http://www.acunetix.com/websitesecurity/upload-forms-threat/
A good article about the danger of providing a file upload functionality in a web application, and how some of the security mechanisms (such as MIME-type and extension filtering) can actually be bypassed.
http://www.ghacks.net/2013/08/07/how-to-get-click-to-play-working-in-firefox-23-or-newer/
Previously, Firefox can be configured to run plugins on demand by changing a setting in about:config (plugins.click_to_play). In Firefox 23, plugins appear to run by default even with this setting. This article teaches how to get the run-on-demand behaviour back.
A simple PHP script to get a list of a user’s uploaded photos through the Flickr REST API. For each photo, the script gets its title, description, original photo URL and geolocation.
To use the Flickr API, an API Key (Consumer Key and Consumer Secret) and an OAuth Token (and OAuth Token Secret) are needed. An API Key is obtained by registering a new application (http://www.flickr.com/services/apps/create/apply/), and an OAuth Token is obtained by authenticating the user and granting access to the application (http://www.flickr.com/services/api/auth.oauth.html).
PHP Code
<?php
$page = 1;
$hasMorePhotos = true;
while ($hasMorePhotos) {
$timestamp = time();
$url = 'http://ycpi.api.flickr.com/services/rest/';
$parameters
= 'extras=description%2Cgeo%2Coriginal_format'
. '&format=json'
. '&method=flickr.people.getPhotos'
. '&nojsoncallback=1'
. '&oauth_consumer_key=<consumer_key>'
. '&oauth_nonce=0'
. '&oauth_signature_method=HMAC-SHA1'
. '&oauth_timestamp=' . ((string) $timestamp)
. '&oauth_token=<oauth_token>'
. '&oauth_version=1.0'
. '&page=' . ((string) $page)
. '&per_page=500'
. '&user_id=me';
$signatureText = 'GET&' . rawurlencode($url) . '&' . rawurlencode($parameters);
$signatureKey = '<consumer_secret>&<oauth_token_secret>';
$signature = rawurlencode(base64_encode(hash_hmac('sha1', $signatureText, $signatureKey, true)));
$parameters .= ('&oauth_signature=' . $signature);
$curl = curl_init();
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_URL, ($url . '?' . $parameters));
$result = curl_exec($curl);
$resultJson = json_decode($result, true);
if (count($resultJson['photos']['photo']) > 0) {
foreach ($resultJson['photos']['photo'] as $photo) {
echo 'ID: ' . $photo['id'] . "\n";
echo ' TITLE: ' . $photo['title'] . "\n";
echo ' DESCRIPTION: ' . $photo['description']['_content'] . "\n";
echo ' URL: '
. 'http://farm' . $photo['farm'] . '.staticflickr.com/'
. $photo['server'] . '/'
. $photo['id'] . '_' . $photo['originalsecret'] . '_o.' . $photo['originalformat'] . "\n";
echo ' GEOLOCATION: ' . $photo['latitude'] . ', ' . $photo['longitude'] . "\n";
}
$page++;
} else {
$hasMorePhotos = false;
}
}
?>
where <consumer_key>, <consumer_secret>, <oauth_token> and <oauth_token_secret> are obtained through the application registration and user authentication process.
Explanations
while ($hasMorePhotos) {
...
}
Each of API call returns a “page” of photo information, which is a list of at most 500 photos. Hence, a loop is needed to retrieve all pages.
$url = 'http://ycpi.api.flickr.com/services/rest/';
The URL for the API call.
$parameters = 'extras=description%2Cgeo%2Coriginal_format' . '&format=json' . '&method=flickr.people.getPhotos' . '&nojsoncallback=1' . '&oauth_consumer_key=<consumer_key>' . '&oauth_nonce=0' . '&oauth_signature_method=HMAC-SHA1' . '&oauth_timestamp=' . ((string) $timestamp) . '&oauth_token=<oauth_token>' . '&oauth_version=1.0' . '&page=' . ((string) $page) . '&per_page=500' . '&user_id=me';
Form the parameters needed for the API call.
