Pin It

Common methods to hack a website


Gone are the days when website hacking was a sophisticated art. Today any body can access through the Internet and start hacking your website. All that is needed is doing a search on google with keywords like “how to hack website”, “hack into a website”, “Hacking a website” etc. The following article is not an effort to teach you website hacking, but it has more to do with raising awareness on some common website hacking methods.



SQL Injection involves entering SQL code into web forms, eg. login fields, or into the browser address field, to access and manipulate the database behind the site, system or application.
When you enter text in the Username and Password fields of a login screen, the data you input is typically inserted into an SQL command. This command checks the data you've entered against the relevant table in the database. If your input matches table/row data, you're granted access (in the case of a login screen). If not, you're knocked back out.


In its simplest form, this is how the SQL Injection works. It's impossible to explain this without reverting to code for just a moment. Don't worry, it will all be over soon.
Suppose we enter the following string in a User name field:

' OR 1=1 double-dash-txt.png
The authorization SQL query that is run by the server, the command which must be satisfied to allow access, will be something along the lines of:
SELECT * FROM users WHERE username = ‘USRTEXT '
AND password = ‘PASSTEXT
…where USRTEXT and PASSTEXT are what the user enters in the login fields of the web form.
So entering `OR 1=1 — as your username, could result in the following actually being run:
SELECT * FROM users WHERE username = ‘' OR 1=1 — 'AND password = '’
Two things you need to know about this:
['] closes the [user-name] text field.
'double-dash-txt.png' is the SQL convention for Commenting code, and everything after Comment is ignored. So the actual routine now becomes:
SELECT * FROM users WHERE user name = '' OR 1=1
1 is always equal to 1, last time I checked. So the authorization routine is now validated, and we are ushered in the front door to wreck havoc.
Let's hope you got the gist of that, and move briskly on.
Brilliant! I'm gonna go hack me a Bank!
Slow down, cowboy. This half-cooked method won't beat the systems they have in place up at Citibank,
evidently


But the process does serve to illustrate just what SQL Injection is all about — injecting code to manipulate a routine via a form, or indeed via the URL. In terms of login bypass via Injection, the hoary old ' OR 1=1 is just one option. If a hacker thinks a site is vulnerable, there are cheat-sheets all over the web for login strings which can gain access to weak systems. Here are a couple more common strings which are used to dupe SQL validation routines:
username field examples:
  • admin'—
  • ') or ('a'='a
  • ”) or (“a”=”a
  • hi” or “a”=”a
… and so on.

Cross site scripting ( XSS ):

Cross-site scripting or XSS is a threat to a website's security. It is the most common and popular hacking a websiteto gain access information from a user on a website. There are hackers with malicious objectives that utilize this to attack certain websites on the Internet. But mostly good hackers do this to find security holes for websites and help them find solutions. Cross-site scripting is a security loophole on a website that is hard to detect and stop, making the site vulnerable to attacks from malicious hackers. This security threat leaves the site and its users open to identity theft, financial theft and data theft. It would be advantageous for website owners to understand how cross-site scripting works and how it can affect them and their users so they could place the necessary security systems to block cross-site scripting on their website.

Denial of service ( Ddos attack ):

A denial of service attack (DOS) is an attack through which a person can render a system unusable or significantly slow down the system for legitimate users by overloading the resources, so that no one can access it.this is not actually hacking a webite but it is used to take down a website.
If an attacker is unable to gain access to a machine, the attacker most probably will just crash the machine to accomplish a denial of service attack,this one of the most used method for website hacking

I recently wrote an article on Hack a website using denial of service

Cookie Poisoning:


Well, for a starters i can begin with saying that Cookie Poisoning is alot like SQL Injection

Both have 'OR'1'='1 or maybe '1'='1'

But in cookie poisoning you begin with alerting your cookies

Javascript:alert(document.cookie)

Then you will perharps see "username=JohnDoe" and "password=iloveJaneDoe"

in this case the cookie poisoning could be:

Javascript:void(document.cookie="username='OR'1'='1"); void(document.cookie="password='OR'1'='1");

It is also many versions of this kind... like for example

'

'1'='1'

'OR'1'='1

'OR'1'='1'OR'

and so on...

