wikiHow is a “wiki,” similar to Wikipedia, which means that many of our articles are co-written by multiple authors. To create this article, 166 people, some anonymous, worked to edit and improve it over time.
The wikiHow Tech Team also followed the article's instructions and verified that they work.
This article has been viewed 3,280,889 times.
Learn more...
This wikiHow teaches you different ways to gain access to a website by hacking a login page. Websites are far more advanced and secure than they used to be, so there's virtually no way to gain access to private information just by looking at or writing basic HTML. It's much harder to hack into websites in general, especially if you're a novice! But, if you come across an older website written in rudimentary HTML by a beginning web developer, there's a slight chance you may come across passwords in the website's source code. Yes, we are being serious – passwords in the source code. A slightly more reliable way to exploit a website's login screen is to try a SQL injection. Whatever you do, don't hack into any websites without consent—it's illegal and could get you into big trouble.[1]
Steps
-
Go to the login page of a SQL-based website. If you don't see the fields asking for your username and password, click the Log In or Sign In link on the homepage to get there.
- Most developers have wised up to SQL injection hacks, so this probably won't work on the majority of websites. Still, if you find an older website with a login page, you may be able to use this hack to gain access without knowing a password.
-
Check the website for SQL vulnerabilities. The simplest way to do this is to enter ' (this is the single quote mark) into the username field, and then click the Log In or Sign In button.[2] Leave the password field blank.
- If you see an error message that contains a bunch of SQL code including QUERY: SELECT * FROM, the website is vulnerable.
- If you get a simple error that says the username or password is incorrect, this method won't work.
Advertisement -
Enter the injection code into the "Password" field. If the single quote you entered into the Username field before is still there, delete it—you'll want that field to be blank. In the password field, type ' or 1=1--+.
-
Click the Login button. If you were able to log in successfully, great!
- If this didn't work, it could be because some sites block 1--+. Try using one of these as the password instead (still leaving the Username field blank): ' or 1=1# or ' or 1=1--.[3]
- If you're able to gain access to the database, the ethical thing to do would be to alert the administrator.
- If you're still not able to log in, the site is protected against this type of hack.
-
Go to the login page of the website you want to hack. You can use any modern web browser, including Chrome, Firefox, or Safari.
- Passwords are encrypted the vast majority of the time—it's extremely rare that websites and login forms are coded in basic, unsecured HTML. You may be able to use this method if you find a very basic website from a long time ago, or maybe the website of a new-to-HTML student.
-
Go to the "Login" section. If the website has a dedicated login section, click the Log In or Sign In link or button to go there.
- If the website loads to a login screen (or if the login section is on the home page), you can skip this step.
-
Press ⌘ Command+U (Mac) or Control+U (PC) to open the website's source code. This displays the HTML source code of the current page in a new tab.
-
Press ⌘ Command+F (Mac) or Control+F (PC). This opens the Find tool, which lets you search through the document.
-
Type password into the search box. This identifies all instances of the word "password" in the code. Use the arrows next to the search field to scroll through the results.
- If you don't see any results, shorten the search to pass and repeat, then do the same with user, username, login, and other keywords which may describe login information.
- If you're attempting to hack the website by logging in under the website's administrator credentials, the username may be something like "admin" or "root".
-
Try entering an incorrect username and password combination. If you've combed through the HTML with no adequate search results, do the following:
- Close the source tab.
- Type in random letters for the username (or email address) and password fields.
- Click the Log In button.
- Re-open the source page by pressing Command + U or Control + U.
-
Look for login credentials on the error page. Once you've updated the source code to reflect what's on the failed login attempt page, you can resume using the search bar to look for keywords pertaining to the login information.
-
Enter any found login credentials on the site. If you were able to retrieve some form of username and password from the website's HTML, try using the credentials in the website's login section. If they work, you've found the correct credentials.
- Again, the chances of anything you found in the HTML working as a successful login are extremely low.
Community Q&A
-
QuestionCan you suggest any good hacking courses?Community AnswerSites like Hackthissite and Hellbound Hackers provide you with real life scenarios that can help you learn. You might start there.
-
QuestionCan I be caught if I hack a website?Community AnswerEventually, yes. Every time you access a page, it makes a log file that contains your information. This includes your IP, which can later be traced back to you by authorities if they have the legal right to do so.
-
QuestionWhat do I do if I can't change the script?Community AnswerYou don't literally change the script; you copy it to a text editor, then open it as an HTML file. This will open the website through the script that you saved in your computer.
Tips
-
Learning HTML will give you a small advantage when reviewing your selected website's source code.Thanks
-
Login forms are one thing. Try looking for forms, comments, or anything else that lets you input text. Then, you can input HTML, CSS, or JS. But, don’t hack, this is just an example.Thanks
Tips from our Readers
- Search source code for login-related keywords like "password" or "username." But again, hacking without consent remains illegal, despite ease of access.
- If your first SQL injection try fails, tweak the code, but don't overdo it. Repeated failures draw attention and legal liability. Know when to move on.
- Dig through the source code for any clues about passwords or logins, but encryption makes this unlikely nowadays. Still, carefully check.
- With extremely primitive sites, you might find exposed login data in the source. But lack of permission makes hacking illegal regardless.
- Input weird characters into login fields to check for SQL injection points. But, most modern sites protect against this method now.
- Ethical hacking allows you to safely try exploits without legal risk. It's smarter than attempting illegal website hacks.
Warnings
- You cannot edit the website's HTML from your browser unless you have direct access to the server to which the website's HTML file is uploaded.Thanks
References
About This Article
1. Go to the website's login screen.
2. View the page's source code.
3. Look for the word "password" in the source code.
4. Find and try passwords from the code.