No content

RULES • No DDoSing to the servers • You can use whatever tools you want • Goal is to exploit the web app and root the box, then capture the flag inside the /root/ folder • Credentials for a temporary VPS to get a reverse shell • [email protected]:ilovelinux123

No content

START HACKING! 873067175 [email protected]:ilovelinux123

ABOUT ME Not any geek or any nerd ;-) https://osandamalith.com Passionate in Penetration Testing and Reverse Engineering IT Security Consultant at ZeroDayLab, London. Currently holds: OSCE, OSCP, OSWP, CREST CRTPEN, eCRE, eWPTX, eCPPTX, eCPPT Author of few vulnerabilities and 0days. https://www.exploit- db.com/?author=6712 I love to make things, break things and make things that break things ;) DJ at Ministry of Sound, London, UK

No content

ALL MY EXPLOITS INSIDE KALI • grep -rnw '/usr/share/exploitdb/exploits/' -e 'Osanda’

• https://thehackernews.com/2018/09/4g-ee-wifi- modem-hack.html • https://www.theregister.co.uk/2018/09/19/ee_ modem_vuln/

No content

No content

BUG BOUNTY VS PENTESTING

No content

No content

PENETRATION PROCESS • Information Gathering • Scanning • Enumeration • VA & Exploitation • Post Exploitation

SQL INJECTION

No content

SQL Injection Intention Extracting data, Bypassing Auth, Priv Esc, etc Source of Vulnerability User input, HTTP headers, second order injection, Files, etc Exploitation Technique Inband, Out-of-Band, Inference

SQLi Exploitation Techniques Inband Union-Based Error-Based Out-of-Band HTTP, DNS, Email Inference Boolean Based Time Based

MY ERROR BASED RESEARCHES • Error Based SQL Injection Using EXP • https://osandamalith.com/2015/07/15/error-based-sql-injection-using-exp/ • https://www.exploit-db.com/papers/37953 • BIGINT Overflow Error Based SQL Injection • https://osandamalith.com/2015/07/08/bigint-overflow-error-based-sql-injection/ • https://www.exploit-db.com/papers/37733

MYSQL OUT OF BAND HACKING • https://osandamalith.com/2017/02/03/m ysql-out-of-band-hacking/ • https://www.exploit- db.com/papers/41273 • https://packetstormsecurity.com/files/14 0832/MySQL-OOB-Hacking.html

VULNERABLE QUERY • $query = "SELECT id,name,join_date,title FROM members WHERE name = '" . $member_name . “’;”; • SELECT id,name,join_date,title FROM members WHERE name = ‘Ergo’; • SELECT id,name,join_date,title FROM members WHERE name = ‘Ergo’ UNION SELECT 1,2,3,4; • SELECT id,name,join_date,title FROM members WHERE name = ‘Ergo’ UNION SELECT @@version,2,3,4;

WEB APPLICATION FIREWALLS

WAFS! if (isset($_REQUEST['member_name']) && $_REQUEST['member_name'] !== '') { $member_name = $_REQUEST['member_name']; $member_name = preg_replace("/union|select/i", "", $member_name); $member_name = preg_replace("/into|outfile|dumpfile|[#]|[--]/i", "nope", $member_name); $member_name = preg_replace("(or|and|OR|AND)", "nope", $member_name); $connection = @mysqli_connect(MYSQLHOST, MYSQLUSER, MYSQLPASS, MYSQLDB);

WAFS! if (preg_match('/UNION|SELECT|union|select|\s/', $workaround)) { echo "";

WHEN /OR/i IS FILTERED. • https://osandamalith.com/2017/02 /03/alternative-for- information_schema-tables-in- mysql/ • https://www.exploit- db.com/papers/41274 • https://packetstormsecurity.com/fi les/140831/Alternative-For- Information_Schema.Tables-In- MySQL.html

No content

No content

MYSQL PRIVILEGES • File_priv • Enables reading and writing files on the server host using the LOAD DATA and SELECT ... INTO OUTFILE statements and the LOAD_FILE() function. A user who has the FILE privilege can read any file on the server host that is either world- readable or readable by the MySQL server. (This implies the user can read any file in any database directory, because the server can access any of those files.) • Enables creating new files in any directory where the MySQL server has write access. This includes the server's data directory containing the files that implement the privilege tables. •

CHECKING PRIVELEGES

• select File_priv from mysql.user where user = substring_index(user(), '@', 1) ; • null'unUNIONiOn/**/selSELECTeCt/**/1,File_Priv,3,4/**/from/**/mysql.user/**/ where/**/user=substring_index(user(),'@',1)&&1=‘1

PASSWD FILE • null'uNunionIoN/**/SeLselectEcT/**/1,load_file('/etc/passwd' ),3,4||1='1

SOURCE CODE REVIEW

SOURCE CODE REVIEW! • /var/www/html/auth.php

INVESTIGATING THE COOKIE FUNCTIONS • /var/www/html/includes/security.php

EVAL IS DANGEROUS https://osandamalith.com/2017/05/11/cmsms-2-1-6-multiple-vulnerabilities/

CREATING A COOKIE

OUR EXPLOIT!

PWNED!

ROOT THE BOX! PRIVILEGE ESCALATION • System and network information • User information • Privileged Access / Cleartext credentials • Services • Jobs/Tasks • Installed software version information

CAPTURE THE FLAG [CTF]

No content

SQLI PREVENTION • Use prepared statements and parameterized queries • Using PHP Data Objects (PDO) $stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name'); $stmt->execute(array('name' => $name)); foreach ($stmt as $row) { // Do something with $row } • Supports any database driver and the universal option.

SQLI PREVENTION • Using MySQLi Extension (MySQL Improved) $stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?'); $stmt->bind_param('s', $name); // 's' specifies the variable type => 'string' $stmt->execute(); $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { // Do something with $row }

ALL MY RESEARCHES ON SQL INJECTION • https://osandamalith.com/tag/mysql/

ANY QUESTIONS?