You may have to try 13 things before you get it completely right...


Password Cracking
Hashed strings can often be deciphered through 'brute forcing'. Bad news, eh? Yes, and particularly if your encrypted passwords/usernames are floating around in an unprotected file somewhere, and some Google hacker comes across it.
You might think that just because your password now looks something like XWE42GH64223JHTF6533H in one of those files, it means that it can't be cracked? Wrong. Tools are freely available which will decipher a certain proportion of hashed and similarly encoded passwords.

Know more about Brute force attack

A Few Defensive Measures

* If you utilize a web content management system, subscribe to the development blog. Update to new versions soon as possible.
* Update all 3rd party modules as a matter of course — any modules incorporating web forms or enabling member file uploads are a potential threat. Module vulnerabilities can offer access to your full database.
* Harden your Web CMS or publishing platform. For example, if you use WordPress, use this guide as a reference.
* If you have an admin login page for your custom built CMS, why not call it 'Flowers.php' or something, instead of “AdminLogin.php” etc.?
* Enter some confusing data into your login fields like the sample Injection strings shown above, and any else which you think might confuse the server. If you get an unusual error message disclosing server-generated code then this may betray vulnerability.
* Do a few Google hacks on your name and your website. Just in case…
* When in doubt, pull the yellow cable out! It won't do you any good, but hey, it rhymes.

Subscribe to our Newsletter and receive updates directly via email - Get Ethical hacking and security tips directly to your inbox. Alternatively you can Join our Hackers Community on Facebook , Google+ and Twitter .

At RHA Infosec we provide different types of Security Testing from small business sites to Corporate Sites. Click Here to know more about our complete list of services.

Subscribe to RHA


Enjoyed this article?
Subscribe to "Rafay Hacking Articles" and get daily updates in your inbox for free!


Tags:


Kindly Bookmark it and Share it with Friends:

95 comments :

King Adnan Anjum on March 26, 2010 at 12:48 AM said...

which is the best method to hack a website and don,t being traced.

Anonymous said...

hello sir can we get caught by doing DOS attacks from our home pc ???

Rafay Baloch on April 5, 2010 at 3:01 AM said...

@King Adnan Anjum
I think the best method is Sql injection and you can get traced for all above methods if you dont use a Proxy

@Anonymous
Yes you can get caught by Doing a DDos attacks,As long as you do it on your site then you have no problem

Anonymous said...

Hellow sir,
My name is Muhammad Irfan.
I want to ask you that in order to apply all the above methods I think it will be better for me to creat my on website and do practice. I know how to develop a website but the problem is that I don't know how to upload it on the internet. Please guide me in this matter. Thanks.

Anonymous said...

hello rafay plz teach me how 2 hack yahoo id wanted_funter@yahoo.com this is my id plz add me

Anonymous said...

hello sir m a networking student i want to get some tips about hacking website.and most important question for me can we get into or hack server from out client computer in LAN.plz send me my answer my email acount. " tarora89@gmail.com " it is just for learn not for harm purpose.

Rafay Baloch on August 11, 2010 at 1:52 AM said...

@Anonymous
There are different methods to hack different servers. I cant explain it because I don't about which server are you asking DNS server,ftp server,Application server.Kindly give me the details and I will provide you relevant Information.

mehmood.khan37 on September 1, 2010 at 1:11 PM said...

sir i hav 2 questions?
1) can v hack a website and change data there with out anyone being known abt dat?
2) do the administrators keep copies of data placed on a website and use that copies for further use OR
they always use the data placed on website for further use?

Usi on September 4, 2010 at 5:44 PM said...

Hi, this is nice post, but really i dont read this post to hack some one website! I read some kind of this stuff, so that I can save my things from getting being hacked.
and i just bookmarked the site, and will keep my self updated with more info.

Rafay Baloch on September 4, 2010 at 11:08 PM said...

