Wednesday, October 29, 2014

The complete SHELLSHOCK exploit tutorial - pen testing for experiment

This year probably the biggest vulnerablility ever was disclosed, it was dubbed 'ShellShock'. It was a vulnerability in all systems implimenting Bash, which is the majority of Linux and Mac operating systems. Just the simple string () { :;}; when injected into a bash enviroment variable or a process that uses bash like Headers, User-Agent, Refferer, Curl and Wget will allow a remote code execution... this 0-day is 100x worse than HeartBleed!! Especially since there are 5 versions of the exploit...

 The contents of this post have been encrypted. You need the correct key to unlock the contents.

SQL injection with Havij and Poison


Today I will be showing how to do MySQL Injection with Havij. This will be explained in steps and pictures. Have fun watching!

Step 1: Finding a vulnerable website.

1.1 - Open up the program and you will get this window.

[Image: pic1wh.png]

1.2 - Once that's open, you will have to select a dork. I am using a PHP dorp in this example. After you have selected the desired dork press on Scan and it'll show the results in the Result Pane.

[Image: picol.png]

1.3 - Now you want to send the results to the Sqli Crawler. You can do this by rightclicking in the Results Plane and select "Send to Sqli Crawler -> All"

[Image: picwr.png]

1.4 - Now the Sqli Cralwer tab will open and all you have to do is press Crawl and it will check if the website is really vulnerable to SQL Injection.

[Image: picio.png]

1.5 - Now you have to press Export Results and place it somewhere where you can open it later.

[Image: pic2fp.png]

Step 2: SQL Injection with Havij 1.15 Pro

2.1 - Open up Havij v1.15 Pro and enter the desired url. Then press Analyze and program will try to find the database. After he found a database click on Tables to view it.

[Image: picyaq.png]

2.2 - Click on the database that the program found and click on Get Tables. If there is no information_scheme then he will try to guess the tables for himself. Leave it running and wait for it to complete.

[Image: picyx.png]

2.3 - So once that's done click on the desired Table. For me this will be users since I am more interested in that then articles. Click users and press Get Columns.

[Image: picgt.png]

2.4 - Now that we have found the tables we want to see the data it holds. Select whatever table you want and press Get Data. Some databases has a lot of data in it and some don't. Please be patient while letting the program fetch the data.

[Image: picck.png]


Sql Poizon v1.1 - The Exploit Scanner
Havij 1.15 - Advanced SQL Injection

Well this is the end of the tutorial. It took me a good 30 minutes to write. I hope you guys enjoyed the tutorial and looking forward to write more tutorial for HF in the future.

Wednesday, June 4, 2014

How to get .edu/education emails for free

So do you want to get into student discounts but don't have an .edu email? then follow this guide to easily get one for free.

Step one: go to HERE
Step two: Click "Create an account"
Step three: Select any of the student options, I usually go with college.
Step four: Click "Find" and click any school, doesn't matter. (Do not check the box)
Step five: !IMPORTANT! Check the box below the email boxes and do not fill anything into said boxes.

It should look like this

How to remove your last name from facebook


• Brain
• Mozilla Firefox ( Any Version )
• Indonesian Proxy ( Hide My Ass Proxy )
• Patience
• Facebook Account

Step One :

Open Firefox & Go to and Scroll Down

Learn how a hacker can easilly steal your facebook account

These are all methods used by hackers to steal accounts Facebook know it now....

There are many ways in which hackers pursued by the penetration of Facebook accounts have been uncovered while not touching each other to rule it became known, but in this post I will try to offer you all the ways in which hackers penetrating accounts in Facebook, where I tried to do I just insert that still working or pose a danger to the accounts to the limits of the time of writing this post.

How to change Windows 7 password without logging in

1. You must turn on Sticky Keys (which is in the bottom right of the login screen).

2. You must shut down your computer and turn it on again.

3. You must immediately shut down your computer when it says "Starting Windows."

How to get a person's IP and boot people offline on xbox

Step 1. Download the following program, CAIN

Step 2. Open Cain and abel click the start/stop sniffer tab at top left just under file to activate it, Then head over to the "Sniffer tab".
Once at sniffer tab click the blue + at the top then click ok on the tab that pops up wherever it says "microsoft" thats your ip for your console
your gonna use that for the next step remember it.

Step 3. On the sniffer tab look at the bottom tabs click "apr"
Click white box on the very top the big one the blue + should turn blue.
Now you click your xbox's ip that you memorised for the first row of ips ex: on the second white tab you should click your modems default gate way ex:

Step 4. Your nearly done all you gotta do now is click the start/stop button under file at the very top to start getting peoples ips.

Step 5. Once you have the persons ip just load up whatever flooding services you have and flood port 3074 with 100 and more threads with UDP