
How To Dodge iOS 6.1.2 Passcode - Vulnerability Exploited And Explained


Apple's last few iOS releases have given it little to be pleased about, and have given iOS device users plenty to complain about. After the release of iOS 6.1.2, we expected Apple to have got on with resolving the security issues that haunted iOS 6.1. Unfortunately, that hope was dashed. Apple has also been unable to fix the 3G connectivity and Exchange Calendar bugs in iOS 6.


It seems that hackers have been able to bypass the iOS passcode lock once again. Benjamin Kunz Mejri, founder and CEO of Vulnerability Lab, has described both exploits in full, giving us a tutorial on how they work.


Vulnerability Lab's Benjamin Kunz Mejri posts:


A code lock bypass vulnerability via iOS as glitch is detected in the official Apple iOS v6.1 (10B143) for iPad & iPhone. The vulnerability allows an attacker with physical access to bypass via a glitch in the iOS kernel the main device code lock (auth). The vulnerability is located in the main login module of the mobile iOS device (iPhone or iPad) when processing to use the screenshot function in combination with the emergency call and power (standby) button. The vulnerability allows the local attacker to bypass the code lock in iTunes and via USB when a black screen bug occurs. The vulnerability can be exploited by local attackers with physical device access without privileged iOS account or required user interaction. Successful exploitation of the vulnerability results in unauthorized device access and information disclosure.


For starters, you will be using the Emergency Call feature, the lock/sleep button and the screenshot feature. Together these allow the passcode needed to access information on an iDevice to be bypassed.

In the first exploit, the hacker places an emergency call, cancels it while holding the lock/sleep button, and bang! That's it. The hacker can then access the iDevice without the passcode.

In the second exploit, the hacker needs to make the iPhone screen go black in order to plug the iDevice into a computer over USB and access the phone without the PIN or passcode.

You can bypass the passcode lock on an iPhone, iPad or iPod by following the steps given below:

1. Make sure the code lock is activated.

2. Switch your device on by pressing the power button (top right).

3. The iDevice will come to life and the passcode lock will be visible on the screen.

4. Tap Emergency Call.

5. Dial any emergency number, such as 911, and hit Call.

6. Disconnect the call immediately, so that the network does not connect to your dialled number.

7. Press the power button and then the home button on your device.

8. Now hold the power button for three seconds, then press the home button and the Emergency Call button at the same instant (without taking your finger off the power button).

9. Take your finger off the home button first and then off the power button.

10. The iDevice's screen will now be black.

11. Connect your iDevice to your computer with a USB cable while in this mode.

12. You will now have access to all files available on the device.

However, this method has its limitations too, and we ask readers who attempt the above to do so at their own risk and for their own knowledge.

If you have lost your iPhone, iPod or iPad, we would advise you to use the remote wipe feature to erase all your personal data from the iDevice before it gets into the wrong hands.

Cheers!

About the Author:
This article has been written by Dr. Sindhia Javed Junejo. She is one of the core members of RHA team.

DOM Based XSS In AVG


Lately I have been researching DOM-based XSS a bit, and recently I found a DOM-based XSS in AVG. DOM-based XSS is caused by a lack of input filtering inside client-side JavaScript. Since most code is moving to the client side, DOM-based XSS has become very common nowadays, and experts predict that it mostly occurs in websites that rely heavily on JavaScript.

With that being said, let's take a look at the DOM based XSS POC:




The vulnerability is the result of a lack of escaping in "js_stdfull.js". The following is a screenshot of the vulnerable code causing the DOM-based XSS:


Vulnerable code:

    //display the correct tab based on the url (#name)
    var pathname = $(location).attr('href');
    var urlparts = pathname.split("#");
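To make the DOM-based pattern concrete, here is an added illustration (my own, not code from the post or from AVG; the script's real tab names are not shown on the page, so the allow-list below is a constructed assumption) of the same source, the URL fragment, reaching a markup sink unescaped, beside the hardened form that only uses the fragment as a key into an allow-list and escapes anything written back. It is written in Python so the logic can be run offline, but it models what the client-side script should do with the fragment.

```python
from html import escape
from urllib.parse import unquote, urlsplit

# Constructed allow-list: the real tab names in js_stdfull.js are not on the page.
KNOWN_TABS = ("overview", "features", "download")
DEFAULT_TAB = "overview"


def tab_from_href(href: str) -> str:
    """The untrusted source: the URL fragment, i.e. what
    $(location).attr('href').split('#')[1] hands the page script."""
    return unquote(urlsplit(href).fragment)


def render_tab_unsafe(href: str) -> str:
    """Vulnerable pattern: the fragment goes straight into markup. Anything a
    crafted link puts after '#' becomes part of the document."""
    return f'<div id="tab-{tab_from_href(href)}"></div>'


def choose_tab(href: str, known_tabs=KNOWN_TABS, default=DEFAULT_TAB) -> str:
    """Hardened selection: the fragment is only a lookup key against an allow-list,
    never a selector and never markup. Unknown values fall back to the default."""
    candidate = tab_from_href(href)
    return candidate if candidate in known_tabs else default


def render_tab_safe(href: str) -> str:
    """Allow-listed value, escaped on the way out as defence in depth."""
    return f'<div id="tab-{escape(choose_tab(href), quote=True)}"></div>'


if __name__ == "__main__":
    for link in ("https://example.test/page#features", "https://example.test/page#%3Cb%3E"):
        print(render_tab_unsafe(link), "->", render_tab_safe(link))
```

The allow-list is what removes the vulnerability; the escaping only limits damage if the list is ever bypassed.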

I would like to give full credits to David Vieira-Kurz from Majorsecurity.com (@secalert), for helping me sort out the vulnerable code.

Yet another security researcher, David Sopas also found the same issue but on the English version of the site:

http://labs.davidsopas.com/2013/01/avg-vulnerable-to-dom-xss.html

How To Unmap Google Sites To Solve "Another blog or Google Site is already using this address."

The literal cause of the error "Another blog or Google Site is already using this address." is that the Google Sites service is mapped to the address in question, in the Google domain services mapping database.

Some help articles published on the Internet imply that Sites mappings are the only cause of this error. This misconception creates some of the confusion associated with the error. Sites is not the only service in the services mapping database - but it is the only service with web address mappings.

The Sites service contains both service address, and web address, mappings - and both mappings can cause this problem. This oddity creates complexity, and makes a linear check list impossible, when using Google Apps to clear the error - as well as diagnosing the error, in a typical dialogue in Blogger Help Forum: Something Is Broken.

When the Sites service is suspected as the cause of "Another blog or Google Site is already using this address.", one must check both the Service Address Mapping, and the Web Address Mappings, in the Sites service.

Note that the presence of the mappings is not directly affected by the presence of the service wizards, on the desktop of the Google Apps account which you are using. Neither deleting the Apps account, nor uninstalling a given service wizard from the desktop, will immediately reset the mappings for that service, from the database.

If not present on the desktop, the Sites service must be first installed and activated, using the dashboard "Get more apps and services" link.

The Sites service address mapping, like all other services, can be examined and reset using the CustomURL form in Google Apps, as well as "Change URL" in the "General" tab, in the Sites Settings menu. The web address mappings can only be examined and reset using the "Web Address Mapping" tab, in the Sites Settings menu.
  1. Select the "Web Address Mapping" tab, in the Sites Settings menu.
  2. Select all addresses mapped, and click on "Delete Mapping(s)".
  3. Click on "Yes" in the "Are you sure" popup.

If a Sites mapping is not the cause of your problem, Sites won't have a mapped address, in "Web Address Mapping". You will then need to check other settings, in Control Panel / Google Apps.

A Sites service address mapping, like other service address mappings, can sometimes be diagnosed from a simple "302 Moved Temporarily" redirect in a typical HTTP trace.
Sending request:

GET / HTTP/1.1
Host: www.letthykingdomcome.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0
Referer: http://www.rexswain.com/httpview.html
Connection: close

• Finding host IP address...
• Host IP address = 74.125.129.121
• Finding TCP protocol...
• Binding to local socket...
• Connecting to host...
• Sending request...
• Waiting for response...
Receiving Header:
HTTP/1.1·302·Moved·Temporarily(CR)(LF)
Content-Type:·text/html;·charset=UTF-8(CR)(LF)
Location:·http://sites.google.com/a/letthykingdomcome.com/sites/system/app/pages/meta/domainWelcome(CR)(LF)

A Sites web address mapping is not always so easy to diagnose - and may be the reason behind the fact that some HTTP traces end with the blog owner reporting "Another blog or Google Site is already using this address.", and an HTTP trace simply showing the generic 404 Not Found.
Sending request:

GET / HTTP/1.1
Host: www.markhamdesign.co.uk
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
Referer: http://www.rexswain.com/httpview.html
Connection: close

• Finding host IP address...
• Host IP address = 216.239.32.21
• Finding TCP protocol...
• Binding to local socket...
• Connecting to host...
• Sending request...
• Waiting for response...
Receiving Header:
HTTP/1.1·404·Not·Found(CR)(LF)


A Sites "Web Address Mapping" can include an address which is mapped outside Google Apps. This creates a mapping which can't be managed using Google Apps.
If you own a domain and have access to change the CNAME record, you can map any site created in Google Sites outside of Google Apps (for example, sites.google.com/site) to a custom URL.

Sending request:

GET / HTTP/1.1
Host: www.medtechpedia.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
Referer: http://www.rexswain.com/httpview.html
Connection: close

• Finding host IP address...
• Host IP address = 74.125.129.121
• Finding TCP protocol...
• Binding to local socket...
• Connecting to host...
• Sending request...
• Waiting for response...
Receiving Header:
HTTP/1.1·200·OK(CR)(LF)

<body·xmlns="http://www.google.com/ns/jotspot"·id="body"·class="·en············">(LF)
<script·src="//www.gstatic.com/caja/5246m/caja.js">·</script>(LF)
<script·src="http://www.gstatic.com/sites/p/926884/system/js/jot_caja.js">·</script>(LF)
<div·id="sites-page-toolbar"·class="sites-header-divider">(LF)
<div·xmlns="http://www.w3.org/1999/xhtml"·id="sites-status"·class="sites-status"·style="display:none;"><div·id="sites-notice"·class="sites-notice"·role="status"·aria-live="assertive">·</div></div>(LF)
</div>(LF)
<div·id="sites-chrome-everything-scrollbar">(LF)
<div·id="sites-chrome-everything">(LF)
<div·id="sites-chrome-page-wrapper"·style="direction:·ltr">(LF)
<div·id="sites-chrome-page-wrapper-inside">(LF)
<div·xmlns="http://www.w3.org/1999/xhtml"·id="sites-chrome-header-wrapper"·style="">(LF)
<table·id="sites-chrome-header"·class="sites-layout-hbox"·cellspacing="0"·style="">(LF)
<tr·class="sites-header-primary-row"·id="sites-chrome-userheader">(LF)
<td·id="sites-header-title"·class=""><div·class="sites-header-cell-buffer-wrapper"><h2>
<a·href="http://sites.google.com/site/medtechpedia/"·dir="ltr"·id="sites-chrome-userheader-title">MedTechPedia</a></h2></div></td><td·class="sites-layout-searchbox·"><div·class="sites-header-cell-buffer-wrapper"><form·id="sites-searchbox-form"·action="/system/app/pages/search"><input·type="hidden"·id="sites-searchbox-scope"·name="scope"·value="search-site"·/><input·type="text"·id="jot-ui-searchInput"·name="q"·size="20"·value=""·aria-label="Search·this·site"·autocomplete="off"·/><div·id="sites-searchbox-button-set"·class="goog-inline-block"><div·role="button"·id="sites-searchbox-search-button"·class="goog-inline-block·jfk-button·jfk-button-standard"·tabindex="0">Search·this·site</div></div></form></div></td>(LF)
</tr>(LF)
<tr·class="sites-header-secondary-row"·id="sites-chrome-horizontal-nav">(LF)
<td·colspan="2"·id="sites-chrome-header-horizontal-nav-container">(LF)
<div·class="sites-header-nav"><ul·class="sites-header-nav-container-tabs"><li·class="current"><a·class="sites-navigation-link·current"·href="/home">Home</a></li><li·class="unselected"><a·class="sites-navigation-link·unselected"·href="/introduction-to-medical-technology">Introduction·to·Medical·Technology</a></li></ul><div·style="clear:·both;"></div></div>(LF)
</td>(LF)
</tr>(LF)
</table>·(LF)
</div>·
A Sites mapping won't always be present - but when it is, it's not difficult to solve - as long as you can access Google Apps aka "Control Panel".
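The three traces above differ only in their first response line. The following added example (my own, not part of this post; the sample responses are reconstructed from the traces above, and treating the jotspot namespace in the body as the signature of a Sites page is an assumption drawn from the 200 trace) turns that observation into a small triage routine that sorts a captured response into the three cases described: a 302 to sites.google.com/a/<domain>/ (service address mapping), a bare 404 (possibly a web address mapping, which still needs the Sites settings check), or a 200 serving a Sites page directly (a mapping outside Google Apps).

```python
from urllib.parse import urlsplit

# Constructed samples, reduced from the three traces above to the parts that matter.
SAMPLE_302 = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Location: http://sites.google.com/a/letthykingdomcome.com/sites/system/app/pages/meta/domainWelcome\r\n"
    "\r\n"
)
SAMPLE_404 = "HTTP/1.1 404 Not Found\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n"
SAMPLE_200 = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n"
    '<body xmlns="http://www.google.com/ns/jotspot" id="body" class="en">...'
)

# Assumption: this namespace marks a page rendered by Google Sites.
SITES_BODY_SIGNATURE = 'xmlns="http://www.google.com/ns/jotspot"'


def parse_response(raw: str):
    """Split a captured response into (status_code, {header: value}, body)."""
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def diagnose_sites_mapping(raw: str, domain: str) -> str:
    """Sort the response into the cases the post describes."""
    status, headers, body = parse_response(raw)
    if status == 302:
        target = urlsplit(headers.get("location", ""))
        if target.hostname == "sites.google.com" and target.path.startswith(f"/a/{domain}/"):
            return "sites-service-address-mapping"   # reset via CustomURL or Sites "Change URL"
        return "redirect-elsewhere"
    if status == 404:
        return "possible-sites-web-address-mapping"  # inconclusive: check "Web Address Mapping"
    if status == 200 and SITES_BODY_SIGNATURE in body:
        return "sites-page-served-directly"          # mapping outside Google Apps (CNAME)
    return "no-sites-signature"


if __name__ == "__main__":
    for sample, domain in ((SAMPLE_302, "letthykingdomcome.com"),
                           (SAMPLE_404, "markhamdesign.co.uk"),
                           (SAMPLE_200, "medtechpedia.com")):
        print(domain, "->", diagnose_sites_mapping(sample, domain))
```

Only the 302 case is conclusive on its own; the 404 result is a prompt to open the Sites settings, exactly as the post says.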

Adobe Zero Day Malware - Upgrade Adobe Reader and Acrobat



A few days ago we blogged about Adobe's zero-day malware affecting Adobe Reader and Acrobat. The malware was investigated by SophosLabs, who uncovered an ample amount of information. We reported that, while Adobe was working on a fix, users could defend themselves by following a few simple steps. Well, Adobe has kept its promise and we need fear no more: the emergency update for Adobe Reader and Acrobat has been released.



Adobe has fixed it for all platforms. It is highly recommended that all Mac, Windows and Linux users upgrade to the new release.

According to Adobe's Security Bulletin:

Adobe is aware of reports that two vulnerabilities (CVE-2013-0640, CVE-2013-0641) referenced in Security Advisory APSA13-02 are being exploited in the wild. Adobe recommends users update their product installations using the instructions provided in the "Solution" section below.

Cheers!

About the Author:
This article has been written by Dr. Sindhia Javed Junejo. She is one of the core members of RHA team.

Browser Cache, And Blogs Locked After Hacking

The effects of browser cache, upon our Internet life, are not always understood.

Most of us know, by now, to clear cache and restart the browser, after updating a blog, for consistent testing. Some folks know that blog security changes don't always take complete and immediate effect.

Recently, we're seeing a new effect, reported by owners of Blogger accounts locked, after hacking activity is detected.
I got a message mentioning suspicious account activity, when I logged in to Blogger. I provided my phone number, and I received a code on my phone, that I had to enter before I could then log in. My blog was working fine just after I logged in. A short while later, though, it was gone. Why was my blog deleted, because I unlocked my account?
This blog owner is just slightly confused, about the cause and effect here.

Google robotic processes are constantly monitoring account login activity, and watching for signs of hacking activity, such as brute force password entry.

Hacking Cannot Be Detected, Immediately.

When hacking is detected, the detection may not be immediate - so Google protects us by considering the possibility that the hacking could have been successful, and deletes or locks blogs owned by the account under attack. The blogs in question are taken offline, immediately, when hacking is detected.

When a blog is taken offline, blog content may be found in cache.

If a blog owner has just been working on a blog, as is frequently the case, the blog contents will be cached somewhere between the owner and the Blogger servers. Blogger can take the blogs offline, on their servers - but any cache containing the blogs will remain. If the blog owner is working on a blog while the Blogger account is under attack, what's in cache will remain, visible to the owner, until cache expires.

If a Blogger account is attacked, and the attack is detected, shortly after the owner has viewed a blog, what's in cache will be used, until it expires. The owner won't see the effects of the blog being deleted until the cache expires, and the browser tries to retrieve a fresh copy from the Blogger servers.

As cache expires later, the blog owner sees the blog go offline.

The blog owner sees the blog go offline shortly after he verifies account ownership, and thinks that the verification process caused the blog to go offline. In reality, the blog was taken offline before the owner even knew of "suspicious" account activity.

The blog owner has to wait, while the blogs are examined for hacker changes.

Now, the blog owner can do nothing, except wait until the account and the blogs are examined for signs of tampering. In some cases, no notification of progress will be received - and the owner will see the blog(s) returned to service, sometime later.

How much later the blogs return to service will vary widely, depending upon several details - and this variation, added to the uncertainty caused by cache latency, leads to mystery. And less attentive owners may take the delay as revenge, by Blogger, for their lack of attention to their blog(s).


All Problems And Solutions Related To SQL injection


Today I'll write a tutorial that covers most of the problems you run into while applying SQL injection, and solutions to them. Probably every person who has looked at tutorials on hacking a website has noticed that there are too many SQL tutorials. Almost every forum has 10 tutorials, and every blog 5, about SQL injection, but actually those tutorials are stolen from somewhere else, and most of the time the author doesn't even know why SQL injection works. All of those tutorials are like textbooks with their ABCs, and the result is just a mess. Everyone is writing tutorials about SQL, but nobody covers the problems that come with the attack.
What is the cause of most problems related to SQL injection?

Web developers aren't always dumb; they have also heard of hackers and have implemented security measures like a WAF or manual protection. A WAF is a web application firewall and will block malicious requests, but WAFs are quite easy to bypass. Nobody likes having their site hacked, so they implement some security, but of course it would be false to say that if we fail it's the server's fault. There's also a large possibility that we're injecting differently than we should.
A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified.

If you're interested in WAFs and how they work, I suggest reading about them on Wikipedia, http://en.wikipedia.org/wiki/Application_firewall, or at the Open Web Application Security Project, also known as OWASP:

https://www.owasp.org/index.php/Web_Application_Firewall

Order by is being blocked?

It rarely happens, but sometimes you can't use order by because the WAF has blocked it, or for some other reason. Unfortunately we can't skip the order by step, so we have to find another way. The way is simple: instead of order by we use group by, because that's very unlikely to be blacklisted by the WAF.
If this request returns 'forbidden', then it is blocked:

http://site.com/gallery?id=1 order by 100--

Then try group by instead, and it should return correctly:

http://site.com/gallery?id=1 group by 100-- / success

There's still a possibility that the WAF will block the request, but there's one other way that's not very widely known. It uses (the main query) = (select 1):

http://example.org/news.php?id=8 and (select * from admins)=(select 1)

Then you'll probably receive an error like this: Operand should contain 5 column(s).
That error means there are 5 columns, so we can proceed to the next step, union select. The command was different from usual, but the injection will be the same.
http://site.com/news.php?id=-8 union select 1,2,3,4,5--
'order by 10000' and still no error?

There's a small chapter where I'll tell you why order by sometimes won't work and you don't see an error. The difference from the last chapter is that there your requests were blocked by the WAF, whereas here the injection method is a little different. When I saw this for the first time I wondered how a database could have 100000 columns, since I wasn't getting the error while the site was vulnerable.

The answer is quite logical. When we try order by 1000000 and get no error, it's not because there are that many columns; it's because our injection isn't working at all: the text we add is being treated as part of a quoted value rather than as SQL.

Example : site.com/news.php?id=9 order by 10000000000-- [No Error] 

To bypass this you just have to change the URL a little: add ' after the ID number and + at the end.
Example:
site.com/news.php?id=9' order by 10000000--+ [Error]

If the last example is working for you then it means you have to use it in the next steps also. This isn't anything complicated, but to make everything clear I'll still give you an example.

http://site.com/news.php?id=-9' union select 1,2,3,4,5,6,7,8--+
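The quote-context point above is easiest to see from the application's side. This is an added example (not from the tutorial; the news table and its rows are constructed) that builds the two vulnerable statements the tutorial is probing, numeric id=9 and quoted id='9', against an in-memory SQLite database and shows why one payload errors while the other silently returns nothing; the hardened version allow-lists the input's shape and binds it as a parameter, so neither payload ever reaches the SQL parser.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a news table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?, ?)",
                     [(1, "first post", "..."), (9, "ninth post", "...")])
    conn.commit()
    return conn


def vulnerable_lookup(conn, user_id: str, quoted: bool):
    """String concatenation in the two contexts the tutorial probes:
      numeric  ... WHERE id = 9     (payload: 9 order by 10000)
      quoted   ... WHERE id = '9'   (payload: 9' order by 10000--)
    Returns ('ok', row_count) or ('error', message)."""
    if quoted:
        sql = f"SELECT id, title FROM news WHERE id = '{user_id}'"
    else:
        sql = f"SELECT id, title FROM news WHERE id = {user_id}"
    try:
        return "ok", len(conn.execute(sql).fetchall())
    except sqlite3.Error as exc:
        return "error", str(exc)


def safe_lookup(conn, user_id: str):
    """Hardened: allow-list the input's shape, then bind it as a parameter so the
    database never parses user text as SQL."""
    if not user_id.isdigit():
        return "rejected", 0
    rows = conn.execute("SELECT id, title FROM news WHERE id = ?", (int(user_id),)).fetchall()
    return "ok", len(rows)


if __name__ == "__main__":
    db = make_db()
    for payload in ("9", "9 order by 10000", "9' order by 10000--"):
        print(repr(payload),
              "numeric:", vulnerable_lookup(db, payload, quoted=False),
              "quoted:", vulnerable_lookup(db, payload, quoted=True),
              "safe:", safe_lookup(db, payload))
```

Run it and the unquoted context errors on order by 10000 (the signal the tutorial looks for), the quoted context swallows the same text as a harmless string (the "[No Error]" case), and the quote-escaped variant errors again; the parameterized lookup rejects both payloads before any SQL is built.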


Extracting data from other databases.

Sometimes the injection works and no errors appear: a hacker's perfect dream. That dream ends the moment we see that nothing useful is there. There are only a few tables, called "News", "gallery" and "articles", and they aren't useful at all, because we'd like to see tables like "Admin" or "Administrator". Still, the server probably has several databases, and even if we find the information we're looking for, we should take a look at the other databases as well.

This will give you the schema names:

site.com/news.php?id=9 union select 1,2,group_concat(schema_name),4 from information_schema.schemata

And with this query you can get the tables from a schema:

site.com/news.php?id=9 union select 1,2,group_concat(table_name),4 from information_schema.tables where table_schema=0x

This query will give you the column names:

site.com/news.php?id=9 union select 1,2,group_concat(column_name),4 from information_schema.columns where table_schema=0x and table_name=0x


I get an error if I try to extract tables.

site.com/news.php?id=9 union select 1,2,group_concat(table_name),4 from information_schema.tables

Le wild Error appears:
"you have an error in your sql syntax near '' at line 1"
Change the URL to this:
site.com/news.php?id=9 union select 1,2,concat(unhex(hex(table_name))),4 from information_schema.tables limit 0,1--
How to bypass WAF/Web application firewall

The biggest reason most of the problems occur is the security measures added to the server and the WAF, but mostly they're of no use and can be bypassed really easily. Mostly you will get a 404 error like the one below; this is the WAF. Most likely people who are into SQL injection and bypassing WAFs are thinking at this moment "Dude, only one bypassing method?", but we both know that bypassing WAFs is a different kind of science and I could write an ebook on it. I'll answer those bypassing questions another time.

"404 forbidden you do not have permission to access to this webpage"
The request will look like this if you get the error:

http://www.site.com/index.php?id=-1+union+select+1,2,3,4,5--
[Error]
Change the URL as below:
http://www.site.com/index.php?id=-1+/*!UnIoN*/+/*!sELeCt*/1,2,3,4,5--
[No error]
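As a defender's counterpart to the inline-comment bypass above, here is an added detection example (my own, not from the tutorial and not any real WAF's rule set; the request lines are constructed from the tutorial's URLs). It contrasts a raw keyword blacklist, which the /*!UnIoN*/ form slips past, with a check that first normalizes the parameter (plus/percent decoding, unwrapping MySQL /*!...*/ comments whose content the server executes, dropping plain comments, folding case and whitespace) and only then matches.

```python
import re
from urllib.parse import unquote_plus

# Constructed request lines modelled on the URLs in this tutorial.
SAMPLE_REQUESTS = [
    "/index.php?id=5",
    "/index.php?id=-1+union+select+1,2,3,4,5--",
    "/index.php?id=-1+/*!UnIoN*/+/*!sELeCt*/1,2,3,4,5--",
    "/gallery?id=1 group by 100--",
]

MYSQL_EXEC_COMMENT = re.compile(r"/\*!\d*(.*?)\*/", re.S)  # /*!...*/: MySQL executes the content, so keep it
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)             # ordinary /* ... */: drop it
SQLI_PATTERN = re.compile(
    r"\b(union\s+select|order\s+by|group\s+by|information_schema)\b|;\s*(drop|update|insert)\b"
)


def naive_blacklist(request: str) -> bool:
    """The kind of check the bypass above defeats: decode, then look for the
    keyword pair exactly as written."""
    return "union select" in unquote_plus(request).lower()


def normalize(request: str) -> str:
    """Undo what a blacklist forgets: plus/percent decoding, comment tricks,
    case and whitespace variation."""
    text = unquote_plus(request)
    text = MYSQL_EXEC_COMMENT.sub(r" \1 ", text)
    text = PLAIN_COMMENT.sub(" ", text)
    text = re.sub(r"\s+", " ", text)
    return text.lower()


def looks_like_sqli(request: str) -> bool:
    """Match only after normalization, so the comment-wrapped form is seen as plain text."""
    return SQLI_PATTERN.search(normalize(request)) is not None


def scan(requests=SAMPLE_REQUESTS):
    """Return the requests that the normalized check flags."""
    return [r for r in requests if looks_like_sqli(r)]


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(f"{naive_blacklist(r)!s:5} {looks_like_sqli(r)!s:5} {normalize(r)}")
```

The lesson is that matching must happen on the form the database will see, not on the bytes the client sent; and even then, signature matching is a detection aid, while parameterized queries are the actual fix.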

Is it possible to modify the information in the database by SQL injection?

Most people aren't aware of it, but it's possible. You're able to UPDATE, DROP, INSERT and SELECT information. Most people dealing with SQL injection have never looked deeper into the attack than the average SQL injection tutorial shows, and the average tutorial doesn't include those statements, most likely because most people are copy-pasting tutorials or just rewriting them. You might ask why one should update, drop or insert information into the database if one can just read the information that's already there; why make another administrator account if one already exists?

Reading information is just one part of the injection, and sometimes those other, rather infamous commands are more powerful than we think. If you have read all the available SQL injection tutorials then you're probably aware that you can read the information, but you didn't know that you can modify it. If you have tried SQL injection then you have probably faced problems like there being no administrator account: why not use INSERT to add one? There isn't an admin page to log in to: why not drop the table and all its information so nobody can access it? I want to get rid of the current administrator and can't change the password: why not use UPDATE to change the administrator's password?
You must have noticed that I have talked a lot about seemingly unnecessary information that you probably don't need to know, but that's the information you need to learn and understand to become a real hacker, because you have to learn how SQL databases work to figure out how those commands work, and you can't find tutorials about it on the net. It's just like the math you learn in school: if you don't learn it, you'll be in trouble when you grow up.

Theory is almost over and now let's get to the practice.

Let's say that we're visiting that page and it's vulnerable to SQL injection.

http://site.com/news.php?id=1
You would have to start injecting to look at the tables and the columns in them, but let's assume that the current table is named "News".

With SQL injection you can SELECT, DROP, UPDATE and INSERT information to the database. The SELECT is probably already covered in all the tutorials so let's focus on the other three. Let's start with the DROP command.

I'd like to get rid of a table, how to do it?

http://site.com/news.php?id=1; DROP TABLE news

That seems easy: we have just dropped the table. I'd explain what we did in the above statement, but it hardly needs explaining, because you can all understand the command. Unfortunately most 'hackers' who make tutorials on SQL injection aren't aware of it, and sometimes these three words are more important than all the information we can read in some tutorials.

Let's head to the next statement, UPDATE.


http://site.com/news.php?id=1; UPDATE `table_name` SET `column_to_edit` = 'new data' WHERE column_name='information'--

The above template might be confusing, so I'll add a query that is what you're most likely to use in real life:

http://site.com/news.php?id=1; UPDATE `admin_login` SET `password` = 'Crackhackforum' WHERE login_name='Rynaldo'--
We have just updated the administrator account's password. In the above example, we updated the table admin_login and set the password to "Crackhackforum" for the account whose login_name is Rynaldo. Kind of heavy to explain, but I hope you'll understand.
How does INSERT work?
INSERT isn't as easy as the DROP statement, but it's still quite understandable. Let's continue with administrator privileges, because that's what most people are after. Adding an administrator
account would look like this:

http://site.com/news.php?id=1; INSERT INTO `admin_login` (`login_id`, `login_name`, `password`, `details`) VALUES (2,'Rynaldo','Crackhackforum','NA')--
INSERT INTO `admin_login` means that we're inserting something into admin_login. Next we tell the database exactly which columns we want to fill: (`login_id`, `login_name`, `password`, `details`), the fields the database needs to create a new account. So far we have told the database what we want to add: a new account with an ID, username, password and details. Then we give the values for the new account, VALUES (2,'Rynaldo','Crackhackforum','NA')--, meaning the account ID is 2, the username will be Rynaldo, the password will be Crackhackforum and the details NA. Your new account has been added to the database and all you have to do is open the administrator page and log in.
Passwords aren't working

Sometimes the site is vulnerable to SQL injection and you can get the passwords, so you find the site's username and password, but when you enter them into the admin panel it shows a "Wrong password" error. This can be because those usernames and passwords are there but aren't working. Sometimes this is done by the site's admin to confuse you, and the control panel doesn't actually use that username/password. Sometimes accounts have been removed but are still in the database. Sometimes it isn't the admin's doing: those credentials have been left in the database after the login page was removed, or the real credentials have been transferred to another database and the old entries haven't been deleted.
Sometimes I get some weird password
This weird password is called a hash, and most likely it's an MD5 hash. That means the site's admin has added more security to the website and hashed the passwords. The most popular way is MD5. The best way to crack MD5 hashes is with PasswordsPro or Hashcat, because they're the best and can crack the password even if it's really hard or isn't MD5. You can also use http://md5decrypter.com. I don't like to be a person who nitpicks small details, but here's a tip you should keep in mind. The domain says "md5decrypter", which refers to decrypting MD5 hashes.
Actually it's not possible to decrypt a hash, because hashing is 'one-way'. One-way means it can only be computed forward, not reversed. Still, that doesn't mean we can't find out what the hash came from: we have to crack it. Hashes can't be decrypted, only cracked. Those online sites aren't cracking hashes every time; they store already-cracked hashes and their results in a database, and if you ask for a hash that's already there, you get the result. :)
An MD5 hash looks like this: 827ccb0eea8a706c4c34a16891f84e7b = 12345
You can read about all the hashes that exist and their descriptions at http://pastebin.com/aiyxhQsf
MD5 hashes can't be decrypted, only cracked.
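The point that MD5 hashes are looked up rather than decrypted can be checked directly. This added example (my own, not from the tutorial; the wordlist is constructed and the iteration count is illustrative) reproduces the 827ccb... = 12345 pair with hashlib, shows a lookup "cracker" as nothing more than a precomputed table, and then shows the storage scheme that defeats such tables on the defender's side: a random per-user salt with a slow derivation (PBKDF2-HMAC-SHA256 here).

```python
import hashlib
import hmac
import os


def md5_hex(text: str) -> str:
    """Plain MD5 of the text, the unsalted form the tutorial says most sites use."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# Constructed wordlist; a lookup site simply holds billions of such (hash, word) pairs.
SAMPLE_WORDLIST = ["password", "12345", "letmein", "qwerty"]


def lookup_crack(digest: str, wordlist=SAMPLE_WORDLIST):
    """What an online 'MD5 decrypter' really does: compare against precomputed
    hashes of known words. Nothing is reversed; an unknown word yields None."""
    table = {md5_hex(word): word for word in wordlist}
    return table.get(digest.lower())


PBKDF2_ROUNDS = 200_000   # illustrative count; tune to your own hardware budget


def store_password(password: str, salt: bytes = None) -> str:
    """Salted, slow hash. A fresh random salt per user means identical passwords
    get different records, so a precomputed table is useless against the store."""
    salt = salt if salt is not None else os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algorithm, salt_hex, derived_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(derived.hex(), derived_hex)


if __name__ == "__main__":
    digest = md5_hex("12345")
    print(digest, "->", lookup_crack(digest))
    record = store_password("12345")
    print(record, verify_password("12345", record))
```

Two users who both chose 12345 get the same MD5 but different PBKDF2 records, which is exactly why the lookup trick stops working once salts are in play.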
How to find the admin page of a site?
Some sites don't contain an admin control panel, and that means you can use any method for finding the admin page, but it doesn't even exist. You might ask "I got the username and password from the database, why isn't there any admin login page then?", but sometimes they are just left in the database after the control panel is removed.
Mostly people use tools called "admin page finders". They have a specific list of pages and will try each of them. If the page gives HTTP response 200 then it exists, but if the server responds with HTTP response 404 then the page doesn't exist there. If a page from the list exists then the tool will say "Page found". I don't have any tool to share at the moment, but if you download one yourself, beware, because those tools might be infected with viruses.
Admin page finders usually don't find the administrator page if it's custom made or renamed. That means quite often those tools don't help us out and we have to use an alternative, and I think the best one is a site crawler. Most of you probably have Acunetix Web Vulnerability Scanner 8, and it has one wonderful feature called the site crawler. It'll show you all the pages on the site and will 100% find the login page if one exists.
Automated SQL injection tools.
Automated SQL injection tools are programs that do the whole job for you; sometimes they will even crack the hashes and find the administrator page for you. Most people use automated SQL injection tools, and the most popular are Havij and SQLmap. Havij is used much more than SQLmap, even though the other tool is much better for the injection. The sad truth is that many people aren't even able to run SQLmap, and those persons are called script-kiddies. Being a script-kiddie is the worst thing you can be in the hacking world, and if you won't learn how to perform the attack manually and only use tools, then you're one of them.
If you're using those tools to perform the attack then most people will think you're a script-kiddie, because most likely you are. Professionals won't take you seriously if you're injecting with them, and you won't become a real hacker either.

My text above might raise the question, "But I've seen that even professional hackers use SQLmap?", and I'd like to say that everything isn't always black and white. If there are 10 databases, 50 tables in them and 100 columns in a table, it would take days to process all that information by hand. I also sometimes use automated tools because they make my life easier, but to use those tools you first have to learn how to do the work manually, and that's what the tutorial above teaches you.
Use automated tools only to make your life easier, but don't even look at them if you don't know how to perform the attack manually.

What else can I do with SQL injection besides extracting information?

There are many things besides extracting information from the database, and sometimes they are much more powerful. We have talked about how sometimes the database doesn't contain the administrator's credentials, or you can't crack the hashes. Then the whole injection seems pointless, because we can't use the information we got from the database. Still, we can use other methods. Just as we can conduct a CSRF attack with persistent XSS, we can also move on to other attacks through SQL injection.

One option would be performing a DOS attack on the website that is vulnerable to SQL injection. DOS is short for Denial of Service, and it's totally different from DDOS, which is Distributed Denial of Service. I think you all probably know what these are, but if I sum the attack up in a sentence, DOS allows us to take down the website temporarily so users won't have access to it.

The other way would be uploading our shell through SQL injection. If you're wondering what a shell is, then put shortly, it's a script that we upload to the server; it creates a backdoor for us and gives us the privileges to do what we like on the server, and sometimes by uploading a shell you have more rights to modify things than the real administrator has. After you have uploaded a shell, you can move on to symlinking, which means we can deface all the sites sharing the same server. Shelling the website is probably the most powerful thing you can do to it. I have not covered how to upload a shell through SQL injection, and haven't covered how to cause DOS either, but I probably will in my next tutorials, because uploading a shell through SQL is another kind of science, just like bypassing WAFs. Those are the most common methods attackers put to use after they can't get anything useful out of the database.
We have all heard that imagination is unlimited and you can do whatever you'd like. That's kind of true, and hacking isn't an exception; there are more ways than I can count.

What to do if all the information doesn't display on the page?
I have actually rarely seen so much information on a webpage that it just doesn't fit, but one person recently asked me that question and I decided to add it here. Also, if you have questions, do ask and I'll update the article. Getting back to the question, the answer is simple: if all the information can't fit on the screen, you have to look at the source code, because everything displayed on the webpage will be in there. Also, sometimes the information appears in the tab where the site's name usually is. If you can't see the information, sometimes it's hidden, but with a deeper look you might find it in the source. That's why you always have to try all the solutions before quitting, because sometimes you might think "I can't inject into that..", but actually the answer is hidden in the source.

About the Author
Every sentence of that thread is written by Crackhackforum.com staff Rynaldo. You can use that tutorial on your blog, sites and forums if you keep the credits to crackhackforum.com Staff Rynaldo and link to this post.

If You Moderate Comments Using Email, Mark The Spam Properly

One sign of confusion, in Blogger Help Forum: Something Is Broken, comes from blog owners who are moderating comments on their blogs using comment moderation email.
I am constantly assailed by spam comments, being published to my blog, delivered to my Inbox! Is there anything I can do, about the spam, except just keep deleting?
Comment moderation, using email, offers several choices for action - but only one action will have any actual effect upon the spam.

When you moderate comments using email - and you are using comment moderation email, not comment notification email - you'll have the same choices for comment moderation as when you use the Blogger dashboard wizard.
  • Publish
  • Delete
  • Mark as spam
You'll have an additional choice, too.
  • Moderate comments for this blog.
The latter choice gives you - when you are properly logged in to Blogger - quick access to the dashboard Comments wizard, to moderate from there.

As with using the dashboard wizard, the choice here is crucial. You need to mark spam comments as Spam. If you delete, the comment goes away - and nothing is done to train the spam filters. Spam comments, deleted, will simply let the spammer continue to annoy you.

With email messages, there are two more actions which some people take - and neither will do anything, directly, about comment spam.
  • Some people will delete the email message - and this simply removes the email message, and the emailed copy of the spam, from the Inbox.
  • Other people will use the "Spam" email mark. This selection is used to train the email comment filters - but it will only indirectly train the comment spam filters.
Neither deleting the email message, nor marking the email message as spam, will do anything about comment spam.

If you're looking at the comment notification email message, you'll have no comment moderation choices. Here, your only choice will be to delete the email message - if you're concerned with Inbox capacity. You can't moderate, using comment notification email.

Marking an email message, containing a spam comment, as spam - whether you are viewing the comment moderation or comment notification email message - accomplishes nothing. When you mark an email message as spam, you're reporting the sender of the email message. With comment moderation or comment notification email, marking an email message as spam reports the Blogger comment forwarding wizard - and this does nothing about the originator of the spam comment.

Use email to moderate comments, if you like. It's a convenient way to quickly moderate comments - and for some, more convenient than the Blogger dashboard. But make the right choices, when moderating.


Jailbreak iOS 6.1.2 Untethered On All iDevices

Apple has been quick to patch the last of the bugs found in the iOS 6.1.1. With the release of iOS 6.1.2 it seemed that Apple would patch the jailbreak exploit as well. Fortunately, they haven't. The developers of the jailbreak tool Evasi0n are on a roll as they have updated the software to support iOS 6.1.2. Evasi0n v1.4 can now untether jailbreak iOS 6.1.2.

Note: This Jailbreak tool is available for all the iDevices mentioned below:
  • iPhone 5
  • iPhone 4S
  • iPhone 4
  • iPhone 3GS
  • iPad 4
  • iPad 3
  • iPad 2
  • iPad mini
  • iPod touch 4
  • iPod touch 5
Its supported firmwares are:
  • iOS 6.0
  • iOS 6.0.1
  • iOS 6.0.2
  • iOS 6.1
  • iOS 6.1.1
  • iOS 6.1.2

Evasi0n tool supports all iDevices except Apple TV 3 and it is recommended that you backup your device using iTunes or iCloud before proceeding.

All the steps are exactly the same as before. Nothing has changed. If you haven't read up on the topic, we would suggest you look into a full tutorial.

Please read the instructions below and follow them to the dot:

1. Update your iDevice to iOS 6.1.2 via iTunes restore. Click here to download iOS 6.1.2 and update your iDevice manually.

2. Download Evasi0n Jailbreak Tool v1.4 on your Windows, Mac or Linux. (Download links provided below).

3. Disable password lock in case you have enabled it on your iDevice. To do so, go to Settings --> General --> Passcode Lock, and then just switch it off.

4. Run Evasi0n on your computer to get started.


5. Connect your iDevice to your computer via data cable and make sure that your computer recognises it.

6. Hit the jailbreak option and wait for the software to complete the steps necessary to jailbreak your device. Do not touch your device or your computer during this time.


7. Once done, your iDevice will boot back up. When it does, unlock your device and click on the icon named "jailbreak" which will now be available on your homescreen. Click on it and wait.


8. After rebooting a couple of times, you will then have access to Cydia on your homescreen. This means that you have successfully jailbroken your iGadget. Congratulations!


Download Evasi0n Jailbreak Tool v1.4

Cheers!

About the Author:
This article is written by Dr. Sindhia Javed Junejo. She is one of the core members of RHA team.

Malware Classification, And Country Code Redirection

We're seeing a few complaints, in Blogger Help Forum: Something Is Broken, about overly aggressive malware classification.

Many of the complaints are from blog owners who only want to publish their blogs without fear of side effects from the latest controversial feature, Country Code Alias Redirection.

Spurious malware / spam detection is a painful topic to discuss - and it's even more so when the question of country code alias redirection is discussed. Like auto pagination long ago, country code alias redirection appears to be another case of Google manipulating its customers, maliciously. If you consider this issue from the viewpoint of Blogger blogs in general, though, you may see the full picture.

Blogger blogs, like the Internet, need to be available to all countries in the world, without fear of censorship.

Redirection allows specific blogs to be blocked in specific countries.

Country Code Alias Redirection allows Blogger to selectively disable any single blog, in any single country. This selective disabling will, eventually, eliminate the need of any country government to block the entire Blogger service, in their country, because of a few culturally or politically insensitive blogs.

Country Code Alias Redirection is a righteous feature in Blogger blogs. Like many new Google features, it was added before every Internet service was made able to support it. Country Code Alias Redirection uses an Internet standard - not a Google proprietary feature - the canonical URL tag.

If you look at the header in this blog, you can see an example of a canonical URL tag.
<link href='http://blogging.nitecruzr.net/2013/02/malware-classification-and-cc-alias.html' rel='canonical'/>
That's the tag for this article, for instance.

Some non Google features and services don't support Blogger Redirection.

Some Blogger blog owners find that Country Code Alias Redirection causes problems, with some accessories on their blog. Some owners have added anti redirection code to their blogs, so the accessories on their blogs continue to work.

Country Code Alias Redirection may not work with every third party provided blog accessory or Internet service - because all Internet services, and third party accessory providers, do not support canonical URL tags.

Just because some services are not up to date with all Internet features (like Country Code Alias Redirection), this does not mean that it should not be used. The delinquent services need to be encouraged to update their code, as necessary.

Blogs which block redirection are classified as malware hosts.

Some blogs, which block Country Code Alias Redirection, are being spuriously detected as malware hosts - and this is more controversy.

The anti redirection code looks like malware - because that same code is used by spammers, to abuse the Blogger service. To not classify blogs attempting to disable Country Code Alias Redirection, would require the malware classifier to identify the intent of the blog owner - and would make malware detection more complicated.

Since Country Code Alias Redirection is a righteous feature, it's possible that anti redirection code actually should be treated as malware - even though the blog owners, adding the code to their blogs, may not consider this to be the case.

We need to discourage blocking of redirection, for everybody's benefit.

Those of us who are concerned with detection and removal of malware and spam from the Internet, in general, know that malware and spam is like a cancer - if you don't remove what you see, it's only going to get worse.

To allow anti redirection code to be installed in some Blogger blogs, will encourage other blog owners to do the same - and will inhibit the effects of Country Code Aliasing. Also, it will allow some hackers and spammers to do likewise, without fear of detection. None of these possibilities is good for Blogger blogs, in general.

Your blog may now be locked, because of redirection blocking code.

If you installed anti redirection code in your blog some time ago, your blog was just locked as a suspected malware host, and you are now anxiously waiting for malware review while your blog remains offline, we're sorry for you. But you are not being abused by Blogger - nor is your malware classification unfair.

Remove the anti redirection code, on your blog - now, while you are able. Encourage the providers of third party accessories and Internet services to update their code. And don't allow or encourage hackers and spammers to abuse Blogger blogs, or the Internet in general. Please.

BlackBerry Users At Risk

Attention all BlackBerry users! You are vulnerable to remote attacks by hackers.

It has been reported in a BlackBerry security advisory that it is possible for hackers to infiltrate the BlackBerry Enterprise Server. Hackers can also run malicious code on BES, which is used by many companies. These exploits are considered to be grave in nature.


According to BlackBerry security advisory:


Vulnerabilities exist in how the BlackBerry MDS Connection Service and the BlackBerry Messaging Agent process TIFF images for rendering on the BlackBerry smartphone. Successful exploitation of any of these vulnerabilities might allow an attacker to gain access to and execute code on the BlackBerry Enterprise Server. Depending on the privileges available to the configured BlackBerry Enterprise Server service account, the attacker might also be able to extend access to other non-segmented parts of the network.


The hacker can trick the user into visiting a webpage that carries out the attack, or embed malicious code directly into an email or instant message. BlackBerry Enterprise Server is the component involved in this method, and the issue lies in how it handles TIFF image files that are being viewed by the BlackBerry user. According to some reports, these images/links do not even need to be clicked, nor an email viewed, for the attack to begin.

The biggest concern is that through the attack, hackers might succeed in planting malicious code on BES which allows remote access to it. This would lead to information being stolen from your network. Hackers may also be able to crash or interrupt communications through this exploit.

BlackBerry phones are not the root cause of these attacks. BES used by companies is the vulnerable software here. Therefore, you do not need to throw your BlackBerry out.

There haven't been any reports on attacks being carried out on BlackBerry customers but we request our readers to update their phones as soon as possible before you become a victim and your personal information is stolen from you.

BlackBerry has published workarounds for companies that may not be able to update their BES.

Cheers!

About the Author:
This article is written by Dr. Sindhia Javed Junejo. She is one of the core members of RHA team.

Facebook's Security Breached - Java Zero-Day Vulnerability Found


Facebook was attacked by unidentified hackers on Friday. The attack was carried out when Facebook employees visited a developer's website which was, you guessed it, compromised. The malware was installed on their laptops, and so began the journey of Facebook's self-enlightenment.

Facebook has over 1 million users at its disposal who share sensitive information on the social networking site, giving Facebook the edge to control and use it freely. However, none of these 1 billion users want their private content spread out for everyone to see. Facebook is very aware of what attacks like this could mean for its following. It could bring down the very foundation of Facebook as we know it.

Facebook published a formal bulletin regarding the security breach titled "Protecting People on Facebook":

Facebook, like every significant internet service, is frequently targeted by those who want to disrupt or access our data and infrastructure. As such, we invest heavily in preventing, detecting, and responding to threats that target our infrastructure, and we never stop working to protect the people who use our service. The vast majority of the time, we are successful in preventing harm before it happens, and our security team works to quickly and effectively investigate and stop abuse.

Last month, Facebook Security discovered that our systems had been targeted in a sophisticated attack. This attack occurred when a handful of employees visited a mobile developer website that was compromised. The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops. The laptops were fully-patched and running up-to-date anti-virus software. As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues to this day.

We have found no evidence that Facebook user data was compromised.

Previously, Facebook had claimed that none of the data it has authority over or has been entrusted with was compromised in the attack. In response, Kevin Mitnick, the founder of Mitnick Security Consulting LLC, tweeted:


Sure enough, Facebook's CSO, Joe Sullivan, is then reported to have said in an interview:

An analysis of the activity of the malware showed that "they were trying to move laterally into our production environment," Sullivan said. The attackers gained "some limited visibility" into production systems, but a forensic review found no evidence that data was exfiltrated from that. However, some of the information on the laptops themselves—"what you typically find on an engineer's laptop," Sullivan said—was harvested by the hackers, including corporate data, e-mail, and some software code.

It is reported that the security breach occurred due to a Java zero-day vulnerability. Through this exploit, the hackers were able to infiltrate Facebook's network and inject malware. Facebook now claims that the exploit has been patched and is covered by anti-virus. Therefore, Facebook users can be at ease again.

Facebook has been jumping up and down trying to convince its users that their sensitive data has not been compromised by the attack:

There are a few important points that people on Facebook should understand about this attack:

- Foremost, we have found no evidence that Facebook user data was compromised.

- We will continue to work with law enforcement and the other organizations and entities affected by this attack. It is in everyone’s interests for our industry to work together to prevent attacks such as these in the future.

However, we would request all our readers to switch off Java in their browsers.

Cheers!

About the Author:
This article is written by Dr. Sindhia Javed Junejo. She is one of the core members of RHA team.

Blind SQL Injection - Detection And Exploitation


In our previous post "SQL Injection Basics - Union Based", I explained the basic technique not only for detecting SQL injection vulnerabilities but also for exploiting them with the union based method. In this post, however, a security researcher and a good friend of mine, Ahmad Ashraff, decided to contribute to RHA and present his research on some blind SQLi techniques. So enough from me, over to Ahmad.


In this post I'm going to share with you all how to detect whether a website is vulnerable to Blind SQLi or has no SQLi at all.

Before that, do note that I'm not an expert in this security/hacking scene. This sharing is based on my own understanding from articles/discussions among great people such as .mario, stampar, R4x0r, Nurfed, benzi and more!

In Blind SQLi, we need to understand correctly how the server/website responds based on a TRUE or FALSE condition. AFAIK, there are 2 ways to detect it.
  1. Quotes
It can be either a single quote ('), a double quote (") or a backtick (`).
Look at the example below.


A normal page condition (TRUE condition).

The page becomes blank (FALSE condition) once we put in a single quote.

The page goes back to the normal condition (TRUE) once we put in another single quote.
We can use this method as well to check the TRUE/FALSE condition under this way of detection.


    2. Numeric Operators
Make sure you know how to do simple math!
The example below shows that pic_id is vulnerable to SQLi.

Normal page loaded, because the condition is true: 1=1 is TRUE.

The word admin is missing. This shows a FALSE condition, since 1=2 is FALSE.
Another way is by using a simple calculation. The current page loads fine on pic_id=13.

The page loads fine but shows another page. This is because we added 1 to the pic_id, so it becomes 13+1=14 and the page loads pic_id=14.

Here are some other methods under this technique.

Next, we want to inject it! But how?

i. Common technique
id=1 and 1=1
id=1 and (put our sql query here)=(put our expectation here)
as an example, we want to query the current version,
id=1 and substring(@@version,1,1)=4
so, if the MySQL version used by the website starts with 4, the page will load normally (TRUE condition); else the page will be in error/blank (FALSE condition).

Example as below:
Testing if the MySQL used is version 4.*. Page error, which shows that the website is not using that version.

Testing if the MySQL used is version 5.*. Page loaded fine, which shows the current version used is 5.*

ii. Using a CASE statement
id=1 and 1
id=1 and (CASE when (our sql query here) THEN 1 else 0 END)
If the query is TRUE, it results in 1, where 1 is the TRUE condition. Else, it results in 0, where 0 is the FALSE condition.

1=2 is wrong, so it results in 0, FALSE.
1=1 is correct, so it results in 1, TRUE.

iii. Time Based

I will explain the time based technique in my upcoming guest post on RHA.
There are more techniques in SQLi out there; this is just a basic way to detect Blind SQLi based on my knowledge and experience. Do read up and research on them as well. You might find a new way of exploiting, who knows, right? :D
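The TRUE/FALSE behaviour from the numeric-operator and CASE sections above, as an added example that is not part of Ahmad's post or of any pictured site: a small Python script with an in-memory SQLite table standing in for the site's pic lookup (constructed sample data), a lookup that concatenates the pic_id parameter into the query text the way a vulnerable page does, and the hardened form that validates and binds the parameter so the same inputs no longer produce a TRUE/FALSE difference. SQLite has no @@version, so sqlite_version() and substr() stand in for MySQL's @@version and substring() in the version-digit check; all function names are assumptions for this example.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the post): two pictures, id 13 and 14."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pics (pic_id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO pics VALUES (?, ?)",
        [(13, "admin"), (14, "other picture")],
    )
    return conn


def vulnerable_lookup(conn, pic_id_param):
    """The flawed pattern: the raw request parameter is pasted into the SQL text.

    Returns the page content (the title) or None when no row matches, which is
    the "blank page" FALSE condition the post describes.
    """
    sql = "SELECT title FROM pics WHERE pic_id=" + pic_id_param
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def page_is_true(conn, condition):
    """Boolean oracle built on the vulnerable lookup: pic_id=13 and (condition)."""
    return vulnerable_lookup(conn, "13 and (" + condition + ")") is not None


def first_version_digit(conn):
    """The post's substring(@@version,1,1) test, tried for each digit 0-9.

    SQLite stand-in (assumption): substr(sqlite_version(),1,1) replaces
    substring(@@version,1,1). Returns the digit the oracle confirms, or None.
    """
    for digit in "0123456789":
        if page_is_true(conn, "substr(sqlite_version(),1,1)='%s'" % digit):
            return digit
    return None


def safe_lookup(conn, pic_id_param):
    """Hardened form: the parameter must be an integer and is bound, never concatenated.

    Every injected form ("13 and 1=1", "13+1", a CASE expression) fails int()
    and yields None, so there is no TRUE/FALSE difference left to observe.
    """
    try:
        pic_id = int(pic_id_param)
    except ValueError:
        return None
    row = conn.execute("SELECT title FROM pics WHERE pic_id=?", (pic_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for param in ("13", "13 and 1=1", "13 and 1=2", "13+1",
                  "13 and (CASE WHEN 1=1 THEN 1 ELSE 0 END)",
                  "13 and (CASE WHEN 1=2 THEN 1 ELSE 0 END)"):
        print("%-45s vulnerable=%-16r safe=%r"
              % (param, vulnerable_lookup(db, param), safe_lookup(db, param)))
    print("first digit of DB version via the oracle:", first_version_digit(db))
```

Running the script prints one line per input: the vulnerable lookup returns "admin" for 13 and for 13 and 1=1, None for 13 and 1=2, "other picture" for 13+1, and follows the CASE result, exactly the page behaviour the screenshots above show, while the bound query returns "admin" only for the plain 13. The defensive point is that strict input typing plus parameter binding removes the oracle itself, rather than trying to filter individual payloads.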

That's all guys!

About The Author

Yappare is a web application security professional. He has been listed in many halls of fame and has found many high risk vulnerabilities in a range of CMS platforms. You can follow him on @yappare.

Custom Redirects, And Old FTP Published Blog URLs

Long ago, Blogger blog owners would publish a blog as part of an existing website.

With the website published as "www.mydomain.com", they would create a website subdirectory "www.mydomain.com/myblog", and publish the blog there.

The option to publish a blog as "www.mydomain.com/myblog" required an externally maintained domain / website - and the Blogger feature "FTP Publishing". In 2010, Blogger, with many man hours spent fixing a constant stream of problems, retired "FTP Publishing", in favour of "Custom Domain Publishing".

Custom Domain Publishing, like FTP Publishing, lets us publish our Blogger blogs to non BlogSpot URLs.

Unlike an FTP published blog, a custom domain published blog requires a separate subdomain for each different blog. If a non Blogger website is hosted as "www.mydomain.com", a Blogger blog can only be published to "blog.mydomain.com" - and "www.mydomain.com/blog" became an impossibility.

Last year, Blogger introduced Custom Redirects, as part of the "Search Preferences" feature. Now, once again, a Blogger blog can be addressed as "www.mydomain.com/myblog", when hosted as "www.mydomain.com" - though a non Blogger website (if one exists) cannot be directly hosted as "www.mydomain.com", simultaneously.

It may be possible, however, to host an externally published website as "site.mydomain.com", and a Blogger blog as "www.mydomain.com" - and use the Blogger "Missing Files Host" feature to locate website pages, dynamically, in "site.mydomain.com". There may be hope, for people who declined to migrate their FTP Published blogs, in 2009 - and who now have static "blogs" as frozen pages in their external websites.

Country Code Aliases Are Not In Use, In All Non USA Countries

One source of confusion, about the occasionally misunderstood country code aliasing of BlogSpot published blogs, comes from the way the aliasing is being installed, world wide.

Country Code Aliasing is a new feature - and it's still being tested. Since it's being tested, it's not being immediately installed in all countries, world wide - and this will cause confusion, until it is fully installed.

Google is installing Country Code Aliasing, one country at a time, as convenient to them.

Change notification will be provided, if at all, after change is made.

Google is providing no notice, before - or after - any given country is being added, as an alias to "blogspot.com". This is a standard technique used in Information Technology environments - it's not new or unique to the Blogger / Google Country Code Aliasing feature.

It's called by various names, in different companies. Some call it phased installation, others pilot testing, and others may have other names.

Each blog, with a different reader population, will have different results.

What it means - simply - is that not all blog owners will see the same effects, as the new feature is installed, in every country, as each new country is added. Every different blog will have a differing reader population, distributed over different countries.

Readers in some countries - where aliasing is active - will see different results than readers in other countries, where aliasing is not active.

No two blog owners will see the same problems.

Combining the different content in every blog, which makes some blogs more or less susceptible than others to the effects of aliasing, with the different reader populations, no two blog owners will see the same problems, or have the same opinions, about aliasing.

Until every blog owner realises several details about aliasing, we're going to keep hearing complaints.
  • Country code aliasing is not optional.
  • Country code aliasing has a real purpose.
  • Country code aliasing is beneficial to all of us.

We'll deal with the problems, one blog, one country, and one owner at a time.

We'll all just have to deal with the problems, one country at a time. We'll need to ask our readers, one crucial question.
What exact URL is displayed, by your browser, when you observe the problem?
And, we'll have to observe the difference between "blogspot.com", "blogspot.co.uk", and "blogspot.fr".
