DVWA in action

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
It is a best platform to practice web application hacking and security.

Using this app, you can practice the following existing vulnerabilities:
SQL Injection
XSS (Cross Site Scripting)
LFI (Local File Inclusion)
RFI (Remote File Inclusion)
Command Execution
Upload Script
Login Brute Force

Earlier it was launched with few features only, but recently some new features have been added into this app. Some of the new features are:

Added Acunetix scan report.
All links use http://hiderefer.com to hide referrer header.
Updated/added ‘more info’ links.
Moved change log info to CHANGELOG.txt.
Fixed the exec.php UTF-8 output.
Moved Help/View source buttons to footer.
Fixed phpInfo bug.
Made DVWA IE friendly.
Fixed html bugs.
Improved README.txt and fixed typos.
Made SQL injection possible in sqli_med.php.

Warning: But before testing, do not upload it to your hosting provider’s public html folder or any working web server as it will be hacked because this application is damn vulnerable. It’s recommend that you download and install XAMP onto a local machine inside your LAN which can be used solely for testing.

You can also install it in your Backtrack machine. Generally we need xampp server to setup damn vulnerable web application but xampp server is nothing but a collection of apache, sql, perl, PHP, openssl and other server side software's but backtrack 5 has all of these software's installed. It means there is no need to install xampp on backtrack machine. All you need to do is to get damn vulnerable web app and put it on the root directory of backtrack.
To download dvwa: http://www.dvwa.co.uk/
 --DR34MHAXX

Prerequisites::
win32 programming
c++
Typical viruses sometimes inject their processes in another running process by using windows api functions.They then become harder to detect for the antivirus.In this article we will see how we can inject our code in the remote process thereby causing a remote dll to get loaded in the remote process' address space
The steps for injecting a dll in other process  are::
1.)Create (or open handle to) the process we want the dll to be injected in.
2.)Allocate some memory for the name of the dll in the desired process (in which we want to inject our dll) using VirtualAllocEx and WriteProcessMemory function.
3.)Obtain the address of LoadLibrary(to load the dll in remote process) in our process using functions GetModuleHandle and GetProcAddress.Here, we assume here that kernel32.dll (which contains the LoadLibrary ) will be loaded at the same address in the remote process .So that the address of LoadLibrary will not differ.
4.)After that we need to use the CreateRemoteThread function
(syntax::
HANDLE WINAPI CreateRemoteThread(hProcess,lpThreadAttributes,dwStackSize
,lpStartAddress,lpParameter,dwCreationFlags,
lpThreadId)
);) to spawn a new thread in the remote process and execute the function LoadLibrary(whose address is specified by the 4th parameter ie.lpStartAddress which we obtained in the above step 3).
4.)LoadLibrary will thus be the default function to be executed in the remote process' thread once it (ie. the thread) starts since it's address has been passed to the CreateRemoteThread function.
5.)This will execute our LoadLibrary function with the parameter lpParameter(ie. the pointer to the name of the dll which we allocated in the remote address space using VirtualAllocEx and WriteProcessMemory in step 2)
6.)Once our dll is loaded the code inside it will be executed.
Thus we see that by using dll inject we can cause the remote application to behave arbitrarily in our own way.Other method to inject are by changing the value of the eip register(Later :))
For more reference and for the api documentation refer to msdn and codeproject..

Working app::http://www.mediafire.com/?858h6tcstxcujo5

Let me know if there are any bugs with the implementation.
~~crank

From various souces around we get many files on our desktop which are not to be used right then but to be kept for later use.This application is to clean your desktop. It would check the extension of your file and send it to the desired location.Various windows API functions have been used in the coding. The file management functions with their parameters and brief description is as follows:


1.)FindFirstFile function: Searches a directory for a file or subdirectory with a name that matches a specific name (or partial name if wildcards are used).
  SYNTAX: HANDLE WINAPI FindFirstFile (LPCTSTR lpFileName,LPWIN32_FIND_DATA lpFindFileData);
 PARAMETERS:
lpFileName [in]
The directory or path, and the file name. Since we are talking of a particular case we have given the path of our desktop. We have used * with extension of files we want to move.
lpFindFileData [out]
A pointer to the WIN32_FIND_DATA structure that receives information about a found file or directory.

If the function succeeds, the return value is a search handle used in a subsequent call to FindNextFile, and the lpFindFileData parameter contains information about the first file or directory found.
If the function fails or fails to locate files from the search string in the lpFileName parameter, the return value is INVALID_HANDLE_VALUE and the contents of lpFindFileData are indeterminate.




