
*solomon kariri* solomonkariri at gmail.com: I just ran the rewards request MMI for Zain and got the following response: java.sql.SQLException: Internal error: Invalid index for data access. Thought you should know. -- Solomon Kariri,
@Solomon, Can it be due to something on Oracle db?
Rgds.
-- "always a student @ heart...."

Actually I don't know why I'm always the person to get these funny things. I think whatever the case is, you should never display to the end user the results of an SQL error as it might expose some information about the structure of the database. As in, imagine a message like this: [MySQL][Version 1.5] there is an error in your sql. Please check the manual for the correct syntax to use near 'username='whateveruproviede',access_level=3'. I was just wondering. From the response I'm sure you can tell what database they are using because the nature of the messages is usually characteristic of a certain database management system. On Thu, Oct 15, 2009 at 11:28 AM, aki <aki275@googlemail.com> wrote:
*solomon kariri* solomonkariri at gmail.com: I just ran the rewards request MMI for Zain and got the following response: java.sql.SQLException: Internal error: Invalid index for data access. Thought you should know.
-- Solomon Kariri,
@Solomon, Can it be due to something on Oracle db?
Rgds.
-- "always a student @ heart...."
_______________________________________________ Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------ Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke Other lists ------------- Announce: http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce Science: http://lists.my.co.ke/cgi-bin/mailman/listinfo/science kazi: http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general
-- Solomon Kariri, Software Developer, Cell: +254736 729 450 Skype: solomonkariri

*solomon kariri* solomonkariri at gmail.com: *Actually I don't know why I'm always the person to get these funny things. I think whatever the case is, you should never display to the end user the results of an SQL error as it might expose some information about the structure of the database. As in, imagine a message like this: [MySQL][Version 1.5] there is an error in your sql. Please check the manual for the correct syntax to use near 'username='whateveruproviede',access_level=3'. I was just wondering. From the response I'm sure you can tell what database they are using because the nature of the messages is usually characteristic of a certain database management system.* --------------------
Dude, when I get there I'm sure we will exchange some views with you because it seems you are talking of exploits in SQL.
But the basics of any application design (my world at the moment) or web design (future world):
- Forms: capture, edit and query data
- Db: store data
Db access needs I think 2 ports open in udp. The exploits are on all DB platforms or just one?
-- "always a student @ heart....? "

It's for any database: http://en.wikipedia.org/wiki/SQL_injection On Thu, Oct 15, 2009 at 11:58 AM, aki <aki275@googlemail.com> wrote:
*solomon kariri* solomonkariri at gmail.com: *Actually I don't know why I'm always the person to get these funny things. I think whatever the case is, you should never display to the end user the results of an SQL error as it might expose some information about the structure of the database. As in, imagine a message like this: [MySQL][Version 1.5] there is an error in your sql. Please check the manual for the correct syntax to use near 'username='whateveruproviede',access_level=3'. I was just wondering. From the response I'm sure you can tell what database they are using because the nature of the messages is usually characteristic of a certain database management system.* --------------------
Dude, when I get there I'm sure we will exchange some views with you because it seems you are talking of exploits in SQL.
But the basics of any application design (my world at the moment) or web design (future world):
- Forms: capture, edit and query data
- Db: store data
Db access needs I think 2 ports open in udp. The exploits are on all DB platforms or just one?
-- "always a student @ heart....? "
-- Solomon Kariri, Software Developer, Cell: +254736 729 450 Skype: solomonkariri
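To make Solomon's two points concrete (the raw SQL error reaching the end user, and the SQL injection link above), here is an added Python example; it is not code from the list or from the Zain application, and the in-memory sqlite table, its rows and the request reference id are constructed for the demo. It shows the concatenated query failing on an ordinary name containing a quote, the leaky handler echoing the engine's own error text, and the hardened handler logging the exception server-side while the user sees only a generic message.

```python
import logging
import sqlite3

log = logging.getLogger("rewards-mmi")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory demo table; the rows are made up, not Zain's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, access_level INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", 3), ("o'brien", 1)])
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    """Query built by string concatenation: a quote in the input becomes part of the SQL."""
    sql = f"SELECT access_level FROM users WHERE username='{username}'"
    return conn.execute(sql).fetchone()


def lookup_safe(conn, username):
    """Parameterised query: the driver passes the value separately from the SQL text."""
    return conn.execute(
        "SELECT access_level FROM users WHERE username=?", (username,)
    ).fetchone()


def handle_leaky(conn, username):
    """The anti-pattern the list saw: the driver's exception text goes straight to the
    end user, which also fingerprints the engine (sqlite wording here, Oracle's there)."""
    try:
        row = lookup_unsafe(conn, username)
    except sqlite3.Error as exc:
        return f"Error: {exc}"
    return "not found" if row is None else f"access_level={row[0]}"


def handle_hardened(conn, username, lookup=lookup_safe, ref="REQ-0001"):
    """Log the full exception server-side under a correlation id and give the user only
    a generic message plus that id. `ref` is a placeholder; a real app generates one."""
    try:
        row = lookup(conn, username)
    except sqlite3.Error:
        log.exception("database error, ref=%s", ref)
        return f"Request failed, please try again later (ref {ref})"
    return "not found" if row is None else f"access_level={row[0]}"


if __name__ == "__main__":
    db = make_db()
    print(handle_leaky(db, "o'brien"))     # leaks the engine's syntax error
    print(handle_hardened(db, "o'brien"))  # parameterised: finds the row
```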

solomon kariri wrote: It's for any database: http://en.wikipedia.org/wiki/SQL_injection
Hey Solomon, interesting read and many thanks for the info, though I think I've got nothing to worry about as my apps or sites will not hold anything valuable enough to be considered "hot data in need". Still not argument enough for me to move to other platforms, though I don't have a problem with any platform. :-)))
Just a general comment. What I found interesting about the link, and sharing my fictional thoughts. *I just love our tech sector! It's never boring..hehehe.*
*Ok, my strictly fictional thoughts after reading the link:* No matter how strong or difficult you build it, if they want what's there, they will find a way. So rather than fighting them defensively with all sorts of patches, workarounds etc, I think OS's should become offensive. Create sites that will contain data considered "hot" as decoys and set the trap. Boom! Catch them in the act and keep frustrating them. Embed scripts into files that will allow querying of many things. Once the data is hacked, the data contains script files that will attach to whatever. I can see a Hollywood movie on this... LOL!
I once read a thread here on Skunks about KDN wireless and some Uni where it was injected and opened. KDN closed it down. This would have been the real test ground of offensive policies to see: yes you can hack it and break it, but can you take what's coming?
Where are you scripting gurus? Is this possible and why has it not been done? I'm even more motivated to finish my C# asap. :-)))
Rgds.

Actually that is a fairly standard mechanism. Read up on 'honeytraps'. On Thu, Oct 15, 2009 at 1:23 PM, aki <aki275@googlemail.com> wrote:
solomon kariri wrote: It's for any database: http://en.wikipedia.org/wiki/SQL_injection
Hey Solomon, interesting read and many thanks for the info, though I think I've got nothing to worry about as my apps or sites will not hold anything valuable enough to be considered "hot data in need". Still not argument enough for me to move to other platforms, though I don't have a problem with any platform. :-)))
Just a general comment. What I found interesting about the link, and sharing my fictional thoughts. *I just love our tech sector! It's never boring..hehehe.*
*Ok, my strictly fictional thoughts after reading the link:* No matter how strong or difficult you build it, if they want what's there, they will find a way. So rather than fighting them defensively with all sorts of patches, workarounds etc, I think OS's should become offensive. Create sites that will contain data considered "hot" as decoys and set the trap. Boom! Catch them in the act and keep frustrating them. Embed scripts into files that will allow querying of many things. Once the data is hacked, the data contains script files that will attach to whatever. I can see a Hollywood movie on this... LOL!
I once read a thread here on Skunks about KDN wireless and some Uni where it was injected and opened. KDN closed it down. This would have been the real test ground of offensive policies to see: yes you can hack it and break it, but can you take what's coming?
Where are you scripting gurus? Is this possible and why has it not been done? I'm even more motivated to finish my C# asap. :-)))
Rgds.

@Solomon and @Rad!, I want to shake your hands and thank you. Until now learning programming was the most boring thing I've ever done etc. You guys have changed my learning direction. I hope when I'm ready, I'd want to set up a small lab with server exploits then invite the security group or those in the know to break the box and we can have some real fun with offensive and defensive coding. Let me find my way first.... Skunks List is the best! :-) Over and out. On Thu, Oct 15, 2009 at 1:23 PM, aki <aki275@googlemail.com> wrote:
solomon kariri wrote: It's for any database: http://en.wikipedia.org/wiki/SQL_injection

On Thu, Oct 15, 2009 at 2:44 PM, aki <aki275@googlemail.com> wrote:
@Solomon and @Rad!, I want to shake your hands and thank you. Until now learning programming was the most boring thing I've ever done etc. You guys have changed my learning direction. I hope when I'm ready, I'd want to set up a small lab with server exploits then invite the security group or those in the know to break the box and we can have some real fun with offensive and defensive coding.
Ahem, some dudes over at the security mailing list are making the logistics for setting up a lab for a hacking "event": http://lists.my.co.ke/pipermail/security/2009-October/000782.html

On Thu, Oct 15, 2009 at 2:44 PM, aki <aki275@googlemail.com> wrote:
@Solomon and @Rad!, I want to shake your hands and thank you. Until now learning programming was the most boring thing I've ever done etc.
Aki,
Solomon is going to enlighten us more on some AJAX stuff one of these days. He is into Java and Linuts but you never know, he might surprise us with some other stuff one of these days.
Let's note jQuery was created by a geek in his early 20's. Think he is almost / about 25 now.
About getting bored and burning out, it happens all the time.
A corporate hires a software or network engineer from a more dynamic solution provider but lacks the environment to motivate them to produce or learn new stuff. The engineer becomes a corporate bureaucrat that frustrates more productive (if not younger) talent and types to protect their turf and ...

I also think sometimes not thinking outside the box is our biggest problem. Most of us essentially work on the same sort of projects: car sales website / Joomla-Drupal CMS intranet & website / Facebook clone / internal apps. Not that it is a bad thing, but we end up in a rut. I would be very keen to see someone strike out in a new direction and build something like this: http://www.letsimondecide.com/ On Thu, Oct 15, 2009 at 3:21 PM, Murigi Muraya <mmskunkworks@gmail.com> wrote:
On Thu, Oct 15, 2009 at 2:44 PM, aki <aki275@googlemail.com> wrote:
@Solomon and @Rad!, I want to shake your hands and thank you. Until now learning programming was the most boring thing I've ever done etc.
Aki,
Solomon is going to enlighten us more on some AJAX stuff one of these days. He is into Java and Linuts but you never know, he might surprise us with some other stuff one of these days.
Let's note jQuery was created by a geek in his early 20's. Think he is almost / about 25 now.
About getting bored and burning out, it happens all the time.
A corporate hires a software or network engineer from a more dynamic solution provider but lacks the environment to motivate them to produce or learn new stuff. The engineer becomes a corporate bureaucrat that frustrates more productive (if not younger) talent and types to protect their turf and ...

*>Peter Karunyu* wrote: Ahem, some dudes over at the security mailing list are making the logistics for setting up a lab for a hacking "event": http://lists.my.co.ke/pipermail/security/2009-October/000782.html
@Peter, thanks for the info. I think we can give Chucks and group something to play with next year (humouring them) event. Security group tactics and methods must be learnt. So those "behind the server" should start sharpening their skills. :-)
@Chucks as security team, if it will be possible I set up a server to be broken into, which will help to learn more about offensive and defensive coding, will you guys honour the challenge? I mean we can throw in all the exploits and flavours.
If Chucks and Team accept the challenge, and I know it's serious stuff, we must build a Skunks code team. Anyone willing? I'm a code toddler but now focussed.....
Listers, let's make this a bit interesting. :-)))))) -- "always a student @ heart.. "

If you are a developer who takes their work seriously, this book is highly recommended reading: http://www.amazon.com/Writing-Secure-Second-Michael-Howard/dp/0735617228 On Thu, Oct 15, 2009 at 3:33 PM, aki <aki275@googlemail.com> wrote:
*>Peter Karunyu* wrote: Ahem, some dudes over at the security mailing list are making the logistics for setting up a lab for a hacking "event": http://lists.my.co.ke/pipermail/security/2009-October/000782.html
@Peter, thanks for the info. I think we can give Chucks and group something to play with next year (humouring them) event. Security group tactics and methods must be learnt. So those "behind the server" should start sharpening their skills. :-)
@Chucks as security team, if it will be possible I set up a server to be broken into, which will help to learn more about offensive and defensive coding, will you guys honour the challenge? I mean we can throw in all the exploits and flavours.
If Chucks and Team accept the challenge, and I know it's serious stuff, we must build a Skunks code team. Anyone willing? I'm a code toddler but now focussed.....
Listers, let's make this a bit interesting. :-)))))) -- "always a student @ heart.. "

Thanks Radi for the link. I must read that one. On Thu, Oct 15, 2009 at 4:04 PM, Rad! <conradakunga@gmail.com> wrote:
If you are a developer who takes their work seriously, this book is highly recommended reading: http://www.amazon.com/Writing-Secure-Second-Michael-Howard/dp/0735617228
On Thu, Oct 15, 2009 at 3:33 PM, aki <aki275@googlemail.com> wrote:
*>Peter Karunyu* wrote: Ahem, some dudes over at the security mailing list are making the logistics for setting up a lab for a hacking "event": http://lists.my.co.ke/pipermail/security/2009-October/000782.html
@Peter, thanks for the info. I think we can give Chucks and group something to play with next year (humouring them) event. Security group tactics and methods must be learnt. So those "behind the server" should start sharpening their skills. :-)
@Chucks as security team, if it will be possible I set up a server to be broken into, which will help to learn more about offensive and defensive coding, will you guys honour the challenge? I mean we can throw in all the exploits and flavours.
If Chucks and Team accept the challenge, and I know it's serious stuff, we must build a Skunks code team. Anyone willing? I'm a code toddler but now focussed.....
Listers, let's make this a bit interesting. :-)))))) -- "always a student @ heart.. "
-- Solomon Kariri, Software Developer, Cell: +254736 729 450 Skype: solomonkariri

For those who need to download the book, you can try the link below: http://search.4shared.com/network/search.jsp?searchmode=2&searchName=writing... Enjoy! On Thu, Oct 15, 2009 at 4:04 PM, Rad! <conradakunga@gmail.com> wrote:
If you are a developer who takes their work seriously, this book is highly recommended reading: http://www.amazon.com/Writing-Secure-Second-Michael-Howard/dp/0735617228
-- "We must respect the other fellow's religion, but only in the sense and to the extent that we respect his theory that his wife is beautiful and his children smart."
participants (6): aki, Frankline Ogongi, Murigi Muraya, Peter Karunyu, Rad!, solomon kariri