5 common security vulnerabilities that still work in 2020

Bruno Menozzi
6 min read · Jan 29, 2020


1 — Login (SQL injection) bypass

This technique is frequently used against login forms that were not coded with a hostile user in mind.
As you can imagine, the programmer never took the time to check that the values received from the web form are of the type and shape the backend expects.

He probably assumed that processing whatever the form sent would be enough, so he did not validate the submitted values for "strange" special characters such as the single quote, which the database interprets as the end of a string literal, so that whatever follows it is executed as part of the query. Sorry for the little spoiler :)

Image 1 — Some random login website

So, as you can guess by now, you can bypass the login shown in Image 1 by submitting
' or '1'='1
as both the username and the password.
The database receives something like:

select username,pass from users where username='' or '1'='1' and password='' or '1'='1' limit 0,1;

Because AND binds tighter than OR, the WHERE clause is always true, so the query returns the first row of the users table. The application takes "I found a row" to mean "valid credentials" and lets you into the admin area, bypassing the login check.
You can learn more about this vulnerability here:
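To make the bypass concrete, here is an added example (not code from the original post) that reproduces the broken login against an in-memory SQLite table and puts the parameterized version next to it. The users table, its columns and the stored password are assumptions made for the demonstration; the payload is the one from the post.

```python
"""Login bypass with a tautology, and the same check done safely.

Added example, not the post's own code: an in-memory SQLite database stands in
for the site's users table (table and column names are assumptions).
"""
import sqlite3

PAYLOAD = "' or '1'='1"   # the value from the post, sent as both username and password


def make_users_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, pass text)")
    # Plaintext storage is a second bug, kept here only to keep the demo short.
    conn.execute("insert into users values ('admin', 'S3cret!')")
    return conn


def build_vulnerable_query(username, password):
    """String concatenation: the quote in the payload ends the literal early."""
    return ("select username, pass from users where username='" + username
            + "' and pass='" + password + "' limit 1")


def login_vulnerable(conn, username, password):
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row is not None          # "a row came back" is taken as "credentials ok"


def login_safe(conn, username, password):
    """Placeholders: the driver passes the values separately, so a quote is just data."""
    row = conn.execute(
        "select username, pass from users where username=? and pass=? limit 1",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_users_db()
    print(build_vulnerable_query(PAYLOAD, PAYLOAD))
    print("vulnerable login bypassed:", login_vulnerable(conn, PAYLOAD, PAYLOAD))
    print("safe login bypassed:     ", login_safe(conn, PAYLOAD, PAYLOAD))
```

Printing the concatenated query is the quickest way to see the precedence trick from the paragraph above: the payload turns the WHERE clause into `username='' or '1'='1' and pass='' or '1'='1'`, which is true for every row.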

2 — Robots.txt

This file is read by Google (and other search engines) to tell the crawlers that index your website which pages they may visit.

Image 2 — Robots.txt file / Source: https://www.unisinos.br/robots.txt

The file holds rules stating which User-agents (crawlers) are allowed, or not allowed, to access specific subdirectories of the website.

Some host administrators prefer to block certain search-engine crawlers (Yandex, for example) to avoid spikes in CPU usage. (Many crawler instances hitting your website and running heavy searches can be... veeery annoying!)

At this point we could start wondering: are there other reasons for an administrator to block directories? The answer is yes: they can be hiding something important. Keep in mind that robots.txt is advisory only. It is a public file that asks well-behaved crawlers to stay away, and it does nothing to stop anyone who reads it and visits those paths directly.

As you can see in Image 2, this is the default robots.txt file of a famous and widely used CMS called Joomla (Content Management System). There is good news and bad news here:

The good news is that you have discovered which CMS the website uses, so you can move on to CMS-specific exploitation tools such as Joomscan (see the Joomscan GitHub project), a vulnerability scanner developed specifically for Joomla.

The bad news is that popular CMSs tend to be kept up to date by their administrators, so the core is generally hard to exploit.

3 — Sitemap.xml

This file lists the URLs that make up your website. Google uses it to index the site correctly and to learn which pages its crawlers should follow and what to store about them (such as the topic, title and description of each page).

Quite often it lists URLs that were never meant to be public, and those can be visited to collect information about the structure of the website.

Image 3 below shows a sitemap index generated by a WordPress plugin called Yoast SEO.

From this page we learn that there are further sitemaps we can read, and that this is most likely a WordPress website, which makes it easier to use tools built for that environment (for example WPScan*).

  • * We will do another post next week showing more similar tools.
Image 3 — XML file generated by the Yoast WordPress plugin / Reference: https://www.uninter.com/sitemap_index.xml
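The fingerprinting described in section 2 (robots.txt) and in this section (the sitemap index) can be automated. The following is an added example, not code from the original post: it parses a robots.txt body and a sitemap index and guesses the CMS from them. The path signatures are heuristics chosen for this example (the Joomla paths come from the robots.txt file Joomla ships with, the WordPress paths and the `<type>-sitemap.xml` naming from WordPress and Yoast SEO conventions), and both sample files are constructed rather than fetched from the sites in the images.

```python
"""Passive CMS fingerprinting from robots.txt and a sitemap index.

Added example, not code from the original post. Signatures are heuristics
chosen for this demo; the sample inputs are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Directories each CMS disallows in its shipped robots.txt (assumption: a site
# that disallows most of them is probably running that CMS).
CMS_SIGNATURES = {
    "joomla": {"/administrator/", "/components/", "/installation/", "/modules/", "/templates/"},
    "wordpress": {"/wp-admin/", "/wp-includes/"},
}
SITEMAP_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"


def parse_robots(text):
    """Return {user_agent: {"allow": [...], "disallow": [...]}}.
    Consecutive User-agent lines form one group that shares the rules after them."""
    rules, agents, in_rules = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if in_rules:                              # a new group starts here
                agents, in_rules = [], False
            agents.append(value.lower())
            rules.setdefault(value.lower(), {"allow": [], "disallow": []})
        elif field in ("allow", "disallow") and agents:
            in_rules = True
            for agent in agents:
                rules[agent][field].append(value)
    return rules


def disallowed_paths(rules):
    return {p for r in rules.values() for p in r["disallow"]}


def guess_cms_from_robots(text, threshold=0.5):
    """Name the CMS whose signature paths are most completely present, or None."""
    paths = disallowed_paths(parse_robots(text))
    best, best_score = None, 0.0
    for cms, sig in CMS_SIGNATURES.items():
        score = len(sig & paths) / len(sig)
        if score > best_score:
            best, best_score = cms, score
    return best if best_score >= threshold else None


def unexplained_disallows(text):
    """Disallowed paths no CMS default explains: the ones worth a manual look."""
    known = set().union(*CMS_SIGNATURES.values())
    return sorted(disallowed_paths(parse_robots(text)) - known)


def parse_sitemap_index(xml_text):
    """Child sitemap URLs of a sitemap index (or page URLs of a plain sitemap)."""
    root = ET.fromstring(xml_text)
    return [loc.text.strip() for loc in root.iter(SITEMAP_NS + "loc") if loc.text]


def guess_cms_from_sitemaps(urls):
    # Yoast SEO names child sitemaps <type>-sitemap.xml; WordPress core uses wp-sitemap*.xml.
    wp = re.compile(r"/(?:(?:post|page|category|author)-sitemap|wp-sitemap[^/]*)\.xml$")
    return "wordpress" if any(wp.search(u) for u in urls) else None


# Constructed sample modelled on Joomla's shipped robots.txt, plus one odd entry.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /administrator/
Disallow: /components/
Disallow: /installation/
Disallow: /modules/
Disallow: /templates/
Disallow: /backup/   # not a Joomla default
"""

# Constructed sample in the shape of a Yoast SEO sitemap index.
SAMPLE_SITEMAP_INDEX = """<sitemapindex xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <sitemap><loc>https://example.com/post-sitemap.xml</loc></sitemap>
  <sitemap><loc>https://example.com/page-sitemap.xml</loc></sitemap>
  <sitemap><loc>https://example.com/staging-sitemap.xml</loc></sitemap>
</sitemapindex>
"""

if __name__ == "__main__":
    print("robots.txt CMS guess:", guess_cms_from_robots(SAMPLE_ROBOTS))
    print("unexplained disallows:", unexplained_disallows(SAMPLE_ROBOTS))
    urls = parse_sitemap_index(SAMPLE_SITEMAP_INDEX)
    print("child sitemaps:", urls)
    print("sitemap CMS guess:", guess_cms_from_sitemaps(urls))
```

The two guesses are independent signals; when they agree, pointing a CMS-specific scanner at the site is justified, and the `unexplained_disallows` list is where the "hiding something important" directories from section 2 show up.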

4 — Google Dorks: an exploit technique using Google's crawlers

As is well known, Google applies filters to your search to make the results more precise. What people usually don't know is that there are search operators, known as "dorks", that let you run much more advanced searches using these lesser-known filters.

Intro to Google Dorks
  • inurl: find a specific string in the URLs of the results.
  • ext: find results with a specific file extension.
  • intext: find a specific text in the body of the resulting pages.
  • intitle: find a specific text in the title of the resulting pages.

Image 4 — Dorks intitle and intext used to search for vulnerable websites

The title "Index of" is what Apache shows by default when directory listing is enabled: it prints the files and subdirectories on your screen, which is a huge security mistake on anything but a public file share. (It is switched off with Options -Indexes in the Apache configuration.)

Using the dork shown in Image 4, we found a website with its full SQL dump (structure and data) exposed.

Image 5 — SQL files exposed

Downloading these SQL files, we find commands like "fill the users table with this data":
"user_name: admin user_password: e10adc3949ba59abbe56e057f20f883e".

OK, this looks very dangerous, right? But is this password readable to you?

Image 6 — SQL command filling the users table with some raw contents

This is an unsalted MD5 hash. MD5 is a hash function, not encryption, so it cannot be "decrypted"; but the hashes of all common passwords were computed long ago, so we can paste it into one of the MD5 lookup websites and get the original back:

Image 7 — Using MD5 lookup websites

Good job guys. This works :)
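What those "MD5 decrypter" websites do is a dictionary lookup, and the following added example (not code from the original post) shows it on the hash from the dump, next to the salted, iterated hashing that would have made the dump useless. The wordlist is a constructed, tiny stand-in for the multi-gigabyte lists such sites use; the PBKDF2 parameters are a choice made for this example.

```python
"""Reversing an unsalted MD5 password hash by dictionary lookup.

Added example, not the post's own code. WORDLIST is a constructed stand-in
for a real password list.
"""
import hashlib
import hmac
import os

WORDLIST = ["password", "123456", "12345678", "qwerty", "abc123", "admin"]


def md5_hex(word):
    return hashlib.md5(word.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> password: this table is all a lookup site really has."""
    return {md5_hex(w): w for w in words}


def crack_md5(hex_digest, table):
    """Return the password behind an unsalted MD5 digest, or None if not in the table."""
    return table.get(hex_digest.lower())


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256 from the stdlib: what the dump should have held."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + str(iterations) + "$" + dk.hex()


def verify_password(password, stored):
    salt_hex, iters, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("e10adc3949ba59abbe56e057f20f883e ->", crack_md5("e10adc3949ba59abbe56e057f20f883e", table))
    # Same password, two different stored values: no precomputed table applies.
    print(hash_password("123456"))
    print(hash_password("123456"))
```

The random per-user salt means the attacker cannot precompute anything before seeing the dump, and the iteration count makes each guess cost far more than one MD5 call, which is exactly what turns "Good job guys. This works" into a dead end.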

You can read more about Google dorks here: https://null-byte.wonderhowto.com/how-to/use-google-hack-googledorks-0163566/

Here you can find dorks that surface specific kinds of vulnerable websites (the Google Hacking Database): https://www.exploit-db.com/google-hacking-database

Image 8 — Combining two dorks

5 — Not using friendly URLs

Using the ext dork we can find websites whose owners did not bother to rewrite their URLs to hide file extensions. This says a lot about the website manager and helps us understand his professional profile (for example, that he doesn't care much about security bugs).

Image 9 — A search form embedded in many websites.

Have you ever visited a real estate broker's website and searched for an apartment?
Forms like this carry many parameters that are probably handed straight to some logic in the backend, right?

This form is in Portuguese. Look at the last input: it asks for a code (some internal id) to help you find your apartment.

Hmm, so we can deduce that the backend expects an integer. Can you imagine what happens if we send a string instead?

This is what the backend returned:

Image 10 — The database trying to interpret the submitted string

Image 10 shows the system answering with a MySQL error along the lines of: You have an error in your SQL syntax near '%' order by f_valor DESC' at line 1

Besides confirming that the input reaches the database unchecked, the message leaks part of the query: the value appears to be wrapped in a LIKE '%...%' pattern and the results are ordered by a column named f_valor. It is therefore possible to get into the database through this field alone by passing SQL of your own, either by hand or with a tool such as SQLMAP.
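The single-quote probe that produced Image 10, turned into a small detector, as an added example that is not the post's own code. An in-memory SQLite table stands in for the broker's listing table (the table name imoveis and the codigo column are assumptions; f_valor is the column name leaked in the error), the error-message signatures are the well-known phrasings of the common engines, and the hardened handler shows the check the backend was missing: refusing anything that is not an integer before the database ever sees it.

```python
"""Error-based SQL injection probe: does a parameter leak database errors?

Added example, not the post's own code. The backend is simulated with SQLite;
table name 'imoveis' and column 'codigo' are assumptions, 'f_valor' comes
from the error shown in the post.
"""
import re
import sqlite3

# Fragments the common engines emit when a query is syntactically broken.
DB_ERROR_SIGNATURES = {
    "mysql": r"You have an error in your SQL syntax",
    "postgresql": r"syntax error at or near",
    "sqlite": r"(?:near \".*\": syntax error|unrecognized token)",
    "mssql": r"Unclosed quotation mark after the character string",
}


def find_db_errors(body):
    """Engines whose error text appears in a response body (sorted for stable output)."""
    return sorted(name for name, pat in DB_ERROR_SIGNATURES.items() if re.search(pat, body))


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table imoveis (codigo integer, f_valor real)")
    conn.executemany("insert into imoveis values (?, ?)",
                     [(101, 250000.0), (102, 180000.0), (1020, 990000.0)])
    return conn


def search_vulnerable(conn, codigo):
    """The backend as the post describes it: the field goes straight into the query
    and the raw database error is echoed back to the visitor."""
    sql = ("select codigo, f_valor from imoveis where codigo like '%" + codigo
           + "%' order by f_valor DESC")
    try:
        return {"status": 200, "body": repr(conn.execute(sql).fetchall())}
    except sqlite3.Error as exc:
        return {"status": 500, "body": "Database error: " + str(exc)}


def search_hardened(conn, codigo):
    """Validate the type first (an id is digits only), then use a placeholder."""
    if not re.fullmatch(r"\d{1,9}", codigo):
        return {"status": 400, "body": "codigo must be a number"}
    rows = conn.execute(
        "select codigo, f_valor from imoveis where codigo = ? order by f_valor DESC",
        (int(codigo),),
    ).fetchall()
    return {"status": 200, "body": repr(rows)}


def probe(handler, conn, value="'"):
    """Send the classic single-quote probe and report which engine, if any, talked back."""
    resp = handler(conn, value)
    return {"status": resp["status"], "engines": find_db_errors(resp["body"])}


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", probe(search_vulnerable, db))
    print("hardened:  ", probe(search_hardened, db))
    print("normal use:", search_hardened(db, "101"))
```

A 500 with an engine name in it is the same signal the post reads off Image 10; the hardened handler answers the probe with a plain 400 and no database text, which is what sqlmap would see on a site that had done this right.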

I will do another post next week showing you guys how to use tools like SQLmap. Are you interested? Please, let me know :)

Make sure you give this post 50 claps and my blog a follow if you enjoyed this post and want to see more.



Bruno Menozzi

Coffee, Code and Cyber Security, not necessarily in this sequence