Upload is process
of transmitting a file from a computer system to other computer
systems. Attacker to upload files to insert in accordance with the
desired command so that it can remotely victim. This attack is
passive as it waits for the victim to take action on a file that is
uploaded.
Daftar Blog Saya
Jumat, 08 Juni 2012
Minggu, 18 Maret 2012
Magic Number
A magic number or sometimes referred to as a file signature is a number embedded at or near the beginning of a file that indicates its file format (i.e., the type of file it is). magic number can be viewed using a hex editor.
for example, the magic number for JPEG (Joint Photographic Experts Group) image files is 0x4A464946, which is the ASCII equivalent of JFIF (JPEG File Interchange Format). However, JPEG magic numbers are not the first bytes in the file; rather, they begin with the seventh byte.
Similarly, the magic number for image files having the subsequently introduced GIF89a format is 0x474946383961. For both types of GIF (Graphic Interchange Format) files, the magic number occupies the first six bytes of the file. They are then followed by additional general information (i.e., metadata) about the file.
for example, the magic number for JPEG (Joint Photographic Experts Group) image files is 0x4A464946, which is the ASCII equivalent of JFIF (JPEG File Interchange Format). However, JPEG magic numbers are not the first bytes in the file; rather, they begin with the seventh byte.
Similarly, the magic number for image files having the subsequently introduced GIF89a format is 0x474946383961. For both types of GIF (Graphic Interchange Format) files, the magic number occupies the first six bytes of the file. They are then followed by additional general information (i.e., metadata) about the file.
Slack Space
Slack space is the area between the end of a file and end of the last cluster or sector used by the file in question. Area is an area that will not be used again to store the information there, so the area is "wasted" useless. Slackspace is common in file systems that use a large cluster size, while the file system that uses a small cluster size can organize the storage media more effectively and efficiently.Amount of wasted disk space can be thought is estimated by multiplying the number offiles (including the number of directories) with half the size of a cluster.
Unallocated Space
Unallocated Space is available disk space that is not allocated to any
volume. The type of volume that you can create on unallocated space
depends on the disk type. On basic disks, you can use unallocated space
to create primary or extended partitions. On dynamic disks, you can use
unallocated space to create dynamic volumes
If the operating system writes a file to a certain space on the hard drive that part of the drive is now “allocated”, as the file is using it the space, and no other files can be written to that section. If that file is deleted then that part of the hard drive is no longer required to be “allocated” it becomes unallocated. This means that new files can now be re-written to that location.
On a standard, working computer, files can only be written to the unallocated space.
If a newly formatted drive is connected to a computer, virtually all of the drive space is unallocated space (a small amount of space will be taken up by files within the file system, e.g $MFT, etc). On a new drive the unallocated space is normally zeros, as files are written to the hard drive the zeros are over written with the file data
If the operating system writes a file to a certain space on the hard drive that part of the drive is now “allocated”, as the file is using it the space, and no other files can be written to that section. If that file is deleted then that part of the hard drive is no longer required to be “allocated” it becomes unallocated. This means that new files can now be re-written to that location.
On a standard, working computer, files can only be written to the unallocated space.
If a newly formatted drive is connected to a computer, virtually all of the drive space is unallocated space (a small amount of space will be taken up by files within the file system, e.g $MFT, etc). On a new drive the unallocated space is normally zeros, as files are written to the hard drive the zeros are over written with the file data
DBF File structure
A DBF file consists of a header record
and data records. The header record defines the structure of dbf file
and contains any other information related to the table. The header
record starts at file position zero. Data records follow the header, in
consecutive bytes, and contain the actual text of the fields.
Note The data in dbf file starts at the position indicated in bytes 8 to 9 of the header record. Data records begin with a delete flag byte. If this byte is an ASCII space (0x20), the record is not deleted. If the first byte is an asterisk (0x2A), the record is deleted. The data from the fields named in the field subrecords follows the delete flag. The length of a record, in bytes, is determined by summing the defined lengths of all fields. Integers in dbf files are stored with the least significant byte first.
Note The data in dbf file starts at the position indicated in bytes 8 to 9 of the header record. Data records begin with a delete flag byte. If this byte is an ASCII space (0x20), the record is not deleted. If the first byte is an asterisk (0x2A), the record is deleted. The data from the fields named in the field subrecords follows the delete flag. The length of a record, in bytes, is determined by summing the defined lengths of all fields. Integers in dbf files are stored with the least significant byte first.
