Hello everyone, this is IRISnoir from Hackingarise. I am back with another post for you. Now, today, we will be discussing about AcuForum, as you see in the title.
Be cautious, though. Because if you can get in there easily, then why can’t the others. And if you’re skillful, you can know and avoid their grip against you. You must refrain from touching the links, even if they’re tempting.
First of all, initiate your VPN. Because the site has an IP logger. Also, Secure your DNS.
Now, go to it with this link: http://testasp.vulnweb.com/
You will then need to LOGIN
Just press the login button on the greenish bar.
But you can’t login, you don’t wanna register too, because you don’t need another login for a useless site. WhaT ArE YOu GonNA DooOOo!!11!
Well, it’s easy. You inject them with malicious SQL code.
I will give you a step by step tutorial:
1 – Put ‘admin’ at the username part. I know that you can put anything there but putting admin makes it all cooler.
2 – Inject SQL code into the Password bar:
' or 1=1--
Now, I’m gonna break this piece of code down into parts and explain them. This is for those that haven’t learnt about SQL injection yet. You can skip this.
Broken down code: ‘ | or 1=1 | —
He first part is the apostrophe. Now, you might be thinking. Why is an apostrophe needed. That is because it is SQL code. Here is a sample of what SQL code looks like:
WHERE name = 'admin'
AND pass = '' or 1=1--' LIMIT 1
At the start, you can see ''. That means the apostrophe we mentioned acted as a stopping part for the starter one.
Now, we go to the 'or 1=1' part. When you combine the statement, it actually makes sense:
'' or 1=1
This will make it so that the results are ALWAYS TRUE. Making the system give you entry no matter what. That is just dangerous. Am I right?
To the '--' part, it acts as a commenter. Meaning that it turns everything beyond the '--'. It will force the system to discard the other code beyond those two negative sentiment.
Instead of the system seeing this:
AND pass = '' or 1=1--' LIMIT 1
It actually can only execute this part:
AND pass = '' or 1=1
If you ask me what teamwork really is, I will show you this. Each of the code all do their part. Just like everything should be in exploiting and hacking. SQL is just dangerous.
Now, enough with the chit chat. When you enter the 'credentials', which means:
admin:' or 1=1--
Then you will gain entry as ADmIn. How exciting!!!
Then you can make a post. About whatever you want. You can say Hi, perform some XSS, or whatever you want. BUT, secure yourself. Use a VPN and secure your DNS. Again, AcuForum has an IP logger there for your actions. Be alert. Once you get caught, it's all over.
It is also vulnerable to more attacks, like directory traversal, and more, can you find and perform all the exploits?
Now the DISCLAIMER: This is just for education purposes, stay safe, stay ethical as Hackingarise is never responsible for your malicious deeds.
It's legal only if you hack sites that are dedicated specifically for hacking like AcuForum itself. Hacking others will get you in trouble.
Thank you for reading, if you like this website and find it useful and informative, share it to your friends. Also, please make a donation, it will help us a BUNCH.
Also, check this out.
Have a nice day.