(FYI....THIS IS CURRENTLY UNDER MAJOR REVISION TO SUITE A MORE TECHNICALLY INTELLECTUAL AUDIENCE)
Thank you for you patience while I rework this.
-cisc0ninja
This is meant to be an introductory lesson to mucking with webservers and the like, so if you're been doing this since the mid 90's this is stuff you probably already know and if you're new and saying "hey i don't think that works" then it's outdated info still left in my cranium; sorry and feel free to update/add.
To avoid any legal issues we're going to be using our site as an example, although you can basic insert any site when you are trying these methods.
This info should be common knowledge but based on the success of my previous tutorials apparently there's a lot of people not in the know.
So you've got a web address now what?
http://www.soldiex.com
hmmm...
I wonder if they have an images gallery...
www.soldierx.com/pics doesn't work
lets try...
www.soldierx.com/pictures still no luck
www.soldierx.com/images page not found!
www.soldierx.com/image oh there we go!
hmm... what all ports do they have web sites or potentially other interesting goodies on?
well web based ports are normally something like 80, 8080, 1080, 443, etc..
lets try....
www.soldierx.com:8080
or
www.soldierx.com:443
etc.... etc...
(these will yield no results on our site but try it on others and see what you get!
I wonder if they are running an ftp for some kinda transferring web files?
ftp://www.soldierx.com
http://www.soldierx.com:21 ( i know this wont really work but it may tell you the version # or name of the ftp application, if there is one and it's running on the default port)
Man I wonder what applicatoin is used for hosting?
Good thing I know how to use telnet!
telnet www.soldierx.com 80
hmm...
my port scan shows ftp running on port 666
ftp://www.soldierx.com:666 awesome! (not really because we're not doing it but it's funny finding sites that still run ftp servers they think aren't viewable by everyone)
oh speaking of viewable i wonder if there are any hidden directories!
www.soldierx.com/administrator/ (try with or without an "s")
www.soldierx.com/admin well i think it's there but i can't see anything!
I wonder if I can throw garbage at it to let me browse the admin directory or a higher currently inaccessible directory?
www.soldierx.com/~~~~~~~~~~~~~~~~~~~~~~~~~~/admin/stats/index.htm/../../
or how about....
ftp://www.soldierx.com/~~~~~~~~~~~~~~~~~~~~~~~~~~/admin/files/../../../e...
I wonder if other file types work? Are they running js? or php?
www.soldierx.com/index.htm works, what about...
www.soldierx.com/index.js
www.soldierx.com/default.html
www.soldierx.com/index.php
I wonder if they've got a lot of messed up code or if something is vulnerable to an exploit because they're using apache 1.0.0.2
(not us but i can guarantee you somebody on the net is still using it)
Well it's a good thing I have nikto.pl
perl nikto.pl -h www.soldierx.com
I wonder if they are running some kind of backend database for the site?
Oracle? SQL? Mysql? Microsoft SQL?!?!?!?
sqlmap ftw!
python sqlmap.py -url "http://www.soldierx.com/sqlmap/mysql/get_int.php?id=1"
Any questions? That's what the forums are for.
Wanna update? Feel free to.
-cisc0ninja
cisc0ninja's cranium