How to hack Web Server

2
1765

What we will need

  • A target www.techpanda.org
  • Bing search engine
  • SQL Injection tools
  • PHP Shell, we will use dk shell http://sourceforge.net/projects/icfdkshell/

Information gathering

We will need to get the IP address of our target and find other websites that share the same IP address.

We will use an online tool to find the target’s IP address and other websites sharing the IP address

IMG_20160813_190914

  • Enter the URL http://www.yougetsignal.com/tools/web-sites-on-web-server/ in your web browser
  • Enter www.techpanda.org as the target
  • Click on Check button
  • You will get the following results

 

IMG_20160813_191231

 

 

Based on the above results, the IP address of the target is 69.195.124.112

 

We also found out that there are 403 domains on the same web server.

 

Our next step is to scan the other websites for SQL injection vulnerabilities. Note: if we can find a SQL vulnerable on the target, then we would directly exploit it without considering other websites.

 

Enter the URL www.bing.com into your web browser. This will only work with bing so don’t use other search engines such as google or yahoo

Enter the following search query

ip:69.195.124.112 .php?id=

 

HERE,

  • “ip:69.195.124.112” limits the search to all the websites hosted on the web server with IP address 69.195.124.112
  • “.php?id=” search for URL GET variables used a parameters for SQL statements.

You will get the following results

 

IMG_20160813_191145

 

As you can see from the above results, all the websites using GET variables as parameters for SQL injection have been listed.

 

The next logic step would be to scan the listed websites for SQL Injection vulnerabilities. You can do this using manual SQL injection or using tools listed in this article on SQL Injection.

 

Uploading the PHP Shell

We will not scan any of the websites listed as this is illegal. Let’s assume that we have managed to login into one of them. You will have to upload the PHP shell that you downloaded fromhttp://sourceforge.net/projects/icfdkshell/

  • Open the URL where you uploaded the dk.php file.
  • You will get the following window
  •                                 IMG_20160813_191003
  • Clicking the Symlink URL will give you access to the files in the target domain.

Once you have access to the files, you can get login credentials to the database and do whatever you want such as defacement, downloading data such as emails etc.

 

This Post is Strictly for EDUCATIONAL PURPOSES. Don’t use in bad manner. It can be a punishable offence.

NOTE:- some tricks may not work due to fixture of bugs of servers.

2 COMMENTS

  1. I see your blog needs some fresh & unique articles. Writing manually is time-consuming, but there is a solution for this.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.