Exploiting Web Applications
Exploiting security vulnerabilities in web applications with Kali Linux and sqlmap, by Marc Langsdorf (PowerPoint presentation transcript).
![Page 1: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/1.jpg)
EXPLOITING WEB APPLICATIONS
EXPLOITING SECURITY VULNERABILITIES IN WEB APPLICATIONS WITH KALI LINUX AND SQLMAP, BY MARC LANGSDORF
![Page 2: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/2.jpg)
Goal
• Attack on the MySQL database of the web application
• Reading out sensitive data
![Page 3: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/3.jpg)
1. Test setup
• Attacker
  • VM Kali Linux
  • IP 192.168.178.50
![Page 4: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/4.jpg)
![Page 5: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/5.jpg)
1. Test setup
• Victim
  • VM Metasploitable Linux
  • IP 192.168.178.51
![Page 6: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/6.jpg)
![Page 7: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/7.jpg)
1. Test setup
• Both VMs are on the same network
• The attack runs through the web application DVWA
![Page 8: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/8.jpg)
![Page 9: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/9.jpg)
2. Preparing the attack
• Log in to the web application
• Read out the session cookie
![Page 10: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/10.jpg)
![Page 11: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/11.jpg)
![Page 12: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/12.jpg)
2. Preparing the attack
• Find a valid URL
![Page 13: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/13.jpg)
![Page 14: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/14.jpg)
2. Preparing the attack
• Assemble the sqlmap command for the attack
![Page 15: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/15.jpg)
![Page 16: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/16.jpg)
3. Carrying out the attack
• Run the sqlmap command and check the results
![Page 17: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/17.jpg)
![Page 18: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/18.jpg)
![Page 19: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/19.jpg)
![Page 20: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/20.jpg)
![Page 21: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/21.jpg)
3. Carrying out the attack
• The URL is vulnerable
• Reading out information
![Page 22: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/22.jpg)
![Page 23: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/23.jpg)
![Page 24: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/24.jpg)
![Page 25: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/25.jpg)
![Page 26: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/26.jpg)
![Page 27: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/27.jpg)
![Page 28: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/28.jpg)
![Page 29: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/29.jpg)
![Page 30: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/30.jpg)
4. Attack successful
• The web application's database, including user names and passwords, was read out successfully
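Detection-side counterpart to the procedure on the slides, added here and not part of the presentation: a small scanner over Apache access-log lines that flags requests carrying sqlmap's default User-Agent prefix or SQL keywords in a decoded GET parameter, so that the kind of probing shown against DVWA leaves an alert on the victim's side. The DVWA path, the log lines and the sqlmap version string are constructed assumptions, and the keyword heuristics are a starting point rather than a WAF ruleset.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote_plus, urlsplit
# Constructed sample access-log lines (not from the slides): one ordinary DVWA request,
# then probes of the kind an automated SQL injection tool sends against a GET parameter.
SAMPLE_LOG = """\
192.168.178.20 - - [10/Jun/2022:10:00:01 +0200] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4521 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/101.0"
192.168.178.50 - - [10/Jun/2022:10:02:11 +0200] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%201%3D1%20AND%20%27a%27%3D%27a&Submit=Submit HTTP/1.1" 200 4521 "-" "sqlmap/1.6.6#stable (https://sqlmap.org)"
192.168.178.50 - - [10/Jun/2022:10:02:12 +0200] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20-&Submit=Submit HTTP/1.1" 200 4980 "-" "sqlmap/1.6.6#stable (https://sqlmap.org)"
192.168.178.50 - - [10/Jun/2022:10:02:13 +0200] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%20SLEEP%285%29--%20-&Submit=Submit HTTP/1.1" 200 4521 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/102.0"
"""
LOG_RE = re.compile(  # Apache combined log format
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# Heuristic SQL injection indicators (assumption: a starting point, not a full WAF ruleset)
SQLI_RE = re.compile(
    r"(\bunion\b.{0,40}\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|\b(and|or)\b\s+\d+\s*=\s*\d+"
    r"|'\s*(and|or)\b|--\s|information_schema)", re.IGNORECASE | re.DOTALL)
SCANNER_UA_RE = re.compile(r"^sqlmap/", re.IGNORECASE)  # sqlmap's default User-Agent prefix

def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl decodes percent-encoding once; a second pass catches double-encoded payloads
    rec["params"] = [(k, unquote_plus(v)) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return rec

def classify(rec):
    """Return the reasons a request looks like SQL injection probing (empty list if clean)."""
    reasons = []
    if SCANNER_UA_RE.search(rec["ua"]):
        reasons.append("sqlmap user-agent")
    for name, value in rec["params"]:
        if SQLI_RE.search(value):
            reasons.append(f"sql keyword in parameter '{name}'")
            break  # one keyword hit per request is enough for the alert
    return reasons

def scan(log_text):
    """Return (findings, hits): flagged (ip, path, reasons) tuples and counts per (ip, path)."""
    findings, hits = [], defaultdict(int)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        reasons = classify(rec)
        if reasons:
            findings.append((rec["ip"], rec["path"], reasons))
            hits[(rec["ip"], rec["path"])] += 1
    return findings, dict(hits)
```

The per-(ip, path) counts are what turns single keyword hits into a scanner alert: many flagged requests against one parameter from one client in a few seconds is the pattern an automated tool leaves.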
![Page 31: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/31.jpg)
5. Further possibilities
• Log in to the application as administrator
• Try to obtain shell access with the user names obtained
• Attacks against the kernel and other subsystems
![Page 32: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/32.jpg)
6. Links
• http://www.offensive-security.com/metasploit-unleashed/Metasploitable
• http://www.kali.org/
• http://sqlmap.org/
• http://www.dvwa.co.uk/
![Page 33: Exploiting Web Applications](https://reader035.vdocuments.us/reader035/viewer/2022062805/56814e00550346895dbb6bc8/html5/thumbnails/33.jpg)
THANK YOU
MARC LANGSDORF