Archive for the 'Security' Category

Distributed hash cracking through Javascript

Mad ideas always score, and this one is almost finished! The basic idea of this project is to use the CPU of our visitors for cracking password hashes (MD5, SHA1 or something like that).

The code I have so far is quite simple, it works like this:

Step 1: generate a MySQL table filled with the so-called "ranges" or "blocks". A block is one slice of the candidate space, i.e. of the total amount of hashes you want to generate to crack your hash. For example, the blocksize I'm currently using is 50, so if I want to generate a million hashes, I create 20,000 blocks.

Step 2: create a server-side script for the AJAX call in the Javascript cracker. The server script is written in PHP and returns a random, uncompleted range from the database.

Step 3: the moment a user visits a page, the AJAX call fetches a random block from the server and starts cracking it (the blocksize is small, so a block only takes a few milliseconds). When the block is finished, the client tells the server. If the hash is cracked, it tells the server the plaintext too. The server checks that claim itself (no invalid input by evil users, kthxbye) and, if it is correct, removes all remaining blocks.

The main issue here is that you need a huge website to get really good speeds. RandomBase receives around 3 hits / second, which with a blocksize of 50 means only 150 hashes / second.

str_replace isn’t recursive

It's funny how some people couldn't wrap their heads around this exploit challenge. Well, if you don't know how the function works, it's hard to see. But as the post title already says, str_replace() isn't recursive: it makes a single pass over the string, so it isn't always safe to use as a filter.

When protecting against LFI (local file inclusion), a programmer sometimes decides to block access to parent directories with something like:

function removeDouble($str)
{
return str_replace('..','.',$str);
}

Assuming there are never more than two consecutive dots in $str, this works. But enter "..." and str_replace() replaces the first ".." with "." and moves on, leaving the third dot untouched: the result is "..", which is excellent for reaching higher directories from the PHP script.

Example:

<?php
// Deliberately vulnerable example: the filter runs once, so "..." comes out as "..".
function removeDouble($str)
{
return str_replace('..','.',$str);
}
// file_exists() and include() both happily follow ../ out of the script's directory.
if(file_exists('./'.removeDouble($_GET['page'])))
{
include('./'.removeDouble($_GET['page']));
}
?>

Exploit: index.php?page=.../.../etc/passwd (after one pass of the filter this is ../../etc/passwd)

Please leave your country

Funny, yesterday Tom and I were talking about the impossibility of creating a webpage that doesn't log a thing, thus being the only page on the internet that doesn't invade your privacy. But apparently the capital of my country, Brussels, decided there is still too much privacy, by signing an agreement with the most privacy-invading country in the world: the United States of America, you might have heard of it.

This agreement currently affects only people in Great Britain, but I wouldn't be too surprised if the whole European Union is affected too, soon enough. The actual law, in short:

American authorities will be able to obtain greater access to private information such as credit card transactions, internet browsing habits and travel histories of people in Britain under a deal being finalised by European Union officials.

According to the agreement, the data is only accessible for a specific purpose, but that doesn't mean shit. They will still search through all the data you have generated in their logs.

Original article: link

Why I don’t have an antivirus or firewall

Companies like Norton and McAfee charge a hell of a lot of money for software that makes sure your computer is unstable and slow, ruins your experience whenever you try a new application, or just locks you out the moment you try to uninstall it. These companies have the nerve to name things w32.evilthing.worm or similar, while their own piece of junk is probably more harmful than the things they attempt to remove.

Let's face it, the software the average computer user buys to "protect" his/her computer is way too primitive and resource-hungry. It is known to be full of bugs, extremely easy for a piece of malware to hide from, and best of all: you can't control shit about it (Norton has maybe twenty configuration options; try making it not start up when Windows does).

But there are more reasons I don't have their junk products: I just don't need them. When I receive a mail from this beautiful Polish lady who would love to chat with me, through her very own chat client, which is of course attached as chat.exe, I realise she is just not right for me. Or when someone advises me to go back to Internet Explorer 4 because it has more advanced features, I might question that person's intelligence (for two reasons: recommending Internet Explorer, and recommending an older version).

After that, there are still two ways of not getting annoyed by malware or attacks. A good one I use is simply misconfiguring your router so that it doesn't accept any incoming connections except HTTP and a few other protocols. The second is the one I'd recommend to everyone: try not to make too many enemies, because not all the virus mails you get are unsolicited spam...

