
Question On General Site Exploiting

elmiguel
Member



Posts: 160
Location: Your Computer
Joined: 12.12.07
Rank:
God
Posted on 23-04-08 01:49
Ok, I have a friend who owns a website. Not very well done. He has it through a Very knowing web hosting Company (honestly a shitty one to my standards). Anyway, we were talking and I started to show him the basic changing of the URL stuff; is there a way to block it? For instance: http://www.example.com/index.html, then to find out what's on the pages, http://www.example.com/images/. Yada. So back to the point: is there a way to block that type of stuff? And is there a way to test or see if it is possible to drop a list of the root folder itself? Then a way to stop it from dropping a list. (Cannot release the name of his site per his request)


The philosophy of one century is the common sense of the next. -Fortune Cookie

I would like to thank a few friends that I have made here that helped me and deserve to be mentioned:
System_Meltdown, Futility, nvrlivenvrdie, Mastergamer, TrueHacker, S1L3NTKn1GhT, Reelix, ynori7, Demons Halo, kryptor

www.hellboundhackers.org/sig/r/24963.png

www.hellboundhackers.org/sig/hbh2.png
<script>alert('XSS');</script>
Author

RE: Question On General Site Exploiting


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 23-04-08 01:55
a simple fix would be adding an index.html page in every folder you want "secured" saying

Directory listing not allowed

or something like that.

if you want to ACTUALLY store files in a public place, but restrict access, do some research on "htaccess"


Author

RE: ok

elmiguel
Member



Posts: 160
Location: Your Computer
Joined: 12.12.07
Rank:
God
Posted on 23-04-08 02:02
Cool, I will read up more on .htaccess. Now, is there a way to test to see if I could drop a list of the root folder through the URL address, if that is possible, or is there a different method I should be testing? (Testing web sites is different outside of HBH, LOL)




Edited by elmiguel on 23-04-08 02:09
Author

RE: Question On General Site Exploiting


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 23-04-08 02:31
you cannot drop root in the same fashion.

what happens is, if you point to a directory, and there is NO index.html page, then apache gives a directory listing.

so an index.html page actually protects it pretty well.

but once again, if the location of files is critical to your security, you should probably think about redesigning your site ;)


Author

RE: Question On General Site Exploiting


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 23-04-08 02:37
DigitalFire wrote:
you cannot drop root in the same fashion.

what happens is, if you point to a directory, and there is NO index.html page, then apache gives a directory listing.

so an index.html page actually protects it pretty well.


hmm i can't believe i wasn't aware of that lol. guess i just never thought about it or noticed it. haha guess you learn something new everyday


Author

RE: Question On General Site Exploiting


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 23-04-08 03:53
ok, interesting. Then how come whenever i visit

www.system.meltdown.isahomo.com

it automatically sends me to a list of directory files?


Author

RE: Question On General Site Exploiting

richohealey
Member



Posts: 1022
Location: #!/usr/local/bin/python
Joined: 01.05.06
Rank:
Monster
Posted on 23-04-08 04:00
DigitalFire wrote:
you cannot drop root in the same fashion.

what happens is, if you point to a directory, and there is NO index.html page, then apache gives a directory listing.

so an index.html page actually protects it pretty well.

but once again, if the location of files is critical to your security, you should probably think about redesigning your site ;)


Actually you're wrong.

assuming you're using apache, though most httpd's are compliant;

It looks through the default extensions (on my server, .py, .php, .html) looking for default name (defaults to index).

Failing this, it then performs the default action, which DEFAULTS to a dirlisting.

You can point that to a 404 if you want, or just turn DirectoryListing False in httpd.conf


bitchohealey at hotmail dot com skype:richohealey www.psych0tik.net
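Added example, not part of any post in this thread: in Apache httpd the lookup described above is configured with `DirectoryIndex`, and the auto-generated listing is controlled by the `Indexes` option. The fragment below shows the weak setting beside the corrected one; the path `/var/www/example` is a constructed placeholder.

```apache
# Constructed example; /var/www/example is a placeholder DocumentRoot.

# Weak setting (shown commented out): with Indexes enabled, a request for a
# directory that contains none of the DirectoryIndex files is answered with
# a file listing generated by mod_autoindex.
#
# <Directory "/var/www/example">
#     Options Indexes FollowSymLinks
# </Directory>

# Corrected setting for the same tree.
<Directory "/var/www/example">
    # Files tried, in order, when the URL names a directory.
    DirectoryIndex index.html index.php

    # Remove Indexes from the effective options. A directory without an
    # index file now returns 403 Forbidden instead of a listing.
    Options -Indexes

    # Allow .htaccess files under this tree to set Options. Only needed if
    # the change is made from .htaccess, as on shared hosting.
    AllowOverride Options
</Directory>

# Shared-hosting variant: when httpd.conf is not editable and the host
# permits Options overrides, a single line in the .htaccess file at the
# site root applies to every subdirectory:
#
#     Options -Indexes
#
# Check after reloading: request a directory that has no index file
# (for example /images/) and confirm the response is 403, not a listing.
#
# Scope: this only hides the listing. Any file under the tree is still
# served to a client that requests its exact URL, so files that must not
# be public need access control or a location outside the DocumentRoot.
```

A placeholder index.html suppresses the listing only for the one directory it sits in; `Options -Indexes` covers the whole tree, including directories created later.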
Author

RE: Cool, Thanks For the input

elmiguel
Member



Posts: 160
Location: Your Computer
Joined: 12.12.07
Rank:
God
Posted on 23-04-08 13:46
Cool, so mainly all I have to do is set up his .htaccess and just start making path redir if someone tries to change the URL. I will search the code bank to see if there are some good scripts to add for other security. Thanks for all the input.

