VU21997 - Expose Website Security Vulnerabilities - Class 4 SQLMap Final
Security Vulnerabilities
SQLMAP, IDOR
SQLi recap
Review AAA:
What does Authentication mean?
What does Authorisation mean?
What does Accounting mean?
Who are you? Can you do that? How much did you use? (billing/auditing)
Power company emailed you – your bill is ready:
http://www.powerRus.com.au/bills/bill.php?bill_id=12345
Have you ever tried changing 12345 to 12346?
Did it work?
If it did and you just saw someone else’s bill:
Insecure Direct Object Reference
Which AAA principle wasn’t followed?
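The bill example above is authentication without authorisation: the site knows who you are, but never checks that bill 12346 is yours. The Python below is an added illustration, not code from the course or from any real power company; the SQLite table, the customer names and the session model are constructed. It puts the IDOR-prone lookup next to the fixed one, where ownership is part of the query itself.

```python
import sqlite3

# Constructed sample data: two customers, one bill each. The table layout and
# the idea of a "logged-in user" passed in as session_user are assumptions.
def make_bills_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE bills (bill_id INTEGER PRIMARY KEY, customer TEXT, amount REAL)")
    conn.executemany("INSERT INTO bills VALUES (?, ?, ?)",
                     [(12345, "alice", 88.20), (12346, "bob", 41.75)])
    conn.commit()
    return conn

def _as_dict(row):
    return dict(zip(("bill_id", "customer", "amount"), row)) if row else None

def get_bill_insecure(conn, bill_id):
    """Authenticated caller, no authorisation: whatever bill_id arrives in the
    URL is looked up and returned. This is the Insecure Direct Object Reference."""
    row = conn.execute(
        "SELECT bill_id, customer, amount FROM bills WHERE bill_id=?",
        (bill_id,)).fetchone()
    return _as_dict(row)

def get_bill_secure(conn, session_user, bill_id):
    """Authorisation enforced in the query: the row must belong to the user the
    session was authenticated as, so another customer's id yields nothing."""
    row = conn.execute(
        "SELECT bill_id, customer, amount FROM bills WHERE bill_id=? AND customer=?",
        (bill_id, session_user)).fetchone()
    return _as_dict(row)

if __name__ == "__main__":
    db = make_bills_db()
    # alice is logged in and edits 12345 to 12346 in the address bar
    print(get_bill_insecure(db, 12346))           # bob's bill leaks
    print(get_bill_secure(db, "alice", 12346))    # None: not hers
    print(get_bill_secure(db, "alice", 12345))    # her own bill
```

Both versions use bound parameters, so the difference is purely the missing ownership condition. Returning the same "not found" result for a bill that does not exist and one that belongs to someone else also avoids confirming which ids are valid.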
Sounds too easy. Must not be common, right?
https://nakedsecurity.sophos.com/2017/01/26/how-one-man-could-have-deleted-any-public-facebook-video/
Facebook fixed the vulnerability in July and awarded Melamed a $10,000 bug bounty
How can we exploit IDOR?
Too easy? Instead of modifying the URL in your browser, try using BurpSuite and intercept the packet.
Exercise 1
http://www.cvedetails.com/google-search-results.php?q=direct+object+reference
5 minutes: who can find the most popular/worst sounding IDOR vulnerability?
SQLi Review – 15 minutes
1. Recall: if I'm logging in, what might the SQL look like?
SELECT password FROM logins WHERE user='test'
2. Try to locate where you can inject:
SELECT password FROM logins WHERE user='______'
3. Try injecting some SQL:
SELECT password FROM logins WHERE user='' OR '1'='1'
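The three steps above can be run end to end against a throwaway database. The Python below is an added example, not the lab's code; the `logins` table and its columns follow the slide's query, the stored password value is made up. `build_vulnerable_sql` shows exactly what the server ends up executing when the user value is pasted into the SQL text (step 2), and `lookup_safe` is the fix, where the same input is passed as a bound parameter and can no longer change the query's structure.

```python
import sqlite3

# Constructed sample table matching the slide's query; the password is made up.
def make_logins_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logins (user TEXT, password TEXT)")
    conn.execute("INSERT INTO logins VALUES ('test', 'example-password')")
    conn.commit()
    return conn

def build_vulnerable_sql(user):
    """The login code the slide is recalling: the value from the form lands
    inside the quotes of the SQL string, so a quote in the input closes them."""
    return "SELECT password FROM logins WHERE user='" + user + "'"

def lookup_vulnerable(conn, user):
    # Executes whatever build_vulnerable_sql produced, injection included.
    return [row[0] for row in conn.execute(build_vulnerable_sql(user))]

def lookup_safe(conn, user):
    # Parameter binding: the driver sends the SQL and the value separately.
    # Quotes or OR in the input are compared as text, never parsed as SQL.
    return [row[0] for row in conn.execute(
        "SELECT password FROM logins WHERE user=?", (user,))]

if __name__ == "__main__":
    db = make_logins_db()
    payload = "' OR '1'='1"
    print(build_vulnerable_sql(payload))   # step 3's statement, reassembled
    print(lookup_vulnerable(db, payload))  # every row comes back
    print(lookup_safe(db, payload))        # [] : no user is literally named that
    print(lookup_safe(db, "test"))         # the legitimate lookup still works
```

The same idea carries over to the lab's `id` field: a numeric parameter bound as a parameter is compared as a number, so the "must start with a number" tricks in the lab only work because the id is being concatenated into the query text.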
Can you still remember how to inject SQL commands? Reminders:
Lab #1: replace '..name=root' in the URL with your correctly formatted command
#2 and #3: spaces are filtered, what else could we use?
#4: Now we need to inject into the id field instead.
#5: Our ID parameter must start with a number
#6: Our ID parameter must end with a number
Optional/Advanced:
#7: start and end with a number
#8: Time-based attack
#9: ORDER BY injection
SQLMap
Try it yourself:
sqlmap -u http://<WebForPentesterTarget_IP>/sqli/example1.php?name=root
You will be asked some questions:
Not looking good...
Success! Database dumped.
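Seen from the web server's side, a run like the one above is noisy: unless the operator overrides it, sqlmap identifies itself with a User-Agent beginning with `sqlmap/`, and the payloads it sends (quote-OR-quote tautologies, UNION SELECT, time-based probes, ORDER BY enumeration) have recognisable shapes in the decoded query string. The Python below is an added example, not part of the course; the Apache combined-format log lines are constructed, as are the IP addresses, and the sqlmap version string is a made-up sample. It flags requests on either signal, which is the sort of check a blue team would run over access logs after a lab like this.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines (not from a real server).
# The third line's User-Agent imitates sqlmap's default; the version is made up.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +1100] "GET /sqli/example1.php?name=root HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:01:05 +1100] "GET /sqli/example1.php?name=root%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 1044 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:01:06 +1100] "GET /sqli/example1.php?name=root%20AND%20SLEEP%285%29 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"
10.0.0.7 - - [12/Mar/2024:10:01:09 +1100] "GET /bills/bill.php?bill_id=12346 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$')

# Indicators checked against the URL-decoded query string.
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s*'", re.I),              # ' OR ' tautologies
    re.compile(r"\bunion\b.*\bselect\b", re.I),   # UNION-based extraction
    re.compile(r"\bsleep\s*\(", re.I),            # time-based probes
    re.compile(r"\border\s+by\s+\d+", re.I),      # ORDER BY column counting
]

def classify(line):
    """Parse one log line; return a record with the reasons it looks suspicious
    (empty list if none), or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    if m["ua"].lower().startswith("sqlmap/"):
        reasons.append("sqlmap user-agent")
    # Decode %xx and + so encoded quotes and spaces are visible to the patterns.
    query = unquote_plus(m["path"].partition("?")[2])
    for pat in SQLI_PATTERNS:
        if pat.search(query):
            reasons.append("sqli pattern: " + pat.pattern)
            break
    return {"ip": m["ip"], "path": m["path"], "reasons": reasons}

def suspicious_requests(log_text):
    """Return only the records that tripped at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec["reasons"]:
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit["ip"], hit["path"], hit["reasons"])
```

Two of the four constructed lines are flagged, both from the same source address. The User-Agent check is cheap but trivially defeated by anyone who changes the header, which is why the payload patterns on the decoded query string are the more durable signal; in production this logic belongs in a WAF rule or a SIEM query rather than a script, but the indicators are the same.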
Exercise