
Recent Blog Posts

  1. CVE-2015-2652 – Unauthenticated File Upload in Oracle E-business Suite.

    During my regular job, I unravelled an interesting vulnerability of Unauthenticated File Upload in Oracle E-business Suite 0-day vulnerability. This particular Upload Bug can be easily used to upload files on the web-server and also an attacker can flood the hard-disk of the server, thus making it easier for an attacker to leverage the vulnerability remotely.

    Oracle released Critical Patch Update containing security fixes for the Oracle E-Business Suite. This vulnerability is remotely
    Tags: zap
  2. How to Bypass iPhone 6+ IOS 8.3 Emergency Call

    Hello Guys, After several days I was busy at work, I come back with a new subject which you can see on top of this text. Before I start, I've to say my IOS is updated and version is 8.3. Keep reading to know more.

    I don't want to make it hard to be understood, so I explain it basic and fast. All you need to do is to turn on WiFi or mobile internet data and lock the screen, as you can see, iPhone just lets you call emergency numbers [example: 911]. Now you hold the "Home" button and ...
  3. Google Bug: Gmail 2-Step Verification Detector

    Hello world! [Including People, Robots, Zombies Dariush & Arash, Alien dudes if they exist, and my friends], By the way, I decided to write about a Gmail Bug. It's not a vulnerability of Gmail but it's some kind of bug that lets us know, if we hack a Gmail, whether we can login to it or not without alerting the Gmail owner. I am talking about 2-Step verification. Imagine grabbing a Gmail password and not being sure whether to login or not, the victim might use the Gmail SMS auth service and when you click login, Google sends the victim ...
  4. How to Setup Secure Website for Hackers

    When security researchers and hackers want to set up their own blog, the biggest stress on their head is what to do to secure their server(s) and site(s). What if someone comes and is naughty with their server(s)? What if the server gets a DOS/DDOS attack when they don't have access to fix up their server(s) and they are travelling or away on business or something and they can't access their server(s) for some reason? After some years that I spent my life on information security I realized that nothing can't be secure ...

    Updated 05-29-2015 at 08:59 PM by G3n3Rall

    Tags: linux, php, python, service, waf, zap
  5. Malware Cleanup: Analysis of an Undetectable web-shell code uploaded, RevSlider bug

    I started my day with my regular Malware Cleanup activity and came across an interesting backdoor web shell file on the server. The server is not specific to any particular environment, it was one of the regularly updated WordPress packages with the plugin RevSlider Plugin ver. 4.1.4.

    I initiated the process to detect the backdoors and web malwares, and got a hit on a malicious .htaccess file which was redirecting hxxp:// as shown below:

  6. CVE-2015-0235 – How to secure against Glibc Ghost Vulnerability

    CVE-2015-0235 Ghost (glibc gethostbyname buffer overflow) Vulnerability is a serious cause for concern for all Linux servers. This vulnerability can be leveraged to achieve remote code execution on the victim Linux server. The vulnerability was found by a Qualys researcher and patched in GNU.

    What is the cause?

    The bug is in the __nss_hostname_digits_dots() function of the GNU C Library (glibc), and the file path for the non-reentrant version is nss/getXXbyYY.c, which ...
  7. Everything you need to know about CVE-2014-6271


    Code execution possible on CGI Web Applications: Yes [Critical]
    Code execution possible on SSH: Yes [Not critical or is based on architecture]
    Working Payload for getting reverse Shell Available: Yes
    Is the Current patch complete: No
    Where was the Bug:

    Bash supports exporting not just shell variables, but also shell functions to other

    Updated 10-01-2014 at 03:36 PM by 41.w4r10r

  8. Reverse Engineering : Domain generation for PushDo Malware algorithm released.

    DGA : The domain generation for PushDo unleashed

    About pushdo:

    Four times since 2008, authorities and technology companies have taken the prolific PushDo malware and Cutwail spam botnet offline. Yet much like the Energizer Bunny, it keeps coming back for more.

    In early March, researchers at Damballa discovered a new version of the malware that had adopted a domain generation algorithm (DGA) in order to not only help ...

    Updated 08-26-2014 at 01:41 AM by garage4hackers

  9. Microsoft's Anti-CSRF Token Bypass

    Microsoft's CSRF Vulnerability

    I want to share one of my findings on Microsoft which I have reported to them in April 2013.

    While researching and working on bug bounties I have found that we can bypass Anti-CSRF token validation even when it is getting validated on the server-side and can execute CSRF. And after that, using the CSRF we can compromise the victim's account by changing the email id of any user's account on that site to the attacker's email ...
  10. Twitter Follow Retweet and Tweet Favourite CSRF Vulnerabilities

    How we were able to find Twitter Follow Retweet and Tweet Favourite CSRF

    We want to share 3 of our findings on Twitter which me and my friend Krutarth have reported to them on March 2014. My good friend @KrutarthShukla was testing Twitter and he was trying deeply to find something on it. And finally he got a Follow CSRF and sometime later I also got Retweet & Tweet Favourite CSRF. So, we found 3 CSRF vulnerabilities on Twitter. ...