$signatureText = 'GET&' . rawurlencode($url) . '&' . rawurlencode($parameters);
$signatureKey = '<consumer_secret>&<oauth_token_secret>';
$signature = rawurlencode(base64_encode(hash_hmac('sha1', $signatureText, $signatureKey, true)));
The OAuth Signature is generated by hashing the URL and parameters (in lexicographical order), using the Consumer Secret and OAuth Token Secret as hash keys.
$parameters .= ('&oauth_signature=' . $signature);
Append the generated signature to the request parameters.
$curl = curl_init(); curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); curl_setopt($curl, CURLOPT_URL, ($url . '?' . $parameters)); $result = curl_exec($curl);
Use Curl to make the API request and get the response.
$resultJson = json_decode($result, true);
Parse the JSON response.
foreach ($resultJson['photos']['photo'] as $photo) {
echo 'ID: ' . $photo['id'] . "\n";
echo ' TITLE: ' . $photo['title'] . "\n";
echo ' DESCRIPTION: ' . $photo['description']['_content'] . "\n";
echo ' URL: '
. 'http://farm' . $photo['farm'] . '.staticflickr.com/'
. $photo['server'] . '/'
. $photo['id'] . '_' . $photo['originalsecret'] . '_o.' . $photo['originalformat'] . "\n";
echo ' GEOLOCATION: ' . $photo['latitude'] . ', ' . $photo['longitude'] . "\n";
}
Iterate through and print out the returned photo information.
Note: php and php-curl are needed to run the script, and they may not be present in a default installation. They can be installed through the package manager
References
[1] http://www.flickr.com/services/apps/create/apply/
[2] http://www.flickr.com/services/api/auth.oauth.html
[3] http://www.flickr.com/services/api/flickr.people.getPhotos.html
A simple Linux command to convert a wave file to a FLAC file:
$ flac -0 --tag=ALBUM="Some Album" --tag=ARTIST="Some Artist" --tag=GENRE="Rock" --tag=TITLE="Song Title" --tag=TRACKNUMBER="3" filename.wav
where filename.wav is the name of the input wave file. The output FLAC file will have the name filename.flac.
Explanation of the command arguments:
-0
Compression level (in this case, 0). Valid compression levels are from 0 to 8.
--tag=ALBUM="Some Album"
Add the ALBUM tag to the FLAC file (in this case, with the value Some Album)
--tag=ARTIST="Some Artist"
Add the ARTIST tag to the FLAC file (in this case, with the value Some Artist)
--tag=GENRE="Rock"
Add the GENRE tag to the FLAC file (in this case, with the value Rock)
--tag=TITLE="Song Title"
Add the TITLE tag to the FLAC file (in this case, with the value Song Title)
--tag=TRACKNUMBER="3"
Add the TRACKNUMBER tag to the FLAC file (in this case, with the value 3)
Note: Valid tags that can be added are TITLE, VERSION, ALBUM, TRACKNUMBER, ARTIST, PERFORMER, COPYRIGHT, LICENSE, ORGANIZATION, DESCRIPTION, GENRE, DATE, LOCATION, CONTACT and ISRC.
Note: flac may not be present in a default installation. It can be installed through the package manager.
References
[1] http://linux.die.net/man/1/flac
[2] https://www.xiph.org/vorbis/doc/v-comment.html
http://www.troyhunt.com/2013/07/everything-you-wanted-to-know-about-sql.html
This is not an in-depth instruction manual on SQL injection, nor an introduction of cutting edge exploitation techniques. Nevertheless, it is a very good primer on the concepts and basics of SQL injection.
Root Device and Install Custom Bootloader
1. Root the device (http://rootkindlefire.com/category/kindle-fire-root/) and install the FireFireFire custom bootloader (http://forum.xda-developers.com/showthread.php?p=23492717). FireFireFire will enable easy booting to recovery.
