How to set up Metasploitable 3 on macOS Mojave

Today we’ll set up an environment of virtual machines (Ubuntu and Windows) that include intentional vulnerabilities ready to exploit, using Metasploitable 3 as the target machines and Kali as the attacker. Before that, here is the list of requirements you need:

Software requirements

You can install VirtualBox, Packer and Vagrant manually from the links below, or you can use brew:

brew cask install virtualbox
brew cask install vagrant
brew install packer

System requirements

  • VT-x/AMD-V Supported Processor recommended
  • 65 GB Available space on drive
  • 4.5 GB RAM

In the end our environment will have these two virtual machines: one running Ubuntu (metasploitable3-ub1404) and one running Windows (metasploitable3-win2k8).

Read More

Blind SQL Injection # bit-by-bit Inference

In the last example we used a binary search technique to get each character of SYSTEM_USER, inferring a whole group of 8 bits (1 byte) over a series of requests.

Now you’ll use another technique, in which each request tests a single bit at a chosen position.

Take as an example the character s, which is 113₁₀ in decimal and 0110 0111₂ in binary. With the bit-by-bit technique you apply a bitwise AND against a byte that has a single bit set at the position you are interested in; if the predicate returns true that bit is 1, otherwise it is 0.

Let’s start the 8 requests, one for each significant bit, corresponding to 64₁₀, 32₁₀, 16₁₀, 8₁₀, 4₁₀, 2₁₀ and 1₁₀.
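The inference loop described above, as an added example that is not code from the original post. It runs locally against a constructed oracle function instead of a web application: `oracle(mask)` stands in for one true/false request and answers whether the secret byte ANDed with the mask is non-zero. The byte is rebuilt from the eight answers, and a request counter is kept so the cost can be compared with the binary-search approach from the previous post. The secret value, the oracle and the function names are all assumptions made for this example. From a defensive point of view the counter is the interesting part: every recovered byte costs a fixed burst of near-identical requests, which is the pattern to look for in access logs.

```javascript
// Added example, not part of the original post.
// A local oracle plays the role of the vulnerable page: one call = one request.
function makeBitOracle(secretByte) {
  // Answers the predicate "(secretByte & mask) != 0", nothing else leaks.
  return (mask) => (secretByte & mask) !== 0;
}

// Bit-by-bit inference: probe masks 128, 64, 32, 16, 8, 4, 2, 1 in turn
// and OR the mask into the result whenever the predicate is true.
function recoverByteBitByBit(oracle) {
  let value = 0;
  let requests = 0;
  for (let bit = 7; bit >= 0; bit--) {
    const mask = 1 << bit;
    requests++;
    if (oracle(mask)) {
      value |= mask;
    }
  }
  return { value, requests };
}

// Binary-search inference from the previous post, for comparison.
// The oracle here answers a different predicate: "secretByte > n".
function recoverByteBinarySearch(greaterThanOracle) {
  let lo = 0;
  let hi = 255;
  let requests = 0;
  while (lo < hi) {
    const mid = Math.floor((lo + hi) / 2);
    requests++;
    if (greaterThanOracle(mid)) {
      lo = mid + 1;
    } else {
      hi = mid;
    }
  }
  return { value: lo, requests };
}

// Usage with a constructed secret character.
const secret = "s".charCodeAt(0);
const bitResult = recoverByteBitByBit(makeBitOracle(secret));
const bsResult = recoverByteBinarySearch((n) => secret > n);
console.log("bit-by-bit :", String.fromCharCode(bitResult.value), bitResult.requests, "requests");
console.log("binary srch:", String.fromCharCode(bsResult.value), bsResult.requests, "requests");
```

Both strategies recover the same byte; bit-by-bit always needs exactly 8 predicates per byte (7 if you know the value is 7-bit ASCII and skip the 128 mask), while binary search over 0..255 needs at most 8, so the choice is about which predicate the injection point lets you express, not about saving requests.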

Read More

Blind SQL Injection # Inference Techniques

Blind SQL Injection is a kind of attack based on inference, because no error is displayed and no warning message is shown. In this article you’ll use inference techniques in a use case: getting the current MySQL username and hostname through vulnerable code.

You’ll use the same tables and data from the previous example setup, and this is the code of the count-cars.php page:

Read More

SQL Injection VS Blind SQL Injection

So far you have learned how to trigger a SQL error by sending SQL code from the client (browser) to the server. However, sometimes the web application doesn’t show any error message from the database; that doesn’t mean the code is not vulnerable, and this is why you’ve to pay attention to the details.

A normal SQL injection is very similar to a Blind SQL Injection. The only difference is that a blind injection will not display any error message from the database server warning you that your SQL query syntax is incorrect; instead you have to ask true-or-false questions and watch the responses. On the other hand, a normal SQL injection will show a generic error message, making the vulnerability less difficult to exploit.

Environment Setup

You’ll set up an environment to test both cases, so our examples will be executed on a database with two related tables, users and cars, with a One-to-many (1:n) cardinality where a car can have multiple users.

Read More

SQL Injection Attacks # Intro

Welcome to this journey of understanding this famous vulnerability, SQL Injection. Together we’ll try to understand the basics, exploring it step by step.

What’s a Web Application

Before going further, let’s first describe what a web application is. A web application is an application that is accessed from a web browser, where the web browser is responsible for rendering the result coming from a web server.

Let’s take the simple example of this blog, running under the WordPress CMS: you’re reading this article from a web browser (Google Chrome, Firefox, Internet Explorer…) installed on your computer, while the article is stored on a database server, plus an HTTP server running a server-side scripting language.

What I describe here are the combined parts that form a web app: the presentation of the result (a web browser), the logic part (a server-side programming language, in this case PHP), and finally the database or storage part (MySQL, SQL, Oracle…).

Read More

Use bcrypt to compare passwords using Node.js

Storing your passwords as plain text is fast, but it is not secure; this is why you have to make it hard for attackers to get at important information, by using hashing. There are a couple of hashing functions like md5, but we’ll not use md5: it is not designed for passwords and it is cryptographically broken, since an attacker can generate a list of common passwords and their corresponding hashes, then compare those hashes with the ones the site has stored.

You’ll use bcrypt, which is designed for passwords: bcrypt uses a salt to make each hash output unique even if your users use the same password. This is a simple use case of bcrypt for a user who wants to update their password.

const bcrypt = require("bcryptjs");

// Generate a salt with a cost factor of 10 rounds
const salt = bcrypt.genSaltSync(10);

// Plain text passwords
const currentPassword = "abc123"; // the password currently set for the user
const oldPassword = "abc123";     // the "current password" typed into the form
const newPassword = "nWd6yCyj";   // the new password typed into the form

// Generate the current user password hash
// by combining the salt and the password
const currentPasswordHash = bcrypt.hashSync(currentPassword, salt);

// Compare the old password entered by the user
// to the current password hash; compareSync returns a boolean
if (!bcrypt.compareSync(oldPassword, currentPasswordHash)) {
  console.log("The Current Password is Wrong");
}

// The new password should not be the same
// as the old password
if (bcrypt.compareSync(newPassword, currentPasswordHash)) {
  console.log(
    "The new password is the same as the old password, please choose a different one",
  );
}