What is LOIC LOIC basically turns your computer’s network connection into a firehose of garbage requests, directed towards a target web se...

LOIC :Dos Attacking tool

Monday, May 09, 2011 Sensei Fedon 0 Comments

What is LOIC
LOIC basically turns your computer’s network connection into a firehose of garbage requests, directed towards a target web server. On its own, one computer rarely generates enough TCP, UDP, or HTTP requests at once to overwhelm a web server—garbage requests can easily ignored while legit requests for web pages are responded to as normal.
But when thousands of users run LOIC at once, the wave of requests become overwhelming, often shutting a web server (or one of its connected machines, like a database server) down completely, or preventing legitimate requests from being answered.

LOIC is more focued on web applications we can also call it applicaton based DOS attack. LOIC can be used on a target site by flooding the server with TCP packets, UDP packets, or HTTP requests with the intention of disrupting the service of a particular host. People have used LOIC to join voluntary botnets.
LOIC is a nice tool to perform dos or ddos attack but try it on your own risk. It does no have an ability to hide your IP addressSource code is also available .
Download LOIC 1.0.4 here

0 comments:

An amusing attack was demonstrated in the course of the last penetration testing. It is a good example of practical application of Cross-Si...

RFI over SQL Injection/Cross-Site Scripting

Monday, May 02, 2011 Sensei Fedon 0 Comments

An amusing attack was demonstrated in the course of the last penetration testing. It is a good example of practical application of Cross-Site Scripting. We had the following situation:

- User segment with an attacker (me) operating from it;
- Technological network with strictly restricted outgoing traffic;
- A web application in the technological network that is vulnerable to Remote File Including (RFI);
- A web application in the technological network that is vulnerable to SQL Injection.

0 comments:

A method that I discovered today in MySQL documentation struck me with its simplicity and the fact that I haven’t noticed it before. Let me ...

Another fine method to exploit SQL Injection and bypass WAF

Monday, May 02, 2011 Sensei Fedon 0 Comments

A method that I discovered today in MySQL documentation struck me with its simplicity and the fact that I haven’t noticed it before. Let me describe this method of bypassing WAF.

MySQL servers allow one to use comments of the following type:

/*!sql-code*/ and /*!12345sql-code*/

As can be noticed, SQL code will be executed from the comment in both cases! The latter construction means that "sql-code" should be executed only if the DBMS version is later than the given value.

Some WAFs skip comments during signature search. Among such WAFs, there is the latest stable assembly of Mod_Security (v. 2.5.9).

Here is a simple example:

0 comments: