Category : Web Security
Basically website exploitation is breaking into a site to do what you want. Sometimes you want to upload a file to a server, overwrite files on a server, get user data, or just Mess the website up.
The way to make the most out of a web server or site, is to secretly extract user data, possibly including admin information, and then doing what you need. You can do so much with an Admin account!
Arbitrary File Upload - Arbitrary File uploading is a very easy, and common exploit. It's exploited by finding a page that allows you to upload a file without having to have any permissions. This is just caused by poor server management. You can easily prevent arbitrary file uploads by restricting access to your upload pages. I found that most wordpress sites are vulnerable to this exploit!
SQLi - SQLi is manipulating a website to communicating with a SQL database and getting it to leak information. SQLi is great for extracting user information, as you're directly communicating with a database.
XSS - XSS stands for Cross-Site-Scripting. Essentially, XSS is manipulating a text field on a webpage to execute Java Script. There are 2 types of XSS; Persistent, and non persistent. Persistent XSS is where the Java code is published to the website and anyone who views the exploited page is vulnerable. Non-persistent XSS is where you can execute Java from a text box, but it doesn't stay on the page.
LFI & RFI - Local, and Remote file Inclusion attacks are preformed by tricking a webserver to display a page that isn't supposed to be displayed on the website. Example: the psswd file of a webserver. This file holds information that could give the attacker access to the webserver.
There's many, many many more ways to hack a webserver, but these are a few of the basic methods.
Shelling is a common term used to explain uploading a file, or shell to a website. A shell is a file that contains a (PHP, Perl, C, Python, ect, ect). Shells are usually like a RAT, but for a web server. It gives the attacker access to the Command Line, lets them browse all the files on the server, and displays crucial data. There are many many different kind of shells available.
One of the downfalls to shelling a site is if the webmaster notices the shell on the website they can easily remove it. Keep in mind many shells are ineffective if you do not have Root access to the server.
Rooting is gaining root access to a server. Root is the linux version of Admin. The root account has control over everything on the server and can do pretty much anything.
After you shell your first site you'll probably ask yourself what should you do wit h it, and you'll want to know if you can profit off of it. Firstly, yes you can profit from that. If you're feeling like a good guy you could always report the vulnerability to the website's webmaster and ask for a reward. If you're feeling a little black hat you could always upload advertisements on the website, use the site for a booter, or just use it at storage. Just think. A webserver is a computer. Shelling a server is giving you remote access to a computer not too different than what you're using right now. Your imagination is the limit!
Proudly Operated from India
© 2016 Copyrights. All Rights Reserved