Common methods to hack a website


Gone are the days when website hacking was a sophisticated art. Today any body can access through the Internet and start hacking your website. All that is needed is doing a search on google with keywords like “how to hack website”, “hack into a website”, “Hacking a website” etc. The following article is not an effort to teach you website hacking, but it has more to do with raising awareness on some common website hacking methods.



SQL Injection involves entering SQL code into web forms, eg. login fields, or into the browser address field, to access and manipulate the database behind the site, system or application.
When you enter text in the Username and Password fields of a login screen, the data you input is typically inserted into an SQL command. This command checks the data you've entered against the relevant table in the database. If your input matches table/row data, you're granted access (in the case of a login screen). If not, you're knocked back out.


In its simplest form, this is how the SQL Injection works. It's impossible to explain this without reverting to code for just a moment. Don't worry, it will all be over soon.
Suppose we enter the following string in a User name field:

' OR 1=1 double-dash-txt.png
The authorization SQL query that is run by the server, the command which must be satisfied to allow access, will be something along the lines of:
SELECT * FROM users WHERE username = ‘USRTEXT '
AND password = ‘PASSTEXT
…where USRTEXT and PASSTEXT are what the user enters in the login fields of the web form.
So entering `OR 1=1 — as your username, could result in the following actually being run:
SELECT * FROM users WHERE username = ‘' OR 1=1 — 'AND password = '’
Two things you need to know about this:
['] closes the [user-name] text field.
'double-dash-txt.png' is the SQL convention for Commenting code, and everything after Comment is ignored. So the actual routine now becomes:
SELECT * FROM users WHERE user name = '' OR 1=1
1 is always equal to 1, last time I checked. So the authorization routine is now validated, and we are ushered in the front door to wreck havoc.
Let's hope you got the gist of that, and move briskly on.
Brilliant! I'm gonna go hack me a Bank!
Slow down, cowboy. This half-cooked method won't beat the systems they have in place up at Citibank,
evidently


But the process does serve to illustrate just what SQL Injection is all about — injecting code to manipulate a routine via a form, or indeed via the URL. In terms of login bypass via Injection, the hoary old ' OR 1=1 is just one option. If a hacker thinks a site is vulnerable, there are cheat-sheets all over the web for login strings which can gain access to weak systems. Here are a couple more common strings which are used to dupe SQL validation routines:
username field examples:
  • admin'—
  • ') or ('a'='a
  • ”) or (“a”=”a
  • hi” or “a”=”a
… and so on.

Cross site scripting ( XSS ):

Cross-site scripting or XSS is a threat to a website's security. It is the most common and popular hacking a websiteto gain access information from a user on a website. There are hackers with malicious objectives that utilize this to attack certain websites on the Internet. But mostly good hackers do this to find security holes for websites and help them find solutions. Cross-site scripting is a security loophole on a website that is hard to detect and stop, making the site vulnerable to attacks from malicious hackers. This security threat leaves the site and its users open to identity theft, financial theft and data theft. It would be advantageous for website owners to understand how cross-site scripting works and how it can affect them and their users so they could place the necessary security systems to block cross-site scripting on their website.

Denial of service ( Ddos attack ):

A denial of service attack (DOS) is an attack through which a person can render a system unusable or significantly slow down the system for legitimate users by overloading the resources, so that no one can access it.this is not actually hacking a webite but it is used to take down a website.
If an attacker is unable to gain access to a machine, the attacker most probably will just crash the machine to accomplish a denial of service attack,this one of the most used method for website hacking

I recently wrote an article on Hack a website using denial of service

Cookie Poisoning:


Well, for a starters i can begin with saying that Cookie Poisoning is alot like SQL Injection

Both have 'OR'1'='1 or maybe '1'='1'

But in cookie poisoning you begin with alerting your cookies

Javascript:alert(document.cookie)

Then you will perharps see "username=JohnDoe" and "password=iloveJaneDoe"

in this case the cookie poisoning could be:

Javascript:void(document.cookie="username='OR'1'='1"); void(document.cookie="password='OR'1'='1");

It is also many versions of this kind... like for example

'

'1'='1'

'OR'1'='1

'OR'1'='1'OR'

and so on...

