Sunday, 25 May 2014

CROSS SITE SCRIPTING XSS tut

Simply put, cross site scripting involves the injection of malicious code into a website. It is the most common method of attack at the moment, as most large sites will contain at least one XSS vulnerability. However, there is more than one type of XSS. The most commonly found isreferred to as "non persistent" XSS. None Persistent XSS Non persistent as the title suggests means that the injectedscript isn't permanent and just appears for the short time the user is viewing the page. The best example of this is a basic coded search engine for a site. Say for example, the site search script is in this format: Site.com/search.php?search=text here Once something has been searched for, the script may display on the page something along the lines of: "Results for text here" Simply echoing your search string straight onto the page without performing any validation checks. What if we were to alter the search string to display html of JavaScript? For example: Site.com/search.php?search=XSS Site.com/search.php?search=alert("XSS"; If no sanitation checks are being performed by the search script, this will just be echoed straight onto the page, therefore displaying an alert or red text. If there was no limit to the size, this could be used to display anything you want. However, since the attacker can only display code on their own pages, this isn't much of a threat to other users. Although if the string was turned into Hex the search string may be slightly more hidden and with a little deception could be used to trick users into thinking the link is legitimate. Next there's persistent XSS Persistent XSS Again as the name suggests, this is the type of XSS attack the attacker would want to get. Persistent attacks are injected permanently into the code of the site, so anyone who views the site will be able to see permanently. In order for these to work, the code has to be made to store itself on the sites server somehow, which can be hard to find. An embarrassing example of this was an XSS vulnerability discovered on this site by one of our users (fixed now, obviously) affecting the page blog.php. The register process wasn't sanitized at all, so all a user had to do was simply put redirection code. This was an obvious vulnerability which should have been spotted from the beginning, but just like XSS on other sites it was missed. If not fixed, this vulnerability would effect index.php as well as the forums and anywhere where the code was displayed on the site. A good place to look out for this vulnerability is basic forum scripts that site owners have made themselves or found off sites designed to help novices. With both of these attacks, it is also possible to run malicious code from another site again making the possibilities of attack endless. Javascript has a lot of features the are not well know, such as changing the images on sites from images[number].src and anyone who uses myspace will know the CSS can be used to remove or replace certain sections of a site based on name.If you have a permanently vulnerable site, injecting code as simple as the one below will allow you to run XSS off another site: Getting Past Basic Protection So what if a site owner knows about XSS, but has provided some but very little protection against it? Well, this is where CharCode comes in. Char code is basically just a simple form of character encoding that can encode blocked characters so they get past the protection but still get displayed normally on thepage. Here is a very common onethat will pop up alerts saying"XSS" if it is vulnerable: ';alert(String.fromCharCode(88,83,83))//'; alert(String.fromCharCode(88,83,83))//"; alert (String.fromCharCode(88,83,83))//"; alert (String.fromCharCode(88,83,83))//-->">'> alert(String.fromCharCode(88,83,83)) This is a very useful XSS to know, as it provides more than one type of attack at once. If you get only one or two alerts, you know that only one of two of them work, so you need to try to eliminate some of them to text which one is affecting the site. The CharCode for "X" is 88 and"S" is 83. As you can see, each provides a slight variation to try to beat character blocking. XSS could also be hidden in a none existent image. This code below would run malicious JavaScript disguised as an image: What if quotes are blocked? No problem, just inject the site like so: The " will be interpreted in html as a " so the code will run fine. The next one below is very likely to work if you find a site is vulnerable.
Posted by at No comments:

Hackers use this google dorks and hack site automatically using shells

Hackers often use dis shell and hack sites using the online hack mechanism powered by google Use one of the following google dork to find the shell: intitle:index of/sh3llZ "Index of /sh3llZ" "/sh3llZ/uploadshell/ uploadshell.php" This will show the list of sites that has a sh3llZ folder. Probably, there will be link to c99 shell. If you click the link, it will land you in a shell page. Using that shell, you can upload your own shells or deface the sites. More Shells : http://sqladminportal.com /sh3llz/ http://phpadmin.org/sh3llz/ http://donate-for-charity.com/sh3llz/ http://php-admin.org/sh3llz/ http://smf- forum.org/sh3llz/ http://netdesigns.org /sh3llZ http://www.admin-portal.com /sh3llZ/ http://www.sexymodelforum.net /sh3llZ/ http://active-layout.org/sh3llZ http:// blog.dark-action.net/sh3llZ/ http://blog.brainshots-blog.com/sh3llZ/ http://activedesigns.org/sh3llZ/ http://john.charity-zone.com/sh3llZ/ http://donate-for-charity.net/sh3llZ/ http://balcesishop.com/sh3llZ/ http://to- charity.com/sh3llZ/ http://smf-forum.org /sh3llZ/ http://darkactioncomics.org /sh3llZ/
Posted by at No comments:

