A very useful aspect of PHP is the ability to manage file uploads. Allowing users to send a file opens a whole can of worms, so be careful when allowing this functionality. If it is poorly protected, it can give an attacker full control of the server. With DVWA you can learn effective defense.

Low

// DVWA "Low" level: $target_path is set earlier in the same script, and the
// uploaded file is moved there with no check on its name, type or content.
if(!move_uploaded_file($_FILES['uploaded']['tmp_name'], $target_path)) {
    $html .= '<pre>';
    $html .= 'Your image was not uploaded.';
    $html .= '</pre>';
} else {
    // On success the server-side path of the new file is echoed back to the user.
    $html .= '<pre>';
    $html .= $target_path . ' succesfully uploaded!';
    $html .= '</pre>';
}

The first level is the easiest because it has absolutely no protection against malicious file upload. Choose a file - in my case a PHP shell - and submit the form:

DVWA file upload
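For contrast with the "Low" handler above, here is an added example of a hardened upload handler. It is not DVWA code; the constant names, the upload directory and the field name "uploaded" are this example's own assumptions. It decides the file type from the file content rather than the client-supplied name or MIME type, picks a random server-side name and extension, and stores the file outside the web root with execute permission removed.

```php
<?php
// Added example (not DVWA code): a hardened counterpart of the "Low" handler.
// Assumptions: UPLOAD_DIR lives outside the web root; the form field is "uploaded".

const UPLOAD_DIR = '/var/www/private/uploads'; // assumption: not served by the web server
const MAX_BYTES  = 100000;
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/png' => 'png']; // detected MIME => extension we choose

function handle_upload(array $file): string {
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return 'Your image was not uploaded.';
    }
    if ($file['size'] > MAX_BYTES) {
        return 'Your image was not uploaded (too large).';
    }
    // Inspect the real content; $file['name'] and $file['type'] come from the client.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime]) || getimagesize($file['tmp_name']) === false) {
        return 'Your image was not uploaded (not a valid image).';
    }
    // Server-chosen random name and extension: the original filename never
    // reaches the filesystem, so a "shell.php" name cannot survive the upload.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!is_uploaded_file($file['tmp_name']) || !move_uploaded_file($file['tmp_name'], $dest)) {
        return 'Your image was not uploaded.';
    }
    chmod($dest, 0640); // readable by the application, never executable
    return htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . ' successfully uploaded!';
}

if (isset($_FILES['uploaded'])) {
    echo '<pre>' . handle_upload($_FILES['uploaded']) . '</pre>';
}
```

The two checks that matter most are the content-based type detection and the server-generated name: together they remove both the attacker-controlled extension and the attacker-controlled path. Serving the stored files back through a script (rather than directly from the upload directory) keeps the web server from ever executing them.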

...

The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted.  All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security.

The OWASP Top 10 project lists the most critical and widespread security issues on the web. Most security audits and specialized tools are based on the Top 10. The primary aim is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security weaknesses. The Top 10 also provides basic techniques to protect against these high-risk problem areas.

For each risk, OWASP provides generic information about likelihood and technical impact using the following simple rating scheme, which is based on the Rating Methodology:

OWASP top10 risk

...

As an ethical hacker performing a pentest, you must follow some rules and work through a process step by step to be efficient. The different phases are briefly explained below.

Agreement

The first step of a penetration test is to write an agreement, a kind of pre-engagement document covering the legal requirements and the rules of the test. It must be signed by both parties before starting the analysis. Some important information has to be defined with your client:

  • the scope: ip range, URL, server…
  • the method used: white/grey/black box
  • the start date and the end date
  • the forbidden techniques: denial of service, social engineering…

> Read the agreement example by TrueSec

...

Description

Here is a very interesting issue in the MySQL database. SQL truncation occurs when you try to insert/update a field with a string which is longer than the maximum length defined in the table structure. For instance, if you define a column as varchar(8) and you provide abracadabra, which is 11 characters long, MySQL will truncate the string to 8 and will insert abracada instead. No message, no warning, nothing at all. This flaw can lead to security issues in some cases.

Example

First I create this small table:

CREATE TABLE IF NOT EXISTS `user` (
  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
  `login` varchar(8) NOT NULL,
  `passwd` varchar(64) NOT NULL,
  PRIMARY KEY (`id`)
);
...
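The description above explains how silent truncation happens; as an added example (not from the original post), here is how an application can refuse over-long values instead of letting MySQL shorten them. It assumes a MySQL connection (the DSN and credentials are placeholders) and the `user` table defined above, where `login` is varchar(8). The DB-side fix is the strict sql_mode, which turns truncation into an error; the application-side check fails before the INSERT regardless of the server's configuration.

```php
<?php
// Added example, not from the original post. Assumes the `user` table above
// (login varchar(8)) and a MySQL connection; the DSN below is a placeholder.

function connect(): PDO {
    $db = new PDO('mysql:host=127.0.0.1;dbname=test', 'dbuser', 'dbpassword', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    // Make MySQL raise an error on over-long strings instead of silently truncating.
    $db->exec("SET SESSION sql_mode = 'STRICT_ALL_TABLES'");
    return $db;
}

// Read the declared column length from the schema so the check never drifts from the DDL.
function columnMaxLength(PDO $db, string $table, string $column): int {
    $stmt = $db->prepare(
        'SELECT CHARACTER_MAXIMUM_LENGTH FROM information_schema.COLUMNS
          WHERE TABLE_SCHEMA = DATABASE() AND TABLE_NAME = ? AND COLUMN_NAME = ?');
    $stmt->execute([$table, $column]);
    $len = $stmt->fetchColumn();
    if ($len === false) {
        throw new RuntimeException("unknown column $table.$column");
    }
    return (int) $len;
}

function createUser(PDO $db, string $login, string $password): void {
    $max = columnMaxLength($db, 'user', 'login');
    // Application-level check: reject what would otherwise be truncated, and reject
    // surrounding whitespace, which MySQL ignores when comparing VARCHAR values.
    if (mb_strlen($login) === 0 || mb_strlen($login) > $max || $login !== trim($login)) {
        throw new InvalidArgumentException("login must be 1..$max characters with no surrounding spaces");
    }
    $stmt = $db->prepare('INSERT INTO `user` (`login`, `passwd`) VALUES (?, ?)');
    $stmt->execute([$login, password_hash($password, PASSWORD_DEFAULT)]);
}

$db = connect();
try {
    createUser($db, 'abracada', 'secret');    // 8 characters: accepted
    createUser($db, 'abracadabra', 'secret'); // 11 characters: rejected, nothing inserted
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

A UNIQUE index on `login` is the third layer: even if both checks were bypassed, the database would refuse a second row whose login collapses to an existing value after truncation.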

Path traversal is a very powerful attack but not necessarily easy to find; fortunately DotDotPwn is here to help you! DotDotPwn is a powerful directory traversal fuzzer. Written in Perl, it is installed in Kali Linux by default.

Basic usage is:

dotdotpwn.pl -m <module> -h <host>

Several options are available:

-h: the host you want to test
-m: the module to use: http, ftp, or a text file containing the payload
-o and -O: enable operating system detection
-d: maximum depth to try (i.e. maximum number of ../)
-f: file to grab (default is /etc/passwd for *nix systems)
-E: try to grab some extra files depending on the OS detection result
-S: SSL support
-x: specify the port
-r: output file
-q: quiet mode
-k: keyword that, when matched in the response, indicates success
-b: exit after the first vulnerability found
-M: HTTP method to use with the http module (can't make it work)
-e: add an extension (.php, .png, …)

and some more…
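On the defending side, the payloads DotDotPwn sends (plain, URL-encoded and double-encoded ../ sequences at increasing depths) are all stopped by the same control: resolve the user-supplied path and check that the result still lies under the intended base directory. The following is an added example, not part of the original post or of DotDotPwn; the function name and the temporary demo directory are its own assumptions.

```php
<?php
// Added example (not from the original post or DotDotPwn): resolve a user-supplied
// relative path under a fixed base directory and refuse anything that escapes it.

function resolve_under(string $baseDir, string $userPath): ?string {
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Decode a few times: fuzzers also send double-encoded forms such as %252e%252e%252f.
    $path = $userPath;
    for ($i = 0; $i < 3 && ($decoded = rawurldecode($path)) !== $path; $i++) {
        $path = $decoded;
    }
    // NUL bytes are never legitimate in a path; treat backslashes as separators.
    if (strpos($path, "\0") !== false) {
        return null;
    }
    $path = str_replace('\\', '/', $path);

    // realpath() collapses every ../ and symlink, so the comparison is on the real location.
    $candidate = realpath($base . '/' . ltrim($path, '/'));
    if ($candidate === false) {
        return null; // target does not exist
    }
    // Accept only the base itself or something below it (trailing separator avoids /base-other).
    if ($candidate !== $base
        && strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Demonstration on a temporary directory with one constructed sample file.
$base = sys_get_temp_dir() . '/traversal_demo_' . bin2hex(random_bytes(4));
mkdir($base . '/img', 0700, true);
file_put_contents($base . '/img/logo.png', 'constructed sample');

$tests = [
    'img/logo.png',                    // legitimate: resolved
    'img/../img/logo.png',             // harmless ../ that stays inside: resolved
    '../../../../etc/passwd',          // plain traversal: rejected
    '%2e%2e%2f%2e%2e%2fetc%2fpasswd',  // URL-encoded: rejected
    '%252e%252e%252fetc%252fpasswd',   // double-encoded: rejected
];
foreach ($tests as $t) {
    $r = resolve_under($base, $t);
    printf("%-36s -> %s\n", $t, $r === null ? 'REJECTED' : $r);
}

unlink($base . '/img/logo.png');
rmdir($base . '/img');
rmdir($base);
```

Because the check is on the resolved filesystem path rather than on the request string, it does not depend on enumerating every encoding a fuzzer might use; the `-d` depth and `-e` extension options only change the input, never the resolved location.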

...