How To Use Your First Web Exploit
Posted in how to hack
How to use your first
web exploit
This
tutorial will show beginner hackers how to use their first web exploit in a
real-
world
situation. It will contain a Proof of Concept by me, so you can see the effects
of
this exploit on the target and how to apply it effectively. This tutorial
contains an
in-depth
explanation with step-by-step instructions so everyone can benefit equally.
It
also contains frequent screen-shots to make the tutorial even clearer, so even
if
this
is your first minute of your first day hacking, you can still get a grip on
what I
mean
and hopefully understand. The screen-shots are also present for those who are
more
visually based. More advanced hackers are also more than welcome to read
through
this tutorial. You may even profit from having a read through. The exploit
that
wil be used in this class is admittedly
great for impressing friends and family
and
co-workers because of its simplicity. By the end of this class beginner hackers
should
have gained more of a foothold in the world of computer hacking and be able
to
use this tutorial as groundwork for further explorations in this mysterious
underground
digital world.
So,
without further ado, sit back and prepare to learn how to use your first
exploit!
The
first thing that a beginner hacker must do if find the appropriate exploit to
use
for
their first time. This exploit should be simplistic in design and doesn't
require
extensive
knowledge to execute. The exploit and PoC that this class is based around
has
exactly those qualities.
There
are numerous places around the World Wide Web where one can stumble
across
exploits. These include, but are not limited to, Milw0rm, Bugsearch, Hacking
Forums,
and the BugTraq mailing list. But for our purposes today, we are going to use
Milw0rm
Homepage
Milw0rm
is literally an exploit gold mine. It is constantly updated with the latest
exploits
and its exploit archive is almost endless. To find a particular exploit you use
the Search
function which is located at the top of the Milw0rm homepage. For
example
if you typed in "Windows XP" into the search function, you would be
rewarded
with a list of exploits that target Windows XP platforms.
We
are now going to search for the exploit that we are going to use.
Click
on the Search function on Milw0rm and in the resulting page that follows type:
Fubarforum.
Then Click Submit or press Enter.
You
should see a resulting page with a list of exploits that targets the FubarForum
software.
As you can probably tel by now,
FubarForum is a type of Forum software
and
the exploit we are going to use targets an Admin Bypass vulnerability in the
software.
This means that if the exploit is successful, you will have Administrative
rights
on the website that uses the vulnerable forum version.
The
name of the exploit that we are going to use is:
FubarForum
1.6 Arbitrary Admin Bypass Vulnerability. Click on the exploit name
to
view
the details of the exploit. These details will include how to use the exploit
properly
and occasionally how to find vulnerable websites to this exploit using a
fabulous
tool called Google. With the exploit we are using today we are in luck: it
shows
us how to find the vulnerable websites.
As
we can see, this exploit targets Version 1.6 of the software. However, usually
exploits
will also work on earlier versions of the same software. The actual exploit is
simple
as was stated at the beginning: page=admin. We will be using this later
to gain
full
Administrative priviledges on the vulnerable website.
Copy
the writing next to the dork into a Google search box like shown in the diagram
below:
And
then press Enter or click Search.
The
resulting page will return a list of vulnerable websites. Here is the website
that I
have
chosen to be the PoC for this exploit.
As
you can see, this exploit is rather popular because of its simplicity to
execute.
However,
that wil not stop us from also
exploiting this website and taking control for
a
time at least.
Copy
the URL as shown in the following screenshot into your web browser:
And
then press Enter.
You
should find yourself at a page that looks something like this:
That
is the forum homepage. For the moment, we do not have any special privileges
but
we wil soon change that.
At
the end of the URL
we
are going to add the exploit code page=admin
The
URL should now look something like the following:
Or
in the visual screenshot:
Now
press Enter to exploit the forum and gain Administrative Privileges. This is a
simple
Admin Bypass exploit so it does not contain much sophistication, but it is more
than
prefect for beginner hackers just starting out.
This
resulting page should allow you to create and remove forum categories, create
forums,
etc.