@USI
I am very glad that you do so. As lots of people read these kind of articles to damage other belongings.

pritam on September 22, 2010 at 5:43 AM said...

sir please teach me clearly to hack a website.............my id is pritamdevakar1993@gmail.com

Lightning Sky on November 30, 2010 at 8:55 PM said...

Really nice Work... Mr.Rafay. Not only for this post but over all activity on this blog is awesome. Still there are some posts which can be expand further with some more details. Cheers for all good work done by you.....\m/

Anonymous said...

In addition to Rafay post, It is very important that we don't leave vulnerabilities in our code, this SQL injection attack can easily be defended by putting some checks in your code. Other than that i want to draw your attention towards infostealers that are more popular these days. Such malwares can easily steal your information like hotmail account info. or messenger IDs or your banking information. It is important that we use gmail or such services which use IPsec or HTTPS that sends encrypted traffic over the wire despite hotmail in plain text.
Trust me you wont need any anti virus program if you take care about small things.

Faheem
Security Engineer

Rafay Baloch on December 6, 2010 at 4:27 AM said...

@Faheem
Faheem you are absolutely right that SQL injection attack can be prevented by putting some checks in the codes, About the infostealers HTTPS will prevent majority of attacks but not all of them, You see that there is a tool called as Firesheep commonly used for session Hijacking,which will even work if HTTPS is enabled because a End to end encryption is required.

Kash on December 7, 2010 at 8:38 AM said...

Actually m creating my own website from Visual Studio, Access as DB. and this ' OR 1=1 logic clearly got successful. But in most of other company's website they are using sql server as DB. Still they didn't allow me access in it. Means this logic not get successful in all condition.

Rasha Ahamed on December 10, 2010 at 8:43 AM said...

Plez hw cn i communicate wth u Rafay, plez i jst wnt 2 lern many tings frm u, plez! ur an exprt kk
mi emal add is rushinbush@gmail.com & i've alredy sbcrbed, kk

Anonymous said...

hi...just wanted to know if we can get the ip address of an orkut user,when the profile has not been used for approx. 6 months

Rasha Ahamed on December 24, 2010 at 7:40 AM said...

i wntd 2 knw hw 2 change mi ip addrss evn whn jst do'in a test'in hck'in (WEBSITES). tat iz mi only drawbck plz!?

Anonymous said...

hi i want to learn hacking..........

so4mp3 on January 24, 2011 at 5:38 PM said...

goooooood methods

Anonymous said...

@Rafay baloch...
well you know if you even behind a vpn..then also you can be traced..
and you just tell the methods you should give a good brief description on especially .sql, xss ,lfi and rfi ..
and

Prof3ssional HaCk3r said...

Rafay Its for Beginners brother keep it Im founder of PCA-HR (PAK CYBER ARMY HACKER RULEZ Group)..............

Anonymous said...

Someone has tried to change our passwords-

How can they do this as it is a server we dont control -
213.171.196.251

root
z7m6G4w7w

shahzad on February 4, 2011 at 10:08 PM said...

aslam o alikum
my name is shahzad from okara pakistan
i want to hack a web site , can any person help in this situation.
i m very thank ful to him if any suggest me. my cell no is +92 315 3934230. and yahoo id is shahzad_786_sa@yahoo.com

Anonymous said...

can some1 hack a site for me?

Anonymous said...

Is there a great book about SQL injection? your feedback will be very appreciated gentlemen! ;)

Great article in here btw

M Kashif Qadeer on March 26, 2011 at 8:26 AM said...

My Name Is Kashif Qadeer from Lahore.
I Want to learn hacking.
Anybody wanna teach me.

Anonymous said...

SIR HOW TO HACK A WEBSITE WITHOUT BEING TRACED.
MY FRIEND IS A HACKER AND HE TOLD ME THAT YOU HAVE TO DESIGN YOUR OWN PROXY SO THAT NOBODY CAN TRACE YOU.
SIR CAN YOU PLZ HELP ME

Anonymous said...

sir my name is sachin

i do not understand where and how to use this sql injection, i am very exited to hack my own website
please help me

pain on April 18, 2011 at 7:51 PM said...

hello rafay.
i have found this site via google and already bookmarking. waiting for easy hacking tutorial. ex. easy method to hack wordpress/joomla
not for harm people, just for learning purpose
kind regard.

web design company on April 26, 2011 at 10:30 PM said...

