Archive for December, 2007

Addons for Hackers: SQL Inject-Me and XSS-Me Plugins

Thursday, December 6th, 2007

Security Compass has announced the release of open source Mozilla Firefox add-ons for web application penetration testing at the SecTor conference in Toronto. The release includes the Firefox add-ons XSS-Me and SQL Inject-Me, which make up the Exploit-Me suite.
Exploit-Me is a suite of Firefox web application security testing tools. The Exploit-Me tools are designed to be lightweight and easy to use. Instead of relying on a proxy like many web application testing tools, Exploit-Me integrates directly with Firefox.

XSS-Me

The tool works by submitting your HTML forms and substituting the form value with strings that are representative of an XSS attack.

If the resulting HTML page sets a specific JavaScript value (document.vulnerable=true) then the tool marks the page as vulnerable to the given XSS string.

The tool does not attempt to compromise the security of the given system. It looks for possible entry points for an attack against the system. The tool does no port scanning, packet sniffing, password cracking or firewall attacks.

You can think of the work done by the tool as the same as the QA testers for the site manually entering all of these strings into the form fields.
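The check described above, reduced to a runnable model (added example, not XSS-Me's own code): a renderer that echoes a form value is probed with script-bearing strings, and a probe that comes back verbatim is treated as the textual stand-in for "the page set document.vulnerable=true". The probe list, the two renderers and the `scan` helper are all constructed for this example.

```python
import html

# Probe strings in the style XSS-Me submits: each one, if rendered without
# encoding, runs a script that sets document.vulnerable = true.
# (Constructed for this example; not XSS-Me's actual payload list.)
PROBES = [
    "<script>document.vulnerable=true;</script>",
    '"><script>document.vulnerable=true;</script>',
    '<img src=x onerror="document.vulnerable=true">',
]


def render_vulnerable(name):
    """Page that copies the submitted form value straight into the HTML."""
    return f"<html><body><p>Hello {name}</p></body></html>"


def render_hardened(name):
    """Same page, but the value is HTML-encoded for the text/attribute context."""
    return f"<html><body><p>Hello {html.escape(name, quote=True)}</p></body></html>"


def probe_survives(page, probe):
    """Stand-in for 'would the browser execute this?': the probe is present
    byte-for-byte, so its tags and quotes were not encoded on output."""
    return probe in page


def scan(render):
    """Submit every probe through the renderer and report those that survive,
    which is the set of XSS strings XSS-Me would flag the page as vulnerable to."""
    return [p for p in PROBES if probe_survives(render(p), p)]


if __name__ == "__main__":
    print("vulnerable renderer flagged:", scan(render_vulnerable))
    print("hardened renderer flagged:", scan(render_hardened))
```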

The Cross-Site Script Me (XSS-Me) tool allows the user to test their web applications against common XSS vulnerabilities. The Beta2 release corrects an issue with the plugin failing to work with Firefox 2.0.0.10.

XSS-Me 0.2 is available here.

SQL Inject-Me

SQL Inject Me is the Exploit-Me tool used to test for SQL Injection vulnerabilities.

The tool works by submitting your HTML forms and substituting the form value with strings that are representative of an SQL Injection attack.

The tool works by sending database escape strings through the form fields. It then looks for database error messages that are output into the rendered HTML of the page.

The tool does not attempt to compromise the security of the given system. It looks for possible entry points for an attack against the system. The tool does no port scanning, packet sniffing, password cracking or firewall attacks.

You can think of the work done by the tool as the same as the QA testers for the site manually entering all of these strings into the form fields.
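The error-message heuristic above, as an added example rather than SQL Inject-Me's own code: a page handler that concatenates the form value into its query leaks the database error into the HTML, a parameterized handler does not, and a small signature list over the rendered page tells the two apart. The table, the error signatures and the probe strings are constructed for this example.

```python
import re
import sqlite3

# Database error fragments that commonly end up in rendered HTML.
# Constructed for this example; SQL Inject-Me ships its own list.
DB_ERROR_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"you have an error in your sql syntax",               # MySQL
    r"unclosed quotation mark after the character string",  # MSSQL
    r"ora-\d{5}",                                           # Oracle
    r"syntax error at or near",                             # PostgreSQL
    r"sqlite3\.OperationalError|unrecognized token",        # SQLite
)]


def find_db_errors(page_html):
    """Return the signatures that match the rendered page (empty = no leak seen)."""
    return [p.pattern for p in DB_ERROR_PATTERNS if p.search(page_html)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO events VALUES (7, 'Open day')")
    return conn


def page_vulnerable(conn, id_value):
    """Builds SQL by string concatenation and dumps the raw exception into the page."""
    try:
        row = conn.execute(f"SELECT title FROM events WHERE id = '{id_value}'").fetchone()
        return f"<h1>{row[0] if row else 'not found'}</h1>"
    except sqlite3.Error as e:
        return f"<pre>sqlite3.OperationalError: {e}</pre>"


def page_hardened(conn, id_value):
    """Parameterized query: the form value can never become SQL syntax."""
    row = conn.execute("SELECT title FROM events WHERE id = ?", (id_value,)).fetchone()
    return f"<h1>{row[0] if row else 'not found'}</h1>"


def scan(page_func):
    """SQL Inject-Me's heuristic: submit escape strings, look for DB error text."""
    conn = make_db()
    return {probe: find_db_errors(page_func(conn, probe)) for probe in ("'", "7'")}


if __name__ == "__main__":
    print("vulnerable:", scan(page_vulnerable))
    print("hardened:", scan(page_hardened))
```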

SQL Inject-Me 0.2 is available here.

Adobe Photoshop CS2 / CS3 File Buffer Overflow

Monday, December 3rd, 2007

A "highly critical" security flaw in Adobe Photoshop CS2 and CS3 that could allow remote attackers to access your computer has been reported by the security company Secunia.

The flaw involves the way Photoshop processes bitmap files such as BMP, DIB and RLE, and allows malicious coders to launch buffer overflow attacks. In a buffer overflow attack an attacker deliberately causes a program to experience an error so that they can insert their own code, which is then executed. The flaw was discovered by French security researcher "Marsu", who tested it against Windows XP SP2.

Marsu has discovered a vulnerability in Adobe Photoshop which can be exploited by malicious people to compromise a user's system. The vulnerability is caused by an error within the BMP.8BI Photoshop Format Plugin when handling Bitmap files (e.g. .BMP, .DIB, .RLE). This can be exploited to cause a stack-based buffer overflow via a specially crafted Bitmap file. Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in Adobe Photoshop CS2 and reportedly affects Adobe Photoshop CS3. Other versions may also be affected.

Proof-of-concept code has been published on Milw0rm to demonstrate how the flaw can be exploited.


How To Blind SQL Injection

Saturday, December 1st, 2007

This is a conversation with one of my friends; he told me how to do blind SQL injection at a well-known university, but some of the conversation had to be censored because it's too dangerous to post here, since this is a public area. I hope you all understand.

Conversation with myFriend


(16:01:48) You feel a disturbance in the force…
(16:01:49) myFriend: :(
(16:01:52) myFriend: where's your video
(16:01:54) myFriend: share it, will you
(16:02:00) wicux11: tch
(16:02:02) wicux11: I'm embarrassed
(16:02:04) wicux11: still a noob
(16:02:08) myFriend: oh come on
(16:02:09) wicux11: :D
(16:02:12) myFriend: come on, Tha
(16:02:12) myFriend: :(
(16:02:14) wicux11: don't want to
(16:02:16) myFriend: put it on [sensored], boy
(16:02:19) wicux11: teach me first
(16:02:26) myFriend: hehhehe
(16:02:29) myFriend: wait
(16:02:34) myFriend: let me try [sensored].ac.id again
(16:02:37) wicux11: okay
(16:03:11) wicux11: who posted that?
(16:03:13) wicux11: you?
(16:03:48) myFriend: YEAH
(16:03:56) wicux11: I already tried it earlier
(16:03:59) wicux11: the telnet one
(16:04:00) wicux11: it works
(16:04:12) myFriend: got through?
(16:04:14) wicux11: yeah
(16:04:15) myFriend: :P
(16:04:30) myFriend: so what's the best thing to do with it once you're in, bro??
(16:04:32) myFriend: :D
(16:04:32) myFriend: hehhehe
(16:04:35) wicux11: create a user?
(16:04:41) wicux11: can it be accessed via the web?
(16:04:49) wicux11: earlier I was just going to restart it
(16:04:50) wicux11: :D
(16:04:53) wicux11: so it dies
(16:05:02) myFriend: hhahahha
(16:05:08) myFriend: what's SNMP
(16:05:11) wicux11: dunno
(16:05:14) wicux11: I went into the ip one
(16:05:21) myFriend: ok
(16:05:22) myFriend: wait
(16:05:31) wicux11: ip > display
(16:05:37) wicux11: then just change it
(16:05:38) wicux11: :D
(16:05:45) wicux11: access is nice too
(16:05:50) wicux11: earlier I did create a user
(16:05:52) wicux11: but I deleted it
(16:06:16) myFriend: shit
(16:06:23) myFriend: so, for us to get something out of it
(16:06:26) myFriend: what's the best thing to do
(16:06:36) wicux11: close it off
(16:06:41) wicux11: only allow
(16:06:43) wicux11: our IP
(16:06:46) wicux11: then it's a big win
(16:06:50) wicux11: :D
(16:07:00) myFriend: the commands
(16:07:01) myFriend: :D
(16:07:05) wicux11: dunno
(16:07:07) myFriend: what are the commands
(16:07:08) wicux11: it's definitely possible
(16:07:08) myFriend: :D
(16:07:09) myFriend: hehehe
(16:07:14) myFriend: wait
(16:07:14) myFriend: :D
(16:07:15) myFriend: >:)
(16:07:18) myFriend: let me google first
(16:07:21) wicux11: damn, AI
(16:07:26) wicux11: you didn't get in
(16:07:31) myFriend: hahaha
(16:07:31) myFriend: busted
(16:07:34) myFriend: I'm going to [sensored], damn it
(16:07:46) wicux11: dammit
(16:07:48) wicux11: crap
(16:07:51) wicux11: I've got an assignment
(16:08:31) wicux11: due now
(16:10:13) myFriend: :P
(16:11:25) myFriend has signed off.
(16:12:01) wicux11: damn
(16:12:08) wicux11: if you can do the [sensored].ac.id one
(16:12:11) wicux11: teach me
(16:12:37) myFriend has signed on.
(16:12:58) myFriend: sure
(16:12:58) myFriend: :P
(16:13:01) wicux11: cool
(16:13:04) wicux11: give me the syntax
(16:13:09) wicux11: just the URL directly
(16:13:10) wicux11: :D
(16:13:12) myFriend: hang on
(16:13:15) myFriend: step by step
(16:13:19) wicux11: okay

(16:13:20) myFriend: http://www.[sensored].ac.id/agenda.[sensored].php?id=155

(16:13:23) myFriend: that's an example