2.)FindNextFile function : 
     Continues a file search from a previous call to the FindFirstFile function.
   SYNTAX:
   BOOL WINAPI FindNextFile(HANDLE hFindFile,LPWIN32_FIND_DATA lpFindFileData);
  PARAMETERS:
hFindFile [in]
The search handle returned by a previous call to the FindFirstFile function.
lpFindFileData [out]
A pointer to the WIN32_FIND_DATA structure that receives information about the found file or subdirectory.
The structure can be used in subsequent calls to FindNextFile to indicate from which file to continue the search.
If the function succeeds, the return value is nonzero and the lpFindFileData parameter contains information about the next file or directory found.
If the function fails, the return value is zero and the contents of lpFindFileData are indeterminate

3.)MoveFile function :
Moves an existing file or a directory, including its children.

SYNTAX:BOOL WINAPI MoveFile(LPCTSTR lpExistingFileName,LPCTSTR lpNewFileName);

PARAMETERS:
lpExistingFileName [in]
The current name of the file or directory on the local computer. The location from where we are moving our file.
lpNewFileName [in]
The new name for the file or directory. The new name must not already exist.The location where we want to move our file.

If the function succeeds, the return value is nonzero.If the function fails, the return value is zero.





Here's the source code::
#include<windows.h>
#include<stdio.h>
#include<conio.h>
void cpp(void);
void mp3();
void jpg();
int main(void)
{

cpp();
mp3();
jpg();
getch();
return 0;
}
void cpp()
{
      HANDLE hwnd;
      WIN32_FIND_DATA a;
      hwnd=FindFirstFile("C:\\users\\neha\\desktop\\*.cpp",&a);
      puts(a.cFileName);
      char from[100]="C:\\users\\neha\\desktop\\";
      char to[100]="E:\\cpp\\";
      strcat(to,a.cFileName);
      strcat(from,a.cFileName);
      MoveFile(from,to);
      while(0!=FindNextFile(hwnd,&a))
      {
                                     puts(a.cFileName);
                                     char from1[100]="C:\\users\\neha\\desktop\\";
                                     char to1[100]="E:\\cpp\\";
                                     strcat(from1,a.cFileName);
                                     strcat(to1,a.cFileName);
                                     MoveFile(from1,to1);
 
    }
}
void mp3()
{
      HANDLE hwnd;
      WIN32_FIND_DATA a;
      hwnd=FindFirstFile("C:\\users\\neha\\desktop\\*.mp3",&a);
       puts(a.cFileName);
      char from[100]="C:\\users\\neha\\desktop\\";
      char to[100]="E:\\selected songs\\";
      strcat(to,a.cFileName);
      strcat(from,a.cFileName);
      MoveFile(from,to);
      while(0!=FindNextFile(hwnd,&a))
      {
                                      puts(a.cFileName);
                                      char from1[100]="C:\\users\\neha\\desktop\\";
                                      char to1[100]="E:\\selected songs\\";
                                      strcat(from1,a.cFileName);
                                      strcat(to1,a.cFileName);
                                      MoveFile(from1,to1);
                                    
}

}
void jpg()
{
      HANDLE hwnd;
      WIN32_FIND_DATA a;
      hwnd=FindFirstFile("C:\\users\\neha\\desktop\\*.jpg",&a);
       puts(a.cFileName);
      char from[100]="C:\\users\\neha\\desktop\\";
      char to[100]="E:\\pictures\\";
      strcat(to,a.cFileName);
      strcat(from,a.cFileName);
      MoveFile(from,to);
      while(0!=FindNextFile(hwnd,&a))
      {
                                      puts(a.cFileName);
                                      char from1[100]="C:\\users\\neha\\desktop\\";
                                      char to1[100]="E:\\pictures\\";
                                      strcat(from1,a.cFileName);
                                      strcat(to1,a.cFileName);
                                      MoveFile(from1,to1);
                                    
}

}


---By:: cyb3R 4ng3ls

Spam alert. Avoid this.
I was browsing facebook today when a link caught my attention.

Lol !Checkout this video its a very embarrassing moment for her

The moment i looked upon it i knew that its a spam and i didnt had much to do so i tried to learn what it did.
after clicking on the link we get redirected to http://awts-on-tv6.blogspot.com/?video
since most of the people will try to watch the video and for that the website requires you to download and install a plugin.
in this case that plugin is Youtube Premium Plugin.(cleverly crafted, or is it though?)
So i click on install plugin and B00m all of my friends on facebook have their walls +1'd by a new post,
created by me (funny i never did that).
and that post again randomly changes.
Lesson 1: never install those plugins.
but lets say that you did, ofcourse i DID!
then lets move to the next step, analysing.
notice the top right corner it says that i installed the plugin.
even after installing the video isnt visible so i take it as a Spam.
Warning if doing this kind of testing, beforehand logout your facebook profile. i will explain later why.




