The tutorials in this blog are for educational purposes only.

Inject a shell into a valid image using a Python script & bypass image upload checks!

Sometimes an uploader checks the uploaded file with PHP's getimagesize() to verify that it is a valid image. That function only parses the image header for dimensions and never looks at the rest of the file, so the check can be bypassed by injecting a shell into an otherwise valid image: the file keeps its valid header and dimensions, and the PHP code is carried inside the same file alongside the image data :)

Here is a video Tutorial:

The video above shows how to inject a shell into a valid image file and bypass the PHP getimagesize() check while uploading it.
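To make the bypass and its fix concrete, here is an added example (mine, not the script from the post): it builds a valid 1x1 GIF inline, appends a PHP marker after the image trailer, shows that a header-only check in the style of getimagesize() still reports a 1x1 image, and then shows the extra checks an upload handler needs. The naive_getimagesize function is a Python stand-in for PHP's behaviour, not PHP's code, and the GIF bytes and the PHP_MARKER payload are constructed for the example.

```python
import re
import struct

# Constructed sample input: the smallest valid 1x1 GIF89a image, built inline
# so the example runs offline.  Added example, not the script from the post.
GIF_1X1 = (
    b"GIF89a"                                  # signature + version
    + struct.pack("<HH", 1, 1)                 # logical screen width, height
    + b"\x80\x00\x00"                          # GCT present, 2 entries; bg index; aspect
    + b"\x00\x00\x00\xff\xff\xff"              # global colour table: black, white
    + b"\x2c" + struct.pack("<HHHH", 0, 0, 1, 1) + b"\x00"   # image descriptor
    + b"\x02\x02\x44\x01\x00"                  # LZW min code size 2, one data block, end
    + b"\x3b"                                  # trailer
)

# Hypothetical marker standing in for a web shell; it only has to contain a
# PHP open tag for the checks below to be meaningful.
PHP_MARKER = b"<?php echo 'injected'; ?>"


def build_polyglot(image: bytes, payload: bytes) -> bytes:
    """Append PHP after the image trailer.  Image decoders stop at the trailer,
    so the result is still a valid image; if the server is ever made to run the
    file as PHP, the interpreter ignores everything outside <?php ... ?> and
    executes the payload."""
    return image + payload


def naive_getimagesize(data: bytes):
    """Python stand-in (an assumption, not PHP's code) for what an uploader
    gets from getimagesize(): the header is parsed for dimensions and the rest
    of the file is never inspected.  Returns (width, height) or None."""
    if data[:6] in (b"GIF87a", b"GIF89a") and len(data) >= 10:
        return struct.unpack("<HH", data[6:10])
    if data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR":
        return struct.unpack(">II", data[16:24])
    return None


# PHP open tags only; `<?xml` / `<?xpacket`, legitimate in SVG and XMP
# metadata, are deliberately not matched.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.I)
ALLOWED_EXT = ("gif", "png", "jpg", "jpeg")


def hardened_check(data: bytes, filename: str):
    """Checks an upload handler should combine instead of trusting the header
    alone.  Returns (accepted, reason)."""
    parts = filename.lower().split(".")
    # exactly one extension, from an allow-list: rejects shell.php.gif style names
    if len(parts) != 2 or parts[1] not in ALLOWED_EXT:
        return False, "extension not allowed"
    if naive_getimagesize(data) is None:
        return False, "image header does not parse"
    if PHP_TAG.search(data):
        return False, "PHP open tag found in image bytes"
    return True, "ok"


if __name__ == "__main__":
    polyglot = build_polyglot(GIF_1X1, PHP_MARKER)
    print("header-only check sees:", naive_getimagesize(polyglot))   # (1, 1): passes
    print("hardened check says:", hardened_check(polyglot, "avatar.gif"))
    print("double extension:", hardened_check(GIF_1X1, "avatar.php.gif"))
```

The tag scan is only a heuristic. The controls that actually close the hole are re-encoding the upload with an image library so that foreign bytes are dropped, storing it under a server-chosen name outside the web root, and making sure the upload directory can never execute PHP; the dimension check on its own proves nothing about what else the file contains.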

The Python script is very small; check out the source, it's just 4 lines :p

Script : Pastebin click here

I am just a script kiddie, so forgive me for any mistakes! :)

This video is for educational purposes only.


Upload Shell in OpenCart 2016

[+] Video Tutorial [+]

Sorry for the low quality :( I'll improve the quality in future videos. Please like & subscribe ^_^

WordPress Auto Shell Uploader & Defacer { Python Script }

It is a handy Python script that saves time when shelling & defacing :)


Github link


Raw Script Link


Python's 'requests' library must be installed to use this script; it's very easy!
Guideline to install:


Launch the script.
Put the site URL, including http://
Put the username
Put the password
Put the deface page file name (e.g. deface.html) & it will shell the server & deface the homepage.

Video TUT

 Youtube link


Won't work on CAPTCHA-protected wp-login pages.

URL Inspector - a Python script coded by me.

URL Inspector is a small Python script coded by a 15-year-old script kiddie :p named Skidie Khan. I am a new learner, so there are some bugs; I'll try to fix them :3


  1. Shows the IP of the site and server information.
  2. Option to save the HTML source of the site to a file.
  3. Scans for a CMS: checks whether the target is WordPress / Joomla! / Drupal and finds its login page.
  4. Scans for admin login pages.
  5. Scans for other sites hosted on the same server using Bing.
  6. Option to save the list of other sites to a file.


First launch the script, then just put in the site URL without http and press enter. Example:

Source code & Downloads:

php prv8 uploader scripts

Here are 2 small PHP uploader scripts. These come in handy in many situations, like shelling WordPress, etc. On mobile there is a key limitation on copying text, so big shell codes can't be copied for pasting :/ In those cases these scripts are useful!
Note: sometimes the 1st one doesn't work on WP; use the 2nd one instead.


[alternative one]source: 

Mini Shell - works on most servers!

This is a mini shell modified by me to prevent search engine crawling. Sometimes heavy shells like WSO, b374k, etc. are uploaded to a server but show a blank page, or you get a 403 Forbidden or a "method not implemented" error. Luckily this shell might save you in those conditions!
It has the minimum functions of a shell:
*upload option.
*directory view.
*file edit, rename, delete, chmod.


Google Drive

Use Google for hacking! understanding basic Google Dorks [For Beginners]

Welcome to this tutorial.
Here, I will tell you how to use Google for hacking and how to get more accurate search results.
So let's get started!

Google: Google is a search engine. That's all I know about it.
Dork: basically a search string with various operators that finds something accurately.

So let's now discuss the operators that can be used to create powerful Google dorks for hacking.


inurl shows only those pages whose URL contains the search term. For example, " inurl:admin.php " returns all the pages that have the text "admin.php" in their URL.


intitle shows only those pages whose title contains the search term. For example, " intitle:admin login " returns pages with "admin" in the title. Note that the operator scopes only the word immediately after it, so "login" is matched as an ordinary keyword anywhere on the page; use allintitle: (or quote the phrase) when every word must be in the title.


filetype restricts results to a specific file type. For example, " filetype:pdf " returns only PDF documents.


intext searches for specific text in the body of a page, for example " intext:login ".


site limits the search to a specific site or domain. For example, prefixing a query with site: followed by the domain returns results only from that domain (and its subdomains).
site can also be used to restrict results to a country's top-level domain, for example:
" site:in " returns only sites under the .in (India) TLD. Use the country short codes; the same works for any other TLD. Here are some of them:
bd - Bangladesh
au - Australia
il - Israel
my - Malaysia
br - Brazil
gov - government sites (a generic TLD, not a country code)
com - .com sites
net - .net sites
org - organization sites
There are tons of them; google for a full list.

You are halfway through! You have learned the basics; now put them into action!

Let's build some dorks with these operators!

=> inurl:wp-config intext:wp-config 'DB_PASSWORD'
wp stands for WordPress, yes, the popular CMS. The database username and password are stored in the wp-config file, so we search for wp-config in the URL, and the intext terms narrow the result to pages that actually show the file's contents. A correctly configured server never serves wp-config.php as text, so what this turns up is misconfigured hosts and stray copies such as backups. You will understand more when you google this.

=> inurl:admin inurl:userlist
Using this we can find pages that list the usernames of a website.

=> inurl:admin login ext:php site:lk
Used to find PHP admin panels on .lk (Sri Lanka) sites; ext: is a synonym for filetype:.
=> inurl:index.php?id=
Yes, for the sake of SQL injection! This finds pages that take a numeric id parameter in the URL. They are candidates only; each one still has to be tested before you know it is injectable. Google for SQL injection dork lists for more.

=> inurl:index.php?id= intext:"Warning: mysql_num_rows()" site:in
Here we made a dork for likely SQL-vulnerable sites from India only. A page that prints a mysql_num_rows() warning is leaking MySQL errors to the browser, which usually means unvalidated input is reaching a query. Using the site operator you can limit results to a specific country's websites only!

=> intitle:admin
Adding site: followed by the target's domain, we can use Google to find that site's admin page.

Ok, I missed lots of other operators, but the most used ones are mentioned above. Now use these to create your own dorks for hacking.
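To make the operator semantics above concrete, here is an added example (mine, not part of the original post and not Google's code): a small evaluator that applies a dork to a constructed, offline index of fake pages. It assumes the simplified rules described in this tutorial: clauses combine with AND, inurl/intitle/intext scope only the single word after them unless the value is quoted, a bare word is matched anywhere on the page, ext is treated as an alias of filetype, and site matches the host itself or any subdomain of it. The SAMPLE_PAGES records are made up for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample index (fake pages, not real search results):
# (url, title, body text).  Added example, not the tutorial's own code.
SAMPLE_PAGES = [
    ("http://shop.example.in/wp-config.php.bak", "Index of /",
     "# wp-config.php backup\ndefine('DB_PASSWORD', 'x');"),
    ("http://blog.example.com/wp-config.php", "Parse error",
     "Parse error in wp-config.php: define('DB_PASSWORD', 'y');"),
    ("http://site.example.in/index.php?id=5", "Products",
     "Warning: mysql_num_rows() expects parameter 1 to be resource"),
    ("http://site.example.in/index.php?id=7", "Products", "Welcome back"),
    ("http://portal.example.gov/admin/login.php", "Admin Login", "Username Password"),
    ("http://docs.example.com/manual.pdf", "Manual", "PDF content"),
]

# operator:value, operator:"quoted phrase", or a bare keyword
TOKEN = re.compile(r'(?:(\w+):)?("[^"]*"|\S+)')


def parse_dork(dork):
    """Split a dork into (operator, value) clauses.  A bare word becomes a
    'text' clause, which is how intitle:admin login really behaves: only
    'admin' is scoped to the title, 'login' is an ordinary keyword."""
    clauses = []
    for op, val in TOKEN.findall(dork):
        val = val.strip('"').strip("'").lower()
        clauses.append((op.lower() if op else "text", val))
    return clauses


def match_clause(op, val, url, title, body):
    """Apply one clause to one page record; case-insensitive substring rules."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if op == "inurl":
        return val in url.lower()
    if op == "intitle":
        return val in title.lower()
    if op == "intext":
        return val in body.lower()
    if op in ("filetype", "ext"):
        return parsed.path.lower().endswith("." + val)
    if op == "site":
        # site:example.in matches example.in and any subdomain of it
        return host == val or host.endswith("." + val)
    if op == "text":
        return val in (url + " " + title + " " + body).lower()
    raise ValueError("unknown operator: " + op)


def run_dork(dork, pages=SAMPLE_PAGES):
    """All clauses must match (AND); returns matching URLs in index order."""
    clauses = parse_dork(dork)
    return [url for url, title, body in pages
            if all(match_clause(op, val, url, title, body) for op, val in clauses)]


if __name__ == "__main__":
    for d in ("inurl:wp-config intext:wp-config 'DB_PASSWORD'",
              "inurl:wp-config intext:wp-config 'DB_PASSWORD' site:in",
              'inurl:index.php?id= intext:"Warning: mysql_num_rows()" site:in',
              "intitle:admin login"):
        print(d, "->", run_dork(d))
```

Run it and compare the first two dorks: the same query with and without site:in shows how the site operator prunes the hit on the .com host, and the mysql_num_rows() dork only returns the page whose body actually carries the warning, not the sibling page with the same id= parameter. Real Google also applies ranking, synonym expansion and its own tokenization, so this evaluator is a model of the operators, not of the search engine.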

Black Hat
I hope you have learned something from this small tutorial.
This post was previously published by me here

aWPVScan - Android Wordpress Vulnerability Scanner

aWPVScan is a black-box WordPress security scanner written in Java which attempts to find known security weaknesses within WordPress installations. It is intended for security professionals or WordPress administrators to assess the security posture of their WordPress installations.
 [aWPVScan = Android WP Vulnerability Scan]



Direct Download

sqlmapchik - the android apk port of sqlmap tool.

sqlmapchik is an Android port of the sqlmap tool. Source code is available on GitHub:
Note that the Google Play version may not include the latest available sqlmap version. To build a cutting-edge package, see the instructions on GitHub.
NOTE: The very first launch will take some time because the files need to be unpacked.
Unsupported features:
The project is currently in beta (I suppose it will always be, as sqlmap is constantly evolving :)
At this point, not all of sqlmap's features are supported. Here is what definitely doesn't work:
* sqlmap API
* profiling
* log colorizing
* beeping :)
* user-defined function injection
* updating
* metasploit integration
Other features _should_ work. If you find an issue (I bet you will:), don't hesitate to report it on Github, by email, Twitter, pidgin mail etc.


Get it on Google play 

Google for other download locations :p

Skidie Deface Maker v1.0 - A php Script for making deface page!

Yes, this simple PHP script is written by me =D. It's a quick, handy PHP script for making a deface page without knowing any HTML =D

./Add custom image
./Add background music
./Add message
./& other basic options

Remember, it's v1.0 :D. I am not that good at writing scripts, but I made this one to help some of my friends.

The output goes to the same directory: a new file named "Deface.html" will be created.


Google Drive

WebCruiser Web Vulnerability Scanner + Key

WebCruiser Web Vulnerability Scanner is a web penetration testing tool created by JanuSec. WebCruiser supports scanning a website as well as POC (proof of concept) for SQL injection, cross-site scripting, local file inclusion, remote file inclusion, redirects and other web vulnerabilities.
More info at



Username: WWW
Serial: 3E08-3C1B-CAFB-321F

The Pro + Portable version of Havij 1.14

Nowadays it's getting hard to get a working pro version of Havij; many of them get the work almost done but get stuck on "Getting Current Database". I have been using this pro portable version for a long time & it works fine! As it's a hack tool, use it at your own risk!!! Treat any redistributed cracked binary as untrusted and run it only inside an isolated VM.


Google Drive