DBF File Header
Byte offset | Description |
---|---|
0 | DBF File type: 0x02 FoxBASE 0x03 FoxBASE+/Dbase III plus, no memo 0x30 Visual FoxPro 0x31 Visual FoxPro, autoincrement enabled 0x32 Visual FoxPro with field type Varchar or Varbinary 0x43 dBASE IV SQL table files, no memo 0x63 dBASE IV SQL system files, no memo 0x83 FoxBASE+/dBASE III PLUS, with memo 0x8B dBASE IV with memo 0xCB dBASE IV SQL table files, with memo 0xF5 FoxPro 2.x (or earlier) with memo 0xE5 HiPer-Six format with SMT memo file 0xFB FoxBASE |
1 - 3 | Last update (YYMMDD) |
4 – 7 | Number of records in file |
8 – 9 | Position of first data record |
10 – 11 | Length of one data record, including delete flag |
12 – 27 | Reserved |
28 | Table flags: 0x01 file has a structural .cdx 0x02 file has a Memo field 0x04 file is a database (.dbc) This byte can contain the sum of any of the above values. For example, the value 0x03 indicates the table has a structural .cdx and a Memo field. |
29 | Code page mark |
30 – 31 | Reserved, contains 0x00 |
32 – n | Field subrecords The number of fields determines the number of field subrecords. One field subrecord exists for each field in the table. |
n+1 | Header record terminator (0x0D) |
n+2 to n+264 | Visual Foxpro only: A 263-byte range that contains the backlink, which is the relative path of an associated database (.dbc) file, information. If the first byte is 0x00, the file is not associated with a database. Therefore, database files always contain 0x00. |
Field Subrecords Structure
Byte offset | Description |
---|---|
0 – 10 | Field name with a maximum of 10 characters. If less than 10, it is padded with null characters (0x00). |
11 | Field type: C – Character Y – Currency N – Numeric F – Float D – Date T – DateTime B – Double I – Integer L – Logical M – Memo G – General C – Character (binary) M – Memo (binary) P – Picture + – Autoincrement (dBase Level 7) O – Double (dBase Level 7) @ – Timestamp (dBase Level 7) |
12 – 15 | Displacement of field in record |
16 | Length of field (in bytes) |
17 | Number of decimal places |
18 | Field flags: 0x01 System Column (not visible to user) 0x02 Column can store null values 0x04 Binary column (for CHAR and MEMO only) 0x06 (0x02+0x04) When a field is NULL and binary (Integer, Currency, and Character/Memo fields) 0x0C Column is autoincrementing |
19 - 22 | Value of autoincrement Next value |
23 | Value of autoincrement Step value |
24 – 31 | Reserved |
Kamis, 15 Maret 2012
MBR
Master Boot Record
The Master Boot Record is the same for pretty much all Operating Systems. It is located on the first Sector of the Hard Drive, at Cylinder 0, Head 0, Sector 1. It is the first piece of code that your computer runs after it has checked all of your hardware (POST) and turned control of loading software over the hard drive. It also contains the partition table, which defines the different sections of your hard drive. Basically if anything happens to this little 512 byte section, your hard drive is brain dead.
Offset
|
Description
|
Size
|
000h
|
Executable Code (Boots Computer)
|
446 Bytes
|
1BEh
|
1st Partition Entry (See Next Table)
|
16 Bytes
|
1CEh
|
2nd Partition Entry
|
16 Bytes
|
1DEh
|
3rd Partition Entry
|
16 Bytes
|
1EEh
|
4th Partition Entry
|
16 Bytes
|
1FEh
|
Boot Record Signature (55h AAh)
|
2 Bytes
|
Partition Entry (Part of MBR)
Offset
|
Description
|
Size
|
00h
|
Current State of Partition (00h=Inactive, 80h=Active)
|
1 Byte
|
01h
|
Beginning of Partition - Head
|
1 Byte
|
02h
|
Beginning of Partition - Cylinder/Sector (See Below)
|
1 Word
|
04h
|
Type of Partition (See List Below)
|
1 Byte
|
05h
|
End of Partition - Head
|
1 Byte
|
06h
|
End of Partition - Cylinder/Sector
|
1 Word
|
08h
|
Number of Sectors Between the MBR and the First Sector in the Partition
|
1 Double Word
|
0Ch
|
Number of Sectors in the Partition
|
1 Double Word
|
- Master Partition Table: This small table contains the descriptions of the partitions that are contained on the hard disk. There is only room in the master partition table for the information describing four partitions. Therefore, a hard disk can have only four true partitions, also called primary partitions. Any additional partitions are logical partitions that are linked to one of the primary partitions. Partitions are discussed here. One of the partitions is marked as active, indicating that it is the one that the computer should use for booting up.
- Master Boot Code: The master boot record contains the small initial boot program that the BIOS loads and executes to start the boot process. This program eventually transfers control to the boot program stored on whichever partition is used for booting the PC.
