Another quick video showing how SQL injection can be used to bypass a login page. This is a very basic example, but it clearly shows that if you aren't validating input your site is at risk. Here we use the classic injection string ' OR 1=1 -- to bypass the login check. The ' at the start closes the string literal that the application's query opened around our input, and the OR 1=1 which follows is a condition that is always true, so the WHERE clause now matches every account. For example, a simplified login statement would be "IF Username & Password = true, Login = yes" (this is not a real statement; it is written here in simplified form to make it easier to understand). Our injected condition is always true, so even though we have not supplied a valid username and password the check still passes and we get logged in! The -- at the end is an SQL comment marker: it comments out whatever the original query had after our input (typically the password check), so no extra code runs after our injection. The site we are using in this demonstration is Mutillidae, which is maintained by @webpwnized and is great for learning how to secure web apps; check it out.
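To make the mechanics concrete, here is an added example (not code from the video or from Mutillidae) that builds a login query the vulnerable way, by string concatenation, and the safe way, with a parameterised query. It uses an in-memory SQLite table with constructed sample accounts; the table layout, the account names and the helper names are all assumptions made for the example. It also goes one step beyond the video: besides ' OR 1=1 -- it shows the admin' -- variant, which logs in as a chosen user by commenting out only the password check.

```python
import sqlite3

# Constructed sample data for the demo; not the Mutillidae database.
# Plaintext passwords are used only to keep the injection logic visible;
# a real application stores password hashes.
USERS = [("admin", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory accounts table holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Build the query by string concatenation: the user's input becomes
    part of the SQL grammar instead of just a value being compared."""
    sql = ("SELECT username FROM accounts WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: the driver sends the values separately from the
    statement text, so a quote in the input can never close the literal."""
    sql = "SELECT username FROM accounts WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    return {
        # username = '' OR 1=1 -- ' AND password = '...'  -> always true
        "or_1_eq_1": login_vulnerable(conn, "' OR 1=1 -- ", "anything"),
        # username = 'admin' -- ' AND password = '...'    -> password skipped
        "target_user": login_vulnerable(conn, "admin' -- ", "wrong"),
        # the same payload against the parameterised query just fails
        "safe_injected": login_safe(conn, "' OR 1=1 -- ", "anything"),
        "safe_valid": login_safe(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The fix is not to strip quotes or blocklist the word OR; it is to stop building SQL out of user input at all, which is what the parameterised version does.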
This shows that even with file validation controls in place an attacker can manipulate file extensions to get a PHP shell through the filters. The result is the same: from here the attacker can view files or upload their own to inject malicious content into the site. All visitors to the site are then potential victims, as they could be downloading malicious files or being redirected by tampered links without any idea that the site has been compromised.
This is how quickly it can happen. The site has a simple file upload control, but it has no validation at all, which allows us to upload a PHP shell and get a shell on the server. That shell runs with the web server's privileges, and from it we can read files such as password hashes or upload further files to the webserver.
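The two upload videos above (no validation, then a filter that gets bypassed) come down to how the file name is checked. This added example, which is not code from the videos or from the demo site, puts a naive blocklist filter next to a hardened one. The naive filter looks only at the last extension, case-sensitively, against a short blocklist, so shell.PHP, shell.php5 and shell.php.jpg all get through (the double extension matters because Apache's AddHandler can run a file as PHP if any of its dotted parts is .php). The hardened filter allowlists the final extension, lower-cases it, checks the content's magic bytes against that extension, and throws the client's name away in favour of a random server-chosen one. The extension lists, magic bytes, function names and sample uploads are all constructed for the example.

```python
import os
import secrets

# Naive filter: a small blocklist, case-sensitive, last dotted part only.
BLOCKED = {"php", "phtml"}

# Hardened filter: allowlist of final extensions, each paired with the
# magic bytes the uploaded content must start with.
ALLOWED_TYPES = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def naive_filter_accepts(filename):
    """The kind of check that is easy to slip past (see demo())."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in BLOCKED


def hardened_filter(filename, content):
    """Return a server-chosen storage name, or None to reject the upload."""
    # Drop any directory component the client sent (../../ and friends).
    name = os.path.basename(filename.replace("\\", "/"))
    _, dot, ext = name.rpartition(".")
    ext = ext.lower()                       # shell.PHP is shell.php
    if not dot or ext not in ALLOWED_TYPES:
        return None                         # allowlist, not blocklist
    if not content.startswith(ALLOWED_TYPES[ext]):
        return None                         # content must match the extension
    # Never reuse the client's name: a random name plus the verified
    # extension means no double extension ever reaches the web server.
    return secrets.token_hex(8) + "." + ext


# Constructed sample uploads (not files from the video).
PHP_SHELL = b"<?php system($_GET['cmd']); ?>"
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 16
POLYGLOT = JPEG_BYTES + PHP_SHELL    # real JPEG header with PHP appended


def demo():
    return {
        "naive_plain": naive_filter_accepts("shell.php"),         # blocked
        "naive_case": naive_filter_accepts("shell.PHP"),          # bypass
        "naive_alt_ext": naive_filter_accepts("shell.php5"),      # bypass
        "naive_double": naive_filter_accepts("shell.php.jpg"),    # bypass
        "hard_case": hardened_filter("shell.PHP", PHP_SHELL),
        "hard_double": hardened_filter("shell.php.jpg", PHP_SHELL),
        "hard_polyglot": hardened_filter("shell.php.jpg", POLYGLOT),
        "hard_ok": hardened_filter("holiday.JPG", JPEG_BYTES),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

Note the polyglot case: a file that starts with a valid JPEG header and carries PHP after it is still accepted, because it really is a JPEG as far as the magic bytes go. It is stored under a random .jpg name, so nothing maps it to the PHP handler, but the remaining defence is on the server: the upload directory must not execute scripts at all, whatever the file is called.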
This starts with you receiving an email which asks you to click on a link. It could be a specially crafted email from an attacker, made to look like it comes from your bank, your email provider, or perhaps your Amazon account. You click on the link and all appears OK. You also have Facebook open (most people do, or a shopping site!), but what is happening in the background is that the attacker now has a hook into your browser (Firefox, Chrome or Internet Explorer) and is able to intercept the login credentials you type. They can also craft popups which look like normal update prompts to tempt you into downloading something that compromises your PC permanently, or trick you into logging in again to a website you are already logged into, all without you knowing. You'll also notice that the PC is running up-to-date antivirus on a fully patched Windows 7 machine.
It seems barely a week goes by without having to resolve a WordPress issue. I needed to update to version 4.8, so I went to my update panel ready to use the "one click" update, but instead of opening the update page informing me that the site was in update mode it opened a blank page. After refreshing and returning to the update panel, I disabled all plugins and tried again. Now whenever I clicked the update button I was greeted with a message telling me an update was in progress, so I left it, expecting that it would eventually complete. However, 12 hours later WordPress was still not updated and clicking the update button gave the same message that an update was already in process! Restarting the server made no difference. A bit of googling led me to https://wordpress.stackexchange.com/questions/224989/get-rid-of-another-update-is-currently-in-progress, so I installed wp-cli using this guide https://www.sitepoint.com/wp-cli/ and tried in vain to carry out those steps. However, I was continually told by wp-cli that wp-config.php did not exist! I checked and this was not the case, so another brick wall! I had already wasted an hour by this point on what should have been a ten minute job. Therefore I simply downloaded the latest WordPress version by running
then (from the same dir)
tar xzvf latest.tar.gz
sudo rsync -avP ~/wordpress/ /var/www/html/
As I had manually created an uploads directory I had to reassign group ownership to allow me to upload content to that directory using the following.
sudo chown -R :www-data /var/www/html/wp-content/uploads
Hey presto! We are now running on the latest version, with all existing plugins and content still working. (I double-checked by running wpscan from my Kali box just to be sure I was on the latest version.) Hope this helps someone else out. Don't forget to back up before running these steps.
I recently had to change the internal IP range of my network, and that included my WordPress hosting server. I thought that I could just update the database and config file and the site would work. Wrong!! The home page would display, but every page and link was broken, there was no formatting, and the uploaded content no longer displayed. Also, when trying to log in, the site was still trying to access the old URL, as I was accessing the site by IP since it was only a testing site. I never did manage to fix the error despite an hour of my time; in the end I just had to create a new site on the new IP and then copy the content over. If anyone else has come across this and knows how to resolve it, please let me know!
There have been big changes this weekend and Glitchbyte is now FameHive. To see the changes go to https://famehive.co.uk.
This is the go-to site for anyone just setting out in Cyber Security. Really good content for beginners who have no idea where to start. The main content is laid out in courses, allowing you to start out with the beginners' courses before moving on to the more advanced ones. Some of these are study material for actual industry qualifications, so if you are a complete novice you can start with the CompTIA A+ to learn the basics, and progress to the Network+/Security+. Then you will have a solid foundation to move on to the more advanced course material, and although a lot of the advanced content is not specific to an industry qualification (that's not to say that it's not relevant), it is of a high quality and shows techniques that you will need and use in the real world. The best part of all this is that the site is completely free to use! You can expect to pay between £200 and £500 for an online course that teaches CompTIA Security+, and using Cybrary I have saved a fortune in course fees. There is also an open submission forum where users get the chance to upload content, and some of it is amazing, as most tends to relate to what is going on today, whether it's a brand new proof of concept or how to set up the latest firewall or HIDS. Do yourself a favour and join up; you'd be crazy not to. Find them here https://cybrary.it
Having decided that I want to work in Cyber Security (or call it what you will if you hate that term!) I set off on my journey. This is what inspired the tag line "Frustration Is My Fuel". This post will cover my successes and failures (more failure than success) and hopefully help anyone thinking of going down this road. Be warned, you will need to be prepared to LEARN A LOT! Check back for our progress reports, updates and tutorials. I'll try to include anything useful I find on the way, not just how-to videos but also where I went wrong, as to be honest this is more about failure than success, and you need to be prepared to lose more often than you win.