Messages - luverose

1
Where is the tool's source code? I'm not satisfied with closed source software :P

2
Beginner's Corner / Re: Who have seen this kind of encryption?
« on: February 05, 2015, 06:00:17 am »
Can you tell us what kind of websites?
A shopping website & an information security training website
Code:
ShiHang_TodayReachShopping=; ShiHangCity=SZ; SENGINX-SESSION-ID=07a333136fa6ce1e76ada74f0e5c3432; hasshown=1; Hm_lvt_9009849caed7e6fee87308f63a777730=1423084256,1423087811,1423087815,1423099372; Hm_lpvt_9009849caed7e6fee87308f63a777730=1423112060; Nop.customer=23651280-15a6-474a-b10c-3c9ac4d29a00
This is a part of the cookie belonging to that shopping website :)

3
Beginner's Corner / Who have seen this kind of encryption?
« on: February 04, 2015, 10:20:13 pm »
Hey guys
Recently I saw a lot of websites encrypt their strings like this kind of ciphertext
0a9a128c-1d2d-4290-9dff-ec8b28f4c968
Does anyone have any idea what it is called?
I want to know, thanks ;D

4
Hacking and Security / Re: Learning how to hack
« on: December 13, 2014, 10:12:53 pm »
Some people have a different view on this, but I don't think that google is enough.

You cannot find stuff yet, because you need to learn the basics first. That includes the terminology and the basics of how programs work, the computer works, website requests work, etc. The exact topic depends on the kind of "hacking" you want to learn. Someone who wants to crack software will have to learn entirely different things than someone who wants to find vulnerabilities in websites. Concentrate on one thing first. Don't try to do all of it at once.

If you don't know a programming language yet or not well enough, start with learning one. You will need it.

Apart from that, as you say you don't know how to learn, this is a personal topic. People have different learning styles. So try different things. Some people make notes all the time while they browse for stuff. Some learn by doing, they have an idea or a project and see what they need to learn in order to solve it. Others like to read a lot of books and get a lot of knowledge prior to jumping into any projects (moi). And then there might be people who just look under the hood of things that are already there, changing small things and see what happens.

You also have to find out, which media is good for you. Do you like to read books? Real books or rather e-books? Do you need to talk to people about stuff? Do you prefer videos? A lot of people say they like videos, but be cautious. There are studies showing that learning from them does not work well, although you might think you do.

Try stuff out and see what suits your personal learning style. Hack learning to learn hacking. ;)

Also, once you know the topic and the programming language you want to learn, we can also give you advice on learning resources.
E.g. Lena's tutorials which were mentioned above are a perfect resource for reverse engineers (people who look under the hood of programs, e.g. for cracking them or for malware analysis). However, you need to learn assembly before you start reverse engineering. Lena's tutorials are actually the second step.

So steps for you to do:
1. Define the topic you want to dive into
2. Look for basic resources on the topic. If you don't find any, ask.
It's really helpful

5
Found it on the Webs / Re: Excelent iptables/networking book.
« on: December 04, 2014, 10:15:45 pm »
Thanks very much! I was just looking for this!

6
I don't get it

7
By the way, guys, if you find any grammar mistakes or anything that I expressed wrongly, please point it out to me and let me correct it :D

8
0x00 Preface
Code:
1.Input account
2.Verify the identity of account
3.Reset password
4.Done
-----------------------------------------
Usually the common insecurity factors exist in steps 2 and 3. Let's see some common reset password bugs! :P

0x01 Enumeration
1. This kind of password reset is frequently used by websites: confirming a phone verification code to reset the password. This design is usually part of the password retrieval steps. The system sends a code to your phone, and if you input the right one, you can then reset your password.
    They are designed to use 4-6 digits to verify the password, which are simple, purely numeric codes. What's more, they don't limit the number of times the simple code can be verified.
Let me give you an example: if you have a common laptop and you want to use Burp Suite to burst four numbers, you just need to wait 2 mins and the job will be done, because 4 numbers only have ten thousand possible combinations, which your computer can enumerate in a very short time.
    Let me show you some pictures.
    This is a phone verification code reset bug [ps: I'm Chinese and I can't find any similar examples in English, so the examples will use Chinese websites ;D ]

2.  Same as verifying a phone code, some websites will email you a code to reset your password. The principle is the same, so we will not go into details ::)
  Let me show you some examples too

0x02 Replace the URL of reset password
1. Some websites send a URL to reset your password. The URL must have two essential parameters: the user name (or UID, some parameter that represents the user) and an encrypted string (something the system encrypted, which is used to verify your identity).
This encrypted string, which is sent to your email, logically should be designed one-for-one. But by some mistake this encrypted string could be "one-for-anyone" :'(

1. http://login.evilzone.com/resetPass?username=[attacker]&code=[a05e9dd6-e64d-4a5a-9364-60499d78c9aa]&email=[attacker's email address] ------ click it.
2. Attacker receives an email that includes http://login.evilzone.com/resetPass?username=[attacker]&code=[a05e9dd6-e64d-4a5a-9364-60499d78c9aa]&email=[user1's email address]
2. Attacker replaces some parameters, like http://login.evilzone.com/resetPass?username=[Victim]&code=[a05e9dd6-e64d-4a5a-9364-60499d78c9aa]&email=[attacker's email address]

0x03 CSRF
This could be a bit harder to introduce, so I will put it in an XSS analysis topic.
 ;) Thanks for watching, see ya
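
A server-side check that closes both weaknesses described in 0x01 and 0x02, added here as an example and not part of the original post: the code is stored against exactly one account, expires, is single-use, and is thrown away after a fixed number of wrong guesses. `ResetStore`, `MAX_ATTEMPTS` and `CODE_TTL` are hypothetical names and assumed policy values.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5   # assumed policy: wrong guesses allowed per issued code
CODE_TTL = 600     # assumed policy: code lifetime in seconds


class ResetStore:
    """Server-side state for password-reset codes (illustrative, in-memory)."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # username -> [code, expires_at, attempts_left]

    def issue(self, username):
        # CSPRNG, fixed width; issuing again replaces any older code.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = [code, self._now() + CODE_TTL, MAX_ATTEMPTS]
        return code  # delivered out of band (SMS or e-mail), never in a response

    def verify(self, username, submitted):
        # The lookup key is the account the code was issued for, so swapping
        # the username in the request cannot reuse someone else's code.
        entry = self._pending.get(username)
        if entry is None:
            return False
        code, expires_at, _ = entry
        if self._now() > expires_at:
            del self._pending[username]
            return False
        entry[2] -= 1  # every guess costs an attempt, right or wrong
        ok = hmac.compare_digest(code, submitted)
        if ok or entry[2] == 0:
            # Single use on success; on lockout a new code must be requested.
            del self._pending[username]
        return ok
```

With five attempts against a six-digit code, a guesser succeeds with probability 5 in 1,000,000 per issued code, so the number of codes that can be requested per account should be rate-limited as well.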