
The ultimate boss of web hacking! File upload vulnerability attack techniques! Following Part 1, this Part 2 'Chapter 1' training covers more in-depth and advanced techniques.
241 learners
Level Intermediate
Course period Unlimited


Reviews from Early Learners
5.0
Bryan
It would be better if you could provide example files in vulnerable versions so that you can practice right away by setting up a real environment with the course materials. The example files that can be downloaded as course materials are versions with the vulnerabilities removed.
5.0
학습자
I am taking this great class well. Thank you.
5.0
구운고구마
I took all of these lectures during the Chuseok holidays. The detailed explanation and practice of the file upload library were good, and my perspective on the Spring Framework changed. I am currently doing mock hacking, and there were many practical exercises that I could apply right away, which was good. Thank you for making such a great lecture.
Understanding Java File Upload Libraries
Potential security threats to Java file upload libraries
File upload vulnerabilities, even advanced techniques!
We deliver core insights that are hard to find anywhere else.
This training covers the most important aspects of file upload vulnerability attacks, focusing in detail on attack processes that use entirely different approaches from conventional methods. You can learn everything from basic attack knowledge to bypass techniques used in practice, real-world case studies, various countermeasures, and secure coding. This is an essential foundational course for all subsequent training sessions.
This course covers advanced attack techniques and Web Application Firewall (WAF) bypass methods not addressed in Part 1, and involves analyzing technical methods used in real-world environments through hands-on practice.
In today's web environment, the use of web shell detection solutions is gradually increasing. Accordingly, security analysts must possess the skills to bypass these detection solutions. Therefore, this will be an essential training for practitioners.
The final part to wrap up the file upload vulnerability lecture!
This course is 'Part 2', the sequel to the 'File Upload Vulnerability Attack Techniques and Practical Case Analysis: PART 1 taught by a penetration testing professional' course.
File Upload Vulnerability Attacks Part 2 is divided into a total of 3 parts, and each topic is as follows.
This course is 'Part 1' of Part 2, and covers the topic of 'File Upload Library Analysis and Attack Methodologies.'
taking the Crehacktive Web Hacking series.
Today, there are various ways to learn web hacking. From online lecture platforms like Inflearn to academies for offline classes and search engines, the most common paths we encounter tend to focus primarily on general content.
However, this lecture is different. I am confident that it contains 'content you won't find anywhere else'!
💡 This lecture is Part 2-1, and it covers 'File Upload Library Analysis and Attack Methodologies'.
The source code below is known to be secure against file upload vulnerabilities. So, is it truly secure?
...
// Resolve the upload directory and parse the multipart request
// (size limit 1024*10*10 bytes, UTF-8 encoding).
String path = request.getRealPath("/upload");
MultipartRequest multi = new MultipartRequest(request, path, 1024*10*10, "UTF-8");
Enumeration formNames = multi.getFileNames();
while (formNames.hasMoreElements()) {
    String param = (String) formNames.nextElement();
    String uploadFile = multi.getFilesystemName(param);
    // Take the text after the last dot as the extension, lower-cased.
    int extOffset = uploadFile.lastIndexOf(".");
    String fileExt = uploadFile.substring(extOffset + 1).toLowerCase();
    // Anything other than jpg, png or gif is deleted and the request is rejected.
    if (!fileExt.equals("jpg") && !fileExt.equals("png") && !fileExt.equals("gif")) {
        File fp = new File(path, uploadFile);
        fp.delete();
        out.println("<script>alert('Invalid extension');history.back(-1);</script>");
        return;
    }
}
...
No. This source code is 'vulnerable source code'.
The reason why this code is vulnerable and the attack methods for it are covered in detail in the Part 2-1 lecture.
Understanding Cases by File Upload Library
We analyze each file upload library, covering potential security threats and various cases that may arise.
Methodologies and Practices Based on Security Threats
We will examine potential security threats for various cases and conduct hands-on attack exercises.
'File Upload Vulnerability Part 2' consists of three lectures designed to help you succeed in file upload vulnerability attacks across various environments. However, this is not a course that simply provides the answers. Taking this course does not guarantee success in file upload vulnerability attacks in every single environment.
The goal of this lecture is not to provide the right answers, but to be a lecture that broadens your perspective. By learning that vulnerabilities can occur in various environments, you will gain the realization of "Ah, I can try it this way too!" and furthermore, you will be able to analyze future assessments while 'knowing' that diverse environments exist. There is a world of difference between analyzing with this knowledge and analyzing without it.
I hope this lecture helps you clearly refine your perspective on web hacking and lay the foundation to elevate your skills to a higher level!
Q. Is there any prior knowledge I should have before taking the course?
You must have an understanding of 'File Upload Vulnerabilities.' Additionally, you should be familiar with the content covered in Part 1 to smoothly follow Part 2. Of course, if you already have a high level of understanding regarding 'File Upload Vulnerabilities,' you should have no problem taking the course.
Q. Who is the target audience for this course?
I recommend this course primarily for "practitioners." However, those who have sufficiently studied web hacking theory or are currently preparing for employment can also take the course.
Q. Do I have to take 'File Upload Vulnerability Attack Part 1'?
I recommend taking the course. Even if you have an understanding of file upload vulnerabilities, there may be parts of Part 2 that are difficult to understand without a foundation in Part 1. Therefore, even for working professionals, I recommend taking Part 1 first before proceeding to Part 2.
Q. Part 2 is divided into three parts; do I need to take all of them?
You do not necessarily have to take all three parts. However, if you want to learn attack methodologies for various practical environments, I "highly" recommend taking all three.
Q. Should I take Part 2 in the order of the 3 parts?
You don't necessarily have to do that; you can start with the topics you're most interested in. However, since the three parts were produced in order, I believe it would be better for the overall flow to take them sequentially.
It is recommended that you take this course with a prior understanding of web technology and web hacking. Additionally, we recommend that you first take the 'File Download Vulnerability Attack' and 'File Upload Vulnerability Attack Part 1' courses from Crehacktive's web hacking lecture series.
Who is this course right for?
Practitioners currently performing penetration testing or vulnerability assessment in the field
Job seekers
Need to know before starting?
Web Technology
Web Hacking Basics
File Download Vulnerability Knowledge
File Upload Vulnerability Knowledge
27,513 Learners ∙ 1,544 Reviews ∙ 509 Answers ∙ 4.9 Rating ∙ 18 Courses
Hello, this is Crehacktive.
Based on my years of experience diagnosing and researching various web services, I have been sharing practical, job-ready knowledge through the Inflearn platform.
I also authored Crehacktive's All-in-One Web Hacking Bible, which systematically covers the basics of web hacking. For those who lack foundational knowledge, I recommend starting your studies with this book.
Email : crehacktive3@naver.com
31 lectures ∙ (2hr 24min)
6 reviews
5.0