Download Recovery Image
2. Download a suitable recovery image (e.g. openrecovery-twrp-2.5.0.0-otter.img from http://techerrata.com/browse/twrp2/blaze/).
Boot to Fastboot
3. Change boot mode so that the device will boot to fastboot.
$ sudo ./adb shell # idme bootmode 4002 <idme> write 4002 to offset 0x1000
4. Reboot device to enter fastboot.
Install Recovery
5. Flash device with the downloaded recovery image.
$ sudo ./fastboot -i 0x1949 flash recovery openrecovery-twrp-2.5.0.0-otter.img sending 'recovery' (6144 KB)... OKAY [ 1.540s] writing 'recovery'... OKAY [ 0.691s] finished. total time: 2.231s
where openrecovery-twrp-2.5.0.0-otter.img is the downloaded image.
6. Change back the boot mode.
$ sudo ./fastboot -i 0x1949 oem idme bootmode 4000 ... OKAY [ 0.080s] finished. total time: 0.080s
Boot to Recovery
7. Reboot device. To boot to recovery, press the power button when the FireFireFire appears upon device start up.
References
[1] http://rootkindlefire.com/category/kindle-fire-root/
[2] http://forum.xda-developers.com/showthread.php?p=23492717
[3] http://techerrata.com/browse/twrp2/blaze/
[4] http://forum.xda-developers.com/showthread.php?t=1369405
When installing VMware Tools in more recent Linux releases, the following error would occur even when the kernel headers were already installed.
Searching for a valid kernel header path... The path "" is not a valid path to the 3.8.0-19-generic kernel headers. Would you like to change it? [yes] yes Enter the path to the kernel header files for the 3.8.0-19-generic kernel? /lib/modules/3.8.0-19-generic/build/include The path "/lib/modules/3.8.0-19-generic/build/include" is not a valid path to the 3.8.0-19-generic kernel headers. Would you like to change it? [yes]
The installer would not find the header files even when the correct path was manually provided.
The reason is that, in version 3.7 of the Linux kernel, the version.h file needed by the VMware Tools installer have been relocated from /usr/src/linux-headers-$(uname -r)/include/linux to /usr/src/linux-headers-$(uname -r)/include/generated/uapi/linux, and the installer has not been updated to handle that.
The solution would be to create a symbolic link to version.h at the location where VMware Tools installer expects it.
$ ln -s /usr/src/linux-headers-$(uname -r)/include/generated/uapi/linux/version.h /usr/src/linux-headers-$(uname -r)/include/linux/version.h
References
[1] https://cmanios.wordpress.com/2013/06/12/fix-vmware-tools-kernel-header-path-is-not-valid-error/
[2] http://askubuntu.com/questions/131351/how-to-install-vmware-tools/286003#286003
[3] https://lkml.org/lkml/2012/7/20/419
Backup
1. Backup applications and settings using Titanium Backup, do a NANDroid backup in recovery, and/or do a manual backup of the sdcard partition.
Check and Upgrade Bootloader (HBOOT) Version
2. Check the bootloader version using adb.
$ sudo ./adb shell shell@android:/ $ getprop ro.bootloader 1.27.0000 shell@android:/ $ exit
If the bootloader version number (1.27.0000 in this case) is lower than 1.28.0000, then it needs to be updated.
3. Check the device carrier ID using fastboot.
$ sudo ./fastboot oem readcid ... (bootloader) DEBUG: cid: HTC__044 OKAY [ 0.015s] finished. total time: 0.015s
In this case, the carrier ID is HTC__044.
4. Download the firmware corresponding to the device carrier ID (HTC__044) from http://forum.xda-developers.com/showthread.php?t=1957376.
