Tuesday, 10 May 2011
Learn Web Hacking With WackoPicko
WackoPicko is a website that contains known vulnerabilities. It can prove as a very efficient way to master web hacking skills. This project is similar to Damn Vulnerable Web Application and is a collection of common web vulnerabilities.
For more information and downloads, you can check the WackoPicko github page.
Vulnerabilities
Reflected XSS
http://localhost/pictures/search.php?query=blah
The query parameter is vulnerable.
Stored XSS
http://localhost/guestbook.php
The comment field is vulnerable.
SessionID vulnerability
http://localhost/admin/login.php
The session cookie value is admin_session, which is an auto-incrementing value.
Stored SQL Injection
http://localhost/users/register.php -> http://localhost/users/similar.php
The first name field of the register users form contains a stored SQL injection which is then used unsanitized on the similar users page.
Reflected SQL Injection
http://localhost/users/login.php
The username field is vulnerable.
Directory Traversal
http://localhost/pictures/upload.php
The tag field has a directory traversal vulnerability enabling a malicious users to overwrite any file the web server uses has access to.
Multi-Step Stored XSS
http://localhost/pictures/view.php?picid=3
The comment field is vulnerable to XSS, however must go through a preview form.
Forceful Browsing
http://localhost/pictures/highquality.php?picid=3&key=highquality
The user doesn't have to purchase the picture to see the high quality version.
Command-line Injection
http://localhost/passcheck.php
The password field is vulnerable to a command line injections.
File Inclusion
http://localhost/admin/index.php?page=login
The page is vulnerable to a file inclusion vulnerability, however you have to include at the end.
Parameter Manipulation
http://localhost/users/sample.php?userid=1
The userid parameter can be manipulated to see any user's page when you need to be logged in otherwise.
Reflected XSS Behind JavaScript
http://localhost/piccheck.php
The name parameter is vulnerable.
Logic Flaw
http://localhost/cart/review.php
A coupon can be applied multiple times reducing the price of an order to zero. The coupon in the initial data is SUPERYOU21.
Reflected XSS Behind a Flash Form
http://localhost/submitname.php
The value parameter is vulnerable.
Weak username/password
https://localhost/admin/login.php
There is a default username/password combination of admin/admin.
Read more...
For more information and downloads, you can check the WackoPicko github page.
Vulnerabilities
Reflected XSS
http://localhost/pictures/search.php?query=blah
The query parameter is vulnerable.
Stored XSS
http://localhost/guestbook.php
The comment field is vulnerable.
SessionID vulnerability
http://localhost/admin/login.php
The session cookie value is admin_session, which is an auto-incrementing value.
Stored SQL Injection
http://localhost/users/register.php -> http://localhost/users/similar.php
The first name field of the register users form contains a stored SQL injection which is then used unsanitized on the similar users page.
Reflected SQL Injection
http://localhost/users/login.php
The username field is vulnerable.
Directory Traversal
http://localhost/pictures/upload.php
The tag field has a directory traversal vulnerability enabling a malicious users to overwrite any file the web server uses has access to.
Multi-Step Stored XSS
http://localhost/pictures/view.php?picid=3
The comment field is vulnerable to XSS, however must go through a preview form.
Forceful Browsing
http://localhost/pictures/highquality.php?picid=3&key=highquality
The user doesn't have to purchase the picture to see the high quality version.
Command-line Injection
http://localhost/passcheck.php
The password field is vulnerable to a command line injections.
File Inclusion
http://localhost/admin/index.php?page=login
The page is vulnerable to a file inclusion vulnerability, however you have to include at the end.
Parameter Manipulation
http://localhost/users/sample.php?userid=1
The userid parameter can be manipulated to see any user's page when you need to be logged in otherwise.
Reflected XSS Behind JavaScript
http://localhost/piccheck.php
The name parameter is vulnerable.
Logic Flaw
http://localhost/cart/review.php
A coupon can be applied multiple times reducing the price of an order to zero. The coupon in the initial data is SUPERYOU21.
Reflected XSS Behind a Flash Form
http://localhost/submitname.php
The value parameter is vulnerable.
