Course 3 - Hacking and Patching
About this course
In this MOOC, you will learn how to hack web apps with command injection vulnerabilities on a web site running on your AWS Linux instance. You will learn how to search for valuable information on a typical Linux system with LAMP services, and how to deposit and hide Trojans for future exploitation.
You will learn how to patch these web apps with input validation using regular expressions.
You will learn a security design pattern that avoids introducing injection vulnerabilities: validate input and replace generic system calls with specific function calls.
You will learn how to hack web apps with SQL injection vulnerabilities and retrieve user profile information and passwords.
You will learn how to patch them with input validation and SQL parameter binding.
You will learn the hacking methodology, the Nessus tool for scanning vulnerabilities, Kali Linux for penetration testing, and the Metasploit Framework for gaining access to vulnerable Windows systems, deploying a keylogger, and performing remote VNC server injection.
You will learn about security in memory systems and the virtual memory layout, and understand buffer overflow attacks and their defenses.
You will learn how to clone a Kali instance with AWS P2 GPU support and perform hashcat password cracking using dictionary attacks and known-pattern mask attacks.
Syllabus: what you will learn in this course
WEEK 1
Injection Web App Attacks and Their Defenses
In this module we will learn how to hack a web app with a command injection vulnerability using a malicious string of only four characters. We will learn how to hack a web app with a database backend with an SQL injection vulnerability and potentially show the list of passwords by injecting a string that overwrites the SQL query. We will learn how to perform code review to spot the key statements and their patterns that expose programs to such injection attacks, and learn how to patch them. We will learn how to apply a security design pattern to defend against injection attacks and enhance web security.
4 videos
- Course Overview-3 min
- Command Injection-11 min
- Review Code to Detect Pattern to Defend Command Injection-12 min
- Apply Security Design Pattern to Defend Command Injection Attack-6 min
2 readings
- OWASP Command Injection-30 min
- Detecting Command Injection-30 min
WEEK 2
Hack SQL Databases and Patch Web Apps with SQL Injection Vulnerabilities
In this module we will learn how to hack a web app with a database backend with an SQL injection vulnerability and potentially show the list of passwords by injecting a string that overwrites the SQL query. We will learn how to perform code review to spot the key statements and their patterns that expose programs to such injection attacks, and learn how to patch them. We will learn the eight-step hacker methodology for exploiting systems. For the privilege escalation techniques, we show how to leverage a command injection vulnerability to search file systems and deposit/hide Trojans for future exploits.
6 videos
- SQL Injection Attacks-10 min
- Patching Web App with SQL Injection Vulnerability-5 min
- Hacking Methodology-9 min
- Demystify New OS/PL Will Not Have Injection Vulnerabilities-8 min
- Escalate Privileges via Deploying Trojan-10 min
- Escalate Privileges by Bringing in Sophisticated Trojan-8 min
5 readings
- SQL Injection-30 min
- SQL Injection Prevention Cheat Sheet-30 min
- Red Teaming: The Art of Ethical Hacking-30 min
- Understanding Privilege Escalation-30 min
- National Vulnerability Database Entry-30 min
WEEK 3
Memory Attacks and Defenses
In this module, we learn about the typical protection mechanism provided by a modern OS to prevent a process from accessing pages of data that belong to a different process. We will also learn about buffer overflow attacks and their common defenses.
4 videos
- Security in Memory Systems and Virtual Memory Layout-15 min
- Variables Allocation in Virtual Memory Layout-5 min
- Buffer Overflow-14 min
- Buffer Overflow Defense-15 min
2 readings
- OWASP Memory Leaks-30 min
- OWASP Buffer Overflow Attacks-30 min
WEEK 4
Penetration Testing
In this module we will learn how to perform vulnerability scanning with the Nessus tool, learn to perform penetration testing using tools included in the Kali Linux distribution, and use the Metasploit Framework to take control of a vulnerable machine, deploy a keylogger, run a remote shell and perform remote VNC injection. We will also learn how to clone an AWS P2.xlarge GPU instance from an Ubuntu image with hashcat software to crack passwords.
6 videos
- Vulnerability Scanning with Nessus-7 min
- Vulnerability and WannaCry Ransomware-7 min
- Penetration Testing with Kali Linux-6 min
- Metasploit Framework-10 min
- Keylogging-3 min
- Remote VNC Server Injection-1 min
3 readings
- Nessus Training-30 min
- Kali Linux & Documentation-30 min
- Metasploit Resources-30 min
WEEK 1
Injection Web App Attacks and Their Defenses
Key concepts
Hack web apps with command injection vulnerabilities and patch them
Perform code review and detect command injection and SQL injection patterns
Apply a security design pattern to defend against injection attacks and enhance web security
Course Overview
Welcome to the third course of the Fundamentals of Computer and Network Security specialization.
Hacking and Patching is a short course title, but it says it all.
In this course we learn how to hack a web application with a command injection vulnerability. In the demo we enter only four characters as the malicious string, &ls&, which exposes the victim's directory.
We learn to launch any Unix command, including cat to show file contents on the victim system, and possibly to review the passwords.
We drop a single line of PHP code as a Trojan, so that we can come back later.
We learn how to hack a web application with a database backend with an SQL injection vulnerability and potentially show the list of passwords hidden in the database, by injecting a twelve-character string that overrides an SQL query.
We also learn how to perform code review to spot the command injection or SQL injection pattern. For example, the code may not have input validation immediately after reading the input, or it may use generic system calls instead of specific function calls.
We also learn the eight-step hacker methodology for systematically exploiting a system.
We then understand the buffer overflow attack and deploy its defenses.
We learn to perform vulnerability scanning using the tool called Nessus. With Nessus we can detect the vulnerability behind the WannaCry/WannaCrypt ransomware on our Windows system.
In this lesson, we define command injection, discuss its impact and examine the sources of the vulnerability. We also provide a demo which shows an OS command injected into a web server and executed by the remote web server to display its directory and file contents.
Command injection is a type of injection attack in which operating system commands are injected by hackers as part of the input and executed by a program, typically on a web server. Command injection occurs when the program does not perform proper input validation. Make sure you remember this term, input validation; it is a very important and general defensive technique. The input from users is used directly or, very importantly, indirectly most of the time as parameters to later system command functions, for example an exec or system function call used by the program to send a confirmation or notification e-mail, or to create a directory to host user-submitted data in an upload scenario.
The consequence of a command injection vulnerability is that it allows attackers to run arbitrary OS commands on the victim machine. The victim machine can be hijacked to attack others, or to perform any operation the hacker desires. Local passwords and credentials, such as credit card information, can be stolen and searched easily once you have a command injection vulnerability. Injection is listed as the number one vulnerability, or application security threat, on OWASP's site; it was listed as number one in the Top 10 Vulnerabilities in 2012. OWASP, the Open Web Application Security Project, is a wonderful organization that has created a thriving global community driving the visibility and evolution of the safety and security of the world's servers.
I just checked last night, and injection is still listed as number one on OWASP's Top 10 Application Security Risks list in their most recent release candidate report, the 2017 release candidate. The official release will be sent out in August 2017. But you can now go to the OWASP website and get the report; it contains very rich information if you're learning cybersecurity.
The URL of the website is https://cs591x.csnet.uccs.edu/reg.php. Note that this is a server running behind the UCCS firewall, so you cannot reach it, but the virtual machine you are going to clone on AWS will have the same content and allow you to perform the command injection against the web server, similar to what I'm going to describe. The /reg web page takes in the fields shown in the web page below: full name, email, password, and then the [INAUDIBLE] value of the membership applicant. When the user fills in this information and clicks on the Register button, the web form data is submitted to the web server for processing.
The data is saved in the database and an email is also sent to the user's email address, so that they know the registration is approved and, via the provided link, they can access the member-specific web page.
The system admin will then look at the application and approve the membership. This is the setup for this particular web app.
Here we show that the hacker can attach a malicious Unix command, shown as an ampersand sign, ls, ampersand sign, just four characters, and then click the Register button. So from this demo you can tell your friends that the smallest example of command injection is four characters. Now let's see the HTTP response coming back. We see a long list of files right in the middle, starting with counters.php, action.php and so on.
They are returned, followed by the original greeting and status messages. It turns out that this middle part is the list of files in the directory /var/www/html/php, which is exactly the location of the server-side script that is processing the request.
We see in this case cs591x [email protected]. We also see that the &ls& string is included in the mail command, which is echoed. Normally you shouldn't print out the mail command in your server-side script, but here it is for demonstration purposes.
We can also display the content of /var/www/html. Basically, you can replace the ls command with other commands and they will be executed. ls .. means go to the parent directory of /var/www/html/php, which is this one.
Basically, we can now navigate through the file system on the victim's web server as long as we have the privilege. In our case, the server-side script reg.php is run by the account apache, so as long as apache can read and execute (traverse) a directory, you can display and navigate through it. If a directory does not give apache read or execute permission, we will not get any result back.
But any of the web directories can still be displayed, since apache needs to be able to read them.
How about if you would like to display action.php? Very simple: just do cat, space, action.php, prefixed with an ampersand sign and followed by an ampersand sign, and submit it through the web page. Now you will see the content of action.php. Normally, for a PHP script, we don't want to reveal its source, only the HTML produced by its execution, but you will see very valuable information coming back. I will let you try it and maybe discuss with your classmates in this MOOC: what other critical credential information is revealed inside action.php? Here we show it by replacing &ls& with &cat ../../cgi-bin/passwd&. When we submit, we are able to display the content of the password file right in the middle. You can see a typical password file format: the login name, followed by a colon as separator, followed by the password string, in this case unfortunately in plain text.
So it is very revealing: using cat, you can see the content and capture a lot of information on the web server side. We have just demonstrated that we can run any OS command on the victim site and navigate up and down the file system.
In this lesson, we examine the web application and its system components, and try to understand how command injection occurs. We perform a code review of reg.php, which has the command injection vulnerability. We also discuss what a static code scanner tool does to detect an example like reg.php.
Here, we show the OWASP rating of command injection based on their risk rating methodology. You can see the same table in the PDF I posted on the website. Because the table is small at the bottom of your screen, I will repeat the most important information from each category in the rating methodology. The first category is threat agents. For command injection, anybody can do this: as long as they have a web browser, they can type in the malicious string. So it's very dangerous; no professional skill level is required. The second column is attack vectors, basically the things that can be exploited in your web application. In this case, it's very easy to exploit: just send in text. You don't even need a special hacking tool; you just type in the operating system command and submit.
The third column is prevalence, which says where this injection weakness occurs: in services including SQL database servers, operating systems, LDAP servers, and so on, even some email servers. The next column is detectability, whether the weakness can be discovered easily or not, which is another important factor in deciding how serious the vulnerability is. In this case, command injection is easy to discover by one method, code review, examining the code. It is not easy to discover purely by testing, so they rank detectability as average. For detectability, we can also use a software tool like a scanner or a fuzzer to automatically generate all kinds of test inputs to attack the website. In our case, we will perform the code review in the next couple of slides.
Here, we show the data flow of this web application. First, a registration web page has a form input element, email. Second, the hacker enters &ls& after an email address. Third, the form input data is submitted to the server-side script reg.php on the server cs591x. Note that the data passes through the firewall without being blocked, and goes through the hardened operating system; even a hardened operating system cannot detect it. It reaches the web server, which hands it over to the script. The reasons are, first, that the HTTPS connection is encrypted, so the content cannot be observed or analyzed by the firewall, and second, that a hardened OS typically does not protect against application-level vulnerabilities; it only takes care of scheduling, libraries, and their protection. Fourth, the server-side script saves the email form input in a local variable, $email, passes it along to the variable $to, and finally sends it into the system() function call.
The system() call runs a command that echoes the prepared message and pipes it to a mail command with the subject "registered, wait for approval", with the option -c to send a copy to the user, whose address is in the variable $to, and a copy to the system admin, in this case cchow@uccs. The malicious string &ls& was submitted as part of the email address and included in the $to variable, which is then executed by the server's operating system. The first & sign tells the shell to start a new process; the next two characters, ls, are executed by that shell. The second & sign isolates the rest of the string from being used as parameters for the ls command. The & sign in the shell language starts a new process and takes the rest of the string before the next operator as an operating system command. The output of that operating system command is also passed back by system() as output, and therefore shows up in our HTTP response. As presented in OWASP's recent assessment, code review is the best way to detect code injection.
Here, we perform the code review of reg.php. I don't show the whole code, but the key statements are shown here. At line 10, reg.php receives the email form input value from the user and assigns it to the variable $email. At line 81, the $email variable is assigned to the $to variable to prepare for the system() call. At line 84, $to is used to form $mailcmd. At line 85, $mailcmd is executed by the system() call. The &ls& malicious string sent in by the hacker passes through $email and $to into $mailcmd, and finally ends up inside the parameter of the system() call. The email input [email protected]&ls& will produce a mail command where, after the subject field and the -c option, you will see &ls& right after that.
Since reg.php is executed in /var/www/html/php directly, that directory's content is shown as the result.
Here, let's show what a static code analysis tool typically does to detect the use of dangerous system calls through a language parser. One famous and very useful tool is SCA, short for static code analysis, provided by the HP Fortify secure software package. It will detect the dangerous call and also determine whether it is severe or not.
It first performs a process called data contamination analysis. It does that by tracing back the sources of the system function's parameters. Any variable referenced there is traced back towards the beginning of the code to see whether its data came from an input. You trace first from system($mailcmd) to $to, because the variable $to appears in the mail command, and then from $to back to $email, around lines 80 to 84, and then all the way back to line 10, where $email receives its value from the $_POST global array with the key email.
Any variable traced in this way is considered contaminated. Once the analysis traces all the way to the $_POST array, it can conclude that the chance of command injection is very high, because $_POST receives web user input.
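The tracing just described, as an added example that is not part of the course material or of any real analyzer: a toy PHP "data contamination" tracer that follows assignments from a system() argument back to $_POST. The reg.php-like lines embedded in it are constructed for the demonstration (the course's actual reg.php is not shown here), and the admin address in them is a placeholder.

```php
<?php
// Added example (not from the course): a toy taint tracer in the spirit of the
// static-analysis step described above. It understands only straight-line code
// made of "$var = <expr>;" assignments and calls to system()/exec()/shell_exec()/
// passthru(), which is enough for the reg.php pattern. Real tools (HP Fortify SCA
// etc.) parse the language properly; this is a teaching aid.

// Constructed stand-in for the relevant lines of reg.php (NOT the real file).
$source = <<<'PHP'
$email = $_POST['email'];
$name = "Member";
$to = $email;
$mailcmd = "echo registered | mail -s 'registered, wait for approval' -c $to admin@example.invalid";
system($mailcmd);
PHP;

/** Variable names ($x) referenced in a piece of code, super-globals included. */
function referencedVars(string $code): array {
    preg_match_all('/\$([A-Za-z_][A-Za-z0-9_]*)/', $code, $m);
    return array_unique($m[1]);
}

/**
 * Map each assigned variable to the variables its value was built from.
 * Only "$var = <expr>;" lines are understood; a later assignment to the same
 * variable replaces the earlier one (good enough for this toy).
 */
function buildAssignmentGraph(string $source): array {
    $graph = [];
    foreach (preg_split('/\R/', $source) as $line) {
        if (preg_match('/^\s*\$([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+);\s*$/', $line, $m)) {
            $graph[$m[1]] = referencedVars($m[2]);
        }
    }
    return $graph;
}

/**
 * Follow $var backwards through the assignment graph. Returns the chain of
 * variable names from $var to a user-controlled source, or null when no path
 * to $_POST/$_GET/$_REQUEST exists.
 */
function traceToSource(string $var, array $graph, array $seen = []): ?array {
    if (in_array($var, ['_POST', '_GET', '_REQUEST'], true)) {
        return [$var];
    }
    if (isset($seen[$var]) || !isset($graph[$var])) {
        return null;
    }
    $seen[$var] = true;
    foreach ($graph[$var] as $dep) {
        $chain = traceToSource($dep, $graph, $seen);
        if ($chain !== null) {
            array_unshift($chain, $var);
            return $chain;
        }
    }
    return null;
}

/** Report every dangerous-call argument that traces back to web input. */
function findContaminatedSinks(string $source): array {
    $graph = buildAssignmentGraph($source);
    $findings = [];
    foreach (preg_split('/\R/', $source) as $n => $line) {
        if (preg_match('/\b(system|exec|shell_exec|passthru)\s*\((.*)\)/', $line, $m)) {
            foreach (referencedVars($m[2]) as $arg) {
                $chain = traceToSource($arg, $graph);
                if ($chain !== null) {
                    $findings[] = sprintf('line %d: %s() argument $%s is contaminated via $%s',
                        $n + 1, $m[1], $arg, implode(' <- $', $chain));
                }
            }
        }
    }
    return $findings;
}

foreach (findContaminatedSinks($source) as $finding) {
    echo $finding, PHP_EOL;
}
```

Run it with `php tracer.php`; it reports the system() call on the last line of the embedded snippet and the chain $mailcmd, $to, $email, $_POST that the lecture walks through by hand. Change the first embedded line so that $email comes from a constant instead of $_POST and the finding disappears, which is exactly the distinction a contamination analysis draws.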
In this lesson, we apply a simple security design pattern to defend against command injection attacks. Here, we present a simple cybersecurity design pattern aimed at avoiding command injection vulnerabilities in your code.
Always remember: validate your input before performing any program-specific operation.
The first step is to filter out malicious input, such as the ampersand character, the bar (pipe) character, and any character that is used to create a process or pipe one process into another command. We only allow certain characters; in the email case, alphanumeric characters, @, and the domain name, which is also alphanumeric characters plus periods.
Avoid using dynamic system function calls such as exec to perform system operations. Make the operation as specific as possible by using a specific API call, such as mail if you are sending an email, or mkdir if you are making a directory. In those cases, the specific API's parameters cannot be interpreted as a generic system command. For more detail, please read the OWASP Injection Prevention Cheat Sheet.
Input validation is a fundamental technique used to sanitize data in any program. It makes sure that the data is within a range of values or of a certain type, maybe a string, maybe a number. Here we are using it for security purposes, to detect whether there is a malicious code pattern in the input.
A regular expression provides a language for you to specify the data pattern. It also provides functions to detect whether an incoming input matches the pattern you specify, and to extract sub-patterns from that data. We mostly do detection here. Most programming languages provide a regular expression library, including a function call that typically takes the pattern and the input data as parameters.
Here in PHP we use the preg_match function, which takes two parameters. The first one is a regular expression string delimited by a forward slash at the beginning and another one at the end. Inside these delimiters is the pattern. The first character is the caret, ^, and the last character is the dollar sign, $. These are called anchors; they identify the beginning and the end of the string. We are telling the regex engine that we are matching the whole string, not just a subset of it, so that no malicious code outside the pattern slips through.
Inside the pattern we see square brackets, a left square bracket and a right square bracket; they indicate a character class. Any of the characters within the square brackets is a legitimate single character. After the right bracket we see a plus sign, which says that any of these characters can be repeated one or more times. Right after that first character class and plus sign we see a backslash followed by @, which specifies the @ symbol that an email address has. We use the backslash because in some languages a symbol such as $ would be interpreted as variable substitution; we don't want that to happen, we want it treated as data.
The second parameter is the input string to be matched against the regular expression. In our case we are checking $email. The whole expression is prefixed with the bang symbol, !, which in a Boolean expression means negate. So basically any input string that does not match the pattern makes the condition true, and we execute the true branch of the if statement. It is critical, as you can see, that the last statement of that branch is exit, and that's very important.
It is critical that whenever we detect a malicious pattern, we exit right away without doing any additional operation. One of the key guidelines in good coding practice is to substitute generic, dangerous system calls with very specific function calls.
Instead of using a generic function call to perform operations such as sending email or creating a directory, we should use a specific function call, like the mail function provided by the programming language. Sometimes we need to install a specific software package or library module for that to happen.
Here, the four parameters submitted to the mail function will not be interpreted as operating system commands; they have specific meanings to the mail function.
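The two steps of the pattern put together in PHP, as an added example that is not the course's reg.php: the vulnerable command-building data flow shown for review only, then an anchored preg_match whitelist that exits on mismatch, and a mail() call in place of system(). The variable names ($email, $to, $mailcmd) follow the lecture; the exact regex, the admin address, the subject and the message text are assumptions.

```php
<?php
// Added example (not the course's reg.php). Shows the vulnerable pattern from
// the lecture beside its patched form. The admin address is a placeholder.

const ADMIN_EMAIL = 'admin@example.invalid';   // placeholder, not the course's address

/**
 * VULNERABLE pattern (shown for code review only; this function never runs the
 * command). The form value flows $email -> $to -> $mailcmd and, in reg.php,
 * into system($mailcmd). With a value such as "a@b.c&ls&" the shell sees the
 * text after the first & as a separate command.
 */
function buildMailCommandVulnerable(string $email): string {
    $to = $email;
    $mailcmd = "echo 'Thank you for registering' | mail -s 'registered, wait for approval' -c $to " . ADMIN_EMAIL;
    return $mailcmd;
}

/**
 * Step 1: validate against an anchored whitelist. ^ and $ make the WHOLE value
 * match, so an &, |, ; or space anywhere in it causes a rejection. \@ is just
 * the literal @ (no special meaning in PCRE; escaped here as in the lecture).
 * The character classes are an assumption, not the course's exact pattern.
 */
function isValidEmail(string $email): bool {
    return preg_match('/^[A-Za-z0-9._-]+\@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/', $email) === 1;
}

/**
 * Step 2: replace the generic system() call with the specific mail() API. Its
 * four parameters are data to the mail function, never shell text. On a bad
 * input the function exits immediately, as the lecture insists, so nothing
 * after the check can run with the rejected value.
 */
function sendRegistrationMail(string $email): bool {
    if (!isValidEmail($email)) {
        http_response_code(400);
        echo 'Invalid email address';
        exit;                                   // stop right away, no further processing
    }
    $subject = 'registered, wait for approval';
    $message = 'Thank you for registering. An admin will review your application.';
    $headers = 'From: ' . ADMIN_EMAIL . "\r\nCc: " . ADMIN_EMAIL;
    return mail($email, $subject, $message, $headers);
}

// Exercise the validation step on constructed inputs (no mail is sent here).
foreach (['alice@example.com', 'alice@example.com&ls&', 'bob@example.org|', 'carol@example'] as $input) {
    printf("%-24s -> %s\n", $input, isValidEmail($input) ? 'accepted' : 'rejected');
}
```

The demonstration loop only calls isValidEmail(); sendRegistrationMail() is what the patched reg.php would call after reading $_POST['email'], and it needs a configured mail transport (sendmail or an SMTP relay) to actually deliver. Note that validation alone is not the fix: the point of the second step is that even a value the regex missed cannot become a shell command once system() is gone.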
WEEK 2
Hack SQL Databases and Patch Web Apps
Course Overview
In this lesson, we discuss SQL injection and its impact, and examine the source of this vulnerability. We also provide a demo which shows how password information in the database can be revealed by injecting a logical expression into the condition of an SQL statement through the input data, bypassing the condition check in the SQL command.
SQL injection is a type of injection application vulnerability attack where SQL commands, or the related logical expressions, are injected by hackers as part of the input and executed by the SQL server.
It allows sensitive data in the SQL database, such as passwords and credit card numbers, to be revealed.
It occurs when the program does not perform the input validation that we saw in the command injection case.
The users' input is used directly or indirectly as a parameter for subsequent SQL queries.
The SQL injection vulnerability allows the attacker to modify and execute an SQL query on the victim's actual server.
The hacker can steal, and create fake, passwords and credentials in the victim's database. They can steal or forge other critical information inside the database, as with command injection.
In the same injection vulnerability category, SQL injection is one of the number 1 items in the OWASP Top 10 Vulnerabilities 2013. You can consult the URL listed here.
It remains number 1 in the OWASP Top 10 Application Security Risks, which will probably be published in August 2017.
Unlike command injection, SQL injection focuses on attacking the SQL server, and consequently it cannot execute arbitrary operating system commands. Personally, I think it is less dangerous, but critical information could still be revealed.
The MySQL server, which is run under Linux, maintains its own password file in the MySQL database: a specific database called mysql, inside its user table, a table with the name USER. These are different from the passwords maintained by the operating system, typically in /etc/shadow on a Linux system.
However, for convenience, or if the system administrator is too lazy, the login and password are often created exactly the same. The hacker can then log in: if they break into a database and retrieve these credentials, they can then log in to the victim's system.
This is called privilege escalation: you steal credentials from one area of services, and you can get authorized in the other service. Privilege escalation is one of the important steps of the hacking methodology.
Here is a demonstration of the SQL injection attack using a typical membership profile request web application.
First, let's show the normal operation. In the membership profile request web application page, we enter the email address and password, then click the Submit button. If the password check is OK, the status is displayed in the response web page that comes back.
Here, we show the SQL injection exploit of the membership profile request web application's vulnerability. We simply add a malicious string: a single quote, 'or 0=0 or', ending with a single quote. If we enter this string right after the email address, we are able to retrieve the profile information of all members in this particular database, including the password for accessing the website.
Note that omitting the two single quotes or the last or operator from this malicious string will not result in this password information being displayed. It is very tricky, but we will explain why later. The SQL query returns an SQL syntax error at line 1 if we omit these single quotes or the or operator. For example, by removing the last or operator, we end up with 0=0 followed by a single quote in the closing part of the SQL query statement, where 0' is not a legal term in the SQL statement. Consequently, the SQL query processing will reject it and print that there is a syntax error.
Let's examine the showme.php code to understand where the SQL injection vulnerability occurs. First, by looking at the code pattern, we can spot that it violates the security design pattern we discussed in the previous session: it does not check the input right after reading in the input data, as indicated by the arrow there. Furthermore, the input email is used in the SQL query. The query also uses the star wildcard to display all fields of the table, and this should be changed to make it more specific. For example, instead of showing the password, we should probably require a special request before showing the password. Remember the paradigm of replacing a generic mechanism with a specific one: the more specific, the better the security.
Here, we examine how the SQL query with the malicious string is evaluated. By enabling the debug print statements in showme.php, we get the following query printout, which shows that we have 'or 0=0 or', the malicious string, injected into the SQL query, as indicated in the middle there. The where clause has three expressions in total, and we highlight the malicious string in red. The three expressions are connected with the or operator. The first expression, email='[email protected]', is the normal expression that we see in the normal query. It would return true as expected, and so it would show only one of the rows when we examine the whole row. The second expression, 0=0, is the malicious attack, which as a logical expression will always return true. And because true or any other value is always true, we simply bypass the preceding logical expression, and every row of the database will then be matched and displayed. The third is a two-single-quote string (an empty string). It does not matter in this case, since the middle logical expression already overrides it, giving a true result for the whole or expression. This term, two single quotes, does not seem to matter. Consequently, in this case, all the row information in the member1 table will come back and be displayed, and all the columns will be displayed too, because we use the star wildcard.
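The query evaluation above, together with the patch named in the course description (input validation plus SQL parameter binding), as an added example that is not the course's showme.php. It uses PDO with an in-memory SQLite database, so it assumes the pdo_sqlite extension is loaded; the member1 table name and the email column follow the lecture, while the other columns and the rows are constructed sample data.

```php
<?php
// Added example (not the course's showme.php): how the malicious string
// ' or 0=0 or ' turns the WHERE clause into three OR-ed expressions, and the
// patched query using validation plus parameter binding. Assumes pdo_sqlite.

function openSampleDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample table; column names other than email are assumptions.
    $db->exec('CREATE TABLE member1 (email TEXT, name TEXT, password TEXT)');
    $ins = $db->prepare('INSERT INTO member1 VALUES (?, ?, ?)');
    foreach ([['alice@example.com', 'Alice', 'alice-secret'],
              ['bob@example.com',   'Bob',   'bob-secret'],
              ['carol@example.com', 'Carol', 'carol-secret']] as $row) {
        $ins->execute($row);
    }
    return $db;
}

/** VULNERABLE (the showme.php pattern): the input is concatenated into the SQL text. */
function buildVulnerableQuery(string $email): string {
    return "SELECT * FROM member1 WHERE email='" . $email . "'";
}

function runVulnerable(PDO $db, string $email): array {
    return $db->query(buildVulnerableQuery($email))->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * PATCHED: (1) anchored whitelist validation right after the input is read,
 * (2) a prepared statement with parameter binding, so the value is sent as data
 * and can never become SQL syntax, and (3) a specific column list instead of
 * the * wildcard, so the password column is never returned by this page.
 */
function runPatched(PDO $db, string $email): array {
    if (!preg_match('/^[A-Za-z0-9._-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/', $email)) {
        return [];   // in a real page: report the error and exit right away
    }
    $stmt = $db->prepare('SELECT email, name FROM member1 WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = openSampleDb();
$normal    = 'alice@example.com';
$malicious = "alice@example.com' or 0=0 or '";   // the lecture's malicious suffix

// With $malicious the concatenated WHERE clause is
//   email='alice@example.com' or 0=0 or ''
// three expressions joined by OR; 0=0 is always true, so every row matches.
echo buildVulnerableQuery($malicious), PHP_EOL;
echo 'vulnerable, normal input:    ', count(runVulnerable($db, $normal)),    " row(s)\n";
echo 'vulnerable, malicious input: ', count(runVulnerable($db, $malicious)), " row(s)\n";
echo 'patched, normal input:       ', count(runPatched($db, $normal)),       " row(s)\n";
echo 'patched, malicious input:    ', count(runPatched($db, $malicious)),    " row(s)\n";
```

Run it with `php sqli.php`. The vulnerable path returns one row for the normal address and the whole table for the malicious one; the patched path returns one row for the normal address and nothing for the malicious one, and even if the regex were removed the bound parameter would simply be compared as a literal string that no row equals. Dropping the trailing or operator from the malicious string, as the lecture describes, makes the concatenated query malformed and PDO throws a syntax-error exception instead.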