Upgrade to Pro — share decks privately, control downloads, hide ads and more …

I want to be a hacker... but I only look good i...

I want to be a hacker... but I only look good in a white hat

Lightning Uncon talk at Dutch PHP Conference 2015

Jakub Gadkowski

June 27, 2015
Tweet

More Decks by Jakub Gadkowski

Other Decks in Programming

Transcript

  1. GOOGLE • Data mining:
 site:target.com filetype:doc • SQL Injection/DB identification:


    site:target.com "supplied argument is not a valid MySQL” • For more check “Exploit Database”:
 https://www.exploit-db.com/
  2. WPSCAN First of all, update WPscan database:
 wpscan --update Quickscan

    (may require `sudo` on Ubuntu) only enumerate vulnerable plugins:
 wpscan -u domaintocheck.com -e vp
  3. WPSCAN Most popular plugins with plugin folder given (more accurate

    results):
 wpscan -u domaintocheck.com -e p --wp-plugins-dir content/plugins/ WPscan can also ‘brute force’ using dictionaries with passwords :
 wpscan -u domaintocheck.com --wordlist popularpass.txt --username admin
  4. ZAP PROXY QUICK SCAN • Might be a good idea

    to persist your session for future reference • Be sure you have plenty of memory and space as these sessions can grow quite large (200mb-500mb is standard)
  5. ZAP PROXY QUICK SCAN • fill in “URL to attack”

    field with your target address • press “Attack”
  6. W3AF QUICK SCAN • Backbox version does not work ‘out

    of the box’ • you need to update it manually.
  7. W3AF QUICK SCAN • First select scan type (e.g. OWASP

    Top 10) • Put the address in the “Target” field • Press “Start”
  8. SQLMAP Once you have a suspect parameter for injection:
 sqlmap

    -u “http://domaintocheck.com/search?search=1” --threads=3 --risk=2 --level=2 If you know your target platform (say MySQL) and want only table names, you can speedup the process:
 sqlmap -u "http://domaintocheck.com/search?search=1" --threads=3 --risk=2 --level=2 --tables --dbms=MySQL