How to destroy someone’s server or website using command execution or file execution.

Is your client not paying you after the work is done? So you want to destroy his server and web application?

Hey guys, today I will show the process of destroying someone's server or website. But keep in mind that this is only for educational purposes. If you do any harm to anyone using this script, then I am not liable for it.

Sometimes we developers work with various clients. But some bad clients do not pay after the work. Also, sometimes they want more changes than the contract covers. If the developer does not want to make those changes, the client may not pay him. And even if they pay, they may give you an unexpected rating on Fiverr, Upwork, Freelancer and many other online marketplaces. So this is a way to teach them a lesson. I will show two processes here.

I am assuming that you are working with some one and you have his server access or FTP access or may have Cpanel or SSH access. Anyone from them. Then you have to upload this code into his site. So that you may execute it from your browser URL. I mean you must have to upload this script in his server.

Specially today i will show you the process on wordpress. But this process is not only for wordpress. You may use it any any site which runs php code in it’s server. Again, it is a php code, so the server must need to execute php code. Otherwise this tricks will not work.

And i request you to insert this code in any of the known file which already exists in the server. Because if you add any extra file the web admin pay guess that as a extra added file and may have a look inside the file. So you must have to tricky to do this. Also in wordpres if there they installed security plugin, like iThemes Security, Sucuri, Wordfrence, All in one WP security and many more, most of the plugin has file changing detection system. So if you insert your code into core wordpress file like wp-config.php then the plugin will detect that file changed and it will send notification to the web administrator. But it never trace the readme.html which located in the root directory of wordpress installation. But the problem is if you add this code inside the readme.html and access the file through browser URL it will not work for you. Because of file extension. readme.html is a html file and php code will not run inside it. So then you have to either rename it to readme.html or you have to add a php file like readme.php.

Hack clients server and destroy it’s content.

But i recommend to rename the file instead of adding new one. Because if there is two readme file then the admin may differ it and it also eye-catching. So better rename the readme.html to readme.php and then insert the shell code there.

Now i am going to show you step by step process of destroying website or server or wordpress using non traceable php script or shell. This is non traceable because this is not a automated shell code like c99.php and i not encoded this script to base64. So it can easily insert into any code of the existing file. Hackers insert malicious code inside site by encoding base64 which looks like random text and integer so it is eye-catching. But if you wish then you can do so. I’ll show both process here.

Non detectable shell code in php.

Step one: Shell Code:

So this is very simple few lines code.  Now you have to run/execute this code through browser URL.

Step Two: Insertion and execution process.

Here now i will show the process of how to and where to insert and then how to run or execute the code. So for simple making i will show the process here in my localhost via XAMPP applicaiton on windows operating system. But obviously it should work in other operating system like Linux, Mac OS.

Here i have inserted the code in a separate file.

We are almost done of the first process. Now we have to run the code from browser. As here i am using the wordpress so then my file access path will be http://localhost/sell/wp-content/themes/cashforcar-wp/init.php because i kept the file into that folder. If i keep the file into the wordpress installation root directory then my file path will be http://localhost/sell/init.php but as i kept it into that folder lets execute this in our browser URL.

Hack web application is easiest way.

Here i am seeing a blank page after execution the URL. Yes if you also fetch this then you are also ok. No problem, i kept the code hidden that means i added a css property on form tag as display none. That’s why this is not sowing anything. So now you have to make the input form visible and execute code. For doing that right click anywhere on the blank page and go to Inspect Element of your browser (I am using google chrome browser).

After Inspect then click on form tag from the Elements and then see the css property. Display none, i added display none because some plugins can find out css property as hidden. That’s why i not recommend to use hidden property. Now just disable the property by clicking on the left tick option of display:none css property as shown in the image. So then you will be able to see then from in the page.

Now you can run command (Shell or OS command) via this form. As i am using windows OS then i am going to show you some windows based command here. So lets execute the directory listing command first to see the files and ( This command will show you all files and folders and sub folders also). So now type dir /s /b /o:gn and then click on submit button. It will show you all files and folders. When you will run it in Linux machine then you can use linux command like mv, rmdir, mkdir, ls, pwd And the most powerful and strong command in linux or unix based OS is sudo rm -rf / or withour sudo rm -rf /  . It will destroy the linux machine. But some server not allow to execute this code due to security. Happy hacking. If you fetch any problem then ask me in comment section or email me in j4g064ndhu@gmail.com.

After the execution it will show the output like the image below.

Now you can do whatever you like with the OS command. You may create new file or directory and insert code into that. Again you may delete any file from there and the site will not function properly or damage permanently. It’s now up to you what you want to do with that. Now i am showing the process of mixing this code with base64 encoded and plain text into the readme.html file.

Then open the readme.php in a code editor and insert the code above of the file. You may use base64 encoding by converting the php code to base64 online.

Now you have to call the URL from browser like http://localhost/sell/readme.php and then it will provide you the same hidden from with some other text on the page. So if the admin run the readme.php without looking inside the code if the file then he will not able to guess the hidden input box for command execution. After this you have to inspect and make the form visible then execute command. I am also giving you an another code for the same purpose. But it is a little bit different from this.

Server file deletion non encoded php shell code.

So here if you input any specific folder name for the input GET parameter then it will delete that folder and it’s sub folders. But if you directly call the URL without parameter then it will delete all files and folders in the wp-content directory. Here wp-email.php file i created and injected my code. I created the file as like wordpress core file. So see what happen after execution. Be careful during the execution in your own computer. If you fetch any difficulties then just ask me in the comments. I will try my best to help you to learn.
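Seen from the site owner's side, every change described on this page (a static `readme.html` turned into `readme.php`, an extra `init.php` in a theme folder, a look-alike `wp-email.php` in the root) alters the file tree, so a baseline of all files, not only core PHP files, exposes it. The following is an added example, not code from the original post: it builds a SHA-256 manifest and reports what changed. The file names come from the page; the theme folder `t`, the `SCRIPT_EXT` list and the function names are assumptions, and the sample tree is constructed with placeholder content.

```python
import hashlib
from pathlib import Path
import tempfile

SCRIPT_EXT = (".php", ".phtml", ".phar")  # extensions the PHP handler may execute (assumed list)

def build_manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def audit(baseline, current):
    """Compare a known-good manifest with the live tree; return ordered findings."""
    missing = sorted(set(baseline) - set(current))
    findings = [("modified", rel) for rel in sorted(set(baseline) & set(current))
                if baseline[rel] != current[rel]]
    findings += [("missing", rel) for rel in missing]
    for rel in sorted(set(current) - set(baseline)):
        is_script = rel.lower().endswith(SCRIPT_EXT)
        # A static file that vanished while a same-named script appeared beside it
        twin = [m for m in missing if m.rsplit(".", 1)[0] == rel.rsplit(".", 1)[0]]
        if twin and is_script:
            findings.append(("renamed-to-executable", f"{twin[0]} -> {rel}"))
        else:
            findings.append(("unexpected-script" if is_script else "added", rel))
    return findings

def demo():
    """Constructed tree: take a baseline, then make changes like those this page describes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clean = {"readme.html": "<h1>readme</h1>", "wp-config.php": "<?php // config",
                 "wp-content/themes/t/index.php": "<?php // theme"}
        for rel, body in clean.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        baseline = build_manifest(root)
        (root / "readme.html").rename(root / "readme.php")
        for rel in ("wp-email.php", "wp-content/themes/t/init.php"):
            (root / rel).write_text("<?php // placeholder, no payload")
        (root / "wp-config.php").write_text("<?php // config, edited")
        return audit(baseline, build_manifest(root))

if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

Store the baseline manifest off the server and take it before handing out FTP, cPanel or SSH access, so that anyone with write access to the site cannot also rewrite the baseline.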

 
