XSS
is a hacking technique that uses a script-injection method with a
certain gap in a web page. The gap can sometimes be through the input
form, or by modifying the URL parameter. The script that is injected,
there are several kinds, can HTML tags, JavaScript, PHP, ASP (as web
server), etc.| Byte offset | Description |
|---|---|
| 0 | DBF File type: 0x02 FoxBASE 0x03 FoxBASE+/Dbase III plus, no memo 0x30 Visual FoxPro 0x31 Visual FoxPro, autoincrement enabled 0x32 Visual FoxPro with field type Varchar or Varbinary 0x43 dBASE IV SQL table files, no memo 0x63 dBASE IV SQL system files, no memo 0x83 FoxBASE+/dBASE III PLUS, with memo 0x8B dBASE IV with memo 0xCB dBASE IV SQL table files, with memo 0xF5 FoxPro 2.x (or earlier) with memo 0xE5 HiPer-Six format with SMT memo file 0xFB FoxBASE |
| 1 - 3 | Last update (YYMMDD) |
| 4 – 7 | Number of records in file |
| 8 – 9 | Position of first data record |
| 10 – 11 | Length of one data record, including delete flag |
| 12 – 27 | Reserved |
| 28 | Table flags: 0x01 file has a structural .cdx 0x02 file has a Memo field 0x04 file is a database (.dbc) This byte can contain the sum of any of the above values. For example, the value 0x03 indicates the table has a structural .cdx and a Memo field. |
| 29 | Code page mark |
| 30 – 31 | Reserved, contains 0x00 |
| 32 – n | Field subrecords The number of fields determines the number of field subrecords. One field subrecord exists for each field in the table. |
| n+1 | Header record terminator (0x0D) |
| n+2 to n+264 | Visual Foxpro only: A 263-byte range that contains the backlink, which is the relative path of an associated database (.dbc) file, information. If the first byte is 0x00, the file is not associated with a database. Therefore, database files always contain 0x00. |
| Byte offset | Description |
|---|---|
| 0 – 10 | Field name with a maximum of 10 characters. If less than 10, it is padded with null characters (0x00). |
| 11 | Field type: C – Character Y – Currency N – Numeric F – Float D – Date T – DateTime B – Double I – Integer L – Logical M – Memo G – General C – Character (binary) M – Memo (binary) P – Picture + – Autoincrement (dBase Level 7) O – Double (dBase Level 7) @ – Timestamp (dBase Level 7) |
| 12 – 15 | Displacement of field in record |
| 16 | Length of field (in bytes) |
| 17 | Number of decimal places |
| 18 | Field flags: 0x01 System Column (not visible to user) 0x02 Column can store null values 0x04 Binary column (for CHAR and MEMO only) 0x06 (0x02+0x04) When a field is NULL and binary (Integer, Currency, and Character/Memo fields) 0x0C Column is autoincrementing |
| 19 - 22 | Value of autoincrement Next value |
| 23 | Value of autoincrement Step value |
| 24 – 31 | Reserved |
The Master Boot Record is the same for pretty much all Operating Systems. It is located on the first Sector of the Hard Drive, at Cylinder 0, Head 0, Sector 1. It is the first piece of code that your computer runs after it has checked all of your hardware (POST) and turned control of loading software over the hard drive. It also contains the partition table, which defines the different sections of your hard drive. Basically if anything happens to this little 512 byte section, your hard drive is brain dead.
