How To: Successfully Hack a Website in 2016!

Successfully Hack a Website in 2016!

Hello partners, first of all I would like to thank all those who have sent me positive feedback about my posts, to say that I'm always willing to learn and teach. I'm also open to answer the appropriate questions.

Second i want to say sorry for the series i left in stand by mode, as soon as i get time i will return them, lastly i wanna wish happy new year and happy hacking for you all.

How to Hack a Website?

We all know that hacking is nothing more than the skill of this century.
So what does it means? ´

It means that not everyone can get that skill. so you can see how privileged is to know hacking, in other hands it´s just like a sport, some are born with the talent, some have to practice a lot to get the necessary skills.

Why to Hack a Website? Are Not We White-Hat?

Even in case you never had a successful hack before i assume that once you here you already know what is the meaning of the pic above(the picture looks a little scary and more like a black-hat attitude) , the classification of hackers actually does not make a lot of sense, in my opinion there are newbies,hackers,expert hackers and even worse the skids around, even as a white-hat(according to what the world define as white-hat) sometimes you will find yourself in situations where you have to bring an a*hole down because they are running non--human websites like child pornography and etc.

OK! So How to Hack a Website?

There are a bunch of tutorials here on null---byte and around the internet on how to hack a website with a specific tool, in case you want to learn you are in right place, just look around, but today i want to share something that i think it will be very useful for you, take a cup of coffee grab your chair and start to read this, what i m going to show you today is totally different from my other tutorials, instead of showing you how to use these tools, i will guide you on how you can successfully use these tools and tricks to hack any website, based on my experiences.

Below is my list when i want to hack a website

The Reconnaissance

The reason why a lot of newbies and non-professional hackers fail to get a successful hacking is because they don´t want to wait, most of time they want a magic button where they can click and that´s all, but in the reality it does not work like that, the first thing you have to do is a good reconnaissance about your target, for those familiar with the software development is easier to understand what i mean, you can not develop a good software without a good documentation, just like the UML in software industry here is the same, we need info about the target to make our tasks easier.

My Advice on Good Recon

What are the services they are running?

Figure out stuffs like open ports, software and versions on the server, and try to look for the exploit in case there is at least one online, or you can just make your own exploit.

Tools that i recommend for this section are nmap,whatweb and nikto and of course some others made by Mr_Nakup3nda or you.

Did they write the script by themselves?

In case they wrote it by themselves, look for scripts that take user input,scan for directory listing,check the source code,figure out how the website react to abnormal inputs, i often use these inputs:

ADMIN' OR 1=1# when its an admin url like website/admin/loign/

when its a normal login just try those traditional sql injectors like
' OR '1'='1' --
' OR '1'='1' ({
' OR '1'='1' /*

, but it does not end here, try to write sql statements on the inputs, do echo back to you, try to execute a command based on the server OS, figure out how the website filter the inputs and try to bypass the filters.

And in case they used someone else's code such as CMS just grab a copy of it and try to find bugs on your own, or find an exploit if they use a exploitable version of the CMS.

The Evil Google

Sometimes i hack websites simply with the help of some crafted google searches, as hacker you must know how to use google to gather info or hack, in case you do not know you can see my tutorial on how to use google to hack

Changing the Source Code

I bet at this point you already know how to see the source code of a webpage using the right click trick, just to remember that scripting languages like php,perl,asp, python and so on run on the server--side, so it means you can not see by right click unless its an open source platform where you can get a copy of it and change the whole code.

Directory Listing

Index browsing can be very useful when trying to find files you normally shouldn't see like password files,files used to administrate the web page, log files, any files where information get stored.

you can also manually check for suspicious urls like that:
you can either make tools that will automatically do it for you, tools like dirbsuter can be very useful for this task.

My Friend robots.txt

Its very important while hacking to have a look at these files, i wont explain the use of robots.txt(just google it), they often lead us to a lot of path where they don´t want robots to see and sometimes they are very sensitive paths.

Remote Files Inclusion

File inclusion vulnerability is a type of vulnerability most often found on websites. It allows an attacker to include a file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation. Below we have a piece of php code that open a file.

if (!($hfile = fopen("$file", "r"))
echo("error cant open the file: $file<br />\n");
This example open the file with the name specified in the user input ($file).
That means it opens every file an attacker want to open and if allowurlfopen is ON even remote files.
Look for example at this piece of code:

include($dir . "/members.php");

Just create a file .members.php on your web server and call the script like this:

It will execute your file on the target server. Important is just that you have PHP off or the code will get executed on your server.

NULL Bytes

The name of our community can be and is a very popular vulnerabilities in hacking life.

Lets say they have a script that takes filename that it gets and puts ".txt" on the end. So the programmer tries to make sure that only txt files can be opened.

But what about a filename like this:
It will get to:
So fopen opens phppage.php%00.txt or? No! And that is the point. The fopen functions stops after
".php" before the NULL Byte and opens only "phppage.php". So every type of file can be opened.
Scripts that allow uploads (but only for a certain file type) are also a potential target for this type of attack.


SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution, in my personal experience this is the most popular issue you will find on websites, the problem is that some websites put those info in a database and not all filter them.

So when you echoed back, the javascript message is going to be shown.
If they are just logged the last part should cause a sql error wich might give us a lot of useful info.
You can try the following
and add the /'/'
if it throws an error bingo, you are there.