Cylinder/Sector Encoding
I guess back in the days of 10MB hard drives and 8086's, code was at a premium. So they did everything they could to preserve space. Unfortunately now we have to live with it, but luckily they created new ways of translating the system so the 1024 Cylinder Limit (2^10) isn't too big of a problem, for newer computers, at least. Older ones usually need some sort of Disk Overlay program to make them see the whole hard drive.Anyway, to get the Sector out of this, you need to apply an AND mask ($3F) to it. To get the Cylinder, you take the high byte and OR it with the low byte that has been AND masked with ($C0) and then Shifted Left Two. It's not very easy to explain, so I'll just show you how I did it with two routines I made (In Pascal) for Encoding and Decoding the Cylinder/Sector. Hopefully even if you don't know Pascal you'll be able to read it.Function CylSecEncode(Cylinder, Sector : Word) : Word;
Begin
CylSecEncode := (Lo(Cylinder) shl 8) or (Hi(Cylinder) shl 6) or Sector;
End;
Procedure CylSecDecode(Var Cylinder, Sector : Word; CylSec : Word);
Begin
Cylinder := Hi(CylSec) or ((Lo(CylSec) and $C0) shl 2);
Sector := (CylSec and $3F);
End;
15
|
14
|
13
|
12
|
11
|
10
|
9
|
8
|
7
|
6
|
5
|
4
|
3
|
2
|
1
|
0
|
Cylinder Bits 7 to 0
|
Cylinder Bits 9+8
|
Sector Bits 5 to 0
|
Partition Type Listing
There are more than just these shown, but I've only included that ones relevant to MS Operating Systems.
Value
|
Description
|
00h
|
Unknown or Nothing
|
01h
|
12-bit FAT
|
04h
|
16-bit FAT (Partition Smaller than 32MB)
|
05h
|
Extended MS-DOS Partition
|
06h
|
16-bit FAT (Partition Larger than 32MB)
|
0Bh
|
32-bit FAT (Partition Up to 2048GB)
|
0Ch
|
Same as 0BH, but uses LBA1 13h Extensions
|
0Eh
|
Same as 06H, but uses LBA1 13h Extensions
|
0Fh
|
Same as 05H, but uses LBA1 13h Extensions
|
Reading Multiple Partitions
Although having multiple partitions in FAT32 isn't as likely as in FAT16, it still works the same way. The first partition is the Primary Partition, and everything else is stored in the Extended Partition. It's a little tricky when it comes to reading those extra partitions though (not a lot, just a little). The first record in the partition table shows where the Primary partition is (how big it is, where it starts, and where it ends). The second entry in the partition table shows where the Entire Extended Partition is (which may include more than just one partition). To read any more partitions, you go to the where it says the Extended Partition starts, and read the first sector. It acts just like the MBR. It'll have blank where the code is supposed to be, and in the partition table it will have for it's first entry the next Partition in the Drive, and if there are anymore, there will be another Extended partition, just like before. However, all references to Sector Numbers are made using the that new MBR point as the reference, making it a virtual drive. Just incase this doesn't make much sense (and by the way I explain things I can understand if it doesn't), let me show you how a drive with three partitions is setup.MBR of Whole DriveEntry #1 - Points to Partition #1
Entry #2 - Points to the Entire Extended PartitionYou would read the first sector of that Extended Partition, and see another MBR Structure.MBR of Extended PartitionEntry #1 - Points to Partition #2
Entry #2 - Points to Rest of Extended Partition after Partition #2Now, all references to Sector Numbers (most specifically the entry at Offset 08h) in those Entries wouldn't be referenced from the start of the drive, but from the start of the Extended Partition. However, the CHS (Cylinder, Head, Sector) numbers would still be right.Once again, you would read the first sector of that Extended Partition, and see the next MBR.MBR of Rest of Extended PartitionEntry #1 - Points to Partition #3
No Entry #2, since this was the Last PartitionIf there were another partition, the pattern would continue just like before, until the last one was reached.
FAT32 Boot Record
This information is located in the first sector of every partition.