now it is installed and i have logged of before hand thus making the plugin fail and none of my friends got spammed again so that they again do what i accidently did with their sorry hands.


next thing we do is go to the core of this plugin
i already knew that chrome stays in %homedrive%\\users\\<username>\\appdata\\local\\google\\chrome
therefore if a plugin is actually installed then it is residing in this directory for sure. unless its some sort of malware. which i found to be a false claim, yes its definetly a spam.


moving further we have a folder called user data in the application
upon browsing all the folders and subfolders i finally found the place where plugins are installed.
C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Extensions
there were two folders here during my time.
opening them i found many files, one said mibbit.png ..... and other folder said icon.png.
since one extension i installed was mibbit IRC client and other one was this youtube one we are currently trying to break down. we arrive to the conclusion that other folder was our final extension.




in that folder there was only one file which could do anythnig to our browser. i.e. .js file or javascript
a section of that file i have shown in image. notice the highlighted part
in all of the javascript there is only one URL and no other malicious functions.
http://betterfinace.com/script.js
thus my curiousity grew. upon opening the file i got this
another link and opening this marked link i get final thing. you can open the js link and it isnt malicious in any way i assure you. your browser wont execute that and will only open js file in text mode for you to see.
the first function enchulatuFB tells us that the coder of this thing is of spanish origin.
next thing we note is tons of functions.
1st: uses iframes to post some data
2nd the highlighted part says the following in the messagebox. read comments for more information. as of now remember that i puts the images given in the messagebox on the screen like in the first image given by me check out the girl in bottom. thats the image this function loads.
also note that malicious attackers can be able to infect your pc with a string like aaaaasdhjhnfajsdasldlas  so dont try to execute them since they can be simple machine code which can harm you in any possible way. avoid direct gibberish code execution at all costs. what i did alert(string.convert.....); was stupid dont do that.
3rd function: reads cookies of browser and stores them somewhere.
4th function sets cookie passd by parameter
5th and 6th function are used in collaboration to set predefined strings in diffferent order.
like
 'check this out ... shocking ',' This shocking ...', 'I hate it happened to her ..'

  'check this out ... OMG ',' Ehey ',' Hey ',' Hey! ',' LOL ',' Hello! ',' Look! ',' This is sic.. ',' Damn!'
    'u wont believe! ',' check this embarrassing video ',' why did this happen to her?'
    ' Bizarre . '

thus explaining random order of strings which i got and my friends got after infection.

last and finally fb_comparte function uses facebooks cookies to generate new request for browser to evaluate friends of the victim and post the aforementioned strings on everyone of thei walls. thus making this campaign a hit. :)

for better understanding of the javascript read some good books then check the js file out.

it will explain everything about how elements of a webpage are grabbed to view friend lists and how [POST] request can send data to another user using forms. as a result their walls can get flooded with such spams.

i hope you would have understood how to analyze anything like this if it comes good in future.

Writing a Trojan is a lot easier than most people think. All it really involves is two simple applications both with fewer than 100 lines of code. The first application is the client or the program that one user knows about. The second is the server or the actual “trojan” part. I will now go through what you need for both and some sample code.

