Website Takeover 101

by llorelei - 25 February, 2021 - 03:16 PM
#1
So you wanna take over a site and make it yours? Well, the instructions are simple and I hope it's not too hard for you.
Introduction: Website takeover is common but the most desired way to get data via the term malicious actor. When performing such attacks, for the best anonymity and speed I suggest using a Linux-based OS such as Kali, Parrot, or Backbox. They are easy to install and can be run using a VM such as VirtualBox.
Requirements: For takeover the things you want to have are 1. Patience 2. A proxy that can't be traced back or a VPN such as NordVPN 3. SQLmap (highly recommend) 4. TRUST YOUR OPSEC! 5. Have some knowledge on how to use SQLmap and website vulns.
Now that we have that settled, let's start.
1. Find a vuln website. We can do this via a Google dork such as:
inurl:"" & intext:"you have an error in your sql syntax" or php?id=
When you find a site, at the end will be ID=23 or some other id number. Add a ' to the end of it and if it gives an error then it's vulnerable.
2. Turn on a VPN or use a proxy. Go to sqlmap and do:
sqlmap -u websitelink.com --dbs --dump --random-agent
We will be dumping it to dump all user data + check for an admin password.

3. When the dumping process is over, check the database by going to the sqlmap directory (it should tell you after it's done dumping) and clicking on the website name. Check for something that has data, or until you find something along the lines of an admin password. When you get to the CSV file there will be a hash that you will need to crack, BUT there is an exception: go to https://crackstation.net/, paste in the hash and see if they have it in their DB. This always works for me instead of wasting more time cracking. But if they don't have the password, then download JackTheRipper and also download a wordlist such as rockyou.txt and try to crack it.

4. When you get the password then you can log in as admin on the website! Log in by adding /admin after the website URL. Put in the username + password and when you log in, you can now fuck around with the website. I suggest uploading a webshell so you can have access to all files and also delete everything if you are a little goblin. Webshells I suggest are c40, c99, b374k.

Congrats, easy and simple.
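Added example, not part of the original thread: the trailing-quote check in step 1 only yields a database error when the request value is concatenated into the SQL text and the driver error is echoed back. The sketch below uses Python's sqlite3 with a constructed in-memory table; all function names are hypothetical. It puts that pattern beside a handler that validates the id, binds it as a parameter, and keeps error details out of the response.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for a page keyed by ?id=23.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO articles VALUES (23, 'Hello')")
    return db

def lookup_concatenated(db, raw_id):
    """Vulnerable pattern: the request value becomes part of the SQL text."""
    try:
        row = db.execute(
            "SELECT title FROM articles WHERE id = " + raw_id).fetchone()
    except sqlite3.Error as exc:
        # Returning the driver message is what exposes the flaw to clients
        # (and to search-engine indexing of the error page).
        return 500, f"database error: {exc}"
    return (200, row[0]) if row else (404, "not found")

def lookup_bound_only(db, raw_id):
    """Binding alone: the value is data, so a stray quote cannot alter the SQL."""
    row = db.execute(
        "SELECT title FROM articles WHERE id = ?", (raw_id,)).fetchone()
    return (200, row[0]) if row else (404, "not found")

def lookup_parameterized(db, raw_id):
    """Hardened handler: type check, bound parameter, generic error body."""
    # Reject anything that is not a short ASCII integer before touching the DB;
    # the length cap also keeps int() within SQLite's 64-bit INTEGER range.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 18):
        return 400, "bad request"
    try:
        row = db.execute(
            "SELECT title FROM articles WHERE id = ?", (int(raw_id),)).fetchone()
    except sqlite3.Error:
        # Log the exception server-side; never send it to the client.
        return 500, "internal error"
    return (200, row[0]) if row else (404, "not found")

if __name__ == "__main__":
    db = make_db()
    for handler in (lookup_concatenated, lookup_bound_only, lookup_parameterized):
        print(handler.__name__, handler(db, "23"), handler(db, "23'"))
```

A 500 response carrying a SQL syntax message is also a useful detection signal: alerting on it in application logs surfaces both the probing and the endpoint that still concatenates input.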
Pillowzzz  
#3
Great guide but I am stuck at the hash decryption lmao!
I have this:
$2y$10$Lr3B1g85up002BVprgV/I.5ecwaN9O81LjxHOnfhJOsDpFyHFDo8q
This should be the hashed password
jaybenting
#4
thank you