Now to the good stuff. It’s really an easy process, and this is just one of many ways you can do it:

Download and install Piwik to a folder outside your publicly accessible space.

Create symbolic links to each of your domains folders:

cd domain1/
ln -s ../piwik/ track
cd ../domain2/
ln -s ../piwik/ track
cd ../domain3/
ln -s ../piwik/ track

etc…

Add meta nofollow tags to the templates:

<meta NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW" />

plugins/Login/templates
plugins/CoreHome/templates

And add it to piwik/robots.txt if you want:

#Disallow everything
User-agent: *
Disallow: /
Disallow: /*
Disallow: */*
Disallow: *.*
Disallow: *
Disallow: .

Next you can log in to your Piwik install from any of your domains like this:
http://domain1.com/track/

Then you can add your site and it will create tracking code for the domain your are logged in from.

You can manage and view your data for any domain from any other domain since its a single installation.

Backtrack 4 APT repo

http://archive.offensive-security.com/

Backtrack 4 Pre Final Screens

Backtrack 4 Pre Final Firefox Info

User Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/8.10 (intrepid) Firefox/3.0.11

Enabled Extensions: [2]

• NoScript 1.9.3.3
• Ubuntu Firefox Modifications 0.6

Disabled Extensions: [5]

• Firebug 1.3.3
• FoxyProxy 2.9
• Greasemonkey 0.8.20090123.1
• HackBar 1.3.2
• Tamper Data 10.1.0

Backtrack 4 Pre Final Tutorial/Guide PDF

http://www.offensive-security.com/backtrack4-guide-tutorial.pdf

Introduction to BackTrack 4 movie

http://www.offensive-security.com/videos/backtrack-security-training-video/up-and-running-backtrack.html

Backtrack 4 Pre Final Subforum

http://forums.remote-exploit.org/backtrack-4-pre-final/

Download Backtrack 4 Pre Final Release ISO (1329MB)

http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-prefinal-iso

Once you’ve gotten the hang of these steps, you may wish to look at more advanced GIMP tutorials that will show you how to add special effects to your text and graphic.

Video demo:
[youtube]http://www.youtube.com/watch?v=Fwe8LKklPEM[/youtube]

Companion PDF:

http://nukeit.org/pub/ec125gimp.pdf

If you like this tutorial, be sure to give it a stumble or digg so others can find it too

Introduction.

You probably know requesting a carefully constructed URL can inject code into the log file, which you (or the admin) can run the next time that log is viewed. I’ve seen very popular and semi-commercial apps do this, and even leave the log file open for anyone to view with minimal protection. The goal of this paper is to show you that a php error log is a more viable target than your typical apache log or other common methods of command injection.

Many, if not all, LFI/RCE tutorials out there fail to recognize the potential for injection with PHP’s own error log, which in many cases is more likely to be accessible to the public, or rather the user that Apache is running under. Custom log files will always be within users home folder or a similar area that is usually within open_basedir or safe_mode restrictions, whereas the typical Apache log file is not. Also, there are more than a few scripts that place PHP’s errors or their own inside a web accessible file (such as errors.php) which will give the exploiter a better opportunity to obtain access even faster.

Techniques.

More often than not, however, the log file is generated by php.ini or iniset. In these cases, the log file won’t execute like a PHP script does, and you will need an LFI vulnerability to exploit it. In such cases, you can refer to your typical LFI to RCE for more info, just think of it in terms of injecting PHP code into a PHP error log rather than Apache’s. The beauty here is that people will quite often try to bypass their host’s restrictions by creating their own php.ini with its own error logs pointing to a public directory for easy access. The real key here is filter evasion.

Most of the scripts that log errors have some sort of filter that is usually geared toward XSS prevention, which are fairly easy to bypass with the usual methods. There are some, however, that do nice things like converting special characters to HTML entities (<> to &lt; &gt; for example). If you open the log and see this, you might as well move along

If you find an LFI and an accessible PHP error log, you can exploit it all on one page since you’ll typically see an error for an invalid include.

Examples.

Here are a few useful one liners that you can use.