You may have to try 13 things before you get it completely right...


Password Cracking
Hashed strings can often be deciphered through 'brute forcing'. Bad news, eh? Yes, and particularly if your encrypted passwords/usernames are floating around in an unprotected file somewhere, and some Google hacker comes across it.
You might think that just because your password now looks something like XWE42GH64223JHTF6533H in one of those files, it means that it can't be cracked? Wrong. Tools are freely available which will decipher a certain proportion of hashed and similarly encoded passwords.

Know more about Brute force attack

A Few Defensive Measures

* If you utilize a web content management system, subscribe to the development blog. Update to new versions soon as possible.
* Update all 3rd party modules as a matter of course — any modules incorporating web forms or enabling member file uploads are a potential threat. Module vulnerabilities can offer access to your full database.
* Harden your Web CMS or publishing platform. For example, if you use WordPress, use this guide as a reference.
* If you have an admin login page for your custom built CMS, why not call it 'Flowers.php' or something, instead of “AdminLogin.php” etc.?
* Enter some confusing data into your login fields like the sample Injection strings shown above, and any else which you think might confuse the server. If you get an unusual error message disclosing server-generated code then this may betray vulnerability.
* Do a few Google hacks on your name and your website. Just in case…
* When in doubt, pull the yellow cable out! It won't do you any good, but hey, it rhymes.

Subscribe to our Newsletter and receive updates directly via email - Get Ethical hacking and security tips directly to your inbox. Alternatively you can Join our Hackers Community on Facebook , Google+ and Twitter .

At RHA Infosec we provide different types of Security Testing from small business sites to Corporate Sites. Click Here to know more about our complete list of services.

Subscribe to RHA


Enjoyed this article?
Subscribe to "Rafay Hacking Articles" and get daily updates in your inbox for free!


Tags:


Kindly Bookmark it and Share it with Friends:

101 comments :

  1. which is the best method to hack a website and don,t being traced.

    ReplyDelete
  2. hello sir can we get caught by doing DOS attacks from our home pc ???

    ReplyDelete
    Replies
    1. Yes..DoS attacks are childish. Why get caught taking something down when you can steal information that might be useful. I understand most people DoS a website because they oppose what they stand for but there are ways to hide your DoS attacks through tor like The j35t3r

      Delete
  3. @King Adnan Anjum
    I think the best method is Sql injection and you can get traced for all above methods if you dont use a Proxy

    @Anonymous
    Yes you can get caught by Doing a DDos attacks,As long as you do it on your site then you have no problem

    ReplyDelete
  4. Hellow sir,
    My name is Muhammad Irfan.
    I want to ask you that in order to apply all the above methods I think it will be better for me to creat my on website and do practice. I know how to develop a website but the problem is that I don't know how to upload it on the internet. Please guide me in this matter. Thanks.

    ReplyDelete
  5. hello rafay plz teach me how 2 hack yahoo id wanted_funter@yahoo.com this is my id plz add me

    ReplyDelete
  6. hello sir m a networking student i want to get some tips about hacking website.and most important question for me can we get into or hack server from out client computer in LAN.plz send me my answer my email acount. " tarora89@gmail.com " it is just for learn not for harm purpose.

    ReplyDelete
  7. sir i hav 2 questions?
    1) can v hack a website and change data there with out anyone being known abt dat?
    2) do the administrators keep copies of data placed on a website and use that copies for further use OR
    they always use the data placed on website for further use?

    ReplyDelete
  8. Hi, this is nice post, but really i dont read this post to hack some one website! I read some kind of this stuff, so that I can save my things from getting being hacked.
    and i just bookmarked the site, and will keep my self updated with more info.

    ReplyDelete
  9. @USI
    I am very glad that you do so. As lots of people read these kind of articles to damage other belongings.

