This page has been robot translated, sorry for typos if any. Original content here.

A complete guide to deface (updated)

I often see the question on the forum: "How to break sites?" or "How to define a site?". Today you will be able to defice the portal without putting a drop of effort! I invite all lovers of easy prey! =)

Main part
Today I will talk about how defaults of various sites are made, through errors in popular scripts. A serious security hole was recently discovered in the popular phpBB engine.
A vulnerability was discovered in the viewtopic.php module.

The fact is that a remote attacker could execute an arbitrary php script on a vulnerable system by transferring something like the line viewtopic.php? T = 1 & highlight =% 27

As you have probably guessed, this vulnerability allows you to execute arbitrary commands of any length on a vulnerable server. Today we will use this hole, and together with you we will break a real-life server. Our goal will be precisely a deface, that is, the replacement of the main page of the site with ours.

So let's start, our victim will be (at the time of publication of the article, the portal is resistant to vulnerability).
The first thing that strikes us when visiting this page is that it is based on the portal system php-nuke.

The default forum for this system is phpBB. We click on the link that leads us to the forum ( and make sure that it is phpBB version 2.0.6 .

We give the forum a request of this type:е = viewtopic.php&t=2&highlight=%27.$poster=`$ls`.%27&l s =

and we find out that the engine has absorbed the line, which is indicated by the characteristic inscription instead of the nickname of one of the users: ") #i". But this does not mean anything, we can easily break off the execution of commands on this server, but we will not guess and just try to execute it:е=viewtopic.php&t=2&highlight=%27.$poster=`$ls`.%27&l s = pwd

This command (pwd) should show us the directory in which we are now, if this happens, then it follows that the execution of commands on the server is possible. This is what happens. Directory path / var / www / html / osclux / is displayed. The next command follows “id” to check our access.

As we see, we have uid = 99 (nobody) rights, that is, web server rights. Now we list the folders and files in the html_public directory, with the command "dir / var / www / html / osclux" and find out what we need so much for defeys index.php lies in this directory.

So, we are at the finish line - by running the command echo Hacked by vasya> index.php , we will display the inscription “Hacked by vasya” on the main page. We are checking. Happened.

You made a deface.

Instead of conclusion
This is the simplest way deface was conducted, this is how the forum on was broken. I also note that this is the simplest implementation of this hole. Under good conditions, you can easily upload a perl script to a server listening to a specific port and get a full-fledged shell with nobody rights.