Thursday, August 29, 2013

Hacking Websites Through Sql Injection

The Most Common Question People often ask from me related to hacking is How Hackers Hack our Websites. Today I am Telling You a Very Important Technique to Hack Websites With a Demo.The Technique i will use is Sql Injection.

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application (like queries). The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It happens from using poorly designed query language interpreters.

Lets Start Hacking a Website…..

    When You Enter a Username and Password in a Website the query Which is fired is similar to : Select * from Admin where username = ‘ishan’ and password = ’123′ ;

Here Admin is the table name and username,password are columns in the table.

Now I Supply values for username and password as ‘ishan’ and ’123′ and an error is produced.
Now Lets supply username= 1′ or ’1′ = ’1 and password = 1′ or ’1′ = ’1 and let’s see what happen?

The Website is Hacked, 

 Now Lets Go back to Sql Query and see what happen if we replace ‘ishan’ and ’123′ with 1′ or ’1′ = ’1 , Then Query Becomes

Select * from Admin Where username = ’1′ or ’1′ = ’1′ and password = ’1′ or = ’1′ = ’1′

Now as we know if any of the condition in or is true then statement is true therefore username and password may not be equal to ’1′ but ’1′ = ’1′, This is a Universal truth.Since Both Condition of And are true now therefore the whole select query becomes true and it returns the row…

    Now as we don’t enter any valid username and password so Which row from admin table does the Select query will retrieve.Good Question?

It will retrieve the very first row of the table

Now The basic thing in this attack is that we have Fooled the Database by manipulating query..

    You Can try some more username and passwords to fool database:


        ‘) or (‘a’='a

        ”) or (“a”=”a

        hi” or “a”=”a

Hope That You have liked this post and don’t forget to +1 and recommend this site in right pane

Note :This is for Educational Purpose only. Don’t try it to cause any harm to any website or its Database

Step by Step Phishing Tutorial-2

Many people ask me that they want to hack Gmail, Facebook or yahoo id’s of their friends. Today I am sharing with you the concept of Phishing. This is similar to Fishing, where the fisherman puts a bait at the hook, thus, pretending to be a genuine food for fish. But the hook inside it takes the complete fish out of the lake.

Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by letting victim login on a fake page. In Phishing We Create a fake page of the social networking site on which victim has their profile. By gaining trust of Victim We force him to login to our fake page, When Victim login through fake page he will be redirected to a script which saves the information like username and passwords and then let the user login into their original profile.

I am demonstrating the Phishing attack on Gmail id’s. There are basically three steps Which We have to follow.

Just create an account on any free hosting service like,000webhost,, or so that you can upload your files on a server and let victim login through it.

Go to and save the page on your desktop by going to File Menu. Now open this HTML Page with notepad and find action.Change action to action =”script.php”. script.php is the file on which we want to redirect Victim it contains the programming logic to steal information. Save This Gmail HTML Page as index.html

You can Download the script.php file from here. Just copy the content of this file to a notepad and save it as script.php and don’t forget to choose all documents in Save as Type Textbox.

  Now create a blank Text Document and save it as “Passwords.txt”.Now upload index.html, script.php and Passwords.txt to your Web server like give path of to victim and when he try to login his username, password will be saved in Passwords.txt file and you can read username and password from there.

Note : This tutorial is for Educational and Awareness Purpose only.Please do not use Scripts provided in this tutorial to harm anyone’s resources or steal any confidential information...

Step by Step Phishing Tutorial

What is Phishing ?

In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites
, auction sites, online payment processors or IT Administrators are commonly used to lure the unsuspecting. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Even when using server authentication, it may require tremendous skill to detect that the website is fake.

How To Do Phishing ?

STEP 1:Firstly U Must Signup For A Free Web Hosting Service Like:

And Register A Domain Or Subdomain.

After Getting Your Signup Done, You Have Your Own Subdomain Like For Instance You Registered With Freehostia,

Then Your Domain Is Like "Www.Yourname.Freehostia.Com"

Now Login To Your Freehostia Account And Go To "File Manager" In The Freehostia Control Panel.

STEP 3:Now what you have to do is, go to your domain folder like "" and create a seperate folder in that directory.with the name of the site, for eg. Gmail , if you want to phish a gmail account!

Now (   click here   )to Download and extract the file "phishers created by me" to your desktop. And then open your "gmail" folder. You'll find three files there viz. "mail.php" , "Log.txt" & "gmail.html" (each phisher folder contains same files)

Now upload "mail.php" & "index.html" "log.txt" to the "gmail" folder you created inside ""

So when you're done with the uploading part, the link to your gmail phisher is "".

Congrats!! That is your gmail phisher!! Now all you have to do is copy the link to the phisher file i.e. ""
And send it to the victim you want to hack! When he/she'll open that link, it'll be directed to your gmail phisher and when he/she logins that page
He/she'll be redirected to the original "gmail" website and you'll get the password in the "jafar.txt" file which will be created in the gmail folder. You created in your freehostia domain and the path to that file will be "" ...