spoonfork

"My Shellcodes Bring All The Girls To The Yards"

The following are some of the bizarre, weird search phrases that hit my blog this month:
why chinese use chopstick? the bozo explosion image siti nurhaliza background with url code ulu yam fucking
ulu yam, of all places?

The CFP (Call for Papers) for HITBSecConf2005 Bahrain is now officially closed. We have very good response this time around. There were lots of submissions with topics ranging from malware and virus analysis to honeypot systems to WinCE buffer overflows! All very very interesting stuff. A fair number of the submissions come from Eurooe and Middle East researchers. This weekend will be spent digging through the submissions and finalizing speakers list. For all of you that sent in your submission, thank you very much.

Listening to: The Rurals - Show Me

One of these days I'm going to apply for a job at 8TV. Yeah, no more dabbling with IT. I want a job where there's no IT/Security/Coding/Watevernot is involved. I wanna be a deejay, just like Adam - of course not just like him cause he's just freakin' bizarre (well, everyone's like that when they're reaching puberty and Adam is no exception

8TV is a hip place to work (so is Astro but its like in TPM and I can't do a wheelie all the way there). Plus, it's the only place where employees can publicly make fun of their bosses. Just look at Adam. Oh Adam. He makes fun of Paul Moss whenever he likes it! Cool eh?

And of course there's the lovely Marion (albeit not that sharp of a person). Oh Marion. But anyways I am liking her less and less each day - Rina is getting funnier and hotter. Must be the workout.

So, what I'm gonna do? Hmm... I will take over Phat Fabes role because he's fat and not handsome. Then I'll climb my way up to become CEO. Orait cools. Sounds like a plan.

Listening to: Jeff Bennet - Oblique

sql-foo.pl is a complete rewrite sql_enum.pl. sql_enum.pl was written four years back - it was ugly, incomprehensible, and getting it to work was a pain in the butt. And it was not even a complicated script. I guess I was still learning Perl back then. sql-foo.pl is much cleaner. However, there is no new features. And yes, it's only for GET. Coding it to support POST is quite trivial.

I was planning to make it automatically query for all columns in a tables (assuming that you start with table enumeration), but in my experience, even if you are able to enumerate say a table, it does not mean that you can enumerate columns. Also, even if you are able to enumerate columns, it still does not guarantee that you can enumerate the records. If you can do this from a single query string, than you've found an extremely weak web application.

Exploiting SQL injection still requires a lot of manual work - sql-foo.pl is the tool that you can use if you are planning to enumerate a lot of records from the database. Anyways, if you are looking for a better tool, go here. I've never tested absinthe before because it requires Mono version 1 and above and mono requires the latest gcc, and in addition, I always go for the low hanging fruits. Blind SQL injection is just too much work.

Oh ya - I haven't really tested it. And yes, even after 5 years, SQL injection is still rampant.