Weak username/password
https://localhost/admin/login.php
There is a default username/password combination of admin/admin.
Read more...
Learn Web Hacking With WackoPicko
2011-05-10T22:46:00+05:45
Cool Samar
cross site scripting|hacking|remote code exection|security|security bypass|sql injection|useful website|
Comments
Labels:
cross site scripting,
hacking,
remote code exection,
security,
security bypass,
sql injection,
useful website
Bookmark this post:blogger tutorials
Social Bookmarking Blogger Widget |
Phatch : Batch photo processing GUI tool
Phatch(Photo + Batch) is an user friendly, cross-platform Photo Batch Processor and Exif Renamer with a nice graphical user interface. Phatch handles all popular image formats and can duplicate (sub)folder hierarchies. Phatch can batch resize, rotate, apply shadows, perspective, rounded corners, … and do much more actions in minutes instead of hours or days if you do it manually.
For more information on Phatch, you can visit HERE.
Overview
Actions: resize, rotate, invert, flip, watermark, shadow, rounded corners and much more!
Drag & drop of actions
Enable & disable actions
Can copy folder hierarchies
Python shell
Error logging
File history
Console (can run on servers without gui)
Desktop droplets
Image Inspector (exif & iptc)
Cross-platform (Linux, Windows & Mac)
python-api
File formats
Phatch supports the same file formats as PIL…
Read & write: 'bmp','dib','gif','jpe','jpeg','jpg','im','msp', 'pcx','png','pbm','pgm','ppm','tif','tiff','xbm'
Read only: 'cur','dcx','fli','flc','fpx', 'gbr','gd','ico','imt','mic','mcidas','pcd', 'psd','bw','rgb','cmyk','sun','tga','xpm'
Write only: 'eps','ps','pdf'
Color support
Phatch supports these color modes:
Monochrome (1-bit pixels, black and white)
Grayscale (8-bit pixels, black and white)
RGB (3x8-bit pixels, true colour)
RGBA (4x8-bit pixels, RGB with transparency mask)
CMYK (4x8-bit pixels, colour separation)
P (8-bit pixels, mapped using a colour palette)
YCbCr (3x8-bit pixels, colour video format)
I (32-bit integer pixels)
F (32-bit floating point pixels)
To install phatch under ubuntu, type the following in terminal:
Read more...
For more information on Phatch, you can visit HERE.
Overview
Actions: resize, rotate, invert, flip, watermark, shadow, rounded corners and much more!
Drag & drop of actions
Enable & disable actions
Can copy folder hierarchies
Python shell
Error logging
File history
Console (can run on servers without gui)
Desktop droplets
Image Inspector (exif & iptc)
Cross-platform (Linux, Windows & Mac)
python-api
File formats
Phatch supports the same file formats as PIL…
Read & write: 'bmp','dib','gif','jpe','jpeg','jpg','im','msp', 'pcx','png','pbm','pgm','ppm','tif','tiff','xbm'
Read only: 'cur','dcx','fli','flc','fpx', 'gbr','gd','ico','imt','mic','mcidas','pcd', 'psd','bw','rgb','cmyk','sun','tga','xpm'
Write only: 'eps','ps','pdf'
Color support
Phatch supports these color modes:
Monochrome (1-bit pixels, black and white)
Grayscale (8-bit pixels, black and white)
RGB (3x8-bit pixels, true colour)
RGBA (4x8-bit pixels, RGB with transparency mask)
CMYK (4x8-bit pixels, colour separation)
P (8-bit pixels, mapped using a colour palette)
YCbCr (3x8-bit pixels, colour video format)
I (32-bit integer pixels)
F (32-bit floating point pixels)
To install phatch under ubuntu, type the following in terminal:
sudo apt-get install phatch
Read more...
Phatch : Batch photo processing GUI tool
2011-05-10T22:17:00+05:45
Cool Samar
graphics|software|
Comments
Bookmark this post:blogger tutorials
Social Bookmarking Blogger Widget |
Saturday, 7 May 2011
GPRS Setting For Nepal Telecom
Nepal Telecom is providing GPRS service in its both pre-paid and post-paid services. I am posting the general setting to use the GPRS service of Nepal Telecom.
