This article records how I hacked a website.

DON’T DO ANYTHING BAD!

1. Gathering more and more information

Google is a very useful tool; making good use of Google hacking may yield twice the result with half the effort. Some significant search syntaxes are as follows:

I found a target by using:

It was an admin's login page. Then we need to find this website's IP, usually in one of these two ways:

  • ping
  • whois

Next, use nmap to find more info about this website:

Only port 80 was open. In general, more open ports mean more potential security vulnerabilities. For this website, we can only attack its HTTP server.

2. Preliminary test

Enter admin' in the input box, and it returned this page:

This means that the website is vulnerable to SQL injection.

Then use Burp Suite to run some basic tests:

This found some interesting test results: the string ' or 1=1 or ''=' returned a response of a different length. Test this string:

Wow~ successful login! We can modify other users' passwords:

But... it is not finished yet.
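Why that string logs in, and what stops it, as an added example that is not code from the tested site or from this post: it assumes a hypothetical users table and a login query built by string concatenation, and compares it with a parameterized query using Python's sqlite3.

```python
import sqlite3

PAYLOAD = "' or 1=1 or ''='"   # the string tested in the post

def make_db():
    # Constructed sample data; a real application would store a password hash.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db

def login_concat(db, name, password):
    """Vulnerable form: input is pasted into the SQL text."""
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return None  # broken SQL syntax, e.g. from a lone quote in the input

def login_param(db, name, password):
    """Hardened form: placeholders keep input as data, never as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    for name in ("admin'", PAYLOAD, "admin"):
        print(repr(name), login_concat(db, name, "x"), login_param(db, name, "x"))
```

With concatenation the WHERE clause becomes name = '' or 1=1 or ''='' AND password = 'x', which is true for every row; with placeholders the same input is just a user name that matches nothing.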

3. Further penetration testing

Save the POST request to post.txt through Burp's proxy, and run sqlmap:

Boom… found its table name: adminid. Continue:

Finally:

Haha.. the admin's ID and password were out~

It's just for fun; please don't do anything bad~!

 
