Posted: 2022-05-28 17:19:27 RSS feed summary for 2022-05-28 17:00 (22 items)

Category Site name Article title / trend word Link URL Frequent words / summary / search volume Registration date
python New posts tagged Python - Qiita Features and dimensions https://qiita.com/nakam5/items/d8fa2d3c466cc5138201 equivalent 2022-05-28 16:44:49
python New posts tagged Python - Qiita Gaussian Processes and Machine Learning (notes: table of contents) https://qiita.com/yoneXyone/items/e4357c8898ce400de9d7 typos and omissions 2022-05-28 16:29:28
python New posts tagged Python - Qiita Gaussian Processes and Machine Learning - Chapter 3 (1) https://qiita.com/yoneXyone/items/d149471e9581cd3b912c typos and omissions 2022-05-28 16:24:39
python New posts tagged Python - Qiita Python: Notify Slack when a website is updated https://qiita.com/bureibu20/items/63291d51edf7693ba506 robotstxt 2022-05-28 16:21:15
js New posts tagged JavaScript - Qiita How to overwrite a value in JavaScript https://qiita.com/shinobear01/items/ffecf01ede68979db7c6 angular 2022-05-28 16:32:42
js New posts tagged JavaScript - Qiita [Easy] A belated roundup of rendering optimization with React Developer Tools and why did you render https://qiita.com/WebEngrChild/items/aa19500c51efa33dabc6 ctmemousecallbackusememo 2022-05-28 16:12:07
AWS New posts tagged AWS - Qiita About multi-factor authentication methods for the AWS console https://qiita.com/kimera/items/b2cbc14784f188bd1cd6 positioning 2022-05-28 16:54:19
Docker New posts tagged docker - Qiita [Environment setup] Building a jupyterlab environment with docker https://qiita.com/takuma-1234/items/c0806c9ab5482039ff22 docker 2022-05-28 16:13:27
Git New posts tagged Git - Qiita How to configure files you want to exclude from git management https://qiita.com/takuma-1234/items/7ab989563b8db9563666 train 2022-05-28 16:35:51
Git New posts tagged Git - Qiita A recommendation for pull request LEGO https://qiita.com/michimichix521/items/663d74caf8db64c85914 we 2022-05-28 16:26:29
Tech blog Developers.IO [Report] What is the most effective way to proceed with enterprise system modernization? (AWS-08) #AWSSummit https://dev.classmethod.jp/articles/aws-summit-online-2022-aws-08/ awsawssummit 2022-05-28 07:51:05
Overseas TECH DEV Community Android Pentesting: Writeup of DIVA Input Validation Issues for Parrot OS https://dev.to/christinecdev/android-pentesting-writeup-of-diva-input-validation-issues-for-parrot-os-36mh Android Pentesting Writeup of DIVA Input Validation Issues for Parrot OSWith another day gone it is time for another Android Pen test write up Today we are going to cover the fourth section of the DIVA APK Input Validation Issues When we have an application that does not validate input properly it makes it easier for an attacker to go ahead and creating input that is not expected by the rest of the application This has dire consequences ranging from altered data arbitrary code execution or unauthorized data access Not good If you have not seen any of the previous write ups feel free to head over to my GitHub and pull anything you want When you re ready put on your favorite hoodie and grab your nearest drink and let s get HACKING Input Validation Issues Part OneWhen we open the Input Validation Issues Part section on our device we are met with the following objective try to access all user data without knowing any username There are three users by default and your task is to output data of all three users with a single malicious search Let s take note of the key to this objective malicious search We also see a little hint which tells us that there are three users in the database where one is an admin Since we are working with a database we are most likely going to have to create a SQL Injection but before we get to that let s see what happens if we enter any username without knowing the true values When we enter an random guessed value we can see that no user gets returned Yet when we enter admin we can see that it returns the details of the admin user Now that we know that admin is most definitely a user we can use this to construct our SQL Injection command But before we do this I want to cheat a little bit and go snoop around in our database files to see if we can
see the three users that we need to return with our command If you want to do this open up your terminal via CTRL ALT T and enter the following commands adb shellsucd data data jakhar aseem diva databases gt qlite To enter this option start typing sql press TAB Enter gt open sqli gt tables gt table sqliuser gt dump sqliuserWe can see that we need to construct a command to return the users admin diva and john Head back into your application because we are about to write the most genius original most hackery SQL Injection command ever admin OR indicates the start of our query admin we know this is already a user in the database OR since is always true the query will return all items comments out the rest of our query DUHN DUHN DUUUUUHN we ve successfully dumped their database table Wasn t that fun Input Validation Issues Part TwoWhen we open the Input Validation Issues Part section on our device we are met with the following objective try accessing any sensitive information apart from a web URL Let s take note of the important part in this objective which is to NOT access information from a web URL so don t go trying to hack Google or your favorite site We need to access local data Now before we continue I need to confess something I made an oops and had to clean install all of my tools This means that all those tmp files and shared prefs we created in the pervious writeups are all gone Not to worry because I m going to work around it Let s go into our APK and see what sensitive data we can exploit If you aren t me and you still have your tmp file you can easily use that file I will instead create a secret file that will contain some user data We will then use this file to see if we can access it in the application Open up your terminal and do the following adb shellsucd data data jakhar aseem diva echo password username alex gt private txtcat private txtwith our file created and our sensitive data stored locally on our device we can now go back to our application 
and try to access our private txt file via input Let s navigate to that file via file data data jakhar aseem diva private txtWhen we hit view we can see that our data is revealed And so we are done with part two Let s keep going Input Validation Issues Part ThreeWhen we open the Input Validation Issues Part section on our device we are met with the following objective DOS the damn thing Do not find the code just crash the app and then find the root cause of the crash Firsts things first let s go over what a DOS attack is A Denial of Service DOS attack is an attack that has the intention of shutting down a system which in turn makes it inaccessible or slow We perform DOS attacks by flooding the target with traffic or large volumes of information that causes the system to crash Now we can go about this in various ways but for this writeup let s do it the most basic way by entering a large amount of data into the input and pushing the red button To make the app crash I simply just spammed my keyboard with until the input no longer accepted my string length and voila it worked Okay so we successfully completed the first part of the objective which was to crash the app via a DOS attack Let s head into Android Studio or alternatively you can use the adb logcat command in your terminal but I like the pretty AS colors to see what our log returned Now there s a lot going on here and it s easy to get overwhelmed but let s focus on our error code SIGSEGV I highlighted the SIGSEGV code because it is is important since it indicates a segmentation fault in Linux containers Simply put we get this code since our application tries to read write outside of the memory allocated for it or when writing memory which can only be read Let s open up our JDX GUI jadx gui and see what our source code says When we open up our InputValidationActivity we recognize a class Divajni that we had to use way back when in our hardcoding issues writ eups We can see that it uses this value to initiate 
our launch sequence Let s open up Divajni We get greeted again by soName which we know has something to do with our libdivajni so file Okay now from here on we can open up our terminal and see if we can find something in our libdivajni so file that is odd or related to our error code We won t have to scroll to far before we identify the culprit strcpy Though we cannot access it to see how it is used strcpy is a common culprit when it comes to segmentation faults This is because the strcpy code is suitable handling for small inputs but not for large ones such as the input we used for our DOS attack Congratulations you have successfully completed all three parts of the DIVA Input Validation Issues I hope this was easy enough to follow understand I ll see you next time for our last section section Access Control Issues If you have recommendations on any cool tools techniques or tutorials that I too can follow feel free to leave them below and I ll check it out Pull this on my GitHub for future reference 2022-05-28 07:35:30
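News BBC News - Home Uvalde shooting: Texas shooting response was 'wrong', says official https://www.bbc.co.uk/news/world-us-canada-61613177?at_medium=RSS&at_campaign=KARANGA please 2022-05-28 07:25:33
News BBC News - Home Armed female bystander kills man firing at party in West Virginia https://www.bbc.co.uk/news/world-us-canada-61615236?at_medium=RSS&at_campaign=KARANGA multiple 2022-05-28 07:25:04
Hokkaido Hokkaido Shimbun 1515 infected in Hokkaido, below 2,000 for third consecutive day, 3 deaths: COVID-19 https://www.hokkaido-np.co.jp/article/686688/ within Hokkaido 2022-05-28 16:29:22
Hokkaido Hokkaido Shimbun 22 infected in the Shiribeshi area, 16 in Otaru: COVID-19 https://www.hokkaido-np.co.jp/article/686684/ novel coronavirus 2022-05-28 16:38:04
Hokkaido Hokkaido Shimbun Spring high school baseball all-Hokkaido tournament: Hokusho heads to the final for the first time in 8 years; second semifinal game postponed due to rain https://www.hokkaido-np.co.jp/article/686695/ spring high school baseball 2022-05-28 16:35:06
Hokkaido Hokkaido Shimbun Wishma's sister returns to Japan: "Lend us your help in uncovering the truth" https://www.hokkaido-np.co.jp/article/686694/ Nagoya Regional Immigration Services Bureau 2022-05-28 16:33:00
Hokkaido Hokkaido Shimbun Basketball: Utsunomiya takes first win over Ryukyu in Game 1 of the B.League CS final https://www.hokkaido-np.co.jp/article/686690/ Nippon Life 2022-05-28 16:28:00
Hokkaido Hokkaido Shimbun Sapporo Dome to remain in the black after Nippon-Ham relocation; city estimates income and expenditure for fiscal years 23~27 https://www.hokkaido-np.co.jp/article/686534/ Hokkaido Nippon-Ham 2022-05-28 16:27:15
Hokkaido Hokkaido Shimbun 50 years since opening, Asahikawa Kaimono Koen's challenge continues https://www.hokkaido-np.co.jp/article/686640/ Heiwa-dori Kaimono Koen 2022-05-28 16:25:20
Hokkaido Hokkaido Shimbun Quayle takes sole lead on day 3 of the Mizuno Open https://www.hokkaido-np.co.jp/article/686689/ sole lead 2022-05-28 16:22:00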