Basic Setting Parameters for GPRS & MMS
Proxy Server :- 192.80.7.133, Port :- 8000
For accessing internet/WAP through your mobile handset :-
GPRS Access Point Name(APN) :- ntwap
For accessing internet through computer by using GPRS service in your mobile phone :-
APN :- ntnet
For sending and receiving MMS :-
MMS APN :- ntmms
MMS Home Page/Server Address :- 192.80.11.180
Read more...
Basic Setting Parameters for GPRS & MMS
Proxy Server :- 192.80.7.133, Port :- 8000
For accessing internet/WAP through your mobile handset :-
GPRS Access Point Name(APN) :- ntwap
For accessing internet through computer by using GPRS service in your mobile phone :-
APN :- ntnet
For sending and receiving MMS :-
MMS APN :- ntmms
MMS Home Page/Server Address :- 192.80.11.180
Read more...
GPRS Setting For Nepal Telecom
2011-05-07T22:39:00+05:45
Cool Samar
mobile|
Comments
Labels:
mobile
Bookmark this post:blogger tutorials
Social Bookmarking Blogger Widget |
HTML Parser For Blogs
I've written a small code snippet that will work as HTML parser for use in your blogs. It can be useful to put the google adsenses and to post source codes in your blog. Obviously it might have other usages but I am using it for posting source codes.
The parser can be accessed from the URL below:
www.nepali.netau.net/parser
Thanks.
Read more...
The parser can be accessed from the URL below:
www.nepali.netau.net/parser
Thanks.
Read more...
HTML Parser For Blogs
2011-05-07T22:07:00+05:45
Cool Samar
blog|useful website|
Comments
Labels:
blog,
useful website
Bookmark this post:blogger tutorials
Social Bookmarking Blogger Widget |
Graphical Tools To Determine PCI Devices In Linux
We can use lspci command to list and determine the PCI devices from the terminal but most of us want some graphical way to view the PCI devices connected to our system. In this post, we will discuss two such GUI tools.
1. GNOME Device Manager
This is a GNOME program to manage devices and device drivers. It's inspired by hal-device-manager, from the HAL project, but rewritten in C for efficiency and an outlook to actually make it manage devices rather than just show information.
To install it, type the following apt-get command:
You can open the program from Applications -> System Tools -> Device Manager
2. Hardinfo
HardInfo is a small system profiler and benchmark application that displays information about your hardware and operating system. Currently it knows about PCI, ISA PnP, USB, IDE, SCSI, Serial and parallel port devices.
To install hardinfo, type the following in your terminal:
You can open the program from Applications -> System Tools -> System Profiler and Benchmark
If you know any other such GUI tool, please do comment.
Read more...
1. GNOME Device Manager
This is a GNOME program to manage devices and device drivers. It's inspired by hal-device-manager, from the HAL project, but rewritten in C for efficiency and an outlook to actually make it manage devices rather than just show information.
To install it, type the following apt-get command:
sudo apt-get install gnome-device-manager
You can open the program from Applications -> System Tools -> Device Manager
2. Hardinfo
HardInfo is a small system profiler and benchmark application that displays information about your hardware and operating system. Currently it knows about PCI, ISA PnP, USB, IDE, SCSI, Serial and parallel port devices.
To install hardinfo, type the following in your terminal:
sudo apt-get install hardinfo
You can open the program from Applications -> System Tools -> System Profiler and Benchmark
If you know any other such GUI tool, please do comment.
Read more...
Graphical Tools To Determine PCI Devices In Linux
2011-05-07T21:57:00+05:45
Cool Samar
linux|software|ubuntu|
Comments
Bookmark this post:blogger tutorials
Social Bookmarking Blogger Widget |
Monday, 25 April 2011
Keyloggers for Linux: Secretly Watch The Linux Users
For windows, there are numerous keyloggers out there with many pretty cool features but there has been none such great keylogger. But lately there have been few developments and new keyloggers have been developed for Linux platform. In this post, I'll list few keyloggers for linux I've heard about.