Offset
|
Description
|
Size
|
000h
|
Executable Code (Boots Computer)
|
446 Bytes
|
1BEh
|
1st Partition Entry (See Next Table)
|
16 Bytes
|
1CEh
|
2nd Partition Entry
|
16 Bytes
|
1DEh
|
3rd Partition Entry
|
16 Bytes
|
1EEh
|
4th Partition Entry
|
16 Bytes
|
1FEh
|
Boot Record Signature (55h AAh)
|
2 Bytes
|
Offset
|
Description
|
Size
|
00h
|
Current State of Partition (00h=Inactive, 80h=Active)
|
1 Byte
|
01h
|
Beginning of Partition - Head
|
1 Byte
|
02h
|
Beginning of Partition - Cylinder/Sector (See Below)
|
1 Word
|
04h
|
Type of Partition (See List Below)
|
1 Byte
|
05h
|
End of Partition - Head
|
1 Byte
|
06h
|
End of Partition - Cylinder/Sector
|
1 Word
|
08h
|
Number of Sectors Between the MBR and the First Sector in the Partition
|
1 Double Word
|
0Ch
|
Number of Sectors in the Partition
|
1 Double Word
|
I guess back in the days of 10MB hard drives and 8086's, code was at a premium. So they did everything they could to preserve space. Unfortunately now we have to live with it, but luckily they created new ways of translating the system so the 1024 Cylinder Limit (2^10) isn't too big of a problem, for newer computers, at least. Older ones usually need some sort of Disk Overlay program to make them see the whole hard drive.Anyway, to get the Sector out of this, you need to apply an AND mask ($3F) to it. To get the Cylinder, you take the high byte and OR it with the low byte that has been AND masked with ($C0) and then Shifted Left Two. It's not very easy to explain, so I'll just show you how I did it with two routines I made (In Pascal) for Encoding and Decoding the Cylinder/Sector. Hopefully even if you don't know Pascal you'll be able to read it.Function CylSecEncode(Cylinder, Sector : Word) : Word;
Begin
CylSecEncode := (Lo(Cylinder) shl 8) or (Hi(Cylinder) shl 6) or Sector;
End;
Procedure CylSecDecode(Var Cylinder, Sector : Word; CylSec : Word);
Begin
Cylinder := Hi(CylSec) or ((Lo(CylSec) and $C0) shl 2);
Sector := (CylSec and $3F);
End;
15
|
14
|
13
|
12
|
11
|
10
|
9
|
8
|
7
|
6
|
5
|
4
|
3
|
2
|
1
|
0
|
Cylinder Bits 7 to 0
|
Cylinder Bits 9+8
|
Sector Bits 5 to 0
| |||||||||||||
There are more than just these shown, but I've only included that ones relevant to MS Operating Systems.
Value
|
Description
|
00h
|
Unknown or Nothing
|
01h
|
12-bit FAT
|
04h
|
16-bit FAT (Partition Smaller than 32MB)
|
05h
|
Extended MS-DOS Partition
|
06h
|
16-bit FAT (Partition Larger than 32MB)
|
0Bh
|
32-bit FAT (Partition Up to 2048GB)
|
0Ch
|
Same as 0BH, but uses LBA1 13h Extensions
|
0Eh
|
Same as 06H, but uses LBA1 13h Extensions
|
0Fh
|
Same as 05H, but uses LBA1 13h Extensions
|
Although having multiple partitions in FAT32 isn't as likely as in FAT16, it still works the same way. The first partition is the Primary Partition, and everything else is stored in the Extended Partition. It's a little tricky when it comes to reading those extra partitions though (not a lot, just a little). The first record in the partition table shows where the Primary partition is (how big it is, where it starts, and where it ends). The second entry in the partition table shows where the Entire Extended Partition is (which may include more than just one partition). To read any more partitions, you go to the where it says the Extended Partition starts, and read the first sector. It acts just like the MBR. It'll have blank where the code is supposed to be, and in the partition table it will have for it's first entry the next Partition in the Drive, and if there are anymore, there will be another Extended partition, just like before. However, all references to Sector Numbers are made using the that new MBR point as the reference, making it a virtual drive. Just incase this doesn't make much sense (and by the way I explain things I can understand if it doesn't), let me show you how a drive with three partitions is setup.MBR of Whole DriveEntry #1 - Points to Partition #1
Entry #2 - Points to the Entire Extended PartitionYou would read the first sector of that Extended Partition, and see another MBR Structure.MBR of Extended PartitionEntry #1 - Points to Partition #2
Entry #2 - Points to Rest of Extended Partition after Partition #2Now, all references to Sector Numbers (most specifically the entry at Offset 08h) in those Entries wouldn't be referenced from the start of the drive, but from the start of the Extended Partition. However, the CHS (Cylinder, Head, Sector) numbers would still be right.Once again, you would read the first sector of that Extended Partition, and see the next MBR.MBR of Rest of Extended PartitionEntry #1 - Points to Partition #3
No Entry #2, since this was the Last PartitionIf there were another partition, the pattern would continue just like before, until the last one was reached.
This information is located in the first sector of every partition.