This will reset the file for you, giving you a blank slate to work with.
<?fclose(fopen('errorlog.php','w'));?>

This is a standard RCE passthru command:
<?passthru($_GET[cmd])?>

Which of course can be used like so:
http://url/errorlog.php?cmd=who

Notice how the spaces are missing, which is helpful when sending requests via telnet or the like. If you put in a space, you’ll end up with broken code since Apache is looking for the protocol like HTTP/1.0. You may find a server with mod_rewrite code to fix this, but it’s pretty rare. If you have problems with getting the page to log the command, you can always try some quoting and null chars like this:

index.php?page=%00'"><?passthru($_GET[cmd])?>

If you happen upon a server with shortags turned off, you can try this:
<?php;phpinfo();?>

A note about security.

Some CMS/Portals use or something similar at the top of their log file to avoid executing anything that gets logged afterward. It is funny, however, how none of the ones I’ve encountered will put it back after the log is manually (or automatically) reset

Some of the most secure scripts out there are vulnerable to this attack. Happy hacking!

This tutorial will show you how to set up GPG for use with Firefox and Gmail on Win32 and Linux systems.

What you need:
Firefox
GPG

GPG allows to encrypt and sign your data and communication, features a versatile key management system as well as access modules for all kind of public key directories.

Win32: gnupg-w32cli-1.4.9.exe is the latest at this time.
Linux: gpg should be installed by default on most distros, if not, you’ll need to get the tar.gz and do the compile dance:
tar xvzf gnupg-?.?.?.tar.gz
./configure
make
(sudo) make install

FireGPG

FireGPG is able to detect PGP blocks in any page (for example a public key), and lets you easily manage these different blocks.

A movie or some other large file. It seemed to speed up generating my 4096-bit keys considerably.

Once you’ve installed the binary and Firefox plugin, you need to generate a new key.
Win32:
Start > Run > cmd
cd \
cd "Program Files\GNU\GnuPG"
gpg --gen-key

Linux:
Open a terminal and type:
gpg --gen-key

Tips:
Use a random password generator to generate a strong password.
Answer the questions, defaults are ok. When it starts to generate a key, start watching your movie.

Now, open up Firefox and verify that FireGPG has automatically found your new key:
Tools > FireGPG > Key Manager
You should see your new key in the list.

Now you can test it in Gmail by sending yourself a message with “Clear sign and send” option:

FireGPG has a bunch of other features that you’ll become familiar with as you browse the web from day to day. Gmail is really popular, so I figured this would be the best example of its usage. Leave a comment if you have found other unique tips that you want to share.

In this example we want to find a way into the servers that host our unfriendly competition.

First thing we should do is find out what services they have running.
I prefer YouGetSignal’s Open Ports Tool, it’s almost like an web based nmap quick scan:

http://www.yougetsignal.com/openPortsTool/

Put your target’s IP into the box
At the bottom right of the page, click Scan all common ports
I haven’t checked to see what data they collect or send, so it would be wise to use this tool via a proxy.

Once you have the open ports (if any), write them down somewhere.

The next thing I like to do is check what other domains are hosted on that IP. This is especially useful if they are on a shared hosting plan. Just because the target has locked down his website doesn’t mean that everyone else on his box has too.

I prefer the web based lookup tool at MyIPNeighbors.
This site does not proxy anything, so use your own.

http://www.myipneighbors.com/

Even if the target is on a dedicated or VPS, you will likely see other domains or subdomains they have registered.

Once you have checked other domains for entry points (i hope you found one:)) we can move on to my next favorite web based tool.

http://serversniff.net/ is a free “swiss army knife” site with tons of nice features.

I will focus on its subdomain search, as it has proven very handy for finding “secret” subdomains such as admin.foo.com and other stuff you won’t find on google…
This is likely a dictionary based search, so don’t expect to find ai4038502.foo.com or whatever.

Once you have found some (hopefully vulnerable) subdomains, you may notice that some of them have different IP addresses from the original. Go search for those on myipneighbors and look for more possible entry points. Repeat this process until you have mapped out pretty much everything web related for your target.

