RUN - COMMANDS



Hey friends, here I have something for you.......
As I have shared previously how to put a command-line prompt on the desktop, today I am going to share some basic RUN commands to use in that command-line prompt.
By using these run commands you can interact with most applications easily.




 1. Accessibility Controls - access.cpl
 2. Accessibility Wizard - accwiz
 3. Add Hardware Wizard - hdwwiz.cpl
 4. Add/Remove Programs - appwiz.cpl
 5. Administrative Tools - control admintools
 6. Automatic Updates - wuaucpl.cpl
 7. Bluetooth Transfer Wizard - fsquirt
 8. Calculator - calc
 9. Certificate Manager - certmgr.msc
10. Character Map - charmap
11. Check Disk Utility - chkdsk
12. Clipboard Viewer - clipbrd
13. Command Prompt - cmd
14. Component Services - dcomcnfg
15. Computer Management - compmgmt.msc
16. Control Panel - control
17. Date and Time Properties - timedate.cpl
18. DDE Shares - ddeshare
19. Device Manager - devmgmt.msc
20. DirectX Troubleshooter - dxdiag
21. Disk Cleanup Utility - cleanmgr
22. Disk Defragment - dfrg.msc
23. Disk Management - diskmgmt.msc
24. Disk Partition Manager - diskpart
25. Display Properties - control desktop
26. Display Properties - desk.cpl
27. Dr. Watson System Troubleshooting Utility - drwtsn32
28. Driver Verifier Utility - verifier
29. Event Viewer - eventvwr.msc
30. Files and Settings Transfer Tool - migwiz
31. File Signature Verification Tool - sigverif
32. Findfast - findfast.cpl
33. Firefox - firefox
34. Folders Properties - control folders
35. Fonts - control fonts
36. Fonts Folder - fonts
37. Free Cell Card Game - freecell
38. Game Controllers - joy.cpl
39. Group Policy Editor (for xp professional) - gpedit.msc
40. Hearts Card Game - mshearts
41. Help and Support - helpctr
42. HyperTerminal - hypertrm
43. Iexpress Wizard - iexpress
44. Indexing Service - ciadv.msc
45. Internet Connection Wizard - icwconn1
46. Internet Explorer - iexplore
47. Internet Properties - inetcpl.cpl
48. Keyboard Properties - control keyboard
49. Local Security Settings - secpol.msc
50. Local Users and Groups - lusrmgr.msc
51. Logs You Out Of Windows - logoff
52. Malicious Software Removal Tool - mrt
53. Microsoft Chat - winchat
54. Microsoft Movie Maker - moviemk
55. Microsoft Paint - mspaint
56. Microsoft Synchronization Tool - mobsync
57. Minesweeper Game - winmine
58. Mouse Properties - control mouse
59. Mouse Properties - main.cpl
60. Netmeeting - conf
61. Network Connections - control netconnections
62. Network Connections - ncpa.cpl
63. Network Setup Wizard - netsetup.cpl
64. Notepad - notepad
65. Object Packager - packager
66. ODBC Data Source Administrator - odbccp32.cpl
67. On Screen Keyboard - osk
68. Outlook Express - msimn
69. Paint - pbrush
70. Password Properties - password.cpl
71. Performance Monitor - perfmon.msc
72. Performance Monitor - perfmon
73. Phone and Modem Options - telephon.cpl
74. Phone Dialer - dialer
75. Pinball Game - pinball
76. Power Configuration - powercfg.cpl
77. Printers and Faxes - control printers
78. Printers Folder - printers
79. Regional Settings - intl.cpl
80. Registry Editor - regedit
81. Registry Editor - regedt32
82. Remote Access Phonebook - rasphone
83. Remote Desktop - mstsc
84. Removable Storage - ntmsmgr.msc
85. Removable Storage Operator Requests - ntmsoprq.msc
86. Resultant Set of Policy (for xp professional) - rsop.msc
87. Scanners and Cameras - sticpl.cpl
88. Scheduled Tasks - control schedtasks
89. Security Center - wscui.cpl
90. Services - services.msc
91. Shared Folders - fsmgmt.msc
92. Shuts Down Windows - shutdown
93. Sounds and Audio - mmsys.cpl
94. Spider Solitaire Card Game - spider
95. SQL Client Configuration - cliconfg
96. System Configuration Editor - sysedit
97. System Configuration Utility - msconfig
98. System Information - msinfo32
99. System Properties - sysdm.cpl
100. Task Manager - taskmgr
101. TCP Tester - tcptest
102. Telnet Client - telnet
103. User Account Management - nusrmgr.cpl
104. Utility Manager - utilman
105. Windows Address Book - wab
106. Windows Address Book Import Utility - wabmig
107. Windows Explorer - explorer
108. Windows Firewall - firewall.cpl
109. Windows Magnifier - magnify
110. Windows Management Infrastructure - wmimgmt.msc
111. Windows Media Player - wmplayer
112. Windows Messenger - msmsgs
113. Windows System Security Tool - syskey
114. Windows Update - wupdmgr
115. Windows Version - winver
116. Wordpad - write


Please share it with your friends and also leave your comments or suggestions.......  :)

Put a Command-Line Prompt on Your Desktop

Some command-line junkies always want the command prompt within easy reach.
So here is the way...... If you use the command line regularly, for example to launch Windows Explorer with shortcuts, you'd like the command line within easy reach. In fact, you'd like it right on your desktop. XP has no built-in way to do that for you.

Here is one great program, called MCL, that runs as a small command line you can put anywhere on your desktop, as shown in this figure.
To download: CLICK HERE



Now you can use the normal command-line syntax, including any switches you normally use to launch programs. But MCL does more than just let you enter commands. It includes a number of other goodies that the XP command prompt doesn't, including these:
  • It keeps a history of your last 100 commands, so you can easily reenter or edit any commands you've already typed.
  • It includes an AutoComplete function that finishes your commands for you.
  • It lets you launch URLs directly from the command line. If you type a URL, your default browser will open to that URL.
  • It can be minimized to the System Notification area.
  • It can be launched with a hot key. The default is Ctrl-Alt-M.
The program has a few eccentricities you'll have to keep in mind when using it. When executing a DOS command, you have to use the % prefix. For example, to copy a file from C:\Favorite Files to C:\Summer, you'd use this command:
%copy C:\Favorite Files\Gabecamp.doc C:\Summer\Gabecamp.doc
To open to a specific directory in Windows Explorer, precede the command with a $. So to open to C:\Program Files, you'd issue the command $C:\Program Files.
Command-line fans will also want to get a copy of 4NT (http://www.jpsoft.com). Run it instead of the normal command prompt and get countless new features, such as a command-line editor for modifying and reexecuting previous commands; the ability to copy, delete, and rename groups of files and directories with a single command; a built-in file viewer; the ability to select or include files by a variety of criteria, including date, time, and size; the ability to append descriptions (up to 511 characters) to files; and an exceedingly powerful batch language. It's shareware and free to try, but if you continue to use it, you're expected to pay $69.95.

Tips for the PHP developer to prevent SQL injection

As we have seen in our previous topic, there are several ways to prevent SQL injection.
If you have not read it yet, then read that first.... click here

Today I am going to share some tips for PHP developers on how to make their site secure from SQL injection. There are a number of things to do; one of them is as below:


Let's see the first one.

Suppose your code is as below:

<?php
// Vulnerable: the raw $_GET['id'] value is concatenated straight into the query
$result = mysql_query('SELECT Text FROM pages WHERE id=' . $_GET['id']);
$row = mysql_fetch_assoc($result);   // mysql_query() returns a result set, not the text itself
echo $row['Text'];
?>



As shown in the above code, you are selecting the page content ("Text") from the "pages" table in the SQL database, and you are picking the right page with $_GET['id'], where id is the value in the URL...

e.g.: http://www.example.com/index.php?id=123

This code is easily injected by someone, but if you do this...

<?php
// The escaped value must sit inside quotes; escaping an unquoted value changes nothing
$id = mysql_real_escape_string($_GET['id']);
$result = mysql_query("SELECT Text FROM pages WHERE id='" . $id . "'");
$row = mysql_fetch_assoc($result);
echo $row['Text'];
?>

Then you are 100% secure.............. If you like this post, then please share it with your friends and make them aware of SQL injection too.
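Added example (my own code, not from this post): with an in-memory SQLite table standing in for the MySQL "pages" table, it shows why escaping an id value that is concatenated without quotes does not stop injection, and two ways that do: quoting the escaped value, or validating that the id is an integer before it touches the query. The table contents and function names are constructed for the example; in PHP the equivalent protection comes from prepared statements in mysqli or PDO.

```python
import re
import sqlite3

# Constructed sample data standing in for the post's "pages" table.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, Text TEXT)")
conn.executemany("INSERT INTO pages VALUES (?, ?)",
                 [(123, "public page"), (124, "draft page"), (125, "staff only")])


def escape_quotes(value):
    """Plays the role of mysql_real_escape_string for this SQLite stand-in:
    it neutralises quote characters (SQLite doubles them, MySQL backslashes
    them) and touches nothing else. Digits, spaces and SQL keywords pass
    straight through, which is why escaping alone cannot protect a value
    that is not wrapped in quotes."""
    return value.replace("'", "''")


def page_text_escaped_unquoted(raw_id):
    """The post's 'fixed' query: escaped value concatenated WITHOUT quotes."""
    sql = "SELECT Text FROM pages WHERE id=" + escape_quotes(raw_id)
    return [row[0] for row in conn.execute(sql)]


def page_text_escaped_quoted(raw_id):
    """Escaping works once the value sits inside a quoted literal: whatever
    the user typed is compared as one string against the id column."""
    sql = "SELECT Text FROM pages WHERE id='" + escape_quotes(raw_id) + "'"
    return [row[0] for row in conn.execute(sql)]


def page_text_validated(raw_id):
    """Type validation: a page id is a small positive integer, so reject
    anything else before it gets anywhere near the query text."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        raise ValueError("id must be a positive integer")
    sql = "SELECT Text FROM pages WHERE id=" + raw_id  # safe only after the check
    return [row[0] for row in conn.execute(sql)]
```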

Ways to prevent your webserver from SQL Injection

As we all know, today SQL injection is the easiest way to hack someone's website or any company's website. Today almost all hackers and script kiddies are using this....
So today I am going to share some ways to prevent SQL injection on your own or your company's website.

(1) Always use the email ID instead of the user ID

This is one of the best ways to prevent SQL injection. To prevent it you have to use an email ID, so that the code will validate the input in such a way that it will not accept anything other than an email address; the SQL injection string is not acceptable, and SQL injection is prevented this way.

(2) Never use the default admin login page.

Another way to protect your website from SQL injection is to never use the default admin login page, meaning a default login page name such as "AdminLogin". Instead try to have something other than this, such as "SuperLogin.asp" or "GentalLogin.asp", something different which cannot be found easily through search engine hacks (i.e. Google, Yahoo, Bing, etc.). So when any hacker tries to search for your AdminLogin page, he/she will search for "AdminLogin.asp" or "Admin|Login.asp" or something like this, but will not get the result and will be frustrated, and hence your site will be protected.

(3) Keep your admin page hidden from others.

As we all know, nothing is secure in this universe; only one opportunity is required. SQL injection is only possible through your admin login panel or sometimes through the URL. So never show or link your "AdminLogin" page on your site and always keep it hidden from other users. If you are showing the "AdminLogin" page directly on your site, then you are giving hackers an opportunity to hack your site.

(4) Social engineering.

Never show your website's vulnerabilities to anyone and never discuss them with any single person. Instead of asking or discussing, just try to get a solution by searching on Google. Lastly, never show any type of warning message on your login page such as "We are using a transparent proxy; don't try to hack, otherwise legal action will be taken."


Friends, I hope you like these tips for protecting your website from SQL injection. If you like this and it is helpful in any way, then share it with others too.....


SQL METHOD ~ SQL MANIPULATION


As I discussed in the earlier post, it is the most commonly described attack for all types of databases (including SQL Server, MySQL, PostgreSQL, and Oracle). Let's see the SQL manipulation method in some detail, starting with the basics......

Note: SQL statements are used here to demonstrate the SQL injection method. In order to be programming-language neutral, only the developer-intended and attacker-manipulated SQL statements are presented. The portions in blue italics are a sample of what input the programmer is expecting and what an attacker might actually enter into a string field of the application.

                       The most common type of SQL Injection attack is SQL manipulation.  The attacker attempts to modify  the existing SQL statement by adding elements to the WHERE clause or extending the SQL statement  with set operators like UNION, INTERSECT, or MINUS.  There are other possible variations, but these are the most significant examples.

Example : 

The classic SQL manipulation is during login authentication. A simplistic web application may check user authentication by executing the following query and checking to see if any rows were returned –

SELECT * FROM users
WHERE username = 'bob' and PASSWORD = 'mypassword'  

The attacker attempts to manipulate the SQL statement to execute as –

SELECT * FROM users
WHERE username = 'bob' and PASSWORD = 'mypassword' or 'a' = 'a'  

Based on operator precedence, the WHERE clause is true for every row and the attacker has gained
access to the application.

The set operator UNION is frequently used in SQL injection attacks.  The goal is to manipulate a SQL
statement into returning rows from another table.  A web form may execute the following query to
return a list of available products –

SELECT product_name FROM all_products
WHERE product_name like '%Chairs%'


The attacker attempts to manipulate the SQL statement to execute as –

SELECT product_name FROM all_products
WHERE product_name like '%Chairs' 
UNION 
SELECT username FROM dba_users 
WHERE username like '%'

The list returned to the web form will include all the selected products, but also all the database users.




Also see: What is SQL Injection? / SQL injection categories.

SQL injection categories


SQL injection attacks are simple in nature – an attacker passes string input to an application in hopes manipulating the SQL statement to his or her advantage.  The complexity of the attack involves exploiting a SQL statement that may be unknown to the attacker.  Open-source applications and commercial applications delivered with source code are more vulnerable since an attacker can find potentially vulnerable statements prior to an attack.


CATEGORIES OF SQL INJECTION ATTACKS

There are four main categories of SQL Injection attacks against Oracle databases –

1.  SQL Manipulation
2.  Code Injection
3.  Function Call Injection
4.  Buffer Overflows

The first two categories, SQL manipulation and code injection, should be well known to the reader, as
these are the most commonly described attacks for all types of databases (including SQL Server,
MySQL, PostgreSQL, and Oracle).

SQL manipulation typically involves modifying the SQL statement through set operations (e.g.,
UNION) or altering the WHERE clause to return a different result.  Many documented SQL injection
attacks are of this type.  The most well known attack is to modify the WHERE clause of the user
authentication statement so the WHERE clause always results in TRUE.

Code injection is when an attacker inserts new SQL statements or database commands into the SQL
statement.  The classic code injection attack is to append a SQL Server EXECUTE command to the
vulnerable SQL statement.  Code injection only works when multiple SQL statements per database
request are supported.  SQL Server and PostgreSQL have this capability and it is sometimes possible
to inject multiple SQL statements with Oracle.  Oracle code injection vulnerabilities involve the
dynamic execution of SQL in PL/SQL.

The last two categories are more specific attacks against Oracle databases and are not well known or
documented.  In the vast majority of our application audits, we have found applications vulnerable to
these two types of attacks.

Function call injection is the insertion of Oracle database functions or custom functions into a
vulnerable SQL statement.  These function calls can be used to make operating system calls or
manipulate data in the database.

SQL injection of buffer overflows is a subset of function call injection.  In several commercial and
open-source databases, vulnerabilities exist in a few database functions that may result in a buffer
overflow.  Patches are available for most of these vulnerabilities, but many production databases
remain un-patched.

WHAT’S VULNERABLE

An application is vulnerable to SQL injection for only one reason – end user string input is not properly
validated and is passed to a dynamic SQL statement without any such validation.  The string input is
usually passed directly to the SQL statement.  However, the user input may be stored in the database
and later passed to a dynamic SQL statement, referred to as a second-order SQL injection.  Because
of the stateless nature of many web applications, it is common to write data to the database or store it
using some other means between web pages.  This indirect type of attack is much more complex and
often requires in-depth knowledge of the application.

WHAT’S NOT VULNERABLE

SQL Statements using bind variables are generally protected from SQL Injection as the Oracle
database will use the value of the bind variable exclusively and not interpret the contents of the
variable in any way.  PL/SQL and JDBC allow for bind variables.  Bind variables should be extensively
used for both security and performance reasons.  
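Added example, not part of the original posts: the login and product-search statements from the SQL manipulation post above, built first by string concatenation (the developer-intended statement gets rewritten by the input) and then with bind variables, as this section recommends. An in-memory SQLite database with constructed users, all_products and dba_users tables stands in for Oracle; the function names are my own.

```python
import sqlite3

# Constructed stand-in for the database; Oracle's dba_users view is just a table here.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO users VALUES ('bob', 'mypassword');
CREATE TABLE all_products (product_name TEXT);
INSERT INTO all_products VALUES ('Office Chairs'), ('Desk Lamp');
CREATE TABLE dba_users (username TEXT);
INSERT INTO dba_users VALUES ('SYS'), ('SYSTEM');
""")


def login_concat(username, password):
    """Developer-intended statement with both strings pasted in. Because AND
    binds tighter than OR, an appended "or 'a' = 'a'" makes the WHERE clause
    true for every row, exactly as the post describes."""
    sql = ("SELECT * FROM users WHERE username = '" + username
           + "' and PASSWORD = '" + password + "'")
    return len(conn.execute(sql).fetchall()) > 0


def login_bound(username, password):
    """Bind variables: each value is used exclusively as data, never parsed."""
    sql = "SELECT * FROM users WHERE username = ? and PASSWORD = ?"
    return len(conn.execute(sql, (username, password)).fetchall()) > 0


def products_concat(search):
    """Concatenation lets a UNION be appended to the product search."""
    sql = ("SELECT product_name FROM all_products WHERE product_name like '%"
           + search + "%'")
    return [row[0] for row in conn.execute(sql)]


def products_bound(search):
    """The wildcard pattern itself is the bound value; it cannot grow a UNION."""
    sql = "SELECT product_name FROM all_products WHERE product_name like ?"
    return [row[0] for row in conn.execute(sql, ("%" + search + "%",))]
```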

Also see : What is SQL injection ?

What Is SQL Injection ?


Most of the students ask me about SQL injection, so today I shall share some information about it... This concept is too wide, so here I show you the overview only.

Most application developers underestimate the risk of SQL injection attacks against applications that use Oracle as the back-end database. Our audits of custom web applications show that many application developers do not fully understand the risk of SQL injection attacks and the simple techniques used to prevent such attacks.
This blog is intended for application developers, database administrators, and application auditors to highlight the risk of SQL injection attacks and demonstrate why web applications may be vulnerable. It is not intended to be a tutorial on executing SQL attacks and does not provide instructions on executing these attacks.

SQL INJECTION OVERVIEW 


                      SQL injection is a basic attack used either to gain unauthorized access to a database or to retrieve information directly from the database.  The basic principles underlying SQL injection are simple and
these types of attacks are easy to execute and master.
                      Any program or application may be vulnerable to SQL injection including stored procedures executed with a direct database connection, Oracle Forms applications, web applications, etc.  Numerous SQL injection vulnerabilities have been found in the standard Oracle Database packages such as
DBMS_DATAPUMP, DBMS_REGISTRY, and DBMS_METADATA (see Oracle Critical Patch Update January 2006).  Web applications are at highest risk to attack since often an attacker can exploit SQL injection vulnerabilities remotely without any database or application authentication.
                     Web applications using Oracle as a back-end database are more vulnerable to SQL injection attacks than most application developers think.  Our application audits have found many web applications
vulnerable to SQL injection even though well-established coding standards were in place during
development of many of these applications.  Function-based SQL injection attacks are of most
concern, since these attacks do not require knowledge of the application and can be easily automated.


                     Fortunately, SQL injection attacks are easy to defend against with simple coding practices.  However, every parameter passed to every dynamic SQL statement must be validated or bind variables must be used.

SQL INJECTION: ORACLE VERSUS OTHER DATABASES 


                    Oracle generally fares well against SQL injection attacks as there is no multiple SQL statement support (SQL Server and PostgreSQL), no EXECUTE statement (SQL Server), and no INTO OUTFILE function (MySQL) – all methods frequently used to exploit SQL injection vulnerabilities.  In addition, the use of bind variables in Oracle environments for performance reasons provides the most effective protection
against SQL injection attacks.
                    Oracle may have fewer attack vectors for SQL injection than other databases, however, Oracle-based applications without proper defenses against these types of attacks can still be vulnerable and can be easily exploited through SQL injection vulnerabilities.