5. If the bootloader has previously been unlocked, it needs to be re-locked using fastboot.
$ sudo ./fastboot oem lock ... (bootloader) Lock successfully... OKAY [ 0.143s] finished. total time: 0.146s
6. Reboot the RUU using fastboot.
$ sudo ./fastboot oem rebootRUU ... (bootloader) Save data from original MSC... (bootloader) Save data from SIF... (bootloader) Update partition data to SIF partition (bootloader) offset = 0 (bootloader) Update partition data from original MSC... (bootloader) offset = 0 (bootloader) [MSG] OKAY OKAY [ 0.210s] finished. total time: 0.210s
7. Flash the device with the downloaded firmware using fastboot.
$ sudo ./fastboot flash zip firmware.zip sending 'zip' (12875 KB)... OKAY [ 1.619s] writing 'zip'... (bootloader) adopting the signature contained in this image... (bootloader) signature checking... (bootloader) checking model ID... (bootloader) checking custom ID... (bootloader) checking main version... (bootloader) checking hboot version... (bootloader) start image[boot] unzipping & flushing... (bootloader) Format partition LNX done (bootloader) [RUU]WP,boot,100 (bootloader) start image[recovery] unzipping & flushing... (bootloader) Format partition SOS done (bootloader) [RUU]WP,recovery,100 (bootloader) ERASE backup cid OKAY [ 3.170s] finished. total time: 4.790s
where firmware.zip is the downloaded firmware package.
IMPORTANT: If this step fails, repeat the command (to flash the device) IMMEDIATELY.
Unlock Bootloader
8. Unlock the bootloader using fastboot.
$ sudo ./fastboot flash unlocktoken Unlock_code.bin sending 'unlocktoken' (0 KB)... OKAY [ 0.008s] writing 'unlocktoken'... (bootloader) unlock token check successfully FAILED (status read failed (No such device)) finished. total time: 19.736s
where Unlock_code.bin is the unlock code from HTC. The bootloader is now unlocked again.
Install Recovery
9. Flash the device with the recovery image using fastboot.
$ sudo ./fastboot flash recovery recovery-clockwork-touch-5.8.4.0-endeavoru.img sending 'recovery' (5742 KB)... OKAY [ 0.731s] writing 'recovery'... (bootloader) Format partition SOS done OKAY [ 0.552s] finished. total time: 1.283s
where recovery-clockwork-touch-5.8.4.0-endeavoru.img is the recovery image (in this case, ClockworkMod 5.8.4.0 for HTC One X).
Install CyanogenMod
10. Download the CyanogenMod package from http://download.cyanogenmod.org/?type=stable&device=endeavoru.
11. Flash the device with the boot image from the CyanogenMod package using fastboot.
$ sudo ./fastboot flash boot boot.img sending 'boot' (4960 KB)... OKAY [ 0.626s] writing 'boot'... (bootloader) Format partition LNX done OKAY [ 0.493s] finished. total time: 1.119s
12. Boot into recovery and flash the device with the CyanogenMod package.
13. Restore the backups if necessary.
References
[1] http://wiki.cyanogenmod.org/w/Endeavoru_Info
[2] http://download.cyanogenmod.org/?type=stable&device=endeavoru
[3] http://forum.xda-developers.com/showpost.php?p=37930062&postcount=1161
[4] http://forum.xda-developers.com/showthread.php?t=1957376
http://www.andreafabrizi.it/?dropbox_uploader
A Dropbox synchronisation tool implemented as a BASH script (curl is used for the Dropbox API HTTP calls). Contrary to the name of the application, it is also able to perform downloads, as well as various remote operations such as file deletion, directory creation and directory deletion. Authentication is done using Dropbox’s official OAuth API.
http://www.linuxjournal.com/content/raspberry-pi-perfect-home-server/
An article on setting up the Raspberry Pi as a home server. It contains steps on how to install and configure Samba (for file sharing), MiniDLNA (for media streaming), and CUPS (for printer sharing).
#! 