Here are a few other web based tools that offer similar free services that can be helpful:
http://news.netcraft.com/ ye olde faithful. Can tell you what a site is running, known subdomains, similar TLD’s and other handy info.

http://centralops.net/co/DomainDossier.aspx another nice web tool, has service scan, whois records, etc.
http://centralops.net/co/ btw has a bunch of other tools, none really unique though.

I hope this tutorial has shown you something about the power these web based tools can add to your arsenal.

Now you need to find some new apps to scan. Go to sourceforge.net and search for some:

1. Advanced search
2. Under Project Categories, expand Internet, WWW/HTTP, then check Dynamic Content.
3. Set Start Date and End Date to today. or the previous day (sometimes I even find stuff for tomorrow!)
4. Set Exclude Projects without files.
5. Hit search.
6. Typically, I sort by downloads. Now grab a bunch of new apps.
7. Make sure you are getting LAMP/WAMP apps and not WAR/JAR files. I will cover tomcat scanning another day.
8. Install them to your LAMP (or WAMP) box and make sure you have the mysql db’s users, configs, file/folder permissions, etc all correctly configured.
9. *Optional* You may want to browse around through your new sites to find some unique identifiers to use as dorks for google.

Once you have several sites running, its time to start scanning. If you are a windows user, I can’t really give you a recommendation for which tools to use. I have never been satisfied with the results of the mainstream commercial vulnerability scanners such as Acunetix, or pretty much anything on http://sectools.org/web-scanners.html… although nikto does serve its purpose.

Here are two scanning tools that I will cover. PSA3 has a GUI and both produce HTML results for easy double checking.

http://packetstormsecurity.org/filedesc/PSA3.zip.html

http://developer.spikesource.com/projects/phpsecaudit/

There are about a million tools out there, I use these two with good results. PSA is good for a quick scan, but it’s generally more adept at finding XSS than anything else. Spike’s tool seems to find nearly everything wrong with the code, but typically finds a lot of false positives because of if/die “security” declarations in admin/include scripts.

Other options include Firefox addons, which are a good option because firefox is universal.

You can find 2 plugins for scanning XSS and SQL here:

http://www.securitycompass.com/exploitme.shtml

There is also Technika (they have not released the full framework yet)

http://www.gnucitizen.org/projects/technika/

Steps for PSA:

1. Firstly ensure that Register_Globals is On in php.ini
2. Copy psa to your htdocs root.
3. perl psa.pl
4. Test run.
5. If everything is good, click create shell then scan.

Once it is finished (be patient), it will display the results in the window.
You can open results.html in your htdocs folder to get clickable links to the exploits
Check each one to make sure that its not a false positive.
*Recommended* Google for a live site running the same software (or an older version) and test it.
*Optional* Send the bug to the devs

Steps for phpsecaudit:

1. Firstly this requires php 5, so if you’re using xampp make sure you have php 5 turned on (default)
2. Copy it somewhere
3. Open your terminal
4. php run.php –src /path/to/htdocs
5. Open output/index.html in your browser

Here you will see the errors that it found, you will have to check them by hand. (which i will hopefully go into detail about later)
This tool is very detailed and will probably show a metric fuckton of false positives, which a leading expert in this field recently described as extremely gay.
The main thing I look for with this tool is RFI, which is relatively easy to test.

Steps for XSS Me and SQL Me firefox plugins:

1. Browse to a page with a form.
2. Tools XSS Me or SQL Me > Open toolbar
3. Run All tests

On a cautionary note, XSS Me uses vbscript on the All tests. Linux doesn’t know wtf to do with that by default which causes firefox to fuck up… so don’t run full scan unless you are using windows.

Another good thing about these plugins is that its a real browser test, so there are going to be a lot fewer false positives (if any).

If you are up to it, here is a pretty big list of webfuzzers/scanners:

http://www.owasp.org/index.php/Phoenix/Tools

I’ll get around to testing them one day.

I hope this has been helpful to the newbs out there. Feel free to leave comments. 1337 D00dZ nonsense will be deleted