
Page source. MYSQL. ETC. ETC.


ghost's Avatar

I'm trying to figure out how to crack a login that I got online. I would show you the link but it's hosted on my home server (no thanks) and I don't want to bother to host it on a free host.

Alright, so my login has a button that says "Click here to login". If you view the source, the source will be
<a href="192.168.1.104/members/">Click here to login</a>
When you click to login it doesn't bring you to a new page; just a JavaScript-like pop-up box comes up with user name and password boxes. I tried some SQL injections with no luck. If you enter a password that's not correct it just brings the box up again until you hit cancel, then brings you to 192.16.1.104/failed/. I need to figure out a way to view the source of /members/ (or at least that's what I think I have to do) and I can't figure out how. I also tried turning JavaScript off but the login screen still comes up.

Anyone have any suggestions, or tips/help? That would be GREAT.

Thanks for your time.


ghost's Avatar

Okay, so maybe you didn't give us a link… but I really hope that's not your home IP that you posted =\ If it is… I suggest removing it quickly.


spyware's Avatar
Banned

johnjuan728 wrote: Okay, so maybe you didn't give us a link… but I really hope that's not your home IP that you posted =\ If it is… I suggest removing it quickly.

It's a local IP you !@$# :P

At TS: Try viewing the source of the file where information is being posted. Try to figure out how the login works. Does it post to a PHP file? You can't view the source of those except when you have LFI in the site. Poke around and see what you can find.

If a "box" comes up when JavaScript is disabled it's probably htaccess. Google for htaccess and you'll get the info you want. You can hack it by rooting the server or getting an LFI. Or navigating AROUND the htaccess.


ghost's Avatar

Alright john, I think I'll let that one slide, that you don't know the difference between an IP and a local IP. lol. And thank you spyware, you were very helpful. :D Keep up the good work.


richohealey's Avatar
Python Ninja

how on earth do you plan to navigate AROUND htaccess?? htaccess is recursive!!!


ghost's Avatar

trixus wrote: Alright john, I think I'll let that one slide, that you don't know the difference between an IP and a local IP. lol. And thank you spyware, you were very helpful. :D Keep up the good work.

Not gonna lie.. wasn't payin' any attention ^_^ but meh, I'll take the insult hehe


spyware's Avatar
Banned

richohealey wrote: how on earth do you plan to navigate AROUND htaccess?? htaccess is recursive!!!

This is where the hackers part comes in. You can either root the whole box, check out IP-neighbors and root those, SE the sys-op (better known as the asshole who runs the box) or sniff packets. Intercept mail. Whatever. That's navigating too. Navigating means more than browsing in your modded firefox.


ghost's Avatar

spyware wrote:
richohealey wrote: how on earth do you plan to navigate AROUND htaccess?? htaccess is recursive!!!

This is where the hackers part comes in. You can either root the whole box, check out IP-neighbors and root those, SE the sys-op (better known as the asshole who runs the box) or sniff packets. Intercept mail. Whatever. That's navigating too. Navigating means more than browsing in your modded firefox.

Continuing spyware's post, since he beat me to the general, I'll go a bit more specific:

Is the protocol encrypted (https)? If not, I'd suggest figuring out who is going to be logging into the box, and then just do a MiTM attack. Check out ettercap. This is your best bet by far.

Since you're on a local network, why not use this as a chance to try out all the physical intrusion stuff you've learned and never used?

Also, you should be able to capture logins to email accounts from clients. The first time I gave a presentation in a tech class, there was a kid who always checked his emails on his PDA in our class. I was using Wireshark to capture an ARP packet so that I could show a real-world example of one. Well, I used a shell script to start Wireshark, and it started ettercap too. So I switch to another desktop to run vi, and there's ettercap: and in the status box at the bottom is his email address and password (dorkdork)…. Everyone in the room started cracking up and I got to give a second lecture on the history of encrypted protocols, and how they work. The kid never used his PDA during our class again.
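
The browser login box that still appears with JavaScript disabled (spyware's htaccess point) and the HTTPS question raised in the post above come down to the same exchange, sketched here as an added example that is not from any poster in this thread. The sample messages, the host `intranet.example`, the user `alice` and the function names `headers` and `audit` are constructed for illustration.

```python
import base64

# Constructed sample traffic (not from the thread): the 401 challenge that makes
# the browser show its native login box, and the retry that carries credentials.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b'WWW-Authenticate: Basic realm="members"\r\n'
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_REQUEST = (
    b"GET /members/ HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:constructed-pw") + b"\r\n\r\n"
)

def headers(raw):
    """Parse the header block of a raw HTTP message into a lowercase-keyed dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    out = {}
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        name, _, value = line.partition(":")
        out[name.strip().lower()] = value.strip()
    return out

def audit(response, request, over_tls):
    """Return defender-facing findings for one challenge/retry pair."""
    findings = []
    challenge = headers(response).get("www-authenticate", "")
    scheme = challenge.split(" ", 1)[0].lower()
    if response.split(b" ", 2)[1] == b"401" and scheme:
        # The dialog is drawn by the browser itself in reaction to the 401.
        findings.append(f"server-side HTTP auth ({scheme}); disabling JavaScript has no effect")
    kind, _, token = headers(request).get("authorization", "").partition(" ")
    if kind.lower() == "basic":
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return findings + ["malformed Basic token"]
        user, sep, _password = decoded.partition(":")
        if sep and not over_tls:
            # Base64 is an encoding, not encryption: anyone on the path can reverse it.
            findings.append(f"cleartext-equivalent credentials for user '{user}'; require HTTPS")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE, SAMPLE_REQUEST, over_tls=False):
        print(finding)
```
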


ghost's Avatar

Thanks death, :D. But yeah, it is on a local host, but for learning purposes (since, technically, I have access to all the files anyways) I want to "pretend" it's not, or at least not use any exploits that can only be done to local hosts.