Posts

Showing posts from September, 2017

Dark Web Drug Dealer Arrested on His Way to International Beard Competition in the US

*DATA LEAKED* Another day, another data breach, though this one is disconcerting. Login credentials of more than half a million records belonging to vehicle tracking device company SVR Tracking have leaked online, potentially exposing the personal data and vehicle details of drivers and businesses using its service. Just two days ago, Viacom was found exposing the keys to its kingdom on an unsecured Amazon S3 server, and this data breach is yet another example of storing sensitive data on a misconfigured cloud server. The Kromtech Security Center was first to discover a wide-open, public-facing, misconfigured Amazon Web Services (AWS) S3 cloud storage bucket containing a cache belonging to SVR that was left publicly accessible for an unknown period. SVR stands for Stolen Vehicle Records; the SVR Tracking service allows its customers to track their vehicles in real time by attaching a physical tracking device to vehicles in a discreet location, so their customers

Security warning: Hackers compromised CCleaner and installed a backdoor

September 18, 2017 • By Mark Wycislik-Wilson. Users of cleanup, privacy and optimization tool CCleaner are being warned to update their software after it emerged the tool was compromised by hackers. Security researchers at Cisco Talos say that there are a “vast number of machines at risk.” CCleaner is produced by Piriform, now a subsidiary of security firm Avast, making the compromise not only serious, but also embarrassing. With 2 billion downloads — a number that’s rising at a rate of 5 million per week — the software was targeted by hackers who added a backdoor that could be used to download malware, ransomware and keyloggers. The problem is being compared to the NotPetya ransomware threat. Cisco Talos noticed suspicious activity on 13 September, finding that “for a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode

OS command injection

Description: Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation. This attack differs from Code Injection, in that code injection allows the attacker to add his own code that is then executed by the application. In Code Injection, the attacker extends the default functionality of the application without the necessity of executing system commands. Introduction: Injection flaws allow attackers to pass malicious code through a web application to another subsystem. Depending on the subsystem, different types of injection attack can be

Python

"Hello, everyone!" Welcome to this new blog. What is Python? Well, first, why Python? Python is my favorite programming language. Believe me, it’s cool. With its decreased complexity, increased efficiency and limitless third-party libraries, Python provides an excellent development platform to build our own tools, or, in ethical hackers’ terms, offensive tools. Python allows rapid development and testing, which are essential for ethical hackers, pentesters and security professionals. Python is a Hackers’ Language (I read it in TJ O’Connor’s book) and I believe that. Definitely, Python is a Hackers’ Language. Who should read this training series? Basically, I recommend this training series to beginners. Actually, this training series is for anyone who wants to learn Python and then aims to apply it in the field of cybersecurity, pentesting or ethical hacking. What will be covered in this training series? Yes, we’ll start with ‘Hello World’.

Host header attack

Description: In many cases, developers trust the HTTP Host header value and use it to generate links, import scripts and even generate password reset links. This is a very bad idea, because the HTTP Host header can be controlled by an attacker. This can be exploited using web-cache poisoning and by abusing alternative channels like password reset emails. Remediation: The web application should use the SERVER_NAME instead of the Host header. It should also create a dummy vhost that catches all requests with unrecognized Host headers. This can also be done under Nginx by specifying a non-wildcard server_name, and under Apache by using a non-wildcard ServerName and turning the UseCanonicalName directive on. Consult references for detailed information. Detecting Password Reset Poisoning Vulnerabilities: We’ll use an old version of Piwik (an open source web analytics platform) which was vulnerable to password reset poisoning

OurMine Claims It Hacked Sony's PlayStation Social Media Accounts

HIGHLIGHTS: OurMine is infamously known for hacking into popular accounts, services. It's now claimed to have hacked PlayStation's social media accounts. It earlier took charge of hacking HBO's social properties. Days after taking over the social media accounts of US television network Home Box Office (HBO), infamous hacker group "OurMine" has hit again, this time claiming to have hacked Sony PlayStation's official Twitter and Facebook accounts. The hacker group is known for breaching high-profile figures' and companies' social media accounts, including those of HBO. According to a report in IBTimes.co.uk on Monday, in a series of posts, OurMine wrote: "Hi, it's OurMine, we are a security group, if you work at PlayStation then please contact us." The hacker group hacked the PlayStation Brasil's account also and posted similar messages, trying to get th

Cross-site request forgery

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf [1]) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. [2] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser. Synonyms: CSRF attacks are also known by a number of other names, including XSRF, "Sea Surf", Session Riding, Cross-Site Reference Forgery, and Hostile Linking. Microsoft refers to this type of attack as a One-Click attack in their threat modeling process and many places in their online documentation. Prevention measures that do NOT work: Using a secret cookie. Remember that all cookies, even the secret ones, will be submitted with every request. All authentication tokens will be submitted regardle

