Quirk of mine.
SQL (the language) is pronounced as SEQUEL.
SQL Server is pronounced as Ess-Que-Ell Server.
Go figure.
Sunday, September 21, 2008
Monday, September 15, 2008
MSN Bot -> Twitter -> Facebook status integration is kinda cool.
But wiimote hacks kicks ass.
Lightsabre, drums, mouse - some of the many things you can do when you hook up your wiimote to your computer :D
Although, my laptop is one of the rarities which does not have bluetooth,so I'm stuck with my sis's old Mac for now. *Shudders*
Java library for wiimotes is out though, makes life much easier ;D
But wiimote hacks kicks ass.
Lightsabre, drums, mouse - some of the many things you can do when you hook up your wiimote to your computer :D
Although, my laptop is one of the rarities which does not have bluetooth,so I'm stuck with my sis's old Mac for now. *Shudders*
Java library for wiimotes is out though, makes life much easier ;D
Saturday, September 6, 2008
Woah. Appearently unknown people are accessing my personal laptop :O (Something tells me I shouldn't be surprised, but still - first time seeing something like this.)
So, I was messing about one day and decided to install IIS on my laptop. Installed it, played a lil about with it, and thought of hosting something somewhat useful. First thing that came to mind was BlackNova Traders (google it).
BNT ran on PHP, which naturally, didn't come with the IIS prepackged with Vista, so installed the fastCGI PHP on IIS.
BNT didn't run too well on windows/IIS (only supported on *nix/apache. go figure) so deleted it, and started playing about with php.
Wrote a script that displayed my external ip address (sounds stupid, but if external clients even access that page, they already know my external ip address, so the point's moot. And, it makes it easier for me to find my external ip address. Localhost is much faster to type than whatismyip.com. So there.) and the client's ip address that IIS is seeing. And, log the IP too.
Checked the log after a couple days, saw a few IPs that definitely weren't mine. And, I hadn't told anyone about the site. Hell,even if I had, I have a dynamic IP address, (which was the whole point of the script). Had a dyndns domain pointing here for a grand total of 5 minutes (+dns entry timeout).
Cleared the log for now, see what happens then.
So, I was messing about one day and decided to install IIS on my laptop. Installed it, played a lil about with it, and thought of hosting something somewhat useful. First thing that came to mind was BlackNova Traders (google it).
BNT ran on PHP, which naturally, didn't come with the IIS prepackged with Vista, so installed the fastCGI PHP on IIS.
BNT didn't run too well on windows/IIS (only supported on *nix/apache. go figure) so deleted it, and started playing about with php.
Wrote a script that displayed my external ip address (sounds stupid, but if external clients even access that page, they already know my external ip address, so the point's moot. And, it makes it easier for me to find my external ip address. Localhost is much faster to type than whatismyip.com. So there.) and the client's ip address that IIS is seeing. And, log the IP too.
Checked the log after a couple days, saw a few IPs that definitely weren't mine. And, I hadn't told anyone about the site. Hell,even if I had, I have a dynamic IP address, (which was the whole point of the script). Had a dyndns domain pointing here for a grand total of 5 minutes (+dns entry timeout).
Cleared the log for now, see what happens then.
Monday, September 1, 2008
So.
Found a SQL Injection vulnerability in my ex-secondary (That's high school for you Americans out there) school's website.
Crafted a query to get one column name,table name and schema from the entire database using information_schema.columns
Came across a mdl_user table (school was using Joomla,with a Moodle module). Chock full of users - the entire school uses the moodle module for e-learning, so every single student was in there.
Simple guessing came out with the username and password columns. (NB:No prefixes ;)
Checked that out - remember,SQL injection hole - and the username were IC numbers. (The American counterpart would be the Social Security Numbers).
So, there were storing sensitive data, IN CLEARTEXT, as usernames. If I were a identity stealer I would have been in Nirvana. Well,close, in any case, though I can't imagine why would you need to impersonate a high schooler.
Anyway, password was MD5 hashed (moodle module remember.If it was developed inhouse it probably would have been in cleartext as well, going by what I've seen so far),but found that many users had the same password.
So, digged in further the website. Went to the moodle main page. And lo and behold, on the login page, "All student accounts have been reset on January 15th with the password \"password\""
Do they seriously expect 15-year olds to bother about changing their default passwords in a school e-learning portal? At least generate random passwords or something.
So, fired an email to the school's sysadmin, and about five days later, no reply. Hole's still there.
Oh well.
Found a SQL Injection vulnerability in my ex-secondary (That's high school for you Americans out there) school's website.
Crafted a query to get one column name,table name and schema from the entire database using information_schema.columns
Came across a mdl_user table (school was using Joomla,with a Moodle module). Chock full of users - the entire school uses the moodle module for e-learning, so every single student was in there.
Simple guessing came out with the username and password columns. (NB:No prefixes ;)
Checked that out - remember,SQL injection hole - and the username were IC numbers. (The American counterpart would be the Social Security Numbers).
So, there were storing sensitive data, IN CLEARTEXT, as usernames. If I were a identity stealer I would have been in Nirvana. Well,close, in any case, though I can't imagine why would you need to impersonate a high schooler.
Anyway, password was MD5 hashed (moodle module remember.If it was developed inhouse it probably would have been in cleartext as well, going by what I've seen so far),but found that many users had the same password.
So, digged in further the website. Went to the moodle main page. And lo and behold, on the login page, "All student accounts have been reset on January 15th with the password \"password\""
Do they seriously expect 15-year olds to bother about changing their default passwords in a school e-learning portal? At least generate random passwords or something.
So, fired an email to the school's sysadmin, and about five days later, no reply. Hole's still there.
Oh well.
Subscribe to:
Posts (Atom)