Pentest Tutorials

COMMON METHODS USED FOR WEBSITE HACKING

This topic contains 0 replies, has 1 voice, and was last updated by  finox 7 years, 9 months ago.


    finox

    Remote File Inclusion or RFI
    SQL injection
    Cross site scripting or XSS
    Local file inclusion or LFI
    Directory Traversal attack

    RFI:
    RFI stands for Remote File Inclusion and it allows the attacker to upload a custom coded/malicious file on a website or server using a script. The vulnerability occurs due to the use of user-supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file, but depending on the severity it can lead to, to list a few:

    Code execution on the web server
    Code execution on the client side, such as JavaScript, which can lead to other attacks such as cross site scripting (XSS).
    Denial of Service (DoS)
    Data Theft/Manipulation

    Local File Inclusion:
    Local File Inclusion is known as LFI. It is the same as RFI.

    SQL injection:
    A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.

    By doing this you can get the admin ID and password. After getting the username and password, you can access the admin control panel and change the website details or do whatever you like.
    For more details, read these articles:
    What is SQL Injection?
    Implementation of SQL Injection

    Cross site scripting or XSS:

    It is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites was roughly 80% of all security vulnerabilities documented by Symantec as of 2007. Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site, and the nature of any security mitigations implemented by the site’s owner.

    Directory Traversal attack
    A directory traversal (or path traversal) exploits insufficient security validation/sanitization of user-supplied input file names, so that characters representing “traverse to parent directory” are passed through to the file APIs.

    The goal of this attack is to order an application to access a computer file that is not intended to be accessible. This attack exploits a lack of security (the software is acting exactly as it is supposed to) as opposed to exploiting a bug in the code.

    Directory traversal is also known as the ../ (dot dot slash) attack, directory climbing, and backtracking. Some forms of this attack are also canonicalization attacks.
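
An added example, not part of the original post: the directory traversal description above shown from the defender's side, with the pattern that passes a user-supplied name straight to the file API next to a check that canonicalizes the path first and then requires it to stay inside the base directory. The function names, directory layout and sample inputs are assumptions constructed for this illustration.

```python
import os
import tempfile
from pathlib import Path


def naive_join(base: str, user_name: str) -> str:
    """Vulnerable pattern: the user-supplied name goes straight to the file API."""
    return os.path.join(base, user_name)


def safe_resolve(base: str, user_name: str) -> Path:
    """Canonicalize first, then require the result to stay inside base."""
    root = Path(base).resolve()
    if "\x00" in user_name:
        raise ValueError("NUL byte in file name")
    # resolve() collapses ".." segments and follows symlinks, so the
    # containment check runs on the path the OS would really open.
    candidate = (root / user_name).resolve()
    # Compare path components, not string prefixes, so a sibling such as
    # "public2" is not mistaken for a child of "public".
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"path escapes base directory: {user_name!r}")
    return candidate


def check_all(names):
    """Return {name: bool}: whether safe_resolve accepts each name."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "public")  # hypothetical web root
        os.makedirs(os.path.join(base, "docs"))
        Path(base, "docs", "a.txt").write_text("ok")
        Path(tmp, "secret.txt").write_text("private")
        for name in names:
            try:
                safe_resolve(base, name)
                results[name] = True
            except ValueError:
                results[name] = False
    return results


# Constructed sample inputs (not taken from the post).
SAMPLES = ["docs/a.txt", "docs/../docs/a.txt", "../secret.txt",
           "docs/../../secret.txt", "../public2/x.txt", "/etc/hostname"]

if __name__ == "__main__":
    for name, ok in check_all(SAMPLES).items():
        print(f"{name!r:28} -> {'allowed' if ok else 'rejected'}")
```

The check runs on the resolved path rather than on the raw string, which is why a name containing `..` that still ends up inside the base directory is allowed while every escaping form is rejected.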