1. PyKeylogger - PyKeylogger is a free open source keylogger written in the python programming language, available under the terms of the GNU General Public License. It is currently available for Windows (NT/2000 and up), and Linux (using Xlib, so won't work on the console). It is primarily designed for personal backup purposes, rather than stealth keylogging. Thus, it does not make explicit attempts to hide its presence from the operating system or the user. That said, the only way it is visible is that the process name shows up in the task list, so it is not immediately apparent that there is a keylogger on the system. More on PyKeylogger
2. Logkeys - Logkeys is no more advanced than other available Linux keyloggers, but is a bit more up to date, it doesn't unreliably repeat keys and it should never crash your X. It works with serial as well as USB keyboards. More on Logkeys
3. LKL (Linux KeyLogger) - LKL is a userspace keylogger that runs under Linux on the x86 arch. LKL sniffs and logs everything that passes through the hardware keyboard port (0x60). It translates keycodes to ASCII with a keymap file. LKL Homepage
4. THC-Vlogger - THC-vlogger, an advanced linux kernel based keylogger developed by famous hacker group THC, enables the capability to log keystrokes of all administrator/user's sessions via console, serial and remote sessions (telnet, ssh), switching logging mode by using magic password, stealthily sending logged data to centralized remote server. Its smart mode can automatically detect password prompts to log only sensitive user and password information. THC-Vlogger Home
The keyloggers for Linux are not much advanced and generally lack stealth. You'll have to be creative to make those keyloggers really stealth. Anyway, I hope this list gives you a start to know about linux keyloggers.
Read more...
1. PyKeylogger - PyKeylogger is a free open source keylogger written in the python programming language, available under the terms of the GNU General Public License. It is currently available for Windows (NT/2000 and up), and Linux (using Xlib, so won't work on the console). It is primarily designed for personal backup purposes, rather than stealth keylogging. Thus, it does not make explicit attempts to hide its presence from the operating system or the user. That said, the only way it is visible is that the process name shows up in the task list, so it is not immediately apparent that there is a keylogger on the system. More on PyKeylogger
2. Logkeys - Logkeys is no more advanced than other available Linux keyloggers, but is a bit more up to date, it doesn't unreliably repeat keys and it should never crash your X. It works with serial as well as USB keyboards. More on Logkeys
3. LKL (Linux KeyLogger) - LKL is a userspace keylogger that runs under Linux on the x86 arch. LKL sniffs and logs everything that passes through the hardware keyboard port (0x60). It translates keycodes to ASCII with a keymap file. LKL Homepage
4. THC-Vlogger - THC-vlogger, an advanced linux kernel based keylogger developed by famous hacker group THC, enables the capability to log keystrokes of all administrator/user's sessions via console, serial and remote sessions (telnet, ssh), switching logging mode by using magic password, stealthily sending logged data to centralized remote server. Its smart mode can automatically detect password prompts to log only sensitive user and password information. THC-Vlogger Home
The keyloggers for Linux are not much advanced and generally lack stealth. You'll have to be creative to make those keyloggers really stealth. Anyway, I hope this list gives you a start to know about linux keyloggers.
Read more...
Keyloggers for Linux: Secretly Watch The Linux Users
2011-04-25T22:19:00+05:45
Cool Samar
hacking|keyloggers|linux|
Comments
Labels:
hacking,
keyloggers,
linux
Bookmark this post:blogger tutorials
Social Bookmarking Blogger Widget |
Installing Adobe Photoshop CS5 In Ubuntu [How To]
In this tutorial, I will guide you through how to install and fully run Adobe Photoshop CS5 without any errors. We will be installing the Adobe Photoshop CS5 Portable version available for free in internet.
After downloading the installer for Adobe Photoshop CS5 Portable, you will have to first chmod the exe file so that it can be executed.