    ReplyDelete
  10. sir please teach me clearly to hack a website.............my id is pritamdevakar1993@gmail.com

    ReplyDelete
  11. Really nice Work... Mr.Rafay. Not only for this post but over all activity on this blog is awesome. Still there are some posts which can be expand further with some more details. Cheers for all good work done by you.....\m/

    ReplyDelete
  12. In addition to Rafay post, It is very important that we don't leave vulnerabilities in our code, this SQL injection attack can easily be defended by putting some checks in your code. Other than that i want to draw your attention towards infostealers that are more popular these days. Such malwares can easily steal your information like hotmail account info. or messenger IDs or your banking information. It is important that we use gmail or such services which use IPsec or HTTPS that sends encrypted traffic over the wire despite hotmail in plain text.
    Trust me you wont need any anti virus program if you take care about small things.

    Faheem
    Security Engineer

    ReplyDelete
  13. @Faheem
    Faheem you are absolutely right that SQL injection attack can be prevented by putting some checks in the codes, About the infostealers HTTPS will prevent majority of attacks but not all of them, You see that there is a tool called as Firesheep commonly used for session Hijacking,which will even work if HTTPS is enabled because a End to end encryption is required.

    ReplyDelete
  14. Actually m creating my own website from Visual Studio, Access as DB. and this ' OR 1=1 logic clearly got successful. But in most of other company's website they are using sql server as DB. Still they didn't allow me access in it. Means this logic not get successful in all condition.

    ReplyDelete
  15. Plez hw cn i communicate wth u Rafay, plez i jst wnt 2 lern many tings frm u, plez! ur an exprt kk
    mi emal add is rushinbush@gmail.com & i've alredy sbcrbed, kk

    ReplyDelete
  16. hi...just wanted to know if we can get the ip address of an orkut user,when the profile has not been used for approx. 6 months

    ReplyDelete
  17. i wntd 2 knw hw 2 change mi ip addrss evn whn jst do'in a test'in hck'in (WEBSITES). tat iz mi only drawbck plz!?

    ReplyDelete
  18. hi i want to learn hacking..........

    ReplyDelete
  19. @Rafay baloch...
    well you know if you even behind a vpn..then also you can be traced..
    and you just tell the methods you should give a good brief description on especially .sql, xss ,lfi and rfi ..
    and

    ReplyDelete
  20. Prof3ssional HaCk3rFebruary 2, 2011 at 11:16 PM

    Rafay Its for Beginners brother keep it Im founder of PCA-HR (PAK CYBER ARMY HACKER RULEZ Group)..............

    ReplyDelete
  21. Someone has tried to change our passwords-

    How can they do this as it is a server we dont control -
    213.171.196.251

    root
    z7m6G4w7w

    ReplyDelete
  22. aslam o alikum
    my name is shahzad from okara pakistan
    i want to hack a web site , can any person help in this situation.
    i m very thank ful to him if any suggest me. my cell no is +92 315 3934230. and yahoo id is shahzad_786_sa@yahoo.com

    ReplyDelete
  23. can some1 hack a site for me?

    ReplyDelete
  24. Is there a great book about SQL injection? your feedback will be very appreciated gentlemen! ;)

    Great article in here btw

    ReplyDelete
  25. My Name Is Kashif Qadeer from Lahore.
    I Want to learn hacking.
    Anybody wanna teach me.

    ReplyDelete
  26. SIR HOW TO HACK A WEBSITE WITHOUT BEING TRACED.
    MY FRIEND IS A HACKER AND HE TOLD ME THAT YOU HAVE TO DESIGN YOUR OWN PROXY SO THAT NOBODY CAN TRACE YOU.
    SIR CAN YOU PLZ HELP ME

    ReplyDelete
  27. sir my name is sachin

    i do not understand where and how to use this sql injection, i am very exited to hack my own website
    please help me

    ReplyDelete
  28. hello rafay.
    i have found this site via google and already bookmarking. waiting for easy hacking tutorial. ex. easy method to hack wordpress/joomla
    not for harm people, just for learning purpose
    kind regard.

