PlatformIO

Posted by & filed under Arduino, Hardware, Hardware Development, Programming.

PlatformIO is an open source ecosystem for IoT development
Cross-platform build system. Continuous and IDE integration. Arduino and ARM mbed compatible


Came across this cool IDE, built on top of Atom, for IoT development. There is also a commercially supported offering. http://platformio.org/

WordPress Malware hack cleanup

Posted by & filed under Security, Web Development.

A few handy commands to cut to the chase and find the crap spammers/skiddies have added to a WordPress install:

Find files containing text recursively:

A good use of this is to search for the following. It can return false positives, but it finds a function commonly used to obfuscate code:

Diff two installations. If you have a clean copy of WordPress, you can compare it to a compromised version to find the differences. Here I am excluding the error_log file and sending the output to diff.txt for review:

Find PHP files (and other file types that should not be present) in the uploads directory. This is typically one of the first places things are placed:

Grep the database. Sometimes malware is hidden in the database itself. Since a WordPress database is tiny in the grand scheme of things, a simple way to review it quickly is to export the entire database to SQL with mysqldump, phpMyAdmin or whatever tool you prefer, then read through the dump. Be on the lookout for base64-encoded strings; they are a good giveaway.

Find recently modified PHP files:
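The checks above, gathered into one script as an added example (this is not the post's own set of commands): a small PHP CLI scanner that walks a WordPress tree, greps PHP files for obfuscation helpers, lists non-media files under wp-content/uploads, lists PHP files modified in the last few days and, when given a pristine copy of the same WordPress version, reports files that differ from it. The script name, the paths and the pattern list are assumptions; expect false positives, as the post warns.

```php
<?php
// Added example, not the commands from the post: a PHP CLI scanner that runs the
// checks described above over a WordPress tree and prints anything worth a manual
// look. Script name, paths and the pattern list are assumptions.
//
// Usage: php wp-scan.php /var/www/html [days] [/path/to/clean/wordpress]

$root  = rtrim($argv[1] ?? '.', '/');
$days  = (int)($argv[2] ?? 7);                            // "recently modified" window
$clean = isset($argv[3]) ? rtrim($argv[3], '/') : null;   // pristine copy of the same WP version

// Functions commonly used to hide injected code. Legitimate plugins use some of
// these too, so every hit needs a human to look at it.
$suspicious = [
    '/\bbase64_decode\s*\(/i',
    '/\beval\s*\(/i',
    '/\bgzinflate\s*\(/i',
    '/\bgzuncompress\s*\(/i',
    '/\bstr_rot13\s*\(/i',
    '/\/[imsxu]*e[imsxu]*[\'"]\s*,/',   // regex literal with the /e modifier (code execution in preg_replace)
];

$phpExt   = ['php', 'phtml', 'php5', 'php7', 'inc'];
$mediaExt = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'svg', 'pdf', 'mp3', 'mp4', 'zip', 'txt', 'css'];
$cutoff   = time() - $days * 86400;
$hits     = ['obfuscation' => [], 'uploads' => [], 'recent' => [], 'diff' => []];

$iter = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
);

foreach ($iter as $file) {
    if (!$file->isFile()) {
        continue;
    }
    $path  = $file->getPathname();
    $rel   = substr($path, strlen($root) + 1);
    $ext   = strtolower($file->getExtension());
    $isPhp = in_array($ext, $phpExt, true);

    // 1. grep for obfuscation helpers (the post's recursive "find files containing text")
    if ($isPhp) {
        $src = (string)file_get_contents($path);
        foreach ($suspicious as $re) {
            if (preg_match($re, $src, $m)) {
                $hits['obfuscation'][] = $rel . ': ' . trim($m[0]);
                break;
            }
        }
        // 3. recently modified PHP files
        if ($file->getMTime() >= $cutoff) {
            $hits['recent'][] = $rel . ' (' . date('Y-m-d H:i', $file->getMTime()) . ')';
        }
    }

    // 2. anything that is not a media file inside wp-content/uploads
    // (SVG is allowed here but can carry script, so review those by hand as well)
    if (strpos($rel, 'wp-content/uploads/') === 0 && !in_array($ext, $mediaExt, true)) {
        $hits['uploads'][] = $rel;
    }

    // 4. diff against a clean copy: PHP files that changed or were added
    if ($clean !== null && $isPhp && strpos($rel, 'wp-content/uploads/') !== 0 && $rel !== 'wp-config.php') {
        $cleanPath = $clean . '/' . $rel;
        if (!is_file($cleanPath)) {
            $hits['diff'][] = $rel . ' (not in clean copy)';
        } elseif (md5_file($cleanPath) !== md5_file($path)) {
            $hits['diff'][] = $rel . ' (differs from clean copy)';
        }
    }
}

foreach ($hits as $category => $list) {
    printf("== %s (%d) ==\n", $category, count($list));
    foreach ($list as $line) {
        echo '  ', $line, "\n";
    }
}
```

Run it from a shell on the server (or on a copy of the site pulled down over SFTP) and work through the four lists by hand. The diff check only covers core and plugin PHP, which is why the uploads directory and wp-config.php are excluded from it; the grep list is a heuristic and a hit is a reason to read the file, not proof of compromise.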


PHP: Displaying errors in the browser

Posted by & filed under PHP, Programming.

I run into this from time to time, and there are a few options for getting errors to display in the browser when the server configuration prevents it. Both .htaccess and php.ini can be modified to allow it. I have found a simpler way is to enable them from PHP itself:


util.php – Handy PHP library

Posted by & filed under PHP, Programming.

UtilPHP (Aka util.php) is a collection of useful functions and snippets that you need or could use every day. It’s implemented as a class with static methods, to avoid conflicts with your existing code-base. Just drop it in and start using it immediately.


Included are 40-odd functions that provide you with the ability to do common tasks much easier and more efficiently, without having to find that one comment on php.net where you know it’s been done already. Access superglobals without checking to see if certain indexes are set first and pass default values, use a nicely formatted var dump, validate emails, generate random strings, flatten an array, pull a single column out of a multidimensional array and much more.

Although it’s implemented as one giant class, util.php has extensive documentation and a full suite of unit tests to avoid breaking backwards-compatibility unintentionally.


github.com/brandonwamboldt/utilphp/

T-SQL: Quickly Clone a Table

Posted by & filed under Code Snippets, Programming.

To quickly and easily clone a table using T-SQL, the following is useful:

This will create the destination table and copy all source columns and data into it.

Troubleshooting OLE DB Connections

Posted by & filed under Programming.

I was encountering database connectivity issues via an application we are running. This was a new MSSQL database we had never connected to, so there were a lot of questions as to where the connectivity issue might lie.

  1. Installed SQL Server Management Studio and made a connection to the new database server from there. It was successful.
  2. Created a UDF file to test the OLE DB connectivity. This is extremely useful for troubleshooting. The basic procedure is to create a file with a .udf extension, open the UDF file (Windows will launch an editor), fill in the connection information, and test.
  3. Using this method we were able to determine that we needed to specify the database instance. Once that was in place, the connection worked flawlessly.

There is a handy article from Microsoft that details the UDF file creation process: blogs.msdn.com/b/farukcelik/archive/2007…

MySQL – Find and replace string (Useful for WordPress migrations)

Posted by & filed under PHP, Programming, Web Development.

I recently deployed a WordPress site. As part of the development cycle, we first built the site on staging.example.com, then moved it to the primary domain at launch. One issue this can cause is that when creating content, WordPress creates links with the site's full URL. In our case the staging domain was linked on most images and links, and when we went live this caused some issues. It's not an uncommon thing to run into, and fortunately there is a simple solution. The following PHP script will connect to the database, search all tables for the specified string (in our instance a domain name) and replace it with another string.

Simply update the username, password, database, string_to_replace and new_string with the appropriate values and you are off! I would recommend backing up the database to be safe.


Thanks to jimmy.zoger on Stack Overflow for the useful solution.


A follow-up to this: if the values in the database are serialized, a plain find/replace can wreak havoc, as it will break the serialization unless the replacement has the same character count. A very nice utility I found that handles the serialization perfectly is the following: https://interconnectit.com/products/search-and-replace-for-wordpress-databases/
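Why the plain replace breaks serialized values, and how a serialization-aware replace avoids it, as an added example (this is neither the script from the post nor the interconnectit tool): PHP's serialize() prefixes every string with its byte length (`s:NN:"..."`), so changing `staging.example.com` to `example.com` inside the string leaves a length prefix that no longer matches and unserialize() rejects the whole value. The fix is to decode, rewrite and re-encode. The sample row is constructed.

```php
<?php
// Added example, not the script from the post or the interconnectit tool: a
// serialization-aware search/replace for WordPress option and meta values, with
// a constructed sample showing why the plain string replace breaks them.

/** Recursively replace inside strings and array keys/values; leave other scalars alone. */
function replaceDeep($value, string $search, string $replace)
{
    if (is_string($value)) {
        return str_replace($search, $replace, $value);
    }
    if (is_array($value)) {
        $out = [];
        foreach ($value as $k => $v) {
            $newKey = is_string($k) ? str_replace($search, $replace, $k) : $k;
            $out[$newKey] = replaceDeep($v, $search, $replace);
        }
        return $out;
    }
    // Objects are returned untouched: with allowed_classes=false they arrive as
    // __PHP_Incomplete_Class and round-trip through serialize() unchanged.
    return $value;
}

/**
 * Replace $search with $replace in one database value. Serialized values are
 * decoded, rewritten and re-encoded so every s:NN: length is recomputed;
 * everything else is treated as a plain string.
 */
function safeReplace(string $data, string $search, string $replace): string
{
    // unserialize() returns false both for non-serialized input and for a
    // legitimately serialized false ("b:0;"); the latter has nothing to replace.
    if ($data === 'b:0;') {
        return $data;
    }
    // allowed_classes=false: never instantiate classes from database content
    // (guards against PHP object injection if a row has been tampered with).
    $decoded = @unserialize($data, ['allowed_classes' => false]);
    if ($decoded === false) {
        return str_replace($search, $replace, $data);
    }
    return serialize(replaceDeep($decoded, $search, $replace));
}

// Constructed sample resembling a wp_options row written by a theme.
$row = serialize([
    'logo'  => 'http://staging.example.com/wp-content/uploads/logo.png',
    'links' => ['http://staging.example.com/about', 'http://staging.example.com/contact'],
    'count' => 3,
]);

$naive = str_replace('staging.example.com', 'example.com', $row);
$fixed = safeReplace($row, 'staging.example.com', 'example.com');

// The naive result keeps the old s:NN: length prefixes, so PHP refuses to decode
// it; the fixed result has every prefix recomputed and decodes normally.
echo 'naive unserializes: ', var_export(@unserialize($naive) !== false, true), "\n";
echo 'fixed unserializes: ', var_export(unserialize($fixed) !== false, true), "\n";
echo $fixed, "\n";
```

To apply this to a site, read each value from the columns that hold serialized data (wp_options.option_value, wp_postmeta.meta_value, wp_usermeta.meta_value and any plugin tables), pass it through safeReplace() and write it back with a prepared UPDATE keyed on the row's primary key; take a database backup first, as the post says.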

OAuth Security Cheatsheet

Posted by & filed under Programming, Security, Software.

This document aims to describe common OAuth/Single Sign On/OpenID-related vulnerabilities. Many cross-site interactions are vulnerable to different kinds of leakings and hijackings.

Both hackers and developers can benefit from reading it.

OAuth is a critical functionality. It is responsible for access to sensitive user data, authentication and authorization. Poorly implemented OAuth is a reliable way to take over an account. Unlike XSS, it is easy to exploit, but hard to mitigate for victims (NoScript won’t help, JavaScript is not required).

www.oauthsecurity.com/

WordPress Warnings

Posted by & filed under PHP, Programming, Web Development.

I recently updated some web servers from PHP 5.3 to PHP 5.4. For a few WordPress sites, this caused them to begin spitting out warning messages on the website. In some cases the warnings caused further problems, because their output was written before the response headers.

While the real solution here is to refactor the code to not use deprecated functions, a simple quick and dirty workaround is to add the following directive to the wp-config.php file:

Survive the Deep End: PHP Security

Posted by & filed under PHP, Programming, Security.

As every target of a serious security breach will quickly note in their press releases and on their websites: security is very important to them and they take it very seriously. Taking this sentiment to heart before you learn it the hard way is recommended. Survive the Deep End: PHP Security covers most of the major concepts that should be considered when writing secure PHP web applications.

Despite this, security is also very much an afterthought. Concerns such as having a working application which meets the needs of users within an acceptable budget and timeframe often take precedence over security concerns. It’s an understandable set of priorities, however we can’t ignore security forever and it’s often far better to keep it upfront in your mind when building applications so that we can include security defenses during development while change is cheap.

The afterthought nature of security is largely a product of programmer culture. Some programmers will start to sweat at the very idea of a security vulnerability while others can quite literally argue the definition of a security vulnerability to the point where they can confidently state it is not a security vulnerability. In between may be programmers who do a lot of shoulder shrugging since nothing has gone completely sideways on them before. It’s a weird world out there.

phpsecurity.readthedocs.org/en/latest/in…

oclHashCat

Posted by & filed under Numbers, Programming, Security.

I was doing some webapp security audits and needed to use hashcat to attack a few hashes. Definitely a must have when dealing with hashes of any kind.

  • World's fastest password cracker
  • World's first and only GPGPU based rule engine
  • Free
  • Multi-GPU (up to 128 gpus)
  • Multi-Hash (up to 15 million hashes)
  • Multi-OS (Linux & Windows native binaries)
  • Multi-Platform (OpenCL & CUDA support)
  • Multi-Algo (see below)
  • Low resource utilization, you can still watch movies or play games while cracking
  • Focuses highly iterated modern hashes
  • Focuses dictionary based attacks
  • Supports distributed cracking
  • Supports pause / resume while cracking
  • Supports sessions
  • Supports restore
  • Supports reading words from file
  • Supports reading words from stdin
  • Supports hex-salt
  • Supports hex-charset
  • Built-in benchmarking system
  • Integrated thermal watchdog
  • 80+ Algorithms implemented with performance in mind

Excel: Joining worksheet columns with vlookup()

Posted by & filed under Code Snippets, Programming.

Excel fun time! Today I had a rather large worksheet that had a column with a unique identifier. I had another worksheet with a matching column of UIDs and a second column that I wanted to “join” to the first worksheet. vlookup() is the function for the job.

  • Parameter 1 is the column on the first workbook that contains the UID to match to the UID in the second worksheet. The UID for the second (source) worksheet has to be in the first column. The $ freezes the column reference and is needed.
  • Parameter 2 is a named range from the second workbook. Highlight the UID and the column you want to merge and name the range.
  • Parameter 3 is the column position in the second workbook that should be merged in based on the UID match.
  • Parameter 4 dictates whether exact matches or similar matches should be applied.

That’s it. Drag the formula down the column to finish the join.

Enabling error reporting in cPanel

Posted by & filed under PHP, Programming.

Error reporting is disabled server-wide. But for a development project, we need it turned on. Adding a php.ini file with the following directives will get the job done:

This will cause PHP to write out the error to a file in the same directory as the script called error.log. Adjust to your liking.

Another option is to set the display_errors flag to true. This is not a recommended practice, as it can expose sensitive information that should never be sent to clients. In a closed dev environment, though, it can be handy, especially if you do not have a way to easily tail the log file.
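The switches this post and the earlier "PHP: Displaying errors in the browser" post describe, set from PHP rather than from php.ini or .htaccess, as an added example (not the snippets from either post): errors are always logged to an error.log beside the script, and whether they are also rendered into the response depends on an APP_ENV variable. That the deployment sets APP_ENV is an assumption; anything other than "development" is treated as production.

```php
<?php
// Added example, not the snippets from the "Displaying errors in the browser" or
// "Enabling error reporting in cPanel" posts: the same switches set from PHP at
// the top of a script (or a file it includes) instead of php.ini/.htaccess.
// Assumption: the deployment sets APP_ENV; anything but "development" is production.

function configureErrorReporting(string $env, string $logFile): void
{
    error_reporting(E_ALL);           // report everything, including deprecations
    ini_set('log_errors', '1');       // always keep a server-side record
    ini_set('error_log', $logFile);   // error.log beside the script, as in the cPanel post

    if ($env === 'development') {
        // Development only: warnings and notices are rendered into the response.
        ini_set('display_errors', '1');
        ini_set('html_errors', '1');
    } else {
        // Production: nothing is echoed to clients. Error text carries file paths,
        // SQL fragments and sometimes credentials, which must stay on the server.
        ini_set('display_errors', '0');
        ini_set('html_errors', '0');
    }
}

configureErrorReporting(getenv('APP_ENV') ?: 'production', __DIR__ . '/error.log');

// Constructed warning to show where output lands under each setting: in the
// browser and the log in development, in the log only in production.
trigger_error('constructed sample warning', E_USER_WARNING);
```

One caveat: ini_set() runs only once the script is executing, so parse errors and startup errors in the same file are never affected by it; for those the php.ini or .htaccess route from the posts is still the only option.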