
📚 How to hack admin panel of website?


💡 News category: IT Security News
🔗 Source: kalilinuxdojo.com


How To Hack The Website?


  • Information Collection.
  • Vulnerability Analysis of Website.
  • Exploitation of Vulnerability.
  • Run Payload and Remote Control the Website.
Before Hacking The Website

The first step is to gather information about the website: the web server, the programming language and the server-side scripts used to build it.

The next step is to find the admin panel directory of the website. Then find a vulnerability in the admin page and exploit it, either by SQL injection or by uploading a shell to the root directory of the server. This provides complete access to the website database.

Most website databases can be hacked using SQL injection, but some websites have SQL injection prevention code. In such cases, use shell injection.

Once the vulnerability is exploited and root access is gained, run the payload to control the website remotely.

Step 1: Information Gathering and Footprinting


Gathering Information About Website in Windows:


  1. Download and install HTTrack website copier.
  2. Click on the Next button.
  3. A popup will appear to name the project. Assign a suitable project name in the new project name field.
  4. Next, it will ask you where to store the website data. Provide directory to store web data. Hit next.
  5. Enter the URL of website in the web address field and click next.
  6. Now, HTTrack will automatically start copying the data.

Gathering Information About Website in Linux:

In Linux, we use the wget command to copy the entire website offline. Doing this lets us read the whole source code of the website at any time. Besides, we may need to brute-force a web form, and a word list can be built from the target site's own content. So simply use wget:

wget -r www.kalilinuxdojo.com

Information Gathering using Google Dorks


Google is a very powerful search engine. By using Google, we can get almost all the information about the website. Google Dorks will reveal the hidden directory structure of the website.

Some usable Google Dorks:

  • site:www.kalilinuxdojo.com filetype:asp
  • site:www.kalilinuxdojo.com inurl:index.php
  • site:www.kalilinuxdojo.com error
  • site:www.kalilinuxdojo.com admin
  • link:www.kalilinuxdojo.com
  • related:www.kalilinuxdojo.com

Step 2: Find Website Admin Panel Using CPSCAN


Download cpscan from GitHub (https://github.com/susmithHCK/cpscan), or clone it with the command:

# git clone https://github.com/susmithHCK/cpscan.git

After downloading cpscan, open a terminal with root access and type the following command to obtain the admin page of the website:

# python cpscan.py -t kalilinuxdojo.com -v 

Options:

  • -v is for verbose mode.
  • -t target site.

Step 3: Finding Vulnerabilities in the Website.


Once the admin page is located, pentest the website to find its vulnerability and exploit it to gain admin access. To find vulnerabilities from a Windows operating system, use Acunetix, a Windows-based application for pentesting websites developed by a UK-based company. It is still widely used to test web pages for vulnerabilities. Once the location for the attack is known, hackers use this tool to check whether the website is actually vulnerable, since not every site that passes the earlier steps will necessarily be vulnerable to attack.

Once the URL address is entered into the URL bar of this software, the vulnerability can be easily found.

Step 4: SQL Injection to Attack the Vulnerability of the Website


SQL injection is the technique most widely used by hackers for website hacking. It is used by pentesters to safeguard the website from hackers, and vice versa. SQL injection allows an attacker to hack the database of a website.

Some of SQL Injection examples are:

' OR ''='
' OR '1'='1' --
' OR '1'='1' ({
' OR '1'='1' /*
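The payloads above only work where user input is pasted into the SQL text. The following is an added example (not from the original post) that runs two of the listed payloads against a string-concatenated login check and against the parameterized form of the same query, using a constructed in-memory SQLite table.

```python
import sqlite3

# Two of the payloads listed above, exactly as written there.
PAYLOADS = ["' OR ''='", "' OR '1'='1' --"]


def make_db():
    """Constructed sample data: one user in an in-memory table, not from any real site."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Input is glued into the SQL text, so quotes and comments change the query."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Input is bound as data; the query structure is fixed before any value is seen."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def compare(payloads=PAYLOADS):
    """Map each payload to (bypasses vulnerable check?, bypasses parameterized check?)."""
    conn = make_db()
    return {p: (login_vulnerable(conn, "admin", p),
                login_parameterized(conn, "admin", p)) for p in payloads}


if __name__ == "__main__":
    for payload, (vuln, safe) in compare().items():
        print(f"{payload!r:22} concatenated={vuln}  parameterized={safe}")
```

The concatenated check returns True for both payloads with no valid password, while the parameterized check returns False for both and True only for the real credentials.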


Alternatively, an attacker can also use the ‘Havij’ tool. It is available on hacker forums free of cost and comes as an easily usable Windows-style application.

The tasks Havij performs are simply stunning. The simplest one for its users, and the worst for the users of the website, is the one named ‘Get’. It fetches all the information held within the databases of the target website, ranging from usernames and passwords to phone numbers and bank details.

Remote File Inclusion Root Shell


File inclusion is a form of vulnerability frequently found on websites. It allows the attacker to upload a shell to the web server, typically through a script on the web server itself. The vulnerability is due to wrong implementation and missing validation in the code. Below is a chunk of PHP code that opens a file.

<?php
// Opens whatever file name arrives in $file; no validation is performed (the bug being shown).
if (!($hfile = fopen("$file", "r")))
    echo("error: cannot open the file: $file<br />\n");
?>

This example opens the file whose name was supplied in the user input field ($file). That means it opens any file the attacker names, and, if allow_url_fopen is on, even remote files.
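As a defensive counterpart to the $file pattern above, here is an added example (not from the original post) that applies, in Python, the checks a hardened version of that code needs: refuse anything with a URL scheme (the remote case that allow_url_fopen enables), refuse directories and traversal, allow only an expected extension, and confirm the resolved path stays inside one base directory. The base directory is an assumed placeholder.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import urlsplit

# Assumed placeholder: the only directory from which page files may be read.
BASE_DIR = Path("/var/www/pages")
ALLOWED_SUFFIXES = {".html", ".txt"}


def resolve_page_file(user_value: str, base_dir: Path = BASE_DIR) -> Optional[Path]:
    """Return a path under base_dir for an acceptable name, or None to reject it."""
    # Empty names and NUL bytes are rejected outright.
    if not user_value or "\x00" in user_value:
        return None
    # Anything with a URL scheme (http://, ftp://, ...) is a remote-include attempt.
    if urlsplit(user_value).scheme:
        return None
    # Only a bare file name is accepted: no directories, no '..', no trailing slash.
    name = Path(user_value).name
    if name != user_value or name in (".", ".."):
        return None
    # Only the extensions this page type is expected to serve.
    if Path(name).suffix not in ALLOWED_SUFFIXES:
        return None
    # Final containment check on the resolved path (defence in depth).
    candidate = (base_dir / name).resolve()
    try:
        candidate.relative_to(base_dir.resolve())
    except ValueError:
        return None
    return candidate


def classify(values):
    """Constructed inputs -> 'allowed' or 'rejected', for a quick review table."""
    return {v: ("allowed" if resolve_page_file(v) else "rejected") for v in values}


if __name__ == "__main__":
    # Constructed sample inputs, including the two cases the text warns about.
    for value, verdict in classify(["about.html", "../../etc/passwd",
                                    "http://example.invalid/shell.txt",
                                    "shell.php"]).items():
        print(f"{value!r:36} {verdict}")
```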
