Hacking Exposed homework

Homework CH10

0540170伏勁松

  1. (30 points) Google Dork

1)    Use a Google dork to find a target which can be injected.

2)    Explain why this target can be injected.

3)    Explain how to avoid it.

Solution:

1)        Find the Google dork in the GHDB (Google Hacking Database).


Using  inurl:"folderview?id=" site:drive.google.com  to search for targets on Google.

The target is Google Drive.

 

2) This dork finds people's private folders on Google Drive, which can leak personal information. Just googling this query returns a large number of exposed files; it's very dangerous.

 

3) Google Drive should fix it by releasing and applying patches in time.

 

  2. (30 points) Havij

1)    Install Havij.

2)    Explain how to use this tool.

3)    Use Havij to crack a database.

1)


2) Choose one target with an input request, then analyze it.


Find a website that uses a MySQL database.

3) Then click Table → Get Columns; it will show us the whole DB structure.

 

  3. (60 points) SQL injection

1)    Try to use SQL injection to crack a web application.

2)    Explain why this web application can be cracked.

3)    Explain how to avoid it.

1) I could not find one web application which can be SQL injected.

2) Because the program does not check the validity of user input data.

3) Use bind variables; perform strict input validation on any input from the client; implement default error handling; lock down ODBC; lock down the database server configuration; use programmatic frameworks.
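The two answers above (the cause: unvalidated input concatenated into a query; the fix: bind variables plus strict input validation) can be seen side by side in a small login lookup. This is an added example, not part of the homework and not from Havij or Hacking Exposed; it uses an in-memory SQLite database as a stand-in for the MySQL backend so it runs offline, and the table, rows and the `login_*` function names are constructed for the illustration.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database standing in for the application's MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "alice@example.com"),
         ("bob", "hunter2", "bob@example.com")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list[str]:
    """The defect named in answer 2): raw client input is pasted into the SQL text,
    so a quote character in the input changes the meaning of the statement."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list[str]:
    """Bind variables: the statement text is fixed and the values travel separately,
    so the input is only ever compared as data, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


# Allow-list for the username field: letters, digits, underscore, 1..32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def valid_username(value: str) -> bool:
    """Strict input validation on a client-supplied field (answer 3))."""
    return bool(USERNAME_RE.match(value))


def login_defended(conn: sqlite3.Connection, username: str, password: str):
    """Validation first, then a parameterised query. Returns None when the input
    is rejected, a default error path that reveals nothing about the query."""
    if not valid_username(username):
        return None
    return login_safe(conn, username, password)


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"  # constructed textbook payload used only to show the difference
    print("vulnerable:", login_vulnerable(db, tautology, tautology))  # every user matches
    print("bound     :", login_safe(db, tautology, tautology))        # no user matches
    print("defended  :", login_defended(db, tautology, tautology))    # rejected before the query
```

With the concatenated query the whole table matches because the quote in the input closes the string literal and the rest of the input becomes SQL; with bind variables the same string is compared literally to the `username` column and matches nothing, and the allow-list rejects it before a query is ever sent. Tools like Havij are detecting exactly the first behaviour.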

 

  4. (30 points) Burp Suite

1)    Install  Burp Suite.

2)    Explain how to use this tool.

3)    Use Burp Suite to scan a target; what kind of information can you get?

1)


2)

Step 1: set the Burp and Firefox proxy address to 127.0.0.1:8080.



Step 2: turn on Intercept.



Step 3: use Firefox to search something on Google or open a page; the request will be intercepted by Burp.

 


  5. (40 points) Browser plug-in

1)    Introduce a browser plug-in on Chrome or Firefox which can do web application hacking.

2)    Explain how to use this tool, and show your results.

1)        I chose TamperData, which is used on Firefox. The tool can intercept requests and modify the HTTP header or response, etc.

2)        Step 1: install it on Firefox.


Step 2: open it from the browser menu → TamperData.



Step 3: click Start Tamper; then every request will be intercepted and shown to us in an alert.



Step 4: after clicking Tamper, a window shows the request header, which can be modified. Once modified, the request will be replayed using the header specified.

