Showing posts with label incident. Show all posts

Friday, May 8, 2009

Pangolin and your data

This will be a brief entry about a dubious behavior of Pangolin (SQL Injection Tool). Today we were checking some of the features of Pangolin, and I had a special interest in the Oracle UTL_HTTP injection. I checked the options and there wasn't a configuration for the local HTTP server, so I was wondering how the hell they got the results back.

So I started Pangolin against a test server, and there wasn't any open port on my machine. Next, my coworker Javi launched the attack and sniffed the traffic. All the injection was URL-encoded plus Oracle (char) encoding; after decoding, we found that the results of the injection are sent to a nosec.org web server, and then Pangolin performs a GET to retrieve the data. WTH?

At least let the user know what you are doing with the data. I don't think this will make penetration testers happy, knowing that their customers' data is traveling via a third-party server.

Be careful where you send your data ;)

-CMM
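
Decoding a capture the way the post describes is a check worth running on any automated tool before it touches client data. The following is an added example, not part of the original post and not Pangolin's code; the `CHR(n)||CHR(n)` form of the Oracle encoding, the sample request, and both host names are assumptions constructed for illustration.

```python
import re
from urllib.parse import quote, unquote_plus, urlsplit

# Assumed form of the "Oracle (char) encoding": CHR(104)||CHR(116)||...
CHR_RUN = re.compile(r"CHR\(\d+\)(?:\s*\|\|\s*CHR\(\d+\))*", re.IGNORECASE)
CHR_ONE = re.compile(r"CHR\((\d+)\)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"|)]+", re.IGNORECASE)
LITERAL_JOIN = re.compile(r"'([^']*)'\s*\|\|\s*'([^']*)'")


def decode_request(raw):
    """URL-decode a captured request line and turn CHR() runs into quoted literals."""
    text = unquote_plus(raw)

    def collapse(match):
        codes = CHR_ONE.findall(match.group(0))
        return "'" + "".join(chr(int(c)) for c in codes) + "'"

    text = CHR_RUN.sub(collapse, text)
    previous = None
    while previous != text:  # merge 'a'||'b' into 'ab' until nothing changes
        previous = text
        text = LITERAL_JOIN.sub(r"'\1\2'", text)
    return text


def unexpected_hosts(raw, in_scope):
    """Return hosts referenced by UTL_HTTP calls that are outside the engagement scope."""
    decoded = decode_request(raw)
    if "utl_http" not in decoded.lower():
        return set()
    hosts = {urlsplit(url).hostname for url in URL_RE.findall(decoded)}
    return {h for h in hosts if h and h not in in_scope}


def _chr_encode(s):
    # Helper used only to build the constructed sample below.
    return "||".join("CHR(%d)" % ord(c) for c in s)


# Constructed sample of a sniffed request line (hypothetical hosts, no real data).
SAMPLE = "GET /item?id=" + quote(
    "1 AND UTL_HTTP.REQUEST(" + _chr_encode("http://thirdparty.example/r") + ") IS NOT NULL"
) + " HTTP/1.1"

if __name__ == "__main__":
    print(decode_request(SAMPLE))
    print(unexpected_hosts(SAMPLE, {"target.example"}))
```
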

Thursday, November 27, 2008

Incident Handling Cheatsheets

The guys at ISC SANS (Internet Storm Center) have released two Incident Handling Cheatsheets. These will be useful for people who got hacked or infected by malware, system administrators, etc.

The first one is "Security Incident Survey Cheat Sheet for Server Administrators"; it captures tips for examining a suspect machine.

The other is a questionnaire for responders; it collects the most important questions an incident handler should ask when taking control of the incident or getting in contact with the problem.

