SQL Vulnerable Sites [Part-3]




http://lemaspinede.fr/reservation.php?id=6
http://purchase.filmweb.no/TicketSal...?showid=679909
http://rent-in-odessa.com/ru/details.php?id=504
http://rocknload.oversa.be/reservati...Form&showId=90
https://secure.modwest.com/sagespasa...php?exp_id=156
http://secure.terrys.net/viewProduct...ctID=PT.39-210
http://shop.westcoastmetric.com/usef...?linkID=Link.7
http://site2host.com/cms.php?cat_id=1607
http://softbe.pl/produkt.php?id=3
http://spcala.com/ecommerce/store.ph...start=0&pic=53
https://ssl.sv24.com/dynatech/produk....php?prod=3841
http://tagursmile.com/viewproduct.php?id=210&cityid=1
http://www.advertuganda.com/buyoffers.php?pg=2&cid=0
http://www.brightpointforchildren.or...communityid=87
http://www.bulbrok.com/paymethod.php?shipID=2
http://www.bvivacation.com/british-v...wnews.php?id=7
http://www.cancun-fishing-charter-co...ation.php?id=7
http://www.caravan-24.de/wagen.php?aktion=showdetails
http://www.cd-lab.com/viewProduct.php?product=345
http://www.christianword.org/new/tes...timony&id=1161
http://www.ck-modelcars.de/sites/produkt.php?id=8022
https://www.cooperslake.com/home/sli....php?photoid=0
http://www.corissia.com/web/en/reser...m=instructions
http://www.cubabedroom.com/reservation.php?id=20
http://www.d3d.co.il/Product.aspx?cid=3&pid=4
http://www.dfpk.eu/produkt.php?id=12
http://www.dio-dipo.co.il/ProductInfo.asp?ProdId=1426
http://www.disc-order.com/en/detail....MERO=101004687
http://www.epicurean.com.hk/new/reservation.php?id=43
www.esthetic-beauty.de/produkt.php?id=9&pid=
http://www.eurostarrental.com/findra...s=3&FindRates=
http://www.freedio.co.il/ProductInfo.asp?ProdId=2235
http://www.goa-tourism.com/reservation.php?id=1
http://www.harter.it/de/produkte.php?c=18
http://www.helloromania.eu/promo/pro...ads=142&page=3
http://www.hummeraccessories.cc/prod...?class=5&cat=9
http://www.johnellis.com/viewproduct.php?p=5&c=1
http://www.kkdayahotel.com/reservation.php?id=3
http://www.koracing.net/viewproduct....er=3&product=1
http://www.kwikpay.com.au/demo2.php?Country=au
http://www.lakesideharley-davidson.c...egory_id=47860
https://www.madisoncomedy.com/comicl...trow=0&alpha=G
http://www.maordeal.co.il/Product.asp?productid=2364
http://www.mbtagifts.com/shop.php?c=12&pt=16&t=1
http://www.meinsanitaetshaus.de/produkt.php?id=3576
http://www.misradia.co.il/product?selected=15548
http://www.nepaligroups.com/folk-son...tion=play&id=1
http://www.officer.co.il/shop/Produc...sp?Category=35
http://www.paravion.ro/userinfo.php?uid=1
http://www.perfectionlearning.com/vi...ductID=3860801
www.pharmaceris.pl/en/line.php?id=115&podzial=5
http://www.pnb.org/Season/Subscripti...px?pkg=13EFULL
http://www.qhealth.co.nz/html/viewProduct.php?id=1344
https://www.scottdawson.org/products/view.php?cn=11
http://www.bitshacking.com/index.php?pid=3
http://www.sk8erboy.eu/shop/kategori...verses&lang=en
http://www.sundaybreakfastmission.org/story.php?did=79
http://www.theonestore.it/result.php?cat=3
http://www.vacances-directes.com/fr/...ex.php?idemp=5
http://www.vangi.com.au/detail.php?no=89
http://www.warwick.de/modules/produk...ID=14460&cl=EN

WordPress Security Checklist


Basic Checklist:

1.  Rename user Admin to something else.
2.  Change the ID field on the first user from 1 to something else.
3.  Enforce strong password requirements for all system users.
4.  Don't let anybody but admins see available WP updates.
5.  Remove the ability for non-admins to modify theme files.
6.  Tweak the database so tables aren't prefixed with wp_.
7.  Don't use the MySQL root user to access the database.
8.  Limit the MySQL account used to the site database only.
9.  Restrict the MySQL account so it can't perform destructive actions (e.g. DROP).
10. Give the MySQL account a very long, randomised password.
11. Don't allow the server's root user access via SSH. Use an account with sudo privileges instead.
12. Ensure all the secret key fields in wp-config.php are completed with 16-bit SHA keys.
13. Disallow indexes on all site folders.
14. Hide the admin area.
15. Rename the wp-content directory to something else.
16. Block bad hosts and agents with blacklists.
17. Make any .htaccess files and wp-config.php non-writeable.
18. Make the admin area inaccessible outside of work hours (handle this one with care).
19. Schedule regular database backups.
20. Restrict the length of allowed URLs to 255 characters or less.
21. Require SSL connections on the admin area (if possible; this one has an on-cost attached).
22. If possible, install and run server-side antivirus software such as ClamAV.
23. Consider restricting the server's FTP service to only accept connections from certain, whitelisted IP addresses (only applicable if you have at least one static IP).
24. When deployment is complete, consider stopping the server's FTP service completely. You can always temporarily switch it on again if required.
25. If your web server allows proxying (for example, if you're load-balancing), ensure it's not configured as an open HTTP proxy.
26. Remove any open SMTP proxies on your server.
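Several of the checklist items (5, 6, 7-10, 12 and 21) come down to settings in wp-config.php. The file below is an added example of what those items look like in one place; it is not the checklist author's configuration. It assumes a stock WordPress install, and every database name, user, password and key value in it is a placeholder that must be replaced. The database grant shown in the comment is likewise a constructed example of a least-privilege account, not a command from the page.

```php
<?php
/*
 * wp-config.php hardening: an added example, not the checklist author's own
 * configuration. Assumes a stock WordPress install; every placeholder value
 * (database name, user, password, key material) must be replaced before use.
 */

// Items 7-10: a dedicated, least-privilege MySQL account instead of root.
// A DBA creates it with something like (constructed example, not from the page):
//   CREATE USER 'site_db_user'@'localhost' IDENTIFIED BY '<long random password>';
//   GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX
//       ON site_db.* TO 'site_db_user'@'localhost';
// Core upgrades and plugin uninstalls occasionally need DROP on their own
// tables, so expect to grant it temporarily when one of them fails.
define( 'DB_NAME',     'site_db' );                              // placeholder
define( 'DB_USER',     'site_db_user' );                         // placeholder
define( 'DB_PASSWORD', 'REPLACE-WITH-A-LONG-RANDOM-PASSWORD' );  // placeholder
define( 'DB_HOST',     '127.0.0.1' );
define( 'DB_CHARSET',  'utf8mb4' );
define( 'DB_COLLATE',  '' );

// Item 6: database tables are no longer prefixed with wp_.
$table_prefix = 'k7x3_';                                         // placeholder

// Item 12: unique keys and salts. Paste the output of
// https://api.wordpress.org/secret-key/1.1/salt/ over these placeholders;
// never leave the sample file's "put your unique phrase here" text in place.
define( 'AUTH_KEY',         'REPLACE-ME' );
define( 'SECURE_AUTH_KEY',  'REPLACE-ME' );
define( 'LOGGED_IN_KEY',    'REPLACE-ME' );
define( 'NONCE_KEY',        'REPLACE-ME' );
define( 'AUTH_SALT',        'REPLACE-ME' );
define( 'SECURE_AUTH_SALT', 'REPLACE-ME' );
define( 'LOGGED_IN_SALT',   'REPLACE-ME' );
define( 'NONCE_SALT',       'REPLACE-ME' );

// Item 5: remove the theme/plugin file editor from the dashboard for everyone.
define( 'DISALLOW_FILE_EDIT', true );

// Item 21: serve the login page and the whole admin area over HTTPS only.
define( 'FORCE_SSL_ADMIN', true );

// Related to item 5: stop non-admin authors from posting raw HTML and scripts.
define( 'DISALLOW_UNFILTERED_HTML', true );

/* That's all, stop editing! */
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
```

Item 17 then applies to this file itself: once the values are in place, make wp-config.php read-only for the web server user, because every secret above is only as safe as the file that holds it.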


Wordpress Security


Pheww...!! It's been so long since I posted something interesting. I really apologize for the delay. Let's get started :D

In my previous tutorials, I explained how to hack a website (that was for educational purposes only) and also how to upload a shell. Now it's time to secure your website from various attacks.


What is WordPress? 

It is an open-source website creation tool written in PHP, and it is the easiest and most powerful blogging and website content management system.

With the growth of the digital market, more and more people are creating websites to establish their presence in this digital world, so there is a need to secure that world as well.



WordPress Security 

1. Disable custom HTML when possible

Add this line to the wp-config.php file:

define( 'DISALLOW_UNFILTERED_HTML', true );

2. Remove all Default posts and comments

Remove all default posts and comments. If malicious hackers find those on your site, it may indicate to them that you have a new WordPress site which can be easily cracked.

The generator meta tag in the page head also advertises the WordPress version. To stop printing it, edit this file: wp-includes/general-template.php

Before:

function the_generator( $type ) {
    // Prints the <meta name="generator"> tag, which reveals the WordPress version.
    echo apply_filters( 'the_generator', get_the_generator( $type ), $type ) . "\n";
}

After Security:

function the_generator( $type ) {
    // The echo is commented out, so the generator tag is never printed.
    # echo apply_filters( 'the_generator', get_the_generator( $type ), $type ) . "\n";
}

Note: make sure a hash is placed in front of the echo command. Core updates overwrite this file, so re-apply the change after each upgrade.

3. Delete wp-admin/install.php and wp-admin/upgrade.php

Be sure to delete /wp-admin/install.php and /wp-admin/upgrade.php after every WordPress installation or upgrade.

4. Hide indexes

Open the .htaccess file and add this line (the minus sign is what turns directory listings off):

 Options -Indexes


5. Block Some Crucial Directories

Your site's wp-includes/ directory is the most important one to block.

Find the site's .htaccess file and insert:

 RewriteEngine On
 RewriteRule ^(wp-includes)\/.*$ ./ [NC,R=301,L]

If there are subdirectories, then use this code:

 RewriteEngine On
 RewriteRule ^(wp-includes|subdirectory-name-here)\/.*$ ./ [NC,R=301,L]

Note that WordPress loads its own JavaScript and CSS from wp-includes/, so check that the front end and the admin area still render correctly after adding this rule.

6.  Secure your Admin page with YUBICO

 http://www.yubico.com/ = PAID plugin

7.  Limit Login Attempts


Limit the number of login attempts possible, both through the normal login form and via auth cookies.

http://wordpress.org/extend/plugins/login-lockdown/
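The following must-use plugin is an added example covering items 2 and 7 above; it is not the post author's code and not the Login LockDown plugin linked above. It shows the update-safe way to drop the generator tag (unhooking it instead of editing a core file) and a minimal failed-login lockout built on stock WordPress hooks only. The attempt limit, the lockout window and the function and constant names are the example's own choices; it assumes the web server reports the client address in REMOTE_ADDR.

```php
<?php
/**
 * Plugin Name: Hardening helpers (added example)
 *
 * Added example, not the post author's code or a published plugin.
 * Save as wp-content/mu-plugins/hardening.php; must-use plugins load
 * automatically. Only stock WordPress hooks are used; the limits and the
 * function/constant names are this example's own.
 */

// Item 2, the update-safe way: unhook the generator meta tag instead of editing
// wp-includes/general-template.php, which the next core update overwrites.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Item 7: lock a client out after repeated failed logins, using transients so
// no extra table is needed. Values below are this example's choices.
define( 'HARDEN_MAX_ATTEMPTS', 5 );
define( 'HARDEN_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

function harden_attempt_key() {
	// Use REMOTE_ADDR only: an X-Forwarded-For header is client-controlled
	// unless a trusted proxy in front of you rewrites it.
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
	return 'harden_fail_' . md5( $ip );
}

// Count each genuine failure; the transient expiry doubles as the lockout window.
// Failures caused by the lockout itself are skipped so the window does not
// keep sliding forward while the client is already locked out.
add_action( 'wp_login_failed', function ( $username, $error = null ) {
	if ( $error instanceof WP_Error && 'too_many_attempts' === $error->get_error_code() ) {
		return;
	}
	$key   = harden_attempt_key();
	$count = (int) get_transient( $key );
	set_transient( $key, $count + 1, HARDEN_LOCKOUT_SECONDS );
}, 10, 2 );

// Priority 40 runs after core's password (20) and auth-cookie (30) checks, so a
// locked-out client is refused even when the credentials are finally correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	if ( (int) get_transient( harden_attempt_key() ) >= HARDEN_MAX_ATTEMPTS ) {
		return new WP_Error(
			'too_many_attempts',
			'Too many failed logins from your address. Try again in a few minutes.'
		);
	}
	return $user;
}, 40, 3 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function ( $user_login, $user ) {
	delete_transient( harden_attempt_key() );
}, 10, 2 );
```

Because the counter is keyed on the client address, shared NAT addresses can be locked out by one misbehaving user, and a distributed attacker spreading attempts over many addresses is not slowed down; that is why item 11 (two-factor authentication) still matters alongside any rate limit.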



8.  Server Side Scanning Online FREE

Web malware continues to evolve, making it challenging to detect using only HTTP fingerprinting techniques, such as the ones Site Check is restricted to.



9. Install Wordpress Security Scan Plugin


This is a good plugin which scans your WordPress installation and gives suggestions accordingly. This plugin will check the following:

·     Passwords
·     File Permissions
·     Database Security
·     Wordpress Admin protection 




10. Automatically Backup your site



11. Two Factor Authenticator

The Google Authenticator plugin for WordPress gives you two-factor authentication using the Google Authenticator app for Android/iPhone/Blackberry.


12. Using .htaccess file as a FIREWALL

 RedirectMatch 403 \
 
13. Clean out Old Unneeded Core Files

Clean out old unneeded core files with help from this free Wordpress plugin:



14. Activate Akismet Plugin

To block comment spam automatically, use Akismet, which is a WordPress plugin.

15. Monitoring Your Wordpress


16. Hide Your Login Page


17. Content Security

 Try checking http://copyscape.com/


18. Check for Exploits

 http://wordpress.org/extend/plugins/exploit-scanner/                                                                

19. Select Email Address as Your Login Key


20. Change Database Prefix Plugin

 
21. Keep a log of Wordpress PHP and Database Errors


22. Outstanding Security Plugin




23. Website Defender Plugin


24. Maintenance Mode Plugin




Amit Vijayan

Hack Ethically

About Me


I am an engineering student and I am very dedicated to Ethical Hacking. I have been learning "Ethical Hacking" for about 4 years now.
Though I'm not a pro hacker, I'm also not a noob. I have enough knowledge to give others like me a start in Ethical Hacking & Cyber Security. As I keep learning new things, I keep updating them on the blog, from basic to advanced level.
I started Ethical Hacking as a hobby, which has now turned into my passion, and I'm sure I will turn it into my profession through this blog.

Always be an Ethical Hacker.