zhiqingfeng/H2-Goat
H2-Goat

```diff
- text in red
+ text in green
! text in orange
# text in gray
@@ text in purple (and bold)@@
```

Reading summary

Security Misconfiguration

  • When we are installing a new application, or an old password is still being used in the new application, the application might be vulnerable. The way to prevent this situation is to delete the features, components, documentation and samples that are not used frequently.

  • This is a type of vulnerability in web application security. It happens when security settings and configurations are not properly set or maintained, leaving the system open to attack.

Vulnerable and Outdated Components

  • This concerns the use of components in a system, for example libraries and frameworks. It can happen when a system is built using components that are no longer maintained or supported.

  • Remove unused dependencies, unnecessary features, components, files and documentation. Only obtain components from official sources over secure links.

Injection

  • It happens when an attacker tries to inject code into the system. This allows the attacker to gain access and obtain information and data.

  • Some common injections are SQL injection and OS command injection. The way to prevent it is to use structured SQL queries, so that the query structure (table names, column names and so on) is fixed rather than built from user input.

Darknet Diaries - NEWSWIRES

  • Investing in the stock market can be very profitable. Especially if you can see into the future. This is a story of how a group of traders and hackers got together to figure out a way to see into the future and make a lot of money from that.

  • Stock market traders aim to predict the future. If they can buy a stock that goes up in value, they will make money. But they could also lose a lot of money at the same time.

  • He spent months creating a huge number of SQL injections, and he got them working.

  • The SEC is an independent U.S. government agency responsible for protecting investors, maintaining the fair and orderly functioning of the securities markets, and facilitating capital formation.

CVE (Common Vulnerabilities and Exposures)

CVE-2022-47966

  • Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections.

  • This vulnerability has already been reported and addressed. The remote code execution vulnerability was due to the use of an outdated third-party dependency, Apache Santuario.

Sequel - Solve SQLZoo.

This task basically used SQL. I have studied the SQL course from the second semester, so this is not very difficult for me. :)

0 SELECT basics.

  1. Introducing the world table of countries

     ```sql
     SELECT population FROM world
     WHERE name = 'Germany'
     ```

  2. Scandinavia

     ```sql
     SELECT name, population FROM world
     WHERE name IN ('Sweden', 'Norway', 'Denmark')
     ```

  3. Just the right size

     ```sql
     SELECT name, area FROM world
     WHERE area BETWEEN 200000 AND 250000
     ```

2 SELECT from World.

  1. Introduction

     ```sql
     SELECT name, continent, population FROM world
     ```

  2. Large Countries

     ```sql
     SELECT name FROM world
     WHERE population >= 200000000
     ```

  3. Per capita GDP

     ```sql
     SELECT name, (gdp/population) AS PerCapitaGDP FROM world
     WHERE population >= 200000000;
     ```

  4. South America In millions

     ```sql
     SELECT name, (population/1000000) FROM world
     WHERE continent = 'South America'
     ```

  5. France, Germany, Italy

     ```sql
     SELECT name, population FROM world
     WHERE name IN ('France', 'Germany', 'Italy')
     ```

Injected - Solve WebGoat.

A1 Injection (intro)

  1. What is SQL

  2. Data Manipulation Language (DML)

     ```sql
     UPDATE Employees SET department = 'Sales'
     WHERE first_name = 'Tobi' AND last_name = 'Barnett'
     ```

  3. Data Definition Language (DDL)

     ```sql
     ALTER TABLE employees ADD phone varchar(20)
     ```

  4. Data Control Language (DCL)

     ```sql
     GRANT ALTER TABLE TO UnauthorizedUser
     ```

  5. String SQL injection

     ```sql
     SELECT * FROM user_data WHERE first_name = 'John' AND last_name = 'Smith' or '1'='1'
     ```

  6. Numeric SQL injection

     ```sql
     SELECT * FROM user_data WHERE Login_Count = 2 AND userid = 2 or '2'='2'
     ```

  7. Compromising confidentiality with String SQL injection

  8. Compromising Integrity with Query chaining

  9. Compromising Availability

     ```sql
     DROP TABLE access_log
     ```

For questions 7 to 9, I can't find the solution to resolve them, but I am still trying to do them. :)
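As an added example (not code from the original repository), the string and numeric injections from the WebGoat lessons above are run against a small SQLite `user_data` table: first through queries built by string concatenation, then through the parameterized form that the Injection notes recommend. The table contents are constructed sample data.

```python
import sqlite3

def make_db():
    """Build an in-memory user_data table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (userid INTEGER, first_name TEXT, "
                 "last_name TEXT, login_count INTEGER)")
    conn.executemany("INSERT INTO user_data VALUES (?, ?, ?, ?)", [
        (1, "John", "Smith", 5),
        (2, "Jane", "Doe", 2),
        (3, "Tobi", "Barnett", 7),
    ])
    return conn

# --- vulnerable: the query text is assembled from user input -----------------
def lookup_unsafe(conn, first, last):
    sql = (f"SELECT * FROM user_data WHERE first_name = '{first}' "
           f"AND last_name = '{last}'")
    return conn.execute(sql).fetchall()

def lookup_by_id_unsafe(conn, user_id):
    sql = f"SELECT * FROM user_data WHERE login_count = 2 AND userid = {user_id}"
    return conn.execute(sql).fetchall()

# --- hardened: query structure is fixed, input travels as bound parameters ---
def lookup_safe(conn, first, last):
    sql = "SELECT * FROM user_data WHERE first_name = ? AND last_name = ?"
    return conn.execute(sql, (first, last)).fetchall()

def lookup_by_id_safe(conn, user_id):
    # int() rejects anything that is not a plain number before it reaches SQL
    sql = "SELECT * FROM user_data WHERE login_count = 2 AND userid = ?"
    return conn.execute(sql, (int(user_id),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # last_name payload from lesson 5: closes the quote and appends or '1'='1'
    print(len(lookup_unsafe(db, "John", "Smith' or '1'='1")))   # 3 rows leak
    print(len(lookup_safe(db, "John", "Smith' or '1'='1")))     # 0 rows
    # userid payload from lesson 6
    print(len(lookup_by_id_unsafe(db, "2 or '2'='2'")))         # 3 rows leak
    print(len(lookup_by_id_safe(db, "2")))                      # 1 row
```

Because AND binds tighter than OR, the appended `or '1'='1'` turns the whole WHERE clause true in the concatenated versions; with bound parameters the same text is just a last name that matches nothing.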

Voluntary Bonus

SQLZoo Tasks

SELECT names

  1. Find the country that starts with Y

     ```sql
     SELECT name FROM world
     WHERE name LIKE 'Y%'
     ```

  2. Find the countries that end with y

     ```sql
     SELECT name FROM world
     WHERE name LIKE '%y'
     ```

  3. Find the countries that contain the letter x

     ```sql
     SELECT name FROM world
     WHERE name LIKE '%X%'
     ```

  4. Find the countries that end with land

     ```sql
     SELECT name FROM world
     WHERE name LIKE '%land'
     ```

  5. Find the countries that start with C and end with ia

     ```sql
     SELECT name FROM world
     WHERE name LIKE 'C%ia'
     ```

  6. Find the country that has oo in the name

     ```sql
     SELECT name FROM world
     WHERE name LIKE '%oo%'
     ```

  7. Find the countries that have three or more a in the name

     ```sql
     SELECT name FROM world
     WHERE name LIKE '%a%a%a%'
     ```

  8. Find the countries that have "t" as the second character.

     ```sql
     SELECT name FROM world
     WHERE name LIKE '_t%'
     ORDER BY name
     ```

  9. Find the countries that have two "o" characters separated by two others.

     ```sql
     SELECT name FROM world
     WHERE name LIKE '%o__o%'
     ```

  10. Find the countries that have exactly four characters.

      ```sql
      SELECT name FROM world
      WHERE name LIKE '____'
      ```