100% FUD Crypters for Keylogger and RATS

100% FUD Crypters for Keyloggers and RATs So now i will teach u guys how to make ur keyloggers and rats Undetectable by antivirus so lets just begin What are Crypters and what is FUD??? Well, I won't extend this topic over here, as I will explained all things about crypters in my articles #jxt chillax, Put Ya Mind 4 Groud# #l0l Ok letx Go :- Steps. How to use FUD crypter??? i have tried this Fud crypter and found it working perfectly and i hope it will work well for u as well 1.Download [= http://www.ziddu.com/ download/14444550/ XPROTECTCRYPTER_By_TRICKS4INDYA.rar.html] FUD Crypter Software Here to bypass antivirus. 2. Run crypter on your computer to see: 3. Hit on Browse and select the Decay logger server you have created (I WILL POST HOW TO CREATE A SERVER AFTER ). Again, hit on second Browse button and select the msc2.exe stubfile from downloaded folder. Select type of encryption like Xor, Rsa, etc. as you want. Now, hit on Crypt and select the path where you want to save the crypted FUD server. 4. You will find the crypted FUD server created at required destination. Now, bind this crypted keylogger server with any .exe file using Iexpress Binder software and send it to your victim to get the required email passwords from victim computer dpending on What information u want to get. You don't have to worry about victim antivirus as the crypted server will not be detected by any antivirus. I have posted the scan results below: Scan result before crypting: Scan result after Crypting: Note :s ince this crypter is public, it will remain FUD for not more than 2-3 days. So, use this crypter the earliest. The best way is to get the best hacking software -Winspy Keylogger, which is FUD (Fully UnDetectable). This is personally recommended keylogger
Posted by at No comments:

How to deface a pbnl site member.index works on only sites with post.php trendingphp and unprotected topic.php

To redirect a pbnl site with post.php or without protected topics.php, either to your site or to your deface page. you need to do the following...visit any pbnl site,login then create a new post with anything. I mean put anything in the content and the title,then open that post you created look @the address bar you will see something like this " www.site.tk/forum /showtopic.php?id=any number(e.g =31), write down that number,then create a new post in the forum again, IN THE TITLE OF THE NEW POST PUT THIS BELOW CODES. u can as wel change the URL to ur own site. while in the content put this below codes then to finally complete your hacking visit this link : www.site.tk/forum/post.php? action=update&tid=id of your second post which will be =32 NOTE:i told you to create a post first of all with anythin which i said write down the id, if the id of the first post you created is 31 then the id of the new one you created will be 32. DOWNLOAD THE TOPIC.PHP Below 2 protect ur site. N0TE: The topic.php allows only ur admins to create thread,add music, upload,e.t.c. It also rejects shells to be uploaded in avatars folders as pics.
Posted by at No comments:

FREE BEST HACKING SOFTWARES YOU NEED TO HAVE AS A HACKER

Best Free Hacking Software and Tools List There are plenty of tools floating round the internet which claims to be the most effective in their fields. I have used severalhacking toolsthat are designed for windows and Linux operating system and have seen that the Linux operating system tools are way more powerful than the windows tools. Keeping this factor in mind I believed to compile my ownbest free hacking software. Here is the list ofBest free Hacking Software: NMAP | Best Free Hacking Tool NMAP, by far is that the bestsecurity scanningandhacking toolever created. This software is superior in each list of chief hacking software for 2 reasons. Firstly, its easy use and second, its wide usage. It provides a large vary of options like port scanning, fingerprinting,os detection, ping, scanning, alive hosts detection, etc. It’s an amazing command line tool for advanced users which might mix many commands along to execute ones. Its the foremost recommended tool for beginners and further as advanced learners and security specialists. SUPERSCAN Powerful protocol port scanner, pinger, resolver.If you wish an alternative for Nmap on Windows with an honest interface, I recommend you to check this out, it’s pretty nice. It provides a cool scanning expertise with heap of data displayed. CAIN AND ABEL My personal favorite for cracking of any kind. Cain & Abel could be a recovery tool for Microsoft operating Systems. It permits simple recovery of variedsimple passwords by sniffing the network, cracking encrypted passwords, Brute-Force and cryptology attacks, recording VoIP conversations, revealinghidden boxes, uncovering cached passwords and analyzing routing protocols. The program doesn’t exploit any software package vulnerabilities or bugs that might not be mounted with very little effort. JOHN THE RIPER This is my personal favoritecracking softwarethat has been within the marketplace for over a decade and it’s evolved into a strong tool, thanks to the special effort of the open source community.John the Ripper may be a quick password cracker, presently offered for several operating system. Its primary purpose is to observe weak operating system passwords. NESSUS SECURITY SCANNER This tool has been the simplest tool for each network admins and hackers, thanks to its wide implementation.The Nessus vulnerability scanner is the world-leader in active scanners,that includes high- speeddiscovery, configuration auditing, quality identification, sensitive information discovery and vulnerability analysisof your security infrastructure. WIRESHARK Wiresharkcould be a network protocol analyzer, or sniffer, that helps you to capture andinteractively browse the contents of network frames. The goal of the project is to form a commercial-quality analyzer for UNIX and to relinquish Wireshark options that are missing from closed-source sniffers. Works nice on both UNIX system and Windows (with a GUI), simple to use and might reconstruct TCP/IP Streams! LIVE BULK MAILER Live bulk mailer has the flexibility to still deface the spam filter of gmail, hotmail and yahoo. Its an email flooding tool that permits the hacker to send desired variety of bulk mails to the victim inbox and flood it utterly. This could be a difficult task and might place you into problems therefore before attacking via this tool don’t forget to use a proxy server to cover your IP address. WEBSITE DIGGER Website digger may be atool that helps you to Digg into an internet siteand gain data concerning the host by applying whois questionand conjointly banner grabbing capability.
Posted by at No comments:
Subscribe to: Posts (Atom)