The ultimate captcha

Finally the antispam industry came up with something that works: instead of creating an unreadable image with words that go all over the place, create something that only humans can recognise. The most famous example is "the RapidShare cats". A poll on our homepage showed about 80% hated them, but those people have no idea what poor RapidShare is going through with the captcha crackers.

A common question is "why not just show two pictures, a cat and a dog, and make the human user select one?". The answer is simple: if spammers have a success rate above 5%, they consider it profitable, and a two-way guess gives them 50%. That's why RapidShare combined the pictures with the old text-based captcha.

Personally, I believe the idea is awesome, but the realisation could have been done better and, as usual, less annoyingly for the end user. Maybe they should try some sort of rotating system that shows different types of captchas all the time?

Making stuff undetectable

This has always been a hot topic on forums and will be one for a long time: how do I make X undetectable for virus scanner Y? This is actually quite simple.

There are two main ways a virus scanner "scans":

  1. Signature-based: it checks for a certain byte string in the file.
  2. Behaviour-based: it checks what the file does (e.g. writes to a specific location in the registry or file system).

So this means you need to protect your program in two ways:

  1. Change the bytes the signature matches on. For a binary, re-encrypting or re-packing it, or even adding the slightest piece of code, changes the file; for scripts, wrap them in an encoding like base64, as many layers as you want.
  2. Change its behaviour. This can be done in lots of ways: randomise the install location, use different registry settings, bind the program to other applications, and so on.

Does this only apply to malware? Definitely not. Your application or script can end up on an antivirus vendor's blacklist way faster than you might think (RealPlayer, for example, although they really deserved it), and the process of getting off it again is long and will cost you a lot of users.

AV Arcade v3

I don't feel like writing an exploit, but I want to point out these lines in validate.php of the AV Arcade v3 script:

$userid = $_REQUEST['id'];
$code = $_REQUEST['code'];

$sql = mysql_query("UPDATE ava_users SET activate='1' WHERE id='$userid' AND password='$code'");

Both values come straight from $_REQUEST (GET or POST, take your pick) and are dropped into the UPDATE query unescaped. So much for awesome security.

SMF 1.1.5 Password Cracker

Hey, this isn't new! This is exactly the same as my previous Simple Machines Forum 1.1.4 password hash cracker! Yes, it is. They didn't change the method this time; it's still a very basic SHA1 hash. The download can be found here. If you're interested in a more extensive explanation, head over to my old post.

Couple of exploit challenges

Everyone loves challenges (at least I do), so here are some for you. They all involve bypassing some sort of filter or doing something very basic, so don't expect anything hard here. It's all very obvious; maybe the admin password one will make you stare at your screen for a couple of minutes, not more if you're used to this kind of thing.

Feel free to contact me by commenting on this post with ideas, bugs, bad recognition or the solutions you proudly found to these made-up problems.

Hashing your data, twice

I'm apparently writing too much junk, so here is an idea I had that would limit a lot of the damage from SQL injection.

Instead of hashing your passwords with md5($password), or the safer md5(md5($password)), or even md5(md5($password).md5($salt)), why not try md5(base64_encode($password))? It isn't used nearly enough! I'm talking about websites whose source code isn't open to the public (which rules out any free PHP CMS that hasn't been modified in its password-storing part).

The scenario I'm talking about is the one where your website gets hacked, owned or roflz0rsyousuckpwned through a method that doesn't involve executing system commands but stays at the level of the web application. The first two off the top of my head are SQL injection and XSS.

So the attacker uses SQL injection on index.php, like this:

/index.php?id=1' UNION SELECT password FROM userTable

Alright, he has just retrieved a password that is most likely hashed, with SHA1 or md5 in 90% of cases. If the attacker is dedicated to his job, he'll open up some sweet cracking tool and start reversing it. Now, if you had a weak password, or your co-administrator had one, the attacker will be able to log in. But since the attack didn't involve reading any source code, the attacker doesn't know how the password was hashed; guessing plain md5 was easy, since the hash is 32 characters of a-f and 0-9. Double hashing would work well, but thinking at the level of a script kiddie: PasswordsPro cracks that too. So here comes the fun part: just hash your password like this (play with it, a base64_encode(str_rot13()) in the middle would be fun too :-) ):

md5(base64_encode($password))

Provided the attacker doesn't have your source code, and so can't tell which scheme to feed his cracker, this leaves him with a dumped hash and no obvious way to recover the password.

Note: this method isn't new, just reminding.
