Need help "hacking" a website.



#1

dickwebster

So my school website is completely retarded in security measures, and I've been trying to get in the website for about 2 days right now, to show how shitty their security is. Now, I'm not going to give the website obviously, but basically the website is so shitty that the teacher's login page had a way to bypass it by looking at the script itself. I found out that in the website I can go to xxxx.com/classes and there I have a bunch of files like class_general.php. Now I know this is SQL probably bc of the classes and the file name. My question is: how do I read these files or download them, and can I use them? When I click on them they retrieve blank and their size is fairly small, like 11K, but that's because all the other logins are on different websites; these classes probably have the teacher sample login and the admin login.

TLDR: need help reading SQL files that are on .php on /classes

I'm not going to hack the website, nor deface it or some shit like that, I don't even know how to code (script kid here), just need help :)



#2

cnyS91

login try admin admin = profit



#3

dickwebster

> login try admin admin = profit

Do you really think I haven't tried that? ta fuck

I asked if anyone knew how to read the database files that were on .php



#4

cnyS91

Hacking takes time and effort. You obv can't do it



#5

dickwebster

> Hacking takes time and effort. You obv can't do it

First of all, did I fucking say "I'm a hacker"? No, I asked for help explicitly saying that I'm a script kid. You're probably a dense motherfucker that doesn't understand English, aren't you?

Go farm posts on "why i wanan see this? idk thx" and "wow thats alot rep rep rep" you fucking leecher.



#6

SmileyTM

Don't bother bro honestly. Government and Schools are highly monitored and trust me. Even if you get in, the reason why it is blank pages is because they have security. When you click on the PHP page, chances are the very first few lines are if $ISAREALUSER break; Which prevents anyone from ever being able to read PHP files through a browser.

However, there is a possibility they might have an SQL vulnerability which, imo, is a bitch to find if it exists or not.

 

Hope this can help you a little.

 

EDIT: don't forget brute force, you can always crack someone's login info



#7

FaithHF

Ignore above poster. At least in his explanation of what's happening.

 

The only way to read a PHP file from a web browser (that uses a PHP backend) is if you find a script that will read it and output it to you, or if you upload your own somehow. If you just try to open it, it'll parse the actual PHP script instead of displaying the contents.

 

So, to get around all that, you'd need to upload something or find another way to read the data, either using a Local File Inclusion vulnerability to read it or a Remote File Inclusion to write your own script that will read it. Or maybe RCE or whatever. But at most, you're going to likely get some database credentials to connect to a DB, so don't get your hopes up too fast that once you get the file everything is over, there will be a few more steps.

 

I also cannot actually recommend you do this, since schools are considered a subsidiary of the Dept. of Education in the govt. and tampering with school computers is considered tampering with govt. computers, thus rendering you a criminal under the CFAA or whatever other applicable digital laws your country is subject to.


  • 0
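Added example, not part of any post in this thread: the thread describes a browsable /classes directory whose PHP class files return blank pages when requested. For the site's own administrator, the Python sketch below audits a document root for both conditions; the sample tree, the function names and the include-only heuristic are assumptions made for illustration.

```python
import os
import re
import tempfile

INDEX_NAMES = {"index.php", "index.html", "index.htm"}
# Heuristic (assumption): a file that only declares code prints nothing
# when requested directly, which is why the browser shows a blank page.
DECLARES = re.compile(
    r"^\s*(abstract\s+|final\s+)?(class|interface|trait|function)\s+\w+", re.M)
EMITS = re.compile(r"\b(echo|print|printf|header|readfile)\b|\?>\s*\S")


def audit_webroot(root):
    """Return sorted (finding, relative_path) tuples for a document root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if not INDEX_NAMES & set(files):
            # No index file: the server shows a listing if autoindex is on.
            findings.append(("no-index-file", os.path.relpath(dirpath, root)))
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            if DECLARES.search(src) and not EMITS.search(src):
                # Include-only code reachable by URL: move it out of the root.
                findings.append(("include-only-php-in-webroot",
                                 os.path.relpath(full, root)))
    return sorted(findings)


def build_sample_root(base):
    """Constructed sample tree mirroring the layout described in the thread."""
    tree = {
        "index.php": "<?php echo 'home';",
        "classes/class_general.php":
            "<?php\nclass General {\n  function load() { return 1; }\n}\n",
        "pages/index.php":
            "<?php require __DIR__ . '/../classes/class_general.php'; echo 'ok';",
    }
    for rel, body in tree.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_webroot(build_sample_root(tmp)):
            print(finding)
```

Each finding maps to a fix on the server side: add an index file or turn off directory listing for the flagged directory, and keep include-only class files outside the document root so they cannot be requested by URL at all.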

#8

dickwebster

Thanks for the answer. With the security thing, I'm from Portugal and here school security is complete shit, trust me, I got the password for the "teachers lounge" on a document they had on xxx.com/documents.



#9

FaithHF

> Thanks for the answer. With the security thing, I'm from Portugal and here school security is complete shit, trust me, I got the password for the "teachers lounge" on a document they had on xxx.com/documents.

 

I don't doubt that the security is horrible, I've seen some pretty bad setups.

But keep in mind that it may be more information leakage rather than full access, so you may need to find ways to escalate that yourself.

And consider my blurb at the end of the first post more as a disclaimer to protect my own rights :P



#10

NiceSeller

hire a professional hacker from the dark web,

it's pretty cheap.

only around $2000