Now, run the installer and the photoshop installation will complete without any errors. The problem with this portable photoshop cs5 installation is that it will install correctly but might produce the runtime error complaining about the incorrect loading of C runtime environment. The error you are likely to encounter is similar to something below:
To fix this error, I copied all the files from WinSxS folder from my windows XP OS to the wine's C:\windows\WinSxS\. For this, copy all the files of WinSxS folder to USB and then to your Ubuntu OS(or if you are on VM like me, copy paste via the Virtual Shared folders feature). Now, go to Applications - Wine - Browse C: Drive and then navigate to Windows - WinSxS folder. Paste all the WinSxS contents you just copied from windows OS to this folder. See the screenshots below if you are confused from where to copy and where to paste:
Now try to run photoshop portable and you will probably face the error as below:
Now, go to Applications - Wine - Configure Wine and then from the Applications tab, click on Add Application and add the photoshop portable's executable located at $HOME/.wine/dosdevices/c:/PhotoshopPortable/App/PhotoshopCS5. After adding application, select Windows XP from Windows Version dropdown list. Click on Apply and now your photoshop CS5 portable should work without any error in Ubuntu.
I hope this helps. :)
Read more...
After downloading the installer for Adobe Photoshop CS5 Portable, you will have to first chmod the exe file so that it can be executed.
chmod +x Photoshop_Portable_12.0_en-fr-de-es-it-ru-zh-tw.paf.exe
Now, run the installer and the photoshop installation will complete without any errors. The problem with this portable photoshop cs5 installation is that it will install correctly but might produce the runtime error complaining about the incorrect loading of C runtime environment. The error you are likely to encounter is similar to something below:
Microsoft Visual C++ Runtime Library
Runtime Error!
Program C:\PhotoshopPortable\PhotoshopPortable.exe
R6034
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information
Runtime Error!
Program C:\PhotoshopPortable\PhotoshopPortable.exe
R6034
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information
To fix this error, I copied all the files from WinSxS folder from my windows XP OS to the wine's C:\windows\WinSxS\. For this, copy all the files of WinSxS folder to USB and then to your Ubuntu OS(or if you are on VM like me, copy paste via the Virtual Shared folders feature). Now, go to Applications - Wine - Browse C: Drive and then navigate to Windows - WinSxS folder. Paste all the WinSxS contents you just copied from windows OS to this folder. See the screenshots below if you are confused from where to copy and where to paste:
Now try to run photoshop portable and you will probably face the error as below:
Could not complete your request Unable to initialize windowing system. Terminating.
Now, go to Applications - Wine - Configure Wine and then from the Applications tab, click on Add Application and add the photoshop portable's executable located at $HOME/.wine/dosdevices/c:/PhotoshopPortable/App/PhotoshopCS5. After adding application, select Windows XP from Windows Version dropdown list. Click on Apply and now your photoshop CS5 portable should work without any error in Ubuntu.
I hope this helps. :)
Read more...
Installing Adobe Photoshop CS5 In Ubuntu [How To]
2011-04-25T21:04:00+05:45
Cool Samar
tricks and tips|ubuntu|wine|
Comments
Labels:
tricks and tips,
ubuntu,
wine
Bookmark this post:blogger tutorials
Social Bookmarking Blogger Widget |
Sunday, 24 April 2011
Automatic SQL Injection And Database Takeover With SQLMap 0.9
sqlmap is an open source SQL injection penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. SQLMap consists of a very accurate detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
SQLMap v. 0.9 is out on April 10, 2011 and now consists of more features than ever with numerous improvements in coding. This time the SQL Injection engine has been re-written in v. 0.9 and the tool will be very useful for security experts, enthusiasts and hackers. The feature list of SQLMap is available over HERE.
The tool can be downloaded from the sourceforge page HERE.
Read more...
SQLMap v. 0.9 is out on April 10, 2011 and now consists of more features than ever with numerous improvements in coding. This time the SQL Injection engine has been re-written in v. 0.9 and the tool will be very useful for security experts, enthusiasts and hackers. The feature list of SQLMap is available over HERE.
The tool can be downloaded from the sourceforge page HERE.
Read more...
Automatic SQL Injection And Database Takeover With SQLMap 0.9
2011-04-24T18:38:00+05:45
Cool Samar
hacking|security|security bypass|sql injection|
Comments
Labels:
hacking,
security,
security bypass,
sql injection
Bookmark this post:blogger tutorials
Social Bookmarking Blogger Widget |
Subscribe to:
Posts (Atom)