IT Community Malaysia

Post Info TOPIC: Deface A Website


Smasher Hax

Status: Offline
Posts: 267
Date:
Deface A Website
Permalink  
 


Remote File Inclusion (RFI): A method of uploading a shell by an off-site link.

Local File Inclusion (LFI) AKA Directory traversal attack: A method of pulling usernames and passwords off a website vulnerable to the exploit of insufficient security validation / sanitization of user-supplied input file names.

Blind Structured Query Language Injection (blind SQLI): Method of once again insufficient security validation and sanitization of user-input.

Basic SQLi: This is the easiest method of SQLi. This method allows you to enter codes such as ' or '1'='1 into the username and password fields to gain access. E.g. you find the admin login on a site and you may enter the correct username admin and the password as: ' or '1'='1.

Cross Site Scripting (XSS): A method of injecting html/javascript into a website. These can be both persistent attacks, and non-persistent.

Cross site request forgery (CSRF): An attack that is commonly sent by e-mail or other means and often tricks a user. Links given to a target may include HTML, something like this:
Code:
<img src="http://bank.example/withdraw?account=bob&amount=100&for=mallory" height="1" width="1" border="0">
And this will be activated through the victim's browser and the site will think it was a valid and intentional move.

Public Exploits: Public exploits are just scripts that people have released for others to use. Such as this exploit which exploits a webserver running this program on one of its open ports. I suggest you have a quick look through the script to see how/why it works. The way of finding which software your target is using is by using Nmap or the GUI Zenmap.

DNS hijacking: This is the method of redirecting the domain name to a rogue domain name. This method is used particularly in phishing attacks.

Bruteforcing: This method is the practise of running a program to keep guessing the password and username of a site. This method is fast going out of fashion as the max login attempts are added and even without this obstacle, it can take weeks to gain the correct password. Programs commonly used for this are hydra and Brutus.

Password Guessing: Yes, just as it sounds. This is the method of just guessing common passwords such as:
Code:
admin
admin123
321admin
123
password
toor
thesitesname

Packet Sniffing: If you find a site with FTP access, there may be a chance you can use a tool such as cain and abel to sniff their password and username when they login. Not a very easy task as the traffic is sometimes encrypted.

RCE (Remote Command Execution): This is the method of making the server read commands that you have entered for it to. E.g.
Code:
index.php?cmd=whoami
index.php?cmd=net user

Social Engineering: A common method used to gain information. This can be a long process, but an effective one. They can patch software, but it will always be people's ignorance that will let you/your target down.

Cookie poisoning: This is a method of editing cookies you have already gained, to gain extra privileges. Not a very common method now as of cookies being encrypted, and having to be signed. This exploit can work on some surprising sites, take a look, you may be surprised.

Parameter tampering: An attack usually done by modifying values in the url. E.g. changing a value to decrease the amount you have to pay on something.
Code:
<input type="hidden" id="1008" name="cost" value="70.00">
In this example, an attacker can modify the "value" information of a specific item, thus lowering its cost.
http://indishell.in/board/showthread...eter-Tampering

Tamper Data: A very nifty Firefox addon which is used to modify http/https headers and post parameters.

Admin Auth bypass: This exploit can be as simple as adding:
Code:
?action=edit
To a URL. This exploit is when a server/application allows you to edit by having the valid URL, instead of by cookies. Another method of admin auth bypass is editing the html to proceed even if the password is wrong.

#2 rauf77 (Member, Join Date: Mar 2011, Posts: 80), Yesterday 11:25 AM: good info.keep it up....

#3 master_hacker (Junior Member, Join Date: Apr 2011, Posts: 17), Yesterday 11:30 AM: thanxxx brother



__________________

I am Sharper

ITC - Internet Moderators

Mods Name: KA
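
Added example, not part of the original post: the "Basic SQLi" entry above only works against a login query built by string concatenation, and a bound parameter plus a salted hash check rejects the same input. The table layout, function names and sample password are constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

SAMPLE_PASSWORD = "constructed-sample-password"  # constructed test value


def kdf(password, salt):
    """Salted, slow password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db():
    """Constructed in-memory database holding one 'admin' account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, "
               "salt BLOB, pw_hash BLOB, pw_plain TEXT)")
    salt = os.urandom(16)
    # pw_plain exists only so the weak query below has something to compare.
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               ("admin", salt, kdf(SAMPLE_PASSWORD, salt), SAMPLE_PASSWORD))
    return db


def login_vulnerable(db, name, password):
    # Weak pattern: input is pasted into the SQL text, so a quote character
    # in the input changes the structure of the WHERE clause.
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND pw_plain = '" + password + "'")
    return db.execute(sql).fetchone() is not None


def login_hardened(db, name, password):
    # Bound parameter: the input is only ever treated as a value.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # The password is checked in application code against the salted hash,
    # using a constant-time comparison.
    return hmac.compare_digest(kdf(password, salt), stored)


if __name__ == "__main__":
    db = make_db()
    probe = "' or '1'='1"  # the string quoted in the post above
    print("vulnerable accepts probe:", login_vulnerable(db, "admin", probe))
    print("hardened accepts probe:  ", login_hardened(db, "admin", probe))
    print("hardened accepts real pw:", login_hardened(db, "admin", SAMPLE_PASSWORD))
```
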



Smasher Technophobe

Status: Offline
Posts: 113
Date:
Permalink  
 

oi! no system hacker one.. pls do organize the word..

__________________




Smasher Hax

Status: Offline
Posts: 267
Date:
Permalink  
 

yepp.. thnks..

__________________

I am Sharper

ITC - Internet Moderators

Mods Name: KA



Smasher Technophobe

Status: Offline
Posts: 113
Date:
Permalink  
 

I give u about 3 days to re"organize" the notes. Please consider it as MODS u r.

__________________




Downloader Freak

Status: Offline
Posts: 61
Date:
Permalink  
 

haha..in easy step is

use google dork..find vuln site
then find admin username and password
find admin control panel log in page
upload shell..



__________________

-=[ MESS WITH THE BEST DIE LIKE THE REST ]=-



Smasher Hax

Status: Offline
Posts: 267
Date:
Permalink  
 

nope.. the simple way is... find the vuln, find the pass and user name... using filezilla to upload shell... more expansive...

__________________

I am Sharper

ITC - Internet Moderators

Mods Name: KA



Downloader Freak

Status: Offline
Posts: 61
Date:
Permalink  
 

haha..filezilla
i still doesnt understand how to use it..
sob3 youtube and google not working this time :(

__________________

-=[ MESS WITH THE BEST DIE LIKE THE REST ]=-



Smasher Hax

Status: Offline
Posts: 267
Date:
Permalink  
 

hahaha... study slow slow... heheh

__________________

I am Sharper

ITC - Internet Moderators

Mods Name: KA



Downloader Freak

Status: Offline
Posts: 61
Date:
Permalink  
 

haha..


__________________

-=[ MESS WITH THE BEST DIE LIKE THE REST ]=-



Downloader Freak

Status: Offline
Posts: 60
Date:
Permalink  
 

is there an other way to explain... i cannot understand with many word only... a bit confusing... i wanna try to deface... i had a problem with search admin n password... even with software... aish...


__________________




Smasher Hax

Status: Offline
Posts: 267
Date:
Permalink  
 

study it in here!
http://itcom.activeboard.com/f545713/group-cyber/

__________________

I am Sharper

ITC - Internet Moderators

Mods Name: KA
