query:
    <?php

    $mysql = array();

    $db = mysqli_init();
    $db->real_connect('localhost', 'myuser', 'mypass', 'mydb');

    /* SQL Injection Example: simulate the attacker's form submission */
    $_POST['username'] = chr(0xbf) .
                         chr(0x27) .
                         ' OR username = username /*';
    $_POST['password'] = 'guess';

    /* Escaping with addslashes() only: this is the weak step */
    $mysql['username'] = addslashes($_POST['username']);
    $mysql['password'] = addslashes($_POST['password']);

    $sql = "SELECT *
            FROM users
            WHERE username = '{$mysql['username']}'
            AND password = '{$mysql['password']}'";

    $result = $db->query($sql);

    if ($result && $result->num_rows) {
        /* Success: logged in without valid credentials */
    } else {
        /* Failure */
    }

    ?>
Despite the use of addslashes(), I'm able to log in successfully without knowing a valid username or password. I can simply exploit the SQL injection vulnerability.
To avoid this type of vulnerability, use mysql_real_escape_string(), prepared statements, or any of the major database abstraction libraries.

This type of attack is possible with any character encoding where there is a valid multi-byte character that ends in 0x5c, because addslashes() can be tricked into creating a valid multi-byte character instead of escaping the single quote that follows. UTF-8 does not fit this description.
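To make the byte-level mechanics concrete, here is an added Python model (not code from the original post) of byte-wise addslashes() beside a charset-aware escaper modelled on the rule MySQL's client library uses (an orphan GBK lead byte is escaped too), plus a GBK-aware scanner that finds where a quoted literal ends. The function names, the constructed payload and the simplified GBK lead/trail byte ranges are assumptions.

```python
# Added model (not from the original post) of the GBK/addslashes() bypass.
# Byte ranges are the standard GBK lead/trail ranges; names are assumed.

PAYLOAD = b"\xbf'" + b" OR username = username /*"   # constructed input

ESCAPED = b"'\"\\\x00"   # bytes addslashes() prefixes with a backslash

def addslashes(data: bytes) -> bytes:
    """Byte-wise addslashes(): blind to multi-byte character boundaries."""
    out = bytearray()
    for b in data:
        if b in ESCAPED:
            out.append(0x5c)
        out.append(b)
    return bytes(out)

def gbk_char_len(data: bytes, i: int) -> int:
    """2 if data[i:i+2] is a valid GBK double-byte character
    (lead 0x81-0xFE, trail 0x40-0x7E or 0x80-0xFE), else 1."""
    if 0x81 <= data[i] <= 0xfe and i + 1 < len(data):
        t = data[i + 1]
        if 0x40 <= t <= 0x7e or 0x80 <= t <= 0xfe:
            return 2
    return 1

def escape_gbk(data: bytes) -> bytes:
    """Charset-aware escaping modelled on MySQL's rule: copy valid
    multi-byte characters whole, and escape an orphan lead byte so the
    backslash inserted for the following quote cannot become its trail."""
    out, i = bytearray(), 0
    while i < len(data):
        n = gbk_char_len(data, i)
        if n == 1 and (data[i] in ESCAPED or 0x81 <= data[i] <= 0xfe):
            out.append(0x5c)
        out += data[i:i + n]
        i += n
    return bytes(out)

def literal_end(sql: bytes, start: int) -> int:
    """Index of the quote closing the literal opened at sql[start], scanned
    as a GBK-aware parser does: multi-byte characters are skipped whole and
    a backslash consumes the next byte; -1 if unterminated."""
    i = start + 1
    while i < len(sql):
        n = gbk_char_len(sql, i)
        if n == 1 and sql[i] == 0x27:
            return i
        i += 2 if (n == 2 or sql[i] == 0x5c) else 1
    return -1

def payload_stays_quoted(escaper) -> bool:
    """True if the escaped username stays inside its own string literal."""
    sql = (b"SELECT * FROM users WHERE username = '" + escaper(PAYLOAD)
           + b"' AND password = 'x'")
    end = literal_end(sql, sql.index(b"'"))
    return end >= 0 and sql[end:] == b"' AND password = 'x'"
```

With addslashes() the literal closes at the injected quote; with the charset-aware escaper the whole value stays inside it, and addslashes() also corrupts legitimate GBK characters whose trail byte is 0x5c. The escaper can only apply this rule when it knows the connection's character set, which is why encoding consistency matters.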

Source: http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

Wednesday, February 27, 2013

An introduction to search commands



Did you know you can search Google for web pages which were published in a certain timeframe? Did you know it is often better to use Yahoo to work out your back links, as you can exclude your own internal links?

In Yahoo it is possible to restrict your search to pages which have meta tags or which are in the Mediterranean (the coast, one assumes, rather than the sea). On Live search you can look for pages which contain RSS. 

The Search Commands* home page shows summary search commands for Google, Yahoo and Live Search. The rest of the site takes a deeper look at the nuances of common search commands and digs up some of the more obscure search engine commands too. Search Commands* is in beta.


Google search commands summary


cache:
Show the cached snapshot of a page
link:
List pages which link to a page
related:
List pages which Google consider to be related to another
info:
Find one specific URL in the search database
define:
Show Google's glossary definition for a term
stocks:
Show American stockmarket information for a given ticker symbol
site:
Restrict a search to a single site
allintitle:
Restrict a search so that all the keywords must appear in the title
intitle:
Restrict a search so that some of the keywords must appear in the title
allintext:
Restrict a search so that all of the keywords must appear in the body text
allinurl:
Restrict a search so that all of the keywords must appear in the page address
inurl:
Restrict a search so that some keywords must appear in the page address
OR
List pages which have at least some of the keywords
+
Insist that the search engine includes a given keyword in the search results
-
Insist that the search engine omits pages which match a given keyword in the search results
~
Enhance a search to include synonyms for a given keyword
*
Include a wildcard match in your search results
[#]...[#]
Search a range of numbers as a keyword
daterange:
Restrict a search to any timeframe
""
Restrict a search so that the keywords must appear consecutively in a phrase
date:
Restrict a search to a recent timeframe
safesearch:
Restrict a search to exclude adult-content
filetype:
Restrict a search to a given type of file
More information about Google's search commands is available on the dedicated Google search commands page. On Google's page we look at how to use each command, and which search commands can be used together and which cannot.

Yahoo search commands summary


site:
Restrict a search to a single site
hostname:
Restrict a search to a single host name
link:
List pages which link to a page
url:
Find one specific URL in the search database
inurl:
Restrict a search so that some keywords must appear in the page address
intitle:
Restrict a search so that some of the keywords must appear in the title
map
Include a map of any US location
weather
Include current weather information for any US location
define
Include a definition for the keyword
airport
Link to weather, directions and maps for an American airport
area code
Include a list of cities which match the US area code
facts
Include encyclopedia entry for keyword
convert:
Show a variety of unit conversion rates, for example currency or distance
gas
Include link to gas prices for an American area
hotels
Include links to hotels in the area
showtimes
Include and link to movie showtimes in the area
news
Include and link to news headlines which match the keyword
patent
Link to detailed information for the matching patent number keyword
quote
Show American stockmarket information for a given ticker symbol
synonym
Include synonyms for keyword and link to definitions of each
scores
Include and link to score results for team name keyword
time
Include local time and timezone information for location keyword
traffic
Link to traffic reports for location keyword
zip code
Include a list of zip codes which match the location keyword
+
Insist that the search engine includes a given keyword in the search results
-
Insist that the search engine omits pages which match a given keyword in the search results
feature:
Restrict a search to pages which include a given feature
region:
Restrict a search to pages from a given region
More information about Yahoo's search commands is available on the dedicated Yahoo search commands page. On Yahoo's page we look at how to use each command, and which search commands can be used together and which cannot.

Live search commands


filetype:
Restrict a search to a given type of file
link:
List pages which link to a page
linkdomain:
List pages which link to a domain
LinkFromDomain:
List pages which a domain links to
contains:
List pages which link to a given filetype
inurl
Restrict a search so that some keywords must appear in the page address
inanchor:
Restrict a search so that the keyword must appear in anchors tags on the page
intitle:
Restrict a search so that some of the keywords must appear in the title
inbody:
Restrict a search so that all of the keywords must appear in the body text
ip:
List sites hosted by keyword IP address
language:
Restrict a search to a specific language
location:
Restrict a search to pages from a given region
prefer:
Enhance a search by giving emphasis to the given keyword
site:
Restrict a search to a single site
url:
Find one specific URL in the search database
+
Insist that the search engine includes a given keyword in the search results
-
Insist that the search engine omits pages which match a given keyword in the search results
NOT
Insist that the search engine omits pages which match a given keyword in the search results
OR
List pages which have at least some of the keywords
|
List pages which have at least some of the keywords
""
Restrict a search so that the keywords must appear consecutively in a phrase
()
Group keywords together
More information about Live Search's search commands is available on the dedicated Live search commands page. On Live Search's page we look at how to use each command, and which search commands can be used together and which cannot.

Source: http://www.searchcommands.com/

Saturday, February 23, 2013

Brace Yourselves, Programming Jokes Are Coming


Programming is a very tough job, I’ve done it and even though it’s a very challenging thing to do, you can’t just stay calm and composed every day. It is a highly stressful job, partly because of the client/boss requirements, and most of it is because of simple things we tend to forget…like a semicolon. For now, wipe away your worries and laugh merrily with this compilation of programming jokes, comics, anecdotes, and videos just for you!
Brace yourselves, programming jokes are coming. Even Eddard Stark says so!

Anecdotes

The following are short jokes about programming, all taken from reddit (because I freaking love that place). I’ve chosen the best jokes for you, if you want to read more just follow the link!

An engineer, a manager, and a programmer are riding in a car. They come to a hill and their brakes fail. After careening down the hill and finally coming to a stop they get out to decide what to do. The manager says “We need to have a meeting to form a committee to see what we should do next!” The engineer says, “Screw that! Give me a pocket knife and some duck tape and I’ll have us going in no time!” The programmer looks at them both and says, “Let’s push it back to the top and see if it does it again.”

An int, a char and a string walk into a bar and order some drinks. A short while later, the int and char start hitting on the waitress who gets very uncomfortable and walks away. The string walks up to the waitress and says “You’ll have to forgive them, they’re primitive types.”

A programmer’s wife sends him to the grocery store with the instructions, “get a loaf of bread, and if they have eggs, get a dozen.” He comes home with a dozen loaf of bread and tells her, “they had eggs.”

God summons the devil and Jesus, and he challenges them to a programming contest. God gives them the spec and they begin. Jesus and the devil write their code furiously. As the contest reaches the end, the power suddenly goes out for a moment, both of their monitors go blank, and reboot when the power comes back on. God asks to see the two programs. The Devil says that he had a good program, but he lost it when the power was out. Jesus had no such problem, and won the contest, because Jesus saves.

A man was crossing a road one day when a frog called out to him and said, “If you kiss me, I’ll turn into a beautiful princess.” He bent over, picked up the frog, and put it in his pocket.
The frog spoke up again and said, “If you kiss me and turn me back into a beautiful princess, I will tell everyone how smart and brave you are and how you are my hero.” The man took the frog out of his pocket, smiled at it, and returned it to his pocket.
The frog spoke up again and said, “If you kiss me and turn me back into a beautiful princess, I will be your loving companion for an entire week.” The man took the frog out of his pocket, smiled at it, and returned it to his pocket.
The frog then cried out, “If you kiss me and turn me back into a princess, I’ll stay with you for a year and do ANYTHING you want.” Again the man took the frog out, smiled at it, and put it back into his pocket.
Finally, the frog asked, “What is the matter? I’ve told you I’m a beautiful princess, that I’ll stay with you for a year and do anything you want. Why won’t you kiss me?”
The man said, “Look, I’m a computer programmer. I don’t have time for a girlfriend, but a talking frog is cool.”

A SQL query walks up to two tables in a restaurant and asks: “Mind if I join you?”
Eight bytes walk into a bar and say to the bartender: “Make us a double.”
Two strings walk into a bar. One says to the bartender: “I’ll have a beer*7jd@jh.” The other says: “Excuse my friend, he’s not null terminated.”

A man walks into a pet shop containing various different types of animals, and notices that they’re very expensive. He points at a monkey, and asks the pet shop owner “This monkey costs £40,000! Why is it so expensive?” The pet shop owner replies, “Ah, that’s a special monkey, that – it can program in Java – good for enterprise programming and web stuff.” The man looks around a bit more, and notices another more expensive monkey. He asks the pet shop owner “This one costs £50,000 – what does this one do?” The pet shop owner says “That’s a C++ monkey. More advanced, low-level and faster code.” The man accepts this and looks around the pet shop a bit more. He then sees another even more expensive monkey. “Good god – this monkey costs £70,000 – what on earth does it do?” he asks. “Well, I’ve never actually seen that monkey do anything,” said the pet shop owner, “but the other monkeys call it the project manager.”

A programmer goes out with a chick. Next day he tells his friend how the date went: “It was raining, we were soaked. We went to her place where she started to undress before me… Then she threw the wet clothes on the computer” – “Wow… what kind of computer?” – the other says.

Other Funny Comics and Videos

To lighten up the mood I have compiled several funny comics and videos related to programming that programmers will surely love! Don’t forget to add your favorite jokes and “excuses” too!

How does a Programmer become a Brogrammer?

This question was asked on Quora a couple of months back, and today there are plenty of people who have answered. Most of them are hilarious, going off the track of a stereotypical programmer, such as hitting the gym, doing push-ups in between coding, and many others. Below is a sneak peek of what you’ll see when you follow the link above.

Who Wouldn’t Hire Him?

Funny Resume
Just so you know, clicking the image will open the source on a new window, there you can read more of things like this and, if you want, you can even buy his book!

10 Excuses of Programmers to a Non-technical Boss

  1. “That’s weird.”
  2. “But it worked yesterday!”
  3. “It must be a hardware problem.”
  4. “It works on my machine.”
  5. “Your computer might be infected with a virus.”
  6. “Someone must have changed my code.”
  7. “It really does that.”
  8. “Oh my God you broke it!” – very effective for warding off the boss.
  9. “Almost done.”
  10. “Compiling!”

5 Things Programmers Wonder About Their Own Code

  1. “Why are you not working?!”
  2. “Why are you working?!”
  3. “Where’s the missing semi-colon?!”
  4. “What just happened?!”
  5. “Who coded this sh@t?!”

Top 5 Words Commonly Uttered by Programmers

  1. (removed by editor due to excessive profanity)
  2. (removed by editor due to excessive profanity)
  3. (removed by editor due to excessive profanity)
  4. (removed by editor due to excessive profanity)
  5. (removed by editor due to excessive profanity)

Question and Answer

  • Q: How many programmers does it take to change a lightbulb?
  • A: None. They won’t touch it because it’s a hardware problem.
  • Q: What do cats and programmers have in common?
  • A: When either one is unusually happy and excited, an appropriate question would be, “did you find a bug?”
  • Q: What is the most used language in programming?
  • A: Profanity.
  • Q: Why do programmers confuse Halloween and Christmas?
  • A: Because Oct 31 == Dec 25
  • Q: How did the programmer die in the shower?
  • A: He read the shampoo bottle instructions: Lather. Rinse. Repeat.
  • Q: Why did the programmer quit his job?
  • A: Because he didn’t get arrays.
  • Q: How do developers create shaman spells?
  • A: Using a hex editor.

Videos

GUI interface using Visual Basic to track the killer’s IP address

Well, you know, why not call the killer’s ISP instead? I’m pretty sure they’d get a warrant for that. And Visual Basic? Seriously?

It’s a Unix system

//No comment

Interview for a C++ programming position

Although this animation is intended to be funny, there’s still a lingering taste of sourness because it happens in real life. After graduating college I was really looking forward to getting hired as a programmer. Job postings said “entry level” and “fresh graduates are welcome to apply”, but then they require applicants to have a “solid 2 year experience of working knowledge” in “many things”. What about compensation? Well, a peasant would be glad he’s a peasant.
So I got in for an interview after submitting my CV to several companies. Turns out, it wasn’t a programming job or anything related to information technology. I ended up with an engineering job, maintaining ICs. Now I’m here, and I’m loving it!

Angry Programmer?

Seriously, during my second programming class in college this is how I almost reacted every time an error flashed on my compiler. One thing I did, when my buddy was working with me on a final project, was leave him for three hours in my room while I went to the nearest shopping mall (an hour away) just to chill, all because I didn’t know what to do with pointers (yeah, I’m a lazy one).

Time Lapse of a Programmer Hard(ly) at Work in His Cubicle

I don’t know why I watched the whole thing, I guess part of me can relate! How about you?

Comics and Images

Ballmer Peak


Truth be told there’s truth in this, not only within programming but it also applies to almost anything! And I’m about to share with you a dark secret I’ve kept for years... the first OS I used on my PC was Windows ME. ಠ_ಠ

Compiling


I really never got the chance to say this during my programming days because there were only a few hundred lines to compile (which takes about 3 to 5 seconds), but I can relate to the sword-fighting part. I mean, every programmer dreams of being Obi-Wan Kenobi, right?

Standards


It’s like saying, “let’s create the new Facebook killer!”

Good Code


Good code only happens during the first half of the coding, the rest is pure misery.

Open Source


For a much safer night you can have a cat.

Exploits of a Mom


Pointers


Ah, pointers, this is where my hell began during college.

8 Websites You Need To Stop Building


Always Put Enough Comments in Your Code!


Bracket All The Things!


Programming Reality


Tan Lines of a Programmer


Typical Project’s Completion Timeline


Hello World and Jackie Chan


Source: Brace Yourselves, Programming Jokes Are Coming