This is a very easy but an awesome Trick. When you or someone else enters an incorrect login multiple times then Yahoo! locks the account for "security reasons" and you are unable to access your chat names. Cool thing is that, these are a piece of cake to unlock. All you need is a list of Yahoo servers to log in with. Every time you login, you are using what's called a server to access yahoo. You login with a cookie, which is sort of like an information packet or ID proving that you are who you claim to be, and the account is yours. When people attempt to log your name in multiple times with a locking tool, all they are doing is logging in over and over with an incorrect password until your cookie expires, which means you will no longer be allowed to login. So, when you find yourself locked, what you need to do is refresh your cookie. But how can you do that when the yahoo server you were using has blocked you? Simple, find another server. Yahoo has servers all over the place. There are more than I'd care to count. I'll include a pretty decent sized list with this tutorials. All you have to do is paste one of these servers in your browser and log in on the page you see. Unless you have been locked on that server as well, you will receive a fresh cookie and will be able to log in to messenger again. Tons of people try to go through their email and login there to unlock an account, but a smart locker will shut down your mail server first, then cut off your chat server. Most people don't know what to do if the email is blocked, so they give up trying. That's why I don't even bother with the email method. I simply pick another server, log in, and I'm good to go. There are so many servers out there that it is impossible to lock them all. Even if they could, the lock is only for about 12 hours, and then you're back in business. Some Yahoo Servers : http://cn.mail.yahoo.com/?id= 77070 CHINA
http://edit.india.yahoo.com/conf ig/mail?.intl=in INDIA
http://edit.europe.yahoo.com/ config/mail?.intl=uk EUROPE/UK
http://login.yahoo.com/config/m ail?.intl=cf FRENCH CANADIAN
http://my.yahoo.co.jp/ JAPAN
http://login.yahoo.com/config/l ogin USA Yahoo Chat Logins : http://hk.chat.yahoo.com/?my Home HK
http://tw.chat.yahoo.com/?my Home Taiwan
http://in.chat.yahoo.com/?myH ome India
http://chat.yahoo.co.jp/?myHome Japan
http://chat.yahoo.co.jp/?myHome Korea
http://sg.chat.yahoo.com/?my Home Singapore
http://chinese.chat.yahoo.co m/?myHome Chinese
http://cn.chat.yahoo.com/?my Home China
http://asia.chat.yahoo.com/? myHome Asia
http://au.chat.yahoo.com/?my Home Australia & Nz
http://dk.chat.yahoo.com/ Denmark
http://fr.docs.yahoo.com/chat/ chatbylycos.html France
http://de.docs.yahoo.com/chat /chatbylycos.html Germany
http://it.docs.yahoo.com/chat/ chat.html Italy
http://no.chat.yahoo.com/ Norway
http://es.docs.yahoo.com/chat/ chatbylycos.html Spain
http://se.chat.yahoo.com/ Sweden
http://uk.docs.yahoo.com/chat /chatbylycos.html Uk & Ireland
http://ar.chat.yahoo.com/?my Home Argentina
http://br.chat.yahoo.com/?my Home Brazil
http://espanol.chat.yahoo.co m/?myHome South America
http://mx.chat.yahoo.com/?m yHome Mexico
http://ca.chat.yahoo.com/?my Home Canada
http://world.yahoo.com/ World of yahoo Cheers and Keep learning..
WELCOME GUEST ENJOY YOUR STAY HERE...
TELL A FRIEND ABOUT US..
Showing posts with label server. Show all posts
Showing posts with label server. Show all posts
Saturday, September 12, 2009
Friday, August 21, 2009
List Of Sql Injection Strings..
One of the major problems with SQL is its poor security issues surrounding is the login and url strings. This tutorial is not going to go into detail on why these string work as all these details have been given in my previous article Top 10 Tricks to exploit SQL Server Systems . First SEARCH the following Keywords in Google or any Search Engine: admin\login.asp
login.asp with these two search string you will have plenty of targets to chose from...choose one that is Vulnerable INJECTION STRINGS: How to use it? This is the easiest part...very simple On the login page just enter something like user:admin (you dont even have to put this.)