    ReplyDelete
  29. Its really interesting and thanks for helping on how to hack a website.

    ReplyDelete
  30. I am new to Affiliate Marketing. I started out by using ClickBank. However, I have gotten no orders and feel that I have done all there is to do in order to get business. I have read many e-mails telling me that they can exploit ClickBank, Commission junction, FaceBook and others to intercept orders. I believe they can even incept orders where the URL is hidden such as Bit.ly. How do they do this and how can I stop it?

    ReplyDelete
  31. This is definitely a topic thats close to me since we are into website designing ,so Im happy that you wrote about it. Im also happy that you did the subject some justice. Not only do you know a great deal about it, you know how to present in a way that people will want to read more

    ReplyDelete
  32. My name is bharath and Im new to this Site Some pls tell me how to hack a website..... Like changing the content or picture in that website Like these hacking techniques.... Pls tell me plssss.
    If anyone likes to help me pls contact my id. gtasanbharath@gmail.com

    ReplyDelete
  33. I wanted to thank you for this excellent read!! I definitely loved every little bit of it.Cheers for the info!!!! & This is the perfect blog for anyone who wants to know about this topic. You know so much its almost hard to argue with you .........
    thanks

    ReplyDelete
  34. I think you have more knowledge about hacking sites. Can you hack any site?

    ReplyDelete
  35. i would want a full explanation on basic hacking.it a thing that fascinates me.twista_real@yahoo.com.am a networking student.it will help me go a long way.security is all dat matters

    ReplyDelete
  36. sir i have tried ur sql injection hack process on my coll website
    when i entered (' OR 1=1 — ') in username and (') in password its giving an error as right paranthesis missing
    please help me out in this

    ReplyDelete
  37. i appreciate your work sir..

    Thanks for making this perfect blog for anyone who wants to know about this topic.

    ReplyDelete
  38. hellow , can u teach me how to browse free of charge with my zantel modem and via phone u can rch me via email da_programmer10@yahoo.com

    ReplyDelete
  39. Hello sir...i don't understand hack system...plz give easy instruction of hack....

    ReplyDelete
  40. Nice information is provided through this blog and it is nice to visit this blog and the information provided here. It is an educational blog which increase our information and news.

    ReplyDelete
  41. want a website we can make it for u!!!
    Come and join us!!!!!!
    Bajaj.neha363@gmail.com
    see mine www.funzmaza.in

    ReplyDelete
  42. Its quite confusing but interesting !! Thats a huge task ifever to know it completely.

    ReplyDelete
  43. i saw a book on the books.goolge and i want to get the book for free. please revert to me

    ReplyDelete
  44. Hello sir,i want to hack a website which has a dns server and i know that from which city it is but it is showing its location from washington or from chicago i am in a very big confusion please help me out

    ReplyDelete
  45. Hello sir iam a small lad of 15 years and i want to hack a website.
    but iam not able to crack its firewall can you please help me.

    ReplyDelete
  46. hello frndss and mr admin i want to hack my college website so can u please tell me how to do it.........
    my email id is angel4_grv@rediffmail.com

    ReplyDelete
  47. Am from Kenya and want to learn how to hack and crack passwords. Am a programming student My email id is Rajitroney@yahoo.com if you are willing to help Email me I will be more than grateful

    ReplyDelete
  48. SO many people asking to learn to hack websites. Guy's its not just a simple 2 lesson course and your immediately a hacker than can break past any encryption and security software thrown at you. It takes many years of studying networks, learning how firewalls are set up and how they act, how web servers respond to queries etc etc. Guys don't ask because people that know how to Dont have the time to teach any script kiddy.

    ReplyDelete
  49. Pretty great publish even i may possibly say that complete internet website is wonderful. I preserve knowing new problems every one and just about every solitary evening from publish like these. extraordinary things!