Well, according to the latest survey firefox is the second most used browser in the world. chrome is definitely catching up. And to be very frank , its the browser of my choice:D (
Now the question arises, why firefox?
you may choose firefox because it is fast, safe and open-source, which means you can modify  anything for it( if you know how).It is multi platform and the most important is its pluggable extension feature, it means that firefox gives you certain number of features and if you want to make it more you can make extensions.
about firefox security
While no browser is 100% secure Mozilla Firefox has much better security than Internet Explorer. Firefox does not support Activex which is a tool that can be used with good and bad intentions. Activex allows web sites to have more access to Windows. As a result of this, cyber criminals have taken advantage of it. This means that viruses and spy ware (and sometimes other types of malware as well such as adware) can take advantage of it, resulting in these programs ending up on the visitors computer (if using Windows at the time). Spyware is any piece of software that silently gathers information about a user while he/she navigates the Internet and transmits the information to an individual or company that uses it for marketing or other purposes.Spyware and other types of Malware usually do not target Firefox, but there is some out there that will also get Firefox, but it is rather unlikely that a Firefox user would get it. Unless for example they install loads of extensions from all kinds of web sites. So don't install an add-on if the website doesn't look trustworthy .If a Firefox user has the cache turned on a Trojan can end up in it. A cache is an amount of space in which Firefox uses to temporarily store images and other files from sites so you can load the page up quicker if you chose to go back and view the page again. You can turn it off by going to "Tools" then "options" click on the "advanced" tag and then the "cache" tag set the amount of MB's it's allowed to use to "0". However a Trojan just sit their in the catch and will not do anything unless the user actually opens it.
FIREFOX ADDONS
Add-ons are installable enhancements to the Mozilla Foundation's projects, and projects based on them. Add-ons allow the user to add or augment application features, use themes to their liking, and handle new types of content.So, Add-ons give Firefox many new options and functions. How to get them? www.google.com or mozillas extension site which is at addons.mozilla.org.some useful addons for development & security in my opinion are:
1. GREASE MONKEY:  This allows you to customize the way a web page displays or behaves, by using small bits of JavaScript.
download link:
https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/?src=cb-dl-users
2. FIRE BUG: Firebug integrates with Firefox to put a wealth of development tools at your fingertips while you browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.
download link:
https://addons.mozilla.org/en-US/firefox/addon/firebug
3.RIGHTTOCLICK: It enables right-click, text selection, context-menu, drag&drop and much more where it is disabled by Javascript.RightToClick protects from annoying alert pop-ups, can remove many timer actions and is able to suppress (unusual) click behavior. The highly sophisticated engine also offers options for fine tuning. Finally it's helpful with image downloads (also disabling CSS might be useful here).
download link:
https://addons.mozilla.org/en-us/firefox/addon/righttoclick
p.s- if you have not noticed yet, then let me inform you that you can use this addon in this blog also, try it.
4. NOSCRIPT:This add-on is used for security. It simply blocks malicious scripts, applets and flash. A disadvantage of this is if you want a script to be run on a site when visiting, you must unblock it. To read more about this addon:
http://teamhackaholic.blogspot.com/2011/06/noscript-security-against-active.html
5.ADD-N-EDIT COOKIES:No comment. You know what it does. but this add-on is not available for the 7.0,1 version.
6.ADBLOCK PLUS:The add-on is supported by over forty filter subscriptions in dozens of languages which automatically configure it for purposes ranging from removing online advertising to blocking all known malware domains. Adblock Plus also allows you to customize your filters with the assistance of a variety of useful features, including a context option for images, a block tab for Flash and Java objects, and a list of blockable items to remove scripts and stylesheets.
download link:
https://addons.mozilla.org/en-US/firefox/addon/adblock-plus
7.WEB-DEVELOPER:The Web Developer adds various web developer tools to your browser.
download link:
https://addons.mozilla.org/en-US/firefox/addon/web-developer
8.LIGHT SHOT: if you want a screenshot of a website immediately, then this tool is very useful for you.LightShot is a tool allowing you to easily make screenshots of any selected area in a browser tab.
downloading link:
https://addons.mozilla.org/en-US/firefox/addon/lightshot
9.HACKBAR: Well if you are a web develper and concerned about your website security, then this Add-on is made for you. we have already explained about this add-on in our blog earlier. follow the link to read more:http://teamhackaholic.blogspot.com/2011/06/firefox-hacking-addon-hackbar.html
10.ALL-IN-ONE SIDEBAR:This is made for the ease of the user.All-in-One Sidebar is a wonderful extension that provides you easy access to your bookmarks, downloads, history, themes and extensions, and more.
download link:
https://addons.mozilla.org/en-US/firefox/addon/all-in-one-sidebar
note: all the add-ons are explained keeping in mind that you are using the latest firefox version,i.e. 7.0.1, many security issues and bugs have been patched in this version. Otherwise if you are using the earlier versions of firefox, then many security related add-ons are available which are very important:
some of them are:XSS-ME, SQL INJECT ME etc.


posted by:-DR34MHAXX

New spamming campaign has been reported by Trend micro. This type of malware is spreading through Facebook.  The downloaded malware is another type of Zbot, also called Zeus a Trojan horse that attempts to steal confidential information from the compromised computer. It may also download configuration files and updates from the Internet.
Malware spreads by sending messages to victims that includes Facebook friend request notification. When user clicks to approve the friend request link opens a page that invites him to install the latest version of Adobe Flash Player. But here the link takes user to install TSPY_ZBOT.FAZ instead of Adobe Flash Player.


This spyware adds registry entries to enable its automatic execution at every system startup. It attempts to steal information, such as user names and passwords, used when logging into certain banking or finance-related websites.
Generally Trojan.Zbot files are used to compromise computers is generated using a special toolkit that is available in marketplaces for online criminals. Toolkit allows an attacker a high degree of control over the functionality of the final executable that is distributed to targeted computers.
The Trojan itself is primarily distributed through spam campaigns and drive-by downloads, though given its versatility, other vectors may also be utilized. The user may receive an email message purporting to be from organizations such as the FDIC, IRS, MySpace, Facebook, or Microsoft.