This page has been robot translated, sorry for typos if any. Original content here.

Complete guide to deface (updated)

I often see the question on the forum: "How to break down the sites?" or "How to redevelop the site?". Today you will be able to defect the portal without putting any effort! All lovers of easy prey I invite! =)

Main part
Today I will talk about how to make the differences of various sites, through errors in popular scripts. Recently, a serious security hole was discovered in the popular phpBB engine.
The vulnerability was detected in the module viewtopic.php

The point is that the remote attacker could execute an arbitrary php script on the vulnerable system when passing about such a line viewtopic.php? T = 1 & highlight =% 27

As you probably already guessed, this vulnerability allows you to execute arbitrary commands of any length on a vulnerable server. Today we will use this hole, and together with you we will break the real server. Our goal will be precisely the deface, that is, the replacement of the main page of the site with ours.

So, let's start, our victim will be (at the time of publication, the portal is resistant to vulnerability).
The first thing that catches our eye when visiting this page is that it is built on the basis of the portal system php-nuke.

By default, phpBB is the forum in this system. We click on the link that leads us to the forum, (е=index.php) and make sure that this is phpBB version 2.0.6 .

We pass the following query to the forum:е=viewtopic.php&t=2&highlight=%27.$poster=`$ls`.%27&l s =

and find that the engine has absorbed the line, as evidenced by the characteristic inscription instead of the nickname of one of the users: ") #i". But this does not mean anything, we can easily break off the execution of commands on this server, but we will not guess and just try to execute it:е=viewtopic.php&t=2&highlight=%27.$poster=`$ls`.%27&l s = pwd

This command (pwd) should show us the directory in which we are now, if this happens, then it follows that the execution of commands on the server is possible. This is what happens. The path of the / var / www / html / osclux / directory is displayed. The next command is "id" to test our access.

As we see the rights we have uid = 99 (nobody) , that is, the rights of the web server. Now we display the listing of folders and files in the html_public directory, using the command "dir / var / www / html / osclux" and find that the index.php we need for this deface lies in this directory.

So, we are on the finish line - by executing the command echo Hacked by vasya> index.php , we will display the main page with the inscription "Hacked by vasya". Checking. Happened.

You made a deface.

Instead of concluding
It was in such a simple way that the was defaced, that's how the forum on was broken. I also note that this is the simplest implementation of this hole, under good conditions, you can easily flood it onto a server listening to a specific port, a script on a pearl, and get a full shell with nobody rights.