OWASP top 10, 2017 - A1 Injection

OWASP

Scenario

<?php
// your code:
$sql = "SELECT * FROM `Accounts` WHERE `customer_id` = '" . $_GET['id'] ."'" ;
$result = sql_exec($sql);

// attacker accesses your site as below:
// http://example.com/app/accountView?id=' or '1'='1

// your server will exec:
// SELECT * FROM `Accounts` WHERE `customer_id` = '' or '1'='1'

Prevention

// Query Parameterization ($dbh is an existing PDO connection)
$sql = "SELECT * FROM `Accounts` WHERE `customer_id` = :int_id";
$statement = $dbh->prepare($sql);
$statement->bindParam(':int_id', $_GET['id']);
$statement->execute();
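
The scenario and the fix above, run side by side as an added example (not part of the original post). It assumes the pdo_sqlite extension; an in-memory SQLite database with constructed rows stands in for the real one, and the function names lookupConcatenated and lookupParameterized are hypothetical.

```php
<?php
// Constructed demo data: an in-memory SQLite database stands in for the real one.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec("CREATE TABLE Accounts (customer_id TEXT, owner TEXT)");
$dbh->exec("INSERT INTO Accounts VALUES ('1001', 'alice'), ('1002', 'bob'), ('1003', 'carol')");

// Vulnerable (hypothetical helper): the input becomes part of the SQL text itself.
function lookupConcatenated(PDO $dbh, string $id): array
{
    $sql = "SELECT * FROM Accounts WHERE customer_id = '" . $id . "'";
    return $dbh->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed (hypothetical helper): the input is sent as a bound value and is only compared as data.
function lookupParameterized(PDO $dbh, string $id): array
{
    $statement = $dbh->prepare("SELECT * FROM Accounts WHERE customer_id = :id");
    $statement->bindValue(':id', $id, PDO::PARAM_STR);
    $statement->execute();
    return $statement->fetchAll(PDO::FETCH_ASSOC);
}

// Inputs: a legitimate id, then the id value from the URL in the scenario above.
$inputs = ['1002', "' or '1'='1"];
foreach ($inputs as $id) {
    printf(
        "input %-16s concatenated: %d row(s), parameterized: %d row(s)\n",
        json_encode($id),
        count(lookupConcatenated($dbh, $id)),
        count(lookupParameterized($dbh, $id))
    );
}
```

For the legitimate id both functions return the same single row. For the second input the concatenated query matches every account, while the parameterized query looks for a customer_id equal to that literal string and finds none.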

Chrome headless mode

Chrome

Requirement

Chrome version 59+

command alias (or edit .bash_profile)

alias chrome="/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --headless --disable-gpu"

chrome --print-to-pdf https://httpbin.org

chrome --screenshot https://httpbin.org
chrome --screenshot --window-size=1280,1696 https://httpbin.org

REPL mode (read-eval-print loop) - similar to the JavaScript console

chrome --repl https://httpbin.org

>> window.innerHeight
{"result":{"description":"600","type":"number","value":600}}

Reference

https://developers.google.com/web/updates/2017/04/headless-chrome
https://en.wikipedia.org/wiki/Headless_browser


Install python3 and pip3

Python

Ubuntu

Requirement

apt-get install build-essential
apt-get install zlib1g-dev  # optional

Install python2.7

apt-get update
apt-get install python
apt-get install python-pip
pip install --upgrade pip

Install python3+

apt-get install python3
apt-get install python3-pip
pip3 install --upgrade pip

Install python library - yaml

apt-get install python3-yaml

CentOS

Requirement

yum groupinstall 'Development Tools'
yum install zlib-devel
yum install zlib  # optional
yum install wget  # optional

Install python2.7

Python 2.7 is built in

Install python3.6

The official yum repositories support up to Python 3.4

yum install python34

curl -O https://www.python.org/ftp/python/3.6.0/Python-3.6.0.tgz
# optional alternative to curl; --no-check-certificate disables TLS certificate verification
wget --no-check-certificate https://www.python.org/ftp/python/3.6.0/Python-3.6.0.tgz
tar -xzvf Python-3.6.0.tgz
cd Python-3.6.0
./configure --prefix=/usr/local/python3
make
make install
ln -s /usr/local/python3/bin/python3 /usr/bin/python3


wget --no-check-certificate https://github.com/pypa/pip/archive/9.0.1.tar.gz
tar -zvxf 9.0.1.tar.gz
cd pip-9.0.1
python3 setup.py install
ln -s /usr/local/python3/bin/pip /usr/bin/pip3
# use the pip3 link created above; no plain "pip" command is put on the PATH by these steps
pip3 install --upgrade pip

Install python plugin - pyyaml

Since pip only supports HTTPS sources

wget https://pypi.python.org/packages/4a/85/db5a2df477072b2902b0eb892feb37d88ac635d36245a72a6a69b23b383a/PyYAML-3.12.tar.gz#md5=4c129761b661d181ebf7ff4eb2d79950
tar -zxvf PyYAML-3.12.tar.gz
cd PyYAML-3.12/
python3 setup.py install


Docker Cheatsheet

Docker

Pull to local server

# Linux distributions
docker pull ubuntu
docker pull centos
docker pull kalilinux/kali-linux-docker

# programming
docker pull node
docker pull golang
docker pull jupyter/notebook
docker pull tomcat

# db
docker run -p 8888:8080 adminer

Plain container

docker run -t -i ubuntu bash
docker run -t -i centos bash
docker run -t -i kalilinux/kali-linux-docker bash





Hexo create a new blog post

Hexo

Generate a new file

hexo new post "My first post"

edit post content

vi source/_posts/My-first-post.md

generate static file

hexo generate
[or]
hexo g

run server

hexo server
[or]
hexo s

deploy

hexo deploy
[or]
hexo d