$1 million bounty offered for Tor Browser zero-day exploits

Zerodium, a hacking company that sells exploits to governments around the world, is now offering $1 million for previously undiscovered vulnerabilities in the Tor web browser. The top prize, a $250,000 bounty, requires a researcher to be able to demonstrate a remote code exploit against Tor while the browser is at its highest security settings on either Windows 10 or the security-focused operating system TAILS. The attack vector has to be a website targeting the Tor Browser. The Tor browser anonymizes web traffic, encrypting it between computers known as nodes. The network’s architecture makes determining the origin of traffic extremely difficult. The section of the internet known as the “dark web” is only accessible via the Tor browser. The six-figure prize comes weeks after Zerodium placed $500,000 bounties on secure messenger applications, like Signal, Telegram and WhatsApp. The highest single bounty o

What is 0 day vulnerability

What is a Zero-Day Vulnerability? A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack. Uses of zero day attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term “zero day” refers to the unknown nature of the hole to those outside of the hackers, specifically, the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users. In order for the vendor to rectify the vulnerability, the software company must release a patch. Often patches are released on a regular basis, one example being Microsoft’s Patch Tuesday. On the second Tuesday of each month, Microsoft releases security fixes that resolve identified holes. If, however, a critical vulnerability is discovered, a patch may be released outside of schedule. Browse

Google dork list in 2017

Google Dorks List 2017 | Fresh Google Dorks 2017 for SQLi

Cross-site-scripting

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007. [1] Bug bounty company HackerOne in 2017 reported that XSS is still a major threat vector. [2] XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.

What is Database

A database is an organized collection of data. [1] It is a collection of schemas, tables, queries, reports, views, and other objects. Database designers typically organize the data to model aspects of reality in a way that supports processes requiring information, such as (for example) modelling the availability of rooms in hotels in a way that supports finding a hotel with vacancies. A database-management system (DBMS) is a computer-software application that interacts with end-users, other applications, and the database itself to capture and analyze data. A general-purpose DBMS allows the definition, creation, querying, update, and administration of databases. Well-known DBMSs include MySQL, PostgreSQL, MongoDB, MariaDB, Microsoft SQL Server, Oracle, Sybase, SAP HANA, MemSQL, SQLite and IBM DB2. A database is not generally portable across different DBMSs, but different DBMSs can interoperate by using standards such as SQL and ODBC or

What is sqli

SQL injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). [1] SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database. SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. In a 2012 study, it was observed that the average w

Owasp top 10 vulnerability

What is OWASP and the OWASP Top 10? The Open Web Application Security Project (OWASP) is a non-profit organization dedicated to providing unbiased, practical information about application security. The OWASP Top 10 represents a broad consensus on the most critical web application security flaws. The errors on this list occur frequently in web applications, are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over your software, steal data, or prevent your software from working at all. Meeting OWASP Compliance Standards is the First Step Toward Secure Code: Web application attacks are now the most frequent pattern in confirmed breaches (2016 Verizon Data Breach Investigations Report). Yet many organizations struggle to implement an application security program because they simply don’t know where to start. Setting policies based on eliminating OWASP Top 10 vulnerabilities is an

Hack using Termux- The Linux Terminal Emulator for Android

This post is about an application with which you can do most of the things you would do in the Terminal in Kali Linux: Termux, the terminal app for Android. This is a great app which makes you feel like you are using the Terminal in Linux. This app is the best way to do all the things. You can use this app to nmap websites and find loopholes and open ports. Termux can do a lot more things, but this is the best thing to do. Suppose you have a website and want to know whether the site can be hacked using SQL injection or a DDoS attack or not? Just open Termux and use nmap to find the open ports and close the ports, all done. Now your site is secure. Let's get the tutorial started. But before starting, let me tell you the precautions you should take. Never ever nmap any website which doesn’t belong to you. I mean, don’t just open nmap and use it on google.com or technicalunit.org or any other site. Otherwise they can

Blueborne exploit bluetooth vulnerability

Armis Security has identified a new vulnerability in computers and mobile devices that leaves them susceptible to attack via Bluetooth. The exploit, dubbed "BlueBorne," doesn't require user permission or to even pair with devices -- it can simply connect over the air and access networks or install malware. Armis previously alerted most affected parties back in April, but as of today, it's mostly Android devices that remain vulnerable to attack. There are technically several distinct attack vectors spread across current mobile operating systems. As Armis noted in its BlueBorne info page, Apple's iOS beyond version 9.3.5 are vulnerable, but that vector was ironed out in iOS 10. Microsoft released an update today to all Windows versions that closes the vulnerability, with details listed here. Google's Android, however, is spread across so much hardware that the onus to update falls on third-party manufacturers, who might not patch out the vulnerability in