Source Code Audit Training

Day 3

Jörn Schneeweisz

© 2018

Exploitation \o/

Exploitation

Q: What is an exploit?

Exploitation

Some theory by Halvar Flake/Thomas Dullien

Exploitation

Sometimes an exploit is as easy as:

Exploitation

Advantage of most exploits against managed code:

  • Reliability

Verification

  • Creation of working PoC exploits
  • Practical exercises
  • Final practical exercises on real-world code bases

Bug Patterns and Examples

HelloFile.java

⚰️ RIP

PHP

Ruby on Rails

MySQL

mysql> SELECT 123 FROM dual WHERE 1=1;
+-----+
| 123 |
+-----+
| 123 |
+-----+
1 row in set (0.00 sec)

MySQL

mysql> SELECT 123 FROM dual WHERE 1="1";
+-----+
| 123 |
+-----+
| 123 |
+-----+
1 row in set (0.00 sec)

MySQL

mysql> SELECT 123 FROM dual WHERE 1="1somestring";
+-----+
| 123 |
+-----+
| 123 |
+-----+
1 row in set, 1 warning (0.00 sec)

MySQL

mysql> SELECT 123 FROM dual WHERE 1="somestring";
Empty set, 1 warning (0.00 sec)

MySQL

mysql> SELECT 123 FROM dual WHERE 0="somestring";
+-----+
| 123 |
+-----+
| 123 |
+-----+
1 row in set, 1 warning (0.00 sec)
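The same implicit string-to-DOUBLE conversion that makes 0="somestring" true above, carried into a lookup table, as an added example that is not part of the deck. The api_keys table, its owners and its tokens are constructed; the queries are plain MySQL.

```sql
-- Constructed example (not from the deck): a VARCHAR token column compared
-- against an integer, the coercion the slides show with 0="somestring".
CREATE TABLE api_keys (
  id    INT PRIMARY KEY,
  owner VARCHAR(32) NOT NULL,
  token VARCHAR(64) NOT NULL
);

INSERT INTO api_keys (id, owner, token) VALUES
  (1, 'alice', 'a7f3c9d1b2c4'),   -- no numeric prefix: converts to 0
  (2, 'bob',   '7c3a9d1b2f4a'),   -- numeric prefix 7
  (3, 'carol', '0d00baa5c00d');   -- numeric prefix 0

-- Vulnerable pattern: the application interpolates a number instead of a
-- quoted string (e.g. a token that failed integer validation and became 0).
-- MySQL converts every stored token to DOUBLE before comparing, so the
-- lookup matches every token whose numeric prefix is 0 (alice and carol),
-- not the one token the caller meant.
SELECT owner FROM api_keys WHERE token = 0;

-- Audit aid: the coercion leaves a trace right after the statement,
-- one "Truncated incorrect DOUBLE value" warning per non-numeric token.
SHOW WARNINGS;

-- Same mechanism, different prefix: matches bob only.
SELECT owner FROM api_keys WHERE token = 7;

-- Fixed: compare string to string, i.e. bind the parameter as a string.
-- Only a byte-exact token matches; the integer-looking value matches nothing.
SELECT owner FROM api_keys WHERE token = '0';
SELECT owner FROM api_keys WHERE token = 'a7f3c9d1b2c4';
```

When reviewing application code, look for a string column compared to a value the language may have turned into a number (an int(), intval() or failed cast), and check whether the driver quotes the bound value.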