Its really interesting and thanks for helping on how to hack a website.

Anonymous said...

I am new to Affiliate Marketing. I started out by using ClickBank. However, I have gotten no orders and feel that I have done all there is to do in order to get business. I have read many e-mails telling me that they can exploit ClickBank, Commission junction, FaceBook and others to intercept orders. I believe they can even incept orders where the URL is hidden such as Bit.ly. How do they do this and how can I stop it?

Qatar website development company on June 13, 2011 at 11:25 PM said...

This is definitely a topic thats close to me since we are into website designing ,so Im happy that you wrote about it. Im also happy that you did the subject some justice. Not only do you know a great deal about it, you know how to present in a way that people will want to read more

Bharath on July 6, 2011 at 5:02 AM said...

My name is bharath and Im new to this Site Some pls tell me how to hack a website..... Like changing the content or picture in that website Like these hacking techniques.... Pls tell me plssss.
If anyone likes to help me pls contact my id. gtasanbharath@gmail.com

web development services on July 6, 2011 at 11:09 PM said...

I wanted to thank you for this excellent read!! I definitely loved every little bit of it.Cheers for the info!!!! & This is the perfect blog for anyone who wants to know about this topic. You know so much its almost hard to argue with you .........
thanks

Muralimohan.A.R on July 30, 2011 at 9:29 AM said...

do u know anything about rdos??..

Biztechconsultancy on August 19, 2011 at 5:29 AM said...

I think you have more knowledge about hacking sites. Can you hack any site?

Anonymous said...

i would want a full explanation on basic hacking.it a thing that fascinates me.twista_real@yahoo.com.am a networking student.it will help me go a long way.security is all dat matters

jeevitesh on October 13, 2011 at 2:51 AM said...

sir i have tried ur sql injection hack process on my coll website
when i entered (' OR 1=1 — ') in username and (') in password its giving an error as right paranthesis missing
please help me out in this

gari said...

i appreciate your work sir..

Thanks for making this perfect blog for anyone who wants to know about this topic.

Anonymous said...

hellow , can u teach me how to browse free of charge with my zantel modem and via phone u can rch me via email da_programmer10@yahoo.com

chirag baroliya on November 26, 2011 at 10:43 PM said...

Hello sir...i don't understand hack system...plz give easy instruction of hack....

Linux Hosting on December 19, 2011 at 11:12 PM said...

Nice information is provided through this blog and it is nice to visit this blog and the information provided here. It is an educational blog which increase our information and news.

webmaster on January 11, 2012 at 11:36 PM said...

want a website we can make it for u!!!
Come and join us!!!!!!
Bajaj.neha363@gmail.com
see mine www.funzmaza.in

Ecommerce Software on January 17, 2012 at 3:05 AM said...

Its quite confusing but interesting !! Thats a huge task ifever to know it completely.

Anonymous said...

i saw a book on the books.goolge and i want to get the book for free. please revert to me

The best on February 22, 2012 at 11:36 AM said...

Hello sir,i want to hack a website which has a dns server and i know that from which city it is but it is showing its location from washington or from chicago i am in a very big confusion please help me out

The best on February 22, 2012 at 11:39 AM said...

Hello sir iam a small lad of 15 years and i want to hack a website.
but iam not able to crack its firewall can you please help me.

Anonymous said...

hello frndss and mr admin i want to hack my college website so can u please tell me how to do it.........
my email id is angel4_grv@rediffmail.com

Anonymous said...

Am from Kenya and want to learn how to hack and crack passwords. Am a programming student My email id is Rajitroney@yahoo.com if you are willing to help Email me I will be more than grateful

needantivirus2011.blogspot.in on March 28, 2012 at 2:01 PM said...

good info :D

James said...

