Upload File

exploiting web applications

33
EXPLOITING WEB APPLICATIONS AUSNUTZEN VON SICHERHEITSLÜCKEN IN WEB APPLIKATIONEN MIT KALI LINUX UND SQLMAP VON MARC LANGSDORF 1

Upload: cayla

Post on 19-Jan-2016

92 views

Category:

Documents


0 download

Report

Tags:

DESCRIPTION

Exploiting Web Applications. Ausnutzen von sicherheitslücken in Web Applikationen mit Kali Linux und Sqlmap von marc Langsdorf. Exploiting Web Applications. Ziel Angriff auf die MySQL Datenbank der Web Applikation Auslesen von sensiblen Daten. Exploiting Web Applications. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

AUSNUTZEN VON SICHERHEITSLÜCKEN IN WEB APPLIKATIONEN MIT KALI LINUX UND SQLMAP VON MARC LANGSDORF

1

Page 2: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

Ziel

•Angriff auf die MySQL Datenbank der Web Applikation

•Auslesen von sensiblen Daten

2

Page 3: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

1. Versuchsaufbau

•Angreifer

• VM Kali Linux• IP 192.168.178.50

3

Page 4: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

4

Page 5: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

1. Versuchsaufbau

•Opfer

• VM Metasploitable Linux• IP 192.168.178.51

5

Page 6: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

6

Page 7: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

1. Versuchsaufbau

•Beide VMs befinden sich im gleichen Netzwerk

•Der Angriff läuft über die Web Applikation DVWA

7

Page 8: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

8

Page 9: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

2. Vorbereitung des Angriffs

•Einloggen in die Web Applikation

•Auslesen des Session Cookies

9

Page 10: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

10

Page 11: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

11

Page 12: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

2. Vorbereitung des Angriffs

•Gültige URL finden

12

Page 13: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

13

Page 14: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

2. Vorbereitung des Angriffs

•SQLMAP Befehl für den Angriff zusammenstellen

14

Page 15: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

15

Page 16: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

3. Angriff durchführen

•SQLMAP Befehl ausführen und Ergebnisse überprüfen

16

Page 17: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

17

Page 18: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

18

Page 19: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

19

Page 20: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

20

Page 21: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

3. Angriff durchführen

•URL ist verwundbar

•Auslesen von Informationen

21

Page 22: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

22

Page 23: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

23

Page 24: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

24

Page 25: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

25

Page 26: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

26

Page 27: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

27

Page 28: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

28

Page 29: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

29

Page 30: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

4. Angriff erfolgreich

•Datenbank der Web Applikation mit Benutzernamen und Passwörtern erfolgreich ausgelesen

30

Page 31: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

5. Weitere Möglichkeiten

•Einloggen in die Applikation als Administrator

•Versuchen Shell Zugriff mit erhaltenen Benutzernamen zu erhalten

•Angriffe gegen Kernel und andere Subsysteme

31

Page 32: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

6. Links

•http://www.offensive-security.com/metasploit-unleashed/Metasploitable

•http://www.kali.org/

•http://sqlmap.org/

•http://www.dvwa.co.uk/

32

Page 33: Exploiting Web Applications

EXPLOITINGWEB APPLICATIONS

VIELEN DANK

MARC LANGSDORF

33


Exploiting Data-Usage Statistics for Website ... · applications by exploiting shared resources. Examples are the list of installed applications, the memory footprint of applications,

Exploiting flexible meshes for modelling groundwater flow ...€¦ · Exploiting flexible meshes for modelling groundwater flow and reactive transport in Quaternary deposits: applications

Exploiting Semantic Web and Knowledge Management

Exploiting Nonlinearities in MEMS: Applications to Energy

Exploiting the Saturation Effect in Automatic Random Testing of Android Applications

Exploiting Web Applications XSS

Exploiting Large Scale Web Semantics

Testing and exploiting Flash applications - CCC Event Weblog

Exploiting and analyzing Microsoft Surface Applications

Creating Modern CICS Web Applications by Exploiting Open ......Creating Modern CICS Web Applications by Exploiting Open Source Javascript Libraries Stephen Mitchell [email protected]

Web Application exploiting and Reversing Shell

Steve Kosten - Exploiting common web application vulnerabilities

Assessing and Exploiting Web Applications with Samurai-WTF

EXPLOITING WEB APPLICATIONS AUSNUTZEN VON SICHERHEITSLÜCKEN IN WEB APPLIKATIONEN MIT KALI LINUX UND SQLMAP VON MARC LANGSDORF 1

Exploiting Web Services for Meteorological Applications

Exploiting Low-Rank Structure in Computing Matrix Powers with Applications to Preconditioning

Attacking WebKit Applications by exploiting memory corruption bugs

Exploiting Web applications SQL Injection

EXPLOITING TAGGING IN ONTOLOGY-BASED E-LEARNING · Facilitates communication, information sharing, interoperability, and collaboration on the Web ! Main Applications: ! blog, wiki,

Exploiting Linked Data For Building Web Applicationswtlab.um.ac.ir/images/e-library/linked_data/other/exploit-lod...Exploiting Linked Data For Building Web Applications Michael Hausenblas

Camdoop : Exploiting In-network Aggregation for Big Data Applications

New methods for exploiting ORM injections in Java applications

Exploiting large scale web semantics to build end user applications Enrico Motta Professor of Knowledge Technologies Knowledge Media Institute The Open

Exploiting web based sources for homework

Exploiting Agent-Oriented Programming for Developing ...woa10.apice.unibo.it/santi_guidi_ricci.pdf · Exploiting Agent-Oriented Programming for Developing Android Applications Andrea

Optimization Techniques Exploiting Problem Structure: Applications

Exploiting Grids for Applications in Condensed Matter Physics

Web 2.0 for Business and IT€¦ · Exploiting Web 2.0 Syndication Provide syndicated access to applications, information and services through APIs and widgets Enterprise Mashups

The Art of Exploiting Logical Flaws in Web Apps · The Art of Exploiting Logical Flaws in Web Apps ... Why Logic Flaws? ... The Art of Exploiting Logical Flaws in Web Apps

Exploiting And Defending Web Applications

“Exploiting the integration potential of Semantic Web and ...€¦ · “Exploiting the integration potential of Semantic Web and Linked Data technologies for geospatial applications”

Exploiting the Semantic Web: Next Generation Semantic Web Applications in KMi Watson, PowerMagpie, PowerAqua, … Mathieu d’Aquin Laurian Gridinoc Vanessa

New Methods for Exploiting ORM Injections in Java Applications · New Methods for Exploiting ORM Injections in Java Applications Mikhail Egorov Sergey Soldatov HITBSecConf2016 - Amsterdam

Camdoop: Exploiting In-network Aggregation for Big Data Applications · Camdoop Exploiting In-network Aggregation for Big Data Applications Paolo Costa [email protected] joint

Web applications – protecting and exploiting › ~startup › prezentacja › TomaszKuczynski_090… · Web applications – protecting and exploiting 1 Tomasz Kuczyński Poznań