Offset
|
Description
|
Size
|
00h
|
Jump Code + NOP
|
3 Bytes
|
03h
|
OEM Name (Probably MSWIN4.1)
|
8 Bytes
|
0Bh
|
Bytes Per Sector
|
1 Word
|
0Dh
|
Sectors Per Cluster
|
1 Byte
|
0Eh
|
Reserved Sectors
|
1 Word
|
10h
|
Number of Copies of FAT
|
1 Byte
|
11h
|
Maximum Root Directory Entries (N/A for FAT32)
|
1 Word
|
13h
|
Number of Sectors in Partition Smaller than 32MB (N/A for FAT32)
|
1 Word
|
15h
|
Media Descriptor (F8h for Hard Disks)
|
1 Byte
|
16h
|
Sectors Per FAT in Older FAT Systems (N/A for FAT32)
|
1 Word
|
18h
|
Sectors Per Track
|
1 Word
|
1Ah
|
Number of Heads
|
1 Word
|
1Ch
|
Number of Hidden Sectors in Partition
|
1 Double Word
|
20h
|
Number of Sectors in Partition
|
1 Double Word
|
24h
|
Number of Sectors Per FAT
|
1 Double Word
|
28h
|
Flags (Bits 0-4 Indicate Active FAT Copy) (Bit 7 Indicates whether FAT Mirroring is Enabled or Disabled <Clear is Enabled>) (If FAT Mirroring is Disabled, the FAT Information is only written to the copy indicated by bits 0-4)
|
1 Word
|
2Ah
|
Version of FAT32 Drive (High Byte = Major Version, Low Byte = Minor Version)
|
1 Word
|
2Ch
|
Cluster Number of the Start of the Root Directory
|
1 Double Word
|
30h
|
Sector Number of the File System Information Sector (See Structure Below) (Referenced from the Start of the Partition)
|
1 Word
|
32h
|
Sector Number of the Backup Boot Sector (Referenced from the Start of the Partition)
|
1 Word
|
34h
|
Reserved
|
12 Bytes
|
40h
|
Logical Drive Number of Partition
|
1 Byte
|
41h
|
Unused (Could be High Byte of Previous Entry)
|
1 Byte
|
42h
|
Extended Signature (29h)
|
1 Byte
|
43h
|
Serial Number of Partition
|
1 Double Word
|
47h
|
Volume Name of Partition
|
11 Bytes
|
52h
|
FAT Name (FAT32)
|
8 Bytes
|
5Ah
|
Executable Code
|
420 Bytes
|
1FEh
|
Boot Record Signature (55h AAh)
|
2 Bytes
|
File System Information Sector
Usually this is the Second Sector of the partition, although since there is a reference in the Boot Sector to it, I'm assuming it can be moved around. I never got a complete picture of this one. Although I do know where the important fields are at.
Offset
|
Description
|
Size
|
00h
|
First Signature (52h 52h 61h 41h)
|
1 Double Word
|
04h
|
Unknown, Currently (Might just be Null)
|
480 Bytes
|
1E4h
|
Signature of FSInfo Sector (72h 72h 41h 61h)
|
1 Double Word
|
1E8h
|
Number of Free Clusters (Set to -1 if Unknown)
|
1 Double Word
|
1ECh
|
Cluster Number of Cluster that was Most Recently Allocated.
|
1 Double Word
|
1F0h
|
Reserved
|
12 Bytes
|
1FCh
|
Unknown or Null
|
2 Bytes
|
1FEh
|
Boot Record Signature (55h AAh)
|
2 Bytes
|
FAT32 Drive Layout
Offset
|
Description
|
Start of Partition
|
Boot Sector
|
Start + # of Reserved Sectors
|
Fat Tables
|
Start + # of Reserved + (# of Sectors Per FAT * 2) <Assuming that FAT Mirroring is Enabled, I personally haven't seen a case where it wasn't, but I guess there is always the possibility>
|
Data Area (Starts with Cluster #2)
|
Cluster Meaning
A Cluster is a Group of Sectors on the Hard Drive that have information in them. A 4K Cluster has 8 Sectors in it (512*8=4096). Each Cluster is given a spot in the FAT Table. When you look at an Entry in the FAT, the number there tells you whether or not that cluster has data in it, and if so, if it is the end of the data or there is another cluster after it. All Data on a Partition starts with Cluster #2. If the FAT Entry is 0, then there is no data in that cluster. If the FAT Entry is 0FFFFFFFh, then it is the last entry in the chain.This is one of my biggest holes in my information. I am unable to find anyplace that shows what numbers mean what when it comes to the FAT table. I was able to tell the end of the chain just by looking at a FAT32 Drive, but I don't know what stands for a BAD Cluster or what the maximum valid number for showing data is.For now, you can calculate the maximum valid cluster in a partition with this formula:( (# of Sectors in Partition) - (# of Sectors per Fat * 2) - (# of Reserved Sectors) ) / (# of Sectors per Cluster)If there is any remainder in the answer to that formula, it just means that there were a few extra clusters at the end of the partition (probably not enough to make another cluster), so you can just get rid of anything after the decimal point.Thanks to Andrew Clausen for pointing this formula out to me.
Directory Table
Another aspect when looking at a File System at Low Level is the Directory Table. The Directory Table is what stores all of the File and Directory Entries. Basically there is only one difference between the Directory Table of FAT16 and FAT32, so go here to look at FAT16's Structure. The Difference is : the Reserved OS/2 Byte (Offset 20 [14h]) in the Short Filename Structure is replaced with the High Word of the Cluster Number (since it's now 4 bytes instead of 2).
Langganan:
Postingan (Atom)