2017 is just around the corner, and there are gonna be more exciting things in infosec. IOT, Visualization, Machine Learning, threat intel etc.
2016, majority people were talking about IOT, threat intel and in December, nothing much to talk about these 2 issues except the biggest DDOS in internet history was actually powered by IOT.
People keep on investing in big data/threat intel when the current data that they have or available in public domain, is more than enough for their daily operation. People are investing in big data like they are running GCHQ or Fox Media. But that's people...
People keep on investing in technologies which are unnecessarily needed. People keep on harping on issues which are they barely understood. (for me) The biggest issue is still PEOPLE and their IGNORANCE.
But above all, SAP security is really interesting especially in business function area, things related to Segregation of Duties (SOD). Wonder how InfoSec is gonna be in 2017?
Tuesday, December 20, 2016
Skiddies in action
Nothing much to do during this festive holiday, so I decided to setup a lab to test SQL injection using POST method. I know, this is a NO BRAINER, SKIDDIES LVL 6 and a B1G J0k3 to all of you, but mind me, im just learning.
Conclusion: same ol, same ol....
1. Setup an application that authenticate controlled by MSSQL through form submission.
2. Boot up Kali Linux
3. Using ZAP/Burp to monitor the parameter passed by browser during the crawling.
4. Using that parameter, pass it to sqlmap for further testing.
5. Grab the SQL banner using sqlmap.. Succeed.
6. Next, try to gain shell using --os-shell -> failed because of xp_cmshell was kind of fuct up.
7. Next, try to gain shell using MSF's sql_payload connecting to MSSQL port -> failed since the IPS runing like a rottweiler.
Conclusion: same ol, same ol....
Subscribe to:
Posts (Atom)