It is supported by most operating systems; installation is simple as downloading and extracting a ZIP folder. The Interface is simple and intuitive. Features are while limited and implemented carefully. Users can be easily added, or by bulk CSV importing.
Email templates are easy for creation and modification using variables allows for easy personalization , creating campaigns is a straightforward process, and reports are pleasant to look at and can be exported to CSV format with various levels of detail. Simple Phishing Toolkit sptoolkit. In this Phishing tool, the solution may lack in the GUI attractiveness department compared with some of the previous entries.
There is an important feature that puts high on our list. It provides an opportunity to combine phishing tests and security awareness education. Moreover, there is a tracking feature for training completed people. Unfortunately, this tool has been abandoned in the year A new team is trying to give it a new life, but as of now, the documentation is scarce and scattered all over the internet, making realistic implementation in an enterprise environment a difficult task.
Read Also 1. How Hackers can hack instagram Accounts 2. How hackers can hack Skype Account. King Phisher. These tool features are plentiful, including the ability to run multiple campaigns simultaneously, and geo location of phished users, web cloning capabilities, etc. A separate template having templates for both messages and server pages.
User interface is simpler. Installation and configuration are not simple one. This tool supported only on Linux , with additional installation and configuration steps required. Step Open your Browser and download the Humen error tool from github. Right click on the zip file then click extract here. Extracted file is ready then open the file. Open the Instagram folder. Delete this image file and insert victims Instagram image.
Paste Instagram profile image and also rename the picture as image. Right click the index. How to Jailbreak iOS 7. How to unlock iPhone 7 Passcode The file of index. Replace Target circle image to victim profile image name and save. Put image name as image. Replace the Victim Name to victims Instagram name.
Put Instagram id name. Open Terminal. Type the command cd Downloads and then type ls to list the files. Hit enter then type cd HumenError-master. Instagram Failed and can't Upload Videos 3. How to get Instagram followers for Free Without Surveys. Access a tool, then the tool is successfully running then put 1 for Instagram hacking.
Choose 1 and hit enter. Now add another column into the previous string and group the whole string by a like this:. And here we see the output in above screenshot and Now we again use in the same query three to four times like this:. After some tries we get an error message since the random number is repeated. But in that error message it gives the core path, the database name security, as we asked it do. Let us ask it for the version name:.
After using the query a few times it generates an sql error message with username:. By this technique we can dump the information from the database through the sql error message. Lesson 7: Dumping database using out file.
In this lesson, we will learn how to dump the database by using outfile. Let us start by breaking the sql query like this:. Now I would like to discuss some functions at the back end.
Start mysql at your terminal and use the database security:. Now dump the database and ask mysql to write it into a file by using a function called outfile, so the query is. There is another function, which is known as dump file. Dump file uses only a single row so we have to give it a limit for dumping the database:. Another function which is used is load file. It is used for loading files from the file system into mysql. Here is the query:.
Combine both of them and dump the combination into an outfile. The query is. Now come to the front end part and type in this query into the address bar:. In this way, we can change the string to get more information, such as database version, current user, etc.
Lesson 8: Blind Boolean-based single quotes. In this lesson we will learn to perform blind injections. Let us start from enumeration and try to break the query:. After injecting some queries we see that we do not have an error message on the screen. Hence we are not sure here that the injection exists on this page or not. That is why this type of injection is called blind injection. There are two types of blind injection, Boolean-based and time-based injections. Let us ask the database some small questions like what is the first character of the database.
If the first character of the database is S, it will return a reply which is true. If the second character is A, then the database will reply false, since A does not belong to the database name , but E also gives true.
Now we use another technique, in which we change the way of querying the database and it responds back. There is a function to break up the strings into part; it is called sub string. This will make easier for us to detect the first letter of database, as shown in the screenshot below.
We have a value of and the query used is. Let us check the value of the second letter, E. It is Let us check the value in mysql query: select ascii substr database ,2,1 ;. We evaluate the query. Let us try to guess the 3 rd character by this query:. And the result is 1, meaning true. So make it 97 then. And the result is 0; it means false, hence the valid value lies between 97 and So now keep trying to guess all values from 97 to You are in…………….
It means the value 99 is true. Let us see what happens if we change the value 99 to It means true. It means the 1 st letter is E for Email. Lab 9 does not give us a signal or an error that we have tampered the query, which results in Mysql error. So now it makes us check whether SQL injection is possible. Here we introduce how to use the sleep command in Mysql.
What we see from the screenshot is that we get a response 10 sec after running the query, so the Mysql sleeps for 10 seconds. This is also known as a time-based SQL query. There is a waiting response from the browser which you can notice at the bottom of the screenshot below.
Since the time-based SQL query was able to detect a legitimate database it gives us the response. If the database name were incorrect, we would not have got a waiting response. We get a failed login attempt response. We get a login failed attempt again. Similarly, the failed login error appears for double quotes for both username and password. But when we enter a double quote for just the username the SQL breaks and has an error. We come to the result that we have a double quote followed by the bracket.
Hence we have successfully derived the query. So the knowledge we take out from this result is that the developer has used the query. Now in order to fix the query so that it works, we can balance the quotes or comment out the rest of the query.
So I comment out the rest of my query in the username field. Now as I press enter, it becomes a valid query though we are not able to login and it does not give us an error message. The query simply checks for the second OR condition, validates the user, and prints the record of the second row.
Now I will demonstrate Lesson 14 and leave Lesson 13 for readers to practice. It uses the same mechanism as we have used in this lab. Inputting a large number or a single quote as a username and password does not work. The reason is that the 1 used after OR resolves to true and as a result we have successful query.
The password is not matched since we commented out the rest of the query. Now we move on to the next query, which is Select concat select database ;. This basically selects the database and dumps it as a string.
0コメント