Wednesday, 25 December 2013

Deface Website Using Inspect Element



This method sounds kinda stupid to those who have never heard of it, but trust me, it really works :)



Finding Vulnerable Target :

Dorks:

intext:"Powered By: Multi Profit Websites"
inurl:/index_ebay.php
inurl:/index_amazon.php
inurl:/index_rrfc.php
inurl:/index_info.php
inurl:/index_youtube.php
inurl:/index_rss.php


1- Paste any of those dorks into Google, and choose any site.

2- Add /admin/ at the end of the site.

Example :

http://martincommodities.com/sitemap.php

to

http://martincommodities.com/admin/


You will get the admin login. Here's the example



If you didn't get the login page, it means the site has been patched, or in other words, is not vulnerable.

Exploiting Target

1- Once you have the admin login, right click on your mouse, and choose Inspect Element. Then a console like this will appear.





2- Okay, right now, we need to find

<input type="hidden" name="do_type" value="admin_setting_read">

As you noticed, I highlighted the word hidden. This is because we need to change it from "hidden" to "text", and there will be "admin_setting_read". Change "read" to "write" so it reads "admin_setting_write".

Once you hit enter, you will get something like this.




Hit enter, and you will get something like the picture above



Click Login and you will be redirected to the admin page.



4- Alright, now we need to find "Add/Remove New Navigation Page" and click on it. You will get something like "Enter a name for your new navigation..." or something similar. Put your shell name and click Add New Navigation Page.




5- Scroll down the page to check whether our shell name already exists. If it does, change our shell name from shellname.php.html to /shellname.php


From



To



6- Now, go to menu Edit Navigation Page, and one more time, using inspect element, we change our shell name from shell.php.html  to shell.php



7- Still on the same page, go to "Enter a page title...." and enter our shell name. At "URL for this page", enter main_pages/shellname.php as in the picture below.



8- Now it's time to put the shell script. Before you enter your shell script, hit enter 3 times and paste your shell script. After that, before saving, hit enter again 3 times. And click Save Edited Navigation




9- If we get something like the picture below, it means we successfully executed the shell.


10- The final step: to view your shell, add /main_pages/shellname.php at the end of the site URL.

Example:

www.site.com/main_pages/bcc.php
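
The steps above only work because the server trusts two browser-supplied values: the do_type form field and the navigation page file name. The following PHP sketch is an added example, not code from this post or from the product, showing the server-side checks that close both gaps; the function names, the `is_admin` session key and the `admin_login` action name are assumptions.

```php
<?php
// Added illustration; all names below are hypothetical, not the product's API.

// Actions a form may request, and whether each needs an authenticated admin.
// 'admin_login' is an assumed name for the public login action.
const ACTIONS = [
    'admin_login'         => false,
    'admin_setting_read'  => true,
    'admin_setting_write' => true,
];

/**
 * Decide whether a requested do_type may run. The value arrives from the
 * browser (hidden field or not), so it only selects an action; permission
 * comes from session state that the server set after a real login.
 */
function authorize_action(string $doType, array $session): bool
{
    if (!array_key_exists($doType, ACTIONS)) {
        return false;                       // unknown action: reject
    }
    if (ACTIONS[$doType] === false) {
        return true;                        // public action
    }
    return ($session['is_admin'] ?? false) === true;
}

/**
 * Build the file name for a navigation page on the server. Only letters,
 * digits, '_' and '-' are accepted, and the extension is always ".html",
 * so a name containing a dot or a slash is refused, not rewritten.
 */
function safe_nav_filename(string $name): ?string
{
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) !== 1) {
        return null;
    }
    return $name . '.html';
}

// Constructed inputs: an anonymous session, then an admin session.
var_dump(authorize_action('admin_setting_write', []));
var_dump(authorize_action('admin_setting_write', ['is_admin' => true]));
// Constructed page names: one with a script extension, one plain.
var_dump(safe_nav_filename('shellname.php'));
var_dump(safe_nav_filename('about-us'));
```

The file name must be recomputed with the same function on every edit request, never read back from a form field, and the web server should not hand files under main_pages/ to the PHP interpreter.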




*Additional information
Bypass Login Error
If you fail to log in and get something like this

There's a solution. Just follow everything I do in the video below.




Live Demo :



Video Tutorial:



Part I



Part II


That's all for this tutorial from me ^_^