Category Archives: Information Security

quasiBot (complex webshell manager)

QuasiBot is a complex webshell manager written in PHP, which operates on web-based backdoors implemented by the user. Using prepared PHP backdoors, quasiBot works as a C&C, trying to communicate with each backdoor. The tool goes beyond average web-shell managers, since it delivers functions for scanning, exploiting and so on. It is a quasi-HTTP botnet, hence the name. quasiBot also allows you to perform various bruteforce attacks on services such as FTP, SSH or databases.

All data about bots is stored in an SQL database; at the moment only MySQL is supported. A TOR proxy is also supported; the goal was to create a secure connection between the C&C and the backdoors. Using SOCKS5, it is able to torify all connections between you and the web server. All configuration is stored in a config file. QuasiBot is still under construction, so I am aware of potential bugs.

You will need any web server software; tested on Linux, Apache 2.2 and PHP 5.4.4. Fully written in PHP.

Download QuasiBot

# How it works?

  • quasiBot operates on web-shells supplied by the user; each backdoor is verified by an md5 hash which changes every hour
quasiBot (C&C) -[request/verification]-> Bots (Webshells) -[response/verification]-> quasiBot (C&C) -[request/command]-> Bots (Webshells) -[response/execution]-> quasiBot (C&C)

  • Backdoors come in two types, with and without the DDoS module; the source code is included and displayed on the home page
  • The connection between the C&C and the server is handled by curl; a TOR proxy is supported, and the User Agent is randomized from an array
quasiBot (C&C) -[PROXY/TOR]-> Bots (Webshells) <-[PROXY/TOR]- quasiBot (C&C)
  • Webshells can be removed and added in the ‘Settings’ tab; they are stored in the database
  • The ‘RSS’ tab contains the latest exploit and vulnerability feeds
  • The ‘RCE’ tab allows Remote Code Execution on a specific server using the selected PHP function
  • The ‘Scan’ tab resolves an IP or URL and performs a basic scan using nmap, dig and whois – useful in the information-gathering phase
  • The ‘Pwn’ tab groups a few functions which help collect information about the server and try to find exploits for the OS version in use, using the Exploit Suggestor module
  • ‘MySQL Manager’, as the name says, can be used to perform basic operations on a specific database – it can be helpful when looking for config files that include MySQL connections on the remote server; it also displays some information about its environment
  • The ‘Run’ tab allows you to run a specific command on every bot at once
  • The ‘DDoS’ tab allows you to perform UDP DoS attacks using all bots or a single one; the expanded backdoor is required
  • The ‘Shell’ tab allows you to spawn a reverse or bind shell; you may pick between a few languages used to create the reverse shell
  • You may enable the authorisation module; the user is validated by session, and the auth credentials are stored in the config file, not in the db. With Cookie Auth, the user won’t be able to use quasiBot until a specific cookie is presented
  • The ‘Bruteforce’ category consists of a few modules which allow single or massive attacks on FTP, SSH, MySQL, PgSQL, MSSQL and WordPress
  • Cracked credentials are stored in the database; bruteforce on websites can be done via TOR
  • The whole front-end is a pleasant, functional interface

# Running quasi for the first time

  • Move all files to the prepared directory and change the default settings in the config file (config.php)
  • Visiting quasiBot for the first time will create the needed database and its structure
  • In the ‘Settings’ tab you can add and delete shells; you’re ready to go
  • Using authorisation? To log out, simply add the GET parameter logout to the current URL, like quasi/index.php?logout



  • Windows support in ‘PWN’ module
  • Bruteforce WWW: Joomla
  • Optimization
  • ???


  • 0.3
      • Bruteforce: SSH, FTP, WWW, DB’s
      • Details
  • 0.2
      • Added authorization (Sessions / Cookie Auth)
      • Added Shell Module (Reverse / Bind shell)
      • Added Linux Exploit Suggestor module

Reference:

RIPS – PHP Security Analysis

RIPS is a static source code analyzer for vulnerabilities in PHP web applications. Please see notes on the site.

Download the RIPS package

Unzip the package to /var/www/html/rips

Open the URL on the local web server: http://localhost/rips/index.php

To analyse a PHP script, enter the file/path and then click Scan.


Cheers – Andito Yugo Wicaksono

Source Code Analysis Tools

Open Source or Free Tools Of This Type

Bandit – bandit is a comprehensive source vulnerability scanner for Python

Brakeman – Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications

Codesake Dawn – Codesake Dawn is an open source security source code analyzer designed for Sinatra, Padrino and Ruby on Rails applications. It also works on non-web applications written in Ruby

FindBugs – Find Bugs (including a few security flaws) in Java programs

FindSecBugs – A security-specific plugin for FindBugs that significantly improves FindBugs’ ability to find security vulnerabilities in Java programs

Flawfinder – Scans C and C++

Google CodeSearchDiggity – Uses Google Code Search to identify vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, GitHub, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.

PMD – PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)

PreFast (Microsoft) – PREfast is a static analysis tool that identifies defects in C/C++ programs. Last update 2006.

Puma Scan – Puma Scan is a .NET C# open source static source code analyzer that runs as an IDE plugin for Visual Studio and via MSBuild in CI pipelines.

RIPS – RIPS is a static source code analyzer for vulnerabilities in PHP web applications. Please see notes on the site.

SonarQube – Scans source code for more than 20 languages for Bugs, Vulnerabilities, and Code Smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ provided by SonarLint.

VisualCodeGrepper (VCG) – Scans C/C++, C#, VB, PHP, Java, and PL/SQL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.

Xanitizer – Scans Java for security vulnerabilities, mainly via taint analysis. The tool comes with a number of predefined vulnerability detectors which can additionally be extended by the user.

Source:


What is FoxyProxy ?

FoxyProxy sells reliable, fast, secure VPN and proxy servers in 68+ different countries with 5 ways to connect. Our free proxy and VPN management tools set industry standards as far back as 2006, with our award-winning Firefox addons used by millions.

[1] To install it, add the add-on directly through the Mozilla Firefox browser

[2] Once it is installed, open FoxyProxy and create a new proxy; as an example we will use localhost

– Select the mode to activate the proxy

Cheers – Andito Yugo Wicaksono

Install Burp Suite on Ubuntu 16.04

[1] Download

[2] Go to the directory containing the downloaded Burp Suite file and run the installer

Unpacking JRE ...
Starting Installer ...


OK, Burp Suite has been installed successfully

How to use?

[1] Open Burp Suite; for the proxy setting, use FoxyProxy in the browser.

[2] Go to the target’s login page and enter the username and password on the login page.

[3] Set up the proxy in Burp Suite

[4] View the intercepted packet; run FoxyProxy in the browser before intercepting the packet. Click Forward to pass the intercepted request on.

Bingo, the username, password and PHP session were successfully obtained.

Reference: Web Application Attack

Hacking Web Authentication – Part 1

Hacking Web Authentication – Part 2

W3af walkthrough and tutorial

Discovery and Audit plugins

Remaining plugins

w3af walkthrough and tutorial part 4 – w3af tools, profiles and scripting

Cheers – Andito Yugo Wicaksono


Dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for private data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.

[1] Here is how to install dsniff on Ubuntu 16.04

sudo apt-get install dsniff

Or download the package directly from the dsniff link


[2] Usage can be seen with the command below

dsniff --help
dsniff: invalid option -- '-'
Version: 2.4
Usage: dsniff [-cdmn] [-i interface | -p pcapfile] [-s snaplen]
[-f services] [-t trigger[,...]] [-r|-w savefile]


[3] As an example, to sniff an interface

sudo dsniff -i eth0


Cheers – Andito Yugo Wicaksono


Using the mod_security module to configure a Web Application Firewall (WAF).

[1] Install mod_security

yum -y install mod_security

[2] After installation, edit the mod_security configuration file in the directory below and set the engine to enabled. Once the settings are done, add rules.

# cat /etc/httpd/conf.d/mod_security.conf 
<IfModule mod_security2.c>
 # ModSecurity Core Rules Set configuration
 IncludeOptional modsecurity.d/*.conf
 IncludeOptional modsecurity.d/activated_rules/*.conf
 # Default recommended configuration
 SecRuleEngine On
 SecRequestBodyAccess On
 SecRule REQUEST_HEADERS:Content-Type "text/xml" \

[3] Below is an example of simple rules

# default action when matching rules
SecDefaultAction "phase:2,deny,log,status:406"

# "etc/passwd" is included in request URI
SecRule REQUEST_URI "etc/passwd" "id:'500001'"
SecRule REQUEST_URI "home" "id:'500005'"

# "../" is included in request URI
SecRule REQUEST_URI "\.\./" "id:'500002'"

# "<SCRIPT" is included in arguments
SecRule ARGS "<[Ss][Cc][Rr][Ii][Pp][Tt]" "id:'500003'"

# "SELECT FROM" is included in arguments
SecRule ARGS "[Ss][Ee][Ll][Ee][Cc][Tt][[:space:]]+[Ff][Rr][Oo][Mm]" "id:'500004'"

# Restart httpd
systemctl restart httpd

[4] Access a web page that is blocked by the rules

[5] General rules are provided by the official repository and are easy to apply. But you may need to adjust them for your own website so that they do not block required requests.

yum -y install mod_security_crs
cd /usr/lib/modsecurity.d/base_rules
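To see what the simple rules from step [3] actually match before putting them in front of a live site, the following added example (my own illustration, not code from the ModSecurity project or from this post) models the five SecRule lines in Python. It assumes the simplified ModSecurity semantics relevant here: REQUEST_URI is matched against the request URI as sent, ARGS is the collection of URL-decoded parameter values from the query string and the form body (SecRequestBodyAccess On), the rules run in phase 2 with no transformations, and any match triggers the SecDefaultAction of deny with status 406. Python's re has no POSIX bracket classes, so [[:space:]] is translated to \s; the sample requests are constructed for the example, not captured traffic.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Added example: a toy model of how the SecRule lines above fire.
# It is not ModSecurity code; the semantics are simplified (see comments).

# SecDefaultAction "phase:2,deny,log,status:406"
DEFAULT_STATUS = 406

# (rule id, target collection, PCRE pattern) copied from the rules above
RULES: List[Tuple[str, str, str]] = [
    ("500001", "REQUEST_URI", r"etc/passwd"),
    ("500005", "REQUEST_URI", r"home"),
    ("500002", "REQUEST_URI", r"\.\./"),
    ("500003", "ARGS", r"<[Ss][Cc][Rr][Ii][Pp][Tt]"),
    ("500004", "ARGS", r"[Ss][Ee][Ll][Ee][Cc][Tt][[:space:]]+[Ff][Rr][Oo][Mm]"),
]


def to_python_regex(pcre: str) -> str:
    """ModSecurity compiles PCRE; Python's re lacks POSIX bracket
    classes, so translate the one class these rules use."""
    return pcre.replace("[[:space:]]", r"\s")


def collect_args(uri: str, body: str) -> List[str]:
    """ARGS: URL-decoded parameter values from the query string and,
    because SecRequestBodyAccess is On, from a form-encoded body."""
    pairs = parse_qsl(urlsplit(uri).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    return [value for _, value in pairs]


def matched_rules(uri: str, body: str = "") -> List[str]:
    """Ids of every rule whose operator matches. REQUEST_URI is tested
    as sent (no decoding), ARGS after decoding. A real engine stops at
    the first deny; all matches are listed here so the effect of each
    rule can be seen."""
    targets: Dict[str, List[str]] = {
        "REQUEST_URI": [uri],
        "ARGS": collect_args(uri, body),
    }
    hits = []
    for rule_id, target, pattern in RULES:
        regex = re.compile(to_python_regex(pattern))
        if any(regex.search(value) for value in targets[target]):
            hits.append(rule_id)
    return hits


def decide(uri: str, body: str = "") -> Tuple[int, List[str]]:
    """Apply the default action: 406 on any match, otherwise let the
    request through (200 stands in for the backend's own response)."""
    hits = matched_rules(uri, body)
    return (DEFAULT_STATUS if hits else 200), hits


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("/index.php?page=../../etc/passwd", ""),
        ("/search.php?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E", ""),
        ("/login.php", "q=x+UNION+SELECT+FROM+dual"),
        ("/login.php", "q=x+UNION+SELECT+*+FROM+users"),  # not caught
        ("/home.html", ""),                               # false positive
        ("/about.html", ""),
    ]
    for uri, body in samples:
        status, hits = decide(uri, body)
        print(f"{status} {uri} {body} -> {hits or 'no match'}")
```

Two results are worth noticing. Rule 500005 blocks any URI containing the substring home, so a legitimate /home.html gets a 406; and rule 500004 only fires when nothing but whitespace sits between SELECT and FROM, so a statement that names columns (SELECT * FROM users) is not matched at all. Both illustrate the point of step [5] above: a keyword-substring rule has to be tuned for the site it protects, a single hand-written regex rarely covers the whole class its comment names, and the Core Rule Set is the better starting point.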

Andito Yugo Wicaksono