How To Hack WebSite? — ExploitByte
Hacking has developed tremendously in the last decade, and new techniques have been invented that are also quite easy to use. Even an ordinary programmer can use them to hack a vulnerable website.
Today in this post I cover some of the techniques you can use to hack websites like a pro. You can use these techniques to steal passwords, deface websites and steal important information. You can go through our dedicated hacking tutorials to learn these techniques completely. You should have basic knowledge of programming, such as HTML, CSS, PHP and MySQL.
you how to find the login information of any website by accessing the website’s source HTML. Although you can access the HTML of a large number of websites in most browsers, no website stores its administrator password or other login information in HTML, and any website that stores such information is either brand new or not completely ready yet.
SQL Injection
SQL injection is a very widely used technique. It is used to hack data-driven applications. In a SQL injection attack, malicious code is inserted into the input fields or at the end of the website URL in the address bar.
The injected SQL query is executed on the server, and the result comes back in the response. For example, suppose the following SQL query is sent to the server.
SELECT * FROM [Orders];
This command will reveal all information stored in the database’s “Orders” table. If an organization keeps records of its orders in a database, all information kept in this table will be extracted by the command.
SQL Delete Query
The DELETE statement is used to delete existing records in a table. To understand it, consider a table “Customers” in a database. The table “Customers” contains the following information.
A SQL injection, or SQLi, is a vulnerability which allows a hacker to “inject” SQL statements into a target and access its database. The potential here is pretty extensive, often making it a highly rewarded vulnerability. For example, attackers may be able to perform all or some CRUD actions (Creating, Reading, Updating, Deleting) on database information. Attackers may even be able to achieve remote command execution.
SQLi attacks are usually a result of unescaped input being passed into a site and used as part of a database query. An example of this might look like:
// Vulnerable: the request parameter is placed in the SQL text unchanged.
$name = $_GET['name'];
$query = "SELECT * FROM users WHERE name = $name";
Here, the value being passed in from user input is being inserted straight into the database query. If a user entered test' OR 1=1, the query would return the first record where the name = test OR 1=1, so the first row. Now other times, you may have something like:
$query = "SELECT * FROM users WHERE (name = $name AND password = 12345)";
In this case, if you used the same payload, test' OR 1=1, your statement would end up as:
$query = "SELECT * FROM users WHERE (name = 'test' OR 1=1 AND password = 12345)";
So, here, the query would behave a little differently (at least with MySQL). We would get all records where the name is test and all records where the password is 12345. This obviously wouldn’t achieve our goal of finding the first record in the database. As a result, we need to eliminate the password parameter and can do that with a comment, test' OR 1=1;--. Here, what we’ve done is add a semicolon to properly end the SQL statement and immediately added two dashes to signify that anything which comes after should be treated as a comment and therefore not evaluated. This will end up having the same result as our initial example.
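The comment trick described above, shown next to its fix, as an added example that is not code from the original post (Python with an in-memory SQLite database). The users table, its rows, the function names and the quoted string literals in the concatenated query are assumptions made for the demo.

```python
import sqlite3

def make_db():
    # Constructed sample rows for the demo, not data from the original post.
    # Plaintext passwords mirror the page's example; real systems store hashes.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "s3cret"), ("test", "12345"), ("alice", "hunter2")],
    )
    return db

def login_concatenated(db, name, password):
    # Same flaw as the PHP above: the input becomes part of the SQL text.
    query = ("SELECT name FROM users WHERE name = '" + name
             + "' AND password = '" + password + "'")
    return [row[0] for row in db.execute(query)]

def login_parameterized(db, name, password):
    # Placeholders send the input as data, so quotes, semicolons and
    # dashes are compared literally instead of being parsed as SQL.
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in db.execute(query, (name, password))]

PAYLOAD = "test' OR 1=1;--"  # the input discussed in the text above

if __name__ == "__main__":
    db = make_db()
    # Concatenated: the comment cuts off the password check, every row matches.
    print(sorted(login_concatenated(db, PAYLOAD, "wrong")))
    # Parameterized: no user has that literal name, so nothing matches.
    print(login_parameterized(db, PAYLOAD, "wrong"))
    # A legitimate login still works.
    print(login_parameterized(db, "test", "12345"))
```

In PHP the same fix is a prepared statement with bound parameters (PDO or mysqli) in place of string interpolation.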
Cross-Site-Scripting
Cross site scripting, or XSS, involves a website including unintended JavaScript code which is subsequently passed on to users, who then execute that code via their browsers. A harmless example of this is:
This will call the JavaScript function alert and create a simple popup with the letters XSS. Now, in previous versions of the book, I recommended you use this example when reporting. That is, until a very successful hacker told me it was a “terrible example”, explaining that often the receiver of a vulnerability report may not understand the severity of the issue and may award a lower bounty because of the harmless example.
So, on that note, use the example to determine if a Cross Site Scripting vulnerability exists, but when reporting, think through how the vulnerability could impact the site and explain that. By that, I don’t mean tell the company what Cross Site Scripting is, but explain what you could achieve with this that directly impacts their site.
Part of that should include identifying which kind of Cross Site Scripting you are reporting, as there’s more than one:
- Reflective XSS: These attacks are not persisted, meaning the XSS is delivered and executed via a single request and response.
- Stored XSS: These attacks are persisted, or saved, and then executed when a page is loaded to unsuspecting users.
- Self XSS: These attacks are also not persisted and are usually used as part of tricking a person into running the XSS themselves.
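How the reflected and stored cases above are closed by encoding at output time, as an added example that is not part of the original post. The probe string, the in-memory comment list and the function names are constructed for the demo.

```python
import html

# Constructed sample input: a harmless probe that pops up the letters XSS.
PROBE = "<script>alert('XSS')</script>"

COMMENTS = []  # stands in for the database behind a comment form

def render_search_unsafe(term):
    # Reflected path with no encoding: the request value is echoed as markup.
    return "<p>Results for " + term + "</p>"

def render_search(term):
    # Reflected path, fixed: encode at output. quote=True also encodes
    # " and ', which matters when the value lands inside an attribute.
    return "<p>Results for " + html.escape(term, quote=True) + "</p>"

def save_comment(text):
    # Stored path: keep the raw text; encoding happens when it is rendered.
    COMMENTS.append(text)

def render_comments():
    # Encoding on every render also covers rows saved before the fix.
    items = "".join(
        "<li>" + html.escape(c, quote=True) + "</li>" for c in COMMENTS
    )
    return "<ul>" + items + "</ul>"

if __name__ == "__main__":
    save_comment(PROBE)
    print(render_search_unsafe(PROBE))  # the browser would run the script
    print(render_search(PROBE))         # the browser shows the text instead
    print(render_comments())
```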
DOS
Denial of service (DOS) is an attack on a computer or network that reduces, restricts or prevents access to system resources for its legitimate users.
In a DOS attack, attackers flood a victim system with non-legitimate service requests or traffic to overload its resources.
A DOS attack leads to unavailability of a particular website and slow network performance.
Denial of Service (DOS) is a type of attack in which the service offered by a system or a network is denied. Services may be denied or reduced in functionality, or access to resources may be prevented even for legitimate users.
There are several techniques to perform a DOS attack, such as generating a large number of requests to the target system. This large number of incoming requests overloads the system’s capacity to serve them, resulting in denial of service.
Cookies Poisoning
Cookie poisoning is a very commonly used technique. First I would like to tell you that cookies are small packets of data which the website saves on the user’s computer. Normally the username and password are saved in cookies. For example, when you log in to Facebook, your username and password are saved in cookies, and the next time you visit Facebook, the website retrieves the cookies from your computer so that you do not have to log in again and are directly logged into your account. In a cookie poisoning attack, the contents of the cookie are tampered with so that the security mechanism can be bypassed.
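One way a server can detect the tampering described above is to attach a keyed MAC to each cookie value and reject any cookie whose tag does not verify. This is an added example, not code from the original post; the key, the cookie layout and the function names are assumptions.

```python
import hashlib
import hmac

# Assumption for the demo: a constructed server-side secret. In a real
# deployment it is random, kept out of source code and never sent to clients.
SERVER_KEY = b"constructed-demo-key"

def _tag(value, key):
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

def sign_cookie(value, key=SERVER_KEY):
    # Append an HMAC-SHA256 tag so any change to the value is detectable.
    # This gives integrity only; the value itself is still readable.
    return value + "." + _tag(value, key)

def verify_cookie(cookie, key=SERVER_KEY):
    # Return the original value if the tag matches, otherwise None.
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None  # no tag present at all
    expected = _tag(value, key)
    # compare_digest avoids leaking the match position through timing.
    if hmac.compare_digest(tag.encode(), expected.encode()):
        return value
    return None

if __name__ == "__main__":
    cookie = sign_cookie("user=alice;role=user")  # constructed sample value
    print(verify_cookie(cookie))
    # A client edits the role but cannot recompute the tag without the key.
    poisoned = cookie.replace("role=user", "role=admin")
    print(verify_cookie(poisoned))
```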
Click Jacking
The term clickjacking was first used by Jeremiah Grossman and Robert Hansen in 2008. In clickjacking, HTML elements are made invisible, and the hacker places his malicious code inside those invisible elements; when the user clicks on the page, he gets caught in the hacker’s web without knowing it. This means that the page will look normal to a user. He won’t be able to see the invisible elements, but when he clicks on another element on the page, he will inadvertently click on the link the hacker created. Typically hackers use iframes to embed their Facebook page plugins, and when you click on any other visible element, you inadvertently like their Facebook page.
Originally published at https://exploitbyte.com on July 24, 2021.