Cross-Site Request Forgeries (CSRF) And Command Injection

About this type of attack i also made a tutorial on how youcan proceed this type of attacks

Exploitable PHP Functions

Code Execution:
require() - reads a file and interprets content as PHP code
include() - reads a file and interprets content as PHP code
eval() - interpret string as PHP code
pregreplace() - if it uses the /e modifier it interprets the replacement string as PHP code

Command Execution:
exec() - executes command + returns last line of its output
passthru() - executes command + returns its output to the remote browser
(backticks) - executes command and returns the output in an array
shellexec - executes command + returns output as string
system() - executes command + returns its output (much the same as passthru())
.can't handle binary data
popen() - executes command + connects its output or input stream to a PHP file descriptor

File Disclosure:
fopen() - opens a file and associates it with a PHP file descriptor
readfile() - reads a file and writes its contents directly to the remote browser
file() - reads an entire file into an array
filegetcontents() - reads file into a string

Brute Forcing

Sometimes you will try all the methods mentioned above, but some web sites are really secure and there is no easy way to exploit them.

Often this doesn't stop us from hacking them, they might have open ports running some services such as, ftp, telnet and so on, try to brute force it and get the password, Hydra is another amazing tool for this kind of tasks.

Physical Access

If you have a physical access to the server you get everything in your hands, be discrete and leave a backdoor on it and you done.

Other Kind of Attacks You Can Also Perform Are:

Buffer Overflow
Heap Overflow
Integer Overflow

And the list is long, i just shared what i got now in my mind, you can also add yours in the comments sections... see you very soon in next tutorials.

Hacked by Mr_Nakup3nda


gr8 m8 i r8 8/8 no h8 m8

love your hacker image mahn....

great article bro, ty

Except for some gramatical errors, a good article, Mr-Nakupanda!


im sorry bro, im not an english native, you can always correct me..i will try to correct it..
Hacked by Mr_Nakup3nda

Neither am I, and that's why I use grammar correctors sometimes. You could use them to your advantage too.

The Joker listed a few in this article (last section).


i will definitely use them for the next tutorial.

hacked by Mr_Nakup3nda

Brother, I urgently need your help! I have followed all your work, and mainly how to get the pass and user of sites. At the moment I am working for a company called iberdrola and I think they are stealing clients, from which they have withdrawn me total access to my clients, and I only have minimal access. I would like to know if you can help me! Here is my email and I await brother's response. continuation of a good work. hug

which method is best to hack my college website?

Do some recon.


I wonder can I change data of the website? For eaxaple; I press roll a dice and it gives me a number 4 and I want a number 1. Would I be able to change the output? Thanks in advance!

Do some recon on the site. Look around for a script that could control the randomly generated number. And try and see if you can modify it to your advantage. Im sorry to be so vague about my answer but I dont know what it is exactly your trying to hack. Find what language it was programmed in and see if you can spot any vulnrabilities in the site itself. And always make sure you have the permission of the siteadmin.

Master.. can u link or post some video to undertstand it more

Hi I am looking poking for some one to teach me how to hack i know a little bit so far but I am completely self taught. I just started at itt tech for cyber security but I want to learn how to really hack and I don't learn good in a class room

is there any way to get rid of error 403.

It's an access denied message so you need to have the creds.

Great article. I need your help for a hack job. Can we communicate privately??

thanks for shareing it helped me alloth for study i complet understande how it work
but i wil fine more tutoral how you hacking some facebook account stuff like thes

im realy impressing how you all become a master hacker my dream is become a hacker i wanna hack everything make my own sofware :P)) keep it up make more like thes stuff your doing greatfull job teaching other how he hack or how he start hacking its very helpfull

please bro make this all work in video and send me i am waiting . please bro

This is an awesome tutorial. i really like it

@hacker can you teach me how to be come perfect hacker, i have little that i have gain by learning online , before getting myself here.


Hey guys,

I am not a very technical person but I just have a question. I am in a terrible situation with an website which uploaded without my consens several private videos with me(an ex boyfriend). After i talked to him he tried to delete but it s impossible for the users to do it. I sent several complains including DMCA to this website, nothing happened. I talked to the admin and he actually told me that i deserve it. So my question is, can someone take down this website, is there any service like that (maybe it s a stupid question since it s illegal but they survive illegal). I am willing to do everything since they denigrate me without any reason at all. I am not technical at all so it s quite impossible to do it myself..

Well, DMCA is usually a great place to start. Though be sure to resubmit your "my website was hacked on your server" type of message every week for a month or so. That will help to get the attention of the web host in question.

As for hacking the website that has your compromised content. That's usually pretty much impossible, particularly if it's just text and some pictures (ok, not to mention it's illegal to do s0).

Good luck with your fight. I get calls like this all the time. Personal attacks through bad reviews and posting negative details are actually against the law in some states here in the U.S. So don't despair. Just keep up the pressure on the different providers related to the service still displaying your personal information.

Amazing tutorial really very helpful.. Thank you so much.

I've been using fluxion a long while, I want to use sslstrip with it +_+ is it possible to do it ? as I wanna downgrade https requests to http on fake ap while victim access :) thanks

can u suggest a type of hacking for sites like bitsat.
i don't wanna hack bits site bit curious to know about it nd thnx in advance

very very very ...good, nice and helpful tutorial but somehow not satisfied cos there must be some more important things you could explain perfectly...!!! but any ways, Thanks a lot and a lot for the good things. God bless you forever and ever...!!!

MR_NAKUP3NDA bro how to download paid songs....
Can u help me


Share Your Thoughts

  • Hot
  • Latest