pass:' or 1 =1 - or user:' or 1 =1-
admin:' or 1 =1 - Some sites will have just a password so password:' or 1 =1- In fact I have compiled a combo list with strings like this to use on my chosen targets. There are plenty of strings in the list below. There are many other strings involving for instance UNION table access via reading the error pages table structure thus an attack with this method will reveal eventually admin U\P paths. The one I am interested in are quick access to targets PROGRAM i tried several programs to use with these search strings and upto now only Ares has peformed well with quite a bit of success with a combo list formatted this way. Yesteday I loaded 40 eastern targets with 18 positive hits in a few minutes how long would it take to go through 40 sites cutting and pasting each string combo example: admin:' or a=a-
admin:' or 1 =1 - And so on. You don't have to be admin and still can do anything you want. The most important part is example:' or 1 =1- this is our basic injection string Now the only trudge part is finding targets to exploit. So I tend to search say google for login.asp or whatever inurl:login.asp
index of:/admin/login.asp like this: index of login.asp result: http://www3 .google.com/search?hl=en&ie=I SO...G=Google+Search 17 ,000 possible targets trying various searches spews out plent more Now using proxy set in my browser I click through interesting targets. Seeing whats what on the site pages if interesting I then cut and paste URL as a possible target. After an hour or so you have a list of sites of potential targets like so http://www.somesite.com/login. asp
http://www.another.com/admin /login.asp and so on. In a couple of hours you can build up quite a list because I don't select all results or spider for log in pages. I then save the list fire up Ares and enter 1) A Proxy list
2) My Target IP list
3) My Combo list
4) Start. Now I dont want to go into problems with users using Ares..thing is i know it works for me... Sit back and wait. Any target vulnerable will show up in the hits box. Now when it finds a target it will spew all the strings on that site as vulnerable. You have to go through each one on the site by cutting and pasting the string till you find the right one. But the thing is you know you CAN access the site. Really I need a program that will return the hit with a click on url and ignore false outputs. I am still looking for it. This will saves quite a bit of time going to each site and each string to find its not exploitable. There you go you should have access to your vulnerable target by now Another thing you can use the strings in the urls were user=? edit the url to the = part and paste ' or 1 =1 - so it becomes user=' or 1 =1- just as quick as login process Combo List There are lot of other variations of the Injection String which I cannot put on my blog because that is Illegal. If you are interested I can send it to you through Email. Just write in your email address in comment and I will send it to you as early as possible but you need to remain patient it may take 1 or 2 days.
login.asp with these two search string you will have plenty of targets to chose from...choose one that is Vulnerable INJECTION STRINGS: How to use it? This is the easiest part...very simple On the login page just enter something like user:admin (you dont even have to put this.)
pass:' or 1 =1 - or user:' or 1 =1-
admin:' or 1 =1 - Some sites will have just a password so password:' or 1 =1- In fact I have compiled a combo list with strings like this to use on my chosen targets. There are plenty of strings in the list below. There are many other strings involving for instance UNION table access via reading the error pages table structure thus an attack with this method will reveal eventually admin U\P paths. The one I am interested in are quick access to targets PROGRAM i tried several programs to use with these search strings and upto now only Ares has peformed well with quite a bit of success with a combo list formatted this way. Yesteday I loaded 40 eastern targets with 18 positive hits in a few minutes how long would it take to go through 40 sites cutting and pasting each string combo example: admin:' or a=a-
admin:' or 1 =1 - And so on. You don't have to be admin and still can do anything you want. The most important part is example:' or 1 =1- this is our basic injection string Now the only trudge part is finding targets to exploit. So I tend to search say google for login.asp or whatever inurl:login.asp
index of:/admin/login.asp like this: index of login.asp result: http://www3 .google.com/search?hl=en&ie=I SO...G=Google+Search 17 ,000 possible targets trying various searches spews out plent more Now using proxy set in my browser I click through interesting targets. Seeing whats what on the site pages if interesting I then cut and paste URL as a possible target. After an hour or so you have a list of sites of potential targets like so http://www.somesite.com/login. asp
http://www.another.com/admin /login.asp and so on. In a couple of hours you can build up quite a list because I don't select all results or spider for log in pages. I then save the list fire up Ares and enter 1) A Proxy list
2) My Target IP list
3) My Combo list
4) Start. Now I dont want to go into problems with users using Ares..thing is i know it works for me... Sit back and wait. Any target vulnerable will show up in the hits box. Now when it finds a target it will spew all the strings on that site as vulnerable. You have to go through each one on the site by cutting and pasting the string till you find the right one. But the thing is you know you CAN access the site. Really I need a program that will return the hit with a click on url and ignore false outputs. I am still looking for it. This will saves quite a bit of time going to each site and each string to find its not exploitable. There you go you should have access to your vulnerable target by now Another thing you can use the strings in the urls were user=? edit the url to the = part and paste ' or 1 =1 - so it becomes user=' or 1 =1- just as quick as login process Combo List There are lot of other variations of the Injection String which I cannot put on my blog because that is Illegal. If you are interested I can send it to you through Email. Just write in your email address in comment and I will send it to you as early as possible but you need to remain patient it may take 1 or 2 days.
Subscribe to:
Posts (Atom)
MY STATS