    ReplyDelete
  50. I'm really impressed that there's so much about this subject that's been uncovered and you did it so well, with so much class. Good one you, man! Thanks for the post on tire.

    ReplyDelete
  51. hi to everyone i want to learn hacking a website or a blog.. can anyone teach me how to do it.. its highly appreciate for your help.. email me natsirt_tj@yahoo.com. long live to hackers!!!!!

    ReplyDelete
  52. Hi this post is really nice and looking to learn more. Frankly speaking I need more guide and don't think this much thing will help me as I am Zero in this field.

    ReplyDelete
  53. sir, can you teach how to hack this site http://ranshop.e-games.com.ph/itemshop/Shop/Items.aspx this is my e-mail australjosedaryl@yahoo.com thnk!

    ReplyDelete
  54. hellow respected sir my chat site has been hacked can u give me some tips to distrub the hacker am totly pist off plg plg plg is off ftf server my site is chat-zone.mobi email me jaimania4@hotmail.com

    ReplyDelete
  55. Can my bf spy on my gmail chats if he doesn't know my secret account? I don't use my own pc

    ReplyDelete
  56. hmm this site is really amazing and familiar to me, i am impressed by this site and really gonna share this site to my friends.

    ReplyDelete
  57. hi..you want banks guide and more informations.....go to visit our site http://banksindia.net/guide

    ReplyDelete
  58. fantastic post and Thanks for sharing this info. It's very helpful.
    web agency brussels

    ReplyDelete
  59. These kind of post are always inspiring and I prefer to read quality content so I happy to find many good point here in the post, writing is simply great, thank you for the post

    ReplyDelete
  60. want to know easier way to hack then dis is what u want.
    zoopdownloaders.blogspot.in
    also earn free money....hahahaha....\oo/

    ReplyDelete
  61. How do i hack a website with no input?

    ReplyDelete
  62. Live Chat Application is a powerful tool that helps you talk to your website visitors and convert them into customers.

    ReplyDelete
  63. Great thoughts you got there, believe I may possibly try just some of it throughout my daily life...


    Email Database

    ReplyDelete
  64. Thank you for the info. It sounds pretty user friendly. I guess I’ll pick one up for fun. thank u...



    Email Database

    ReplyDelete
  65. If someone wants to do something good . Hack this server and delete everything . No worries this is a illegal Cardsharing server and the Hoster dont want to do anything against it .

    Cardsharing server ip by Hetzner 176.9.68.138

    http://pastebin.com/6X5L2H0u open ports

    ReplyDelete
  66. These comments are funny, teach me how to hack and all that. its not something you will learn over night, hackers taking down websites or changing them can take days not a few mins, i see a few people here wanted to take down a website, maybe LOIC myt do that for you if you and others can arrange something lol.

    but pretty good info about this, defo not for educational for some people :P

    ReplyDelete
  67. Can you please help to hack the following website?

    www.puppyprofits.com

    I would love to add text that tells these assholes they are a bunch of losers who are too lazy to get a real job and exploit animals who cannot speak for themselves. Maybe bringing down their site too?

    ReplyDelete
  68. hello sir

    i want to download a database of a website. i am using httrack website copier but it fails while downloading. please suggest me the best software to download website for offline browsing.
    website is www.igrs.ap.gov.in

    ReplyDelete
  69. hello sir i want to know how to hack into a blog facebook site..ive tried a lot of methods but never worked...its blog here in school..
    how to i do it..

    ReplyDelete
  70. ...nice tutorials,..i have visited hack forums,..i did try diff. way of hacking...many failed,..because the last steps,..also did failed,..some hackers have hacked the site already bfor i got it ..jejejeje....

