Description

Here is a very interesting issue in the MySQL database. SQL truncation occurs when you try to insert or update a field with a string that is longer than the maximum length defined in the table structure. For instance, if you define a column as varchar(8) and you provide abracadabra, which is 11 characters long, MySQL will truncate the string to 8 characters and will insert abracada instead. No message, no warning, nothing at all. This flaw can lead to security issues in some cases.

Example

First I create this small table:

CREATE TABLE IF NOT EXISTS `user` (
  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
  `login` varchar(8) NOT NULL,
  `passwd` varchar(64) NOT NULL,
  PRIMARY KEY (`id`)
);
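To see the behaviour concretely, here is an added example (not from the original post) that reuses the `user` table above and runs the same INSERT under MySQL's permissive and strict sql_mode; the login and password values are constructed, and STRICT_TRANS_TABLES is the server default since MySQL 5.7:

```sql
-- Added example, not code from the original post.
-- Assumes a MySQL session with the `user` table created above; values are constructed.

-- 1. Permissive mode: the over-long login is silently cut down to 8 characters
--    and the row is stored. The application gets no error.
SET SESSION sql_mode = '';
INSERT INTO `user` (`login`, `passwd`) VALUES ('abracadabra', 'constructed-secret');
-- Only SHOW WARNINGS, run right after the INSERT, reveals the truncation;
-- an application that does not check warnings never sees it.
SHOW WARNINGS;
SELECT `login`, CHAR_LENGTH(`login`) AS login_len FROM `user`;
-- login = 'abracada', login_len = 8

-- 2. Strict mode: the same INSERT is rejected instead of truncated.
SET SESSION sql_mode = 'STRICT_TRANS_TABLES';
INSERT INTO `user` (`login`, `passwd`) VALUES ('abracadabra', 'constructed-secret');
-- ERROR 1406 (22001): Data too long for column 'login' at row 1

-- 3. Check which mode a server (and your session) actually runs with.
SELECT @@GLOBAL.sql_mode, @@SESSION.sql_mode;
```

Enforcing strict mode globally (and validating the length on the application side before the query) is the mitigation; the session-level SET above only demonstrates the difference.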
...

Path traversal is a very powerful attack but not necessarily easy to find; fortunately, DotDotPwn is here to help you! DotDotPwn is a powerful directory traversal fuzzer. Written in Perl, it is installed in Kali Linux by default.

Basic usage is:

dotdotpwn.pl -m <module> -h <host>

Several options are available:

-h: the host you want to test
-m: the module; it supports http, ftp or a text file as payload
-o and -O: enable operating system detection
-d: max depth it will look for (i.e. max number of ../)
-f: file to grab (default is /etc/passwd for *nix systems)
-E: try to grab some extra files depending on the OS detection result
-S: SSL support
-x: specify the port
-r: output file
-q: quiet mode
-k: keyword to match in the response that indicates a win
-b: exit after the first vulnerability found
-M: HTTP method to use with the http module (can’t make it work)
-e: add an extension (.php, .png, …)

and some more…

...

Information gathering is the first and the most important step of a penetration test. The more information you gather, the easier the exploitation will be.

Developed by Christian Martorella, theHarvester is very useful for this task. It is a Python script that helps you find user emails and subdomains of a given domain by merely parsing search engine results. The following data sources are supported:

  • bing
  • google, googleCSE, googleplus, google-profiles
  • jigsaw
  • linkedin
  • people123
  • pgp
  • shodan
  • twitter

theHarvester is installed by default on Kali Linux. Basic usage is: theharvester -d <domain> -b <source>

...

Check the home directory of flag03 and take note of the files there. There is a crontab that is called every couple of minutes. Files for this level can be found in /home/flag03.

First, let’s check the home directory of our target flag03:

Exploit Exercises Nebula Level03

OK, we have an empty directory with full access and a shell script that looks like this:

#!/bin/sh
for i in /home/flag03/writable.d/* ; do
  (ulimit -t 5; bash -x "$i")
  rm -f "$i"
done
...

According to the OWASP Top 10, Cross-Site Scripting, aka XSS, ranks third in the list of the most common and important web vulnerabilities. Its primary goal is to hijack the session of another user by stealing their session cookie, usually a privileged user such as an admin. You can train XSS in Damn Vulnerable Web Application; here are some tests you can perform.

Low

<?php
if( !array_key_exists ("name", $_GET) || $_GET['name'] == NULL || $_GET['name'] == '' ) {
  $isempty = true;
} else {
  $html .= '<pre>';
  $html .= 'Hello ' . $_GET['name']; // user input is echoed back unescaped
  $html .= '</pre>';
}
?>

This code outputs the name parameter without any filtering, so it is very vulnerable to XSS!

...