Archive for the 'Injection' Category

become a hacker with webgoat

WebGoat is a deliberately insecure web application designed to teach web application security concepts.
You can try hacking: Access Control Flaws, Authentication Flaws, Session Management Flaws, Cross-Site Scripting (XSS), Buffer Overflows, Injection Flaws, Improper Error Handling, Insecure Storage, Denial of Service, Insecure Configuration, Web Services and AJAX Security.

Each lesson has a “Lesson Plan”, a kind of tutorial, and in the “Hints” menu you can view the parameters, the cookies, the source code and the solution.
It’s a lot of fun and you learn a lot about web application security.

Read more »

playing with a backdoor

I played last night with a backdoor shell that I found on the net and will show you how it works and how you can find its traces if you are the system administrator.

I used 2 VMs (virtual machines), both based on Debian/Linux: one called “victim”, which simulates the cracked server where the backdoor runs, and the other called “hacky”, where the bad guy is sitting in front :)

The bad guy’s first step is to start a listener on some port (12345) on his own box, so the backdoor can connect back to it. A good program for this is netcat; the command could be something like: netcat -l -p 12345

Read more »

The null byte to hack includes

The null byte (also called the null terminator) is the character with the value zero, present in the ASCII and Unicode character sets. In C, and therefore in the C library functions that PHP’s filesystem calls ultimately use, a string ends at the first null byte.
In a URL it is written percent-encoded as %00, and PHP decodes it to a real null byte before your script sees the value.

Ok whats the deal with null bytes?

A lot of people think that the method below, which includes a file with a fixed extension (.php), is bulletproof, but that’s not true.

<?php
include ($_GET['site'].".php");
?>

If you call the script with a null byte in the URL, everything after it (including the appended ".php") is cut off, so any local file can be included, and with allow_url_include enabled a remote one too. (PHP 5.3.4 and later reject paths that contain a null byte, but the missing validation is still a directory traversal bug: ../../pages/secret works without any %00.)

http://example.com/?site=../../../../etc/passwd%00
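The vulnerable include from above beside a hardened version, as an added example that is not code from the original post. The pages/ directory and the page names are assumptions; the point is that the request value selects a key in a fixed map and never becomes part of a path.

```php
<?php
// Added example, not code from the original post: the include from the post
// beside a hardened version. The pages/ directory and the page names are
// assumptions.

// Vulnerable: the request value is used as a path prefix. "../../../../etc/passwd%00"
// walks out of the web root, and on PHP before 5.3.4 the null byte cuts off the
// appended ".php" so /etc/passwd itself is included.
function include_page_vulnerable(string $site): void
{
    include $site . '.php';
}

// Hardened: the request value is a key into a fixed map, never part of a path.
// Anything not in the map is a 404, which also covers "%00", "../" and URLs.
function include_page_safe(string $site): void
{
    $pages = [
        'home'    => __DIR__ . '/pages/home.php',
        'contact' => __DIR__ . '/pages/contact.php',
        'imprint' => __DIR__ . '/pages/imprint.php',
    ];
    if (!array_key_exists($site, $pages)) {
        http_response_code(404);
        echo 'unknown page';
        return;
    }
    include $pages[$site];
}

// Cheap pre-check for code that must build a path from input anyway:
// a short name of word characters only cannot carry "\0", "/", "." or ":".
function is_plain_page_name(string $site): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $site);
}

include_page_safe($_GET['site'] ?? 'home');
```

The map is the real fix; the regex check is only defence in depth for code that cannot be rewritten to use one. Turning off allow_url_include removes the remote variant but does nothing against ../../ traversal.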

Protect your application against SQL injections part 2

In part 1 we made sure that the value is an integer, but what if the value can be a string?
You have to escape the special characters in a string before using it in a SQL statement. This means that a single quote (') gets a backslash in front of it (\').

There are escape functions for each popular database:

Read more »

Protect your application against SQL injections part 1

Many applications use a database to store their data; popular products are MySQL, SQLite and PostgreSQL.
A lot of websites pass a number called ID in the URL to fetch the details of one record, such as a product or a posting.

The problem with IDs is that if they aren’t validated, bad guys and girls can read, change or destroy your database by manipulating the SQL query.
This attack is called SQL injection.

An example that fetches the field “title” from the row whose ID is the value of $_GET['id']

Read more »
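One added example that serves both part 1 (an integer ID) and part 2 (a string value); it is not code from the original posts. It uses an in-memory SQLite database through PDO so it runs offline; the posts table, its columns and the sample rows are constructed. Instead of escaping, it binds parameters, which is the general form of the fix: a bound value never becomes part of the SQL text, so quoting rules and character-set tricks stop mattering.

```php
<?php
// Added example, not code from the original posts. In-memory SQLite via PDO;
// table, columns and rows are constructed samples.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO posts (id, title) VALUES (1, 'Hello'), (2, 'O''Reilly')");

// Part 1, vulnerable: the raw parameter is pasted into the query, so
// id=1 OR 1=1 returns every title and id=0 UNION SELECT ... reads other tables.
function titles_by_id_vulnerable(PDO $db, string $rawId): array
{
    return $db->query("SELECT title FROM posts WHERE id = $rawId")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Part 1, hardened: only decimal digits are accepted (no sign, no spaces,
// no "1e3"), and the value is bound as an integer.
function title_by_id(PDO $db, string $rawId): ?string
{
    if (!ctype_digit($rawId)) {
        return null;
    }
    $stmt = $db->prepare('SELECT title FROM posts WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['title'] : null;
}

// Part 2, hardened: a string value is bound as a string. The quote in
// O'Reilly is data, and "' OR '1'='1" is just a title that does not exist.
function ids_by_title(PDO $db, string $title): array
{
    $stmt = $db->prepare('SELECT id FROM posts WHERE title = :title');
    $stmt->bindValue(':title', $title, PDO::PARAM_STR);
    $stmt->execute();
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

var_dump(titles_by_id_vulnerable($db, '1 OR 1=1'));
var_dump(title_by_id($db, '1 OR 1=1'));
var_dump(title_by_id($db, '2'));
var_dump(ids_by_title($db, "O'Reilly"));
var_dump(ids_by_title($db, "' OR '1'='1"));
```

Run it with php and compare the first two dumps: the vulnerable query returns both titles for the injected ID, the hardened one returns null before any SQL is sent. If you must use the per-database escape functions instead of parameters (for example mysqli_real_escape_string), they only work correctly when the connection’s character set is the one the function assumes, which is the reason prepared statements are the safer default.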

System call injection

With the following functions you can execute an external program on the system (server):

  • shell_exec
  • proc_open
  • system
  • exec
  • passthru
  • popen
  • ` (backtick operator)

This form sends a domain name and prints back the output of the Linux program whois.

Read more »
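The whois form as an added example, not code from the original post: the vulnerable call concatenates the raw parameter into the command line, the hardened version validates the domain and quotes the argument. The hostname regex and the form field name are assumptions.

```php
<?php
// Added example, not code from the original post. The domain regex and the
// "domain" form field are assumptions.

// Vulnerable: domain=example.com;cat /etc/passwd makes the shell run a second
// command, and domain=$(id) or `id` runs one inside the argument.
function whois_vulnerable(string $domain): string
{
    return (string) shell_exec('whois ' . $domain);
}

// Allow-list check: labels of letters, digits and hyphens joined by dots,
// a letters-only TLD, at most 253 characters. A leading "-" cannot pass,
// so whois cannot be tricked into reading the value as an option.
function is_valid_domain(string $domain): bool
{
    return strlen($domain) <= 253
        && (bool) preg_match(
            '/\A(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\z/i',
            $domain
        );
}

// Hardened: reject anything that is not a domain, then quote what is left so
// the shell passes it as exactly one argument. exec() gives us the exit
// status, so a failed lookup is reported instead of silently printing nothing.
function whois_safe(string $domain): string
{
    if (!is_valid_domain($domain)) {
        return 'invalid domain';
    }
    $output = [];
    $status = 1;
    exec('whois ' . escapeshellarg($domain), $output, $status);
    return $status === 0 ? implode("\n", $output) : "whois failed (exit $status)";
}

header('Content-Type: text/plain; charset=utf-8');
echo whois_safe($_POST['domain'] ?? '');
```

Validation and escapeshellarg() are both needed: the regex stops the argument from being something whois misinterprets, escapeshellarg() stops the shell from interpreting it at all. Sending the output as text/plain keeps the whois reply from being rendered as HTML.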

What does a phpshell look like?

After my last posting, “(evil) Register Globals (on)”, I got an email asking what remote files look like and what they do. I call remote files “phpshells”: a phpshell lets you send commands directly to the server’s operating system over HTTP.

An easy version could use a GET variable for a system call. That alone is enough to steal information, deface pages and do other nasty stuff on a web server.

<?php
    system($_GET['cmd']);
?>

The r57shell is the deluxe version of a phpshell. I added some pictures below. It has a web interface with functions like FTP, mail and many more.

Read more »

(evil) Register Globals (on)

The register_globals directive (register_globals = On in the php config, php.ini) makes every request parameter (GET, POST, cookie) a global variable. It was on by default before PHP 4.2.0 and off by default since then, but many shared hosts still enable it; it was deprecated in PHP 5.3 and removed in 5.4. While it doesn’t represent a security vulnerability by itself, it’s a security risk.

Why is it a security risk? Let’s look at this example:

Read more »
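The classic register_globals mistake and its fix, as an added example that is not code from the original post. The admin credentials and the page text are constructed placeholders.

```php
<?php
// Added example, not code from the original post. Credentials and page text
// are constructed placeholders.

// register_globals=On makes PHP do roughly this before your script runs,
// so a request for ?authorized=1 arrives with $authorized already set to "1":
//     extract($_REQUEST);   // never do this yourself either

// The fix, part 1: initialise every state variable before any input is seen.
// Delete this line and the check below becomes attacker-controlled on a
// register_globals=On server.
$authorized = false;

// The fix, part 2: read input from the superglobals only, never from
// variables you did not assign yourself.
$user = $_POST['user'] ?? '';
$pass = $_POST['pass'] ?? '';

if ($user === 'admin' && $pass === 'correct horse battery staple') {
    $authorized = true;
}

if ($authorized) {
    echo 'secret admin page';
} else {
    http_response_code(403);
    echo 'access denied';
}
```

Turn the directive off as well: register_globals = Off in php.ini, or php_flag register_globals off in an .htaccess file under Apache with mod_php. Running PHP with error_reporting including E_NOTICE makes the uninitialised-variable pattern visible during development.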

Cheating with obfuscation

Sometimes I find strange lines in my web server’s log, like this one:

“GET site.php?id=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%32%33%29%3B%3C%2F%73%63%72%69%70%74%3E HTTP/1.1″

What’s that? No, it’s not the Matrix; it looks like someone tried to obfuscate something by percent-encoding every byte as hex.
Let’s write 2 lines using urldecode() to check this string.

Read more »
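The urldecode() check, as an added example that is not code from the original post, extended to run over a few log lines and to handle the double-encoding trick a single urldecode() misses. The log lines are constructed samples; the first carries the request from the post.

```php
<?php
// Added example, not code from the original post. Log lines are constructed.

// Pull the request target out of a combined-format log line.
function request_target(string $logLine): ?string
{
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/\d\.\d"/', $logLine, $m)) {
        return null;
    }
    return $m[1];
}

// urldecode() once is what the web server does before PHP sees $_GET.
// An attacker who encodes twice (%253C for "<") survives that single pass,
// so decode until the string stops changing, with a small upper bound.
function decode_fully(string $s, int $maxRounds = 3): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $next = urldecode($s);
        if ($next === $s) {
            break;
        }
        $s = $next;
    }
    return $s;
}

function looks_like_xss(string $decoded): bool
{
    return (bool) preg_match('/<\s*script\b|javascript:|\bon\w+\s*=/i', $decoded);
}

$lines = [
    '10.0.0.1 - - [01/Jan/2008:12:00:00 +0100] "GET site.php?id=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%32%33%29%3B%3C%2F%73%63%72%69%70%74%3E HTTP/1.1" 200 512',
    '10.0.0.2 - - [01/Jan/2008:12:00:01 +0100] "GET site.php?id=42 HTTP/1.1" 200 1024',
    '10.0.0.3 - - [01/Jan/2008:12:00:02 +0100] "GET site.php?id=%253Cscript%253Ealert%25281%2529%253C%252Fscript%253E HTTP/1.1" 200 1024',
];

foreach ($lines as $line) {
    $target = request_target($line);
    if ($target === null) {
        continue;
    }
    $once = urldecode($target);
    $full = decode_fully($target);
    printf("%-8s once=%s\n         full=%s\n",
        looks_like_xss($full) ? 'SUSPECT' : 'ok', $once, $full);
}
```

The first line decodes to the script tag the post is about. The third line shows why one urldecode() is not enough for log review: after a single pass it still reads %3Cscript%3E, which a naive check lets through, while the fully decoded form is flagged. Whether the attempt succeeded depends on what site.php does with id, which the access log cannot tell you.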