    ReplyDelete
  71. i wan't to hack a joomla based site,..can i ask some help Sir,..needing your Advice,..plz' tell me some tricks,..com_user&view=reset&layout=confirm doesn'n work at all,..they have improve and sanitized the filters..< " '> $JGAGFS$$ etc. it does not work,... here is my- crime.colony@gmail.com

    ReplyDelete
  72. Hi i need help :D I want to hack a site, and i don't know how. i need user and pass od the admin. How to get them? Thanks

    ReplyDelete
  73. looking for someone to destroy a website I pay for
    georgesjack74@yahoo.com

    ReplyDelete
  74. Hello Sir!! i hv read all your articles...all were really useful....i m stuck hacking a website whose URL ends with .net/admin_login.aspx ... plz help me as soon as possible ... speaking frankly that is my website which is hacked by someone and i want to recover it without anyone know that my site is hacked...that will bring shame to me.... i hv made that site for some tutorial classes students... if u want further more about the site plz let me know thnQ!

    ReplyDelete
  75. hello Sir,
    please teach me how to hack or bypass in cyberoam??

    ReplyDelete
  76. Hello Sir, I am MD SHAMMI.I want to know about third party website source code Download/hacked.
    Please Help Me.

    Thanks

    ReplyDelete
  77. Hi i have created my wordpress blog which is so nice and looking so beautiful.And i have created its profile.Sgt. Hack Blob

    ReplyDelete
  78. What a nice blog commenting you have share about this site and mostly people like this comment.Wedding Ring in singapore

    ReplyDelete
  79. what a nice site you have send for this site.Proposal Ring

    ReplyDelete
  80. Hey....I want to block out and hack two blogs....can you help me with it???

    ReplyDelete
  81. Thank you very much for sharing this informative post. Hacking is an art to break into the password protected sections of the website. After entering into the website, the hacker can do anything.

    ReplyDelete
  82. If you want to ddos DONT USE UR HOME CONNECTION!
    use a WAY stronger method! www.silentstresser.com is fucking awesome! I took down DdoS protected sites even!

    ReplyDelete
  83. Do you require the services of a pro hacker? Contact us at hacksforcash2014@gmail.com.

    ReplyDelete
  84. can u please show me tricks and hacks for premium accessing the digital libraries for thesis research, i need to access them for articles
    such as springerlink, jstore, emerald, elesiver, science-direct etc etc
    please help me out
    u can contact me on my email

    bestthanever@gmail.com

    ReplyDelete
  85. its possible hack joomla 2.5 website? sample: glucholazy.eu

    ReplyDelete
  86. Pls sir, teach me step by step on how to hack into any website without being traced! Send to chidi_eluwa1@yahoo.com

    ReplyDelete
  87. Hack these assholes! Good practice ;)

    Exposingjohns.com

    ReplyDelete
  88. Hi, everyone, just thought I'd share this guy's contact with you guys as I noticed a lot of you need hackers for one thing other, this guy's helped me graduate, catch my cheating ass girlfriend and even helped my colleague clear criminal records, here's his contact just in case anyone need it, techjinnie@gmail.com, he might be reluctant to help as hacking is illegal but don't worry, just say you're from Mr. Bonds, good luck people.

    ReplyDelete
  89. The chopping is for those people who think that the presidents of the world make only shit. If thus somebody causes a world war like Obama, Kim Yong Yun or Putin, it will be the hackers who save the world.

    ReplyDelete
  90. Thanks for this article, please tell a good wordpress plugin for protecting it from Dos attack and from SQL injection & also tell is there any automated SQL injection tool that can hack a website?

    ReplyDelete
  91. Asslam O Alikom.....

    Uncle Can You teaCh Me Sql InjeCtion ... Step By Step Please I 'll Pay For that ..

    My Email : musk4n786@gmail.com

    ReplyDelete
  92. Thank you very much for sharing this. I like it and hope that you continue posting. adult dance classes atlanta

    ReplyDelete

Blog Archive

 

Recent Comments

About

Rafay Baloch is an Independent security researcher, Internet marketer, Entrepreneur and a SEO consultant, He is the founder of RHA blog and multiple other blogs. Rafay got famous after finding a Remote Code Execution bug inside PayPal for which PayPal awarded him a sum of 10,000$ Read More..

Join In!

RHA © 2013. All Rights Reserved.