During the general meeting, the plan is to cover some web application vulnerabilities. The idea is to cover a wide variety of vulnerabilities to expose the audience to what is out there; depth will be provided in the workshop. The second half of the meeting is where we test connections to the boxes to see if the infrastructure is set up properly.
A user-guided approach: I open the floor to the audience to pitch ideas, and we put them to the test. People are allowed to work at their own pace, but I serve as the baseline.
if (isset($_GET["q"])) {
    $searchQuery = $_GET["q"];
    // Vulnerable: the raw value of q is concatenated straight into the SQL string,
    // so a single quote in q closes the LIKE literal and the rest is parsed as SQL.
    $sql = "SELECT * FROM listing WHERE (`listingName` LIKE '%".$searchQuery."%') OR (`listingDesc` LIKE '%".$searchQuery."%')";
} else {
    // No user input reaches this branch.
    $sql = "SELECT * FROM listing WHERE listingID > 0";
}
The file “search.php” is vulnerable to SQL injection because the value of the ‘q’ parameter is concatenated into the query with no input sanitization or parameterization. An attacker can abuse ‘q’ to append further SQL to the query through UNION SELECT.
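The same search logic with the user value bound as a parameter instead of concatenated, as an added example that is not code from the original notes; it assumes PDO and a constructed in-memory SQLite table using the column names from the snippet above (the original runs against MySQL, where the same PDO calls apply):

```php
<?php
// Added example, not code from the page: search.php rewritten with PDO
// prepared statements so that q is bound as data and never spliced into
// the SQL text. Table and column names follow the vulnerable snippet.

function searchListings(PDO $pdo, ?string $q): array
{
    if ($q === null || $q === '') {
        // Same fallback as the original: no user input reaches this query.
        return $pdo->query('SELECT * FROM listing WHERE listingID > 0')
                   ->fetchAll(PDO::FETCH_ASSOC);
    }

    // One placeholder per occurrence: MySQL native prepares reject a named
    // placeholder that is reused within a single statement.
    $stmt = $pdo->prepare(
        'SELECT * FROM listing WHERE listingName LIKE :name OR listingDesc LIKE :desc'
    );

    // The LIKE wildcards are added to the bound value, not to the SQL string.
    // A % or _ typed by the user still acts as a wildcard (it only widens the
    // match); it cannot change the structure of the query.
    $pattern = '%' . $q . '%';
    $stmt->execute([':name' => $pattern, ':desc' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function demo(): array
{
    // Constructed in-memory database standing in for the workshop box.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE listing (listingID INTEGER PRIMARY KEY,
                                      listingName TEXT, listingDesc TEXT)');
    $pdo->exec("INSERT INTO listing (listingName, listingDesc)
                VALUES ('Bike', 'Red road bike'), ('Lamp', 'Desk lamp')");

    // Constructed probe containing a quote and SQL keywords. Concatenated as in
    // the original it would alter the query; bound here it is a literal search
    // term and simply matches no row.
    $probe = "Bike' OR '1'='1";
    return [
        'normal' => count(searchListings($pdo, 'Bike')),
        'probe'  => count(searchListings($pdo, $probe)),
        'all'    => count(searchListings($pdo, null)),
    ];
}

print_r(demo());
```

Requires the pdo_sqlite extension to run as written; against the workshop's MySQL instance only the DSN changes.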
Payloads: