Skip to main content

6 Ways to Hack or deface Websites Online

By

Hello friends , today i will explain all the methods that are being used to hack a website or websites database. This is the first part of the hacking websites tutorial where i will explain in brief all methods for hacking or defacing websites. Today I will give you the overview and in later tutorials we will discuss them one by one with practical examples. So guys get ready for first part of Hacking websites class.... Don't worry i will also tell you how to protect your websites from these attacks and other methods like hardening of SQL and hardening of web servers and key knowledge about CHMOD rights that what thing should be give what rights...

 Note : This post is only for Educational Purpose only.


ways to hack websites, hacking websites

What are basic things you should know before website hacking?
First of all everything is optional as i will start from very scratch. But you need atleast basic knowledge of following things..
1. Basics of HTML, SQL, PHP.
2. Basic knowledge of Javascript.
3. Basic knowledge of servers that how servers work.
4. And most important expertize in removing traces otherwise u have to suffer consequences.
Now First two things you can learn from a very famous website for basics of Website design with basics of HTML,SQL,PHP and javascript.

 And for the fourth point that you should be expert in removing traces. I will explain this in my future articles. So keep reading.. or simply subscribe my posts..

As we know traces are very important. Please don't ignore them otherwise you can be in big trouble for simply doing nothing. so please take care of this step.
METHODS OF HACKING WEBSITE:
1. SQL INJECTION
2. CROSS SITE SCRIPTING
3. REMOTE FILE INCLUSION
4. LOCAL FILE INCLUSION
5. DDOS ATTACK
6. EXPLOITING VULNERABILITY.

 1. SQL INJECTION
First of all what is SQL injection? SQL injection is a type of security exploit or loophole in which a attacker "injects" SQL code through a web form or manipulate the URL's based on SQL parameters. It exploits web applications that use client supplied SQL queries.
The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed. A less direct attack injects malicious code into strings that are destined for storage in a table or as metadata. When the stored strings are subsequently concatenated into a dynamic SQL command, the malicious code is executed.
2. CROSS SITE SCRIPTING
Cross site scripting (XSS) occurs when a user inputs malicious data into a website, which causes the application to do something it wasn’t intended to do. XSS attacks are very popular and some of the biggest websites have been affected by them including the FBI, CNN, Ebay, Apple, Microsft, and AOL.Some website features commonly vulnerable to XSS attacks are:
• Search Engines
• Login Forms
• Comment Fields

Cross-site scripting holes are web application vulnerabilities that allow attackers to bypass client-side security mechanisms normally imposed on web content by modern browsers. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user. Cross-site scripting attacks are therefore a special case of code injection.

3. REMOTE FILE INCLUSION
Remote file inclusion is the most often found vulnerability on the website.
Remote File Inclusion (RFI) occurs when a remote file, usually a shell (a graphical interface for browsing remote files and running your own code on a server), is included into a website which allows the hacker to execute server side commands as the current logged on user, and have access to files on the server. With this power the hacker can continue on to use local
exploits to escalate his privileges and take over the whole system.
RFI can lead to following serious things on website :
  • Code execution on the web server
  • Code execution on the client-side such as Javascript which can lead to other attacks such as cross site scripting (XSS).
  • Denial of Service (DoS)
  • Data Theft/Manipulation


4. LOCAL FILE INCLUSION 
Local File Inclusion (LFI) is when you have the ability to browse through the server by means of directory transversal. One of the most common uses of LFI is to discover the /etc/passwd file. This file contains the user information of a Linux system. Hackers find sites vulnerable to LFI the same way I discussed for RFI’s.
Let’s say a hacker found a vulnerable site, www.target-site.com/index.php?p=about, by means of directory transversal he would try to browse to the /etc/passwd file:
www.target-site.com/index.php?p= ../../../../../../../etc/passwd
5. DDOS ATTACK
Simply called distributed denial of service attack. A denial-of-service attack(DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. In DDOS attack we consumes the bandwidth and resources of any website and make it unavailable to its legitimate users.
6.EXPLOTING VULNERABILITY
Its not a new category it comprises of above five categories but i mentioned it separately because there are several exploits which cannot be covered in the above five categories. So i will explain them individually with examples. The basic idea behind this is that find the vulnerability in the website and exploit it to get the admin or moderator privileges so that you can manipulate the things easily.
Labels:

Comments

Post a Comment

share your thoughts ....

Popular posts from this blog

Track Lost Android Phone and Tablet

By
1. Use the IMEI Number Every Android phone carries a unique IMEI number. It will be printed at the back of your device. If you are unable to find the number, you have to launch your phone app and dial the number *#06#. This will give you the IMEI number of your phone. Store this number in a safe place so that it helps you in locating your phone when it is lost 2 Android Device Manager Google has recently released a new locator feature for Android gadgets called Android Device Manager, which helps its users locate their lost or stolen phones and tablets. It functions in the same way as Lookout and Samsung’s “Find My Mobile”. Here’s how to use Android Device Manager. Go to the Google Settings app, then select Android device manager. By default, the locator feature is activated but to activate remote data wipe, select the box next to “Allow remote factory reset”, then select “activate”. To use this feature, open the site https://www.google.com/android/devicemanager and sig...
Post a Comment
Read more

DOWNLOAD CODE BLOCKS 16.01 MINGW.SETUP .EXE 86.3 MB

By
Code::Blocks for Mac is a free C, C++ and Fortran IDE that has a custom build system and optional Make support. The application has been designed to be very extensible and fully configurable. Code::Blocks is an IDE packed full of all the features you will need. It has a consistent look, feel and operation across its supported platforms. It has been built around a plugin framework, therefore Code::Blocks can be extended with plugins. Support for any kind of functionality can be added by installing/coding a plugin. Key features include: Written in C++. No interpreted languages or proprietary libs needed.. Full plugin support. Multiple compiler support: GCC (MingW / GNU GCC), MSVC++, clang, Digital Mars, Borland C++ 5.5, and Open Watcom etc. Support for parallel builds. Imports Dev-C++ projects. Debugger with full breakpoints support. Cross-platform. Code::Blocks' interface is both customizable and extensible with Syntax highlighting, a tabbed interface, Class Br...
1 comment
Read more

8 Tools to Track Registry and File Changes by installing a software

By
1.  Regshot unicode Regshot is a long running utility that can quickly take a before and after snapshot of the system registry. Also in the more recent unicode version it’s gained the ability to monitor for file changes using CRC32 and MD5 file checksums although this function is turned off by default and you have to go to File -> Options -> Common Options -> and tick “Check files in the specified folders” to enable it. Only the Windows folder is entered into the list of watched folders so you have to enter any others yourself through the Folders tab. This version also added the Connect to remote registry option. Regshot is very much a “hands on” utility and is more for experienced or advanced users to quickly check for system changes between two different points in time. Simply create the 1st shot, install the software or run the program you want to watch, and then press 2nd shot. After comparing the differences in the 1st and 2nd shots, it will open an HTML log ...
1 comment
Read more

13 websites to register your free domain

By
Register your Free Domain Now!! 1)  .tk Dot TK is a FREE domain registry for websites on the Internet. It has exactly the same power as other domain extensions, but it’s free! Because it’s free, millions of others have been using .TK domains since 2001 – which makes .TK powerful and very recognizable.  Your website will be like www.yourdomainname.tk . It is free for 1 year. It’s a ccTLD domain whixh having the abbreviation  Tokelau. To create a .tk domain, Visit   www.dot.tk 2) co.cc Co.cc is completely free domain which is mostly used by blogspot bloggers because of it’s easy to use DNS system. Creating a co.cc for blogger is simple ( for instructions- “click here”). Your website will be like www.yourdomainname.co.cc . To create a .co.cc domain, visit www.co.cc 3)   co.nr co.nr is too like co.cc. Your website will be like  www.yourdomainname.co.nr . You can add it for blogger also.. To create a .co.cc domain, vi...
Post a Comment
Read more

Bypass Online Surveys to Download a File

By
Pop Up windows by Fileice or Sharecash If you have Seen this Type of window before Downloading any file then you are welcome to give a read to this article.You will know that why you should not  download this  file or if you really want to download it without performing any real  online survey  then How to do it.Also see :  How to Make Money with PPD sites Without any Blog Note : I don’t Download anything From any PPD(Pay per Download) sites as most of the Downloads does not work and there are many More Other methods to get a File from Internet (Eg. Torrent ).So First thing I’ll Suggest you that Do not download anything from Fileice.net and Sharecash.org as they are not worthy of your countless seconds. So If you are not satisfied by my above mentioned Statement then I have some Tips/Tricks for you by which you can Bypass  Online Surveys  for Downloading a File.It is whether Fileice or Sharecash.I have found these trick and Tips on Go...
Post a Comment
Read more

FIXED : Google adsense error in inserting code to blog throwing error Attribute name "async" associated with an element type "script" must be followed by the ' = ' character

By
Error - Asynchronous adsense code in HTML just add ='async' between async and src of your code ... let say my code for adsense is < script async src = 'http://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js' ></ script > then do the following...... < script async = 'async' src = 'http://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js' ></ script > notice the difference this is how you can add that error and display the google ads ..
Post a Comment
Read more

Google Sheet/Google form Script to send automated Email to users

By
Well many of us want to send especially bloggers sometimes want to send automated replies to user 's ..but as usual, not everyone is a code geek or lovers ... so this is a small guide to How to use Google form with Google sheet to make an automated reply link....so follow the steps accordingly. STEP 1: GOTO google Forms ... and create a form ... in my case I just take users email id and how do they get to my site. 1. GOTO   https://docs.google.com/forms?usp=mkt_forms 2. login with your account. now choose blank form. 3. in Form title write your forms name, for example, let say my form. 4. in Form description write the description let say  A simple form ... 5. now go to setting and in general tab, check collect email address. and  click on save 6. (optional) you can also ask some basic question 7. now goto responses tab now click on create new spreadsheet button. (that green icon ..) in select response, destination cho...
1 comment
Read more

Java Program to print integers you have input through console using BufferedReader and StringTokenizer

By
import java.util.*; import java.io.*;   class Buf_R_Str_Token{      public static void main(String args[]) throws IOException{          BufferedReader b_r = new BufferedReader( new InputStreamReader(System.in));          String str = b_r.readLine();                     StringTokenizer st = new StringTokenizer(str, "," );                     String item;          try {              while ((item = st.nextToken()) != null ){                  System.out.print( " " + item);      ...
Post a Comment
Read more

Download Complete Websites For Offline Access

By
there  are the various tool available on the internet to download a complete site .. with the following tool you can download a complete site or a particular section of a site: 1.Internet Download manager : In the internet download manager, you can use Site Grabber option to download a site. this is what I mostly use ..some other alternatives are. Getleft Getleft   has a new, modern feel to its interface. Upon launch, press   “Ctrl + U”   to quickly get started by entering an URL and save directory. Before the download begins, you’ll be asked which files should be downloaded. We are using Google as our example, so these pages should look familiar. Every page that’s included in the download will be extracted, which means every file from those particular pages will be downloaded. Once begun, all files will be pulled to the local system like so: DOWNLOAD GETLEFT PageNest DOWNLOAD PAGENEST Cyotek WebCopy ...
Post a Comment
Read more

how to implement adding of numbers in PROLOG

By
write a knowledge base add.pl with the following rules: // for two variables  sum(X,Y):-     S is X+Y,    write('sum of '),write(X),write('and '),write(Y),write('is ='),write(S). add:-     write_ln('Enter the first number:-'),     read(First),     write_ln('Enter second number:-'),     read(Second),     S is First+Second,      write('sum of '),write(First),write('and '),write(Second),write('is ='),write(S). now we can close this windows and in the main WINDOW either type  ['add.pl']. or consult the add.pl file. now you can call this funcation via two ways :- ?- sum(5,44). it will give output as  sum of 5 and 44 is 49 or you can call via  add. Enter the first number . :| 45. Enter the second Number . :| 45. sum of 45 and 45 is equal to 90. note i have used sum:- instead of add:- so i ha...
Post a Comment
Read more