Quite a few friends have messaged me asking how to check a site, and I don't have the time to answer each of you individually, so I wrote up my way of thinking about checking a site for you to read. From there the path is: orientation => self-study => implementation.
- The first thing I want to say about attacking a site: what you need first is patience. Pick up information little by little; don't get impatient and skip over things, because that reduces your effectiveness. Not every website can be attacked in one shot, which is why you have to accumulate information piece by piece.
If you only want to find some site to check, it is best to use dorks to find sites with known errors.
For example SQLi dorks, or dorks for Joomla and vBulletin versions that have bugs. This is more effective than picking any site and then seeing whether it has errors. (There is also a faster way: use a dork scanning tool. It will find you a block of error sites to check from a list of available dorks. This is more effective for UG people searching for error shops.)
If instead you want to attack a specific website, that is more difficult.
- Let's say your victim has the domain target.com. What follows is how to attack the victim effectively (this applies both to shared hosts and to large private servers with good security, and to small sites or forums).
Step 1: Get initial information
Gather the victim's information. Whois the domain and find out as much about the victim as possible. Google, Bing, Yandex and so on are all useful tools; I recommend trying several search engines, because each has its own search algorithm and so returns different results of different usefulness.
For example, enter the search engine as follows:
It will give us some interesting information. Try to gather as much initial information as possible: the domain owner, the website admin, support contacts, including phone numbers, Facebook, Gmail and Yahoo accounts, and the company's email addresses. A good attacker is one who can take advantage of any opening; any weak point can be attacked.
Step 2: Analyze the possibility of attack
The first thing is to scan the main victim. Scanning the victim is the main job. For sites on the private servers of large companies, this is the step that decides whether you can attack it or not.
There are quite a lot of scanning tools. I recommend sets such as:
Acunetix Vulnerability Scanner, OpenVAS (in BackTrack), w3af (in BackTrack), Nessus (in BackTrack), wpscan (for scanning WordPress, in BackTrack), joomlascan (for scanning Joomla bugs, in BackTrack), uniscan (in BackTrack)... I could sit and list every toolset that comes to mind until tomorrow morning.
There are many tools, but you have to choose: which set to use for which victim, and they should be used in combination. As I said, each tool uses different scanning mechanisms and algorithms, so the results differ too. The scan results give us the shape of how to attack.
Scan the server - scan to get information about the server: which operating system it runs, whether it uses Apache or IIS and which version, whether the site is written in ASP or PHP, and which ports are open (for port scanning you can use nmap; it is a very effective tool).
For every version and port you find, Google it immediately, or look it up on exploit-db.com to see whether it can be attacked that way. Otherwise save the information and check it later. These are essential steps for attacking a large website.
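The scanners named above (Acunetix, OpenVAS, w3af, Nessus, wpscan, joomlascan, uniscan, nmap) are as visible to the server's owner as they are useful to the attacker: most announce themselves in the User-Agent header by default, and all of them leave a burst of 404s behind while probing for known paths. The following is an added example, not code from the original post, showing how an admin spots both signals in an Apache combined-format access log. The log lines are constructed sample data, and the user-agent markers and the 404 threshold are assumptions for the example.

```python
"""Flag web-vulnerability-scanner activity in Apache combined-format access logs.

Added example (not from the original post). Two cheap signals are used:
a scanner name in the User-Agent, and a burst of 404s from one client IP.
"""
import re
from collections import defaultdict

# Apache "combined" log format:
# ip ident user [ts] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Lower-cased substrings seen in the default User-Agent of common scanners
# (assumed list; extend it from your own logs).
SCANNER_UA_MARKERS = ("acunetix", "openvas", "w3af", "nessus", "wpscan",
                      "joomlascan", "uniscan", "nmap", "nikto", "sqlmap")

NOT_FOUND_BURST = 5  # 404s from one IP before we call it path probing (assumed)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def detect_scanners(lines):
    """Return sorted (ip, reason) tuples for clients that look like scanners."""
    findings = set()
    not_found = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        ua = rec["ua"].lower()
        for marker in SCANNER_UA_MARKERS:
            if marker in ua:
                findings.add((rec["ip"], f"scanner user-agent: {marker}"))
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
    for ip, count in not_found.items():
        if count >= NOT_FOUND_BURST:
            findings.add((ip, f"{count} x 404 (path probing)"))
    return sorted(findings)


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/117.0"',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "WPScan v3.8.22 (constructed sample UA)"',
    '203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /xmlrpc.php HTTP/1.1" 404 162 "-" "WPScan v3.8.22 (constructed sample UA)"',
    '192.0.2.44 - - [10/Oct/2023:13:57:10 +0000] "GET /administrator/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Oct/2023:13:57:11 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Oct/2023:13:57:12 +0000] "GET /backup.sql HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Oct/2023:13:57:13 +0000] "GET /config.php.bak HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Oct/2023:13:57:14 +0000] "GET /.env HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    'this line is not a valid log record',
]

if __name__ == "__main__":
    for ip, reason in detect_scanners(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

Run against a real log with `detect_scanners(open("/var/log/apache2/access.log"))`. A scanner that spoofs a browser User-Agent still trips the 404 burst, which is why the two signals are combined rather than relying on the User-Agent alone.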
For shared-host servers, analyzing the possible attacks is also a very important step. It shortens your attack time while keeping effectiveness high.
I see the majority (and I did this before too), when attacking a website that has no faults and no vulnerabilities, reverse-look-up the IP of the server hosting the victim and then open each site on it to check whether it has SQLi or not.
Agreed, SQLi is common and very easy to exploit, but you can't always be lucky; you check once and the link breaks right away. If you scan the entire server, when will you ever be done? One way to shorten this process is to decide which type of site to attack.
For example, say you have experience checking WordPress. You want to find sites on the server that use this source code to attack, and then go local to the main victim. Use Google with the dork:
ip:112.78.2.247 “wordpress”
Like this, I found a victim on this server using WordPress: http://www.saigoncanho.com.vn/
The same goes for other source codes.
Step 3: Attack
This is the most important step, but I will say the least about it, because there are so many types of attacks; who could describe them all?
Just a few experiences. Take vBB forums, for example: many versions are actually bug-free, but that's no reason to let them go. Look at their web applications, for example the mods. The same goes for Joomla and other source codes: look at how the extensions are doing. They are very prone to errors, because they are mostly integrated applications written by Vietnamese web developers, who are very poor at security.
Make the most of the results you scan above.
- For example, say you scan a server and find it runs Apache 2.1. Check whether it has been updated; if it has not, attack it. Look up the public errors on Google and attack with those. Try to attack slowly.
Look at the site structure from the scan for anything exploitable. For example, they may have left a database backup on the site; download and analyze it right away.
Many scanning toolsets scan down to every small error, like finding a location where you can upload photos or files. Try to bypass it and upload a shell.
There is too much to talk about in this section, and actually most hacking tutorials talk about this part, so I leave it to you. Try to gather as much experience in this section as possible. The other parts follow a certain rule; perhaps for any victim you do the same thing. But this part depends on many things: on the scan results, on the different targets. So it is very diverse.
The result of this section is that you get an admin account or get a shell uploaded.
Step 4: If you can attack the target directly, then there is nothing more to say. If you can only attack a site located on the same server, then the next step is local. The local topic is also quite wide; I only talk about a part of it.
In local, symlink is the most common and most used local type. It is like a shortcut in Windows. It helps speed up the process of calling and running a file; calling the hard link directly would make the server's operation slower.
In the local method, our main purpose is to read or get the config files (or a config file of the target being attacked). The first thing we usually do is read the file /etc/passwd to determine all the users on the server (and not every server allows us to; sometimes it must be bypassed).
To read the config file we also have to know the source code. For each source code the config file is located in a different place.
Here are the config files for some corresponding source codes:
Vbulletin: public_html/includes/config.php
PHPBB: public_html/config.php
Joomla: public_html/configuration.php
WordPress: public_html/wp-config.php
ibp: public_html/conf_global.php
php-fusion: public_html/config.php
Smf: public_html/Settings.php
phpnuke: public_html/html/config.php
Xoops: public_html/mainfile.php
ZenCart: public_html/includes/configure.php
setidio: public_html/datas/config.php
Discuz: public_html/config/config_ucenter.php
Bo-Blog: public_html/data/config.php
Nukeviet: public_html/config.php
Drupal: public_html/sites/default/settings.php
Textpattern: public_html/textpattern/config.php
Serendipity: public_html/serendipity_config_local.inc.php
Pligg CMS: public_html/libs/dbconnect.php
Pivotx: public_html/pivotx/includes/minify/config.php
From here we can work out the exact path to the victim's config file, and from there symlink the exact file to read. (If the victim has changed the location of the config file, we have to sit and symlink to find it: symlink its index, then the files it includes, from one file to the next. For an experienced attacker, security by hiding the victim's config file is sometimes ineffective.)
The symlink command structure (so that the symlink file points at the address /home/usertarget/public_html/includes/config.php) is: ln -s /home/usertarget/public_html/includes/config.php target.txt
This command symlinks the config file to the file target.txt in the directory where we run the symlink. In the best case we can then read this target.txt file on the host where we put the shell.
But we are not always in such good conditions. The website owner can chmod the config file so that we cannot read it (100, 101, 400, ...), for example, depending on the server. Or the website owner has placed a .htaccess file in the directory containing the config file with the following content:
order allow,deny
deny from all
If the site owner has done that, when we symlink we get a 403 Forbidden error.
In this article I only talk about the idea of attacking, not the attack method in detail, so I'll just give a few examples.
What if we can't read it? You have to think about why you can't. Thinking puts us in the position of the victim's admin: if it were me, how would I keep it confidential, what would I do? From there we arrive at different measures.
Suppose we look for a way to bypass the 403 Forbidden error caused by the website owner's .htaccess file, for example.
On the host where we put the shell, create a folder named VHBSYSTEM, for example, with the full path /home/attacker/public_html/VHBSYSTEM/. Chmod this directory to 777 (not needed at first; if it doesn't work, try again with it). Then create a .htaccess file with the following content:
Place this .htaccess file in the /home/attacker/public_html/ directory. Then symlink the config file to the file vhb.txt with the command structure ln -s /home/victim/public_html/includes/config.php vhb.txt
After the symlink is done, go to the VHBSYSTEM directory and read the file vhb.txt we just symlinked. It will bypass.
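Both halves of what is described above, the config-file list and the symlink into another account's public_html, are things the owner of a shared-hosting account can audit for on their own side. The following is an added example, not code from the original post: it checks whether any of the config files from the list above is readable by group or others (the chmod the post mentions is the fix), and lists every symlink under an account's home that resolves to a path outside that home. The account layout it inspects is constructed in a temporary directory, and the /home/othervictim/... link target is a made-up placeholder.

```python
"""Audit a shared-hosting account for the two weaknesses the post's local
attack relies on: group/world-readable CMS config files, and symlinks inside
the account's home that resolve to paths outside it.

Added example (not code from the original post). The CMS config paths are the
ones the post lists; the sample account tree is constructed with tempfile.
"""
import os
import stat
import tempfile

# Config file locations relative to the account's public_html (from the post).
CMS_CONFIG_PATHS = {
    "Vbulletin": "includes/config.php",
    "PHPBB": "config.php",
    "Joomla": "configuration.php",
    "WordPress": "wp-config.php",
    "ibp": "conf_global.php",
    "php-fusion": "config.php",
    "Smf": "Settings.php",
    "phpnuke": "html/config.php",
    "Xoops": "mainfile.php",
    "ZenCart": "includes/configure.php",
    "setidio": "datas/config.php",
    "Discuz": "config/config_ucenter.php",
    "Bo-Blog": "data/config.php",
    "Nukeviet": "config.php",
    "Drupal": "sites/default/settings.php",
    "Textpattern": "textpattern/config.php",
    "Serendipity": "serendipity_config_local.inc.php",
    "Pligg CMS": "libs/dbconnect.php",
    "Pivotx": "pivotx/includes/minify/config.php",
}


def check_config_perms(public_html):
    """Return (cms, relpath, mode) for config files readable by group or others."""
    findings = []
    for cms, rel in CMS_CONFIG_PATHS.items():
        path = os.path.join(public_html, rel)
        if not os.path.isfile(path):
            continue
        mode = os.stat(path).st_mode
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((cms, rel, oct(stat.S_IMODE(mode))))
    return findings


def find_escaping_symlinks(home):
    """Return (link, target) for symlinks under home whose target resolves outside home."""
    home_real = os.path.realpath(home)
    escapes = []
    for root, dirs, files in os.walk(home):  # does not follow symlinked dirs
        for name in dirs + files:
            path = os.path.join(root, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)  # dangling links resolve as far as possible
            if os.path.commonpath([home_real, target]) != home_real:
                escapes.append((os.path.relpath(path, home), os.readlink(path)))
    return sorted(escapes)


def audit_account(home):
    """Run both checks on one account; returns (perm_findings, symlink_findings)."""
    return (check_config_perms(os.path.join(home, "public_html")),
            find_escaping_symlinks(home))


def build_demo_account():
    """Construct a throwaway account layout (sample data, not a real host)."""
    home = tempfile.mkdtemp(prefix="acct_")
    public_html = os.path.join(home, "public_html")
    os.makedirs(os.path.join(public_html, "includes"))
    wp = os.path.join(public_html, "wp-config.php")
    with open(wp, "w") as f:
        f.write("<?php define('DB_PASSWORD', 'example'); ?>\n")
    os.chmod(wp, 0o644)  # world-readable: the weak setting
    vb = os.path.join(public_html, "includes", "config.php")
    with open(vb, "w") as f:
        f.write("<?php $config['MasterServer']['password'] = 'example'; ?>\n")
    os.chmod(vb, 0o600)  # owner-only: the corrected setting
    # A symlink of the kind the post describes, aimed at another account
    # (placeholder path, does not need to exist).
    os.symlink("/home/othervictim/public_html/includes/config.php",
               os.path.join(public_html, "target.txt"))
    # A symlink that stays inside the account is not reported.
    os.symlink("wp-config.php", os.path.join(public_html, "local-link.php"))
    return home


if __name__ == "__main__":
    perms, links = audit_account(build_demo_account())
    for cms, rel, mode in perms:
        print(f"readable config: {cms} {rel} mode {mode}")
    for link, target in links:
        print(f"symlink escapes home: {link} -> {target}")
```

On a real account call `audit_account("/home/<user>")` as that user or as root. A config file at mode 600 is still readable by the web server only if PHP runs as the account owner (suPHP, PHP-FPM pools, or similar), which is the usual setup on shared hosts and the reason 600/400 works there.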
This is just one of many bypasses. Many of you say that local requires a mindset, but I think if you want to be good at local you have to know many ways to bypass when the file can't be read.
You should refer to the many documents on this issue shared in VHB (or visit vhbgr0up.blogspot.com).
There are also quite a lot of other ways people use. One is to symlink all configs (the VHB blog and forum also cover this). Another is sym root: create a sym root on a certain Linux server, then tar it and upload it to the server that needs local. VHB also has many articles on this already.
I also mentioned doing sym root directly on the server. Sometimes it is quite effective at bypassing security.
As before, create a folder VHB so that its full path is easy to handle: /home/attacker/public_html/VHB. Then execute the symlink in the shell as follows: "ln -s /root". Then choose a victim whose domain is target.com, for example, and continue by typing "ls -la /etc/validations/target.com". Then go back to the VHB folder we just created and put there a .htaccess file with the following content:
Options Indexes FollowSymLinks
DirectoryIndex index.htm
AddType txt .php
AddHandler txt .php
Now let's see what we can symlink. If somewhere it says permission denied, don't worry about it; go deeper. Suppose we need to see target.com, whose user we obtained above is target.
Then we view it at the following link: attacker.com/VHB/root/home/target/public_html/ ......
Sometimes you can't see it; then view the source.
I'll stop here on local; I can't write it all out. Keep scrolling through the VHB blog for a week and you'll see what a local pro is.
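The four-line .htaccess above works only because the server lets a per-directory file turn on FollowSymLinks and remap .php to a plain-text type, so PHP source is served instead of executed. Hosting admins can scan accounts' .htaccess files for exactly those directives. The following is an added example, not code from the original post: a small directive parser that reports the risky settings, run over the post's .htaccess text and over a corrected version (the corrected text is an assumption for the example, and the check presumes the server's AllowOverride allows these directives at all).

```python
"""Flag .htaccess directives that let one shared-hosting account read another's
PHP source through symlinks (the bypass file shown in the post).

Added example, not from the original post. It inspects .htaccess text only and
assumes the server's AllowOverride lets Options/AddType/AddHandler take effect.
"""

# The .htaccess content from the post (weak setting).
SAMPLE_HTACCESS = """\
Options Indexes FollowSymLinks
DirectoryIndex index.htm
AddType txt .php
AddHandler txt .php
"""

# Corrected setting (assumed for this example): no listings, symlinks followed
# only when link and target share an owner, .php left to the PHP handler.
SAFE_HTACCESS = """\
# keep PHP handled by PHP
Options -Indexes -FollowSymLinks +SymLinksIfOwnerMatch
DirectoryIndex index.php
"""


def parse_directives(text):
    """Yield (directive, args) for each non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        yield parts[0], parts[1:]


def audit_htaccess(text):
    """Return human-readable findings for risky directives in .htaccess text."""
    findings = []
    for name, args in parse_directives(text):
        key = name.lower()
        if key == "options":
            for opt in args:
                enabled = not opt.startswith("-")   # "-X" disables, "X"/"+X" enables
                flag = opt.lstrip("+-").lower()
                if flag == "indexes" and enabled:
                    findings.append("Options Indexes: directory listings enabled")
                if flag == "followsymlinks" and enabled:
                    findings.append("Options FollowSymLinks: symlinks followed regardless of owner")
        elif key in ("addtype", "addhandler") and len(args) >= 2:
            mime = args[0]
            exts = [e.lower().lstrip(".") for e in args[1:]]
            # Mapping .php to anything that is not a PHP type serves source code.
            if "php" in exts and "php" not in mime.lower():
                findings.append(f"{name} {mime} .php: PHP source would be served as {mime}")
    return findings


if __name__ == "__main__":
    for label, text in (("post", SAMPLE_HTACCESS), ("corrected", SAFE_HTACCESS)):
        print(f"{label}: {audit_htaccess(text) or 'no findings'}")
```

The per-directory check is a stopgap. The durable fix is in the server config, where `AllowOverride` for user directories excludes `Options` and `FileInfo`, so an account cannot enable FollowSymLinks or remap .php in the first place; then the audit above only needs to confirm that no server-level block grants those back.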
Step 5: Rooting
If it is a Linux server, you should try to get root on it. Sometimes trying to root the server is a shorter route than local; local is not always possible when the security is too tight. Try rooting if possible.
Create a back connect, or maybe bind a port. A back connect here means the server connects back to you after you open a particular port and listen on it with netcat (nc -l -v -p 4444, for example). Quite a few shells support back connect.
If you want to root, you must check whether the kernel can be rooted. In the shell you can check with the command "uname -a" to get the kernel version, then search Google to see whether it can be exploited.
(You can go to exploit-db.com/local/ to find it.)
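Every command in this step (the back connect, the bind port, the uname -a) runs as the web server's user and, because it is launched from an uploaded shell, it appears in the process table as a shell or network tool whose parent is the web server. That parent/child relationship is what an admin or incident responder looks for. The following is an added example, not code from the original post: it parses the output of `ps -eo pid,ppid,user,comm,args` and reports shells and listeners spawned under a web-server account. The process listing is constructed sample data, and the user and tool name sets are assumptions.

```python
"""Spot back-connect / bind-shell activity from a web-server account in a
process listing, the step the post describes after a shell has been uploaded.

Added example (not from the original post). Input is the text produced by
`ps -eo pid,ppid,user,comm,args`; the listing below is constructed.
"""

# Constructed sample listing: apache2 workers under www-data, one of which has
# spawned a shell running the post's netcat listener, another running uname -a.
SAMPLE_PS = """\
  PID  PPID USER     COMMAND         COMMAND
    1     0 root     systemd         /sbin/init
  812     1 root     sshd            /usr/sbin/sshd -D
 1034     1 root     apache2         /usr/sbin/apache2 -k start
 1040  1034 www-data apache2         /usr/sbin/apache2 -k start
 1041  1034 www-data apache2         /usr/sbin/apache2 -k start
 2207  1041 www-data sh              sh -c nc -l -v -p 4444
 2208  2207 www-data nc              nc -l -v -p 4444
 2301  1040 www-data sh              sh -c uname -a
 2302  2301 www-data uname           uname -a
 3100   812 alice    bash            -bash
"""

# Assumed sets; adjust to the distribution and PHP setup in use.
WEB_USERS = {"www-data", "apache", "nobody"}
WEB_SERVERS = ("apache", "httpd", "php-fpm", "nginx", "lighttpd")
SHELLS = {"sh", "bash", "dash", "zsh"}
NET_TOOLS = {"nc", "ncat", "netcat", "socat", "perl", "python", "python3", "php"}


def parse_ps(text):
    """Return {pid: {pid, ppid, user, comm, args}} from ps output (header skipped)."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 4)  # args may contain spaces, so split at most 4 times
        if len(parts) < 5:
            continue
        pid, ppid, user, comm, args = parts
        procs[int(pid)] = {"pid": int(pid), "ppid": int(ppid),
                           "user": user, "comm": comm, "args": args}
    return procs


def find_suspicious(procs):
    """Return (pid, reason) for shells/net tools running under a web-server account."""
    findings = []
    for pid in sorted(procs):
        p = procs[pid]
        if p["user"] not in WEB_USERS:
            continue
        parent = procs.get(p["ppid"])
        parent_is_web = parent is not None and parent["comm"].startswith(WEB_SERVERS)
        if p["comm"] in SHELLS and parent_is_web:
            findings.append((pid, "web server spawned a shell: " + p["args"]))
        elif p["comm"] in NET_TOOLS:
            kind = "listener" if "-l" in p["args"].split() else "network tool"
            findings.append((pid, f"{kind} under web-server account: " + p["args"]))
    return findings


if __name__ == "__main__":
    for pid, reason in find_suspicious(parse_ps(SAMPLE_PS)):
        print(f"pid {pid}: {reason}")
```

Feed it live data with `find_suspicious(parse_ps(subprocess.check_output(["ps", "-eo", "pid,ppid,user,comm,args"], text=True)))`. The `uname -a` child is reported through its parent shell, which is deliberate: the point is not the command but that the web server is executing shell commands at all.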
Step 6: Attack Network
If you have already taken over a server, then try to attack the machines on the same LAN as it. This is an opportunity to show your ability to attack inside a LAN.
AnonyViet Wish You Success
Source: quilevhb.blogsqot.com