Exploit Blind SQL Injection to deserialize objects and execute code | Elf Resources @ X-MAS CTF 2022

Elf Resources is an easy-to-medium web challenge from X-MAS CTF 2022. It involves exploiting a blind SQL injection to retrieve some Python objects, then exploiting an arbitrary deserialization vulnerability to exfiltrate the flag.
=== Timestamp ===
00:00 - Intro
00:22 - Attack surface analysis
00:43 - Testing the Elf's Id parameter
01:31 - Installing Hackvertor
01:42 - Exploitation of the SQL Injection with sqlmap
02:31 - Elf's data column analysis
02:49 - Wrap up about serialization, deserialization, and pickle
03:21 - Attack planning and assumptions
03:38 - Understanding and reproducing the object with a custom script
04:03 - Assumptions about the implementation of the API and how to attack it
05:10 - Exploiting blind SQL Injection and arbitrary deserialization to exfiltrate the flag
05:42 - Exfiltrate and analyze the vulnerable code
06:30 - Vulnerability remediations and suggestions
06:47 - Conclusion
Tags:
#XMASCTF #sqlinjection #ctf #hacking