So how do you send stuff back to the webserver? Try this:

GET / HTTP/1.0
<your command here>

What kinds of commands can you send? The book Hackproofing Your Network (by Ryan Russell of Securityfocus.com and Stace Cunningham) suggests a fun and harmless hack. Create and store a bogus cookie in the location on your web browser that stores cookies. (Find it by searching for the file "cookies.txt".) Name your bogus cookie something like "MyBogusCookie." Then telnet to the victim webserver and give something like this command:

GET / HTTP/1.0
User-Agent: HaveABogusCookieThisIsAJoke 123.4
Cookie: /; MyBogusCookie
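
Seen from the server side, a hand-typed request like the one above stands out. The following is an added example, not part of the original guide: it parses a raw request and reports what a browser would not normally send. The function names, the sample string and the "no Host header" heuristic are assumptions made for illustration.

```python
import re

# RFC 6265 cookie-pair: token "=" value (value check simplified here).
COOKIE_PAIR = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+=[^\s,;]*$")

def parse_request(raw: str):
    """Split a raw request into (method, target, version, header list)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # A line with no colon is kept with value None so it can be flagged.
        headers.append((name.strip(), value.strip() if sep else None))
    return parts[0], parts[1], parts[2], headers

def findings(raw: str):
    """Return reasons the request does not look browser-generated."""
    _method, _target, _version, headers = parse_request(raw)
    out = []
    names = {n.lower() for n, v in headers if v is not None}
    # Heuristic (assumption): Host is optional in HTTP/1.0, but browsers send it.
    if "host" not in names:
        out.append("no Host header")
    for name, value in headers:
        if value is None:
            out.append(f"header line without colon: {name!r}")
        elif name.lower() == "cookie":
            for pair in value.split(";"):
                if not COOKIE_PAIR.match(pair.strip()):
                    out.append(f"malformed cookie-pair: {pair.strip()!r}")
    return out

# Constructed sample: the request from the guide, as typed over telnet.
GUIDE_REQUEST = (
    "GET / HTTP/1.0\r\n"
    "User-Agent: HaveABogusCookieThisIsAJoke 123.4\r\n"
    "Cookie: /; MyBogusCookie\r\n\r\n"
)

if __name__ == "__main__":
    for reason in findings(GUIDE_REQUEST):
        print(reason)
```
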

The Überhacker! -- How to Break into Computers book details a number of serious attacks you can perform through sending funny input to a webserver. Basically, you need to learn how to write shell programs, and then find ways to get them to be run by the webserver. I'm not going to explain them here, however. These attacks, when carried out against a vulnerable webserver, are so easy that little kids could do them, and I don't want to be responsible for their behavior. It's much harder for little kids to get a hold of Russell's and my books than it is for them to read this GTMHH on the Happy Hacker website.

So are you dying to know what to send a webserver in order to break into it, without having to buy a book? Here are some hints. How to do this will depend on what webserver it is, what operating system it runs on, whether its security weaknesses have been fixed, and whether the web designer has used things such as Common Gateway Interface (CGI) or Server Side Includes (SSIs) that have weaknesses in them.

You will have to research these issues at Web sites that archive vulnerabilities and exploits such as http://www.securityfocus.com/ and http://packestorm.securify.com/. You will need to study web site programming (HTML -- hypertext markup language, CGI and SSIs) and shell programming. You will need to learn webserver commands (documented at http://www.w3.org/hypertext/WWW/markup/Markup.html). You will have to use your brain and be persistent.

But at least if you come across a telnet exploit, now you know the answer to the question "where do I type that command?"

___________________________________________________
Where are those back issues of GTMHHs and Happy Hacker Digests? Check out the official Happy Hacker Web page at http://www.happyhacker.org/.
We are against computer crime. We support good, old-fashioned hacking of the kind that led to the creation of the Internet and a new era of freedom of information. But we hate computer crime. So don't email us about any crimes you may have committed!

Copyright 2000 Carolyn Meinel. You may forward, print out or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave this notice at the end.

© 1999 - 2008, MultiMedia SRL