First, free up some time before reading this tutorial. It is a big one, so that you can learn and hack everything.
1. Introduction.
Most of the hackers who deface websites are script-kiddies. We're now going to take a look at how hackers quickly detect vulnerable websites and deface other domains on the same system.
2. SQL Injection.
Many people would pick SQL Injection (SQLi) as their main attack. SQLi is very popular and there are many dorks out there.
2.1 Searching for vulnerable websites.
The search is very easy. We just put in the dork and try different search results. For quicker results you may use an exploit scanner.
2.2 I want to attack a specific website which is on a shared hosting.
Again the search is very easy. Let's say we have the IP 69.162.119.226, with no malicious thoughts on it, of course. We navigate to:
www.bing.com
In the search field write:
Code:
ip:69.162.119.226 id=
You should get very interesting results which you might attack.
3. Attacking the web application itself.
A very good method to gain access is to attack the web application itself. Even if the website's web application is up-to-date and you aren't able to exploit it, you can search for vulnerable web applications on the server itself. We'll be using the same method as in 2.2.
Let's say we have again the IP 69.162.119.226, with no malicious thoughts on it, of course. We navigate to:
www.bing.com
In the search field write:
Code:
ip:69.162.119.226 "wordpress"
You should get websites powered by WordPress, or by any other system you have a working exploit for.
4. I've got admin access, now what ?
After you've got admin access, upload a shell.
5. I've got a shell, now what ?
Now it's time to take down your target. You can either:
- Root the server.
- Get the victim's website database configuration file.
5.1 Rooting the server.
First we need to disable the security. There is a good tutorial in this forum; follow it and you'll be fine.
Second we need a back-connection, OR we can bind a port. A back-connection means that the server connects to you after you have opened the specific port and launched netcat to listen ( nc -l -v -p PORT ). Locus shell provides a great interface for beginners. Just upload Locus, then go to back-connection OR bind shell and follow the instructions.
5.1.1 Pwning the kernel.
One of the most popular ways to root a web server is by pwning the kernel, if it's a Linux box. To find out the kernel version simply type "uname -a" on your back/bind connection to/from the server. After you've got the version, try finding a local root exploit for it. If you can't find one, don't give up ... try harder ...
5.1.2 Getting the victims' database configuration file.
Many of you have heard of "symlinking". This is actually something like a shortcut on the Windows OS, except this term is used on the Linux/Unix distributions. Symlinking is a necessity in order for the Linux/Unix box to run about 10 times faster. Without it the server will be really slow even with a high hardware configuration, which is just pointless.
To get the configuration file, first find out what system the victim is using ( e.g. WordPress, Joomla, vBulletin etc. ). Now go to your shell ( you will have to have disabled the security ) and type in "cat /etc/passwd".
The /etc/passwd file contains all usernames on the Linux/Unix box which are created when you get hosting ( usually that's the cPanel username ). Again, to get this file you will have to have disabled the security. In this file the usernames aren't as long as the domain names, e.g.
You have the victim website hackers1.com
In /etc/passwd this can refer to the username:
hack1, hak1, hac1, hckrs1, hrs1 etc.
So spend some time figuring out the username. After you've got it, it's time to get the database config file. You can see the list of default configuration files here:
Code:
vBulletin -- /includes/config.php
IPB -- /conf_global.php
MyBB -- /inc/config.php
phpBB -- /config.php
PHP-Nuke -- /config.php
PHP-Fusion -- config.php
SMF -- /Settings.php
Joomla -- configuration.php , configuration.php-dist
WordPress -- /wp-config.php
Drupal -- /sites/default/settings.php
osCommerce -- /includes/configure.php
e107 -- /e107_config.php
Seditio -- /datas/config.php
After you've got your path, it's time to extract the db information.
Let's assume you're in the directory /home/attacker1/public_html/shell.php, where shell.php is your shell and attacker1 is the username of some domain we've just compromised. Doesn't this ring a bell? The path to the victim's hosting should be /home/victim1/public_html/, where victim1 is your victim's username. Let's execute this command on our shell, assuming the victim's system is vBulletin:
ln -s /home/victim1/public_html/includes/config.php victim1.txt
This command creates a symlink and it tells the server "hey, give me the file /config.php and save it as victim1.txt" (symlinking). Now when you navigate to attacker1.com/victim1.txt you should have their configuration file. Many administrators put some security on their forums/CMSes, so we're going to break that now ...
5.1.2.1 Htaccess.
The admin of the victim1.com website might have put this .htaccess file in the /includes folder:
Order allow,deny
Deny from all
When we try to symlink this it will return a 403 Forbidden error. So how do we bypass this? Easy. We create a folder, e.g. "hack". We navigate to "hack" by typing "cd hack". Next we symlink like this:
ln -s /home/victim1/public_html/includes/config.php victim1.txt
and we get a 403 Forbidden error ... Now we put this .htaccess file in the directory before "hack": for example, we are in "/home/attacker1/public_html/hack" and we have to put this .htaccess file (below) in "/home/victim1/public_html/". The .htaccess file you have to put:
Now we navigate to "/home/attacker1/public_html/hack" and click "victim1.txt", and it should load the configuration file for us. If you have done a symlink but with a different .txt file name, replace your custom name in the .htaccess as well, e.g. I have done the symlink:
ln -s /home/victim1/public_html/includes/config.php 1.txt
so I have to put in the .htaccess:
HeaderName 1.txt
5.1.2.2 Browse Through Attack - Bypassing ALL Security.
Tired of bypassing everything step by step? Now I'm going to show you a very cool method to bypass ALL security.
Take this scenario as an example:
We have disabled all security. But still we can't symlink, right? What do we do?
First we create a folder with a custom name like "hack". We enter it via our shell and type in:
ln -s / root
Next we choose a victim domain like victim1.com. We type in "ls -la /etc/valiases/victim1.com". Now we navigate one folder back and put this .htaccess file in the "hack" folder:
Options Indexes FollowSymLinks
DirectoryIndex test.htm
AddType txt .php
AddHandler txt .php
Now, if we are in "/home/attacker1/public_html/", this equals "attacker1.com". So we want to navigate to the "hack" folder, and we type in the URL "attacker1.com/hack" and we see a "folder" which is actually the symlink called "root". Don't get too happy, we still have restricted permissions on some folders. Now, to "browse through" their whole hosting space we just navigate to
"attacker1.com/hack/root/home/victim1/public_html/".
Now you can browse through their website without worrying about IP restrictions in an .htaccess file. Although, if there is an .htaccess because of which you have to enter a username and password, you have to find a way to bypass that yourself. OK, so you're browsing through and you are in "/includes/" and you find "config.php". You click on it but it gives you a BLANK page. WTF?! Not exactly. Right-click, select "view source", and the configuration file is there.
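As an added, defender-side example (not part of the original tutorial): everything in 5.1.2 through 5.1.2.2 depends on two things a hosting admin can audit for, symlinks inside one account that resolve to another account's files (or to "/"), and .htaccess files that re-enable directory listing, symlink following, autoindex includes, or serve .php as plain text. The script below walks one account's home directory and reports both. The /home/attacker1 and /home/victim1 layout, the .htaccess body and the config.php content are constructed sample data that mirror the tutorial's own scenario; the audit rules are my own, not any hosting panel's.

```python
"""Defender-side audit for the symlink and .htaccess tricks above.

Added example, not part of the original tutorial. It walks one hosting
account's home directory and reports (a) symlinks whose target resolves
outside that home and (b) .htaccess files that turn on directory listing,
symlink following, autoindex includes, or serve .php files as plain text.
All paths and file contents below are constructed for the demo.
"""
import os
import re
import tempfile
from pathlib import Path

# Apache directive names are case-insensitive; these patterns match the
# directives the bypass relies on (constructed audit rules).
_OPTIONS = re.compile(r"^Options\s+(.*)$", re.I)
_HANDLER = re.compile(r"^(?:AddType|AddHandler)\s+(\S+)\s+(.*)$", re.I)
_AUTOINDEX = re.compile(r"^(?:HeaderName|ReadmeName)\s+", re.I)


def audit_htaccess(text: str) -> list[str]:
    """Return sorted labels for risky settings in one .htaccess body."""
    findings = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPTIONS.match(line)
        if m:
            opts = {o.lower() for o in m.group(1).split()}
            if opts & {"followsymlinks", "+followsymlinks"}:
                findings.add("symlink_following")
            if opts & {"indexes", "+indexes"}:
                findings.add("directory_listing")
            continue
        m = _HANDLER.match(line)
        if m:
            # .php mapped to a text type/handler -> PHP source is sent to clients
            if ".php" in m.group(2).lower() and m.group(1).lower() in {"txt", "text/plain", "default-handler"}:
                findings.add("php_served_as_text")
            continue
        if _AUTOINDEX.match(line):
            # HeaderName/ReadmeName pull an arbitrary file into the listing page
            findings.add("autoindex_include")
    return sorted(findings)


def find_escaping_symlinks(home: Path) -> list[tuple[str, str]]:
    """List (link, resolved target) for symlinks under home that leave it."""
    home_real = os.path.realpath(home)
    found = []
    # followlinks=False (the default): linked directories are reported, not descended into
    for dirpath, dirnames, filenames in os.walk(home):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)
            if os.path.commonpath([home_real, target]) != home_real:
                found.append((os.path.relpath(link, home), target))
    return sorted(found)


def audit_account(home: Path) -> dict:
    """Run both checks over one account; a cron job would loop this over /home/*."""
    report = {"escaping_symlinks": find_escaping_symlinks(home), "htaccess": {}}
    for dirpath, _, filenames in os.walk(home):
        if ".htaccess" in filenames:
            ht = Path(dirpath) / ".htaccess"
            labels = audit_htaccess(ht.read_text())
            if labels:
                report["htaccess"][os.path.relpath(ht, home)] = labels
    return report


def build_demo_account() -> Path:
    """Construct a /home-like tree mirroring the tutorial's scenario (sample data)."""
    base = Path(tempfile.mkdtemp(prefix="symlink-audit-"))
    victim_cfg = base / "victim1" / "public_html" / "includes" / "config.php"
    victim_cfg.parent.mkdir(parents=True)
    victim_cfg.write_text("<?php $config['db_pass'] = 'constructed-sample';\n")
    hack = base / "attacker1" / "public_html" / "hack"
    hack.mkdir(parents=True)
    (hack / ".htaccess").write_text(
        "Options Indexes FollowSymLinks\nDirectoryIndex test.htm\n"
        "AddType txt .php\nAddHandler txt .php\n"
    )
    os.symlink("/", hack / "root")                 # the "browse through" link
    os.symlink(victim_cfg, hack / "victim1.txt")   # the config-file link
    return base


if __name__ == "__main__":
    demo = build_demo_account()
    report = audit_account(demo / "attacker1")
    for link, target in report["escaping_symlinks"]:
        print(f"symlink escapes account: {link} -> {target}")
    for path, labels in report["htaccess"].items():
        print(f"risky .htaccess: {path}: {', '.join(labels)}")
```

Run it as-is and it builds the constructed tree in a temp directory and prints both findings. On a real server the fix is on the Apache side rather than in the scanner: use Options SymLinksIfOwnerMatch instead of FollowSymLinks, turn off Indexes, and restrict AllowOverride so that per-directory .htaccess files cannot change Options or handler mappings at all; the scanner then only has to catch accounts that were configured before those defaults were applied.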
6. Is this it? Is it really this simple?
Yes, this is it, nothing complicated. This is the way most hackers "deface", "root" or whatever they do to websites/forums.
I hope you understand this & like it.