Introduction to Penetration Testing with a use case of LFI -> Shell. I talk about the mindset required to be a good tester, and show places many testers and automated tools stop and how to go further.
2. Table of Contents
• Overview
• Enumeration
• Tool Output
• Do We Stop Here?
• Custom Scripts
• Wpscan
• Online Research
• Testing Exploitation
• PHP LFI
• Code Execution, Yes Please!
3. Overview
• This session will cover the mindset I follow when approaching a web application
• I am going to show where many might stop, and what happens when you push further
• These types of techniques can be applied to any web application
5. Methodology Overview
• Pre-Engagement Activities
– Hammer out all the details to conduct the test (schedule, scoping, rules of engagement, formal permission, etc.)
• Information Gathering and Reconnaissance
– Depends on the type of test and the information you are given (organization name, CIDR, list of URLs, source code, etc.)
• Automated Testing
• Manual Testing and Validation
• Reporting
• Remediation Support
7. Mindset is Key
• Think like an attacker and see things through a different lens:
– Upload an avatar? Hmmm, add code?
– Download a report? Hmm, directory traversal for another file?
• Confidence
– Without it you’ll very easily hit a wall and stop
– I tell myself a vulnerability is here; I just need to find it
10. Custom Scripts
• Web application testing requires custom scripting... there is really no way around it.
11. Custom Scripts Cont.
• Making web requests with a scripting language isn’t too difficult
• Check out tutorials online and try to automate web requests
• Making a tool for CVE-2012-1823 is a good use case because you need to make a POST request and modify several header values
– If you can write a tool for this CVE, it demonstrates concepts that can be applied to many different CVEs
19. PHP LFI…Now What?
• What can be done with a PHP LFI?
• It depends on which function is leading to the LFI vulnerability (include(), readfile(), etc.)
• PHP functions like include() will execute PHP code in the included file
– Yay, code execution through PHP snippets!
• PHP functions like readfile() will only display the file's contents
– We have more work to do
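The include()-versus-readfile() distinction above, shown as an added example that is not code from the talk: a vulnerable include() sink next to a hardened version that allow-lists template names and confirms the resolved path stays inside the templates directory. The pages/ directory, template names and report-file names are assumptions.

```php
<?php
// Added example (not from the talk). Directory layout and names are hypothetical.

// VULNERABLE: include() runs whatever PHP is in the named file. Because the
// user controls the path, a traversal value can point it at any readable file,
// including one the user uploaded earlier (the "upload an avatar? add code?"
// case from slide 7), and that file's PHP executes on the server.
function render_page_vulnerable(string $page): void
{
    include __DIR__ . '/pages/' . $page;   // no allow-list, no path check
}

// HARDENED: only known template names, resolved inside a fixed directory.
function render_page_hardened(string $page): void
{
    $allowed = ['home', 'about', 'contact'];        // known templates only
    if (!in_array($page, $allowed, true)) {         // strict: no type juggling
        http_response_code(404);
        return;
    }
    $base = realpath(__DIR__ . '/pages');
    $path = realpath($base . '/' . $page . '.php');
    // realpath() collapses ../ and symlinks; confirm the result is still
    // beneath the templates directory before include() is allowed to run it.
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        return;
    }
    include $path;
}

// readfile() sink (the "download a report?" case): no PHP is executed, but
// an arbitrary file's contents still leak, so the same containment applies.
function download_report_hardened(string $name): void
{
    $base = realpath(__DIR__ . '/reports');
    // Reject anything that is not a plain file name before touching the disk.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.pdf\z/', $name)) {
        http_response_code(400);
        return;
    }
    $path = realpath($base . '/' . $name);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/pdf');
    readfile($path);
}
```

Detection-wise, the same two controls give you something to log: a rejected template name or report name is exactly the request a tester or scanner would send, so count and alert on those 404/400 responses rather than silently dropping them.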
23. Summary
• Tools may not give you the answer
• It is very easy to hit a hurdle and quit
• You need to be curious and creative, and constantly push to get more information
• Confidence and mindset go a long way