Friday, November 2, 2007

Website hacking methodologies....

Hacking a website or its member section

First of all, why do you want to hack a webpage? Is it a certain webpage or any site at all? There are many reasons to hack a website, or a webmaster. Maybe you want to take revenge, or maybe you want to have fun or just learn how to do it! You can deface the website, which means replacing the original index with a new one, or you can gain access to the member area of the site, which might be easier.

Defacing

You can deface the site through telnet or your browser by running remote commands on an old or misconfigured server. The hard thing to do is find an old server; maybe a network of a school or university would do. Get a CGI bug searcher. This program will scan ranges of IPs for web servers and will scan them for known bugs in their CGIs or other bugs and holes. You can learn how to exploit a certain hole by adding in Yahoo the name of the bug/hole and the word exploit; for example, search for "cmd.exe exploit". There are more than 700 holes that many servers might have! You can also deface a website by finding the FTP password and just browsing through the site's FTP and replacing the index.htm. You do that with brute force.

Brute force

To do that you need a brute forcer, or brute force attacker, and some word lists. The brute forcer sends multiple user/pass requests using words that it picks up from name lists and keeps trying to hack the account until it does!
So let's say, imagine a porn site that asks for a password. You go there, you copy their address, you add the address in a program called a brute forcer, and then from the brute forcer you choose a text file with names to be used as usernames and a text file with names to be used as passwords. The brute forcer will try until it finds a correct user/pass.

This should be easier for the newbies than exploiting CGI bugs; many of the newbies haven't even heard of it. I hope I didn't confuse you with this tutorial. There might be more tuts about web hacking and CGI bugs and such. Till then, try to find the way to CGI bugs yourself with the CGI scanners in the Web Hacks sec
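
Both activities described above, a CGI scanner sweeping a server for scripts and a brute forcer replaying word lists against a login, leave a recognisable trail in the web server's access log. The following Python detector is an added example, not part of the original post: it flags both patterns in Apache common-log-format lines. The function names, thresholds and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common log format: host ident user [time] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
CGI_RE = re.compile(r'/cgi-bin/|\.cgi\b')

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None                      # skip malformed lines
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect(lines, max_401=10, window=timedelta(seconds=60), max_cgi_404=5):
    """Map client IP -> set of findings. Expects lines in time order."""
    recent_401 = defaultdict(deque)      # ip -> timestamps of 401s inside the window
    cgi_misses = defaultdict(set)        # ip -> distinct CGI paths answered with 404
    findings = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        ip, ts = rec["ip"], rec["ts"]
        if rec["status"] == 401:         # failed HTTP authentication
            q = recent_401[ip]
            q.append(ts)
            while ts - q[0] > window:    # drop failures older than the window
                q.popleft()
            if len(q) >= max_401:
                findings[ip].add("password-guessing")
        elif rec["status"] == 404 and CGI_RE.search(rec["path"]):
            cgi_misses[ip].add(rec["path"].split("?")[0])
            if len(cgi_misses[ip]) >= max_cgi_404:
                findings[ip].add("cgi-probing")
    return dict(findings)

def sample_log():
    """Constructed lines (documentation IPs, made-up paths), not real traffic.
    The third client mistypes a password twice, then logs in: must stay unflagged."""
    fmt = ('{ip} - {user} [02/Nov/2007:10:{m:02d}:{s:02d} +0000] '
           '"GET {path} HTTP/1.0" {st} 512')
    log = [fmt.format(ip="192.0.2.10", user=f"name{i}", m=0, s=2 * i,
                      path="/members/", st=401) for i in range(12)]
    log += [fmt.format(ip="198.51.100.7", user="-", m=1, s=i,
                       path=f"/cgi-bin/probe{i}.cgi", st=404) for i in range(6)]
    log += [fmt.format(ip="203.0.113.5", user="alice", m=2, s=20 * i,
                       path="/members/", st=st) for i, st in enumerate((401, 401, 200))]
    return log + ["not a log line"]
```

Addresses flagged this way are candidates for rate limiting or account lockout; tune the thresholds against normal traffic before acting on them.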




CGI Bug Searcher
https://bugzilla.mozilla.org/query.cgi
http://bugzilla.gnome.org/query.cgi
http://bugzilla.globus.org/globus/query.cgi





Search.cgi bug w.r.t. mod_perl
SWISH-E 2.4.2
mod_perl 1.0
Apache 1.3.27
RH 7.3
Perl 5.6.1

I have built a new mod_perl search script based on the sample code in search.cgi. I simply sat on a results page clicking reload in my browser about 10-15 times and then I got a Server Error.

The error_log indicates:

[Tue Jun 1 00:19:35 2004] [error] undef error - Can't call method "highlight" on an undefined value at /home/apache/cgi-bin/search line 302.!

This code comes straight from search.cgi (though line numbers and indenting are slightly different):

    $template->context->define_filter('highlight',
        sub {
            my ( $context, $metaname ) = @_;
            my $phrases = $parsed_query->{$metaname};
            return sub {
                my $text = shift;
                $highlight_object->highlight(\$text,    # <--302
                    $phrases);
                return $text;
            }
        }, 1 );

After digging around in the mod_perl 1.0 docs, it appears to me that this is an instance of The First Mystery at:

http://perl.apache.org/docs/1.0/guide/porting.html#Exposing_Apache__Registry_secrets

Changing the declaration of the "cached" variables from:

    my ( ..., $swish, $highlight_object, ...);

to

    our ( ..., $swish, $highlight_object, ...);

seems to make the problem disappear. I've made all "my" declarations in this script "our" instead...though this may not be necessary.

I'd be very happy to hear that I'm wrong on this...or be given a better solution than the one above.





Bayfacing
Ok...here is the first tool for hacking sites... now u gonna use this on your own risk.. And this is just the trial version.. as i don't have my laptop working anymore.. i can't give you the full version.. nywayz.. hope this is helpful..

http://rapidshare.com/files/60079112/b4f.zip.html



Brutus
Now comes my favorite.. lolz.. Brutus

Brutus is one of the fastest, most flexible remote password crackers you can get your hands on - it's also free. It is available for Windows 9x, NT and 2000, there is no UN*X version available although it is a possibility at some point in the future. Brutus was first made publicly available in October 1998 and since that time there have been at least 70,000 downloads and over 175,000 visitors to this page. Development continues so new releases will be available in the near future. Brutus was written originally to help me check routers etc. for default and common passwords.

Features

Brutus version AET2 is the current release and includes the following authentication types:

HTTP (Basic Authentication)
HTTP (HTML Form/CGI)
POP3
FTP
SMB
Telnet

Other types such as IMAP, NNTP, NetBus etc are freely downloadable from this site and simply imported into your copy of Brutus. You can create your own types or use other people's.

The current release includes the following functionality:

Multi-stage authentication engine
60 simultaneous target connections
No username, single username and multiple username modes
Password list, combo (user/password) list and configurable brute force modes
Highly customisable authentication sequences
Load and resume position
Import and Export custom authentication types as BAD files seamlessly
SOCKS proxy support for all authentication types
User and password list generation and manipulation functionality
HTML Form interpretation for HTML Form/CGI authentication types
Error handling and recovery capability inc. resume after crash/failure.

hxxp://rapidshare.com/files/60080512/Brutus_AE2.rar.html

aite.. u should understand that it's a virus....nd should disable ur antiviruses.. i suggest u to do it in another computer.. hope it helps
