Upload
sqalab
View
1.918
Download
1
Embed Size (px)
Citation preview
PowerPoint Presentation
2015
Epam systems
1 -
2/ SQL-INJECTION
3/ XSS
4
5
6
#
2
. . .
- ( , ..). -.
(White hat hacking) 0-day
,
#
3
#
4
#
5
- - - ( , , ..)
(, , , ..) -
:
#
6
Acunetix Web Vulnerability Scanner http://www.acunetix.com/ Vega Vulnerability Scanner https://subgraph.com/vega/ OWASP ZAP https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project IronWASP http://ironwasp.org/ Nikto https://cirt.net/Nikto2 -
#
7
-
#
8
-
#
9
-
#
10
-
#
11
/ (header, cookie etc.) -
#
12
-
#
13
-http://www.hack.test/cases/productsCategory.php?category=1 category
http://www.hack.test/instructions.php post : author commentSQL Injection:XSS:
#
14
SQL-Injection (SqlMap) sql- - sql- -
( , ..) - - ( , , , , os-shell ..) : :http://sqlmap.org/
#
15
python sqlmap.py-u "http://www.site.com/page.php?id=51"-u http://www.site.com/login.php --data=user=name&password=pass--dbs--tables D DBNAME--columns T TABLENAME D DBNAME--dump T TABLENAME D DBNAME (--dump-all)--current-user --current-db --usersprivileges--exclude-sysdbs--os-shell SQL-Injection (SqlMap)
#
16
SQL-Injection (SqlMap)
#
17
SQL-Injection (SqlMap) (, ..) . (, , ) , os-shell
:
#
18
/ XSS (OWASP Xenotix)
xss xss
(Ip- )Fuzzing , , [X], , , ( , , , - ..) : :https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework
#
19
/ XSS (OWASP Xenotix)
#
20
/ XSS (OWASP Xenotix) XSS (4808 payloads) Keylogger,
:
#
21
/ XSS (OWASP Xenotix)
http://beefproject.com/
#
22
(Pentestbox) (, , )
https://pentestbox.com/ C (C:/PentestBox) : :
#
23
(Pentestbox)
#
24
(Pentestbox)Web Vulnerability Scanners
1Stress Testing
2Information Gathering
3Exploitation Tools
4Password Attacks
5Android Security
6
7
#
25
Sql , SQL-inject21 , - , 3 XSS , XSS
#?
#
27