hacking in 5 minutes

Upload: xxkallistaxx

Post on 07-Apr-2018

  • 8/3/2019 Hacking in 5 Minutes

    Resistance Anonymous quick start guide to hacking.

    Greetings Anons, my name is Daniel and I am a computer systems engineer with expertise in both hardware and software. This guide is to give you a very basic overview of how hackers work and the basic exploits they do. If you are interested please PM me on Facebook and ask me for links to getting started.

    So let's take a look at the common vulnerabilities:

    As you can see, the common ones are SQLi (SQL Injection) and XSS (Cross-Site Scripting), followed by malicious file execution as part of the unknown category. So let's get started...

    XSS

    For the purpose of this demonstration we are going to use an XSS training website. This is a specially designed site where you can test out exploits: http://testasp.vulnweb.com/search.asp

    Ok, so let's start.

    In this case we are going to test if the site is vulnerable. For this we simply inject a little JavaScript. In the search box, type in the following:

    alert('this site is vulnerable');

    Ok, so what happened? Well, we injected code into the website and made the webpage process that code. It was output as a JavaScript alert box. Now that we know we can inject code into the site, let's get more technical.

    Let's input an HTML form through which we can POST variables into the site. Enter the following into the search box:



    Anonymous login:Login:Password:

    Well, here we simply inject a form in HTML that the webpage then displays. From here we can post variables to the underlying PHP code and even access, update or remove entries from the database as well as the server files. And there you have it, simple XSS in 5 minutes!

    You should also note that the URL uses a default $_GET function to also display variables. The URL can be manipulated in much the same way. Now at this point I am expecting you to have a little knowledge of coding. When PHP gets variables from HTML it does so by identifying the

    So now we have the ability to manipulate PHP and SQL. So in this case I managed to do a defacement on this page by updating the database. Everyone that loads this page up will now view my image by using the tag and I have managed to spread the #AntiSec movement further.

    There are many arguments that can be passed in XSS, and this is its simplest form. The more advanced XSS techniques rely on running pre-written scripts from a server owned by you, sometimes even telling the code to download files or directories from the root server. There is theoretically no limit to what XSS can do if you can pull it off properly.

    SQL Injection

    SQL Injection is a form of attack on websites that uses the power of SQL. SQL is a database language that has the power to store and retrieve data, very much like an Excel spreadsheet.

    With SQLi we can pass many arguments into the code. So let's get started. This is the PHP code that normally runs a webpage:

    The webpage will look something like this:

    The code has been told to select all entries in the database where the first name is equal to the name in the input field (in this case Peter) and display them in a table.

    So how do we exploit this? Well, the answer lies in these statements:

    $Name = $_POST['login'] ;

    $sql = "SELECT * FROM members WHERE FirstName=$Name";

    The $Name variable is the value of whatever name is input into the textbox. For our test we input the name Peter. But for an SQL injection to work we need to populate this field with code. So let's get started...

    Since the value in the original was Peter, this is how the code looks in plain text.

    $sql = "SELECT * FROM members WHERE FirstName=Peter";

    If we were to input this as a username: or '1'='1

    then the code (in plaintext) will look like this:

    $sql = "SELECT * FROM members WHERE FirstName= ' or '1'='1";

    As it reads now, the code selects the values from the database where 1 is equal to 1. Because 1 is always equal to 1, it will select everything from the database and output it.
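
    From the defender's side, the query above stops being injectable once the input is bound as a parameter instead of being pasted into the SQL string. The following is an added example, not code from the original guide: it assumes PHP with the pdo_sqlite extension, a constructed members table and a hypothetical 64-character length limit, and it quotes the value in the concatenated query (the guide's line omits the quotes).

```php
<?php
// Added example: constructed data in an in-memory SQLite database.
// Assumes the pdo_sqlite extension; table and column names follow the guide's query.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE members (FirstName TEXT, LastName TEXT)");
$db->exec("INSERT INTO members VALUES
           ('Peter', 'Example'), ('Alice', 'Sample'), ('Bob', 'Constructed')");

// Pattern from the guide: the input becomes part of the SQL text itself.
function lookupConcatenated(PDO $db, string $name): array
{
    $sql = "SELECT * FROM members WHERE FirstName='$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the SQL text is fixed and the input is bound as a value,
// so quote characters in it are compared literally, never parsed as SQL.
function lookupPrepared(PDO $db, string $name): array
{
    if (strlen($name) > 64) {   // hypothetical length limit for a first name
        return [];
    }
    $stmt = $db->prepare("SELECT * FROM members WHERE FirstName = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Second value is the input quoted in the guide.
$inputs = ['Peter', "' or '1'='1"];
foreach ($inputs as $input) {
    printf("%-14s concatenated=%d rows, prepared=%d rows\n",
        $input,
        count(lookupConcatenated($db, $input)),
        count(lookupPrepared($db, $input)));
}
```

    With the bound parameter the second input is searched for as a literal first name, so the row count for it is a quick regression check after converting a query.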

    For further info please visit http://pastebin.com/uBhCjT4X

    This has been your guide on XSS and SQLi in 5 minutes. Join me next time when I give you a brief introduction to Brute Force hacking, FTP hacking and malicious file execution.

    We are Anonymous

    We are Legion

    We do not forgive

    We do not forget

    Expect us...