SO many people asking to learn to hack websites. Guy's its not just a simple 2 lesson course and your immediately a hacker than can break past any encryption and security software thrown at you. It takes many years of studying networks, learning how firewalls are set up and how they act, how web servers respond to queries etc etc. Guys don't ask because people that know how to Dont have the time to teach any script kiddy.

Launch X431 GX3 on April 10, 2012 at 7:16 PM said...

Pretty great publish even i may possibly say that complete internet website is wonderful. I preserve knowing new problems every one and just about every solitary evening from publish like these. extraordinary things!

Windows Server 8 Training Courses on April 17, 2012 at 3:07 AM said...

I'm really impressed that there's so much about this subject that's been uncovered and you did it so well, with so much class. Good one you, man! Thanks for the post on tire.

Anonymous said...

hi to everyone i want to learn hacking a website or a blog.. can anyone teach me how to do it.. its highly appreciate for your help.. email me natsirt_tj@yahoo.com. long live to hackers!!!!!

abhishek on May 3, 2012 at 12:38 AM said...

Hi this post is really nice and looking to learn more. Frankly speaking I need more guide and don't think this much thing will help me as I am Zero in this field.

Anonymous said...

sir, can you teach how to hack this site http://ranshop.e-games.com.ph/itemshop/Shop/Items.aspx this is my e-mail australjosedaryl@yahoo.com thnk!

Anonymous said...

Test

Anonymous said...

hellow respected sir my chat site has been hacked can u give me some tips to distrub the hacker am totly pist off plg plg plg is off ftf server my site is chat-zone.mobi email me jaimania4@hotmail.com

Anonymous said...

Can my bf spy on my gmail chats if he doesn't know my secret account? I don't use my own pc

Facebook Application Developer on May 28, 2012 at 4:28 AM said...

hmm this site is really amazing and familiar to me, i am impressed by this site and really gonna share this site to my friends.

banks on June 18, 2012 at 11:09 PM said...

hi..you want banks guide and more informations.....go to visit our site http://banksindia.net/guide

Cristeen on June 20, 2012 at 3:34 AM said...

fantastic post and Thanks for sharing this info. It's very helpful.
web agency brussels

Content management system on July 8, 2012 at 1:30 AM said...

These kind of post are always inspiring and I prefer to read quality content so I happy to find many good point here in the post, writing is simply great, thank you for the post

shivam kumar on July 22, 2012 at 1:41 AM said...

want to know easier way to hack then dis is what u want.
zoopdownloaders.blogspot.in
also earn free money....hahahaha....\oo/

Anonymous said...

How do i hack a website with no input?

surendra singh on September 29, 2012 at 5:27 AM said...

Live Chat Application is a powerful tool that helps you talk to your website visitors and convert them into customers.

esther on September 29, 2012 at 6:11 AM said...

Great thoughts you got there, believe I may possibly try just some of it throughout my daily life...


Email Database

esther on September 29, 2012 at 6:12 AM said...

Thank you for the info. It sounds pretty user friendly. I guess I’ll pick one up for fun. thank u...



Email Database

Anonymous said...

If someone wants to do something good . Hack this server and delete everything . No worries this is a illegal Cardsharing server and the Hoster dont want to do anything against it .

Cardsharing server ip by Hetzner 176.9.68.138

http://pastebin.com/6X5L2H0u open ports

Anonymous said...

These comments are funny, teach me how to hack and all that. its not something you will learn over night, hackers taking down websites or changing them can take days not a few mins, i see a few people here wanted to take down a website, maybe LOIC myt do that for you if you and others can arrange something lol.

but pretty good info about this, defo not for educational for some people :P

GOOKGEEK on October 9, 2012 at 8:44 AM said...

Can you please help to hack the following website?

www.puppyprofits.com

I would love to add text that tells these assholes they are a bunch of losers who are too lazy to get a real job and exploit animals who cannot speak for themselves. Maybe bringing down their site too?

