
Editing files on webserver?


Infam0us
Member

Hacking into index.html and leaving a comment (or note) that lets the admin know the vulnerabilities and what it could have cost him.

Ok so let's say you have a database file, and inside this db there are plain text passwords. You find the admin login page and log in with the password you have for the account labeled "admin". And nothing too interesting there (as far as editing the website). You also have a password for a user named "owner". The site has a major SQL injection vulnerability so credentials aren't needed anyway. How would I leave a comment in the HTML code of the index.html? Would it be the best idea to try an FTP program to try and edit the index.html? How many ways can you access the HTML files of a web server for editing? FTP, webadmin.php, access their files through godaddy.com or whoever they're registered with? Are these usually ways that a hacker gains access to index.html etc.??
 

AldarHawk
The Manager

Okay, let's make this simple. You cannot edit the files remotely UNLESS there is a file editor there. Most likely the system is on a database structure. All you would need to do is add a new News Posting to make it visible on the index. Otherwise you would need to know the FTP password (a lot of the time different from the admin password, also normally uses different user names). So you can either send them an email or post some news.


Infam0us
Member

AldarHawk wrote: Okay, let's make this simple. You cannot edit the files remotely UNLESS there is a file editor there. Most likely the system is on a database structure. All you would need to do is add a new News Posting to make it visible on the index. Otherwise you would need to know the FTP password (a lot of the time different from the admin password, also normally uses different user names). So you can either send them an email or post some news.

Awesome, thanks for the quick reply. Is there any way to find out if a server uses a file editor? And let's say they didn't have a file editor, would it be possible (since it would seem that a web page like this wouldn't be too hip on sanitizing user input) to edit the files on the server through a server side include vulnerability or some other vulnerability that takes advantage of non-sanitized user input? Or if the attacker could find out what server it was running, how hard would it be to upload a PHP shell or something of the sort and have full access to the server? What would be the best approach to taking advantage of completely non-sanitized user input? Like I said, thanks for the quick reply :D