Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

Editing files on webserver?


Infam0us's Avatar
Member
0 0

Hacking into index.html and leaving a comment (or note) that lets the admin know the vulnerabilities and what it could have cost him.

Ok so lets say you have a database file, and inside this db there are plain text passwords. You find the admin login page and login with the password you have for the account labeled "admin".  And nothing to interesting there (as far as editing the website).  You also have a password for a user named "owner".  The site has a major sql injection vulnerability so credentials aren't needed anyway.  How would I leave a comment in the html code of the index.html?  Would it be the best idea to try an ftp program to try and edit the index.html?  How many ways can you access the html files of a web server for editing?  ftp, webadmin.php, access there files through godaddy.com or whoever there registered with?  Are these usually ways that a hacker gains access to index.html etc.??  
 

AldarHawk's Avatar
The Manager
0 0

Okay, lets make this simple. You cannot edit the files remotely UNLESS there is a file editor there. Most likely the system is on a database structure. All you would need to do is add a new News Posting to make it visible on the index. Otherwise you would need to know the FTP password (a lot of the time different from the admin password, also normally uses different user names). So you can either send them an email or post some news.


Infam0us's Avatar
Member
0 0

AldarHawk wrote: Okay, lets make this simple. You cannot edit the files remotely UNLESS there is a file editor there. Most likely the system is on a database structure. All you would need to do is add a new News Posting to make it visible on the index. Otherwise you would need to know the FTP password (a lot of the time different from the admin password, also normally uses different user names). So you can either send them an email or post some news.

Awesome thanks for the quick reply. Is there anyway to find out if a server uses a file editor? And lets say they didn't have a file editor, would it be possible (since it would seem that a web page like this wouldn't be to hip on sanitizing user input) to edit the files on the server through a server side include vulnerability or some other vulnerability that takes advantage of non sanitized user input? Or if the attacker could find out what server it was running, how hard would it be to upload a php shell or something of the sort and have full access to the server? What would be the best approach to taking advantage of completely non-sanitized user input? Like I said thanks for the quick reply :D