Anonymous said...

hello sir

i want to download a database of a website. i am using httrack website copier but it fails while downloading. please suggest me the best software to download website for offline browsing.
website is www.igrs.ap.gov.in

Anonymous said...

hello sir i want to know how to hack into a blog facebook site..ive tried a lot of methods but never worked...its blog here in school..
how to i do it..

Anonymous said...

...nice tutorials,..i have visited hack forums,..i did try diff. way of hacking...many failed,..because the last steps,..also did failed,..some hackers have hacked the site already bfor i got it ..jejejeje....

Anonymous said...

i wan't to hack a joomla based site,..can i ask some help Sir,..needing your Advice,..plz' tell me some tricks,..com_user&view=reset&layout=confirm doesn'n work at all,..they have improve and sanitized the filters..< " '> $JGAGFS$$ etc. it does not work,... here is my- crime.colony@gmail.com

shweta vakharia on November 20, 2012 at 4:50 AM said...

gg

Anonymous said...

Hi i need help :D I want to hack a site, and i don't know how. i need user and pass od the admin. How to get them? Thanks

moshe on January 13, 2013 at 4:04 PM said...

cool !

Anonymous said...

looking for someone to destroy a website I pay for
georgesjack74@yahoo.com

Anonymous said...

Hello Sir!! i hv read all your articles...all were really useful....i m stuck hacking a website whose URL ends with .net/admin_login.aspx ... plz help me as soon as possible ... speaking frankly that is my website which is hacked by someone and i want to recover it without anyone know that my site is hacked...that will bring shame to me.... i hv made that site for some tutorial classes students... if u want further more about the site plz let me know thnQ!

vishal Sonara said...

hello Sir,
please teach me how to hack or bypass in cyberoam??

Md.Shammi on May 7, 2013 at 5:13 AM said...

Hello Sir, I am MD SHAMMI.I want to know about third party website source code Download/hacked.
Please Help Me.

Thanks

Anonymous said...

If i send you the side, can u change the 5th sem mark of F grade to E grade. www.bput.ac.in, or, www.bput.org. My reg no. 1121333052.

Sgt. Hack Blob on July 2, 2013 at 12:21 AM said...

Hi i have created my wordpress blog which is so nice and looking so beautiful.And i have created its profile.Sgt. Hack Blob

Wedding Rings Singapore on July 21, 2013 at 9:44 PM said...

What a nice blog commenting you have share about this site and mostly people like this comment.Wedding Ring in singapore

Anonymous said...

what a nice site you have send for this site.Proposal Ring

Anonymous said...

Hey....I want to block out and hack two blogs....can you help me with it???

Aimy Wilson on November 13, 2013 at 12:19 AM said...

Thank you very much for sharing this informative post. Hacking is an art to break into the password protected sections of the website. After entering into the website, the hacker can do anything.

DeltaForce101 on March 20, 2014 at 5:17 PM said...

If you want to ddos DONT USE UR HOME CONNECTION!
use a WAY stronger method! www.silentstresser.com is fucking awesome! I took down DdoS protected sites even!

Anonymous said...

Do you require the services of a pro hacker? Contact us at hacksforcash2014@gmail.com.

Kamran Kashmala on June 7, 2014 at 10:54 PM said...

can u please show me tricks and hacks for premium accessing the digital libraries for thesis research, i need to access them for articles
such as springerlink, jstore, emerald, elesiver, science-direct etc etc
please help me out
u can contact me on my email

bestthanever@gmail.com

Anonymous said...

its possible hack joomla 2.5 website? sample: glucholazy.eu

Anonymous said...

Pls sir, teach me step by step on how to hack into any website without being traced! Send to chidi_eluwa1@yahoo.com

Anonymous said...

Hack these assholes! Good practice ;)

Exposingjohns.com

Dare to ask? :)

Blog Archive

 

Recent Comments

About

Rafay Baloch is an Independent security researcher, Internet marketer, Entrepreneur and a SEO consultant, He is the founder of RHA blog and multiple other blogs. Rafay got famous after finding a Remote Code Execution bug inside PayPal for which PayPal awarded him a sum of 10,000$ Read More..

Join In!

RHA © 2013. All Rights Reserved.