Objective(s)
To better understand common exploitable web application vulnerabilities and how they are exploited, and then, working backwards from the exploit, to (re)develop defensive mechanisms that secure deployed web applications through best practice.
Code Execution
The ability to execute commands or code on a target machine, or inside a target process: inject and run shell code or scripting code, and from there take full control of the target machine.
PHP/Code Injection
This is silly; hopefully nobody is doing it (passing user input straight to the interpreter).
Shell/Code Injection
This is silly; hopefully nobody is doing it (passing user input straight to a shell command).
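Added example for the two slides above, not code from the original deck: the injectable form of each pattern next to a hardened one. The script names, the `expr` and `host` parameter names, and the arithmetic allowlist are assumptions made for this example.

```php
<?php
// Added example: PHP code injection and shell command injection,
// vulnerable beside hardened. Not from the original slides; names assumed.

// --- Vulnerable: PHP code injection through eval() ---
// /calc.php?expr=2*21 is harmless, but
// /calc.php?expr=system('id') runs a command as the web server user.
function calcVulnerable(string $expr)
{
    return eval('return ' . $expr . ';');
}

// --- Vulnerable: shell command injection through unquoted user input ---
// /ping.php?host=127.0.0.1;id becomes "ping -c 1 127.0.0.1;id".
function pingVulnerable(string $host): string
{
    return (string) shell_exec('ping -c 1 ' . $host);
}

// --- Hardened: the only fix for eval() on user input is to remove it.
// Accept one "int op int" expression and compute it in PHP instead. ---
function calcSafe(string $expr): ?int
{
    if (!preg_match('/^\s*(\d+)\s*([+\-*])\s*(\d+)\s*$/', $expr, $m)) {
        return null; // anything outside the allowlist is rejected
    }
    [, $a, $op, $b] = $m;
    return match ($op) {
        '+' => (int) $a + (int) $b,
        '-' => (int) $a - (int) $b,
        '*' => (int) $a * (int) $b,
    };
}

// --- Hardened: validate the value, then still quote it for the shell ---
function pingSafe(string $host): ?string
{
    $isIp   = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $isName = (bool) preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host);
    if (!$isIp && !$isName) {
        return null;
    }
    // escapeshellarg() wraps the value in single quotes, so ';', '|' or '`'
    // cannot end the argument even if the validation above were weaker.
    return (string) shell_exec('ping -c 1 ' . escapeshellarg($host));
}

// Usage (hypothetical request handling)
if (isset($_GET['host'])) {
    $out = pingSafe($_GET['host']);
    echo $out === null ? 'invalid host' : htmlspecialchars($out);
}
```

Validation plus `escapeshellarg()` is deliberate defence in depth: the allowlist rejects shell metacharacters, and the quoting means a future loosening of the regex still does not hand the attacker a shell.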
Cross-Site Request Forgery (CSRF)
Case 1: in some, if not most, cases there is NO session check for the authenticated user and no check that the user is authorized to delete only their own POST; knowing the sequential id number, anybody can delete a random POST of a random user.
YouTube.com
A forged request could add videos to a user's Favourites, flag videos as inappropriate, etc.
SOURCE: https://freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks/
SOURCE: https://github.com/BKcore/NoCSRF
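Added example for the CSRF case above, written for this page; it is not the slides' code and not taken from the NoCSRF library linked above. The form field names, the `posts` table and the `/delete.php` path are assumptions.

```php
<?php
// Added example: CSRF token plus the missing authorization check for a
// "delete post" action. Not from the original slides; names assumed.
session_start();

// One random token per session, embedded in every state-changing form.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token with the session copy.
function csrfValid(?string $submitted): bool
{
    return isset($_SESSION['csrf_token'], $submitted)
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// The token is a hidden field; a cross-site page can submit the form but
// cannot read the token, so the forged request fails the check.
function deleteForm(int $postId): string
{
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/delete.php">'
         . '<input type="hidden" name="post_id" value="' . $postId . '">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<button>Delete</button></form>';
}

// POST only, logged in, valid token, and the row must belong to the
// logged-in user: the ownership check is what stops "delete any id".
function handleDelete(PDO $db): string
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        return 'method not allowed';
    }
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        return 'login required';
    }
    if (!csrfValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        return 'bad CSRF token';
    }
    $stmt = $db->prepare('DELETE FROM posts WHERE id = :id AND user_id = :uid');
    $stmt->execute([
        ':id'  => (int) ($_POST['post_id'] ?? 0),
        ':uid' => $_SESSION['user_id'],
    ]);
    return $stmt->rowCount() === 1 ? 'deleted' : 'not found or not yours';
}
```

Setting the session cookie with `SameSite=Lax` or `Strict` is a useful second layer, but the token check is what closes the hole on browsers and paths the cookie attribute does not cover.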
Null-Byte Injection
Null Byte Character
In a URL the null byte is presented as %00. It is the string termination character (terminator) in C-based runtimes, so when it reaches a filesystem call everything after it is dropped, altering the intended logic of the application.
/vulnCode.php?page=/tmp/phpcode
/vulnCode.php?page=/etc/passwd%00
// How about appending .php to the parameter?
<?php
if (isset($_GET['page'])) {
    include($_GET['page'] . ".php");
}
?>
http://www.example.com/vulnCode.php?page=/etc/passwd%00.php
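Added example, not the slide's own code: the include() above with the page name resolved through an allowlist, plus a stricter path check for cases where an allowlist is not possible. The page names and the `pages/` directory are assumptions. Note that PHP 5.3.4 and later reject paths containing a null byte, so the %00 trick only works on old installations; the file inclusion itself still does, for any `.php` file the attacker can reach by path (for example an uploaded one).

```php
<?php
// Added example: hardened version of include($_GET['page'] . ".php").
// Not from the original slides; page names and directory are assumed.

// Map user-supplied names to files instead of building a path from input.
const PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

// Preferred: allowlist. Anything not listed ("..", "/", "%00", URLs) is gone.
function resolvePage(string $page): ?string
{
    if (!array_key_exists($page, PAGES)) {
        return null;
    }
    return __DIR__ . '/pages/' . PAGES[$page];
}

// Fallback when the set of pages is open-ended: reject null bytes and
// separators, force the extension, and confirm the resolved real path is
// still inside the intended directory.
function resolvePageStrict(string $page): ?string
{
    if (strpos($page, "\0") !== false || !preg_match('/^[A-Za-z0-9_-]+$/', $page)) {
        return null;
    }
    $base = realpath(__DIR__ . '/pages');
    if ($base === false) {
        return null;
    }
    $real = realpath($base . '/' . $page . '.php');
    if ($real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

$file = resolvePage($_GET['page'] ?? 'home');
if ($file === null) {
    http_response_code(404);
    exit('no such page');
}
include $file;
```

The `realpath()` comparison is what catches symlinks and `..` sequences that a character allowlist alone would not, which is why it is applied after, not instead of, the input check.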
SQL Injection
Occurs when user input is not filtered for escape characters and can therefore manipulate the SQL statement: no sanitization of user input, no type casting, and no use of the proper placeholder method in the query.
http://example.com/news.php?newsID=' OR '1'='1' --%20
SELECT * FROM users WHERE name = '' OR '1'='1' -- '
http://example.com/news.php?newsID=' OR 1=1 --%20
SELECT * FROM users WHERE name = '' OR 1=1 -- '
Fix: use the placeholder (prepared statement) method in the SQL statement, so the value is bound as data and cannot change the query text.
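Added example for the injection and the placeholder fix above, not code from the slides: the `news.php` lookup written both ways against an in-memory SQLite table, so it runs without a database server. The `news` table, its columns and the sample rows are constructed for this example; PDO with the sqlite driver is assumed to be available.

```php
<?php
// Added example: newsID lookup, injectable and then fixed with a
// prepared-statement placeholder. Not from the original slides.

function newsDb(): PDO
{
    // Constructed sample data: one published story and one unpublished draft.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)');
    $db->exec("INSERT INTO news VALUES (1, 'Public story', 1), (2, 'Unpublished draft', 0)");
    return $db;
}

// Vulnerable: the parameter is pasted into the statement text.
// newsID=1 OR 1=1 --  turns the WHERE clause into "id = 1 OR 1=1" and the
// "--" comments out the published filter, so the draft leaks as well.
function newsVulnerable(PDO $db, string $newsId): array
{
    $sql = "SELECT title FROM news WHERE id = $newsId AND published = 1";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: the statement is compiled first and the value bound afterwards as
// data, so it can never alter the SQL. Type checking rejects junk early.
function newsSafe(PDO $db, string $newsId): array
{
    if (!preg_match('/^\d+$/', $newsId)) {
        return [];
    }
    $stmt = $db->prepare('SELECT title FROM news WHERE id = :id AND published = 1');
    $stmt->execute([':id' => (int) $newsId]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = newsDb();
$payload = '1 OR 1=1 -- ';
var_dump(newsVulnerable($db, $payload));
var_dump(newsSafe($db, $payload));
var_dump(newsSafe($db, '1'));
```

Running it shows the vulnerable query returning both rows for the payload, while the safe version returns nothing for the payload and only the published story for a genuine id. The integer check is not the fix; the placeholder is. The check only turns a silently failing attack into an early, loggable rejection.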
File Upload
Allowing a user to upload a file to a website potentially opens a door for attacks and exploits. Without validation and protection, a user can upload a server-side script or shell code and the server can easily be totally pwned.
File upload to the document root without validation: a malicious user can access the uploaded file directly through a URL, leaving the server totally vulnerable and open to total compromise.
Sample exploitable file upload
// upload to document root / no validation / accessible via URL
<?php
$target_path = "uploads/";
$target_path = $target_path . basename($_FILES['uploadedfile']['name']);
if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
    echo "The file " . basename($_FILES['uploadedfile']['name']) . " has been uploaded";
} else {
    echo "There was an error uploading the file, please try again!";
}
?>
Mitigation: set the ownership of the upload location to root/superuser and make it only readable, never executable, for others (the apache/nobody user), with a 022 umask so new files are not world-writable.
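Added example, not the slide's own code: the upload handler above hardened along the lines the slides describe, with the file kept outside the document root and served back through PHP. The storage directory, the accepted types and the size limit are assumptions; the `fileinfo` extension is assumed to be enabled.

```php
<?php
// Added example: hardened version of the exploitable upload handler.
// Not from the original slides; directory, types and limits are assumed.

// Outside the document root, so nothing uploaded is reachable by URL.
const UPLOAD_DIR = '/var/www/private_uploads';
// Allowlist of detected MIME type => stored extension. No scripts.
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];
const MAX_BYTES = 2 * 1024 * 1024;

// Returns the stored name, or throws with a reason the caller can log.
function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed: ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Trust the bytes, not the client-supplied name or Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('type not allowed: ' . $mime);
    }
    // Server-chosen random name: no traversal, no "shell.php.png" tricks,
    // no collisions between users.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the web server user, never executable
    return $name;
}

// Serve by name through PHP: the real path stays hidden and the content
// type is fixed by the server, not guessed by the browser.
function serveUpload(string $name): void
{
    if (!preg_match('/^[a-f0-9]{32}\.(png|jpg|pdf)$/', $name)) {
        http_response_code(404);
        exit;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        exit;
    }
    $mime = array_search(pathinfo($name, PATHINFO_EXTENSION), ALLOWED, true);
    header('Content-Type: ' . $mime);
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['uploadedfile'])) {
    try {
        echo 'stored as ' . storeUpload($_FILES['uploadedfile']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected';
        error_log($e->getMessage());
    }
}
```

Even with these checks, the web server configuration for the upload directory should still disable script execution (for example, no PHP handler for that path), so that a future mistake in the allowlist does not become remote code execution.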
Resources Prediction
Scan the web server using a predicted list of common files, folders and CGIs, looking for outdated or vulnerable server software, directory listing, directory traversal, etc.
nikto: a Perl web server scanner script.