Offset
|
Description
|
Size
|
00h
|
Jump Code + NOP
|
3 Bytes
|
03h
|
OEM Name (Probably MSWIN4.1)
|
8 Bytes
|
0Bh
|
Bytes Per Sector
|
1 Word
|
0Dh
|
Sectors Per Cluster
|
1 Byte
|
0Eh
|
Reserved Sectors
|
1 Word
|
10h
|
Number of Copies of FAT
|
1 Byte
|
11h
|
Maximum Root Directory Entries (N/A for FAT32)
|
1 Word
|
13h
|
Number of Sectors in Partition Smaller than 32MB (N/A for FAT32)
|
1 Word
|
15h
|
Media Descriptor (F8h for Hard Disks)
|
1 Byte
|
16h
|
Sectors Per FAT in Older FAT Systems (N/A for FAT32)
|
1 Word
|
18h
|
Sectors Per Track
|
1 Word
|
1Ah
|
Number of Heads
|
1 Word
|
1Ch
|
Number of Hidden Sectors in Partition
|
1 Double Word
|
20h
|
Number of Sectors in Partition
|
1 Double Word
|
24h
|
Number of Sectors Per FAT
|
1 Double Word
|
28h
|
Flags (Bits 0-4 Indicate Active FAT Copy) (Bit 7 Indicates whether FAT Mirroring is Enabled or Disabled <Clear is Enabled>) (If FAT Mirroring is Disabled, the FAT Information is only written to the copy indicated by bits 0-4)
|
1 Word
|
2Ah
|
Version of FAT32 Drive (High Byte = Major Version, Low Byte = Minor Version)
|
1 Word
|
2Ch
|
Cluster Number of the Start of the Root Directory
|
1 Double Word
|
30h
|
Sector Number of the File System Information Sector (See Structure Below) (Referenced from the Start of the Partition)
|
1 Word
|
32h
|
Sector Number of the Backup Boot Sector (Referenced from the Start of the Partition)
|
1 Word
|
34h
|
Reserved
|
12 Bytes
|
40h
|
Logical Drive Number of Partition
|
1 Byte
|
41h
|
Unused (Could be High Byte of Previous Entry)
|
1 Byte
|
42h
|
Extended Signature (29h)
|
1 Byte
|
43h
|
Serial Number of Partition
|
1 Double Word
|
47h
|
Volume Name of Partition
|
11 Bytes
|
52h
|
FAT Name (FAT32)
|
8 Bytes
|
5Ah
|
Executable Code
|
420 Bytes
|
1FEh
|
Boot Record Signature (55h AAh)
|
2 Bytes
|
Usually this is the Second Sector of the partition, although since there is a reference in the Boot Sector to it, I'm assuming it can be moved around. I never got a complete picture of this one. Although I do know where the important fields are at.
Offset
|
Description
|
Size
|
00h
|
First Signature (52h 52h 61h 41h)
|
1 Double Word
|
04h
|
Unknown, Currently (Might just be Null)
|
480 Bytes
|
1E4h
|
Signature of FSInfo Sector (72h 72h 41h 61h)
|
1 Double Word
|
1E8h
|
Number of Free Clusters (Set to -1 if Unknown)
|
1 Double Word
|
1ECh
|
Cluster Number of Cluster that was Most Recently Allocated.
|
1 Double Word
|
1F0h
|
Reserved
|
12 Bytes
|
1FCh
|
Unknown or Null
|
2 Bytes
|
1FEh
|
Boot Record Signature (55h AAh)
|
2 Bytes
|
Offset
|
Description
|
Start of Partition
|
Boot Sector
|
Start + # of Reserved Sectors
|
Fat Tables
|
Start + # of Reserved + (# of Sectors Per FAT * 2) <Assuming that FAT Mirroring is Enabled, I personally haven't seen a case where it wasn't, but I guess there is always the possibility>
|
Data Area (Starts with Cluster #2)
|
A Cluster is a Group of Sectors on the Hard Drive that have information in them. A 4K Cluster has 8 Sectors in it (512*8=4096). Each Cluster is given a spot in the FAT Table. When you look at an Entry in the FAT, the number there tells you whether or not that cluster has data in it, and if so, if it is the end of the data or there is another cluster after it. All Data on a Partition starts with Cluster #2. If the FAT Entry is 0, then there is no data in that cluster. If the FAT Entry is 0FFFFFFFh, then it is the last entry in the chain.This is one of my biggest holes in my information. I am unable to find anyplace that shows what numbers mean what when it comes to the FAT table. I was able to tell the end of the chain just by looking at a FAT32 Drive, but I don't know what stands for a BAD Cluster or what the maximum valid number for showing data is.For now, you can calculate the maximum valid cluster in a partition with this formula:( (# of Sectors in Partition) - (# of Sectors per Fat * 2) - (# of Reserved Sectors) ) / (# of Sectors per Cluster)If there is any remainder in the answer to that formula, it just means that there were a few extra clusters at the end of the partition (probably not enough to make another cluster), so you can just get rid of anything after the decimal point.Thanks to Andrew Clausen for pointing this formula out to me.
Another aspect when looking at a File System at Low Level is the Directory Table. The Directory Table is what stores all of the File and Directory Entries. Basically there is only one difference between the Directory Table of FAT16 and FAT32, so go here to look at FAT16's Structure. The Difference is : the Reserved OS/2 Byte (Offset 20 [14h]) in the Short Filename Structure is replaced with the High Word of the Cluster Number (since it's now 4 bytes instead of 2).
